Australian organizations are continually failing to fend off ‘inevitable’ and costly cyber-attacks!
Watchdog rips into NZX for repeated tech fails & OAIC finds ‘multiple’ Australian companies downplaying data breaches.
A recent study has reported that Australian businesses and organizations are frequently under pressure from malicious cyber-attacks and data breaches that leave consumers vulnerable.
Studies conducted by the Ponemon Institute run by IBM Security have shown that data breaches are a rising problem globally, with the cost to Australian companies growing by more than 14 percent over the past year.
The study showed that the total expense of a data breach for an Australian corporation soared to more than $3 million in 2018-19.
When it came to detecting and containing breaches, Australia lagged behind the US, UK, Canada, ASEAN nations, Germany and South Africa.
An Australian organization’s average time to discover a data breach in 2019 was 200 days, with another 81 days expected to contain the threat.
By comparison, it took an average of 131 days for companies in world-leading Germany to detect a breach and 39 days to contain it.
The average time for the sector [to detect a breach] is 185 days. Unfortunately, here in Australia, we are above the level at 200 days.
Not only does it take longer to locate, but it also takes longer to contain it. All of this is having a considerable influence on Australia.
This year alone, there have been a variety of high-profile data breaches in Australia.
In other words, companies today are almost one-third more likely than they were in 2014 to suffer a breach within two years!
Malicious cyber-attacks on the rise
NZX Cyber Attack
The damning review of the NZX share exchange was released by the New Zealand Financial Markets Authority (FMA) regulator following a rash of high-profile distributed denial of service attacks that saw the operator go offline for days at the end of August last year.
NZX is a licensed market operator mandated by the Financial Markets Conduct Act 2013 to fulfill certain general obligations.
These include ensuring that its markets are fair, orderly and transparent, and providing adequate financial, technical, and human resources to operate them.
The DDoS attacks on NZX were foreseeable, the FMA found, noting that alerts about such attacks were issued by the NZ government cybersecurity agency as early as November 2019.
Despite this, the FMA found that NZX's response to the DDoS attacks was insufficient and lacking at many levels, cataloging a litany of shortcomings in the country’s single share market.
To tackle the cyberattacks, NZX was forced to hurriedly restructure its network infrastructure, transferring many externally accessible sections to Akamai.
FMA strongly criticised insufficient IT security processes and disciplines implemented only in 2019.
Internal cultural factors also led to the failure of NZX to have sufficient technical capital, the FMA said.
The FMA criticised the exchange for not taking responsibility for known systemic and industry-wide problems or moving fast enough to address the issues raised.
Order by OAIC to Home Affairs to reimburse asylum seekers over data breach
The Office of the Australian Information Commissioner (OAIC) ordered the Department of Home Affairs, formerly the Department of Immigration and Border Protection, to assess the amount owed to each applicant and to pay compensation for “mistakenly” releasing the personal information of 9,251 asylum seekers.
OAIC published the new Notifiable Data Breaches (NDB) Study last month, covering July to December 2019, showing that data breaches in the second half of 2019 rose by 19 percent. The trend emphasises organizations’ need to establish and test a data breach response plan regularly to mitigate a cyber incident’s financial, reputational, and regulatory effects.
According to the OAIC, 67 percent of breaches were attributed to “malicious or criminal attack”, with human error being the second most common cause at 32 percent. However, even in the case of a malicious or criminal attack, it has been recognized that the underlying cause is related to human error. Criminals target workers or third parties using social engineering techniques (often through phishing emails) to exfiltrate data and access the network. The OAIC data reinforces Australian companies’ need to recognize people as a vital part of their security strategy and to ensure that they have a roadmap for implementing and nurturing a good security culture.
So, what are the measures for Australian organizations to safeguard themselves, their reputation, and their very existence when it comes to data breaches, and how can they better prepare?
How can businesses safeguard themselves?
Statistics abound when it comes to chronicling the consequences of data breaches. According to recent research, the global cost of cybercrime will exceed $10.5 trillion by 2025, an amount that far exceeds the annual damage caused by natural disasters. This figure hides various implications within it, ranging from the destruction of records, financial losses, and theft of intellectual property and personally identifiable information to business disruption. Still, despite this toll, figures do not tell the whole story.
Think about the recent cyber-attacks on organizations in Australia & NZ. Organizations need effective cybersecurity service providers to help them determine whether other members of their ecosystem have suffered a breach, reduce their attack surface, and define potential entry points before they can respond to their executive sponsors.
Wrapping Up
The most acceptable approach to cybersecurity, then, is to do the right thing, build strong safeguards and recognize threats as soon as possible, and prevent inevitable breaches.
When was the last time you tested your IT infrastructure against cyber-attacks? Most critical of all: how secure is our organization?
· Have we documented cybersecurity policies and procedures for our organization?
· Have we performed a risk assessment to detect internal and external threats?
· How frequently are we performing vulnerability assessment and penetration tests on our network to identify weaknesses/vulnerabilities in the network?
· Do we conduct web application assessment using Red Teams? Did you know compromised web applications lead to some of the largest data breaches?
· Do you have daily log-monitoring reports that confirm your organization is not being attacked?
· How does your organization detect vulnerabilities, and are you fixing them on priority? https://www.cyberneticgi.com/2020/06/07/vulnerability-summary-reports-by-cybernetic-gi/
· What preventive/detective controls have we implemented for data breaches?
· When was the last cybersecurity training provided to the staff members in the business?
· Are we aware of all regulatory and non-regulatory cybersecurity compliance requirements, such as ISO 27001, PCI-DSS, GDPR, APRA’s CPS 234, etc.? And are we compliant with them?
Collectively, through enhancing your data protection obligations, you will improve organizational stability and increase cyber maturity across the organization.
Cybernetic Global Intelligence is located in the heart of Brisbane CBD and works with organizations across Australia & NZ, with a global presence, helping them meet cybersecurity compliance standards to minimize the impact of cyber-attacks and improve their readiness to respond to potential threats.