¶¶Òõ¶ÌÊÓƵ

Dr Juliet Bourke  00:01

If you're running a business in 2024, cyber security is probably a top priority for you and your board.

00:09

There is now confirmation from Australia's largest private health insurer, Medibank, that hackers do have sensitive medical information and are threatening to release it.

00:19

Medisecure has revealed nearly 13 million Australians had their data stolen and a cyber attack in May of this year.

00:26

Here we go again. The information of almost 8 million Australians is at risk this morning as the full extent of the Latitude Financial cyber hack is revealed.

Dr Juliet Bourke  00:37

Headlines about these incidents are common in today's news cycle, but cyber attacks and data breaches are actually happening even more than you realise.

Laura Newton  00:45

Statistics coming out of the Australian Signals Directorate is that there is an incident between every one to six and one to seven minutes every day in Australia.

Dr Juliet Bourke  00:56

And it's not just impacting the likes of Optus and Medibank. Cybersecurity events can happen in any business, ranging from small incidents like invoice fraud to full blown system hacks.

Laura Newton  01:08

What traditionally was an IT problem is now a board problem.Ìý

Dr Juliet Bourke  01:23

This is The Business Of a podcast from the University of New South Wales Business School. I'm Dr Juliet Burke, a professor of practice in the school of management and governance.Ìý

Laura Newton's always had an interest in Australia's criminal underworld. She's worked on criminal intelligence, anti money laundering and at ASIC, fighting corporate crime. She's even worked for the counter terrorism finance regulator. Laura is now a senior associate at law firm Herbert Smith Freehills, advising on a number of significant cyber attacks and forensic investigations.Ìý

Let's start with the basics. What's the difference between a cyber incident and a cyber event?

Laura Newton  02:05

That's going to come down to your company and what is really in your own policies and procedures. But I guess at a high level, what we'd be calling an event is something that's going to require your attention, you should action something, but not necessarily something that eventuates to anything serious. Versus an escalation of an event which would then become an incident, and that's something that is likely going to now enact your incident response plan. So if you have a specific cyber incident response plan that will be enacted at that point. So different escalation points will now be brought in and different meetings convened to deal with the incident. And the event is, I suppose, something that maybe is bubbling away, it's not quite reached that point of severity until it does or doesn't.

Dr Juliet Bourke  02:57

So are you saying then that every, let's say, seven minutes an actual incident happens? Which is a penetration of an IT infrastructure, as opposed to someone attempting to get in.Ìý

Laura Newton  03:10

Yep. That’s the statistics and that's based on the ASD, the Signals Directorate, doing various surveys. They engage a lot with businesses, and if you do have an incident, they do like you to report it. It's not mandatory, but that's where that data comes from. It's companies making those reports saying, ‘Hey, we've had an incident’. That's not necessarily a ransomware attack. It's not necessarily even a cyber incident. It may just be that you know, you had something that might trigger a report, or feeling the need to provide that information to them.

Dr Juliet Bourke  03:44

And how many of those incidents are coming from one type of hacker group, you know? Or is it sort of organised crime where, you know, like you can see it in a physical world, there's lots of sort of organised crime groups, let's say, as opposed to there's many hackers in the background.

Laura Newton  04:02

There are so many. There's actually now this concept called ransomware as a service. So much like software as a service, there is RAS or ransomware as a service, where a lot of these groups splinter off, or they provide, essentially ransomware in a box, and then anyone can pick it up and purchase that and act as though they are that ransomware group. Which makes things incredibly difficult, because you've got some highly sophisticated groups and some really well known groups, and then you've got those people that have bought essentially their product, and it is a business, and they've bought their product, and they are pretending to be that company. And so you never really know if you're dealing with the real deal, or if you're dealing with a teenager sitting behind their computer who's just a little bit bored. For the most case, it is a mixture and there are ways that forensic investigators can tell. Not definitively, but they do get a bit of a sense, okay we are dealing with the legitimate threat here, or it might be here that we're dealing with someone who might not know what they're doing. We do joke about these ransomware groups who run these legitimate companies, but they actually are. So some of the really well known groups, they do have an accounts team, they have managers, they've got HR, and when you start engaging with them, so if they do attack your company and you decide that you're going to talk to them, and that's for no other reason other than to just engage and see what they want and also verify that they actually have your data. They might say, ‘Oh, you know, I can't answer that, because I need to talk to my boss’, and they actually do have a boss. So that's when, you know, when you're dealing with a credible group.

