Cyber attacks on Australian organisations rose by 20 per cent in 2014, according to the Australian Signals Directorate, a timely reminder that cyber threats are growing. Moreover, the Australian Crime Commission reported in June this year that Australians lose about $110,000 every hour to cyber criminals, or more than $2.6m every day.
This demonstrates how serious cyber security is for every business. As such, it is critical organisations are aware of the growing risk of cyber intrusions and are actively putting in place steps to reduce this risk.
At Marsh, we have observed many rising threats, including criminals targeting data by stealing or disclosing personally identifiable or financial data, modifying or corrupting data or blocking legitimate users’ access to data. However, external threats from hackers are just some of the risks about which organisations need to be aware. Many perils are actually internal.
For instance, a culture of trust within an organisation’s workforce, traditionally thought to be a benefit, now creates a threat. Many high-quality phishing emails appearing to be legitimate correspondence from banks, the ATO and other trusted sources may inadvertently be opened by employees, exposing the business to hackers. Therefore, employees must be trained to spot and delete such communication to thwart the intended intrusion.
Some of the other internal risks are known as ‘man in the middle’ intrusions. These are where attackers electronically eavesdrop on email conversations undetected and alter communication between parties who believe they are writing to each other in confidence.
Aside from emerging cyber security threats, the legislative environment is also changing the nature of cyber risks. It was anticipated mandatory data breach notification laws would be in place by the end of 2015. While this did not happen, the recommendation for data breach notifications by the Joint Parliamentary Committee on Intelligence and Security remains. As such it is expected that data breach notification legislation will be introduced to Parliament in 2016.
Additionally, the advent of the Internet of Things (IoT) is introducing new cyber perils. For instance, it has been reported the majority of cars stolen in France are targeted using electronic hacking.
Indeed, anything connected to the internet could be targeted by hackers. Worryingly, it’s likely many businesses are overlooking vulnerabilities in devices such as printers, video conferencing equipment and thermostats.
While many organisations now understand potential cyber threats expose them to financial, regulatory and reputation repercussions, many don’t appreciate some of the other, more serious consequences of a cyber intrusion. For instance, ratings agency Standard & Poor’s has noted a major cyber-attack on a financial institution could put its credit rating at risk.
It’s important for organisations to explore ways to protect their electronic ramparts in light of the growing risks around cyber. As part of this it’s important not to overlook third party vendors or customers when it comes to cyber security. As an example, it was determined that the massive Target breach in December 2013 originated through a vulnerability in an air conditioning contractor’s system.
It’s also essential to seek assurances from third party vendors or customers on their level of cyber security resilience and ask for a Cyber Insurance Certificate of Currency from them. You may also be asked to provide documentary evidence your organisation purchases cyber insurance.
While we are still developing a detailed understanding of the full spectrum of threats to Australian networks, a number of trends will manifest globally in the near future, as outlined in the Australian Cyber Security Centre Threat Report 2015. Importantly, the number of cyber criminals, and their sophistication, will increase, making detection and response more difficult. We also expect incidences of spear phishing will continue to grow and the use of ransomware will continue to be prominent.
It’s also expected there will be an increase in the number of cyber adversaries with a destructive capability and, possibly, the number of incidents with a destructive element. There will also be an increase in electronic graffiti, such as web defacements and social media hijacking.
What this shows is that cyber intrusions are a growing and increasingly complex peril businesses must face. It’s essential for every organisation to recognise this and put robust mitigation strategies in place to reduce the risk of a cyber threat undermining or even destroying their businesses.