Mandatory data breach notification obligations commence on 23 February 2018, which means that businesses may no longer have the option to conceal cyber security breaches that have compromised their networks. Cyber security awareness should thus be a priority to reduce the risk of both legal and reputational damage.
In this respect, the Australian Cyber Security Centre (ACSC) 2017 Threat Report is a useful resource that details current trends in Australia's cyber landscape and the means to counter these threats. The ACSC's core observation is that cyber attacks are increasing in sophistication, particularly against government networks, but so are the defence measures against it.
Developments - cyber criminals are becoming increasingly sophisticated in their attacks
The ACSC lists the following as the key developments in Australia's cyber landscape:
- an increase in the frequency, scale, sophistication and severity of cyber incidents;
- more diverse and innovative attempts at cyber espionage, for example compromising government and private sector networks. The ACSC particularly cites foreign investment in the Australian private sector as a motivator;
- the increasing number and scale of Distributed Denial of Service (DDoS) incidents, including from activities originating outside Australia that affect related systems through interdependencies;
- an increase in cyber criminal sophistication and deliberate targeting. For example, the ACSC considers the Defence industry to be a particular target of attack; and
- foreign states increasing their level of investment in cyber capabilities to conduct cyber attacks. The ACSC warns that "advanced malicious cyber activity" against Australia’s national and economic interests is increasing in frequency, scale, sophistication and severity. Foreign states possess the greatest capability to compromise Australian networks. Over the last 12 months, the ACSC detected extensive state-sponsored activity against Australian government and private sector networks in support of economic, foreign policy and national security objectives.
Reproduced from the ACSC 2017 Threat Report
Threats - the techniques being deployed by cyber criminals
The ACSC identifies various types of cyber criminal activities, and draws particular attention to:
- Ransomware as a method of extorting funds from a wide range of victims is one of the most prevalent cybercrime threats and is likely to remain so due to its continuing success. A notorious example of this success is the "Wannacry" cyber attack this year. The most commonly reported ransomware delivery method was mass-market untargeted phishing campaigns.
- Credential-harvesting malware for stealing credentials (such as login details) poses an increasing threat due to a specific focus on targeting Australia. The ACSC also noticed an increase in the targeting of Android smartphones. The ACSC considers that smartphones will become a common target due to the increased amount of information stored on them.
- Social engineering plays on a person's confidence to perform actions that divulge information (eg. through email correspondence). Although a common pop culture trope (think Nigerian princes), the ACSC warns that social engineering is growing in sophistication and is likely to be increasingly employed to bypass tougher security measures.
- Targeting trusted third parties has increased, particularly in the case of vendors that provide products and services to other companies and have extensive access to their data and networks. The ACSC notes that some Australian networks of global service providers have been compromised, and through them, their customer's networks.
Standing conclusion - prevention is better than a cure
The ACSC notes that, despite the development of sophisticated defence measures, many cyber security attackers are compromising networks using publicly known vulnerabilities that have known mitigations. These incidents could have been prevented through straight-forward cyber security measures.
Protecting sensitive information, safeguarding business reputation and complying with legal requirements are imperatives for all businesses. A cyber incident can have significant ramifications, and the advice remains as it has always been - prevention is better than a cure. Particularly given the mandatory data breach notification obligations to commence early next year, businesses should proactively consider their investment in cyber security, rather than reactively when critical vulnerabilities are discovered.