Australian companies need to rethink cybersecurity strategy

Simon Webster

Mar 25, 2021 – 12.00am

Subscribe to gift this article

Gift 5 articles to anyone you choose each month when you subscribe.

Already a subscriber?

It’s a business’s worst nightmare. All of a sudden, all your files have been encrypted – both on the server and in the cloud. No one can open anything. And then up pops a message, demanding a ransom in exchange for access, or for not releasing sensitive information into the public domain.

Ransomware attacks are disturbingly common: 48 per cent of Australian organisations reported being hit by one in 2019, according to The State of Ransomware 2020 report, based on an independent survey commissioned by cybersecurity firm Sophos. Globally, the figure was 51 per cent. And no business, big or small, is immune.

Ransomware attacks can be devastating. Trying to stop them, and having a plan to deal with them when they do happen, is crucial for Australian businesses, says cybersecurity expert Aaron Bugal.

“Everybody is a potential victim,” says Aaron Bugal, a global solutions engineer with Sophos. “If any organisation thinks something like ransomware won’t be a problem for them, that is terrible stance to take. There’s no discrimination when it comes to cybercrime.

“The majority of attacks we see are opportunistic: a front door was left open, a vulnerability existed, or credentials were reused from a previous breach to gain access to a victim’s environment and effectively terrorise them.”

The average cost to rectify a ransomware attack – including downtime, people time, device cost, network cost and lost opportunity – was US$732,520 (double that for organisations that paid the ransom), the report says. For many businesses, those sorts of figures could be fatal.

Make a plan

“You can throw lots of money at cybersecurity and still not have 100 per cent effectiveness,” Bugal says. A single employee can always let an attacker in by falling for a phishing scam. It’s therefore vital that businesses have a plan in place, should the worst happen.

“A lot of organisations need to sit down and plan how they will handle it if they become victim of a cybercrime. What’s our playbook? What’s our incidence response plan? What’s our business continuity plan? Do we have backups? How do we test those backups?

“It’s just like fire drills. The more we practise something negative like this happening, the better we can respond to it if it does happen.”

Part of that planning process should consider post-attack communications, Bugal says. Normal communication networks may be shut down.

“It might be a Slack channel, another internet tool, or just a case of picking up a mobile phone. Can you make a call to the IT manager? Can you validate who you’re speaking to with a few simple security questions? Then, can you initiate your plan and share information?”

Get expert help

Vendors such as Sophos can help repel attacks before they do any harm, Bugal says. Sophos protects clients through its managed threat response service. “It’s a team of cyber security experts sitting in security operations centres scattered across the globe.”

The team monitors clients’ systems, and through a combination of manual and data-driven processes, identifies potential attacks and jumps all over them. “We’re an extension of the security teams of the organisations we protect,” Bugal says.

Having that set of eyes and ears can be particularly useful in the Covid-era new normal, with so many team members working from different locations.

“Allowing people to work on a device not owned and maintained by the IT department was, and still is, a big concern for security,” Bugal says.

“I don’t see a lot of organisations doing persistent evaluation of devices that are out there, working from networks they don’t control. I think that’s going to be a big entry point for a lot of malicious campaigns.”

Educating team members about cyberattacks such as phishing – and encouraging them to keep up their guard even when they’re working from home – is important, Bugal says. As is maintaining a line of defence that people often don’t take seriously enough: keeping apps and operating systems up to date.

“Patch early and patch often. Don’t ignore the update box that pops up in front of you.”

For 24/7 threat hunting, detection, and response delivered by an expert team as a fully-managed service, visit www.sophos.com/en-us/products/managed-threat-response.aspx