With data breaches on the increase and ever-more sophisticated hacking techniques keeping the IT industry on its toes, we asked our resident cybersecurity expert, DDLS Technical Trainer Terry Griffin, for his perspective on this growing threat.
Recent figures indicate that the number of data breaches reported in Australia is steadily increasing. What are some of the key factors driving this?
One of the most important edicts introduced by the Office of the Australian Information Commissioner (OAIC) is the Privacy Amendment (Notifiable Data Breaches) Act 2017. This established the Notifiable Data Breaches (NDB) scheme in Australia, which legally requires organisations to notify the OAIC when a security breach has occurred and to notify individuals whose personal information has been compromised if it could cause serious harm. As a result, data and security breaches are now finally being tracked in Australia. The scheme only came into being on 22 February 2018, so it’s early days – but already it’s clear that the number of breaches is on the increase, steadily rising from 55 reported breaches in March up to 90 in June.
It’s a similar story worldwide. As more and more businesses undergo digital transformations, storing valuable data and doing increasing amounts of business online, they are leaving themselves increasingly vulnerable to attack. The overwhelming trend to put everything online, even if it doesn’t need to be (or shouldn’t be, in the case of highly sensitive personal data) is the main reason we’re experiencing so many security breaches. You could say that we are dangling the fruit too low, making it all too easy for hackers to gain access to our data.
Of course, with this seamless connectivity comes huge cost-savings and convenience, but when the average cost of a cybersecurity breach is calculated at almost US$3.9 million, there are other financial implications to consider should your company become the target of an attack. That’s why it’s so critical to be well-prepared and remain vigilant. The reality is that hacking is easy – it’s the defence that’s hard. I liken it to shooting a gun versus stopping a bullet.
With so many high profile data breaches making headlines in the last 12 to 18 months, are businesses learning from others’ mistakes?
In the past, senior management didn’t understand the requirement for cybersecurity – it was considered the domain of the IT department, and teams were given limited resources to deal with the issue. Things we take for granted now – like specialist staff, the right training, software and hardware – weren’t always made available. With the current focus on security, CEOs are now very aware of their responsibility to maintain data security and many organisations are strengthening their in-house capabilities as a result. It’s one of the reasons why we have such a skills shortage in the cybersecurity space.
But while some businesses are ramping up their cybersecurity defences, frustratingly this isn’t happening across the board. A prime case-in-point is the recent Western Australian Government password scandal, which hit the headlines when an audit uncovered the widespread usage of weak passwords, including “password123” which was used by almost 1500 employees. Incredibly, a month after the audit findings were revealed, many of the passwords remained unchanged, indicating a failure on the part of senior management to enforce security measures and emphasise the risks of non-compliance.
As IT specialists, it’s incumbent on us to communicate the cybersecurity threat to the rest of the business and ensure all staff comply with basic security practices. Of course, that may not be enough to deter the more dedicated hacker – but businesses that fail to get the basics right are sending an open invitation to cyber criminals. It’s the equivalent of leaving all your valuables on display in an empty house with the doors and windows wide open.
Post the Mirai botnet attack, should we be concerned about the Internet of Things providing more opportunities for cyber criminals to hack into our homes and businesses?
From baby monitors, smart white goods and home systems to security cameras and smart speakers, the proliferation of connected devices gives hackers yet another means of gaining access to our home or corporate networks. Installation of these devices by ‘homebodies’ with limited technical knowledge often means that the default device admin accounts are not changed. Back doors into these devices also can allow a ‘launchpad’ into further network intrusion.
We saw the effect of this back in 2016 when the Mirai botnet infected thousands of insecure IoT devices, leading to an off-the-chart, one-terabyte-per-second DDoS attack on French hosting company OVH – the largest ever recorded. Had the users/installers of these devices followed basic security practices and changed the original password settings on installation, the botnet would never have succeeded.
With that said, we’ve now become more alert to the possibility of IoT devices being used as an attack platform, so I’m hoping we’ll see a reduction in attacks of this nature in future. Similarly, one would hope that with users’ increasing technology literacy will come a greater understanding of the need to be security-conscious (although that still remains to be seen).
Defence against ransomware was a big focus for businesses this year. Are there still businesses out there who are easy targets for ransomware and what should IT managers be doing to mitigate risk?
Every time I teach, I ask how many people in the room have been the victims of a corporate cyber attack – without fail, at least half raise their hand. Increasingly, ransomware is the culprit. A simple and effective weapon, ransomware is a simple form of malware that hacks into your system and then encrypts your files, effectively disabling your system until you pay the hackers a ransom.
Ransomware is big business for hackers, so it’s no surprise to learn that it’s the world’s fastest-growing form of cyber crime (attacks are increasing at an alarming rate of 350% year on year). Research from Cybersecurity Ventures predicts that in 2019, ransomware damage costs will soar to US$11.5 billion globally, with an attack occurring every 14 seconds.
One of the main targets for ransomware is hospitals, as they typically store a huge amount of customer data online. I firmly believe that the dynamic patient data in hospitals (as against relatively static patient records) shouldn’t be accessible online. The major problem hospitals face with dynamic patient data is that it needs to be instantly accessible within the hospital – but that doesn’t mean it should be accessible externally.
Regardless of the industry, any businesses that aren’t implementing sufficient security measures are leaving themselves exposed. One of the most common delivery channels for ransomware is the social engineering attack, typically a phishing email containing infected attachments or a link to an infected website. These tactics are extremely easy to perform – much easier than hacking in – because they exploit our greatest vulnerability: our users. It’s really about psychology and the trusting nature of people. Wherever you have people using your network, you are susceptible.
The best defence against ransomware is of course to take the sting out of its tail by backing up your files in the cloud or on a separate drive to your main business network. It’s also critical to have a system in place for scanning any unsolicited or suspicious emails before they reach your users – at DDLS we do this off site using Office 365.
Other than ransomware, what are the biggest cybersecurity threats for the year ahead?
In the wake of the Facebook Cambridge Analytica scandal, I predict that 2019 will bring even more mass PII (Personally Identifiable Information) breaches, in which sensitive personal information like credit card details and date of birth is compromised. What we’ve seen to date is really just the tip of the iceberg.
The relatively new practice of cryptojacking – the unauthorised use of someone else’s computer to mine cryptocurrency – is also likely to gain ground in 2019. Because cryptocurrency doesn’t have any real form, it’s been remarkably easy for hackers to break into the crypto ‘banks’ and extract money.
Now, with over 100 cryptocurrencies out there and counting, the possibility of disruption has increased even further.
Lastly, what are the top security certifications that IT professionals looking to expand their skill set should have under their belt?
The IT landscape is constantly changing – no sooner have we learnt how to deal with one threat than a new one emerges. Keeping up to date with the latest cybersecurity challenges is a huge task, but any security course is a worthwhile addition to the skills IT professionals have. Even just an introductory course is a good place to start, and could provide the foundation for more extensive training such as Incident Handler, Network Defender, Ethical Hacker and Forensic Investigator.
As they say, the best defence is a good offence: don’t wait until your business is targeted by cyber criminals to introduce more rigorous security measures. Preventing attacks before they occur is infinitely easier than trying to limit the damage once your defences have been breached.