The frequency, diversity and scale of potentially catastrophic cyber-attacks serve as a reminder that data is a global currency in the information age. Consequently, a country’s economy, infrastructure and prosperity are dependent upon cybersecurity resilience.
Rarely does a day pass without news about another business or government agency suffering a cyber-attack – this agency got hacked, that company lost data, another organisation was held to ransom. There is little or no expectation that this situation will change any time soon, with bad actors continuing to exploit any vulnerabilities that exist.
Of course, cyber-attacks are nothing new. Since the digital age began, they were inevitable. But now the situation has reached a critical point. The proliferation of “successful” cyber-attacks is the visible reflection of a degree of apathy regarding cybersecurity, and a corresponding lack of investment by business and government alike. It’s time for government to take the lead and advocate for a more effective level of cybersecurity resilience.
Impact of cyber-attacks
Whether a cyber-attack is state sponsored, an act or terror or simply motivated by greed, the impact can be catastrophic. The financial consequences of identity theft, unauthorised account access and lost or stolen IP run to billions of dollars annually. However, the trickle-down effects of attacks on critical national infrastructure can be felt economy wide.
The number of cyber-attacks targeting critical national infrastructure control systems (energy grids, dams etc) is on the increase. That’s why the urgent response taken by the Australian government and its security agencies is a welcome development. Its evident concern will, hopefully, motivate government and non-government organizations alike to take a serious look at their own cybersecurity resilience.
There is a clear need for a strong regulatory framework. Current government and non-government best practice guidelines must be unambiguous – including the removal of current opportunities to interpret regulations to a lower standard.
Successful cyber-attacks have seen bad actors access everything from state secrets and strategic IP to citizens’ financial and medical records. The revelation that, more often than not, this data was not protected by strong encryption is unacceptable. Had it been encrypted the stolen data would have been rendered useless in unauthorised hands.
A coordinated response
Around the world, governments have responded to these growing threats by establishing various cybersecurity agencies, advisory bodies and national security oversight. However, few have implemented any effective national legislative ‘cybersecurity resilience’ policies. Europe’s GDPR (General Data Protection Regulation) may be one exception, being considered by many experts as a cybersecurity ‘gold standard’.
As Australia’s largest exporter of cybersecurity solutions to government and non-government customers in more than 40 countries, Senetas’ experience has shown the frustration reported by cybersecurity experts. Too often the attitudes of leaders in government and business around the world are cavalier. In these cases, cybersecurity is not taken seriously enough, and they do not sufficiently advocate for cybersecurity resilience. They often show a lack of knowledge of the cyber-risks they face, and little understanding of the harm successful attacks will cause.
Mitigating risk
Whilst we cannot stop cyber-attacks, we can mitigate the damage they cause. How? In the case of attacks on data networks and systems infrastructure, which business systems depend on, encryption of network transmitted data and data at rest are essential. In the case of network transmitted data, strong encryption may also prevent injection of malicious code and eavesdropping.
It is also clear that traditional preventative security approaches in this era of persistent and exponentially more sophisticated attacks on IT systems via email, websites and malicious files just don’t cut it anymore. The pace at which new malware attacks are launched threatens the effectiveness of traditional anti-virus and sand-boxing solutions. We must look to new technologies, such as Content Disarm and Reconstruction (CDR) to offer a greater degree of protection, especially against unknown or zero-day attacks.
Adapting to the new normal
During Covid-19 we have seen businesses and government agencies around the world dramatically expand their IT infrastructure to enable remote working. Obviously, this has increased the cyber-threat profile of every organisation. However, we must ask what percentage of these organisations simultaneously implemented secure, encrypted worker collaboration tools to prevent against data theft? What percentage implemented advanced CDR solutions to protect against unknown malware infiltration?
The Australian government’s initiative embodied in the Australian Signals Directorate’s (ASD’s) “Essential Eight” controls is a good initiative that all organisations should embrace to prevent the risk of a successful cyber-attack. But even the implementation of these controls does not eliminate the risks of successful cyber-attacks. Data must be protected in the event of a successful attack.
The last line of defence is strong encryption of network transmitted data and data at rest. However, without strong advocacy for cybersecurity resilience, governments cannot depend upon all agencies and businesses to do so. That has been proven time and again by data breach statistics. Globally, the Thales Breach Level Index has shown for some years that less than four percent of lost or stolen data was encrypted.
Governments must take immediate action to ensure that designated ‘national interest’ government and non-government data is safe in the event of a successful cyber-attack. It must, at least, strongly advocate for those organisations to encrypt their data whilst at rest and in transit.