Our first episode of Behind Business for 2021 discusses one of the most serious issues facing businesses and individuals today – cyber security. Featuring cyber and digital forensic expert and KordaMentha partner Brendan Read, and cyber risk and claims adviser Andrew Miers from HWL Ebsworth Lawyers, the episode discusses the current threats facing organisations and what they can do to avoid becoming the next cyber-attack victim.
Sean Aylmer
Welcome to Behind Business, the podcast where KordaMentha experts
discuss the most pressing issues facing business today. I'm
Sean Aylmer, an economist and journalist for 25 years, and host of
the Fear and Greed daily podcast. If we weren't dealing with a
once-in-a-century pandemic, cyber security would be one of the
biggest issues making news. It is undoubtedly among the great
challenges of the next decade. And as our use of technology and the
daily interaction of tech and everyday living grows, it will become
even more so. There has been government and private funding to
bolster our defenses against cyber-attacks, but the threat is
constantly evolving so those defenses need to evolve too. The
criminals involved, sometimes state sponsored, are always finding
new ways of initiating cyber breaches. Today, we're going to
discuss the history of cyber security, where we are now, where we
might be headed, and what we need to look out for.
We have two experts in this edition of the Behind Business podcast. Brendan Read is the KordaMentha partner specializing in cyber digital forensics. And to help us navigate the legal perspective, we have Andrew Miers, partner at HWL Ebsworth. Welcome to you both.
Brendan Read
Thank you.
Andrew Miers
Thank you very much.
Sean Aylmer
Brendan, starting with you, how big a problem is cyber
security?
Brendan Read
Yeah. Sean, look, it's a really big problem. Any organization,
whether big or small, whether it's a government entity, no
one's immune to the threat of cyber risks. And going back from
my time in the police even, early 2000s, I was constantly seeing a
number of cyber incidents that were happening to business back then
and that risk has just continued to grow and build on momentum. And
as you see now, we're facing a really tough scenario of trying
to deal with these cyber threats that are coming not only from a
domestic front, but international.
Sean Aylmer
You just mentioned that when you were in the police force, quite
a few years ago, it was around. So, cyber threats have been around
for a long time, are they just more prevalent now, Brendan?
Brendan Read
I think definitely more prevalent. There's a lot of sharing of
information of how to do these types of attacks, so a lot more
having a go at doing this type of activity. And I think it's
just a lot more advertised and educated to organizations and
people. So they're becoming more aware that, that threat
actually exists. And obviously, more people are becoming victims of
it, word is getting out.
Sean Aylmer
Andrew, how much damage can cyber crime do?
Andrew Miers
Yeah, Sean, look, I think it's probably fair to say, it can do
quite a significant amount of damage, so much so that it can even
put a business out of business altogether, and there have been some
instances where that has occurred. The damage is multi-factored.
There's the costs of actually responding to an incident and
getting new external advisors to help remediate and fix it. There
can be regulatory costs of having to comply with regulation around
notifying data breaches to customers and so forth. But also,
there's a significant reputational cost. And I think what
we're seeing, increasingly, is that cyber incidents are hitting
the headlines and they're now front-page news. Something that
wasn't really in public discussion 10 years ago, is on the
front pages of the papers on a regular basis now. So when a company
has a cyber incident, sometimes the most significant damage is that
reputational harm.
Another impact is just business interruption losses. And I think for a lot of companies, that's where the impact is felt. If they're offline for a period of time, whether it's a few days or even possibly a few weeks, they might not be able to trade or earn revenue during that time and they may suffer business interruption losses in much the same way that companies traditionally did when, for example, their premises burnt down. Now, it's sort of the equivalent of your online presence burning down and having an impact on your profits.
Sean Aylmer
Yeah, Andrew, just staying with you, and you talked about it then.
So we have a professional cyber security industry, and that's
about protecting people, but then there's also the costs of
remediation and kind of looking after people when harm is done.
I'm trying to get a sense of how big the industry is in the
parts to it.
Andrew Miers
That's a good question, Sean. And it's sort of an emerging
industry and a growing industry. I think the figures around it are
that, five years ago, it was about a $2.2 billion industry in
Australia and it's projected to grow to about $6 billion by
2026. We've got the government sort of actually trying to
actively foster and encourage a standalone cyber security industry
and our home-grown one. I think what we've got to remember is
that, cyber is not solely about IT, it's just as much about
human behavior. And so, risk managers, insurance brokers, insurance
providers, even identity theft to harm, counselors, a lot of those
more soft skill type of things, it's probably self-serving, to
say so, but lawyers, there's a lot of players who provide
services in that space who aren't just focused on the IT
side.
Sean Aylmer
And Brendan, there were small and large companies involved, I mean,
being hit by cyber crime.
