Discussing the Business Continuity Implications of the Australian Cyber Attacks with Noggin CTO Owen Prime
The near-unprecedented wave of cyberattacks on corporate and governmental systems has been an underreported story coming out of the COVID-19 crisis, with alarming business continuity implications for organisations still battling the fallout from the pandemic.
Already in March of this year, online threats had risen by as much as six times their February levels. Hacking and phishing attempts alone were up 37 percent month on month.
The surge would only accelerate. By June, reporting would find a staggering 400 percent increase in cyberattacks.
The threat hasn’t gone unnoticed. An IBM study confirmed that nearly half of all surveyed remote employees were worried about impending cyber threats in their new home office settings.
Nor are home-office workers the only targets of this wave of cyber criminality. The global healthcare sector, in particular, has been sight of some of the most brazen attacks. In April, the World Health Organization confirmed a dramatic increase in the number of cyberattacks directed at its staff, as well as email scams targeting the public at large.
Besides the WHO, a high-profile IT incident involving a Czech Republic hospital ground that country’s COVID-19 testing effort to a temporary halt. In its turn, the US Department of Health and Human Services (HHS) was also the victim of a foiled distributed denial of service (DDoS) attack. And there have also been numerous reports of state-sponsored cyber industrial espionage in the race to develop a COVID-19 vaccine.
Perhaps, the most notorious COVID-19-era attack against public infrastructure has been the recent spate of wide-ranging cyberattacks against Australia’s government and institutions, which have crippled vast networks in both the public and private sector. According to Prime Minister Scott Morrison, these attacks, which have escalated over the last few months, cover “all levels of government,” in addition to essential services and businesses.
To get a better handle on these recent attacks, as well as the more generalised escalation of cyberattacks during the pandemic, we talk to Noggin’s Chief Technology Officer/Chief Information Security Officer (CTO/CISO), Owen Prime.
Q: What do you make of this sudden uptick in cyberattacks? And why are they happening now?
OP: Here, I think we need to distinguish the corporate security threat picture from the government security threat picture, tackle each at a time, even though both seem to be deteriorating rapidly.
What’s clear to me is cyberattacks against corporate systems – especially ransomware attacks – are rising because of sheer opportunism.
Because of the pandemic, everyone’s guard is down. People are now working from home en masse – in Australia, we see surveys showing somewhere close to 90 percent of workers might have been encouraged to go remote. Many of those workers are accessing corporate systems with their less secure personal devices, or a mix of personal and corporate devices. Add to that, we have a growing number of data points that suggest that workers haven’t received proper corporate security training for these improvised remote working set-ups – like a recent U.K. survey that showed that some two thirds of remote workers hadn’t been given any form of cybersecurity training in the last year.
Which brings us to the reality that unfortunately a lot of corporates have let their guard down, too – IT teams are swamped, fragmented, under-resourced, and just spread too thin. Responding to the pandemic (just to ensure businesses stay open) has been the top concern of leaders since the crisis began – who can blame them, right? That’s why we’ve seen the massive uptick in popularity for business continuity. A lot of employers, though, are making the calculation that they need to get their employees working no matter what, which entails connecting to corporate systems; and they are just jettisoning the security, privacy, and compliance considerations that they would have ordinarily taken more seriously in more “normal” times. It’s a cost of not working trumping the benefit of ensuring that that work is secure, private, and available-calculation that a lot of corporates are making – I’m just not sure they are making the right assessment.
Some of the artificial siloing that’s long been in place between business continuity and information security hasn’t helped, either, especially since our reliance on IT for a lot of our critical business functions and data means that cyber attacks are themselves some of the likeliest threats to business continuity. Not to mention what we are seeing now: external crises like the pandemic serving as the greenlight for hackers to cause further disruption, because people have taken their eye off the ball.
Q: What kind of impact have you seen on business continuity programs?
OP: Most businesses today are completely dependent on cloud, virtual communication, and collaboration services, especially now with all of their remote staff. And so, if someone breaches those systems, if they go down, your people can’t work – end of story. It’s just as much a business continuity risk as a data centre going down, severe weather event, sick workers, or contaminated premises.
That’s why we emphasise taking an integrated approach to information security and business continuity, which in essence means ensuring that your overall IT operations are in alignment with your efforts to maintain and restore operations in the event of a cyberattack. Create continuity plans for your IT operations – there’s a whole lifecycle there that includes risk management, resilience, redundancy and availability, recovery, and contingency planning for all of the degrees of IT failure.
But what we’ve talked about so far is availability – or losing access to certain critical IT operations because of a cyberattack. That’s the easiest point to talk about because there are countless studies about the hard costs businesses incur when their systems go down for any reason – not just hacks.
There are other components that we can’t neglect in this conversation, including privacy (a lot of the data that you are leaving unprotected is private data, around which there are usually pretty strict compliance regimes) and, for lack of a better word, security (that data can also be leveraged for malicious ends). Those need to be business continuity considerations, as well, because of the compliance, legal, and reputational risks involved.
One of the things I would tell people to consider, procurement-wise, isn’t just infrastructure security but also software security – they are distinct things. A lot of the apps out there run on public clouds, usually AWS, that have the best security credentials out there. But a lot of the hacks happen at the software application level, which means you can’t let your guard down and defer to a vendor’s infrastructure credentials.
Q: Besides collaboration services and other cloud systems that encourage productivity, mission-critical systems themselves might be the targets of cyberattacks, right?