Dr Juliet Bourke  05:57

And the various reasons, what makes someone pay and someone say, 'Over my dead body’.

Laura Newton  06:05

Sometimes it is the stance of the company they outright will refuse, and it is the decision they have most likely made prior to being attacked that that is their stance, and they will not budge from it. Sometimes that stance does shift during the course of an incident, when they realise that perhaps they do have to pay or they're a little bit stuck, and then that comes down to not being able to essentially operate. So with a ransomware attack, for the most part, they will lock up your systems and you can't operate if you don't have workarounds to be able to get back up and running, then you're kind of forced into a position where you do have to pay or face the consequences of not being able to operate. And depending on what type of business you are, that could be catastrophic.

Dr Juliet Bourke  06:55

So, when you do make one of these payments I suppose the value proposition is we will extract our ransomware and we will just go away. But you're really relying upon the nobility of that thief to follow through.

Laura Newton  07:10

Yes, yes, and there are statistics on whether or not they do follow through. So again, going back to the business of these groups, they have reputations to uphold. So if they are known for not following through, no one's going to pay them. But if they're known to yes, absolutely, once you pay we will make sure that you can get back up and running, they're not going to not follow through, because then that becomes a reputational issue. So it really is, they operate exactly like a normal business.

Dr Juliet Bourke  07:43

And I've heard that sometimes hackers offer insight into how you could stop this happening again?

Laura Newton  07:48

Yep. They tend to do that, and that becomes part of what you are buying. So when you make the ransom payment, part of the deal is in exchange we not only let you get back up and running and potentially, if they've encrypted your data, they will provide you with a decryption key to be able to get that data back, but they also give you a report on how they got in and they will frame it as a ‘This is how you can make sure this doesn't happen again. You're welcome’. It is very cheeky, but they will say in those reports sometimes ‘We are a legitimate business. We were here to help you protect your IT, you failed. Here's our report to help you in the future.’

Dr Juliet Bourke  08:31

So how do people protect themselves from hackers?

Laura Newton  08:36

The first thing to really think about is when you look at all sorts of cyber incidents – and this is not just ransomware attacks but other incidents such as business email compromise or invoice fraud, there's all sorts of cyber attacks across the full gamut and the full spectrum – people are your biggest risk. The statistics are varied in this but it's anywhere from between 75 to 95% of all cyber incidents start from a human error. So that's why, when a company is running what they call phishing tests, that stuff is so important to understand where your organization sits in terms of your people, the training of your people. It's getting a lot harder at the moment with AI to recognize those phishing emails, and then from that it's just making sure you have controls in place so if it does get through your people that you do have controls to prevent anything happening there. There's a number of controls that can be put in place, and you can work with an IT service provider or companies that only deal with this type of work to put them in place and essentially help protect your organisation. The other incidents are arising from is actually outside of your organisation. So again, the statistics vary, but there's a large amount of incidents occurring from vendors that you're relying on. So you can have all the controls in the world and train your people as best as you can, and you're still at the whim of vendors that you're using and providing your clients data to or giving access and privileged access to your systems. So it becomes just this, we call it, you know, playing whack a mole really of where do you look? Where do you put the focus? Where do you invest your money to try to protect your organisation?

Dr Juliet Bourke  10:48

One of the biggest cases of that happening where access through a vendor was the cause of an incident is the Latitude cyber attack. What can you tell me about that breach?

Laura Newton  10:58

Yeah, so Latitude experienced a cyber incident in March 2023 so almost a year and a half ago from what became public after the incident, and obviously they would have notified the impacted individuals, it was approximately 7.9 million driver license numbers and over 50,000 passport numbers, which were taken by the threat actors involved. They bought a company called GE money, so a lot of clients who ended up being impacted didn't even know that they were a customer of Latitude, which adds a whole other scale to it of complexity, but essentially it was a third party vendor that they were using to help with their infrastructure, that were able to gain access to that vendor and then they were able to laterally move across into Latitude’s environment. And I guess that's where you know, having your own control environment really solidified, potentially can stop it. I'm not sure if it would have helped in this situation, but it goes to exemplify why we need to have all these controls in place and why you need to do due diligence on all of your vendors that you're using, because once they get in it becomes very hard to stop them moving around.

