The Johnson Papers || Developing Cyber Security
We are delighted to release the latest instalment of The Johnson Papers.
The Escalating Threat of Cyber-Attacks
The advance of digital technology in business is proceeding at an exponential pace, as all enterprises and business activity become supported by digital networks (see the Johnson Paper on Digital Innovation in Business). This digital transformation has greatly enhanced the efficiency and capacity of business, but it is not without its dangers. As the number and density of digital networks increase, the continual risk to cyber security becomes greater. Cyber risk is a constant, unpredictable and dynamic risk.
While many cyber-attacks are the work of common criminals, there is sometimes a toxic mix of private financial motives and foreign state actors with more sinister intent. The extensive development of malware as in Ransomware products makes it feasible to maintain frequent cyber-attacks even when cyber-defences are being introduced. The losses caused by cyber-attacks can include financial loss, business interruption, loss of reputation, operational loss of data or software, and loss of intellectual property.
“Cyber security risk is the probability of exposure or loss arising from a cyber-attack or data breach on an organisation, which may result in financial harm, disruption or reputational damage” (Tunggal 2022).
Cyber-attacks can come from anywhere in the world, and can involve direct theft, fraud, or extortion, as in ransomware. The apparent anonymity of the criminals involved makes the exercise more sinister, and the merciless character of the transactions even more disturbing. The attacks can come through the use of information technology software, networks or hardware.
The Alarming Statistics of Cyber-Crime
The rising figures on cyber crime are worrying. The Actuaries Institute (2022) reports 623 million ransomware attacks in 2021 internationally, with 20 ransomware attacks occurring every second. In Australia a cyber crime is reported every 8 minutes, and the reported losses in 2021 amounted to $33 billion. In the UK, the Government reported that 46% of businesses had suffered a cyber attack in the last 12 months.
These attacks affect all enterprises: small businesses, large corporations and government services. Initially the targets of cyber-crime were data-rich organisations such as retail, health and financial services. Now attackers are targeting vulnerable industries such as manufacturing, food and energy. In 2022 the NAB bank was subject to 50 million attempted cyber attacks a month, and the ATO to 3 million a month. Optus and Medibank both experienced cyber-security disasters which badly harmed their customer base. In one survey conducted by the ANU in 2022, almost one third of Australian businesses reported that they had been exposed to a data breach in the previous 12 months (Biddle et al 2022).
What Motivates Cyber Attacks?
There are many different motivations for cyber attacks beyond simple theft. An expert in the field, Tim Rains (2020), has catalogued the motivations of cyber attackers as:
How Cyber Attacks Succeed
While technological advances may help in preventing cyber-attacks, the human element is critical, and an IBM study indicates that the majority of cyber security breaches occur due to human error, as in phishing attacks (WEF 2022). There is a constant evolution of cyber crime as new methods are employed to extract greater amounts, as in the recent frequency of ransomware activity. Cyber criminals have proved resourceful in continuously evolving new techniques (Actuaries Institute 2022).
Email phishing now accounts for as much crime as Remote Desktop Protocol (RDP) compromises (which allow criminals remote access to a system over a network connection). Cryptocurrency has provided them with a currency to ply their trade in anonymity. Ransomware as a Service (RaaS) now opens up the possibility for hackers to obtain state-of-the-art malware, while the malware developers stay remote from the resulting cyber-crimes, and the malware is continuously updated to evade detection. (Finding talent where they can, the FBI and other law enforcement agencies have drafted in ex-hackers to help in the fight against crime.)
The methods of the cyber criminals have moved from stealing information to sell, to disrupting a company’s services to extract ransoms. The recent refusal of Optus and Medibank to deal with the cyber criminals will have set them back significantly, but millions of customers feel their personal identity has been compromised.
Trends in Cyber Threats
The key threats going forward recognised by the Australian Cyber Security Centre (ACSC 2021), include:
Exploitation of the Pandemic – the targeting of individuals with phishing, and major health services, trying to access sensitive information about the response to covid.
Disrupting essential services – targeting essential services (health, food, energy) and critical infrastructure (energy, water, airports).
Ransomware – with a growing sophistication of dark web tools and extortion methods, disrupting professional and scientific organisations and healthcare and social services.
Supply chains – hackers exploit widely used software products and services to gain access to a vendor's customers.
Business email compromise – cyber criminals are exploiting the increase in remote working across business and government with the average loss per event significantly increasing.
Cyber Risk Management
For corporations, cyber risk has now become their number one risk management concern (Airmic 2021). There is an unnerving uncertainty about where responsibility for cyber security should sit in distributed network ecosystems (Olyaei 2022). Nathan Wenzler, chief security strategist at Tenable, emphasises that data security is a continuous, whole-of-business process. “You will forever be managing cyber risks, just as you do legal and financial risks,” he says. “You will adjust as the threat landscape changes, the technology changes, the laws change and your own business changes. That’s why you adopt a risk management approach to it” (Mudditt 2022).
The joint AICD-Cyber Security Cooperative Research Centre Cyber Security Governance Principles were launched on 22 October 2022.
At the event Melinda Conrad said,
“The cyber threat environment is dynamic and constantly evolving, often at a much faster pace than other operational risks an organisation faces. It is for this reason that oversight of cyber risk warrants an elevated focus by the board, and directors should be continuously looking for ways to uplift their skills and knowledge and identify where external help may be needed.”
