Are businesses taking the threat of cybercrime seriously?
6 June 2019, Written by David Simmons
The news that Australian National University suffered a massive hack, in which 19 years of data was stolen, made headlines earlier this week.
According to the ABC, names, addresses, dates of birth, phone numbers, personal email addresses and emergency contact details, tax file numbers, payroll information, bank account details, and passport details were all stolen. Student academic records were also accessed.
The recent attacks on Princess Polly, Canva and Kathmandu are similarly prime examples of contemporary businesses falling victim to sophisticated cybercriminals exploiting vulnerabilities in digital systems. The reputational harm and the immediate effect of losing customer trust will certainly hurt the pockets of these groups in the long run.
One of Australia's largest banks was also hit this week, with the details of almost 100,000 Westpac Bank customers being exposed in a cyberattack.
And if this week's news of property valuer LandMark White having a data breach for the second time this year resonates for any reason, it should be that threats are everywhere, and they have the power to bring major corporations to a screeching halt.
Despite the valuer saying it implemented a robust and hopefully impenetrable cybersecurity system to protect its data, it could not stop a leak from the inside.
This latest data breach for the property valuer came just weeks after the company had its suspension from the ASX lifted. Back in May the company revealed that the first data breach, which saw client information sitting on the dark web for ten days, hurt the group's revenue by $7 million.
Following this second attack it is unclear if the group will survive at all; this is the second time in a year that major banking clients like NAB and Comm Bank have suspended using LMW as a property valuer, and the company's reputation is in tatters.
If even major businesses and institutions that store the sensitive data of thousands of people can suffer from cybercrime, then what hope do the rest of us have?
Business News Australia has already dived into how cybercrime will cost the world in excess of US$6 trillion annually by 2021, up from US$3 trillion in 2015. That is a huge dent in the world economy.
So, are businesses taking the threat of cybercrime seriously? According to the latest research, it appears not.
According to Greg Touhill, board director of international IT governance association ISACA, cybercrimes are being vastly underreported but growing in volume.
"Underreporting cybercrime - even when disclosure is legally mandated - appears to be the norm, which is a significant concern," says Touhill, referencing the '2019 State of Cybersecurity Study' commissioned by ISACA.
"Half of all survey respondents believe most enterprises underreport cybercrime, even when it is required to do so."
The study also found that only one in three cybersecurity leaders have high levels of confidence in their cybersecurity team's ability to detect and respond to cyberthreats.
According to the ISACA report, the top three threat actors are cybercriminals, hackers and non-malicious insiders. Phishing, malware and social engineering top the list of prevalent attacks on businesses, while ransomware is falling out of fashion, with 37 per cent of organisations reporting that they experienced ransomware last year, compared to 20 per cent this year.
The vast number of businesses being targeted by financial crimes is quite shocking, according to a report on financial crime by Refinitiv.
The report, titled 'Innovation and the fight against financial crime: How data and technology can turn the tide', details how almost 75 per cent of Asia Pacific organisations have been the victims of financial crime over the past 12 months.
The report says this high rate is due to a lax approach to due diligence checks when onboarding new customers, suppliers, and partners.
Because of the increase in financial crime activity, Refinitiv says that 60 per cent of APAC companies are now adopting new technologies to combat financial crime.
And the necessity of an increased spend is even more amplified by findings from Tenable, a cyber exposure company.
Their 'Quantifying the Attackers Advantage' report details the window of opportunity cybercriminals have to weaponise vulnerabilities.
The researchers found that cybercriminals have a median seven-day window of opportunity during which they can exploit a vulnerability to attack victims, potentially siphoning sensitive data, launching ransomware attacks and causing extensive financial damage before organisations even take the first step to determine whether they are at risk.
Tenable also found that cybersecurity teams can take on average 13 days before launching their initial search for a new vulnerability in the system; plenty of time for hackers to get in, get out, and get paid.
According to Tom Parsons, senior director of product management at Tenable, no matter how seriously businesses are taking cybersecurity, the cybercriminals are always one step ahead.
"This report illustrates the stark reality facing organisations today - cybercriminals and security teams are engaged in a never-ending sprint to seize the first-mover advantage whenever a new vulnerability is discovered," says Parsons.
"But chief information security officers (CISO) are consistently at a disadvantage in large part due to antiquated processes and tools. We must put the CISO in the driver's seat so organisations can proactively measure and manage cyber risk in the same way as other business risks."
"In a digital economy powered by the cloud, business applications and DevOps cycles, it's imperative that organisations establish good cyber hygiene, which starts with maintaining live and holistic views into their systems at all times. That's a critical step toward reducing Cyber Exposure and eliminating the attackers' advantage."
New vulnerabilities arise every day, and often prove too much for anyone who hasn't spent time researching cybersecurity. For a business leader, worrying about things like 'dark data', data that remains unclassified or untagged and unprotected, sometimes comes secondary to day-to-day problems.
But these major cybersecurity blind spots are incredibly important to be aware of if your business is to survive in the era of cybercrime; as we've seen recently, no business or organisation is immune to cybersecurity threats, no matter how large.