June 30, 2020
Helping your business stay abreast and make sense of the critical stories in digital risk, cyber security and privacy. Email news@elevenM.com.au to subscribe.
“Imagine if we could get the Prime Minister to yell ‘cyber’?”
Security leaders preparing to go cap-in-hand for FY21 budgets could only have dreamed of the platform their portfolios would get this month. In this month’s round-up we take a look at the PM’s announcement, and watch as ransomware and business email compromise jostle for the mantle of most damaging cyber threat.
Summary: Cyber became the talk of the nation after Prime Minister Scott Morrison called a national press conference to warn that Australian organisations, including governments and businesses, were being targeted by sophisticated foreign “state-based” attackers.
Key risk takeaway: Over a week after the announcement, the precise risk takeaway remains difficult to discern. The point, insisted the Prime Minister, was primarily to raise awareness of the ongoing and increased (up by 330 per cent, reportedly) but not new cyber activity against Australian organisations. While the PM’s statements and his rather prominent mode of delivery likely form part of broader geopolitical games, the storm of attention created does have specific implications for businesses in relation to cyber risk – including potential new minimum standards for cyber security, which could be a daunting proposition if reports like this are to be believed. There are also opportunities though – we’re aware of security leaders who’ve used the platform provided by the PM to sharpen their board and executive’s focus on cyber security, particularly in light of budgeting conversations for the upcoming financial year.
Tags: #cybercybercyber #executiveawareness
Summary: Beverage manufacturer Lion suffered disruption to key systems as a result of a ransomware attack and faced threats of its confidential data being posted online.
Key risk takeaway: Beer shortages?! A week after we stared into this calamitous possibility, did the Prime Minister really need a press conference to convince Australians of the seriousness of cyber security? More seriously, Lion’s plight here underscores the disruptive and reputational impacts of ransomware. After service impacts on its beer, dairy and other beverage lines, the manufacturer soon faced threats of “pay up or we’ll release confidential data of you and your clients”. The company offered a mixed public response to the incident, initially downplaying it as a “partial IT outage” and stating there was no evidence any information had been affected, a position it later reversed. On the other hand, a dedicated cyber help line for affected stakeholders was a positive move. For prominent brands, having a pre-planned and considered communications approach for cyber incidents is critical to maintaining trust amidst the inevitable media frenzy.
Tags: #ransomware #cybercrisiscomms
Summary: A suspected ransomware attack affected Honda’s production globally, forcing some plants to stop operations. Schools are now in the frame.
Key risk takeaway: Though the previous story also entailed ransomware, it’s worth re-emphasising the point about the increased prevalence and success of this form of cyber-attack. Recent trends certainly reflect that few companies and industries are off limits. The FBI warns schools are now a plump target for extortion – largely because they present attackers with the delicious proposition of sensitive student data protected by limited network defences. More than 80% of Indian organisations have also been hit by ransomware, says one report. A theory abounds that ransomware’s popularity with attackers will only increase if businesses choose to pay the ransoms. With 73 percent of small and medium businesses paying up, and ransomware infections apparently becoming more prevalent, there may be something to this. Strategies to mitigate the risk of ransomware include backing up files, patching computers, educating staff about suspicious links or attachments in emails and limiting its ability to spread through the network.
Summary: A ransomware attack disrupted a major IT services provider, in the second multibillion-dollar IT services company infected by Maze ransomware in recent months.
Key risk takeaway: Ransomware again – but this time our focus is on the adjacent issue of supply chain risk. Cyber attackers are evidently targeting technology suppliers, with the attack on Conduent following closely after the April ransomware attack on Cognizant, another global IT services supplier and a Fortune 500 company. We also learned that attackers recently breached the systems (Active Directory) of Japanese data-management company NTT Communications, potentially affecting 621 of its clients. Supplier security assurance is a critical but increasingly challenging domain for businesses, in addition to managing the security of their own systems and process. Operationally, where it’s known that a supplier is experiencing a security incident (particularly an IT services supplier), organisations should consider quickly disabling system access.
Tags: #suppliersecurityassurance #ransomware
Summary: Business email compromise scams cost Australian businesses $132 million in 2019, the highest losses across all scam types.
Key risk takeaway: $132m – the reported figure for business email compromise scam losses in Australia in 2019 – is a big number. $2 billion is even bigger – that’s the value of losses in the US, according to the FBI. Regardless of which number you choose, it’s clear that this seemingly simple form of fraud, in which scammers send fraudulent payment requests (often posing as CEOs or suppliers), remains highly lucrative for cybercriminals and damaging for victims. So lucrative is this form of scam that even North Korean and Chinese state-sponsored hackers (whose job is to infiltrate a business to gather intelligence) apparently can’t help but look for ways to carry out an email scam. Education is a key countermeasure, along with a culture where large and suspicious-looking payment requests can be questioned by staff.
Tags: #businessemailcompromise #securityawareness
Summary: New Zealand’s parliament has passed a new Privacy Act based on recommendations from a 2011 review, bringing the country into line with international best practice.
Key risk takeaway: For businesses in New Zealand (and outside – see further below), the bill represents a material uplift in privacy compliance requirements and signals the continued shift in public sentiment towards better privacy. Key provisions include mandatory data breach notification, beefed up powers for the Privacy Commissioner including to issue compliance notices and fines of up to $10,000 for failure to comply, and new criminal offences for misleading an organisation or business in a way that affects someone’s personal information or for destroying personal information which a person has requested. The new laws have extra-territorial reach, so would apply to an Australian company carrying on business in New Zealand, even where they don’t have a legal or physical presence. The passing of the bill with multi-party support may foreshadow similar smooth passage for amendments to Australia’s privacy laws currently being pushed along by the Australian Competition & Consumer Commission’s digital platform inquiry.
Tags: #privacy #databreachnotification
Click here to see past editions of the elevenM News Roundup