Addressing the evolving cyber threat environment

If there’s one key message from the Office of the Australian Information Commissioner’s (OAIC) latest notifiable data breaches report it’s this: the cyber threat environment is evolving and organisations need to continually update processes and protections to address this.

Around 60% of data breaches notified to the OAIC since the start of the Notifiable Data Breaches scheme have been caused by malicious or criminal attacks, and the majority of these have involved cybersecurity incidents. In fact, 43% of all breaches notified to the OAIC in the first half of the year were the result of a cybersecurity incident.

Australian Cyber Security Centre (ACSC) data shows cybersecurity threats are increasing. The ACSC received over 67,500 cybercrime reports during the 2020–21 financial year. This equates to one report around every 8 minutes, compared to one around every 10 minutes the previous financial year.

The ACSC also noted in its Annual Cyber Threat Report that the complexity and sophistication of cyber threats continued to rise during the 2020–21 financial year, and cybercriminals pivoted to exploit the COVID-19 pandemic environment.

Take ransomware. The ACSC noted in its report that ransomware has grown in profile and impact, and poses one of the most significant threats to Australian organisations.

The OAIC was notified of 46 data breaches arising from ransomware incidents in the first half of the year, an increase of 24% compared to July to December 2020.

It’s of concern that ransomware attacks can make it difficult for an organisation to assess what data has been accessed or exfiltrated. The prevalence of ransomware has highlighted the importance of organisations having appropriate internal practices, procedures and systems in place to assess and respond to data breaches, including a clear understanding of how and where personal information is stored across their network.

The OAIC was also notified of a number of data breaches resulting from impersonation fraud in the first half of the year. Impersonation fraud involves a malicious actor pretending to be another individual to gain access to an account, system, network or physical location.

Our office has been advised of data breaches resulting from a malicious actor calling a service provider’s customer helpline or contact centre, impersonating a customer and passing the organisation’s verification processes. The impersonator is then able to log in to online accounts, update the customer’s personal information, make fraudulent transactions and potentially obtain additional personal information that enables them to commit further impersonation fraud.

Unfortunately, the increase in personal information available on the dark web means that malicious actors often hold enough personal information to circumvent organisations’ baseline controls and identity verification processes.

It’s no longer sufficient to maintain the status quo. Organisations should regularly review security measures to make sure they are keeping pace with the evolving threat landscape. In the case of impersonation fraud, this might involve considering additional measures like mandating multi-factor authentication or automatically notifying customers when changes are made to their account.

Ransomware and impersonation fraud are just two examples of common cybersecurity threats. Across the board, malicious cyber activity and cybercrime can be devastating to businesses and individuals.

The Australian Government’s Cyber Security Strategy 2020 sets out a range of initiatives aimed at building and strengthening cybersecurity capability across the economy. The government also notes that it will take every part of government, business and the community to implement the strategy and achieve a vision of creating a more secure online world for Australians.

Strong data protection and privacy practices are an essential link in the ring of defence that is being built to protect businesses and individuals. The Australian Information Commissioner and Privacy Commissioner Angelene Falk has put a priority on the security of personal information and will take regulatory action where there are significant failings to protect personal information.

Organisations need to take proactive steps to improve the security of personal information they hold, including implementing measures that guard against common threats such as ransomware and impersonation fraud. A preventive approach remains the best defence against malicious cyber activity. Preparation can significantly reduce the impact of a cyber attack and enable swift restoration of services if they are degraded as a result.

A good place for organisations to start is in getting the basics right:

• Train staff to protect their devices and accounts, such as by enabling multi-factor authentication, using strong passphrases and updating software.
• Understand your data holdings and ensure secure backups are performed regularly.
• Invest in better security measures.
• Have a tried and tested data breach response plan.
   

Beyond this, there are a whole range of factors that have a bearing on an organisation’s ability to respond to cyber threats and data breaches and achieve best practice with regard to privacy, cybersecurity and system and process integrity.

The ACSC recommends organisations adopt multiple layers of defence against malicious actors as no single mitigation will protect against all threats. Organisations are encouraged to implement the ACSC’s Strategies to Mitigate Cyber Security Incidents, with a particular focus on the Essential Eight, as their baseline cybersecurity posture.

We encourage organisations to think more broadly about managing the information lifecycle. Effectively protecting personal information throughout its lifecycle means organisations need to be aware of when and how personal information is collected and how it is held and secured. Organisations also need processes for destroying or de-identifying data when it is no longer needed.

We also encourage you to make cybersecurity and privacy an organisational priority. Beyond the benefits of strong cybersecurity and privacy practices making a cyber attack or data breach less likely, it will also help to build community trust in the handling of their personal information and confidence in your organisation overall.

There’s no question that the cybersecurity landscape is evolving at pace. Organisations that advance their processes and protection in parallel will be well placed to manage and mitigate cyber risk.

The OAIC has a range of guidance, advice and resources on data breaches, including guides to data breach preparation and response and securing personal information. Visit cyber.gov.au for the latest security alerts, advice and easy-to-follow guides.

David Stevens is the Assistant Commissioner, Dispute Resolution, at the Office of the Australian Information Commissioner (OAIC). He leads the OAIC’s notifiable data breaches, privacy dispute resolution, enquiries and Commissioner-initiated investigations teams.

Image credit: ©stock.adobe.com/au/Song_about_summer