Data breaches are increasingly common and increasingly damaging. In early 2020, Australian wool auctions were cancelled for several days due to a ransomware attack on an industry-standard software provider that encrypted files and locked databases.1
In 2021, global meat processing giant JBS Foods had to pay $14.2 million (US$11 million) in Bitcoin to a ransomware operation.2 Some of its workers at Australian plants were laid off during a five-day shutdown that threatened the nation’s meat supply chains.
In the US, a ransomware attack against Colonial Pipeline disrupted fuel supplies to big cities on the East Coast in May 2021, pushing up fuel prices to an average US$3.03 per gallon.3 Russia-linked group DarkSide had been able to get into the system by stealing a single password.4
Ransomware attacks infiltrate an organisation’s system with software that locks users out of files until the attacker is paid a ransom. In Australia last year, ransomware attacks made up almost one-quarter (23%) of reportable cyber incidents, according to data from the Office of the Australian Information Commissioner (OAIC).5
Any organisation, large or small, that relies on networked systems to control its operations is vulnerable to a cyber attack, says Chris Sant, Senior Manager, Security Outreach & Customer Engagement at Commonwealth Bank.
“It’s notable that some of these organisations have made significant investment in protecting their assets from cyber threats and yet they are still vulnerable,” says Sant.
As he explains, key hygiene principles are vital for protecting your business’s data, its finances and reputation. However, there is no one-size-fits-all solution to safeguard essential business data.
Where are the key threats to an organisation’s data?
Protecting your organisation and customers begins with understanding the sort of threats you face, says Sant.
“When thinking about the vectors of a data breach, we often think about a lone bad actor in a hoodie; a criminal, trying to break into our systems,” he says. “While that may be the case, there are other threats we need to consider, including attacks from foreign nation states targeting a particular industry for strategic reasons, like financial or intelligence gains.”
That view is backed by the Australian Cyber Security Centre which warns that Russia-aligned cybercrime groups have threatened to conduct cyber operations against countries and organisations providing support to Ukraine.6
Even ‘ordinary’ cyber criminals are gaining in sophistication. Social engineering, where a criminal poses as a legitimate person – such as a known supplier or IT support person – is on the rise. For example, the criminal gains a person’s trust and manipulates them into divulging login details or paying a false invoice. The OAIC had 30 notifications of data breaches resulting from social engineering or impersonation in the second half of 2021.7
The OAIC noted in its July to December 2021 report that malicious actors and cyber attacks made up 55% of notifiable data breaches in Australia.8 Digging into the numbers, about a third of the data breaches resulted from cyber security incidents, mostly due to compromised or stolen credentials.
Human error was responsible for about 41% of breaches.
- 43% of these cases occurred when personal information was emailed to the wrong recipient.
- 21% of the cases were the unintended release of public information.
Data breaches using compromised credentials are quite common and, as Sant puts it, the culprit is people being people.
“One of our issues is remembering things, which can be a challenge across dozens of websites we use in our personal and professional lives,” he says.
He explains that people tend to use similar passwords across different systems. That means if an individual’s password for a less secure system is breached and sold to criminals, those malicious actors can use it to access system with more important data.
What are critical steps for protecting your data?
Sant emphasises that organisations need multiple layers of defence to protect data. Training staff to be cyber aware is as important as deploying patches to maintain software security.
“The organisations that are doing this and doing it well are doing what we call the ‘defence in depth’ approach. They’re not relying on one particular control; they’re layering many controls across three key areas: people, process and technology,” he says.
It’s essential to recognise that securing your systems isn’t just a technology or IT issue, says Sant.
Make your people a cyber defence line
The people that use your system are both your best defence and your weakest link, says Sant. “While there is a technology component to cyber security, the people who are using the technology need to be skilled in using the technology and have an understanding of why it exists.”
You can strengthen this defence by:
- Focusing on training staff, not once off but as an ongoing program of work
- Gauging how much your employees care – do you engage them and talk to them about new and relevant cyber issues?
- Ensuring employees are using long strong, unique passwords preferably managed in a secure password manager
- Testing your staff’s capability to ensure they’re getting the basics right – such as reporting and correctly handling phishing or scam emails
Have robust processes around data
Having a robust business process around data management helps break down silos in your business and ensures accountability. This includes:
- Knowing what your data looks like and where your data is stored
- Understanding your data lifecycle, for example, processes to onboard new customers
- Considering privacy impacts in your projects
- Regularly reviewing who has access to your data, especially considering cloud usage
- Having a plan for when things go wrong
Keep your technology and software secure
While technology isn’t the only part of securing your business’s data, it remains a critical component. No matter the size of your organisation, you need a plan in place to help prevent breaches, to mitigate damage and allow a return to normal operations if something does go wrong. This includes:
- Using secure methods to transfer sensitive information externally
- Setting up multi-factor authentication (MFA)
- Securing email systems to prevent data loss
- Having a plan to manage lost or stolen devices
- Performing an audit of all technology used in your organization and keeping them updated regularly
- performing independent penetration tests to check the integrity and security of your business websites, systems and networks. This ensures that they have robust security controls in place and can’t be inappropriately accessed by unknown 3rd parties
It doesn’t matter what kind of business you’re running, your business process and the data that underpins it is essential.
Setting up simple yet strong controls around technology will help keep your business protected.
Our cyber security expert
Chris Sant is Senior Manager, Security Outreach & Customer Engagement at Commonwealth Bank. He leads a portfolio of customer education initiatives focused on keeping customers safe from online threats. Chris is passionate about using clear and simple messaging to make cyber easily accessible to everyone. The more employees understand, the more they’re able to uphold their company’s defences against cyber threats. Over the past 18 years Chris has held various roles in cyber security across the banking and finance, consulting, healthcare and manufacturing sectors.
Want to know more?
CommBank is committed to protecting its business and customers from scams, fraud and other cyber attacks. For more ways to safeguard your information, search CommBank Safe. To learn more from leading industry experts about what’s important to business and the economy at CommBank Foresight™ – insights for future-facing businesses.