Cybersecurity should be keeping business leaders up at night
A new government report has revealed cyberattacks on critical infrastructure networks globally were targeted at phenomenal rates in 2021-22, including an Australian electricity generator.
Cyber has is also generated its own black-market industry, Cybercrime-as-a-Service (CaaS), enabling cybercriminals to become more specialised, further elevating the threat they pose to individuals and businesses, according to the latest assessment of cyber security threats and trends released by the Australian Cyber Security Centre.
However, the true scale and impact of malicious cyber activity targeted at Australia's critical infrastructure assets is unlikely to be revealed until next years report, says Ashwin Pal, Director of Cyber Security and Privacy Risk Services, RSM Australia.
Pal says new mandatory reporting obligations on critical infrastructure entities did not commence until 8 July after the ACSCs annual reporting period.
"Next year's report will likely show a spike in incidents because the new laws capture a considerably larger group of industries and infrastructure assets," he says.
"They also give the Australian Government walk-in rights to manage a serious cyberattack if its not being managed properly and is compromising the provision of essential services."
Pal says physical wars were now being played out online as evidenced by the disruption of telecommunications services and online scams targeting citizens in the Ukraine and Europe prior to and during the Russia-Ukraine war.
The Russia-Ukraine war highlights the increasing role that cyber, and specifically cyber warfare, can play when nations are at war. It clearly shows that cyber is the fourth frontier in warfare now alongside land, air, and sea.
"This also demonstrates the vulnerability of nations as they become more connected and the need to identify key assets and manage their vulnerabilities - a key objective of Australia;s new critical infrastructure laws."
Growing business reliance on interconnected digital devices and systems has resulted in an escalation of cyberattacks, with public, private, and not-for-profit entities reporting more than 76,000 cyber incidents in 2021-22, a 13% increase on the previous year, according to the ACSC report.
Queensland and Victoria were the top reporting states, while healthcare and social assistance was the top reporting industry sector, after government agencies which are required to report significant cyberattacks.
Pal says medical files were like the Ferrari of stolen data.
"With a stolen credit card, the most you can use it for is five days, if you're lucky," he says.
"However, with patient data and all of the information you get with it, you can actually go in and get multiple credit cards, mortgages and personal loans and then head overseas."
Cybercrime hit medium-sized businesses with 20-199 employees hardest, with losses averaging $88,407 per enterprise, compared with $62,233 for large business and $39,555 for small businesses.
RSM Australia National Head of Cyber Security Darren Booth says the ACSC Annual Cyber Threat Report should be required reading for every business owner, CEO, and company board.
He says cyber security was one of the most significant risks to modern-day businesses and needed to be elevated from the IT department to the boardroom.
"Cyber security should be keeping business leaders and department heads up at night, and if its not they need to question their cyber defence strategies. It should also be a standing agenda item at every board meeting,," says Booth.
"Every single business with an email is at risk from cybercrime. Remote working and learning has increased the risk of business email compromise (BEC) with impacted organisations reporting losses of more than $98 million in 2021-22. These are easy attacks to carry out and the returns are high," he says.
"Ransomware attacks, which unsurprisingly impacted more education and training entities in 2021-22 due to the switch to online learning during the pandemic, also have the potential to cripple the operations of organisations."
Booth says cyberattacks were escalating in scale, sophistication, and frequency, exploiting vulnerable systems and weak entry points in digital supply chains to target more valuable, higher-order infrastructure.
"SMEs in software and service supply chains are hot targets for cyber criminals looking for a backdoor into the systems of larger and more lucrative organisations. As a result, business-to-business contracts are increasingly requiring proof of cyber resilience."