Cyber security in the age of connectivity

Cybersecurity has been in the news a lot lately after the Australian Government revealed that the Liberals, Nationals and Labor parties had been victims of cyber-attacks at the beginning of 2019. Days after this announcement, a crime syndicate hacked and scrambled the files of 15,000 patients from a specialist cardiology unit at Cabrini Hospital in Victoria, demanding a ransom to break the encryption. 

While cyber-attacks are not new and have been around for as long as the internet has existed, the unprecedented level of digital transformation occurring across all industries has resulted in cyber-attacks becoming much more frequent and costly. The growing amount of valuable data being digitised is prompting cyber criminals to employ increasingly sophisticated ransomware and malware, resulting in attacks that have far reaching consequences.

Just look at the coordinated hacking of internet-connected devices in 2016 that shut down hundreds of websites including Spotify, Twitter, The New York Times, Netflix and Reddit¹. Or the 2017 cyberattack using a ransomware cryptoworm called WannaCry, which shut down 200,000 computers in over 150 countries².

In Australia, serious cyber-attacks against companies almost doubled in 2018³, costing businesses an average of $276,323 per attack⁴. Despite this, a survey by Accenture found that, on average, only 62% of an organisation is actively protected by its cybersecurity program⁵.

In the emerging hyperconnected and data-driven age of industry 4.0, where new cyber threats and techniques are emerging all the time, an insecure entry point to networks and devices can cause huge disruptions to business operations.

The Australian Government’s Cyber Security Strategy shows that all organisations regardless of size face cyber risks. However, healthcare, advanced manufacturing and agribusiness are particularly vulnerable due to their recognition as strategic priority sectors under the Australian Government’s Industry Growth Centres Initiative.

According to the CSIRO’s cybersecurity roadmap, these industries are attractive to cyber criminals for a number of reasons. In the health industry, cyber criminals can use patient records for blackmail or to sell on the black market; in the advanced manufacturing industry, cyber criminals can gain access to intellectual property and sensitive customer data for financial advantage; and in agribusiness, data can be manipulated to enable food fraud⁶.

A holistic cybersecurity strategy that addresses different types of threats should therefore be a fundamental requirement for businesses.

Even if your business already has a cybersecurity plan in place, the beginning of the year is a good time to reassess and identify if there are any areas where vulnerabilities may exist.

Below are some simple measures you can take to improve basic cybersecurity practices.

• Draft a set of security policies and procedures that make clear who can access the network and how, who can install software, who can analyse and log data, and where and for how long data is stored. This should also include acceptable use, reporting mechanisms, password requirements, e-mail standards, handling of removable devices, handling of sensitive information, locking computers and devices, and social media standards. Distribute this to all staff and contractors.

• Keep a register of your assets, including what devices are on your network, where they are located, what information is stored on them and who has access. This should also include any ‘bring your own devices’ (BYOD).

• Make use of firewalls, security software and spam filtering, and ensure these are kept up-to-date.

• Have multiple back-up methods for important data.

• Mandate the use of strong credentials such as two-factor authentication.

• Split your network into sub-networks to keep sensitive or critical systems separate.

• Move critical applications to a trustworthy cloud service. Most of these services have invested heavily in security infrastructure so they’re generally more secure than internal servers.

• Educate and train staff in proper cybersecurity practices, including network access responsibilities.

• If you are new to cybersecurity, familiarise yourself with the two standards most commonly used in Australian businesses – the ISO-27001 and the NIST.  

Author: Adelle King

References

¹ Perlroth, N 2016, 'Hackers used new weapons to disrupt major websites across the US', The New York Times, viewed 21 February, <https://www.nytimes.com/2016/10/22/business/internet-problems-attack.html?_r=0>.

² Sheedy, C 2018, 'Why cyber attacks are becoming more dangerous', In the Black, viewed 21 February, <https://www.intheblack.com/articles/2018/04/01/cyber-attacks-more-dangerous>.

³ Pash, C 2018, 'Serious cyber attacks against Australian companies have almost doubled this year', Business Insider, viewed 21 February, <https://www.businessinsider.com.au/serious-cyber-attacks-attacks-against-australian-companies-have-almost-doubled-this-year-2018-6>.

⁴ Braue, D 2017, 'Ignorant of cybersecurity risk, breached small businesses are concealing the cost of recovery', CSO, viewed 21 February, <https://www.cso.com.au/article/616882/ignorant-cybersecurity-risk-breached-small-businesses-concealing-cost-recovery/>.

⁵ Pash, C 2018, 'Serious cyber attacks against Australian companies have almost doubled this year', Business Insider, viewed 21 February, <https://www.businessinsider.com.au/serious-cyber-attacks-attacks-against-australian-companies-have-almost-doubled-this-year-2018-6>.

⁶ CSIRO 2018, Cyber Security: A roadmap to enable growth opportunities for Australia.