James Wright, Regional Director ANZ/Oceania, Cloudian
Ransomware attacks increased 150% last year, according to Group-IB, a leading cybersecurity solutions provider, and the trend shows no signs of slowing. Given the financial, operational and reputational risk that ransomware poses, boards of directors need to make sure that safeguarding data from an attack is a top priority for the organizations they oversee.
I recently made this case in an open letter to board members in Australia that was published in our only national broadsheet daily newspaper, The Australian, and is reprinted below.
Dear board members of Australia, it is your responsibility to protect the data of your customers, staff and other stakeholders.
Despite the fast-accelerating threat of cyber attacks – in sharp focus following the attacks on Nine and Parliament – the imperative to safeguard data too often lacks the priority it deserves. Ethical responsibility will soon shift to legal, criminal liability as part of the Government’s cyber security strategy and following recent comments from Secretary of the Department of Home Affairs, Mike Pezzullo.
Overseas, the issue came tragically to a head late last year with the first-ever ransomware-related death, attributed to an attack on Germany’s Düsseldorf University Hospital. This is incredibly worrying, particularly with the revelation in March that Melbourne’s Eastern Health had to postpone elective surgeries due to a suspected cyber-attack. Cyber security is officially no longer an issue for just financial or reputational damage – lives are quite literally at stake.
There is no more important place to get our systems right than in healthcare, particularly as we rely heavily on technology for the vaccine rollout and contact tracing to keep citizens safe from the very real virus that has broken through our quarantine systems time and time again.
Ransomware ‘gangs’, such as Ryuk, Egregor and ‘ransomware-as-a-service’ provider Netwalker, are thriving in the COVID era. Ransomware is an incredibly lucrative business, and as our value and reliance on data increases, so too do the ransom demands.
A recent report showed average ransomware payments almost tripled during 2020. Some attackers will no doubt be scanning over recent half-year ASX results and eyeing which companies have money sitting in the bank they could target.
Once a hacker is in your environment, they will sit undetected for as long as they can and lock up as much data as possible. Many companies will tell you they’ll stay strong and not pay up in the face of an extortion attempt, but the reality is everyone’s got their price when their business comes screeching to a halt.
So, what do boards need to do?
Obviously, they need the right cyber security systems in place, and there is no shortage of vendors, local providers, and solutions on the frontline of defence. But successful attacks still occur at organisations that have perimeter defences in place. These alone are not sufficient to protect your organisation, but they are a vital step, and boards should ensure these defences are kept up to date.
To fully safeguard data, it is important that organisations think about protecting the data storage layer – where the data is actually written. Creating an immutable copy means it cannot be changed and therefore cannot be encrypted by hackers. This minimises the impact of a ransomware attack by providing a clean copy that can be restored to the business, which takes away the attacker's primary leverage.
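To make the storage-layer point concrete, the following is an added example, not Cloudian's code and not part of the original letter. It models in Python the write-once retention semantics that object-lock (WORM) storage provides: every write creates a new version, and a version under a retention lock can be neither overwritten in place nor deleted until the retention period expires. The object name, timestamps and payload bytes are constructed for the walk-through. The scenario shows that a tampering attempt can at most add a new, bad version; the locked clean version survives and is what the recovery rolls back to.

```python
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple


class ObjectLocked(Exception):
    """Raised when a version under retention would be modified or deleted."""


@dataclass
class Version:
    data: bytes
    retain_until: Optional[datetime]  # None means the version is not locked
    deleted: bool = False


@dataclass
class ImmutableBucket:
    """Versioned bucket: locked versions cannot be changed or removed before retain_until."""
    versions: Dict[str, List[Version]] = field(default_factory=dict)

    def put(self, key: str, data: bytes, now: datetime, retention_days: int = 0) -> int:
        """Append a new version and return its index; retention_days > 0 locks it."""
        retain_until = now + timedelta(days=retention_days) if retention_days > 0 else None
        self.versions.setdefault(key, []).append(Version(data, retain_until))
        return len(self.versions[key]) - 1

    def _unlocked(self, key: str, vid: int, now: datetime) -> Version:
        v = self.versions[key][vid]
        if v.retain_until is not None and now < v.retain_until:
            raise ObjectLocked(f"{key} v{vid} is retained until {v.retain_until.isoformat()}")
        return v

    def overwrite_in_place(self, key: str, vid: int, data: bytes, now: datetime) -> None:
        """Change the bytes of an existing version; refused while it is locked."""
        self._unlocked(key, vid, now).data = data

    def delete_version(self, key: str, vid: int, now: datetime) -> None:
        """Remove a version; refused while it is locked."""
        self._unlocked(key, vid, now).deleted = True

    def latest(self, key: str) -> Optional[bytes]:
        """Newest non-deleted version, which is what an ordinary read would return."""
        for v in reversed(self.versions.get(key, [])):
            if not v.deleted:
                return v.data
        return None


def restore_clean(bucket: ImmutableBucket, manifest: Dict[Tuple[str, int], str],
                  key: str) -> Optional[bytes]:
    """Roll back to the newest version the backup agent recorded whose bytes still match its digest."""
    for (k, vid), digest in sorted(manifest.items(), key=lambda kv: kv[0][1], reverse=True):
        if k != key:
            continue
        v = bucket.versions[key][vid]
        if not v.deleted and hashlib.sha256(v.data).hexdigest() == digest:
            return v.data
    return None


def run_scenario() -> dict:
    """Constructed walk-through: a clean backup, a tampering attempt, and a rollback."""
    t0 = datetime(2021, 4, 1, tzinfo=timezone.utc)   # constructed timestamp
    key = "backups/customer-db.tar"                    # constructed object name
    clean = b"customer-db-backup-2021-03-31"          # constructed stand-in for backup bytes
    tampered = b"\x00ciphertext\x00"                   # constructed stand-in for an encrypted blob
    bucket, manifest, out = ImmutableBucket(), {}, {}

    # The backup agent writes the clean copy under a 30-day retention lock and records its digest.
    vid = bucket.put(key, clean, now=t0, retention_days=30)
    manifest[(key, vid)] = hashlib.sha256(clean).hexdigest()

    # One day later a compromised account tries to alter the stored copy: both paths are refused.
    later = t0 + timedelta(days=1)
    for action in (lambda: bucket.overwrite_in_place(key, vid, tampered, later),
                   lambda: bucket.delete_version(key, vid, later)):
        try:
            action()
            out.setdefault("blocked", []).append(False)
        except ObjectLocked:
            out.setdefault("blocked", []).append(True)

    # Writing a new version is still permitted, so the latest read now returns the bad copy...
    bucket.put(key, tampered, now=later)
    out["latest_is_tampered"] = bucket.latest(key) == tampered
    # ...but the locked clean version is intact and the manifest-driven rollback finds it.
    out["restored"] = restore_clean(bucket, manifest, key)

    # Once retention has expired, ordinary lifecycle management may delete the old version.
    bucket.delete_version(key, vid, now=t0 + timedelta(days=31))
    out["deleted_after_expiry"] = bucket.versions[key][vid].deleted
    return out
```

The design point worth noting is that immutability protects versions, not names: a locked object can still gain a newer version, so recovery is a rollback to the clean locked version, and the restore logic must verify integrity against a record kept outside the storage path that an intruder could write to. The retention window also has to outlast the typical dwell time, since once the lock expires the copy is as deletable as any other.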
Board governance and education need to improve. As part of taking greater responsibility to ensure the right protections are in place, boards must ensure they stay educated on evolving threats and defences so they can exercise their oversight. Cyber security is not an issue just for the C-suite or IT department.
Transparency is important too – mandatory data breach responsibility has been in effect for over two years now, but there can still be hesitancy and even shame in opening up about attacks. Cybercriminals collaborate and share intelligence to improve their strategies, as is suspected to have happened between Russian hacking group Turla and the hackers behind SolarWinds. Boards need a mindset shift and could take a leaf out of that book by collaborating better with each other.
I’ve spoken at length to a variety of organisations, critical infrastructure providers, and government leaders about these issues. Sadly, the conversations usually happen after the fact when it’s too late to do anything about it. At that point, they’re also on the attacker’s radar, and they’re likely to be a target again.
There is a role for Government, both to lead by example as Australia's largest collective buyer of technology services, and to build this kind of thinking and technology into the various frameworks, cyber security policies and legislation coming from the very top, Home Affairs, the Digital Transformation Agency (DTA), and elsewhere. Calls from the opposition for a national ransomware strategy are prudent too.
Australia has been fortunate – in a number of ways – in recent years. Not least of all is that ransomware’s impact to date has not led to a loss of life and has been confined to system outages and data leakage.
But our luck will run out. Without the right defence in place, ransomware gangs will capitalise and cause far greater damage.