There’s no more time to take a “she’ll be right, mate” approach to cyber security.
Despite the frequency and severity of cyber attacks, some organisations are still slacking off when it comes to their cyber security. They are failing to proactively manage risks, and not even taking basic precautions like patching their apps or backing up critical data. Not only does this put their business operations and customers at risk, but it also makes Australia a soft target for a range of malicious actors, including foreign intelligence agencies.
Two recent government cyber security reports published by the Australian Securities and Investments Commission (ASIC) and the Australian Signals Directorate (ASD) paint a stark picture. It turns out that state-led cyber crime is on the rise. International conflict and tension have ramped up dramatically. Warfare and espionage are no longer limited to the battlefield or diplomatic settings — these conflicts are increasingly being carried out online too. But businesses are far from prepared.
A cyber crime epidemic
The ASD has observed that Australia’s vital systems and networks are increasingly coming under opportunistic and deliberate attacks. According to its recent Cyber Threat Report 2022-2023, the ASD responded to 127 extortion-related incidents, 118 of which involved ransomware or other forms of restriction to systems, files, or accounts.
Different malicious actors have different motivations for stealing data. They might use your stolen information for identity theft or sell it on the dark web for some quick cash. But it’s not all about money; state actors are also snooping around for intel for espionage purposes.
Around 94,000 reports were made to law enforcement through the ReportCyber system, up 23% on the previous year — that’s roughly one report every six minutes.
The cost of cyber crime is also hitting mid-sized businesses harder than ever. According to the ASD report, the average per-report cost of a cyber incident is $97,200 for these companies, while for large organisations, it’s $71,600. Small businesses aren’t faring well either, with cyber attacks costing $46,000 per incident.
So, for organisations that don’t want to be caught in the middle of a cyber battlefield, it’s time to better protect yourself.
Another loud wake-up call
The recent ASIC Cyber Pulse Survey 2023 has also exposed some major flaws in organisations’ critical cyber capabilities.
Completed by 697 representatives across a broad cross-section of organisation sizes, types, and industries, the survey shows that many organisations are reacting to cyber crises after they’ve happened instead of proactively managing their cyber security risks, putting their operations, customers, and customer data at risk.
Phishing was found to be the most prominent concern at 26%, closely followed by ransomware at 17% and business email compromise at 13%.
Survey participants were also asked to rate their organisation’s cyber capability, from 1 to 4, across six key risk areas. By their own admission, they’re doing poorly across all of these areas:
- Governance and risk management: 1.62 out of 4
- Identifying information assets: 1.64 out of 4
- Protecting information assets: 1.69 out of 4
- Detecting cyber security events: 1.74 out of 4
- Responding to cyber security incidents: 1.69 out of 4
- Recovering from cyber security incidents: 1.59 out of 4
The weighted average score across all six areas was an alarming 1.66 out of 4.
The report also uncovered other concerning trends, such as 44% of organisations struggling to mitigate risks associated with vendors, suppliers, partners, contractors, or service providers who had access to internal or confidential information. Smaller organisations are struggling the most due to limited human and financial resources.
Worryingly, 58% of surveyed organisations have limited or entirely lacking capabilities in ensuring adequate protection of confidential information. Meanwhile, 33% do not have a cyber incident response plan and 20% have not adopted a cyber security standard.
These problems are even worse for smaller organisations. Many of them aren’t taking the basic steps to keep their operations, systems, and customers safe.
For instance:
- 34% of small organisations do not follow or benchmark against any cyber security standard
- 44% do not perform risk assessments of third parties and vendors
- 33% have no or limited capability in using multifactor authentication
- 41% do not patch applications
- 45% do not perform vulnerability scans
- 30% do not have backups in place
The stats say it all, but now what?
ASIC has offered four sound recommendations in its report for enhancing an organisation’s cyber defences.
1. Engage a cyber security expert who can evaluate your key cyber risks and help implement an appropriate security standard
A good cyber security expert will have experience in identifying weaknesses in your systems and developing strategies to mitigate these risks. They can also provide valuable guidance on best practices in cyber security and ensure you are up to speed with the latest threats and trends.
