Cyberattacks by international criminal gangs against Australian companies have surged over the past 12 months and the consequences of a security breach are growing more severe.
Richard Bergman, Cyber and Forensic Partner at PwC, says cyberattacks have become more prevalent in Australia in the past five years and over the last 12 months have “skyrocketed”.
Part of the increase is due to boards and managers being more aware of cyber threats, and so are finding more attacks, but Bergman says there is also a lot more activity targeting Australian companies.
Bergman says cybercriminals are focussing more on Australia as a target.
“We’re seeing more ransomware attacks against Australian corporations, and some of those organised crime gangs behind those ransomware attacks are now going after company infrastructure and holding the company to ransom,” he says.
Ransomware is where criminals lock an organisation’s files and data and extort a payment in exchange for a decryption code to release the files.
Bergman says he now spends a lot of time talking to boards and chief executives about preparing for a cyber crisis. “It’s not just an IT security issue anymore. This is impacting the brand, it’s impacting the share price, it’s impacting employees, the ability to invest and grow, so they’ve got to be ready to respond appropriately,” he says.
“For a lot of big breaches the cost of the actual breach response is significant, but usually it’s the cost of the remediation post that point that has skyrocketed.”
The stakes for a cyber breach will soon get higher in Australia. The government has released draft “mandatory breach notification” legislation that would require companies to disclose serious breaches of personal information to their customers and to the Privacy Commissioner. Businesses that offend repeatedly or seriously will face fines of up to $1.7 million.
As more and more physical objects are connected to the web via the Internet of Things, we could start seeing safety incidents or loss of lives from cyber breaches, he says.
Cyber threats can come from four different sources.
The first is organised crime, including ransomware and the targeting of financial services companies for economic gain. Bergman says the number of attacks or incidents from organised crime in Australia is up 45 per cent over the past 12 months.
The second is attacks from nation states. This is where hackers working for foreign governments try to hack websites to steal information about the sale of government infrastructure, particularly if they are interested in buying the asset, and to steal intellectual property.
Thirdly, there is the threat from hacktivists, which Bergman says is underestimated in Australia, particularly by resources and energy companies. “There is a low likelihood of attack but the consequences can be high,” he says.
“Their motivation is to disrupt your business, if they can stop you operating or create a lot of noise that will have a bigger impact than a lot of the traditional data breaches. Credit card theft is one thing, you can recover from that, but an impact to your brand or ability to operate could have bigger consequences,” says Bergman.
Fourthly and finally, there is the insider threat. “This is the one that corporate Australia is not ready for and is not prepared well for,” says Bergman. Staff can make good profits from selling information on the black market that is easy for insiders to steal, such as usernames and passwords.
This year’s Telstra Cyber Security Report revealed 23.7 per cent of Australian organisations surveyed detected a business-interrupting security breach during an average month – more than twice as often as in 2014.
That survey was mostly of large and medium businesses, but small businesses are also targets, particularly of ransomware. In 2012, Russian cyber criminals hacked into the patient records of the Miami Family Medical Centre on the Gold Coast and locked up patient files, demanding a payment of $4000 for a decryption code. The medical centre retrieved its data from backups, but it had to operate for several days without patient files and suffered a lot of negative publicity.
The Telstra Cyber Security report says incidents of ransomware and the phishing emails that often introduce the malicious programs into organisations increased by 29 per cent in 2015, which reinforces the need for staff training to help mitigate these threats.
Ty Miller, director of IT security firm Threat Intelligence, says prices for the code to unlock the files range anywhere from $50 to $10,000, but many businesses choose not to pay them, for fear that if they do they will be targeted again.
“It stops the business for an extended period of time, and depending on what systems they’ve got in place to recover from a breach like this, it could be a day or it could be a week. If your business stops for a week that can add up pretty significantly.”
Furthermore, those businesses which have suffered a breach suffer the reputational damage and resulting loss of customers after they notify clients that their personal information might be compromised.
Specific cyber insurance can help pay for some of these losses, such as income loss, the increased cost of working and PR expenses resulting from reputational damage, as well as the reputational damage itself.
One of the reasons some seek insurance is not only to recover from the financial loss but to access the crisis management expertise and the know-how of the insurer’s incident response network – normally consisting of lawyers, forensic specialists, data recovery experts and a range of other specialists.
Businesses might also be required to undergo additional security audits after a breach. For instance, the Payment Card Industry Data Security Standard applies to any business that handles cardholder names and card numbers; it requires more stringent audits of businesses that have suffered a breach, and it requires those businesses to pay for the compromised cards to be placed on the card schemes’ watchlist.
A particular point of vulnerability for small and medium businesses is staff laptops, iPads and phones, which can connect to the business’s IT systems and provide a way in for hackers.
Companies can restrict which programs are allowed to run on the business’s computers, because malware such as ransomware is usually introduced when a staff member inadvertently downloads a piece of code by clicking on a link on a website or in an email and then runs it as a program.
About 200,000 new variants of existing malware programs are generated every day, so it’s impossible for anti-virus programs to keep tabs on them all.
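The contrast the last two paragraphs draw, a default-deny list of approved programs versus anti-virus trying to recognise every new variant, modelled as an added example (not code from the article or from any firm quoted in it). The three "programs" are constructed byte strings standing in for executables, and the hash-based rules are a simplification of what real application-control tools do.

```python
import hashlib

# Constructed stand-ins for executables on a staff laptop.
APPROVED_APP = b"MZ approved-accounting-app v1.0"
KNOWN_MALWARE = b"MZ ransomware-dropper build 1"
NEW_VARIANT = b"MZ ransomware-dropper build 2"  # repacked: differs by one byte


def sha256(data: bytes) -> str:
    """Fingerprint a program by its SHA-256 hash (constructed, not a real AV signature)."""
    return hashlib.sha256(data).hexdigest()


# Blocklist model (traditional signature anti-virus): deny only what is already known bad.
BLOCKLIST = {sha256(KNOWN_MALWARE)}

# Allowlist model (application control): run only what the business has approved.
ALLOWLIST = {sha256(APPROVED_APP)}


def blocklist_decision(program: bytes) -> str:
    """A new variant has a new hash, so it slips past a blocklist until a signature exists."""
    return "deny" if sha256(program) in BLOCKLIST else "allow"


def allowlist_decision(program: bytes) -> str:
    """Anything not explicitly approved is denied, regardless of how new it is."""
    return "allow" if sha256(program) in ALLOWLIST else "deny"


def compare(program: bytes) -> dict:
    """Return both models' verdicts for one program."""
    return {
        "blocklist": blocklist_decision(program),
        "allowlist": allowlist_decision(program),
    }


if __name__ == "__main__":
    samples = [("approved app", APPROVED_APP),
               ("known malware", KNOWN_MALWARE),
               ("new variant", NEW_VARIANT)]
    for name, program in samples:
        print(f"{name:14} -> {compare(program)}")
```

The trade-off is operational: an approved program's own update also gets a new hash and is denied until the allowlist is refreshed, which is why allowlisting needs a change process behind it.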
Ravin Prasad, chief executive of IT security firm Cybernetic Global Intelligence, says real estate agents and property developers are being targeted for the personal and financial information they hold about their customers.
Criminals use the stolen information to try to siphon cash from their bank accounts. “Real estate agencies don’t use a lot of protection and they are very easy to get into,” he says.