Whitepaper: Protecting data in a threat landscape

Every modern organisation is avidly collecting and storing digital data on connected networks. This data storage has led to an avalanche of cybercrime, a nefarious activity that aims to access, steal and hold data to ransom. As the quantum of data increases daily, it becomes an ever more attractive target. Today, organisations and individuals are coming to terms with the requirement for cybersecurity and how to implement it.

Cybersecurity has become a catchphrase that tends to elicit reactions of fear or concern amongst users of the internet. It conjures images of unseen hackers or nation states bent on disabling important infrastructure or accessing data that doesn’t belong to them. Within IT circles, the term relates more to the structures and practices put in place to defend computer systems and data from such attacks. To an organisation trying to protect its data, cybersecurity is about getting the right information to the right people at the right time, whilst stopping the wrong people from ever accessing it.

Cyber-threats come in many guises but fall into three broad camps: those that seek financial gain, those that seek to steal identities and those designed to effect a denial of service, often directed at public infrastructure, such as power producers or other heavy industrial operators.

Well-known examples include phishing, spam, sniffing and modification [1]. The nature of the threat landscape is dynamic. No sooner do organisations identify and mitigate one attack than another attack, executed differently, emerges. Given the sheer quantity of data amassed by organisations, this is not surprising; data is highly prized by the right buyer.

To illustrate, what might a recorded or transcribed exchange between politicians be worth to a lobby group supporting or campaigning against a proposition? Further, what might national security information be worth to a party with nefarious intent? Commercially sensitive data, client data, financial data or intellectual property are all valuable to competitors. Individuals offer an irresistible array of personal information that could enable identity theft and subsequent access to personal finances. In addition, computer networks are digital doorways to data storage for government, organisations and individuals. They are prizes that will attract the most determined, the most inventive and the most subversive adversary. 

Do not underestimate how important cybersecurity is to government, organisations and individuals. Every week, unnerving statistics about huge data losses or new viruses pervade the internet and press. According to the Internet Organised Crime Threat Assessment (IOCTA) report of 2017, data breaches alone led to the exposure of more than 2 billion data records of EU citizens. Remember, these figures only reflect reported statistics. For the quarter to March 2018, there were 63 data breaches reported to the Office of the Australian Information Commissioner (OAIC). In recent years, organisations have changed their stance on cyberattack. Instead of seeing it as a possibility, most are viewing it as inevitable and taking measures to recognise attacks and minimise the potential loss arising from them. As Victor Miloshis, National Technical Support Manager at Frontier Software says, “The latest cybersecurity advice centres on an approach of continuous monitoring and real-time assessments.” In 2018, Australian spending on cyber-defence was estimated to be $AU3.8 billion.

Undoubtedly, we must take measures to protect our data, but implementing cybersecurity controls is not without its challenges. The capacity to develop malicious software has evolved such that it is now a specialty skill set. Expert hackers are always seeking vulnerabilities in their target data sources, creating a cycle of continual reconnaissance and attack. To defend against an enemy that is forever evolving requires equal levels of vigilance and persistence, albeit reactive. Hampering defence efforts is a dearth of employees with the requisite skill sets. Cast against a backdrop of organisations marching toward data digitisation, the opportunities to exploit vulnerabilities currently outweigh the resources available to defend against them. Experienced candidates know their worth to the government and corporate sectors and can name and get their price.

Further adding to the challenges is the ever-increasing array of internet-enabled devices, such as printers, that can connect to corporate or personal networks. Without strict controls over passwords (many devices only offer a default password known to all), networks are placed at risk when such a device connects. Known as the internet of things, the increasing array of web-enabled devices, together with a trend toward Bringing Your Own Device (BYOD) to work, presents a real threat to governments, organisations and individuals alike.

Organisations must view cybersecurity as a fundamental business practice or risk it becoming a reactive response when critical vulnerabilities cause actual harm. Miloshis adds, “In addressing matters of risk, guardianship and trust, our mission is to get cybersecurity right for ourselves. In doing so, we get it right for our clients.” But where do organisations begin and to whom should they turn when skilled resources are scarce?

The Australian Signals Directorate (ASD) is a government agency concerned with foreign intelligence collection and information security. Forming part of the Australian intelligence community, the ASD has created the “Essential Eight”, a list of actions that organisations can take to defend against cyberattacks. The ASD consider these steps the minimum requirement for Australian organisations. Their execution should follow the sequence shown below:

1. Whitelist applications
2. Patch applications
3. Configure MS Office macros
4. Harden applications
5. Restrict administration privileges
6. Patch operating systems
7. Employ multi-factor authentication
8. Perform regular backups [1]

Darren Hnatiw, CTO at Frontier Software reminds us, “Developing a comprehensive cybersecurity position is not a quick process, but it is possible. One of the biggest challenges faced by CIOs is gaining a company-wide commitment to the changes and governance required to bed it down.”

Depending on the structure of the organisation, managers, employees and IT staff have a part to play in defending against cyberattacks. Managers with access to sensitive company information are a natural target for hackers. They must actively support and embed cybersecurity initiatives within their teams. Employees too must take responsibility for data protection. It only takes one careless click on an email link or one unsecured device to potentially wreak havoc on corporate systems. Employees must be engaged in education and behaviour modification campaigns to embed mitigating behaviours company-wide.

The danger of cyberattack and the need for cybersecurity are a reality. Without the proper practices and controls in place, organisations, governments and individuals put themselves, their financial viability, their brand and reputation at risk. Breaches are not something to worry about, but something to expect. Vigilance and action are required today.

[1] For more information, refer to our whitepaper, Protecting Data in a Threat Landscape.