Cyber threat must be brought to light, govt urges
In the wake of new research showing that cybercrime impacting Australians is becoming more common and alarmingly sophisticated, the federal government has urged businesses to speak up when they are targeted.
The Australian Cyber Security Centre’s (ACSC) 2017 Threat Report found that cybersecurity incidents identified by the centre grew 15% in the past 12 months to 47,000. More than half of these were online scams or fraud, and such attacks grew more than 22%.
One type of online scam alone — CEO fraud or business email compromise — cost Australian businesses a combined $20 million during the 2017 financial year, up from $8.6 million the prior year.
Meanwhile, during the financial year the ACSC reported 7283 cybersecurity incidents affecting major security businesses, 734 affecting critical infrastructure providers and 671 incidents affecting government networks considered serious enough to warrant an operational response.
Cybercriminals are also casting their nets further and setting their sights on a broader range of potential victims. The report found that attacks on non-traditional targets — such as businesses in the automotive, accommodation and hospitality sectors — grew by around 50% last financial year.
But despite the growing prevalence of attacks, Minister Assisting the Prime Minister on Cyber Security Dan Tehan said cybercrime remains an underreported problem, with many crimes flying under the public radar.
In an address to the National Press Club, Tehan urged victims of cybercrime to come forward, stating that business, government and the public must work together to tackle the mounting threat.
“When your house or car is broken into, you report it to the police. We must have the same mindset when it comes to cybercrime,” he said.
“Of the reported incidents that impacted business, fewer than 60% came forward to report what had happened. For the other 40%, the incidents were identified by the ACSC… The fear of public reaction to being a victim of a cybercrime is something that all businesses can understand [but] in the public eye, honesty is a better approach than a cover-up.”
The headline-grabbing cyber attacks of recent months, such as the WannaCry and Petya ransomware outbreaks, also show that criminals are increasingly exploiting known vulnerabilities, Tehan said. This means that even detecting and plugging security holes is not enough; businesses and individuals must be brought on board and convinced to apply the fixes.
A coordinated response is particularly important in light of the growing sophistication of the cybercrime business. Tehan noted that attackers have become so successful that they have started to adopt franchise models, including by selling exploit kits and attack applications to others without the technical skill to create them on their own. Others are offering ransomware, data theft and spyware as a service on the dark web.
“As the 2017 Threat Report shows, each day, there are Australian businesses that are being robbed, held to ransom or shut down. In the next 12 months, there will be more globally significant attacks. There are new cyber threats on the horizon, such as cyberterrorism,” Tehan said.
“They all pose a danger of financial and social damage. It is why cybersecurity must become second nature to all Australians. It is why we must follow the simple steps to keep ourselves safe online. It is why we must report when we are hit. In the end it is up to all of us — government, business and individuals — to take the fight to criminals online and keep all Australians safe.”
Sense of Security COO and co-founder Murray Goldschmidt agreed that Australian businesses and organisations need to step up their security game in response to the growing scale and sophistication of the cyber threat.
“The problem is, we’ve become cybersecurity box tickers. For example, penetration testing, which is crucial to identifying holes in an organisation’s security, has become commoditised and now more frequently used simply to ensure risk audit checkboxes are met. This means each year, businesses conduct the same test and receive the same results,” he said.
“This narrow-minded approach is leaving businesses open to all kinds of new social engineering techniques. We need to think more broadly about cybersecurity and look at going beyond ticking boxes to see where the business is susceptible to attack, whether through social engineering, physical breaches or digital attacks.”
Webroot Senior Information Security Analyst Dan Slattery said the company’s own research indicates that a cyber attack on an Australian business with between 100 and 499 employees costs an average of nearly $1.9 million.
“The [ACSC] report’s findings demonstrate that simply relying on threat lists, virus signatures and simplistic rules for protection is wholly insufficient. Proven, real-time machine learning-based analysis that includes an understanding of threat behaviour and context is necessary for accurate decision-making and protection from today’s threats,” he said.