Why your business is at risk from cybersecurity threats

Business Australia’s conversation with Shannon Sedgwick, Senior Managing Director at Ankura, on how to protect your business from cybersecurity threats.

Q: We are encouraged to broaden our business horizons and develop a global footprint if we want to remain competitive. However, with an international presence and an ever-evolving digital business landscape, will organisations be faced with cyber risks? And will cyber security threats apply no matter what part of the world they operate in?

A: The threat from cybercrime is pervasive throughout the world. Indeed, as businesses expand their global reach through more advanced technology and improved transactional relationships and communication, the risk from cyber threats grows. Statistically, less than 10% of cybercrime occurs in the same geographic location as its target. Cyber security is a rapidly evolving landscape for both industry and government, and no matter where in the world you are conducting business, cybercrime remains a significant issue.

Q: What types of cyber security threats are present now and what can we expect in the future?

A: I will limit this to three main cyber security threats businesses face presently. The first is socially engineered malware where the user is fooled into installing a malicious program sent from a source or website that they either trust or frequently use, which then compromises their data.

The second is insider threats where there is a threat to the organisation from employees, former employees, or third-party suppliers. They have access to company data, IP, and systems. Those who pose the threat can be either untrained and unknowingly make common mistakes with their cyber hygiene, or malicious in their intent by stealing or compromising sensitive data.

The third risk is outdated and unpatched software. The software used by an organisation has not been upgraded with the most up-to-date security patches, therefore, creating vulnerabilities in their network. Up-to-date cyber security protection and strong risk management are key to avoiding this threat. 

Q: What can we expect from future information security and emerging cyber threats?

A: One of the main threats we will face in the future will stem from the rapidly increasing use of IoT devices* in the workplace and the lack of security architecture in place from the start of the product’s manufacturing roadmap. The addition of IoT within the business can aid in the optimisation of processes, however if it is not secured to the same standard as the rest of the network, cybercriminals can use it as a ‘stepping stone’ to scan for vulnerabilities in more critical systems in the network.

There has also been an exponential increase in the use of business email compromise, where a malicious person sends a team member an email appearing to be sent from senior management requesting or authorising a transfer of funds or sensitive information to a ‘vendor’.

*The Internet of Things (IoT) is a network of physical devices, vehicles, home appliances and other items embedded with electronics, software, sensors, actuators, and connectivity which enables these objects to connect and exchange data.
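
The business email compromise pattern described in the answer above (a message that appears to come from senior management, asking for a transfer to a "vendor") can be screened for mechanically at the mail gateway. The following is an added example and is not code from the interview or from Ankura; it checks three header signals that together catch most display-name BEC: an executive's name on an external sender address, a lookalike of the organisation's domain in the From or Reply-To address, and a Reply-To that diverts replies away from the From address. ORG_DOMAIN, the executive list and the two sample messages are constructed for the example.

```python
"""
Added example, not from the interview: a first-pass screen for business email
compromise (BEC), where a message pretends to come from senior management.
Three cheap header checks:

  1. the From display name matches a known executive but the sender address is
     not on the organisation's own domain (display-name spoofing);
  2. the sender or Reply-To domain is a lookalike of the organisation's domain
     (small edit distance, or the real domain embedded in a longer one);
  3. Reply-To points somewhere other than From, so replies leave the organisation.

ORG_DOMAIN, the executive list and the sample messages are all constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example.com.au"                 # assumed organisation domain
EXECUTIVES = {"jane citizen", "john smith"}   # assumed executive names, lower case


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot typo-squatted domains such as examp1e.com.au."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _is_internal(domain: str) -> bool:
    """True for the organisation's domain and its genuine subdomains."""
    return domain == ORG_DOMAIN or domain.endswith("." + ORG_DOMAIN)


def _is_lookalike(domain: str) -> bool:
    """Not ours, but close enough to fool a reader."""
    if not domain or _is_internal(domain):
        return False
    return ORG_DOMAIN in domain or levenshtein(domain, ORG_DOMAIN) <= 2


def _name_matches_exec(display_name: str) -> bool:
    """'Citizen, Jane' and 'Jane Citizen (CEO)' both match the executive 'jane citizen'."""
    tokens = set(re.sub(r"[^a-z ]", " ", display_name.lower()).split())
    return any(set(name.split()) <= tokens for name in EXECUTIVES)


def _domain_of(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def analyse_message(raw: str) -> list:
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    msg = message_from_string(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = _domain_of(from_addr)
    findings = []

    if _name_matches_exec(from_name) and not _is_internal(from_domain):
        findings.append(f"display name '{from_name}' matches an executive but sender is on {from_domain}")
    if _is_lookalike(from_domain):
        findings.append(f"sender domain {from_domain} is a lookalike of {ORG_DOMAIN}")

    reply_to = msg.get("Reply-To")
    if reply_to:
        _, reply_addr = parseaddr(reply_to)
        if reply_addr.lower() != from_addr.lower():
            findings.append(f"Reply-To {reply_addr} differs from From {from_addr}")
        if _is_lookalike(_domain_of(reply_addr)):
            findings.append(f"Reply-To domain {_domain_of(reply_addr)} is a lookalike of {ORG_DOMAIN}")
    return findings


# Constructed sample messages; only the headers matter for these checks.
SAMPLE_BEC = """\
From: Jane Citizen <jane.citizen.ceo@gmail.com>
Reply-To: Jane Citizen <jcitizen@examp1e.com.au>
To: accounts@example.com.au
Subject: Urgent vendor payment

Please pay the attached invoice today. I am in meetings and cannot take calls.
"""

SAMPLE_LEGIT = """\
From: Jane Citizen <jane.citizen@example.com.au>
To: accounts@example.com.au
Subject: Board papers

Attached are the papers for Thursday.
"""

if __name__ == "__main__":
    for label, sample in (("BEC", SAMPLE_BEC), ("legitimate", SAMPLE_LEGIT)):
        print(label, analyse_message(sample) or "no findings")
```

The constructed BEC message trips all three checks (external sender using an executive's name, a Reply-To that differs from From, and a typo-squatted Reply-To domain), while the genuine message from the same executive produces no findings. In production the same logic belongs alongside SPF/DKIM/DMARC results rather than instead of them, and the executive list should be fed from the directory rather than hard-coded.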

Q: Does it matter how big or small the business, what industry or sector it is in, or whether the internet only plays a small role in their operations?

A: Certain industries such as banking and the financial sector are frequently targeted, which requires them to have high-security standards. Cybercriminals will often target easier prey such as SMEs who are often aware of their vulnerabilities and unprepared for the threat. Less than 25% of Australian SMEs have a dedicated IT security staff member or provider, and despite facing as many threats as the larger end of town, do not have the resources or training to address and mitigate the risks adequately.

The damage caused by a breach to an SME cannot be understated, with 80% of SMEs that suffer a breach going bankrupt within 12 months.

Q: What cyber security and computer security practices should businesses implement to help protect their data, assets, and network?

A: Cyber security policies, procedures, and frameworks should be implemented throughout the organisation’s structure. From cyber hygiene and employee training to implementing a breach response plan and delegating roles and responsibilities, cyber security should be a top priority. When a company conducts a business impact analysis as part of its business continuity planning, it’s critical that they identify the most significant cyber risks and triage the treatment and mitigation of these risks.

Q: What is intelligence sharing and how important is it?

A: Intelligence sharing is the communication between companies, industry, and government that enhances a greater overall security posture for all concerned parties. 

Sharing of intelligence can benefit an organisation by informing them of new threats and practical strategies. However, it can be difficult to convince organisations of the benefits of security intelligence sharing due to the reputational and financial consequences of admitting a breach or vulnerability. Collaborative efforts against cybercrime should be encouraged, including between competitors, and the sharing of valuable insights that can protect their shared industries.

Q: Do businesses require a cyber insurance policy?

A: Cyber security insurance is an essential aspect of an overall risk management strategy. The insurance should cover liability, costs of cyber investigations, public relations, legal, compensation and regulatory fines. 

However, cyber security insurance does not have 100% coverage. It is difficult to quantify the complete financial loss incurred by an organisation when their customers and the public become aware of the breach. Loss of trust in products and services can cause immeasurable damage to a company’s bottom line for extended periods of time. Insurance providers can aid in encouraging the adoption of cyber security policies and procedures by lowering premiums when an organisation meets specific standards in their cyber security.

Q: Is there an international policy or technology underway to protect businesses from cyber threats?

A: There has been a recent push by government and industry to develop policies and regulatory standards that ensure a baseline of security across the Australian business landscape. 

The introduction of the mandatory data breach notification laws in February 2018 is one such policy, which provides for the accurate and timely reporting of breaches to those who could be harmed by the data breach.

With the formation of the Australian Cyber Security Centre (ACSC) and the Australian Cyber Security Institute (ACSRI), the Australian government is placing greater emphasis on nationwide resilience against cyber threats by promoting innovation and enhancing cooperation between private industry and government.

Six pieces of gold to protect your business against the risk of cyber security threats

1. Train and educate employees.

2. Create and adhere to a company-wide cyber security policy.

3. Update and patch software regularly.

4. Establish access control measures for employees and vendors.

5. Create an incident response plan.

6. Use strong passwords and multi-factor authentication.

Cyber Security Trends Opined

It is no secret that cyber is, and will continue to be, the hot topic in 2019, with global cyber security spending expected to reach USD 124 billion (Gartner). We have all heard the spiel of “technology is evolving, and security must evolve with it” and “as technology innovation increases so does the cyber security risk”. I am not going to bore you to death by repeating what we all have heard a thousand times. Don’t even get me started on the incessant sharing of the same news story when a breach occurs…

But I digress! In this short piece, I lay out my opinion (rant) of the current market trends and nuances I have seen in Australia across both government and private industry.
“Vendor agnostic” does not always mean vendor agnostic.
– This is particularly true in Federal government. CIO/CISOs/whoever (the buyer) will identify a requirement/gap and assess potential solutions that will fit in with their overall business and its architecture. Often, before an RFQ is even issued, the buyer will already have a solution or provider in mind. Of course, probity and abiding by the government’s strict procurement regulations prevent them from going direct in most cases. If an RFQ seems like it has been written with a specific vendor in mind, (some are even written by the preferred vendor, although no one will admit to that), then it probably is. It is a useful skill to be able to spot these types of RFQs, and if you cannot provide that particular brand or solution, then it might be best to pass on that opportunity.

Organisations want a silver bullet, or as close to it as possible
– CIO/CISO/buyers are not overly interested in what “value-adding” vendors can provide or their capabilities. They don’t want your “spray and pray” spam emails and cold calls. That’s rookie s@$t man! They want to know if a vendor can identify and solve more than one of their problems at once. Procurement preference has shifted from deeply specialised providers to a vendor that can provide a platform that performs a wide range of functions adequately. A “one-stop-shop” if you will. The focus is largely now on the following:
o Does the solution solve multiple problems?
o Will the solution integrate with the current architecture and is it easy for staff to manage?
o Can it be automated?
Consider the above before you start marketing your solution and pitching to the CIO/CISO/whoever.

IoT is not going away. Ever.
– IoT devices are proliferating like, well, rabbits… I and many others like @Lani Refiti have spoken about this issue many times. There is no sign of slowing down, and the lack of enforceable standards means security is not baked into the product lifecycle from the beginning. They are notoriously difficult, if not impossible, to update/patch, and to respond effectively to the threats posed by IoT, an iterative and adaptive approach is needed. Organisations are gradually becoming more aware of the risk and have taken a more considered approach to their use of IoT devices. Considerations like “do we really need a connected fridge that informs us when we are out of milk?” or “is it possible that my toaster is a Decepticon?” (The answer is “Yes” by the way).

There will be some (see “many”) that still have not implemented basic security standards
– There are security standards which should be common across all organisations by now. If your organisation (particularly mid to large size organisations) has not implemented the following, you should give yourself a swift uppercut (figuratively… or literally. Up to you.) This is obviously a non-exhaustive list. I just picked a few.
o Cyber awareness training for all staff and contractors. The majority of breaches are caused by human error so this one is a “no-brainer”. There is great training available for as little as $50/person. It will be cheaper than a breach. I promise.
o Cyber security as an ongoing topic of discussion at board/leadership meetings. A top-down focus on cyber will flow through the rest of the organisation.
o Backups. PLEASE, PLEASE back up your organisation’s data. Daily preferably. It is fairly straightforward and cost-effective to set up. Should the worst happen, then you won’t lose everything.
o Encrypt your data, including data at rest. This goes a long way to preventing unauthorised users from being able to view your data, even if they are able to get their mitts on it.
o Multi-factor authentication. Enable it on all applications. On every device. Even your Tinder account has MFA, for all you single people.

Final thoughts (see “disclaimer”)
– This piece is just my weekend thoughts on paper and does not reflect the beliefs of my employer etc. etc. Take it with a grain of salt and some humour. I welcome constructive feedback and opinions on any or all of the topics I have discussed.

For more of my thoughts/ramblings, visit ssedgwick.com

Legislation and Cyber Security

Data privacy and cyber security legislation have been a hot topic in Australia of late, with the implementation of the European GDPR, the Notifiable Data Breach Scheme under the Privacy Act 1988, and more recently, the Australian Government’s proposed Assistance and Access Bill (2018). The Assistance and Access Bill, in particular, is causing concern amongst the wider Australian public, privacy watchdogs, technology giants, and telecommunications providers about the level of government access to encrypted information. Aided by an international media “frenzy”, there is an increasing fear of over-regulation and unintended consequences for the privacy of individuals or organisations.

In our dealings with the public sector, it’s clear that there is a lack of legislation and regulation in Australia that is industry specific. Many within the Australian industry view cyber security as something they have to “put up with”, which means that it may not be allocated sufficient budget or regarded as the business enabler that it is. One of the most effective ways to encourage compliance with recognised standards (NIST, ISO27001, ISM, Essential 8 etc.) is to mandate it with legislation. Legislated compliance provides confidence to end-users and business stakeholders. (Greenwald, 2015)

Consider healthcare as an example. The sector is notoriously immature in cyber security, with more breaches reported than any other sector (OAIC 2018). Statistically, over 50% of its data breaches occur due to human error (Verizon 2018), which speaks to a lack of training and enforced standards. By comparison, the US has healthcare-specific legislation in the form of the Health Insurance Portability and Accountability Act (HIPAA), which provides data privacy and security provisions for safeguarding medical information. Almost 1 million people have elected to opt out of the Australian Digital Health Agency’s My Health Record due to a perceived lack of appropriate security measures (ABC News, 2018). Australia’s adoption of an approach similar to HIPAA would go a long way towards improving the cyber maturity of Australian healthcare and the trust of the Australian public.

Another issue with the lack of industry-specific regulation and legislation is that organisations are not aware of their data privacy obligations. If an organisation suffers a data breach, non-compliance with their legal and regulatory obligations could equal large fines, greater financial loss, and potential loss of trust with their customers/stakeholders. For organisations and industries to thrive and grow they need to be digitally enabled and digitally driven to keep pace with competitors, both domestic and international. Organisations using cutting-edge technologies can create new products and services, and create better end-user experiences.

To innovate rapidly, cyber security must be prioritised and viewed as a business enabler rather than an expensive anchor. Legislation that has been drafted in cooperation with industry stakeholders will aid cybersecurity maturity and compliance in digital transformation and increase the resilience and performance of Australia on the world stage.

Do you think legislatively mandated compliance with cyber security standards is a good idea? Please feel free to comment your thoughts on this issue below. You can read more of my writing or discuss speaking requests at ssedgwick.com

When computer hackers turn out to be the good guys – UNSW Business Think

I contributed to this article for the University of NSW (UNSW) Business Think Journal https://www.businessthink.unsw.edu.au/Pages/When-computer-hackers-turn-out-to-be-the-good-guys.aspx

The popular image of a computer hacker is a hoodie-wearing night owl, a ‘black hat’ who remotely breaks into an organisation’s systems, intent on mischief, financial gain, or political exposure.

But while wearing a hoodie and operating at night may still be de rigueur, recent years have seen the emergence of a new breed – ‘white hat’ hackers, who do what they do legally and with an organisation’s blessing, with some getting paid as much as $350,000 a year to do so.

Mortada Al-Banna, a doctoral researcher in the school of computer science and engineering at UNSW, and his academic colleagues have investigated this phenomenon of crowdsourced vulnerability discovery, interviewing 36 key informants from various organisations about the challenges and benefits of inviting outsiders to test their computer systems in this way.

“I’m interested in how externally generated events affect the security posture of an organisation, and crowdsourcing security is one of these,” Al-Banna says.

While the first award of a ‘bug bounty’ (a payment for finding and reporting a bug) was by web browser company Netscape as far back as 1995, the wider industry remained sceptical.

But in 2016, this attitude was transformed in remarkable fashion when the US Department of Defense announced via the bug bounty platform HackerOne that they wanted people to “hack the Pentagon”.

“This has motivated a lot of companies to get involved,” says Al-Banna. “The Department of Defense started small and then expanded, and the US government is currently considering expanding the program throughout all areas of their operation.”

‘Humans are actually better at this. They are more creative and look for the unexpected’

Test your system
Al-Banna’s research has revealed a number of challenges and reservations that organisations have about crowdsourced vulnerability discovery, including the lack of managerial expertise to run a successful bug bounty program, the possibility of low-quality submissions and cost escalations, and a general distrust of ‘white hat’ hackers.

“If companies want to run a bug bounty, but want to minimise the problems, there are techniques to help them do this,” says Al-Banna.

But while it’s possible to automate, say, the examining of reports from bug hunters to exclude duplication or out-of-scope issues, actually automating the process of looking for bugs is more difficult.

“The current automated tools for looking for vulnerabilities are actually more ‘noisy’ than the crowd,” says Al-Banna.

“Humans are actually better at this. They are more creative, and look for the unexpected.”
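
The part of a bounty programme that the article says can be automated, screening incoming reports for out-of-scope targets and duplicates before a human reads them, looks roughly like the following. This is an added example, not code from Al-Banna's research or from any bounty platform; the scope lists, the vulnerability-name aliases and the six sample submissions are constructed for it.

```python
"""
Added example, not from the article or Al-Banna's research: the mechanical part
of bug bounty triage that a program can automate before a human reads a report.
Two filters:

  * scope: the reported host must sit under an in-scope domain and not under an
    excluded one (a host that merely contains the brand, such as
    example.com.au.evil.net, is out);
  * duplicates: reports with the same (host, normalised path, vulnerability
    class) fingerprint collapse onto the earliest report, so a second reflected
    XSS in the same search parameter, or an IDOR reported against a different
    user ID, is marked as a duplicate rather than paid twice.

The scope lists, vulnerability aliases and submissions are constructed.
"""
import re
from dataclasses import dataclass, replace
from typing import Optional
from urllib.parse import urlsplit

IN_SCOPE = {"example.com.au"}                # assumed: covers all subdomains
OUT_OF_SCOPE = {"legacy.example.com.au"}     # assumed: explicitly excluded

# Report titles are free text; map common names onto one class for fingerprinting.
VULN_ALIASES = {
    "xss": "xss", "reflected xss": "xss", "cross-site scripting": "xss",
    "sqli": "sqli", "sql injection": "sqli",
    "idor": "idor", "insecure direct object reference": "idor",
}


@dataclass
class Report:
    report_id: int          # lower id = received earlier
    url: str
    vuln_type: str
    status: str = "new"     # becomes needs_review | duplicate | out_of_scope
    duplicate_of: Optional[int] = None


def _under(host: str, domain: str) -> bool:
    return host == domain or host.endswith("." + domain)


def host_in_scope(host: str) -> bool:
    host = host.lower()
    if any(_under(host, d) for d in OUT_OF_SCOPE):
        return False
    return any(_under(host, d) for d in IN_SCOPE)


def canonical_vuln(vuln_type: str) -> str:
    key = vuln_type.strip().lower()
    return VULN_ALIASES.get(key, key)


def fingerprint(report: Report) -> tuple:
    """(host, path with numeric ids abstracted, vuln class); query strings are ignored."""
    parts = urlsplit(report.url)
    path = re.sub(r"/\d+(?=/|$)", "/{id}", parts.path).rstrip("/") or "/"
    return (parts.hostname or "", path, canonical_vuln(report.vuln_type))


def triage(reports: list) -> list:
    """Return new Report objects with status (and duplicate_of) filled in."""
    seen = {}       # fingerprint -> first report_id
    result = []
    for r in sorted(reports, key=lambda x: x.report_id):
        host = urlsplit(r.url).hostname or ""
        if not host_in_scope(host):
            result.append(replace(r, status="out_of_scope"))
            continue
        fp = fingerprint(r)
        if fp in seen:
            result.append(replace(r, status="duplicate", duplicate_of=seen[fp]))
        else:
            seen[fp] = r.report_id
            result.append(replace(r, status="needs_review"))
    return result


# Constructed submissions.
SAMPLE_REPORTS = [
    Report(1, "https://www.example.com.au/search?q=%3Cscript%3Ealert(1)%3C/script%3E", "Reflected XSS"),
    Report(2, "https://www.example.com.au/search?q=%3Csvg/onload=alert(1)%3E", "Cross-Site Scripting"),
    Report(3, "https://legacy.example.com.au/login", "SQL injection"),
    Report(4, "https://api.example.com.au/users/1042", "IDOR"),
    Report(5, "https://api.example.com.au/users/77", "Insecure Direct Object Reference"),
    Report(6, "https://example.com.au.evil.net/", "xss"),
]

if __name__ == "__main__":
    for r in triage(SAMPLE_REPORTS):
        extra = f" (of #{r.duplicate_of})" if r.duplicate_of else ""
        print(f"#{r.report_id} {r.status}{extra}: {r.url}")
```

Of the six constructed submissions, two survive to human review (the first XSS and the first IDOR), two are collapsed as duplicates of them, and two are rejected as out of scope, one for hitting the excluded legacy host and one for a brand-lookalike host that is not under the programme's domain at all. Fingerprinting on path shape rather than the exact URL is what makes the IDOR pair dedupe; the cost is that genuinely different bugs on the same endpoint still need a human to separate them, which is why the status is "needs_review" rather than "valid".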

So how can organisations make use of this research? Al-Banna’s advice is that businesses need to do their homework first.

“Don’t just jump straight into a bug bounty. You need to test your system yourself with [network] availability tools – bug hunters will use these themselves – before leveraging the crowd for problems that require more creative input.

“In the first instance, limit the scope and only invite in a small number of bug hunters. But if organisations keep it this way forever, they will not reap the benefit of crowdsourcing,” says Al-Banna.

Adrenaline rush
Despite being only 22 years of age, Shubham Shah is a veteran of the world of crowdsourced vulnerability discovery. His childhood interest in computer gaming and ‘game hacking’ (modifying games) soon escalated into the world of computer security. By the age of 13, he was hacking web applications.

Shah’s skills led him to work for professional services multinational EY, and then as a consultant for Bishop Fox, doing work for Fortune 500 companies. But he soon found he could make more money pursuing bug bounties, which he has done exclusively for the past year.

‘They can often show you where you are most vulnerable more effectively than your security team could identify’

“My first bug bounty was from PayPal. It took me eight hours to get into an internal network that they owned, and they paid me US$1500. If you’re good at it, the financial incentive is very high,” Shah says.

“When you find a big vulnerability in a big company, there’s an adrenaline rush. You feel you’ve achieved something big – like running a marathon. But you could spend many hours finding nothing, and there’s no model for predicting what money you’ll make.”

Shah envisages a wider move towards a crowdsourced economy, and not just in computer security – he cites the example of design consultancy 99designs, which has been operating a similar model in its industry.

“Traditional consulting, where companies charge even if they ultimately do nothing, involves a waste of resources,” he says. “It’s not based on results.”

During the next five to 10 years, Shah believes that low-level bug hunting will become automated – which will focus the attention of the crowd on being more creative, and searching for more serious vulnerabilities.

“We’re currently paying the crowd to do what is in effect manual labour. We’re encouraging ‘noise’, and it’s a significant effort for a company to run a bounty,” Shah says.

“The only way to reduce the noise is to automate what can be automated.”

Establishing parameters
Shannon Sedgwick, a senior manager for cyber risk at Deloitte Canberra, has experience of employing ‘white hat’ hackers and observing the benefits they can bring to an organisation.

“In my experience, the industry is quite open about engaging with ‘white hats’,” he says. “Google paid out US$3 million in bounties in 2017, and some individual bounties can be as much as $100,000.”

Sedgwick believes that, even with the large budgets available to companies such as Google or Apple, ‘white hat’ hackers can be more efficient and cost-effective than companies performing the same tasks with internal staff.

“They can often show you where you are most vulnerable more effectively than your security team could identify. A plan is only effective if you’ve tested that plan, and this is especially true for security systems.”

Another advantage for companies is that ‘white hat’ penetration testing typically occurs outside of business hours, thus minimising potential disruptions to their business operations.

If a company is considering offering bounties for the first time, Sedgwick suggests trialling the process internally first and then, when approaching the market, establishing strict NDAs [non-disclosure agreements] and parameters of what is under review and cannot be exploited.

“Don’t release all of your applications and systems for testing at once, and engage an experienced specialist security company to oversee the process,” he says.

For Sedgwick, one of the challenges for companies engaging with ‘white hat’ hackers is the risk that some can edge towards becoming ‘grey hats’, who identify vulnerabilities but don’t report them, going on to exploit the vulnerabilities for financial gain or selling them to interested parties on the dark web.

“If ‘white hats’ feel they’ve been treated poorly by a company – for example, being underpaid, or not appreciated – then they can cause problems.”

But importantly for Sedgwick, the boards of organisations have to understand that information security is a business risk, not just a technology risk.

“They need to identify their critical data and assets, and direct appropriate resources to those as a priority,” he says.

“You need to consider the big picture. You can patch vulnerabilities all day, but if a company’s governance and security strategy are not effective, then patching vulnerabilities is not going to do the trick.”

Australian Government – The State of Cyber

“Australia and Australians are targets for malicious actors—including serious and organised criminal syndicates and foreign adversaries—who are all using cyberspace to further their aims and attack our interests.” (MP, n.d.)

Amongst the never-ending acronyms of Canberra’s public service are the government agencies and departments that guide the direction and implementation of the Australian Government’s cyber security strategy: the Australian Signals Directorate (ASD) and its subsidiary the Australian Cyber Security Centre (ACSC), the Attorney-General’s Department, the Department of the Prime Minister and Cabinet (PM&C), the Department of Home Affairs, CERT Australia, and the Department of Defence (DoD). The collective aim of these agencies and departments is to improve the resilience and cyber security posture of the Australian Government, private industry, and citizens. They are the first line of defence for Australia in the protection against cyber criminals, espionage, and insider threats. These organisations face unique challenges, and I will shed some light on those challenges and on the progress of our government’s cyber security strategy since its introduction in 2016 (The Department of Prime Minister and Cabinet, 2016).

The 2016 Australian Cyber Security Strategy addressed five key goals:

1 – Governments, business and the research community together advance Australia’s cyber security through a national cyber partnership,
2 – Australia’s networks and systems are hard to compromise and resilient to cyber attacks,
3 – Australia promotes an open, free and secure cyberspace by taking global responsibility and exercising international influence,
4 – Australian businesses grow and prosper through cyber security innovation, and
5 – Australians have the cyber security skills and knowledge to thrive in the digital age.

These five goals are laudable fundamentals for which to strive. One of the main issues in achieving these goals is that the Cyber Security Strategy did not address exactly how it was going to implement these plans or quantitatively measure its progress. The Strategy breaks down the five goals into 33 separate action points, which may prove unwieldy. A better approach would be to identify the essential action points and prioritise them according to their severity of risk to the overall five goals.

Australian National Audit Office (ANAO) audit reports of various federal agencies make it clear that the government has more work to do in implementing its Strategy Action Plan. The ANAO found that the majority of the agencies it audited did not meet the mandatory standard set by the ASD in April 2013, the Top 4 Mitigation Strategies. The Top 4 are a subset of the ASD Essential Eight, which will soon replace the Top 4 as the minimum standard that Australian Government agencies must meet. The Essential Eight are:

  1. Application whitelisting
  2. Restrict administrative privileges
  3. Patch applications
  4. Patch operating systems
  5. Disable untrusted Microsoft Office macros
  6. Multi-factor authentication
  7. User application hardening
  8. Daily backup of important data

The only agency in the ANAO’s purview considered “Top 4 compliant” and “resilient” was the Department of Human Services (DHS). The Australian Taxation Office (ATO) has since achieved Top 4 compliance too.

Whether compliance with the ASD’s Top 4 or any other government regulation signifies an organisation is cyber-resilient is arguable. When too great a focus is on compliance, it can create a “tick the box” culture instead of addressing the principal risks and threats to an organisation’s assets. The ANAO hit the nail on its proverbial head in their recent Performance Audit Report describing what makes an organisation “cyber-resilient”: “cyber-resilient organisations demonstrate a leadership culture and behaviours that prioritise cybersecurity and focus on it. They do more than comply with mandatory requirements; they demonstrate an effective security culture.” (Australian National Audit Office, 2018)

One could be forgiven for not fully understanding which government advice to follow. There is a plethora of different advice and regulations to which industry and government alike can subscribe and align themselves: ASD Top 4, ASD Essential 8, ASD Top 35, Australian Information Security Manual (ISM), Australian Defence Security Manual (DSM), ISO27001, National Institute of Standards and Technology (NIST) Cyber Security Framework, PCI-DSS, Notifiable Data Breach (NDB) Scheme, and the list goes on. Therein lies another problem. An overabundance of security advice can lead to confusion and cause organisations to either do nothing, over-compensate, or attempt to comply with an ineffective mix of national and international standards.

A lack of budget allocation may also be to blame for the slow progress in increasing cyber security maturity, with $230 million earmarked for Australia’s Cyber Security Strategy over four years. The US Government budget for cyber security is approximately A$26 billion, and the UK Government has allotted A$800 million to its cyber security efforts. When you consider the likelihood of cyber attacks and the possible damage caused by breaches to critical infrastructure and national security, one could argue that spending on cyber is a long way from being sufficient.

It is certainly not all bad news though. The government has opened four Joint Cyber Security Centres (JCSC) throughout Australia, which allow the sharing of threat intelligence and collaboration between government, academia, and industry. An additional $30 million in funding has been granted to an industry-led Australian Cyber Security Growth Network that “brings together businesses and researchers to provide a foundation for the development of next-generation products and services required to live and work securely in our increasingly connected world.” (AustCyber, 2018)

The Department of Home Affairs has developed initiatives such as the Cyber Security Challenge, which promotes the cyber security industry to graduates, with a particular focus on women in cyber. The reform of the Protective Security Policy Framework (to be released October 1st 2018) to a “principles-based” approach is a welcome change from the previous unwieldy and overly prescriptive version. The revision seeks to simplify the framework by separating guidance material from mandatory requirements. Alastair MacGibbon, the National Cyber Security Adviser and Head of the Australian Cyber Security Centre, has also dramatically increased the ACSC’s staff numbers in a relatively short amount of time. This increase in resources will help develop collaboration between industry and government further and improve Australia’s cyber resilience and standing on the global cyber stage.

Advanced information and communication technologies (ICT) are necessary for the success of industry, consumer, and government activities, and ICT security should be of the highest priority. Australia is taking steps to address the threats from advancing technology. However, we are lagging behind the pace of other Western countries. (Austin, 2016)

A robust and effective cyber security strategy is critical to the protection of Australia and its citizens and to a profitable technology-led industry. Effective strategy implementation across government, a cyber-aware and resilient culture, continued collaborative engagement between government and industry, a unified and simplified approach to regulations and standards, and adequate funding are required for Australia to thrive in the digital age and successfully respond to cyber incidents, deter cyber attacks, and protect against threats from both cyber criminals and foreign interference.

As published in Australian Security Magazine Aug/Sep Edition https://issuu.com/apsm/docs/emag_asm_aug_sep_2018/12