Brendan Read
Yeah, that's correct, Sean. And I see a lot of organizations
that are getting targeted, which are ones that tend to be dealing
with a lot of financial transactions. So, if I give you an example,
like a conveyancing solicitor, that's obviously doing the
groundwork in terms of sale of a property, but someone might just
go to the cheapest conveyancing solicitor they can get online and
they're just operating from their home, not a very
sophisticated set up in terms of their IT as a single operator, but
they're dealing with hundreds of thousands of dollars of
transactions, and they're a prime target for these hackers to
get access to that information and obviously try and divert any
sort of payments, so they can get access to those funds.
They're just targeting everyone, at any opportunity, where they can make money, where they can steal information, people's personally identifiable information. Everyone's a target. Obviously, at the smaller end, having the money to be able to implement an appropriate strategy to deal with these cyber threats is difficult, but equally so, at the top-end of the town, no one is immune to this risk, no matter what your systems are in place. You could pay for the top-end network intrusion protection and firewall protections, but those threats can still come through.
Sean Aylmer
It just seems to have the last, I mean, 2020 particularly, there
are some big firms, you know, the Reserve Bank of New Zealand, I think
the corporate regulator here, ASIC, they seem to be involved in
major attacks, sometimes by state players it seems. What were some
of the big attacks in the last two or three years that you've
seen, Brendan?
Brendan Read
Yeah, look, I think you've already touched on some of those
Sean. Obviously, Scott Morrison had announced that, I think it was
June, last year, that we had a wide range of political and private
sector organizations that were coming under cyber attack from what
he referred to as sophisticated state-based cyber actors. We've
obviously got really sophisticated and large groups targeting our
specific government and industries to cause as much damage as
possible. More recently, the data breach of Accellion, where it was
a third-party file sharing platform. And we're still seeing,
even today, more organizations that are still affected by that same
data breach that are now identifying that they're exposed from
uploading their client data into these platforms, and those getting
accessed by the criminals.
Sean Aylmer
It's just worth exploring that a little bit because that one
was a bit different, because rather than someone opening an email
they shouldn't have, it was actually, what was hacked was the
provider of the software, is that right?
Brendan Read
Correct. Yeah. So the way technology is moving, there's a lot
of cloud-based platforms that are now being taken up by
organizations from a cost and a productivity perspective, it makes
perfect sense, but then, also from a security perspective, it
becomes a risk that also needs to be managed. So, it's not
uncommon for any organization to use a third-party platform or
product to put their client data into, but you really need to
understand what that third party is doing around the security of
the data that sits in that product or platform. Like do they have a
dedicated security team that's monitoring? Are they constantly
looking at the vulnerabilities themselves in terms of their own
software? And what are they doing to rectify that? That really sort
of plays. And once a breach happens and a vulnerability is
identified, those organizations need to move extremely quickly to
fix those vulnerabilities, provide updates out to those clients to
obviously ensure that they're protected.
Sean Aylmer
So just, in that instance, people got an update, did the right
thing, but the actual problem was within the update, and therefore,
it infiltrated the system.
Brendan Read
Yeah, correct. That was in the SolarWinds attack that happened
where it actually infiltrated the updating software itself, so it
could deploy the malicious software onto each of the clients. So
yeah, causing a great risk.
Andrew Miers
And can I just add a few comments to that discussion? I think some
of the incidents that you mentioned highlight two key sort of
looming risks at the moment. One is, you mentioned the ever-growing
risk of ransomware. I mean, that's just becoming such a
problem. Ransoms a few years ago were quite small, but they're
just getting more severe.
Sean Aylmer
When you're talking about ransomware, it is literally a ransom
to unlock the data that they've got, is that right?
Andrew Miers
Exactly. Like in the old world, you kidnap someone and you
won't release them until a ransom is paid. And now in the new
world, the online world, you kidnap the data. You might encrypt the
data and the ransom needs to be paid in order to hand over the
decryption key or you might've taken data and you're
threatening to publish it online or release it, or do something
with it. And this is becoming... I mean, it's been a problem
for a few years, but I think in the last 12 months it's grown
exponentially.
Sean Aylmer
What are companies doing when they're receiving these ransom
notes effectively?
Andrew Miers
Well, very good question. I mean, if they've got good backups
that can sometimes assist with the issue and they'll go into
overdrive to restore everything based on their backups, and so not
have to, I guess, cave in to the demands of the ransom threat
actor. But sometimes, they might not have good backups or the
backups themselves might've been targeted and some companies
are having to grapple with this issue of whether or not to pay the
ransom, and it's a really difficult and tricky issue. It raises
potential, if not legal, at least ethical and moral questions
around paying criminals. And there's certainly a decreasing
tolerance for it. We've seen in the United States in the last
few months, the Department of Treasury have actually called out the
potential for breaching sanctions laws when paying a ransom and we
might see a similar move in Australia. So, it's a real dilemma,
do you pay the ransom and give into the criminals? Or potentially,
there's an impact on your business if you don't pay it.