OP: Exactly. This gets us closer to the threat to government and other essential services, because we all rely on their being able to maintain continuous operations, but you are absolutely right. We are in the midst of a crisis moment. Businesses are obviously using digital incident preparedness and response services (emergency, crisis, and continuity management systems) in addition to other mission-critical systems.
Corporates don’t want to lose access to their mission-critical services, if they go offline because of a denial of service attack – there goes the whole ROI of that system. You can’t very well say you’ve got business continuity covered if the system you have to handle it can’t withstand a cyberattack; the cost you cut on the security side when you end up paying on the (lack of) availability and delivery side when that system goes down. And also, privacy: imagine a data breach of a continuity or a safety system – by their nature, they store highly sensitive private data, sometimes medical data in the latter case. That’s a whole nightmare of liability.
Q: So, let’s talk about the sustained cyberattacks that the Australian government is now facing. What are some of the key themes you took away from the Prime Minister’s announcement?
OP: Sure. Well, I’d say first of all: these types of attacks aren’t new. The Prime Minister himself mentioned that the attacks had been escalating for some time now. The fact that they are state backed rather than private opportunists isn’t new, either.
I think the scale of the attacks, that they touched every aspect of our government services, especially essential services, at this very critical time, has been a huge eye opener. A wake-up call for all of us, not just for the public and the media who have been consumed with COVID-19 news but for business actors, as well.
The type of attacks just underscores the importance of both government and industry, both reliant on cloud-based services, keeping on their guard, even in new remote set ups, not relaxing information security best practices, and continuing to act in concert to educate and enforce robust security protection measures.
Q: What are some those governmental measures intended to shore up the security of the public’s data?
OP: We’re lucky in Australia that we can point to a certain clear-eyedness by our Governments about the security threat they face and coordinated efforts to mitigate that threat, whether it’s posed by state-based or private actors.
One of the more robust efforts I can think of is the Information Security Registered Assessors Program, better known as IRAP. IRAP is an Australian Signals Directorate (ASD) initiative meant to provide high-quality information and communications technology security assessment services to the Australian Government. It essentially enables government agencies and bodies to store and run highly sensitive data at a variety of security levels, in alignment with the Government Secure Cloud Strategy.
IRAP accreditation involves working closely with an IRAP-accredited assessor to pass a rigorous, multi-stage assessment program. The assessor is the only person able to perform a government-sanctioned review of a provider’s information security system.
The assessor’s responsibility is to designate areas where the provider complies and doesn’t comply with Australian Government Security Manual (ISM) requirements, as well as to describe risks, and prescribe corrective actions that the provider should take. At the end of the process, the assessor gives their recommendations to a Certificate Authority on whether the provider should be certified.
The evaluation itself happens in two stages. During the first, a security assessment identifies security deficiencies. The provider then has the chance to rectify or mitigate those deficiencies. The second security assessment follows up on residual compliance.
During the assessment process, providers get rigorous documentation review, site visit(s), and interviews of their key, internal security personnel. Out of those measures comes the final report, which gets transmitted to the Trust Framework Accreditation Authority for consideration.
In essence, it’s an intense review of your systems and assessment of the actual implementation and effectiveness of security controls, including people, processes, and technology, so as to ensure that those systems address the needs of the ISM.
Q: What are some of the lessons that could come out of undertaking that kind of intensive audit process? Why do you think it’s so important?
OP: A lot of important lessons can come out of it. The purpose of the ISM itself is to outline a cyber security framework that organisations can apply, using their risk management framework, to protect their systems and information from cyber threats. By its nature, the ISM is incredibly prescriptive. It offers a clear benchmark for what’s expected from a system; it’s quite stringent; and you have to meet that benchmark – there are a lot of other important security credentials out there that tend to be more generic, meaning you adapt them to the needs of your specific organisation.
The IRAP assessors themselves are pretty impressive – they come in with an amazing depth of knowledge and understanding of the scope of the assessment that they have to perform.
Going through that audit process has so much intrinsic value for your organisation. Complying with the ISM just takes your cybersecurity awareness, training, and controls (even policy controls) to a whole new level. IRAP itself in a narrow sense enables you to run a protected zone for certain customers who meet certain classification thresholds. But the effect of going through the entire audit process bolsters your end-to-end security in a way that benefits all of your customers from the organisational policies and security controls that you put in place in order to be compliant with the ISM.
Q: In tandem with complying with the ISM, what are some other strategies do you recommend for shoring up the security of corporate systems handling sensitive data?
OP: Well, complying with the ISM does a lot to shore up your information security. Besides that, there are also your people – as we are seeing now – having them properly trained, aware, even vetted if they are handling sensitive data. It’s a shared responsibility – staff awareness for security is so key. They’re your eyes and ears – when things don’t look right, they need to be empowered to say something. It’s not just about looking at logs all day.
Follow hardening guides. Even if software comes certified for X,Y, and Z, you have to ensure that it’s configured correctly to your environment for those credentials to matter.
And understand your data. Know what’s actually sensitive data and what’s not. Sounds easy enough; but if you treat everything as highly sensitive, it just makes it that much harder to control and focus your efforts to the right places.
Q: What advice would you give an organisation concerned about their data and systems?
OP: These kinds of attacks aren’t going away. In fact, what we saw in the last month is that they will only get more sophisticated. Anyone that handles public data, whether it’s us as a private company or governmental agencies themselves, has a responsibility to ensure their information security practices are as robust as possible, whether it’s through programs like IRAP or something else. We all owe a duty to the public to be as vigilant as possible.
For more resources from Noggin, visit our Resources Center.