Education and risk identification are key when it comes to cyber security.
According to a recent report from the Australian Institute of Company Directors (AICD)1, “the big issue keeping executives from getting a good night’s rest is cyber security”. The AICD’s research indicated cybercrime and data security were “front of mind in the small hours of the morning” for the 41 per cent of company directors that were surveyed.
But combating cyber risk is no longer solely in the hands of an IT security department. It depends on everyone, from staff to third-party suppliers. Across all organisations, employees share the collective responsibility to be more aware and vigilant around cyber threats, through education and risk identification.
Every organisation is at risk
Australian organisations face both new and traditional cyber security challenges, and usually it is difficult to predict the next data breach or when the threat will occur.
For example, the Australian Cyber Security Centre (ACSC) Annual Cyber Threat Report 2020-21 found ransomware cybercrime reports increased by 15 per cent2 in one year. With nearly 500 reports received within a 12-month period, there was an average of more than one ransomware cybercrime report received every day.
Cybercrime carries not just the monetary cost of a payment or breach, but also the cost of disruption to increasingly digitised essential services like healthcare, food distribution and energy production. These sectors have become targets of cybercrime, with attacks resulting in possible setbacks for the wider economy. The reputational damage from a successful cyber-attack can also be significant. At the same time, criminals are showing fewer moral qualms about their choice of targets, with organisations such as charities, schools and even hospitals no longer off-limits3.
During 2020 and 2021 there has also been an increase in cyber threats in line with the pandemic-driven shift to hybrid workforces, where “bring your own device” (BYOD), remote working and the adoption of cloud applications are now commonplace in the wider business community.
This huge change in both where and how employees conduct their work is unearthing several threat exposure touchpoints. To add to this, within FY20-FY21, ACSC also received more than 1500 cybercrime reports of malicious cyber activity related to COVID-19. More than 75 per cent of these related to individual Australians reporting loss of finances or personal information in relation to scams and online fraud.
“There is now more than one ransomware cybercrime reported every day in Australia”
Increasing security threats
While digital transformation during the pandemic has driven many process improvements, it has also opened the door to more cyber threats, which are increasing in volume and complexity.
An organisation can no longer operate in a silo, and any information that is managed by consumers, staff and partners is a potential attack vector. As the economy becomes more interconnected, organisations find themselves having to implement systems involving third parties.
According to the ACSC report, there’s been a rise in attacks that compromise organisations’ supply chain software. The attackers access an organisation’s network and covertly modify its software, which in turn provides them with access to customers’ systems, from which more malicious activity can be launched.
With a rising number of breaches occurring via third parties, through so-called ‘island-hopping’ attacks, cyber security measures need to be assessed and maintained across the entire supply chain.
According to the ACSC report, the ransomware threat is also expanding, with a growing number of ‘double-extortion’ attacks, where further demands are made, or further attacks perpetrated, as a result of stolen credentials.
“Cyber security in particular is of concern. Whilst many layers of defence can be implemented, including education, control of employee actions at every level remains difficult and the ever increasing frequency of attacks at all levels of business leave us open to [further] attack.”
AICD Director Sentiment Index 2H21
The combination of more digital, interconnected supply chains, an increasing number of threats, and a distributed workforce means a more holistic approach to managing enterprise cyber security is needed.
Education around cyber security and the risks involved should be presented to all employees. This can help improve an organisation’s overall security posture and reduce any gaps that might arise from adopting new technology or changing market conditions.
The Office of the Australian Information Commissioner (OAIC) tracks human error4 as a source of data breaches and says it directly plays a role in many cyber security incidents.
Of the 446 data breach notifications reported from January to June 2021, 30 per cent were attributed to human error. OAIC commissioner Angelene Falk noted that organisations can reduce the risk of human error by educating staff about secure information handling practices and putting technological controls in place.
For example, there are more advanced access control solutions, such as Privileged Access Management (PAM), available to prevent unauthorised data access and human error. Similarly, automation and end user education can help thwart ransomware attacks.
Step toward change
As the world becomes more digital and the number of potential threats increases, all businesses should, with more effective controls in place, be more vigilant in their awareness of threats, with a focus on education and training in security and risk management. The opportunity is there to help drive change and build awareness of enterprise security right across all organisations, from individual employees and contractors right through to upper management and directors at the C-suite level.
nbn’s commitment to building Australia’s digital backbone helps to foster that awareness through information channels. This includes threat information sharing, involvement with government forums such as the Joint Cyber Security Centres (JCSC), and public security awareness campaigns.
Catch up on the 'Enterprise Security: what is your weakest link?' expert panel discussion.
The need for everyone in organisations to play their part in enterprise security was one of the key themes to emerge in the recent expert live panel discussion hosted by business nbn™.
In the discussion entitled ‘Enterprise Security: what is your weakest link?’, the panel examined how security can be an enabler for enterprises, why a healthy security culture is central to keeping organisations safe, and practical steps business leaders can take to build security culture.
The panel included:
- Darren Kane, nbn Chief Security Officer
- Rachael Falk, CEO, Cyber Security Cooperative Research Centre
- Nigel Phair, Director, Enterprise at the University of New South Wales Institute for Cybersecurity, and
- Phil Rodrigues, Head of Security for APJ Commercial at Amazon Web Services.