This is not a drill: A cyberthreat reality check

There were 47,000 cyber incidents in Australia alone last year. An ‘incident’ is defined as one or more unexpected events that are likely to compromise an organisation’s operations. That’s 128 a day. Five every hour.

Many of them are online scams or frauds.

But the rest are more serious, often aimed at disrupting businesses, sometimes destroying them; stealing secrets and compromising operations; making money and costing companies both cash and reputation.

Lloyds of London rates cyberthreats in Australasia as the second highest risk to our Gross Domestic Profit after a market crash.

Meanwhile, all those hackers are hard at work, and here’s five reasons why they often succeed.

1. People

We are the biggest problem – opening that email, clicking on that attachment. You might think when you read the headlines that “I would never do that” but you’d be surprised who would. Phishing emails are still one of the most popular (and successful) tools of the cybercriminal.

And hackers are using increasingly sophisticated techniques to get you to help them access the systems you’re connected to. It’s not always obvious you’re being had.

Last year, reports to the government’s Cybercrime Online Reporting Network indicated losses of over A$20 million as a result of compromised emails. That’s up from A$8.6 million the previous year – a jump of 130 per cent.

But as the government notes, it’s probably a fraction of the real number because it’s a crime that is commonly underreported.

2. Obsolete technology

It may seem extraordinary that in the 21st century as we move closer to the reality of driverless cars, some of our critical infrastructure still operates on systems so old they can no longer be patched; this basically means the technology can no longer be updated to address any vulnerabilities.

Last November, Victoria’s Auditor General looked at four government departments as well as the Victoria Police, and found 41 per cent of the systems that support their critical business functions were obsolete.

At Victoria Police, that figure sat at 79 per cent, while a number of public hospitals were also found to have unsupported or outdated technology.

Victoria is not alone, every state has its version of the issue. Old systems are hard to replace – it’s time consuming, complicated and expensive.

3. Better hackers

Whether they’re motivated by money (the criminal) or to push a political or social cause (the hacktivist) or to steal secrets (the nation state) or an employee who acts consciously or unwittingly (the insider) – hackers are agile, adaptable, and innovative.

As quickly as one bit of malware is detected, another pops up. Speak up as a target and you risk losing visibility and it is virtually impossible to stay ahead of the game. It may not even be an attack on your own systems – think of your supply chain. Brand new software can come with its very own pre-loaded infections and the more connected we are, the higher the risk.

Officially, nation states have the greatest capability to compromise Australian networks, with the resources of an entire country behind them. The government says it’s detected extensive state-sponsored activity against itself and the private sector.

Just in the last three years, we’ve seen the Russians deny they brought down Ukraine’s power grid; the North Koreans deny they were behind the global chaos of the Wannacry ransomware attack; and the Chinese deny they installed malware on computers at Australia’s Bureau of Meteorology.

The Australian Prime Minister Malcolm Turnbull calls cybersecurity the new “frontier of warfare”.

Australia now has a very publicly declared offensive cyber capability, with the government officially directing the Australian Signals Directorate to use that capability to “disrupt, degrade, deny and deter” organised offshore cyber criminals.

But what’s not clear is when and how we’re using it. Indeed, just what is acceptable under international law when it comes to offensive cyber operations is the subject of significant debate.

Last year, the UN Group of Governmental Experts on Information Security, which had been negotiating norms of state behaviour in cyber space, collapsed. The sticking point was the application of international law. As a result, the “Wild West” of cyberspace remains with no established legal framework to address cyberattacks internationally.

4. Corporate priorities

Cybersecurity is now on the priority list for most corporate boards in Australia, but what exactly does that mean? Two years ago, the American research and advisory firm Gartner said organisations spent an average of just 5.6 percent of their entire IT budget on security and risk management.

Technology systems, rather than security and risk, have traditionally been where the money’s gone. But the good news is, that’s changing.

This month, Australia’s Cyber Emergency Response Team (AusCERT) found that 58 per cent of organisations in Australia increased their security spend in 2017.

A change in the legislative landscape is also helping to focus minds, with a number of new regulatory requirements aimed at greater accountability.

A key change is the new mandatory breach reporting laws. Since February of this year, businesses have been required to report data breaches involving personal information that is likely to result in “serious harm” to the individual affected. In the first 6 weeks of the new regime there were 63 breaches. The next quarterly report will be interesting reading to see if this trend continues.

But there is still a fair way to go when it comes to how business manages its data use.

For its latest State of Information Security survey, PriceWaterhouseCoopers interviewed more than 9,500 senior executives across the globe. It found that just over half have an overall information security strategy. Which means around half don’t. And this could prove disastrous if current threats continue to rise.

5. Human nature

How many times have you been working on your laptop when the ‘updates available’ box has popped up, and you’ve clicked ‘tonight’, ‘tonight’, ‘tonight’ repeatedly – and when tonight comes you’re away from your computer and you never install it.

You should.

And it’s the same for business.

The sheer number of businesses that are not adequately protected, and don’t have backups, is astounding. If they did approach their cybersecurity properly, hackers would find their jobs a lot harder.

The Australian Cyber Security Agency makes the point that “too many”of the incidents they deal with “could have been prevented had organisations employed established and relatively straightforward cybersecurity measures”.

The problem is, human nature often gets in the way. Whether it’s making the decision to install the measures in the first place, following the rules and keeping them up to date, or finding a way to hack around them… humans are the biggest vulnerability.

Australia’s cybersecurity is an issue tackled by Ali Moore’s This is Not A Drill series in partnership with the University of Melbourne, Asialink, the Wheeler Centre and the ABC. This episode will air on the ABC News Channel at 10pm on Sunday 24 June.  This article was published by Pursuit.