Albert Einstein once defined insanity as doing the same thing over and over again and expecting different results. This is exactly the way corporate organisations in Australia are approaching how they manage and protect their data.
Our organisations, either through lack of education or information, have the view that investing large amounts of money into technology and ignoring the imperative role humans play will protect them against data breaches and attacks – a mistake they consistently make.
And yet it took a once little-known but now world leading Australian cybersecurity scoring initiative known as CARR (Cyber Assurance Risk Rating) to expose the gleaming flaws that repeatedly exist within how corporates – software companies in particular – operate and manage data protection.
Through the implementation of the CARR program, organisations are now starting to ensure each company they share information with has cyber processes to protect the data shared. This has helped uncover a number of flaws in the way organisations are approaching this issue.
Firstly, CARR discovered that only 27 per cent of Australian software companies have dedicated certified security specialists employed to manage and implement cyber security best practices.
This reflects a lack of serious security expertise that exposes the challenge of creating software that is designed to cut organisational costs and enable individuals to be more productive without understanding the consequences of how someone might use the application to access confidential information.
Secondly, 38 per cent of these organisations implement ‘security by design’ into their software development lifecycles practices. Most of the applications currently developed may fulfil business objectives but not always measure up to security standards. This means that the applications we use daily are vulnerable to a cyber incident. The ability to incorporate ‘security by design’ is more prevalent for smaller software companies due to increasing costs.
Meanwhile, only 52 per cent of Australian software developers have implemented a secure infosec foundation such as COBIT5, NIST or ISO 27001 as a basis for their organisation and program.
Upon examining the ease to socially engineer a hack on a software company, only 13 per cent of organisations reviewed were capable of understanding how to respond to a request for information based on the Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018 – or the encryption bill.
Finally, when organisations were asked how they respond to a technical assistance request from an agency such as ASIO, 87 per cent said they would not know how to do so. Further, 11 per cent said they would need to obtain advice from outside council.
Imagine this scenario. A staff member of an Australian software company could be approached by a person claiming to be from ASIO. This individual could advise an employee or a contractor that under current law, they have a technical assistance notice. The scammer then asks for the individual’s assistance to spy on someone else.
This requires no paperwork and the person representing ASIO could simply present actual legislation to support this requirement with a threat of five years imprisonment if that individual communicates this to another party.
This legislation leaves the door open for anyone keen to gain easy access to confidential information, through socially engineering the legislation and individuals to access confidential information on another individual.
The technical assistance notice could include:
- Decrypting communications where a DCP already has the ability to do so
- Installing agency software of the DCP's network.
- Modifying the characteristics of a service or substituting a service provided by the DCP.
- Facilitating access to the relevant facility/equipment/device or service
- Handing over technical information such as source code, network or service design plans, and the details of third party providers contributing to the delivery of a communications service, the configuration settings of network equipment and encryption schemes.
- Concealing the fact that agencies have undertaken a covert operation.
Few organisations understand the legislation and fewer individuals understand their legal rights, which begs the question: What would you do if an individual claiming to be from ASIO advised of an imminent terrorist threat and had to help implement a piece of spyware immediately? If you failed to help or communicated this information to another party, you would be prosecuted and potentially receive five years imprisonment.
Australian technology companies in general have a long way to go on the cyber security front. Smaller companies, in particular, are finding it hard to manage the complexity of cyber security with the increased costs of expert staff.
The CARR process and the ability of all organisations to now review and understand the practices of the companies they are sharing critical information will help businesses understand the different risks around sharing information.
What’s certainly now true is that all organisations need to improve practices around sharing their information. They can no longer walk away from their obligations, the risks are just too high.
Michael Connory is the CEO of Security In-Depth.
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.