Dr Juliet Bourke  12:18

Is there any way that Latitude could have known what was going to eventuate. Could there have been some little signals?

Laura Newton  12:26

There most likely would have been. And I suppose, just talking generally with a ransomware attack, if you have the software to monitor these things, the endpoint detection and response will start issuing alerts where there's potentially some suspicious activity. You might get one or two alerts saying, you know, ‘Please pay attention to this, something has happened. We're not sure what it is. You should look at it,’ and from my experience in dealing with cyber incidents, a lot of the time those initial alerts tend to not be escalated as they should be. There's other indicators where if data has been exfiltrated, so removed from the system and away from the infrastructure, if you think about the type and size of data, particularly with a company like Latitude, that's going to be some big numbers being moved out of their system. So things like that get flagged, or they should be flagged, and they will be able to look back and see exactly when data had left their system because of the huge volumes going out. So that's always a good indicator that you're about to be hit. There are some cyber attacks where the threat actor is meant the term that we used, they're sitting there for some time. They'll sit there dormant, and there's really not many indicators, you're probably not going to know. It's only when they start doing what we call staging to set up their ransomware to start deploying it, or when the data starts moving off site. But again, those software that the EDR really should start to ping you then and say, ‘This is what's happening’. If you don't have that EDR, you're not going to pick up on it. So all of those cybersecurity controls become really important.

Dr Juliet Bourke  14:22

I'm just thinking about a small business owner and their capacity to do what's sounding very complex.

Laura Newton  14:29

It's really hard. It's incredibly hard. And this even to my point, a lot of small businesses are going to outsource that function because they can't possibly have someone doing all of this work if they're only a small business themselves. So it becomes one of those cyclical things of, ‘Well, I can't do this myself. I have to outsource it, but now you're telling me I have to manage the risk of outsourcing that and that if they have an incident, then I'm responsible’. Particularly if it's not your systems, so again if you're talking about a small business who has outsourced a function anywhere, even if it's payroll and they've outsourced their payroll function, it's not their system that will be impacted but it will be their data. And so you can't bring in your own forensic investigator, because it's not your system. So you really are relying on that third party to give you that information.

Dr Juliet Bourke  15:22

You've said a couple of things about how people can protect themselves and one is training the human, and you talked about fishing. But what else can people do to protect themselves from a hacker, but also, if a hack does happen, limit the damage?

Laura Newton  15:36

Yeah, and that's a really good point in terms of limiting the damage because there is the adage now it's not if it's when you were going to be attacked, and going back to those original statistics it really is just something that you need to be prepared for very much a when. So there's a number of cybersecurity frameworks that look at, I guess, risk mitigation of cyber threats that can be implemented and at a very baseline level, there is an Australian framework called The Essential Eight Framework.Ìý

Dr Juliet Bourke  16:10

The primary focus of The Essential Eight Framework is to prevent cyber attacks and then, if a cyber attack happens, it's to mitigate damage and assist recovery. So what are the eight elements? Professor Barney Tan from the Business School explains.

Professor Barney Tan  16:27

So some of the eight strategies include patching your applications, blocking Microsoft Office macros, restricting administrative privileges, patching your operating systems and ensuring that you have multi factor authentication. So these are some of the eight strategies that is part of the essential eight framework. These are guidelines, they are not mandated. They are best practices. I guess anyone who's trained in cybersecurity would know that these are elements that you have to look after in a comprehensive cybersecurity structure and framework. But it's important to stress that it's not just these eight. These eight aspects are probably the most likely sources of breaches, but, you know, there could be others that fall beyond the framework that you have to consider as well. What you realise is with this framework, all of these eight strategies are very much addressing the technical aspects of cybersecurity and I just want to stress that often, with a breach, with a cybersecurity incident, it's not the technical aspects of the system that actually lets them down. It's the human and social aspect. So when we are training cybersecurity professionals here at UNSW and at the Business School where we teach cybersecurity management, it's really important to ensure that, you know, we not only cover what is prescribed in these standard frameworks, but also teach students of cybersecurity to think a little bit more holistically about where potential threats and risks could arise.Ìý

Laura Newton  18:12

And what that comes down to is it's this concept that in the kind of compliance and risk world is called ‘the Swiss cheese approach’, so that if one control fails and falls through a hole of the cheese and if you layer it there's going to be another control that will pick it up. So, if the MFA fails, you've rolled out your patches and you're up to date with all your security updates so that it then still prevents someone getting that access.Ìý

Dr Juliet Bourke  18:39

And I understand there's things we should be doing about the amount of customer or client data we're collecting and storing.

