Clear and present dangers: understanding and preparing for cyber threats
Of the various winners and losers in the pandemic business environment, cybercriminals have been on the winning side of the ledger. There has been a lot to worry about just keeping the wheels of business turning for many, but as the sobering cybersecurity statistics mount it’s clear there’s a lot of work to do to avoid a digital disaster.
In its annual Cyber Threat Report, the Australian Cyber Security Centre (ACSC) say the pandemic environment has fuelled a significant increase in reported impacts of cybercrime. From July 2020 to June 2021, the ACSC received more than 22,000 calls to its reporting hotline (1300 CYBER1), an increase of 310% over the previous year. Formal reports through its ReportCyber online reporting tool topped 67,500, 13 per cent higher.
Interestingly, medium-sized businesses suffered the biggest average loss by organisational size. While the average loss for small businesses was $8,899 and large organisations $19,306, medium-sized companies lost an average of $33,442.
There’s one obvious reason more businesses are now at risk. “We’ve gone remote very, very quickly,” says Cameron Whittfield, PwC Australia’s legal lead for its cybersecurity and digital trust team. “These are moves that take a long time to implement safely and securely but we’ve been forced to do it quickly. There’s nothing threat actors love more than vulnerable victims.”
Key attacks and threats
“The threat landscape is changing rapidly,” says Whittfield, who flags ransomware as the most high-profile and potentially most disruptive threat. However, he says businesses also need to be aware of traditional issues around ‘basic hygiene’ and less visible threats, such as the many forms of phishing attacks on email.
“We’ve seen an uptick in current affairs ‘bait phishing’,” Whittfield says. This is where employees, for example, are lured into giving away personal details with an offer based on fear, greed or a topical curiosity hook. “COVID is a big one, as you can imagine. But even trying to target people with geopolitical news headlines.”
Email isn’t only a target to gain access to other parts of a corporate network. Business Email Compromise (BEC) is an attack where cybercriminals gain access to business email systems, monitor transaction activity and impersonate key personnel to change payment details and divert funds. According to ACSC, more than 4600 BEC incidents were reported in the past year at an average loss of $50,673. The volume of reported incidents was lower than the previous year, but the average losses grew 54%.
“Cybercriminal groups conducting BEC have likely become more organised,” says the ACSC report. “This not only increases the certainty of success but also increases the overall profit margin associated with the activity.”
In one incident reported to the ACSC, an Australian hedge fund was forced into bankruptcy after a BEC incident led to false invoices transferring $8.7 million out of the company. Even after the recovery of funds, the reputational damage was irrevocable. It led to what the ACSC believes is Australia’s first bankruptcy case as a direct result of cybercrime.
Digital supply-chain attacks have also become an increasing threat to businesses, targeting third-party software services to access their customer’s accounts, services and infrastructure. This can be particularly damaging, as these software suppliers typically have trusted privileges to customer systems, allowing criminals to inject malicious code quite deeply into those customer networks.
“Supply-chain compromises can be difficult to detect and defend against,” says the ACSC report. “Once detected, mitigation can be particularly challenging, as the malicious actor has often been able to develop pervasive access to a range of victims over an extended period.”
From the SolarWinds attack in December 2020 to the Microsoft Exchange Server attacks in March 2021, supply-chain attacks have grown in sophistication and scale. Both incidents were attributed to state actors, Russian and Chinese respectively, showing how high the stakes have become to find weaknesses in global networks and infrastructure.
“We’ve got increased exposure to supply chains and organisations are highly dependent on their third-party suppliers – and their suppliers’ suppliers – so that’s become a significant vector,” says Whittfield. “Yet we’ve found many organisations have a blindspot to the risks posed by those supply chains.”
Having a real plan
“You can’t fathom the volume of decisions that need to be made by an organisation that may not even be able to access its email,” Whittfield says. “The immense stress that puts an organisation under, often at incredibly unfriendly hours, and the extent and breadth of decision-making that has to happen almost immediately can be mind-boggling.”
Whittfield runs down a laundry list of decisions that need to be made almost immediately after an attack. Is the priority to restore fast or preserve evidence? How are you assessing the impact? In which jurisdictions are you impacted? What is your insurance obligation? Which stakeholders must be informed — and when? The list goes on.
“We spend a lot of time with clients helping them prepare,” he says. This includes building their cyber resilience and having a prepared incident response should an attack come.
A recent PwC Digital Trust Insights survey also flagged key areas where businesses are seeing problems that make good security more difficult than it should be.
“Eight out of 10 survey participants have observed their businesses have excess and unnecessary complexity, and that’s a major concern around cyber risks,” says Whittfield. “Two-thirds of organisations also haven’t taken the time to map their data holdings. These threat actors are after data, ultimately. And you can’t protect what you can’t see or what you don’t know exists.”
Whittfield also sees big problems for the SME sector due to a lack of skills and resources to protect themselves adequately.
“These are a significant portion of the economy, and they don’t necessarily have the on-site IT support,” he says. “Basic hygiene is always an issue. Multi-factor authentication is almost a non-negotiable now, and exploiting remote access is a big problem. There’s a role to play for government here.”
The Essential Eight – and beyond
“Bringing everyone to a basic level of resilience is absolutely critical,” says Whittfield. “The government can play a valuable role around standards – what does ‘good’ look like? Many people don’t know.”
The good news is the government has been busy in this space. Whittfield feels the ACSC is doing a lot to facilitate threat intelligence sharing and pointing to good practices, including the Essential Eight Maturity Model to guide businesses toward the key steps they should take for baseline protection.
The very existence of the ACSC has been a tremendous help to the Australian ICT security industry, providing deep knowledge and leadership so closely affiliated with our national defence processes. Offering regular guidance and reports for everyone from personal and family cyber security through SMBs and into our biggest organisations and critical infrastructure, it’s a positive asset for the country.
“I’ve never seen [government] more active in this space,” says Whittfield. “Whether regulatory reform, discussion papers, enquiring into the market on what best to do, and significant investment in cybersecurity strategy. I do take some comfort.”
The struggle to maintain Australia’s cybersecurity
- How well is Australia prepared for cyber threats in 2022 and beyond?
- Cat and mouse: why ransomware is an evolving organisational threat
- How we’re losing the arms race against deepfake technology
- Beware state-based actors looking to kick down digital doors
- Cybercrime’s shifting sands: which industries are most vulnerable?
- Digital tools allowing extremism to flourish around the world
- What skills do we need on the cybersecurity front line?
- Clear and present dangers: understanding and preparing for cyber threats
- Time for government to put its foot on the cloud accelerator
- Two common tech myths holding back public sector innovation