Data breach: Plugging a hole to save your company’s skin

By Ewen Ferguson

20 November 2020 - When organisations began sending workers home in March, the majority no doubt thought it was just going to be temporary and that staff would soon be back in the office.

We can look back now and know that where we work will never be the same. As you’d expect, organisations were not prepared for most of their workforce to be working from home – let alone wanting to stay there permanently, or at least some sort of hybrid arrangement.

The COVID-19 pandemic has not only seen us change our ways of working. Cyber criminals have adjusted the way they work and have intensified their focus on low-hanging fruit, particularly ‘quick fixes’ many organisations had to urgently put in place to support unprecedented numbers of employees working remotely.

According to the Office of the Australian Information Commissioner (OAIC), the number of data breach notifications attributed to ransomware attacks from January to June this year increased by more than 150% on the previous six months, from 13 to 33.

These attacks have included several large organisations, including Lion, Bluescope Steel, Toll, Regis Healthcare and the Spotless Group. Lion’s ransomware attack on 9 June forced the company to stop production for three weeks. It was hit again not long after, with criminals threatening to put confidential data up on the dark web unless they were paid a $1 million ransom.

Industry experts estimate the ransomware attacks could have cost Lion as much as $100 million.

Toll’s January cyber-attack forced the company to spend six weeks rebuilding its IT infrastructure. A second ransomware attack in May saw its systems offline for weeks and corporate data stolen and reportedly leaked onto the dark web.

IBM’s 2020 Cost of a Data Breach Report, which uses figures gathered by the Ponemon Institute, puts the average cost of a data breach globally at US$3.8 million. The average cost in the US is much higher at US$8.64 million.

IBM estimates that each compromised record costs an organisation an average of US$150. It says it takes an average of 207 days to identify a data breach and 73 days to contain it – so 280 days in total. That is five days up from the 2015 figure of 275.

A data breach not only affects the continuity of a business and its finances; it can also carry a financial penalty. Under the Australian Privacy Act, the current fine ranges from $525,000 to $2.1 million. However, on 30 October the Attorney-General’s Department released its terms of reference for a review of the Privacy Act. Amongst other changes, it is possible that Australia will adopt a regime similar to the General Data Protection Regulation in Europe, where penalties are significantly higher, with the fine based on a percentage of the organisation’s turnover.

The costs to reputation

As well as hefty fines, organisations need to take into account the inevitable reputational impact of data breaches. As a customer, if you see a company has repeated data breaches you may not want to deal with it anymore. If you are a shareholder there can be significant impacts as well.

In its delayed 2020 budget, the Federal Government announced a significant increase in spending for cyber security, with an additional $201.5 million to support its $1.7 billion 2020 Cyber Security Strategy. It also included $470 million to bolster Australia’s cyber security workforce on top of $1.4 billion for government security efforts.

The current measures build on the government’s previously announced $1.4 billion Cyber Enhanced Situational Awareness and Response (CESAR) package, which includes a raft of measures to improve Australia’s strategic cyber capabilities.

The fact that organisations take more than 200 days to identify the average data breach shows that most Australian companies just aren’t responding (or in some cases can’t respond) quickly enough.

Part of our role has been to try to hack into an organisation to test their defences. We get in more times than you would expect.

We then go through the ‘cyber kill chain’ – a number of steps that trace stages of a cyberattack from the early reconnaissance stages to the exfiltration of data.

The hackers are happy to take their time. They do their own research and due diligence, such as finding out what they can about your organisation from publicly available information. That might be, for example, looking at member interests and starting to build a profile.

From a protection point of view there needs to be a layered approach – building up the controls which enable an organisation to disrupt or slow the kill chain.

When we look at hacking into organisations, we want to see if and where there are vulnerabilities that could be exploited by a hacker.

History tells us that we are never going to prevent attacks entirely. Many companies have seen a big uplift in the number of attacks during this pandemic.

This is perhaps a combination of people having more time on their hands and the attackers knowing companies have made some compromises to their infrastructure to support large numbers of their employees working from home.

What we aim to do is to prevent hacker success. We look at identifying and securing our clients’ most valuable and critical assets – their ‘crown jewels’, if you like. These could be systems containing the company’s source code or running operational technology – areas that are critical to the organisation.

Continuous monitoring is vitally important – but we need to be monitoring the right things and correlating the data we get. Companies tend to record a lot of logs; what they don’t do so well is monitoring these logs and correlating multiple log sources to look for the right trends and indicators.
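As an added illustration of the point above (example code written for this page, not a Protiviti tool), the following Python correlates three constructed log sources per host and raises an alert only when one host shows several kill-chain stages within a short window; the source names, field formats, event names and the 100 MiB upload threshold are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines from three assumed sources (VPN, EDR, web proxy).
LOG_LINES = [
    "2020-11-12T08:02:11 vpn user=alice host=LT-0142 src=203.0.113.9 result=success",
    "2020-11-12T08:05:40 edr host=LT-0142 event=office_spawned_shell proc=powershell.exe",
    "2020-11-12T08:09:15 edr host=LT-0142 event=new_scheduled_task name=Updater",
    "2020-11-12T08:11:02 proxy host=LT-0142 dst=files.example.net bytes_out=734003200",
    "2020-11-12T08:40:03 vpn user=bob host=LT-0077 src=198.51.100.4 result=success",
    "2020-11-12T08:45:00 edr host=LT-0077 event=new_scheduled_task name=Backup",
    "2020-11-12T09:00:00 proxy host=LT-0077 dst=intranet.example.net bytes_out=10240",
]

# Kill-chain stage each EDR event type is taken to indicate (an assumption).
EDR_STAGE = {"office_spawned_shell": "exploitation", "new_scheduled_task": "installation"}
UPLOAD_THRESHOLD = 100 * 1024 * 1024  # bytes out in one request treated as suspicious

def parse(line):
    """Turn a 'timestamp source k=v ...' line into a dict of fields."""
    ts, source, *kvs = line.split()
    ev = dict(kv.split("=", 1) for kv in kvs)
    ev.update(ts=datetime.fromisoformat(ts), source=source)
    return ev

def stage(ev):
    """Map one parsed event to a kill-chain stage, or None if it is routine."""
    if ev["source"] == "edr":
        return EDR_STAGE.get(ev["event"])
    if ev["source"] == "proxy" and int(ev["bytes_out"]) > UPLOAD_THRESHOLD:
        return "exfiltration"
    return None

def correlate(lines, window=timedelta(hours=1), min_stages=3):
    """Group events by host; alert on hosts reaching min_stages distinct
    stages within window, enriched with the user seen in the VPN log."""
    stages_by_host, vpn_user = defaultdict(list), {}
    for ev in sorted(map(parse, lines), key=lambda e: e["ts"]):
        if ev["source"] == "vpn" and ev.get("result") == "success":
            vpn_user[ev["host"]] = (ev["user"], ev["src"])
        elif (s := stage(ev)) is not None:
            stages_by_host[ev["host"]].append((ev["ts"], s))
    alerts = {}
    for host, evs in stages_by_host.items():
        for i, (t0, _) in enumerate(evs):
            seen = {s for t, s in evs[i:] if t - t0 <= window}
            if len(seen) >= min_stages:
                alerts[host] = {"stages": sorted(seen), "vpn": vpn_user.get(host)}
                break
    return alerts

if __name__ == "__main__":
    for host, info in correlate(LOG_LINES).items():
        print(f"ALERT {host}: {info}")
```

Any single line here (a scheduled task, one large upload) is unremarkable on its own; the alert comes from the sequence across sources, which is the correlation the paragraph calls for.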

If you look at traditional security controls, they are very much focused on prevention. There is usually a lot of talk about firewalls – and all those typical controls we hear about. But if we work on the premise that there will eventually be an attack, it is better to detect it early, while we still have a chance to do something about it.

Usually our advice on cyber security strategies involves simulations that are not announced – with only a small number of employees knowing about them. This helps to test a company’s incident response and crisis management plans, to see if they work and refine them where they don’t. With a significant number of the workforce now working from home, this can make for an even more challenging test.

The bottom line is that a data breach is more about when than if. But being prepared can make a huge difference, both to your customers’ safety and your bottom line.

Ewen Ferguson is Managing Director of Protiviti with specific expertise in technology governance, risk, compliance, cybersecurity and privacy.

About Protiviti

Protiviti (www.protiviti.com) is a global consulting firm that delivers deep expertise, objective insights, a tailored approach and unparalleled collaboration to help leaders confidently face the future. Protiviti and its independent and locally owned Member Firms provide clients with consulting and managed solutions in finance, technology, operations, data, digital, legal, governance, risk and internal audit through its network of more than 85 offices in over 25 countries.

Named to the 2022 Fortune 100 Best Companies to Work For® list, Protiviti has served more than 80 percent of Fortune 100 and nearly 80 percent of Fortune 500 companies. The firm also works with smaller, growing companies, including those looking to go public, as well as with government agencies. Protiviti is a wholly owned subsidiary of Robert Half (NYSE: RHI). Founded in 1948, Robert Half is a member of the S&P 500 index.