These compromises involved a variety of attack vectors, including malware exploits, spear phishing and gaining physical access and removing data on hard drives. Cases such as this demonstrate the necessity for a comprehensive approach to data security that aligns cyber security, logical security and electronic security to achieve total situational awareness.
Cyber vulnerabilities: Ransomware
In the Asia-Pacific region, ransomware has become the most common form of malware deployed against private organisations, from small businesses with no cyber security infrastructure to international enterprises, the compromise of which costs millions of dollars in lost business and reputational damage.
With 24 per cent of Australian businesses experiencing a ransomware incident on at least a monthly basis in 2016, according to the Telstra Cyber Security Report 2017, prevention and response strategies are vital.
As ransomware has a very short shelf-life, the General Manager of Managed Security Services at Telstra, Thomas King, says rapid innovation is required to stay safe.
“Telstra’s Managed security services are about rapid development and rapid innovation,” King says. “We run a sprint every two weeks to incorporate new features, functions and bug fixes into the product. As rapidly as the opposition is enhancing their offence, our security services are evolving just as rapidly.”
Workforce vulnerabilities: Spear phishing
As the details of our lives become increasingly public online, cyber criminals are becoming more and more adept at personalising phishing messages to blend in with legitimate traffic. A far cry from the implausibly phrased emails that populate spam boxes across the world, spear phishing utilises the names, professions, images and even email addresses of a target’s friends, family and colleagues with the aim of duping people into opening an infected attachment or clicking a link.
Promoting awareness, education and best practice across an organisation is a vital step in preventing these attacks. Each and every employee across an organisation needs to take responsibility for its security, King says, and they need to understand how to limit any damage resulting from compromised systems.
“It’s important to recognise that everyone in an organisation represents a unique attack vector and can be the weak link in terms of cyber security,” he says.
“To stay safe, you need multi-layer defence and controls which encompass technology, people and processes, while balancing your risk and ensuring you can accomplish your business objectives.”
Access vulnerabilities: Physical compromise
Robust cyber security measures unfortunately cannot stop an unauthorised intruder simply walking out of an office, data in hand. Electronic (physical) security is equally necessary to ensure customer data remains secure and intellectual property doesn’t fall into the wrong hands.
Traditional electronic security measures, such as keycard readers and retina scanners, can also be aligned with digital systems including permissions structures, geographic data analysis, access logs and encryption to automatically identify potentially problematic users and downgrade their access.
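As an added illustration (not code from the article or from Telstra's products), the alignment described above can be sketched as a small Python check: the badge-reader events, VPN logins and site-to-country mapping are constructed sample data, and a remote login from a country other than the office the user is currently badged into flags that user for an access downgrade.

```python
from datetime import datetime

# Constructed sample logs (not from the article): badge-reader events and remote VPN logins.
BADGE_LOG = """\
2017-05-03T08:02:11 jsmith SYD-HQ entry
2017-05-03T08:15:40 alee SYD-HQ entry
2017-05-03T17:30:05 jsmith SYD-HQ exit
"""
VPN_LOG = """\
2017-05-03T08:40:22 jsmith 203.0.113.7 US
2017-05-03T09:10:00 alee 198.51.100.9 AU
2017-05-03T18:05:13 jsmith 203.0.113.7 US
"""
# Assumed mapping from badge-reader site codes to the country the site is located in.
SITE_COUNTRY = {"SYD-HQ": "AU"}

def presence_intervals(badge_text):
    """Turn entry/exit badge events into (user, site, start, end); end=None means still inside."""
    open_entries, intervals = {}, []
    for line in badge_text.splitlines():
        ts, user, site, action = line.split()
        when = datetime.fromisoformat(ts)
        if action == "entry":
            open_entries[user] = (site, when)
        elif action == "exit" and user in open_entries:
            site_in, start = open_entries.pop(user)
            intervals.append((user, site_in, start, when))
    for user, (site, start) in open_entries.items():
        intervals.append((user, site, start, None))
    return intervals

def find_conflicts(badge_text, vpn_text):
    """Flag remote logins from a country other than the office the user is badged into at that moment."""
    intervals = presence_intervals(badge_text)
    conflicts = []
    for line in vpn_text.splitlines():
        ts, user, src_ip, country = line.split()
        when = datetime.fromisoformat(ts)
        for p_user, site, start, end in intervals:
            inside = p_user == user and start <= when and (end is None or when <= end)
            if inside and SITE_COUNTRY.get(site) != country:
                conflicts.append({"user": user, "site": site, "login_from": country, "at": ts, "src": src_ip})
    return conflicts

def access_decisions(badge_text, vpn_text):
    """Map each user in the VPN log to 'downgrade' if a conflict was found, otherwise 'normal'."""
    flagged = {c["user"] for c in find_conflicts(badge_text, vpn_text)}
    users = {line.split()[1] for line in vpn_text.splitlines()}
    return {u: ("downgrade" if u in flagged else "normal") for u in sorted(users)}

if __name__ == "__main__":
    for c in find_conflicts(BADGE_LOG, VPN_LOG):
        print(c)
    print(access_decisions(BADGE_LOG, VPN_LOG))
```

In the sample data only jsmith is flagged: the 08:40 login from the US falls inside the Sydney badge-in window, while the 18:05 login is after the badge-out and so is not treated as a conflict by this rule.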
However, you don’t need to overhaul your org chart to align these two complementary fields. Rather, it’s important to ensure key stakeholders across your organisation develop a shared vision of what a converged cyber and electronic environment would look like, and then work backwards from that vision to discover the steps required to achieve this goal.
Customer data obligations
In 2016, the average data breach in Australia cost the compromised company $2.51 million and involved more than 18,000 breached records, according to independent researcher the Ponemon Institute’s 2017 Cost of Data Breach Study.
The costs associated with customer data compromise are likely to climb even higher due to the passage of the Privacy Amendment (Notifiable Data Breaches) Act 2017, which requires that all organisations subject to the Privacy Act 1988 notify potentially affected individuals in case of an “eligible data breach”, in which the breach exposes users to “serious harm”.
Failing to issue a notification carries a maximum penalty of $2.1 million for organisations, along with significant implications for their corporate reputation.
After instituting a comprehensive security plan that minimises the chances of data compromise in the first place, organisations should implement a robust data-breach response plan that includes a pre-drafted customer notification, distinctly delegated responsibilities and designated channels of communication.
With these in place, an organisation is well-situated to minimise the damage to its customers, reputation and bottom line effectively in the event of a data breach.