Defences up after 2017 lesson learned
Hackers have commoditised the machinery of locking out a business from its own information.
With ransomware tools and other tricks of the trade readily available over the dark web, holding an organisation hostage is easier than ever for cyber criminals. Fuelled by the twin trends of encryption and bitcoin, hackers have commoditised the machinery of locking out a business from its own information.
It’s easy money for hackers because in most cases the victims are willing to pay the ransom, usually in bitcoins. Refusing to negotiate is often not an option, as cardiology private practice Melbourne Heart Group found out the hard way earlier this year.
In February, hackers bypassed the organisation’s security but instead of stealing patient data they encrypted 15,000 or so files, scrambling the information to render it useless.
The attack is still under investigation. Given the sensitive nature of the data, Melbourne Heart Group reportedly paid the ransom, as most organisations do when they are hit with ransomware.
As a trend, ransomware is coming off its peak, according to Ernst & Young lead partner for APAC Cybersecurity Risk Richard Watson, but there’s no room for complacency.
Ransomware peddlers made 2017 a year to remember as WannaCry and NotPetya cut a swath through networks across the globe. NotPetya took out Cadbury factories in Tasmania and Victoria and law firm DLA Piper’s Australian operations were knocked out as well.
WannaCry infected traffic cameras across Victoria.
Things could have been worse but Watson says it put ransomware on the radar of boardrooms and since then the frequency of business ransomware attacks has lessened.
According to a survey from North American cybersecurity company Checkpoint earlier this year, just 4 per cent of businesses were hit by ransomware last year, down from 48 per cent in 2017.
But it’s still a guaranteed money-maker for hackers and Watson says small businesses have to be especially careful to make sure their safety procedures are up to scratch.
Watson says: “I was in plenty of boardrooms in 2018 and it was all about ransomware.
“I think that’s because people are alive to it after the big 2017 attacks.
“A lot of the remediation and defences were strengthened, particularly around patching of systems, which was the big hole that WannaCry and NotPetya took advantage of.”
Tim Moylan, chief technology officer and co-founder of Shootsta, an Australian video production start-up, says WannaCry and NotPetya changed the tone of the conversations the company was having with big clients and in pitch meetings for new business.
“Fortunately, none of our company relationships have been threatened because we’ve taken proactive measures to ensure we can meet any cyber security requirements of our clients,” Moylan says.
Shootsta’s client list includes BHP, Qantas, Coles, Samsung and Visa.
“We complete regular third-party penetration tests, which give both us and our clients the ability to pinpoint any flaws in our system that require remediation,” Moylan says.
The next layer of security for a smaller business is to behave like its clients and look at its own third-party providers to make sure they are keeping up with their security requirements as well, which Shootsta does.
“The next step beyond this would be to hire an internal specialist, dedicated to ensuring best practice across the company,” Moylan says.
The publicity of WannaCry and NotPetya has galvanised the business community to mitigate the risk and Watson says ransomware is now a service people can buy on the dark web.
“So you don’t have to be some super nerdy boffin to hack into a big company. You can buy it effectively (for about $10),” says Watson.
“This creates an asymmetry of the playing field.
“If I want to attack, I can send one million emails. Only one has to work.”
The Australian Cyber Security Centre provides a list of steps for all businesses to use to minimise their ransomware risk, including keeping up to date with patches, installing updated antivirus and anti-ransomware software, minimising clickbait, backing up systems and disabling macros in Microsoft Office.
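One of those steps, disabling Office macros, can be enforced rather than left to user choice. The following PowerShell is an added example, not from the article or the ACSC; it assumes Office 2016/2019/365 (registry version 16.0) and writes to the Group Policy-backed Policies hive, which users cannot override from the Trust Center.

```powershell
# Added example: enforce and audit Office macro blocking for the current user.
# Assumption: Office registry version 16.0 (Office 2016/2019/365).
$apps = 'Word', 'Excel', 'PowerPoint'

foreach ($app in $apps) {
    $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }

    # VBAWarnings: 4 = disable all macros without notification;
    # use 3 instead if digitally signed macros from a trusted publisher are needed.
    Set-ItemProperty -Path $key -Name VBAWarnings -Value 4 -Type DWord

    # Block macros in files carrying Mark-of-the-Web (downloaded or emailed),
    # which is the delivery path the "minimise clickbait" advice is guarding against.
    Set-ItemProperty -Path $key -Name blockcontentexecutionfrominternet -Value 1 -Type DWord
}

# Audit: report the effective values so the change can be verified or logged centrally.
foreach ($app in $apps) {
    $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
    Get-ItemProperty -Path $key |
        Select-Object @{ n = 'App'; e = { $app } }, VBAWarnings, blockcontentexecutionfrominternet
}
```

In a domain, the same values belong in a Group Policy object rather than a per-user script, so the setting is applied consistently and reported on from one place.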
In March last year, the federal government passed the Critical Infrastructure Act, which Watson says provides a framework under which more concrete steps can be written for each industry.
Industries with the most to lose, usually those with the least capacity to endure downtime, such as power and media, have been the quickest to respond to the threat.
The real challenge is for the many companies with legacy IT systems, which have been left alone because the risk of upgrading them is too high. More guidance will be needed.
“We’re probably likely to follow the US route, where the critical infrastructure protection legislation became quite specific,” Watson says.
“It actually spawned a whole new cybersecurity framework that allows a broad range of companies to improve their posture in this particular sector or face massive fines.”
These fines are in the order of $US50 million ($70m). But UNSW professor Greg Austin, deputy director of Canberra Cyber, says Australia could be a decade behind the US in terms of its cybersecurity policy and standards.
Watson puts a time frame on it of five to 10 years.
“It’s a bit of a journey to go on,” he says.
To find out more, go to fraudwatchaustralia.com.au