Once you have an expert on your side, you must implement an appropriate security standard. There are many security standards to choose from, but the one that works best for your company will depend on your specific needs. For example, if your organisation handles sensitive data, you may want to consider implementing the ISO 27001 standard. This way, you’re not only protecting your company from cyber threats but also building and maintaining trust with your clients.
2. Strengthen cyber defences and implement risk controls while efficiently managing cyber security investments
Having strong cyber defences means functioning on a zero trust protocol.
One way to protect yourself is to implement identity and access management (IAM) and SSO integration to all your corporate apps (especially SaaS services). It may sound complicated, but it’s like having a passport in that it allows you to prove your identity without having to do the 100-point check. No more trying to remember your username and password for every application. By integrating IAM platforms, you can also monitor who has access to what, and enable multi-factor authentication to keep the bad actors out.
Next up, endpoint security. This is where you make sure that every device connected to your network has all the security bells and whistles, like endpoint detection and response (EDR), firewalls, and intrusion prevention systems.
Firmware management is another important step in keeping your business safe from cyber attacks. You want to make sure that all of your devices (e.g. network devices, network attached storage devices) are running on the latest firmware, which includes all the bug fixes and security updates to keep hackers from exploiting any vulnerabilities.
Then there’s software management. The software we install on your devices can pose a serious threat to our entire system. This is because each software needs certain permissions and access rights to function properly. To keep your system running smoothly, it’s important to review internal processes and speak to IT teams about who’s in charge of software requests and if anyone’s sneaking in unauthorised programs. You also should audit your current tools for any duplicates or underused software, as well as come up with a system for tracking your software licences. Make sure to set guidelines for all employees when it comes to buying new software, so nothing slips through the cracks.
Lastly, it’s also worthwhile establishing 24/7 monitoring of your networks, systems, and devices, using tools and technologies like Intrusion Detection Systems (IDS), Extended Detection and Response (XDR) and Security Information and Event Management (SIEM) systems. These tools will keep a watchful eye on your systems and immediately alert you if there’s any suspicious activity going on. When unusual activity is detected, it can be quickly analysed and removed.
3. Adopt risk management practices that prioritise critical assets, key cyber risks and potential threats
In the world we live in today, it’s absolutely essential to have a risk management strategy in place that prioritises your critical assets — think databases, servers, and financial records.
But why should you be prioritising your risks? Not all threats are created equal, and some require immediate attention. Once you know the risks and threats, you can allocate your resources more effectively and be more proactive in protecting yourself.
In addition to all of the technical measures mentioned, there are also some simple things you can do to keep your business safe. For example, make sure your employees are trained on how to spot phishing emails and other common tactics used by hackers. You can even make it fun by gamifying your cyber security training, and rewarding employees who demonstrate good security practices.
4. Ensure limited resources are used efficiently to protect against cyber threats that have the potential to impact their operations
Finally, it’s important that resources are used efficiently. This could mean outsourcing cyber security functions to specialist experts, like our team at Orro. They can assess your cyber maturity and provide a roadmap and plan for strengthening your security posture. By doing this regularly (for example, annually), you can track the ROI of your cyber program based on the increase in your maturity score.
Remember, it’s crucial to reassess your cyber security, consistently and comprehensively, to ensure the best protection against threats.
Looking forward, there will never be an end in sight to cyber attacks. But we’re not helpless in the face of these threats. We just need to band together — government, industry and the public — and each take responsibility for the role we play in securing Australia.
It’s like a game of chess, where we have to make our moves with careful consideration and vigilance. But unlike chess, these criminals are constantly improving their tactics and evolving their game, which is why we need to adapt and fortify our defences at every turn. It’s up to each of us to be cyber vigilant.
If all of this seems too complex, with the right partner, it can actually be simple. Get in touch for a chat on how to keep your organisation safe without the stress.
Article written by Manny Salazar, Orro’s Director of Cyber Services.
