Cyber attacks on Australian organisations rose by 20 per cent in 2014, according to the Australian Signals Directorate, a timely reminder cyber threats are growing. Moreover, the Australian Crime Commission reported in June this year Australians lose about $110,000 every hour to cyber criminals, or more than $2.6m every day.
This demonstrates how serious cyber security is for every business. As such, it is critical organisations are aware of the growing risk of cyber intrusions and are actively putting in place steps to reduce this risk.
At Marsh, we have observed many rising threats, including criminals targeting data by stealing or disclosing personally identifiable or financial data, modifying or corrupting data or blocking legitimate users’ access to data. However, external threats from hackers are just some of the risks about which organisations need to be aware. Many perils are actually internal.
For instance, a culture of trust within an organisation’s workforce, traditionally thought to be a benefit, now creates a threat. Many high-quality phishing emails appearing to be legitimate correspondence from banks, the ATO and other trusted sources may inadvertently be opened by employees, exposing the business to hackers. Therefore, employees must be trained to spot and delete such communication to thwart the intended intrusion.
Some of the other internal risks are known as ‘man in the middle’ intrusions. These are where attackers electronically eavesdrop on email conversations undetected and alter communication between parties who believe they are writing to each other in confidence.
Aside from emerging cyber security threats, the legislative environment is also changing the nature of cyber risks. It was anticipated mandatory data breach notification laws would be in place by the end of 2015. While this did not happen, the recommendation for data breach notifications by the Joint Parliamentary Committee on Intelligence and Security remains. As such it is expected that data breach notification legislation will be introduced to Parliament in 2016.
Additionally, the advent of the Internet of Things (IoT) is introducing new cyber perils. For instance, it has been reported the majority of cars stolen in France are targeted using electronic hacking.
Indeed, anything connected to the internet could be targeted by hackers. Worryingly, it’s likely many businesses are overlooking vulnerabilities in devices such as printers, video conferencing equipment and thermostats.
While many organisations now understand potential cyber threats expose them to financial, regulatory and reputation repercussions, many don’t appreciate some of the other, more serious consequences of a cyber intrusion. For instance, ratings agency Standard & Poor’s has noted a major cyber-attack on a financial institution could put its credit rating at risk.
Plus, a perceived misalignment between an organisation’s published privacy policy and implementation of that policy could lead to allegations the organisation engaged in deceptive practices. It has also become almost obligatory that, following a cyber intrusion, the CEO resigns or is terminated. This was the case with the Target event in the US in December 2013 and the more recent Ashley Madison event.
It’s important for organisations to explore ways to protect their electronic ramparts in light of the growing risks around cyber. As part of this it’s important not to overlook third party vendors or customers when it comes to cyber security. As an example, it was determined that the massive Target breach in December 2013 originated through a vulnerability in an air conditioning contractor’s system.
It’s also essential to seek assurances from third party vendors or customers on their level of cyber security resilience and ask for a Cyber Insurance Certificate of Currency from them. You may also be asked to provide documentary evidence your organisation purchases cyber insurance.
While we are still developing a detailed understanding of the full spectrum of threats to Australian networks, a number of trends will manifest globally in the near future, as outlined in the Australian Cyber Security Centre Threat Report 2015. Importantly, the number of cyber criminals, and their sophistication, will increase, making detection and response more difficult. We also expect incidences of spear phishing will continue to grow and the use of ransomware will continue to be prominent.
It’s also expected there will be an increase in the number of cyber adversaries with a destructive capability and, possibly, the number of incidents with a destructive element. There will also be an increase in electronic graffiti, such as web defacements and social media hijacking.
What this shows is that cyber intrusions are a growing and increasingly complex peril businesses must face. It’s essential for every organisation to recognise this and put robust mitigation strategies in place to reduce the risk of a cyber threat undermining or even destroying their businesses.