Cybersecurity - "Things that keep me up at night"
I've been asked a few times over the last few months or so what it is that keeps me up at night - mostly in the context of business risks for Comunet - but it extends naturally to our partners and clients. Of late, I've consistently been giving the same answer - Cyber security.
There's almost never a day that goes by where we don't hear another local story of a business that has felt the impact of a cyber attack - mostly ransomware and phishing, but sometimes some other type of compromise.
It's become very transparent that no-one is really immune from the risk - even technology providers that work in this space. Earlier this year, the Australian Cyber Security Centre launched a program for Managed Services Providers (MSPs) in response to a major global attack on MSPs known as Cloudhopper.
"Known as Cloudhopper, the hacking campaign attributed to the Advanced Persistent Threat 10 group is believed to have successfully compromised 12 technology companies and MSPs around the world since 2014, including giants IBM and HPE (now DXC)." ¹
So, what does it really mean for people (and businesses) operating in South Australia? First, let's look at the publicly available data and stats.
In most quarters, ACORN (the Australian Cybercrime Online Reporting Network) ² receives more than 13,000 reports of cyber security incidents. Working through the numbers in their reporting for South Australia - that's 2 issues reported every business day.
In 2016, and then again in 2017, Norton performed an SMB Cyber Security Survey ³ across Australia, and I'd like to draw attention to some of its key findings:
- 1 in 4 small businesses have fallen victim to cyber crime (up from 1 in 5 in 2016)
- The average direct financial loss caused per attack in 2017 was over $10,000 (without considering brand, reputation or other losses)
- Of those that had data lost, more than 50% could not recover the lost data.
So, the data tells us that the risk is real, and has a real financial and business impact.
But what we hear consistently is the sentiment of "we aren't a target" - a reluctance to acknowledge that everyone is at risk these days, with more attacks being broad and automated, meaning they will find the weakest security holes and exploit them.
The Australian Small Business and Family Enterprise Ombudsman ⁴ have published some data that clearly shows that this sentiment is wrong, more than that - it's outright dangerous based on what it can do to SMBs:
- Small business is the target of 43% of all cyber crimes
- 22% of small businesses breached in 2017 Ransomware attacks were so affected they could not continue operating
And then, there are the compliance obligations (and fines for non-compliance) of mandatory data breach notification rules from the Office of the Australian Information Commissioner - but that's another post for another time.
There you have it. My attempt to shine some more light on a challenging, complex and concerning situation.
The problem is, there is no silver bullet - but there are plenty of things we can all do to protect ourselves and our businesses.
For the good of your business, I implore you to get your IT team (or IT partner such as Comunet) to assess your controls at least against the Australian Cyber Security Centre's Essential Eight ⁵ strategies - and then get cracking on putting those controls in place if they don't exist already.
Look forward to your comments and thoughts!
¹ - https://www.itnews.com.au/news/acsc-launches-security-program-for-managed-service-providers-517278
² - https://acorn.govcms.gov.au/sites/g/files/net1061/f/acorn_snapshot_apr_jun2018.pdf
³ - http://now.symassets.com/content/dam/content/en-au/collaterals/datasheets/cybersecurity-simplified.pdf
⁴ - https://www.asbfeo.gov.au/sites/default/files/documents/ASBFEO-cyber-security-guide.pdf
⁵ - https://acsc.gov.au/publications/protect/Essential_Eight_Explained.pdf