Category: Cyber Resilience

  • APRA’s information security requirements: is your organisation prepared?

    APRA’s information security requirements: is your organisation prepared?

    With one in 10 Australian businesses reporting an internet security incident or breach, effective management of increasingly prevalent and sophisticated attacks on information is critical. Australian regulators have also begun tightening data management, cyber resilience and information security requirements, most notably through APRA’s prudential standard CPS 234.

    The new standard, which came into force on 1 July 2019, clarifies steps organisations need to take regarding board oversight, information security controls and notification of information security incidents. For those organisations whose information assets are managed by third and related parties, the new APRA obligations will begin from 1 July 2020 (or the date on which the relevant third or related party arrangement is renewed or materially updated).

    Establishing a clear information security framework

    To be ready for 1 July 2020, regulated entities such as authorised deposit-taking institutions (ADIs), superannuation funds and health insurers (that rely heavily on external providers for information management), need to start establishing an appropriate framework now.

    ‘Assessing and reviewing the adequacy of the information management service provider is an essential first step in establishing a new or updated framework,’ says Daniel Muchow, Head of Cyber Security at RiskLogic. ‘The framework must also show clear ownership and accountability for information security tasks and functions, clearly define escalation paths and thresholds, and establish compensation measures.’

    Detecting and responding to information security incidents

    Under CPS 234, the APRA entity must also have robust mechanisms and plans to detect and respond to potential information security incidents. ‘Organisations need to be prepared for a worst-case scenario. Even the most rigorous control testing or the most sophisticated encryption protocol can be subject to attack with potential loss of information,’ says Mr Muchow.

    CPS 234 applies to all information assets, not just personal information or data. This includes software, hardware and hard and soft copies of data regardless of materiality. ‘Even if an organisation considers an asset immaterial, a cyber attacker could use this asset to compromise assets with higher levels of criticality and sensitivity,’ confirms Mr Muchow.

    Notifying APRA

    Under CPS 234, an APRA-regulated entity must notify APRA of any information security incident that:

    • materially affected, or had the potential to materially affect, the entity or the interests of its depositors, policyholders, beneficiaries or other customers, or
    • has been notified to any other Australian or foreign regulator.

    This is required even where the affected information assets are being managed by a third party.

    The notification must be made as soon as possible and no later than 72 hours after the APRA-regulated entity becomes aware of the incident. A separate obligation covers material information security control weaknesses that the entity expects it will not be able to remediate in a timely manner: these must be notified to APRA no later than 10 business days after the entity becomes aware of them. These reporting obligations reinforce the importance of rigorous protocols when working with third parties to ensure information security incidents are communicated to the contracting organisation in a timely way.

    Following the Financial Services Royal Commission of 2018, we anticipate that APRA will rigorously enforce the new standard. Organisations using third party providers will need to be particularly vigilant to ensure there is a clear framework to enable compliance with APRA’s new standard.

    For help protecting your information under APRA’s CPS 234, contact RiskLogic on 1300 731 138 today.

    Visit the APRA website for more information on CPS 234.

  • Strengthening cyber resilience in a COVID world

    Strengthening cyber resilience in a COVID world

    COVID-19 has transformed the way we work, with more people working from home than ever before in what is effectively the largest work-from-home experiment the world has seen. As organisations re-establish business operations through a phased easing of restrictions, many working-from-home arrangements are expected to continue.

    For organisations to operate successfully in the new normal, maintaining cyber resilience is paramount. Already, in the month of May, we’ve seen a rise in large scale cyber attacks on Australian businesses.

    Besides the damages and disruption to an organisation’s operations, successful cyber attacks could:

    • result in substantial financial loss.
    • damage an organisation’s reputation and erode customer and shareholder trust and confidence.
    • have legal consequences – data protection and privacy laws across many countries require organisations to safely manage all personal data. If the data is compromised and appropriate security measures cannot be proven, organisations may face potentially large fines.

    Key considerations for maintaining cyber security in a COVID world

    Importantly, concentrating on your people’s cyber security skills can lessen the risk from social engineering attacks (including phishing). These attacks often succeed because an employee inadvertently clicks on a link or opens an infected file. Recognising these threats is vital to mitigating the risk of a large-scale cyber attack on your organisation.

    Technology

    From a technology standpoint, organisations can implement a range of control measures. These may include firewalls, endpoint detection and response software, virtual private networks (VPN), data encryption and multi-factor authentication (MFA).

    Training and education

    Another essential pillar in meeting the COVID-19 threat environment is ensuring we can react when things don’t go to plan, for example by running realistic cyber scenario exercises relevant to COVID-19 alongside business-as-usual (BAU) operations.

    Consider deploying a regular and robust employee cyber education program (which may include phishing your own people). Training employees to identify email anomalies such as unrecognised sender email addresses and unexpected messages, will improve the organisation’s front-line defence.

    Planning

    Despite having emergency response and business continuity plans, many organisations were underprepared for COVID-19. The pandemic (now considered a live exercise) has provided an opportunity for organisations to plan for further threats – including cyber attacks.

    These attacks need to be managed in the ‘new normal’ where the executive team are most likely dispersed and working from home. In this environment, executive team members need the capabilities to manage multiple risks. Planning for parallel events and conducting table-top scenario exercises remotely could add an additional layer of challenge for the response team and enhance their response capabilities.

    RiskLogic is here to work with you through COVID-19 to identify cyber security opportunities for resilience and help you prepare for a successful recovery.

    Do you like what you’re reading? Subscribe to our newsletter to receive content like this direct to your inbox.

  • What to do when your boss says “drop everything”

    What to do when your boss says “drop everything”

    Tim Archer Head of Communications

    I received an email recently from a CEO who I do a lot of work for. The subject title was “Emergency”. With a clear tone of urgency he said he had a serious issue on his hands and wanted me to “drop everything” and help.

    Given this is exactly what I do as a corporate communications consultant, he had my full attention as I went into crisis mode.

    At least until I read the second line of the email, where he asked me to supply my WhatsApp number so he could brief me.

    For the briefest of moments, I had fallen for a scam.

    Hovering over the sender address revealed the email had not come from the CEO. It was from “sandraralph182@gmail.com” no doubt a random hacker sitting in their dressing gown in some far-flung corner of the world.

    We have all received these emails.

    People who work in finance or accounts are targeted particularly heavily with urgent requests from “their boss” to transfer money or pay a bill.

    So-called Business Email Compromise (BEC) is rampant because it works.

    More than 3,300 incidents were reported to the Australian Cyber Security Centre in the last 12 months, nearly half of which involved financial loss. In total $79 million was scammed out of the pockets of Australians last year.

    In New Zealand, $1 million is lost to cyber crime every month, the majority of which is phishing, credential harvesting, scams and fraud.

    The good news is the Australian Federal Police, working with their local and international partners, were able to claw back $8.45m before it landed in the thieves’ accounts.

    In one case last year, an Australian business was sent two seemingly legitimate invoices that included altered account details for a bank in Singapore. They paid the invoices, worth $500,000 and $2.1 million, before they realised they had been scammed.

    However, because they reported the fraud immediately, police were able to contact Interpol and Singaporean authorities who put a hold on the $2.1m second payment. Unfortunately it was too late to catch the $500,000 payment which no doubt funded a major celebration by the cunning thief.

    The message from police is loud and clear.

    • Do your due diligence before payment.
    • If you are suspicious, pick up the phone and check with your supplier.
    • If you fall victim, don’t be embarrassed.
    • Report it immediately to maximise the chances of recovering the money.

    Human error is usually the weakest link in cyber attacks. Good staff communication and education remain one of the best defences.
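    The “hover over the sender address” check that caught the scam above, and the email-anomaly training recommended in the COVID-19 piece, can also be automated at the mail gateway or as a mailbox rule. The following Python script is an added example, not RiskLogic’s code and not taken from any of the articles: it scores a message on the cues described here (a display name that matches a senior executive but an address outside the company domain, a Reply-To pointing to a third mailbox, a free webmail sender, urgency wording, and a push to an out-of-band channel such as WhatsApp). The company domain example.com, the executive “Alex Chen”, and both sample messages are constructed for the example; in a real deployment the executive list would come from the directory.

```python
"""Flag executive-impersonation (BEC) emails from their headers and text.

Added example (not RiskLogic's code): it scores a message on the cues the
articles describe: a display name that matches a senior executive but an
address outside the company domain, a Reply-To pointing somewhere else, a
free webmail sender, urgency wording and a push to an out-of-band channel
such as WhatsApp.  The company domain, the executive list and both sample
messages below are constructed for the example.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"          # assumed corporate mail domain
EXECUTIVES = {"alex chen"}              # assumed display names of senior staff
FREEMAIL = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com"}
URGENCY = re.compile(r"\b(emergency|urgent|asap|immediately|drop everything)\b", re.I)
OUT_OF_BAND = re.compile(r"\b(whatsapp|text me|personal (mobile|cell)|mobile number)\b", re.I)


def _domain(addr: str) -> str:
    """Return the lower-cased domain part of an address, or '' if malformed."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyse(raw: str) -> list[str]:
    """Return human-readable findings; an empty list means no BEC cues were seen."""
    msg = message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    from_dom = _domain(addr)
    findings = []

    # Display-name spoofing: the name says "the CEO", the address says otherwise.
    if name.strip().lower() in EXECUTIVES and from_dom != COMPANY_DOMAIN:
        findings.append(f"display name '{name}' matches an executive but address is @{from_dom}")
    if from_dom in FREEMAIL:
        findings.append(f"sender uses free webmail domain {from_dom}")
    # Replies silently redirected to a third mailbox.
    if reply_to and _domain(reply_to) != from_dom:
        findings.append(f"Reply-To @{_domain(reply_to)} differs from From @{from_dom}")

    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    subject = str(msg.get("Subject", ""))
    if URGENCY.search(subject + " " + text):
        findings.append("urgency language in subject or body")
    if OUT_OF_BAND.search(text):
        findings.append("asks to move the conversation to an out-of-band channel")
    # SPF/DKIM/DMARC failures recorded by the receiving gateway, when present.
    if re.search(r"\b(spf|dkim|dmarc)=fail\b", str(msg.get("Authentication-Results", "")), re.I):
        findings.append("authentication failure recorded by the mail gateway")
    return findings


# Constructed sample: the "drop everything" lure from the article, with a
# spoofed display name, a webmail address and replies diverted elsewhere.
SAMPLE_BEC = """\
From: Alex Chen <alex.chen.office99@gmail.com>
Reply-To: <alexchen.ceo@outlook.com>
To: tim@example.com
Subject: Emergency
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=gmail.com
Content-Type: text/plain; charset="utf-8"

Tim, I have a serious issue on my hands and need you to drop everything.
Send me your WhatsApp number so I can brief you.
"""

# Constructed sample: a genuine message from the same executive.
SAMPLE_LEGIT = """\
From: Alex Chen <alex.chen@example.com>
To: tim@example.com
Subject: Board pack for Monday
Content-Type: text/plain; charset="utf-8"

Tim, the agenda for Monday is attached. No rush.
"""

if __name__ == "__main__":
    for label, sample in (("BEC", SAMPLE_BEC), ("legit", SAMPLE_LEGIT)):
        print(label, analyse(sample) or ["no findings"])
```

    Note that SPF, DKIM and DMARC all pass for the spoofed message, because it genuinely was sent from a Gmail account; display-name impersonation is only caught by comparing the name against the address and the Reply-To, which is why those header checks matter and why, as the police advise above, a phone call to the real sender remains the final control before any payment.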

    At RiskLogic, you can get industry leading Cyber Consulting and Crisis Communications Planning to help build a culture around this very real and common threat. It’s this awareness within your organisation that can make it harder for cyber criminals to break through.

  • The Internet of Things Security: Being Hacked at Home

    The Internet of Things Security: Being Hacked at Home

    Working from home has become a norm during recent times for organisations across Australia and New Zealand. It’s something we’ve practiced repeatedly the last two years. However, one often overlooked aspect of working from home is ensuring that employees have tight internet of things security.

    Working from home has prompted many crisis and business continuity leaders to adopt more comprehensive strategies for remote work and response. Even so, gaps are appearing in how a more casual working arrangement can expose an organisation’s digital infrastructure.

    It starts with what is called the Internet of Things (IoT), a term for the almost endless range of devices and everyday items that connect to the internet.

    In your home, items such as your Amazon Alexa, your app-controlled CCTV, the smart TV streaming Netflix and your child’s PlayStation all fall into this category of internet-connected devices.

    For hackers around the world, the perfect scenario has occurred; it’s become easier than ever to access valuable organisational data during a work-from-home arrangement.

    DDoS Attacks

    Distributed denial of service (DDoS) attacks are relatively common and a simple way for attackers to overwhelm a server. Tens of thousands of compromised machines (a botnet, typically made up of infected computers and devices whose owners have no idea) send traffic to one server to overwhelm it and, in some cases, crash it.

    Defences have improved, and successfully mounting a DDoS attack against a large organisation is becoming harder. That is partly why attackers have turned their attention to your Amazon Alexa and your internet-connected fridge: innocent-looking devices that share the same Wi-Fi network as your work laptop, and that can be recruited into a botnet or used as a foothold on the home network.

    How do they do it?

    Users are typically unaware or oblivious to how their data is being collected by a home appliance or smart device. Furthermore, your IT team is very unlikely to know where exactly that data is being transmitted from within a home.

    The FBI have warned that hackers may be able to conduct a “virtual drive-by” of users’ digital lives if they gain access via unsecured devices. This, in turn, gives them access to a user’s router and everything connected to their home network.

    Each hacker will have their own process.

    There have been recent reports of hackers easily taking over home CCTV systems (by finding or guessing the email address the camera account is registered to, resetting the app’s password and logging in remotely; this succeeds where the reset link or code lands in a mailbox the attacker already controls, or where the reset flow is weak and the account has no second factor). If a camera happens to be positioned conveniently for the hacker (over a computer, say), they may get the information they need even more easily.

    Another reported technique is flooding the home internet connection so that the user’s machine lags while they are working. The disruption, and the troubleshooting it prompts, can give the hacker just enough of an opening to grab a password or two.

    What you can do to prevent it

    Very few successful cyber attacks come down to technology alone; most involve a human element somewhere, whether a default password left unchanged, an update never applied or a link clicked. That’s why awareness, communication and education are essential when sending your team home.

    Users should change the default password on, and set a unique password for, every smart home device they have. Work devices and sensitive data should sit on a separate network from the smart home devices, for example a guest or dedicated IoT Wi-Fi network on the home router, so that a compromised gadget cannot reach the work laptop.

    Update smart home devices regularly and check the permissions granted to the mobile apps linked to them (Apple iOS makes this particularly easy to review). Turn on automatic updates for the firmware, software and operating systems on smart devices so they receive the latest fixes.

    To safeguard your organisation and yourself against hackers, treat every link, internal or external, as untrusted until verified, even if it appears to come from your CEO.

    Just sharing an article like this with a colleague may encourage them to update their smart TV or automatic vacuum cleaner, which in turn may just prevent the next attack being a successful one.

    You can learn more about cyber resilience here ↗

  • Understanding Cyber Ransom Procedures

    Understanding Cyber Ransom Procedures

    By Resilience Specialist, Amelia Fahey

    Cyber security should be an essential priority for all organisations globally. Irrespective of industry, access to technology and the internet opens us up to the ever-evolving digital threat landscape.

    But despite our best efforts to protect and prevent, there is still the possibility that you may be a potential victim of a cyber ransom attack.

    Therefore, to remain resilient, organisations need to consider, develop and embed an additional step in their cyber response plan: comprehensive cyber ransom procedures.

    Prior to an incident, it’s important to understand and agree on strategic objectives and financial thresholds at a senior executive and board level. This can save valuable time and ensure logical and organisational-aligned decisions can be made quickly and easily under pressure.

    Mapping this out now as a key response strategy means that people are more confident in how to react to a ransom attack.

    Resilience Manager, Harrison Orr touched on the importance of organisations acting now and being prepared for potential cyber attacks in the lead up to Christmas in his latest video, found here.

    A ransom may be in response to any type of actual or potential cyber-attack or IT security incident. The purpose of the procedure is to provide time critical guidance to members of a Cyber Incident Response Team or Crisis Management Team. It guides them on how to:

    • facilitate collection of relevant information on the nature and extent of the attack,
    • assess the implications of the attack on the organisation, and,
    • provide a framework for deciding how to respond to the ransom demand/s.

    Understanding a cyber ransom demand

    Whilst refusing to pay a ransom demand is the preferred approach, and should always be the organisation’s default position, the decision on whether to pay or not is no longer a clear-cut one.

    Legal implications of paying a criminal, reputational impact, and confidentiality issues provide difficult criteria on whether to pay. Often, the cost of not paying is greater than making payment.

    You don’t need to be an expert to know cyber-criminals may have breached your system, but you do need timely and concisely documented procedural expertise to know how to respond and what that response means for your organisation.

    In the third instalment of RiskLogic’s latest Cyber Series, Nick Abrahams, the Global Leader of Technology & Innovation for Norton Rose Fulbright, talks of a case study of a CEO who refused to take responsibility for a response.

    “An organisation worth probably north of a couple of hundred million dollars, so decent size organisation, got hit with a ransom attack,” says Abrahams. “And quite clearly the CEO had never conceived this could be a problem because, in his words, ‘the IT guys got it wrong’.

    “It was an extraordinary case study of response and reaction from a leader. He said to me, ‘It’s so unfair that this should happen to us’. It seemed such a bizarre thing for a leader to say in such a crisis. It’s a clear example of an organisation who was at the very basic level of cyber response.”

    Nick’s case study here shows clear evidence that even large organisations still don’t have strong response procedures in place.

    Cyber ransom demand considerations

    Ransomware attacks are the most common source of ransom demands; however, a ransom demand may follow any form of cyber-attack or IT security breach (for example a DDoS attack or the theft of confidential data).

    Care should be taken not to confuse a ransomware attack (where files or systems are encrypted) with a cyber ransom demand (a demand for payment, which may arrive without any encryption at all, for instance under threat of publishing stolen data or continuing a DDoS attack).

    With ransom demands, payment is usually made via Bitcoin using a link provided in the ransom message. There may be limited opportunity to negotiate with the perpetrators. However, if you do, this should be done through external specialist IT security providers and involve your legal and insurance stakeholders.

    For ransomware attacks, perpetrators will usually need to demonstrate through a ‘proof of life’ style process that they can decrypt files before payment.

    Remember, a ransom demand may be received in a variety of ways including e-mail, website contact form, text message, social media post or note left within a system file. It’s important to always remain vigilant and trust nothing.

    As you move into shutting down over the holiday season, now is the time to ask what your procedures are. When were they last validated? Does everyone know the plan? The December period sees one of the largest spikes in attacks; don’t get caught out.

    To learn more about how RiskLogic can help with your cyber resilience, click here.