Organisations that have experienced a data breach in recent times will confirm that it is traumatic. It is an unpleasant experience for the board, management, staff and customers affected. Like any other crisis, there is a lot of uncertainty, it is not easily or quickly resolved, and it often involves intense media scrutiny. Many organisations will be out of their ‘comfort zone’.
The cyber security team at InConsult take a closer look at the factors contributing to the proliferation of cyber attacks and what you can do to reduce the risks and prepare your organisation for a data breach.
Data Breach Alert
Globally, a total of 108.9 million accounts were breached in the third quarter of 2022, a 70% increase compared to the previous quarter. According to cybersecurity company Surfshark, the top 5 countries affected by data breaches were Russia, France, Indonesia, the US and Spain.
Australia has also experienced a recent surge in cyber attacks and data breaches, starting with the Optus data breach in late September. Medibank, MyDeal (Woolworths), Vinomofo, Australian Clinical Labs, the Smith Family, LJ Hooker and Energy Australia all quickly followed.
More than 30% of Australians have now been exposed to data breaches in the last 12 months. A new Australian National University (ANU) poll found 6.4 million adults have fallen victim to data breaches.
Many have asked, why have we seen a surge in data breaches recently? Well, from our analysis, it was only a matter of time before we reached this point and, looking into our crystal ball, it is likely to get worse.
1) Increased sophistication of threat actors’ business model
Cyber crime is a lucrative enterprise for organized criminal gangs. The gangs are after nothing but money – financial gain. They don’t care about what data they steal, how they steal it, or who it impacts. The data they steal will be subject to a ransom and likely turn up on the black market/dark web, ready to be sold to the highest bidder. Their primary weapon of choice is ransomware.
The gangs recruit globally and operate in a structured, organised and sophisticated manner. They have a leadership team, an organisational structure, policies/guidelines, regular reporting and monitoring, and performance-based incentives.
Innovation is very important to these gangs. Innovation is key to growth and financial prosperity. They change and adopt new business models, recently moving from simple extortion of individuals to double- and triple-extortion schemes. The hackers are growing bolder and their monetisation strategies are becoming more aggressive.
2) The rise of hacktivists
Hacktivists use digital tools and cybercrime techniques to carry out an attack driven by religious, political, or moral motivations. These could be ethical or unethical. Their aim is to hack into government agencies or businesses and expose or draw public awareness to things they believe the organisation is doing wrong or covering up.
They often use distributed denial-of-service (DDoS) attacks, which involve flooding a website or email address with so much traffic that it temporarily shuts down. Other tactics include data theft, website defacement, computer viruses and worms that disseminate protest messages, stealing and revealing sensitive data, and taking over social media accounts.
Doxing (sometimes spelled doxxing) is the act of releasing personal information about an organisation or individual, such as their real name, home address, workplace, phone number, bank details and other personal information. That information is then broadcast to the general public without the victim’s consent. The data is often sensitive and is commonly used in extortion efforts.
“Anonymous” is a popular hacktivist group made up of people from all over the world, but other hacktivists might work alone.
Well-known hacktivist groups like WikiLeaks will leak classified documents, private company information, sensitive data and government information. Their motivation is ideological: to expose ‘the truth’ or secrets to the public and raise awareness.
The Syrian Electronic Army, which reportedly has ties to Bashar al-Assad, the Syrian President, launched DDoS strikes on the United States Executive Branch in 2013 to further their anarchist goals. The Army has conducted operations to infiltrate government, media and privately held organisation websites using spear-phishing and DDoS techniques.
The best way to protect against hacktivism is by maintaining a solid and secure online presence, communicating with regulatory bodies, adhering to ethical practices, and adopting transparency as a part of organizational culture.
3) Technology is an enabler and a risk
Technology itself is a double-edged sword. It enables organisations to deliver services quickly and efficiently, improve service delivery, innovate faster and reduce costs.
Unfortunately, the same type of infrastructure, software and methods that are used by governments and large organisations can also be used by criminal gangs to exploit people and organisations. New dark web tools make ransomware attacks possible with little to no technical sophistication, opening the door to cybercrime to anyone with a Tor browser and a little time on their hands.
As the level of sophistication of technology grows, so do the risks and vulnerabilities. Many systems were built in the 1980s or 1990s and had security ‘retrofitted’ later. Enter the application programming interface (API), a way for two or more computer programs to communicate with each other. APIs give users, applications and IoT devices access to sensitive data and other network resources. But without robust security, they are highly vulnerable to a variety of attacks that can lead to data breaches and compromised networks.
There are also many legacy systems that sometimes cannot be secured. The business needs a plan to phase out these systems. Most of the recent breaches were rumoured to involve legacy parts of the affected systems. As we move to faster internet speeds and faster servers, cyber criminals will move just as fast. They can run scripts to cause havoc in seconds, not hours, allowing them to move in and out of systems quickly.