Laura Newton  18:46

There are some legal requirements for companies to continue to hold data. So notwithstanding that it becomes one of those questions of, ‘Why are we still holding customer data? Do we need it? And can we anonymize it if we do need it?’ So there's a number of things to work through and, you know, holding more data than you need becomes a risk when you're putting it in the lens of experiencing a cyber attack. This is going to be more interesting as there are some proposed Privacy Act law reforms coming through, where there are suspicions that Australia will be moving more to the GDPR style regime, and that's when that holding of data becomes important because there's going to be more rights for individuals and rights to request deletions of their data. And if you don't know what data you hold it then becomes very difficult if a customer or a former customer comes to you and asks for you to then delete that data. There's also a lot of small businesses that will just hold on to data because they're, you know, one or two man companies who had customers for many, many years and again going to resourcing, do they need to hold on to all of that? And I think a lot of businesses don't turn their minds to this and I do think that these proposed reforms, if and when they come through, will start to force companies to do that.

Dr Juliet Bourke  20:21

Is that as simple as just going and auditing all of the files that you have and maybe putting a date on it. You know, ‘If I haven't touched this file for seven years delete’?

Laura Newton  20:32

Yeah, yeah. And for a small business, that's what it would come down to. And larger businesses, a lot of them do undertake exercises – data cataloging exercises – and so the bigger the business, the more important this work is. And you know, most of them do have in place teams that are managing data cataloguing and managing the holding of data, but I really do think it's those small businesses that need to start implementing something. And if it is as simple as doing what you've suggested, then that is better than nothing.

Dr Juliet Bourke  21:03

Can you talk through the cost, the cost of both dealing with a cyber incident as well as anticipating and trying to prevent it?

Laura Newton  21:13

The cost of dealing with a cyber incident... it can really range. If we're dealing with a company who holds personal information, because that's where a lot of the cost is going to come from, you are going to need to engage a forensic provider to undertake an investigation into what happened, but also to help contain the incident. Because often when you come into an incident they're still live, there's still a threat actor in your system, and then there may be remediation. But then you're also going to likely engage a law firm to assist with legal advice under the Privacy Act, and then it's identifying and understanding who are your impacted clients and notifying them that they have been the victim of a cyber incident.

Dr Juliet Bourke  22:00

And might they also have a claim against you? 

Laura Newton  22:04

Potentially, yes. And in relation to this large scale attacks we've seen there's, you know, investor claims going forwards like class actions. Individuals can lodge a claim with the office of the Australian Information Commissioner where they go, you know, they're likely capped in terms of cost. But in terms of the cost of dealing with a cyber incident from the entity the biggest that I have seen has gone beyond $5 million and that included investigations from the regulators.

Dr Juliet Bourke  22:36

And on the other side what's the sort of average range of prevention? And that's a hard question to answer, I know.Ìý

Laura Newton  22:43

Hard question. Depends on your organization, depends on the size, the complexity of what you're dealing with. And again, you know, looking at a small business, they're likely going to be outsourcing versus a larger business that will have that function in house. But I suppose, without being able to quantify, it's always that concept of the cost of compliance often seems like a lot, but when you balance it with the cost of non-compliance, or the cost of what could happen if you don't have these controls in place, you've really got to ask yourself is it worth it?

Dr Juliet Bourke  23:18

This podcast is brought to you by the University of New South Wales Business School, produced with Deadset studios. If you found this episode about cybersecurity interesting, we know you'll enjoy our episode about crisis management.Ìý

Sue Cato  23:32

While sometimes people think the media is creating the problem, the media are responding to a set of circumstances. So for instance, if you are being accused of being opaque and the market doesn't believe what your strategy is. Don't shoot the media. Get your strategy clear and be able to tell your story better.

Dr Juliet Bourke  23:48

You can find that episode with Sue Cato, one of Australia's leading crisis management experts, here in The Business Of feed.