Audit and consulting firm, RSM Australia, claims the risk of cyber security attacks is not going away and businesses need to adapt much faster.
RSM Australia said that, with Prime Minister Malcolm Turnbull raising cyber security to the level of national security and the recent announcement regarding the introduction of data breach notification laws, there were now compelling reasons for organisations to ensure their business systems and client data were secure from the risk of cyber attacks.
Michael Shatter, Partner, Risk Advisory at RSM Australia, said “This year the same old predictions appeared in the news, from ransomware to IoT and cloud security. The issues won’t go away in the next few years.
“With the Australian Crime Commission estimating the annual direct cost of cybercrime to Australia to be in excess of $1 billion, businesses need to adapt and put systems in place to cope with the new normal of cyber crime.”
Utilities are most at risk, with the Australian Cyber Security Centre Threat Report 2016 finding that the energy industry was the most targeted private sector for cyber attacks, with the highest number of compromised systems and among the most likely to receive malicious emails.
The report found that in the past financial year, cyber emergency response body, CERT Australia, dealt with 14,804 cyber security incidents, 18 per cent of which were targeting the energy industry.
The need for the energy industry to adapt to imminent cyber threats and to keep up to date with the latest thinking and technology is being addressed at Secure Utilities, an event to be held in Melbourne on 23 March 2017.
The event will feature speakers including Jarrod Loidl, the Domain Lead for the Security Enablement Program at ANZ Bank, and Professor Chris Leckie, Associate Director of the Oceania Cyber Security Centre, along with a range of consultants, cyber security experts, cultural change managers and a reformed hacker.
RSM Australia has identified three important things businesses need to do to protect themselves from cyber crime in 2017:
1) Make cyber security assessment a continuous process. Every network change, such as adding a router, replacing a server or implementing new software, creates new vulnerabilities for cyber criminals to exploit. Organisations therefore need to assess the network to identify weaknesses and develop incident response plans, then repeat the process regularly.
2) Take control. Preventive controls help reduce the number of security incidents and better deter unauthorised access. Detective controls help to monitor and alert the organisation to malicious and unauthorised activity. Corrective controls limit the scope of an incident and mitigate unauthorised activity.
3) Build security awareness into your organisational culture. Many employees become unknowing contributors when they innocently click on a link in an email message that activates a malware attack. Often the email may look like it was sent by a colleague or associate. In 2016, a ransom virus shut down the Royal Melbourne Hospital’s pathology department. Cyber criminals may target officials in human resources, purchasing and other departments who may be less aware of risks they face from intrusions.
Mr Shatter said, “Of course, it would be wonderful to be able to talk to our clients about exciting and new risks that they need to manage, however the reality is that organisations will be impacted by similar and more complex cyber attacks which leverage off many existing vulnerabilities.
“Unfortunately, humans are still the weakest link and many businesses are still failing to educate their staff about cyber security risks.
“Taking the friendly nature of humans into consideration, it is much easier for an attacker to ask someone to open the door than to try and break it down themselves.”
Mr Shatter said cyber security was like a house in that there were many areas that needed to be secured.
“Simply purchasing a security product doesn’t make a business safe. The underlying business environment needs to be secure. Poor foundations lead to poor security.”
“Increasing digitisation means cyber security cannot be considered an isolated risk or something to relegate to the IT department. It must be considered a business risk. The board must be aware of and actively pursuing ways to mitigate cyber risks.
“These threats won’t be solved as a one-off project. Instead, businesses need to manage cyber risks as a part of daily business operations.”
Mr Shatter said, “Businesses seem to be falling victim to the same exploits and attacks time and time again.
“Cyber criminals are sophisticated and sneaky so it’s time for businesses to get a step ahead, putting strategic security measures in place that force attackers to try a different victim.
“Otherwise it’s only a matter of time before the business loses money and faces reputation damage due to a successful cyber attack.”
Has your utility adapted to the danger of cyber attacks? Our event, Secure Utilities, will ensure you’re up to date with the latest thinking and technology to keep your utility’s assets and data safe.