Sean Aylmer
Yeah. I mean, because I'm sure in some cases, on a pure
financial sense, it does make sense to actually pay the ransom and
get the data back.
Andrew Miers
Yeah. I mean, the ransoms are getting quite big. They're often
seven-figure sums now, but even then, that can be cheaper than all
the costs involved in fixing things up.
Sean Aylmer
So we'd mentioned ransomware, and I'll just stay with you,
Andrew. Just quickly, can you run through the definitions of some
of these things? So denial of service, what's that one
about?
Andrew Miers
Well, denial of service is effectively where a threat actor floods
you with so much traffic, so to speak, that it causes your system
to clog up and it quite literally denies you a service. Sometimes
that's in conjunction with a ransomware threat, "If you
pay the ransom, we'll stop it."
Sean Aylmer
Phishing?
Andrew Miers
Phishing, yeah, this is a real problem. And this is phishing with
P-H, not with an F. It sort of is like fishing for information from
someone in that sense. Effectively, that involves sending an email
that purports to be from someone else or tricks you into thinking
that you're dealing with someone that you're not, and you
click on a link or you reply, or sometimes people even hand over
their credentials. So, phishing is often the route in to a broader
attack on a company.
Sean Aylmer
So Brendan, it's all about data at the end of the day. And is
it mostly about finding bank accounts? Or is it actually mostly
about other data in how people act and behave?
Brendan Read
Look, I think it's all types of data. Like Andrew was just
mentioning with the ransomware attack, they're just interested
in being able to get access to the data, locking it down or selling
it on the dark web if they don't have the ransom paid. But the
big risk for a lot of people is their personally identifiable
information, and that's where there's massive repercussions
and impacts on their personal lives, where you'll have their
driver's license details obtained, bank accounts created, loans
taken out, credit cards applied for, and causes nothing but grief
and pain to try and recover from something like that.
Sean Aylmer
So, Brendan staying with you, how do the criminals choose their
targets? Is it arbitrary or do they have favorites? Is it
businesses? Is it individuals?
Brendan Read
Look, it's a case of multiple ways. They'll just do their
own research and look for various businesses where they think they
can get access to it. Other criminals will be just probing networks
and searching for IP addresses that have open ports. So basically,
think of a house and it's like certain windows are being left
open and not protected, and they're just looking for those open
windows to come in. And once they're in, they can do all sorts
of damage. You touched on before, the malware, so they can upload
this malicious software. They can then basically take over total
control over the computers and servers in those environments, and
then just leapfrog from those infected computers to other areas
within the business, and obviously, exfiltrate data, they can
encrypt that data or just monitor activity.
Brendan Read
And that's probably a really interesting point around sort of
the actual average time that people are actually inside a network
during a data breach. And I think if, statistically speaking, I
know IBM has a statistic on it, that back in 2020, the average time
to identify data breach was 207 days. And that flowed onto the
average life cycle of a breach from identification to containment,
that actually blew out to 280 days. And if you think of a criminal
inside your network, monitoring email communications and looking at
various files on the network, and confidential information,
that's a lot of exposure period for them to cause some
damage.
Sean Aylmer
Mm-hmm (affirmative). Sure has. Andrew, what about COVID?
Particularly, the shift to work from home, has that increased risk
around cyber security?
Andrew Miers
Yeah, absolutely. And I think that's been one of the big
features of the last 12 months. The remote working arrangements were
a definite part of the cause of that. So, people using their
personal devices and perhaps being a little bit lax with putting
documents on their personal device instead of logging on via
whatever platform their company uses. And so, emphasizing the need
for companies to make sure that people are working from home,
they're logging on properly, not emailing things to themselves,
but also, it just opens up vulnerabilities, generally.
Sean Aylmer
So I'm going to ask you both, what's the most likely threat
in 2021? Brendan, starting with you.
Brendan Read
Look, I think it's going to be a mix of an increase in
ransomware. I think that's extremely profitable, and we'll
definitely see the increase of that.
Sean Aylmer
So ransomware is your core, Brendan. Andrew, what do you think?
Andrew Miers
Well, I'd absolutely agree with ransomware, that's not
going away anytime soon. So that's a huge one. I also think
there is supply chain risk. Some of the examples we were talking
about before, like SolarWinds and Isilon, where you have one breach
which has a ripple effect, or not a ripple effect, it's like a
tsunami, in some cases, that just flows on to multiple other
companies. So, you're going to have these breaches that pile up
into this sort of aggregated risk, just arising out of one
incident.