Organisations must have multiple layers of controls. As Medibank and Optus found out, just one weak point among thousands of controls, and millions of dollars of IT budget, is enough.
4) Commercialisation of hacking tools increases data breach risks
Hackers typically have exceptional programming skills and computer knowledge. They know how to bypass a computer’s security system and access data that they wouldn’t have been able to get otherwise (as well as data that’s not available to the public).
Contrary to popular belief, the vast majority of hackers don’t have genius-level IQs or superhuman powers, just superior research skills, lots of patience, and a love of problem-solving.
However, ransomware-as-a-service (RaaS) has grown into a lucrative dark web economy, leading to the proliferation of ransomware attacks. This means hackers’ exceptional programming skills and computer knowledge are not always required.
In the RaaS model, there are at least two parties who establish a business relationship: the developer and the affiliate. The developer writes the malicious program that encrypts and potentially steals the victim’s data. The affiliate executes the attack and collects the ransom, potentially also including additional business arrangements, like purchasing exploits or using cryptocurrency. For the record, REvil (the gang behind the Medibank breach) is one of the prominent providers of RaaS.
5) Unwritten hacking rules are changing
The first generation of hackers were bored teenagers or IT geeks putting their problem-solving and technical skills to the test. In most cases, once they got into a system, they got out just as quickly: mission accomplished, and they could tell all their friends how clever they were.
With more data collected and available, today’s hackers see the financial value in data when sold on the dark web. Hackers are willing to invest months of problem solving and collaborating to get a $5 million payday.
Historically, there was an unwritten rule amongst hackers – never hack critical infrastructure. Today, critical infrastructure remains firmly in the sights of hackers, ranging from Russian hackers targeting U.S. airports to Chinese nation-state actors exploiting vulnerabilities within telecoms.
6) Data breach laws don’t apply fairly
Let’s be honest, the chance of the FBI, CIA and other law enforcement agencies locating, arresting and bringing hackers from Russia or China to justice in Australia is remote. Hackers know this.
In fact, state-sponsored attacks are usually the most sophisticated, with criminals having dedicated tools and the most advanced software available. They have the funds, the time, and the knowledge to complete the most high-value attacks out there. State-sponsored actors are often employed just for the purpose of completing a cyber attack and will have numerous resources and dedicated time to research and carry out an advanced attack. They are funded by their nations to spy on foreign agencies, steal sensitive information or other intellectual property.
Hackers are virtual: they move between organisations and groups, and change their identities and their equipment. Good hackers don’t leave their identity and ‘fingerprints’ behind.
On the flip side, legitimate and honest organisations must comply with hundreds of international cyber security laws or risk massive fines. The Australian government introduced new laws recently to increase fines for companies involved in data breaches, with the maximum fine raised from $2.2 million to at least $50m.
To highlight the importance of cyber security, credit-rating firms are now looking more closely at companies’ responses to cyberattacks, giving the issue greater weight as a factor in a firm’s creditworthiness. Analysts at S&P Global Ratings say they have downgraded companies and government agencies that were hacked in part because the organizations weren’t able to make important information available due to IT outages, and because the attacks did financial damage.
10 Strategies to Manage Cyber Risks and Prepare for a Data Breach
There is no shortage of strategies that can be used to improve cyber security. Here are our top tips:
Improve cyber risk management
- Expect more data breaches in 2023. Don’t be complacent. Don’t think it’s not going to happen to you. The first mistake is thinking that a data breach will never occur.
- IT security budgets are limited, so use a risk-based approach to cyber security. For example, vulnerability assessments are good enough for low-risk systems, and more expensive penetration testing should be used for higher-risk systems.
- Don’t follow one cyber security framework or standard. Understand all of them and select the areas/elements within each one that best meet your needs.
- Regular reinforcement of your cyber security expectations to all staff and suppliers is critical. Invest in your people and suppliers. Build a strong human firewall through regular communication and training.
- Regularly review your controls to make sure they are working as planned.
Monitor and prepare
- Monitor everything you can. Enable event log monitoring on all managed workstations and servers. 99% of malicious activity begins on a regular end-user’s workstation before it spreads to the servers holding the data. Remember, 85% of victims were unaware of their compromised security state for weeks to months before they were notified.
- Prepare and regularly update your response plans and playbooks.
- Exercise your response plans to strengthen your response capabilities and confidence.
Assurance and reassurance
- Audit your higher cyber risk areas and your key controls to confirm they are working as designed.
- Don’t rely on one form of assurance, use multiple layers of controls and assurance.
Can we help?
Don’t play the waiting game. The spate of recent data breaches is a timely reminder that cyber attacks are real. Organisations need to get it right 100% of the time; hackers only need to get it right once.
Now is the time to move beyond cyber security to cyber resilience. InConsult is committed to helping organisations improve their cyber resilience posture. We have extensive experience in vendor risk management, cyber risk management, vendor audit and assurance, crisis management and business continuity.
If you want help to strengthen your cyber resilience posture, contact us to confidentially discuss your needs.