2020 has seen a number of Australian organisations impacted by malicious cyber attacks, and the OAIC’s most recent report has found that 61 percent of notifiable data breaches reported in the first half of the year resulted from malicious or criminal attacks.
The Federal Government has released a new Cyber Security Strategy, announcing Australia’s largest ever investment in cyber security and giving clear warnings of the increased risk of cyber attacks. It is now looking at cyber, privacy and data related legislative reform that will apply to both critical and non-critical business.
With other reforms already being planned to the Privacy Act 1988 (Cth), the economic and social impacts of the COVID-19 pandemic, and new rules for data sovereignty being considered, it is an opportune time for business to actively engage in a review of our current laws and how we manage data protection and privacy in Australia.
We take you through how the cyber security landscape is changing and what it means for your organisation.
1. Those who may not expect to be targeted are also at risk
The level of cyber risk for all organisations, including those that may not expect to be targeted, has increased. This is reflected in Australia’s new Cyber Security Strategy, the level of investment by the Federal Government and the insights provided recently by the OAIC.
2. High-profile incidents call for a re-evaluation of perceived risk
Many organisations recognise a cyber incident as a high-impact event, but may assess the likelihood of such an incident occurring as low. The Government has provided a clear message that this approach needs to be reconsidered. We have seen a number of high-profile incidents in Australia over the last six months. These include government agencies and businesses that may not have been seen as obvious or valuable targets, yet have been seriously impacted.
3. Simple security and response plans won't be enough in the new normal
This increased threat environment is now the new normal, and a simple security plan combined with a standard data breach response plan is unlikely to be enough going forward. The Federal Government’s recommendations and the lessons learned from the range of cyber incidents in 2020 provide a prompt for all organisations to reassess their cyber resilience and incident readiness.
4. Prevent, detect, contain and respond
We may not always be able to stay ahead of the threat actors who are becoming increasingly sophisticated, but the capability to prevent, detect, contain and respond to cyber incidents like a ransomware attack must now be a core business competency.
5. There is more at risk than data
These attacks may impact an organisation’s data, but can also impact its staff and operations and those of its customers and suppliers.
Preparation is key
- understand and map your organisation’s data, IT environment and third party interfaces
- understand the potential operation and supply chain impacts of an incident
- continually focus on information and cyber security, and consider security controls such as two-factor or multi-factor authentication, patching, scanning tools and encryption
- ensure your capability to respond to a cyber incident – with clear roles and responsibilities, escalation points and a detailed playbook.
Insights from the OAIC
- 61% of data breaches are malicious or criminal attacks
- Social engineering or impersonation contributed to a 47% increase in data breaches
- 22% of notifications come from the health sector
- Motivation behind attacks may be to extract as well as encrypt data
- Many businesses are reportedly paying attackers to recover data
The Office of the Australian Information Commissioner (OAIC) Notifiable Data Breach Report (NDB Report) for the period 1 January to 30 June 2020 provides some helpful insights. Across all industry sectors, malicious or criminal attacks remain the leading source of data breaches, comprising 61 percent of all notifications. Phishing and compromised or stolen credentials were the main causes, followed by ransomware attacks and then brute-force attacks, with social engineering or impersonation contributing to an increase of 47 percent in data breaches. The impact of the COVID-19 pandemic has meant individuals are more vulnerable to phishing attacks and to disclosing their credentials.
The health sector also continues to produce the largest number of notifications at 22 percent, followed by the finance sector (15 percent), education (8 percent), insurance (7 percent) and legal, accounting and management services (5 percent). Both the health and finance sectors’ leading causes of data breaches were malicious or criminal attacks.
The NDB Report noted that recent media reporting highlighted the increase in ransomware attacks and expressed concern that there is growing evidence that the motivation may be to extract data as well as encrypt it. The OAIC indicates this will have an impact on how businesses assess whether there are reasonable grounds to suspect that an eligible data breach has occurred as a result of identifying ransomware in their environment. Apart from having to go offline and possibly rebuild their networks in order to contain the impact, many businesses are reportedly paying attackers amounts ranging from thousands to millions of dollars to recover their data in response to blackmail threats, as the cost of recovery is considered to outweigh the ransom demanded. However, depending on the type of malware used, they still face the prospect of their data also being stolen and disclosed against them or sold on the dark web, with the potential to also harm individuals whose personal information is included.
