Health data ‘most vulnerable’ to cyber hack attack, says Proofpoint CEO Ashan Willy
Healthcare has become the most vulnerable sector to cyber hackers, with attacks on the personal health records of children carrying lifelong consequences.
Healthcare has become the most vulnerable sector to cyber hackers, with attacks on the personal health records of children carrying lifelong consequences, according to the chief executive of one of the world’s biggest cyber security software providers.
Proofpoint chief executive Ashan Willy revealed his private equity-backed group, the second-largest vendor globally in the highly fragmented Data Loss Prevention (DLP) market behind Forcepoint, was currently setting up its first data centre in Sydney to spearhead its expansion into the local healthcare market. A second one is planned for Melbourne later in 2023.
He said while governments and the finance sector had invested significantly to bolster cyber security for targets such as critical infrastructure and payments systems, the healthcare sector had focused its technology spend on devices and digitising medical records, while spending less on security.
“The data they have is very important to bad actors. You can essentially get a profile of a human as a person from a healthcare organisation. If you think about the impact that can have on a child, they will have to live with that information being out in the ether for the rest of their lives. Every one of these people are victims,” he said in a wide-ranging interview with The Australian during a visit to Sydney, his first since the onset of the Covid-19 pandemic.
“One of the issues here is you have so much information. In the last four to five years we have become the number two vendor in data loss prevention and the number one player in the insider threat market, or how we look at and protect data leaving once a bad actor gets into a system. That started for us from the healthcare sector. There is a real opportunity here for us in healthcare in Australia. It is one of the reasons we are putting data centres here, it allows us to move into that market.”
Mr Willy said healthcare professionals in Australia were facing the same cyber security threats as their peers globally and retaining medical records data onshore would provide an additional layer of privacy protection for Proofpoint’s local clients.
Australian healthcare providers are required to adhere to Australian privacy laws, which can be more challenging if the data is stored on a cloud server in another country. Mr Willy’s comments come after last year’s attack on private health insurer Medibank by Russian hackers saw the leaking online of the personal details of 9.7 million current and former customers.
The firm is now defending a class action by law firm Baker & McKenzie, funded by Omni Bridgeway. Maurice Blackburn, Bannister Law Class Actions and Centennial Lawyers are investigating making a separate claim.
Large-scale data breaches in Australia jumped 33 per cent in the first six months of 2022 before the Medibank hack and the earlier attack on telecommunications giant Optus, according to data from the Office of the Australian Information Commissioner.
A recent report, released by Cognitive Market Research, found the Global Data Loss Prevention Market size is projected to grow by over 20 per cent over the next seven years to be worth $US56.28bn ($81.8bn) by 2030.
Proofpoint, which already has a significant presence in Australia, analyses daily more than 2.6 billion email messages, 49 billion URLs, 1.9 billion attachments, 28.2 million cloud accounts and over 500 million events associated with potential data loss worldwide.
The firm, founded in 2002, went public a decade ago and now generates over $US1bn in annual revenue. In 2021 it was the subject of the largest-ever privatisation of a cyber security firm, when acquired by private equity group Thoma Bravo in a deal valued at $US12.3bn.
The firm, in collaboration with research firm Cybersecurity at MIT Sloan, recently surveyed 600 board directors from around the world inviting them to share their experiences and insights on cyber security.
The survey found only 58 per cent of Australian board members saw cyber security as a top priority – the least of all 12 countries surveyed – while just 54 per cent of local directors were confident in their board’s understanding of systemic risks from cyber threats, the second-lowest of all countries surveyed.
Only half of the Australian directors surveyed felt their companies should be required to report a material cyber attack to regulators within a reasonable time frame, while only 66 per cent expected to increase their cyber security budget in the next 12 months. Both were the lowest results of any market surveyed.
“For a CISO (chief information security officer) to be able to do their job, they need the support of the board. There is clearly an education gap that Australia needs to close,” Mr Willy said.
“Depending on the industry, directors may view other things as more impactful. For example, safety might be the number one risk. Or they have confidence in their security posture. Some of the board members may also not be aware of how sophisticated some of these attacks can be.”
He added some of the larger companies in Australia were “quite mature, forward thinking and very open to preventing these attacks”. “They are also much more conscious of geopolitical attacks. They are very attuned to that,” he said.
Yet while state-sponsored attacks generate significant headlines globally, Mr Willy said they represented less than 5 per cent of the overall threat landscape.
“China is on our radar but we have culprits all over the world, including Iran, Russia, North Korea. It also becomes harder to attribute today than it ever was. Because the bad actors are using cross-pollinating tools. They sell tools to another actor, then another uses a different distribution method,” he said.
While Proofpoint offers a range of security and compliance services, the California-based company made its name in email security.
It still believes that human nature and mail attachments are the root of many corporate attacks.
“The reality is bad actors want to find the easiest way to get into the organisation and the easiest way is to get in through people. We fundamentally believe that security is a people problem. It is not about super-cool computers,” Mr Willy said.
Multi-factor identification has emerged in recent years as a major control for stopping identity fraud. But Mr Willy said the hackers had evolved their tactics to get around such checks.
“We saw the rise in the past year of a multi-factor identification bypass kit. We are tracking 2000 of these kits globally. They can sit in the middle of your authentication and steal your key. You are going to continue to see new ways to do that,” he said.
“Another trend, tied to human behaviour, is that with the current economic headwinds you will see more people leaving organisations involuntarily and you will see more disgruntled users wanting to take information. It started in Covid-19. I think you will see a lot more insider threats.”
Premiums for cyber insurance have skyrocketed in recent years and many major insurers are cutting back their exposure to the space, which Mr Willy expects to continue.
“Everyone thought cyber insurance was a panacea three years ago. But a lot of these insurance companies don’t understand the risks in cyber. If there is an industry wide vulnerability or a sophisticated state actor, they say we can’t cover that. Premiums have gone up because of ransomware claims,” he said.
“Cyber insurance will play a part but not as big a part as we thought three to four years ago. It has become a math equation for the insurance companies — it becomes too risky to insure.”
More Coverage
