Lucas Roe

Security Advisory and Architecture Lead

Snapshot

  • The majority of the cyber threats organisations face today are not new – connected devices, ransomware, and insider risk will be ever-present. But what is new is that COVID-19 ushered in a complete shift in the nature of business, and in turn exponentially intensified cyber risk.
  • Successful exploits that came to light at the end of 2020, including Mimecast, SolarWinds, Accellion, and Microsoft, brought a new threat reality to almost every business and government, demonstrating the vulnerabilities associated with third parties, and causing insurers and insureds alike to review their overall exposure to risks related to the software supply chain.

Australia’s heightened cyber risk environment – 2020 review and 2021 outlook

Much like their global counterparts, Australian companies are digitally transforming at a pace that outstrips traditional cyber security thinking. Against the backdrop of the ongoing pandemic and the increase in frequency and severity of ransomware, business email compromise and supply chain incidents, Australian executives are frequently asking how they can better evaluate and understand a cyber risk that changes almost daily.

A majority of the cyber threats Australian businesses face today are not new — connected devices, ransomware, and insider risk will be ever-present. But what is new is that COVID-19 ushered in a substantial shift in the pace of business, and in turn exponentially intensified cyber risk.

Successful exploits that came to light at the end of 2020, including Mimecast, SolarWinds, Accellion, and Microsoft, brought a new threat reality to almost every business and government, demonstrating the vulnerabilities associated with third parties, and causing insurers and insureds alike to review their overall exposure to risks related to the software supply chain.

Australian business, like all others, has seen a fundamental shift in business models and employee work practices since the start of the pandemic. That shift is driving the need for more innovation and rapidly increasing the deployment of digital technologies such as artificial intelligence (AI), robotic process automation (RPA) and the Internet of Things (IoT), as well as more traditional digital platforms such as cloud, data and analytics, and social platforms.


Ransomware has exploded in 2020, and we have seen hundreds of Australian businesses of all sizes and in all industries impacted by extortion attempts of various levels of sophistication with ransoms ranging from the thousands to the millions[1].

Ransomware has evolved from simply encrypting systems and data to exfiltrating data, destroying backups and mounting persistent attacks against the organisation, all in order to pressure businesses into paying the ransom quickly. 2021 will continue to see ransomware, supply chain risk, business email compromise and attacks against operational technology as the primary cyber threats to Australian businesses. They should be prepared with robust controls, well-prepared incident response processes, and tested business continuity management and disaster recovery plans.

Supply chain or third-party risk has also emerged as a source of concern for many Australian organisations, and several significant losses have occurred because a supplier suffered a breach or because third-party software was compromised[2]. What is needed is a move away from self-assessment to a continuous assurance model, with ongoing scanning and threat hunting.

Australian boards want their businesses to approach cyber as part of their overall enterprise risk management, partly due to regulatory scrutiny of cyber risk such as APRA’s prudential standard CPS 234, AEMO’s Cybersecurity Framework and others, but also because of the frequency and severity of cyber risks reported in the media[3].

As part of this enterprise approach, it is essential to prioritise business continuity planning and identify the cyber risks and threats, mitigate risks as appropriate through best cyber practices, and prepare and be ready for incidents. Then, companies need to consider which part of the risk to transfer off the balance sheet through insurance, and then scrutinise current and available policies to ensure new risks are covered.

There is also a need for organisations to consider both technical and procedural elements of cyber security in their approaches to determining and improving their position. To this end, determining security capabilities should not be purely focused on the technologies and technical capabilities that are available. Lastly, assessing performance periodically against international standards and control frameworks may help ensure adequate coverage when assessing cyber security programs, initiatives and IT services.

[1] https://www.cyber.gov.au, https://www.asbfeo.gov.au, https://home.kpmg/au/en/home/insights/2020/08/cyber-security-2020.html, https://www.abc.net.au/news/2021-01-11/australians-turning-point-on-cyber-security-cyberattacks-crime/13018884
[2] https://www.cisecurity.org/solarwinds/, https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html, https://www.zdnet.com/article/everything-you-need-to-know-about-microsoft-exchange-server-hack/
[3] https://www.apra.gov.au/sites/default/files/cps_234_july_2019_for_public_release.pdf, https://www.afr.com/technology/cyber-strategy-signals-laws-to-make-boards-take-it-seriously-20200809-p55k3b