Government Cyber Policy
By many accounts Australia has not responded as forcefully as it might to the systemic threat of cyber-crime, compared to other advanced economies. The Australian Government Minister for Home Affairs, Clare O’Neil, in December 2022 stressed that we need better cyber-security as we prepare for more attacks, and announced the formation of a joint Australian Federal Police and Australian Signals Directorate task force “permanently focused on hunting down people seeking to hack our systems, and hacking back.” This is part of a 36-country Counter-Ransomware Initiative. What is intended in Australia is to enlist everyone into better cyber-security, strengthening critical infrastructure and networks, and building sovereign cybersecurity capabilities – going after the hackers and closing them down.
Australia, like other countries, urgently needs to fill the qualified cyber-security skills gap, since 8 in 10 breaches are attributed to a skills shortage in defending organisations. From boards of directors to every level of business activity, including small enterprises, we need to become better informed of the risks of cyber-attack and the most effective means of cyber security.
Specialist cyber-security skills are required in large organisations, but everyone has to be informed of the existential dangers posed by cyber-attacks as part of their work and life experience. All of the major universities now run cyber-security short courses, and more specialist training programs are available.
The essential issues of cyber-security include:
Mission Critical Assets – Essential data that has to be protected; for example, in the health services it is Electronic Medical Records (EMR), in finance it is customers' financial records.
Data Security – The controls in place to protect transfer and storage of data, and the back-up measures to prevent the loss of data including encryption and archiving.
Endpoint Security – Protection at the endpoints, that is the user devices (mobiles, desktops and laptops), to ensure they are not susceptible to data breaches, extending protection across networks and the cloud.
Application Security – Security that controls access to applications and access to data assets, including the security of the applications in use.
Network Security – Security to protect the business network and prevent unauthorised access, with regular updating with the necessary patches, encryption, and the disabling of unused interfaces and networks.
Perimeter Security – Ensuring physical and digital security methods protect the business as a whole with effective firewalls protecting the business network against external attack.
Human Management – Managing controls and ensuring up-to-date information on phishing and other invasive techniques, maintaining real-time alertness to threats and malicious software (MicroAge 2022).
The State of Play
It is now clear that both business and government need to take cyber-security more seriously. The cyber-criminals are becoming over-confident, as in the hacking of the AICD online event to launch the new Cyber Governance Principles on 24 October, which caused the cancellation of the event. Both government and business recognise it is time to move on to the front foot and adopt systemic approaches to prevent cyber-crime, and to effectively pursue the perpetrators. Internationally this is being done, and cyber-crime organisations are being closed down.
For the present, we all have to remain on high alert and active in ensuring effective security in our digital networks to prevent those who seek to subvert them. The great potential of the new digital universe is still achievable (see the Johnson Paper on Digital Innovation in Business).
Thomas Clarke is a Fellow of the Royal Society of Arts, and editor of the Cambridge University Press Elements in Corporate Governance book series. Formerly he was Professor and Director at the UTS Centre for Corporate Governance.
References

Actuaries Institute (2022) Cyber Risk and the Role of Insurance, Green Paper, September 2022
AICD-Cyber Security Cooperative Research Centre (2022) Cyber Security Governance Principles
Airmic (2021) Our World Has Changed Forever – The Airmic Perspective, Annual Survey 2021
Australian Cyber Security Centre (ACSC) (2021) ACSC Annual Cyber Threat Report – 1 July 2020 to 30 June 2021 https://www.cyber.gov.au/sites/default/files/2021-09/
Australian Government (2022) The Hon Clare O’Neil MP, Home Affairs and the Long View – National Press Club Address, 8 December 2022
Australian Government (2023) 2023-2030 Australian Cyber Security Strategy, Discussion Paper, Australian Government
Biddle, N., Gray, M. and McEachern, S. (2022) Public Exposure and Responses to Data Breaches in Australia: October 2022, ANU Centre for Social Research and Methods
Bourlioufas, N. (2022) ‘Cyber shortages drive higher pay and new demand for education’, Australian Financial Review, 4 May 2022 https://www.afr.com/work-and-careers/education/cyber-shortages-drive-higher-pay-and-new-demand-for-education-20220503-p5ai28
Fortinet (2022) Cybersecurity Skills Gap https://www.fortinet.com/content/dam/fortinet/assets/reports/report-2022-skills-gap-survey.pd
Institute of Actuaries of Australia (2022) Cyber Risk and the Role of Insurance, Green Paper, Actuaries Institute
MicroAge (2022) Cybersecurity Layering Approach, MicroAge https://microage.ca/cybersecurity-layering-approach/
Mudditt, J. (2022) Constant Vigilance, Australian Institute of Company Directors, 1 December 2022
Mudditt, J. (2022) Putting Cyber Governance Principles to Work, Australian Institute of Company Directors, November 2022
Olyaei, S. and Mandy, C. (2022) Predicts 2022: Cybersecurity Leaders Are Losing Control in a Distributed Ecosystem, Gartner https://www.gartner.com/doc/reprints?id=1-29FBE5ZT&ct=220317&st=sb
Rains, T. (2020) Cybersecurity Threats, Malware Trends, and Strategies – Mitigate exploits, malware, phishing, and other social engineering attacks, Packt
Tunggal, A.T. (2022) What is Cybersecurity Risk? A Thorough Definition, UpGuard https://www.upguard.com/blog/cybersecurity-risk
World Economic Forum (2022) The Global Risks Report 2022 https://www3.weforum.org/docs/WEF_The_Global_Risks_Report_2022.pdf