The year 2022 has been dubbed the “year of the cyber plague” due to the occurrence of two of the worst breaches in Australian history happening within weeks of each other, with Optus and Medibank falling victim. These attacks are a testament to the severity of the havoc that cyber attacks can cause, which has been documented over the last 15 years by Verizon’s Threat Research Advisory Centre (VTRAC), and serve as a stark warning of what the future may hold.
Indeed, the scale of the challenge led to the Minister for Home Affairs and Cyber Security, Claire O’Neil, vowing to “make Australia the world’s most cyber secure country by 2030”, conceding there is considerable work to be done.
Minister O’Neil pointed out that for the first time in our history, espionage and foreign interference have replaced terrorism, with Australia becoming a persistent target of cyber espionage over the past financial year by a wide range of state actors.
Cybercrime poses a high threat to Australia’s economic prosperity, with cybercriminals becoming increasingly persistent in their targeting of sectors across the national economy, according to the Australian Cyber Security Centre’s (ASCS) Annual Threat Report.
This trend echoes the findings of the 2022 Verizon Data Breach Investigations Report (DBIR), which looked at 4,114 incidents in 2021, including 283 confirmed breaches in the Asia Pacific region. This represents over 17 percent of the global incidents and around 5 percent of confirmed breachers.
From well-publicised critical infrastructure attacks to massive supply chain breaches, the report delves into the financially motivated criminals and nefarious nation-state actors who have been active over the past 12 months, compared against trends seen since the report’s inception in 2008.
The hacking of JBS, the world’s largest meatpacking business, in 2021 is a notable example of an attack that had far-reaching impacts on Australia, with our agricultural sector responsible for much of the nation’s major exports impacted through the temporary shut down operations of JBS’ operations across 47 Australian sites.
Cybercriminals swung at governments and businesses full force in 2021 and 2022, making it a particularly memorable year for the murky domains of cybersecurity and cybercrime.
Ransomware On The Rise
The most telling feature in DBIR’s history was the stratospheric rise across the globe in ransomware breaches, which has increased 13 percent in a single year – representing a jump greater than the past five years combined.
While the Asia-Pacific region suffered a much lower number of ransomware attacks (10% of all confirmed breaches) than other regions in the world, the region experienced a high number of social and hacking-related attacks.
This trend is clearly continuing into 2022, with the Optus cyberbreach disclosed in September being one of the largest in Australia’s history, seeing the personal details of over 10 million Australians stolen. Two months later, Russian hackers posted data stolen from Medibank, the nation’s biggest health insurer, on the dark web after the company refused to pay a $A15 million ransom.
Over half of the breaches investigated by the 2022 DBIR involved the use of either remote access or web applications, a marked increased from 2017, when basic web application attacks comprised less than 20 percent of incidents examined. Remote onboarding and web management were challenges that businesses needed to address during the COVID-19 pandemic. These practices have remained in place even now, and can contribute to the increased risk of these attacks. We can expect to see businesses locking down their HR practices accordingly, as many new starters now begin jobs without the support of face-to-face training and onboarding practices.
Two-thirds of breaches analysed in the 2022 DBIR, which includes data contributed by 87 organisations around the globe, involved phishing, stolen credentials and/or ransomware, something we can see correlated in the news of high profile breaches and cyber attacks in Australia
over the last 12 months. Attacks like this also demonstrate the need for businesses to tighten up policies and onboarding procedures, to ensure employees can more easily recognise a phishing attempt and avoid their outcomes accordingly.
It remains to be seen whether ransomware continues to rise, but what we do know is that the vast majority of cyber attacks are still financially motivated, so businesses are well advised to set policies in place in the event of a ransomware attack.
The Human Element Remains Prevalent
Data from Verizon’s inaugural DBIR, released in 2008, found that 62 percent of breaches were attributed to significant internal errors that either directly or indirectly contributed to a breach. Fifteen years later, the 2022 DBIR made a similar finding, concluding that 82 percent of breaches involved a human element. We can therefore safely surmise that one of the big trends we are likely to see in 2023 is businesses making it a priority for staff to understand the integral role they play in cybersecurity.
Human error may remain a major component in cyberattacks, but Australian businesses are facing a battle for resources as well, with Per Capita’s Upskilling and Expanding the Australian Cyber Security Workforce report predicting that Australia will face a shortfall of up to 30,000 cyber security professionals over the next three to four years.
This further complicates an already difficult challenge – Australian security leaders are waging a war on two fronts – one against cyber threats, and one to win talent in an incredibly competitive and limited cybersecurity pool.
While external factors like the accelerating evolution of cyber threats and the skills shortage cannot be solved overnight, we are seeing some canny CISOs strengthen their cybersecurity by diversifying their hiring practices, as well as focusing on opportunities to cross-train and upskill existing staff as a value add to their careers.
We are also seeing some organisations creating shorter, more engaging security awareness training for users across the business and providing pathways to learn new security technologies for their cyber teams. Implementing a security-first culture is fundamental in making team members feel engaged – if they understand the “why”, they will do a better job of doing the “how”.
Looking Ahead: Businesses Need to Stay Resilient
We know that cybersecurity is not a solo sport – cybercriminals operate at a highly-organised and sophisticated level. Responses by businesses must match their attack attempts with a calculated, measured, and analytical approach.
No single individual or department can protect the digital estate, and the single biggest challenge, and asset, is bringing your people with you. Employees need to be consistently engaged with protocols and education, in addition to being given clear strategies and milestones for security programs.
The global cybersecurity landscape is rapidly changing. To stay safe against the rising threat of cyber-attacks, businesses must prioritise the allocation of resources towards shoring up their digital defences.