Warning of the increase in breaches due to ransomware, the OAIC is encouraging businesses to:
- comprehensively understand their data, its location and lifecycle
- consider controls such as network segmentation and additional access controls
- use encryption.
Australia’s 2020 Cyber Security Strategy and investment
The themes from the NDB Report reflect the earlier messaging from the Federal Government in a statement released by the Prime Minister on 30 June 2020, Nation’s Largest Ever Investment in Cyber Security. This announced the Federal Government’s largest investment in cyber security, enabled by a $1.35 billion funding boost over the next decade through its ‘Cyber Enhanced Situational Awareness and Response’ (CESAR) package. This seeks to enhance cyber security capability and assistance to Australians through its key cyber agencies, the Australian Signals Directorate (ASD) and the Australian Cyber Security Centre (ACSC).
In light of increasing cyber threats from a variety of sources and lessons being learned from the COVID-19 pandemic, the Federal Government’s primary aim is to protect the national economy, security and sovereignty as we become a more digitally based economy and society. As part of this package, the Government will invest in increasing cyber security workforces, assisting national law enforcement agencies, platforms to enable threat monitoring and information sharing, and research into emerging technology.
A new strategy
Following extensive consultation and submissions, and with support from an Industry Advisory Panel, the Federal Government has also now released Australia’s Cyber Security Strategy (Strategy), on 6 August 2020. The Strategy replaces the 2016 strategy and provides for $1.67 billion in funding (including the CESAR funding) towards initiatives aimed at enhancing Australia’s cyber security as a foundation for transitioning to a digital society. The new Strategy seeks to create a more secure world for Australians and businesses, ensuring cyber readiness becomes a fundamental part of everyday life.
Defining a cyber incident as ‘a single event or a series of events that threatens the integrity, availability or confidentiality of digital information’, the Strategy reports that in the last financial year, the ACSC responded to 2,266 cyber security incidents, or a rate of nearly six per day.
Three pillars of action
While a central part of the new Strategy is ensuring that businesses take responsibility for enabling cyber security and proactively secure their products and services, the Government has identified three pillars of action to support the Strategy. These are:
- to combat cyber-crime, including on the dark web, support businesses to meet cyber security standards and share threat information
- to improve baseline security for critical infrastructure, grow a skilled workforce and ensure their products and services are cyber safe
- to access guidance, make informed product purchases and report cyber-crime.
Regulatory reform – cyber, data and privacy
The Government has identified that this will also mean strengthening Australia’s regulatory structure and infrastructure to enable government and business to respond to these threats. This will be based on principles-based outcomes, supported with guidance and advice having regard to the risks and circumstances in each sector. The enhanced regulatory framework will first be delivered through:
- Amending the Security of Critical Infrastructure Act 2018, for critical infrastructure and systems of national significance. This will expand the framework to include other critical sectors and impose obligations on owners of regulated critical infrastructure assets, including further cyber-specific obligations.
- Releasing a voluntary Code of Practice: Securing the Internet of Things for Consumers for businesses as a principles-based guide to the use and cyber security of internet-connected devices. The Australian Government will continuously assess whether consumers are able to make informed decisions regarding products and services and, if the Code is not considered sufficient, will establish a Cyber Security Best Practice Regulation Task Force to work with businesses and international partners in order to protect consumers.
Further, to assist in reporting incidents, the Australian Government is investing $58.3 million to enhance customer engagement and $12.3 million to further develop the cyber security helpdesk for SMEs and families. This includes improvement of the online ReportCyber incident tool to provide businesses with support and advice when reporting, responding to and recovering from a cyber incident.
The Australian Government has also announced, as part of its Strategy, that it will consult with businesses to consider further legislative reform that sets national baseline cyber security requirements for those that are not critical infrastructure, as well as options to recover the cost of meeting this baseline. This consultation process will include consideration of:
- privacy, consumer and data protection laws
- duties for company directors and other business entities
- obligations on manufacturers of internet-connected devices.