With ransomware and other malicious cyber attacks on the rise, it’s vital that information technology security is given top priority.
The world of technology is changing at a rapid pace and developments in this space are giving fantastic opportunities for modernisation and improved business efficiencies. “Leaps in innovation also, however, bring with them potential threats and new risks,” says Paul Malek, General Manager of Integrated Systems at MAX. The message couldn’t be any clearer: if you’re not concerned about cyber security, you should be and in the current climate it’s only a matter of time before your organisation is affected.
Current statistics make for sobering reading…
• in Australia a cyber crime is reported, on average, every 10 minutes *
• cyber crime reports by jurisdiction from July 2019 to June 2020 – Queensland (14,630), Victoria (14,061), New South Wales (12,689), Western Australia (5386), South Australia (3559), ACT (886), Tasmania (839) and Northern Territory (463)*
• the average number of security breaches per company each year is up 27.4 percent to 130 **
• average time to resolve a malicious insider attack is 50 days **
• worldwide spending on cyber security is expected to reach US$133.7 billion in 2022 ***
• data breaches exposed 4.1 billion records in the first half of 2019 ***
• 68 percent of business leaders feel their cybersecurity risks are increasing ***
• the likelihood of detection and prosecution of a cyber attack is estimated to be as low as 0.05 percent in the US ****
Roberto Calati, General Manager of Technology at MAX, understands the dangers only too well. “These attacks happen all the time and it’s not just large organisations,” he warns. “You only hear about the large organisations because they make the news. Many smaller organisations get hit and deal with it privately.”
Types of risks organisations may face
• Theft or loss of customer data – while the number of major breaches of personally identifiable information has generally decreased, a number of breaches now occur as collateral damage from other incidents or as a result of poor information-hygiene practices.
• Theft or loss of business IP (intellectual property) – restructuring or reorganisation of an organisation creates a risk of data loss via departing staff.
• Open network access to internet services – this can provide a channel for data loss.
• Ransomware or advanced malware – increasingly sophisticated attacks are now targeted and cause devastating disruption to businesses, with ransom demands escalating to millions of dollars, typically demanded in bitcoin.
• Damage to the integrity of key data stores and processes – external regulation of application and data integrity has increased, and any integrity issue will have a significant impact on a brand.
The good news is that the majority of these attacks can be prevented by implementing a few simple practices and strategies. Cyber criminals tend to be lazy and look for low-hanging fruit: they see no point in spending weeks trying to infiltrate a well-protected target when so many organisations do not follow the basic steps.
Feral Lagios is the Senior Manager of Technology and Information Security at MAX’s parent entity Tabcorp. “From our perspective it isn’t if there will be an attack, but when,” she says. Accordingly, Lagios and her team follow the CIA triad. “This is a set of practices that maintain the Confidentiality, Integrity and Availability of our assets and data in its various forms,” she explains. The approach also encompasses other elements such as preservation of information, protection of data, privacy principles, any licence obligations that must be maintained and a range of vulnerabilities and risks that need to be kept at bay.
The practice of cyber hygiene will work to keep an organisation’s system healthy and improve its online security. Lagios recommends the following plan of action for any business looking to tighten its cyber security and make it less vulnerable to being attacked.
• Create strong passwords – make sure they can’t be easily guessed, and be wary of quizzes and seemingly innocent information-gathering posts on social media that could be used to learn the details people base their passwords on.
• Always use separate passwords for separate accounts – never reuse a password across accounts, so that a breach of one account cannot be used to unlock the others.
• Never store passwords in notes or on sticky notes – while some people prefer simpler passwords that are easier to remember, a much better practice is to use a secure password manager such as LastPass, whose vault cannot be recovered without the master password. Users then only have to remember one password and all their others are stored safely.
• Be on guard for password phishing – many attacks start with someone contacting you by email or phone. Reputable sources – including banks, telcos and employers – will never ask staff for their passwords. Do not share yours with anyone, not even family.
• Set strong customer password requirements – internally, MAX requires a minimum length of 10 characters. The preference is for 10 to 14 characters with a mix of digits, symbols, and upper and lower case letters to provide extra strength.
• Lock customer accounts after six failed login attempts – a lockout duration is also recommended, so that if an account is being attacked the window of opportunity is limited.
• Protect passwords in view and in transit – authentication credentials, including passwords, should only ever be transmitted encrypted (for example over TLS), never in clear text. Password entry fields should be masked so that a password is never displayed in clear text to or by a customer.
• Use blacklisting – block unwanted entities, including applications and websites, and reject passwords that appear in a comprehensive breached-password dictionary plus a custom dictionary of your own.
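As an added worked example (not code from the original article, nor MAX’s or Tabcorp’s implementation), the Python below puts the customer password controls from the list above into one script: the 10-character minimum and character-class mix, a blacklist check against a breached-password dictionary plus a custom dictionary, and a lockout after six failed attempts with a lockout duration. The dictionaries are tiny constructed samples, and the 15-minute lockout duration, the `check_password` and `LoginThrottle` names and the injectable clock are this example’s own assumptions; the article gives none of them.

```python
"""Added example (not MAX's or Tabcorp's code): customer password policy and
login lockout checks matching the practices listed in the article.
Everything other than the 10-character minimum and the six-attempt limit
(the sample dictionaries, the lockout duration, all names) is assumed here."""
import string
import time

MIN_LENGTH = 10            # minimum length stated in the article
MAX_ATTEMPTS = 6           # failed attempts allowed before lockout
LOCKOUT_SECONDS = 15 * 60  # assumed lockout duration; the article gives none

# Constructed sample lists. A real deployment loads a large breached-password
# dictionary (e.g. a Have I Been Pwned export) plus the organisation's own list.
BREACH_DICTIONARY = {"password123", "qwerty12345", "letmein2020"}
CUSTOM_DICTIONARY = {"max", "tabcorp", "stateofplay"}


def check_password(candidate: str) -> list:
    """Return the policy violations for a candidate password (empty == accepted)."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    has_lower = any(c.islower() for c in candidate)
    has_upper = any(c.isupper() for c in candidate)
    has_digit = any(c.isdigit() for c in candidate)
    has_symbol = any(c in string.punctuation for c in candidate)
    if not (has_lower and has_upper and has_digit and has_symbol):
        problems.append("needs a mix of upper, lower, digits and symbols")
    lowered = candidate.lower()
    # Breach dictionary: exact match on the case-normalised password.
    if lowered in BREACH_DICTIONARY:
        problems.append("appears in breached-password dictionary")
    # Custom dictionary: substring match, so "Tabcorp2021!" is rejected too.
    if any(term in lowered for term in CUSTOM_DICTIONARY):
        problems.append("contains a blocked organisation-specific term")
    return problems


class LoginThrottle:
    """Per-account failed-attempt counter with a timed lockout.

    The clock is injectable so the expiry logic can be tested without sleeping.
    """

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._failures = {}      # account -> consecutive failed attempts
        self._locked_until = {}  # account -> clock value when the lockout ends

    def is_locked(self, account: str) -> bool:
        until = self._locked_until.get(account)
        if until is None:
            return False
        if self._clock() >= until:
            # Lockout expired: reset so the account gets a fresh MAX_ATTEMPTS.
            del self._locked_until[account]
            self._failures.pop(account, None)
            return False
        return True

    def attempt(self, account: str, verify) -> str:
        """Process one login attempt and return "ok", "denied" or "locked".

        verify is a zero-argument callable that checks the submitted password.
        It is only invoked when the account is not locked, so a locked account
        never exercises the password check at all.
        """
        if self.is_locked(account):
            return "locked"
        if verify():
            self._failures.pop(account, None)  # a success resets the counter
            return "ok"
        failures = self._failures.get(account, 0) + 1
        self._failures[account] = failures
        if failures >= MAX_ATTEMPTS:
            self._locked_until[account] = self._clock() + LOCKOUT_SECONDS
            return "locked"
        return "denied"


if __name__ == "__main__":
    for pw in ("Tr0ub4dor&3x", "password123", "Tabcorp2021!", "Ab1!"):
        print(f"{pw!r}: {check_password(pw) or 'accepted'}")
    throttle = LoginThrottle()
    for _ in range(MAX_ATTEMPTS):
        print(throttle.attempt("alice", lambda: False))
    # Even the correct password is refused while the lockout is in force.
    print(throttle.attempt("alice", lambda: True))
```

Two caveats a practitioner would add: a lockout keyed on the account name lets anyone who knows a customer’s username lock that customer out, so pair it with rate limiting per source address and consider a lockout duration that grows with repeated lockouts; and the password check should run only when the account is not locked (as `attempt` does), so that locked accounts do not keep feeding an attacker right-or-wrong answers.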
To enable MAX to help you with your cyber security, remember these three important rules:
• Consider information security in all your day-to-day work.
• Cyber security is everyone’s responsibility and the weakest link in the chain could have devastating consequences. But, conversely, people are the best defence and people are your firewall.
• Understand what you need to do for compliance and risk. Ensure you are across the latest regulations and requirements as to your legal obligations.
* Annual Cyber Threat Report, July 2019 to June 2020 www.cyber.gov.au/acsc/view-all-content/reports-and-statistics/acsc-annual-cyber-threat-report-july-2019-june-2020
** Eighth Annual Cost of Cybercrime Study (Australia, France, Germany, Italy, Japan, UK, US) www.accenture.com/au-en/insights/security/eighth-annual-cost-cybercrime-study
*** Cyber Observer, 29 Must-know Cybersecurity Statistics for 2020 www.cyber-observer.com/cyber-news-29-statistics-for-2020-cyber-observer
**** The Global Risks Report 2020, 15th Edition www3.weforum.org/docs/WEF_Global_Risk_Report_2020.pdf
This article was first published in State of Play, Issue 8, 2021