According to the Australian Cyber Security Centre (ACSC), malicious cyber activity is increasing in frequency, scale and sophistication, exacerbated by cyber criminals taking advantage of the coronavirus pandemic.
The ACSC highlights that, on average, a cyber crime was reported every 10 minutes across Australia over the last financial year, and attacks on small, medium and large businesses have resulted in an annual cost to the economy of $29 billion.1
Given the potential for a cyber attack to cripple the operations of a business, there is a need to be vigilant in managing cyber risk, particularly as companies are now more reliant on their technology infrastructure to deliver services digitally and connect with a remote workforce.
Following on from Cyber Security Awareness Month in October, a global effort to reduce the impact of cyber crime, we spoke to Kate Healy, Head of Google Cloud’s Security practice in Australia and New Zealand. Kate says that cyber security should be approached just like any other business risk and that the most straightforward solutions are often the most effective.
Evaluating rapid technology adoption
Following the onset of coronavirus, businesses fast-tracked their digitisation programs with many rapidly moving their operations further into the cloud. At the time, business continuity and maintaining a remote workforce were the overriding priorities.
Kate says the pace at which many businesses moved meant digital transformation programs were often implemented without full consideration of the cyber risks involved, advising businesses to go back and look closely at what has been done.
“There was a sense of panic, and understandably, things happened very quickly,” Kate says. “It’s easy to miss the simple things. We tend to see breaches happen when people make unintentional mistakes, so you need to look at your processes and the tools provided to staff, and really examine what’s happened as part of that rapid transformation.”
According to Kate, while there is now a greater focus on digital ways of working, the methods used by cyber criminals remain largely the same. Kate says that the most common cyber attacks include phishing and business email compromise. In a phishing attack, the recipient is sent a link or attachment with a ‘lure’ designed to compel them to take action. Once the link or attachment is opened, it initiates a download of malicious software such as ransomware, which can allow attackers to seize control of a business’s data. Business email compromise is a type of scam in which attackers attempt to bypass normal business procedures to fraudulently gain access to money.
However, Kate says that what has changed since the pandemic is the type of ‘lure’ used to gain access to an organisation, as attackers play on the emotion and fear that surrounds the coronavirus pandemic. “Globally, our systems have detected 18m malware and phishing messages through Gmail a day directly related to Covid-19, in addition to more than 240m Covid-related daily spam messages.”
“I think one of the challenges we have is that the most common attacks like ransomware and phishing are simple, but organisations are vulnerable. While many organisations are aware of the risk, they don’t always know how to protect themselves.”
The simplest protection is the boring stuff
Kate says that taking care of the basic issues when it comes to cyber security is the best place to start. “We get very excited about shiny tools, but if you get the hygiene right, that eliminates a lot of the problems.”
“The simplest protection is the boring stuff. For example, are you actively patching the servers, have you got everything up to date, are you running up to date software? But if I had to pick one thing it’s two-factor authentication. Just turn it on.”
“A good backup strategy is going to get you out of trouble most of the time when it comes to ransomware, and good processes will do the same for business email compromise. It doesn’t mean you are immune, but it’s a great way to help prevent it.”
Kate believes that basic governance, policies and compliance are vitally important to give guidance to staff on the acceptable level of risk within the organisation. “Too often we see overly complex security policies that just aren’t digestible,” Kate says. “Every company is different, but they shouldn’t be more than a few pages if you get it right, and should be focused on intent.”
Kate says that overly complex security can also increase the risk of ‘Shadow IT’ (individual staff members purchasing software and solutions without IT and risk oversight), and that the cost of protecting against cyber attacks can build up. Instead, she says businesses should look for off-the-shelf tools and software that have security built in, and recommends cloud-based solutions as they often come with enterprise-grade security. These built-in features can make security more affordable for small to mid-sized businesses. These tools can also be used to coordinate industry-wide solutions and minimise the need for overly complicated products.
Integrating security into the day-to-day operations
A key part of building a business’s defences is having the right culture when it comes to cyber security. This includes ensuring all employees receive regular security training, with an emphasis on phishing attacks. Kate says that there are a number of positive things Google does to develop the right culture, including ‘blameless post-mortems’ designed to learn from a security or technical incident.
“The idea is to identify the process or tool breakdown rather than pinpointing an individual or team, which is a healthy way to understand what went wrong and remediate the situation.”
Beyond culture, businesses should be integrating cyber security into their operations. Kate says that security teams increasingly form part of businesses’ risk function, and the leaders of these teams are no longer just technologists but have business backgrounds as well.
“Security should be just part of what you do as a business; it’s the only way to achieve scale and fight the fight. We need to get better at it, and that means integrating security into everything we do.”
While the external environment evolves and businesses continue to invest in digitisation, addressing the pervasive threat of cyber attacks remains central to resilience and prudent risk management. This starts with getting the fundamental processes in place and viewing cyber security as an everyday part of running a sustainable business. As Kate says, “security is often approached as a very technical conversation, but it’s not a technical problem. It’s actually a business problem, but we address it with technical solutions.”
1 ACSC Annual Cyber Threat Report, June 2019 - June 2020