Last year, Australia became one of the top five cyber attack source countries across the five most targeted sectors globally. Across Asia-Pacific, Australia was the source of 84 per cent of attacks in the government sector and 66 per cent in the finance sector, according to the latest Global Threat Intelligence Report by NTT Security.
Cybercriminals most likely used compromised resources such as affected networks and infrastructure to launch these assaults.
At a recent lunch in Melbourne, senior technology executives discussed ways of dealing with the increasing size and complexity of global attacks. The event was sponsored by NTT Communications and NTT Security.
According to NTT Communications director, John Jordan, organisations have to decide whether to manage security themselves or engage a service provider to help.
“The complexity factor is forever increasing. Being a subject matter expert in the areas of technology, software, process, threat management and compliance now requires a high level of expertise,” he says.
“There is no right or wrong answer – however, what is clear is that if a breach occurs, the more an organisation can demonstrate the protection steps taken, the more it is likely to survive an attack.”
Access Health & Community general manager, information systems, Noel Toal, says that as cyber threats have increased in recent years, the healthcare service provider’s understanding of the risk posed by them has improved.
The business now has a more proactive cybersecurity position that goes beyond old school firewalls and anti-virus software, he says. It includes better internal controls and aims to improve end user understanding of cyber risks.
“We now spend significantly more money and time improving end users’ understanding of cybersecurity risk and their potential to allow hackers to circumvent traditional cybersecurity defences. The board is more focused than ever before on cybersecurity risks and organisational compliance with health data legislation,” Toal says.
According to Arnold Bloch Leibler chief information officer, David Leong, the law firm’s approach to cybersecurity has changed significantly over the years.
The introduction of the General Data Protection Regulation (GDPR) in Europe and reported security breaches have put into focus the firm’s cybersecurity strategy, which is benchmarked against security standards such as ISO 27001 and the Australian Signals Directorate (ASD).
“Understanding risk tolerance is a difficult subject to discuss as an organisation’s security profile is always a point-in-time measure and continually changes as networks, systems and applications are upgraded or replaced and new threats emerge,” he says.
Jefferson Automotive Group IT manager, Jack Dempsey, continually maintains and updates the company’s technology infrastructure in line with legislative changes, advances in technology and response to business direction. His IT group’s strategic plan includes policies and practices to conform with the new mandatory data breach notification laws in Australia and to improve security awareness.
“Having said that, it seems that IT has recently experienced a Cambrian explosion,” Dempsey says. “The Internet of Things (IoT) is growing in diversity everywhere – it permeates every facet of our business, our suppliers and even our customers and they mesh together.
“Unfortunately, so do the bad actors. They are global, there are more of them and more doors open for them to exploit; they have more powerful and faster tools; there are those that would solicit financial gain, steal and/or sell data, inflict physical damage to systems, harm our customers and cause reputational damage to our brands.”
Dempsey adds traditional security measures do not provide the level of protection the company now requires. “One would think we are at war and, having said that, I think our best defence is our staff but we have a bit of work to do yet.”
The importance of cyber education
More than 50 per cent of ‘self-reported’ data breaches result from an internal mistake, and human error can never be eradicated completely, according to a report from the Office of the Australian Information Commissioner (OAIC).
“Continuous training and a security-as-a-priority culture will both minimise instances of errors resulting in a breach and provide evidence of compliance and responsible practice when the Office of the Australian Information Commissioner is assessing culpability in the case of a notified data breach,” NTT Communications legal and commercial director, Chris Bevan, said. “These factors combine to reduce an organisation’s exposure to regulatory non-compliance risk.”
Just as hackers (outside threat) don’t wear ski masks while attempting to infiltrate an organisation’s network, the insider threat may be the person in the office just down the hall, although not every insider threat is a truly malicious person, according to NTT Security CIO and regional CEO, APAC, Martin Schlatter.
“People are, and will continue to be, a primary threat vector for hackers to target. The success of phishing scams only highlights the ease with which people can be convinced or coerced into divulging sensitive bits of information,” he says.
“While instilling a security-minded culture is a critical aspect of mitigating insider threat risk, assigning personal responsibility for protecting company data, as well as determining an organisation’s risk profile, will contribute to a strong security posture.”
One attendee says his company has integrated cybersecurity training and awareness as part of every employee’s training and development plan. “We are also conducting social engineering tests to ensure raised preparedness on modern cyber adversaries.”
Access Health and Community’s Toal says he presents to the board ‘a couple of times a year’ on ICT strategy and a big part of that is cybersecurity.
“External consultants are engaged to undertake testing and audits of current security measures and control compliance. Reports from these activities go to the board,” he says.
The company conducts phishing tests for end users and follows up with short informational videos that highlight what they should look for. It has also implemented a mandatory online cybersecurity course for all staff.
When data breach reporting is mandatory
In late February, the government introduced notifiable data breach laws that impose mandatory investigation and notification requirements on various businesses. They apply to most companies with an annual turnover of more than $3 million, with some limited exceptions.
When asked if companies were meeting their statutory obligations under these laws, NTT Communications’ Bevan says there is a trend towards over-reporting. This may be a classic case where working smart with a dose of confidence and strong understanding of the law is required.
“Without detracting at all from the importance of keeping people’s personal information secure, not every leak of somebody’s information will amount to a serious breach under the Privacy Act. An incorrectly cc’d email with somebody’s first and last name and title which is openly available in the public domain, such as via LinkedIn, may be an example of this.
“I suspect this issue will settle over time as the level of concern/paranoia over what to do becomes more settled,” he says.
NTT Security’s Schlatter adds if the notification statistics released by the Office of the Australian Information Commissioner (OAIC) in the last month are anything to go by, then organisations are taking regulation seriously and are responding to requirements.
“A marked increase in the notifications to OAIC since the amendment to privacy law that was passed in February are certainly encouraging signs that companies are trying to ensure they meet obligations,” he says.