Brendan Read
Yeah. And just to add to that as well, I think some coordinated
attacks on critical infrastructure will become a problem and I know
that the government is currently looking at legislation to help
deal with that major risk.
Sean Aylmer
And Andrew, where do you think the law's going and regulation
is going in terms of cyber security?
Andrew Miers
Yeah, look, it's moving at quite a pace actually. Probably not
quite fast enough to keep up with the risks, with law always sort
of lags technology. But we've seen over the last 12 months and
ongoing into this year, quite a few changes. We're seeing
regulators take a much more active interest. We saw the privacy
commissioner last year, bring the first ever civil penalty case
against Facebook, not for a cyber breach so much, but it was a
privacy breach. And that's the first time they've ever done
that. But other regulators who aren't necessarily directly
concerned with personal information are also weighing into it. So
ASIC, which is the corporate regulator has been talking about cyber
resilience for quite a few years and they've now brought the
first ever civil penalty proceeding against a financial planning
company, and they're alleging a breach of financial services
laws.
Andrew Miers
Financial services laws don't even use the word cyber, but
they're saying that they didn't have appropriate risk
management in place with their IT and they allowed numerous cyber
incidents to occur. We're seeing APRA, APRA hasn't yet
brought any enforcement action, but APRA as the prudential
regulator introduced a new prudential standard 18 months ago, which
requires banks and superannuation funds and insurers, and other
companies under APRA's regulation to tighten up their cyber
security and to notify APRA if there's a cyber incident. So
we're seeing the regulators getting much more active and much
more interested.
We're seeing more legislation. Brendan mentioned the critical infrastructure legislation, which is currently being considered by parliament, that's going to impose new obligations on... What we think of critical infrastructure is, things like water and ports, and electricity, but it's, going to broaden it to financial services, even to supermarkets because they're part of the critical infrastructure of our economy. And so, tightening up and adding new cyber security obligations there as well. And we're seeing ongoing evolution of privacy law as well, that the government is having another look at the Privacy Act to see whether it has kept up with the times. And we could see some more rights introduced for people to enforce their personal privacy rights. So, look, that's just a taste, but there's a lot happening in that space, which is one reason I find it an interesting area to practice in.
Sean Aylmer
And Brendan, just to wrap it up, what should businesses be doing to
protect themselves? And what do they do if they're in
trouble?
Brendan Read
Yeah, look, I think planning before an actual event occurs is
always going to be best placed in any organization that's
actually going to have an incident response plan, and have it
developed in place and tested before an actual event occurs.
They're going to be in a much better position to have the risk
of financial, I mean, reputational harm to the business. I think
training and education plays a very important role. Changing the
culture of an organization is really critical, that they're
thinking about data and its security all the time and everything
that they do in their operations, and then just creating that
awareness that those risks are actually there.
Sean Aylmer
And Andrew, your take on how business should look after themselves
in 2021.
Andrew Miers
Look, I think the things that Brendan said around training are
definitely key, because as I said before, it's as much a human
issue as it is a technology issue. Following the Australian Signals
Directorate Essential Eight, there are eight fairly simple,
straightforward things that the Cyber Security Center says would
prevent about 85% of cyber incidents. But the other one I would
mention is the role of cyber insurance. Obviously, insurance is not
going to stop things happening and it shouldn't be seen as a
security blanket to make you lazy about your cyber security. But it
does mean that if an incident occurs, you know that some of that
financial pressure of the cost of responding to the incident will
be offloaded with the assistance of your insurer. And the insurer can
also provide you with tapping into some of the expert service
providers to assist, especially, for SME companies that might not
have existing providers. So, I would say that, that is a good
protective measure as well.
Sean Aylmer
That's a great point to leave it. Brendan, Andrew, thank you
very much.
Andrew Miers
Thank you, Sean.
Brendan Read
Thanks so much, Sean. Really appreciate it.
Sean Aylmer
I've been talking to KordaMentha partner, Brendan Read and HWL
Ebsworth partner, Andrew Miers. Cyber security is clearly a
challenge today and into the future. It comes in all shapes and is
forever evolving. The perpetrators of cybercrime are also evolving,
staying ahead of the game. Many are state sponsored. But there are
plenty of cyber criminals out there working from their homes. Cyber
security impacts all of us and has the potential to cause great
damage to people and organisations. It has already done so with a
number of high-profile cases over the past 12 months. Understanding
what cyber crime is and how to address it and prevent it can help
businesses stay ahead of the game. Training, culture and awareness
must be at the basis of a good cyber culture within any
organisation. Being relentless in avoiding cyber crime is also
critical. And using experts in the field will help companies
achieve the very best outcomes. Join us again soon for
KordaMentha experts' views on Behind Business. I'm
Sean Aylmer and that was Behind Business.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.