If you’ve been following the news over the last few years, and let’s be fair, who hasn’t, you may have noticed – between the headlines of US election drama and burgeoning pandemic numbers – that cyber crime is well and truly on the rise.
From Australian Prime Minister Scott Morrison’s alarming announcement in June 2020 that a foreign government had been discovered undertaking “malicious” cyber attacks against Australian government agencies, to the numerous hacking scandals plaguing the 2020 US election race, cyber crime is rife.
But it’s not just the largest organisations that are at risk of cyber attacks – many organisations and businesses that have moved to work-from-home arrangements have fallen victim to opportunistic cyber criminals making the most of easy access to remote IT systems.
In September 2020, global IT and tech news site ZDNet reported that there had been a “sharp rise in sophisticated hands-on hacking campaigns”, with the first half of the year showing more incidents than all of 2019.
The findings came from a report by cyber security company CrowdStrike, and were based on “potential hands-on intrusions” identified by their research team.
“The first half of 2020 saw 41,000 intrusions, a higher figure than the 35,000 detected during all of 2019, according to the company,” Danny Palmer, author of the ZDNet article, reported.
“Hands-on campaigns are based around hackers gaining access to the network – often via leaked or stolen credentials to an employee account or an exposed RDP server – then using the legitimate access those accounts or systems offer to move across the network, gradually securing the means to gain more and more access.”
This type of “hands-on” cyber crime is often much more difficult to identify than larger-scale hacks, as access is being gained from a legitimate source or account.
“It used to be that this type of sophistication was reserved for nation-state-backed hacking groups, but now it’s regularly demonstrated by cyber criminal gangs too.”
But even before remote working became the norm, business experts were acutely aware of the increasing risks of cyber crime.
According to the ninth Allianz Risk Barometer report, released in January 2020, “Cyber incidents” outranked “Business interruption” by 2% as “the most important business risk globally”, for the first time in the report’s history.
The rise to first place from 15th place just seven years ago shows that an increased reliance on IT systems and data, as well as the rising number of high-profile incidents, has made businesses (and the boards that govern them) more aware of their digital vulnerabilities.
But how can businesses stay on top of these risks, to reduce the regularity and severity of incidents?
According to a recent article by Andrew Tillett, Political Correspondent for the Australian Financial Review, the Australian Government, along with the Australian Cyber Security Centre, believes that the best way to reduce cyber incidents is to report and share them.
“To counter the proliferation of online threats – which range from crudely worded criminal scams exploiting the COVID-19 pandemic through to persistent attacks by foreign governments – the Morrison government has unveiled a $1.7 billion cyber security strategy,” Tillett writes.
“The strategy includes hiring an extra 500 cyber spies, greater information sharing of cyber threats, new powers for the cutting-edge Australian Signals Directorate to step in and protect computer networks and obligations for critical infrastructure providers to strengthen their cyber security defences.”
Under this new cyber security strategy, critical infrastructure providers in Australia – including banks, defence contractors, and power and telecommunications companies – will be obligated to report cyber security incidents to the Australian Cyber Security Centre for greater transparency.
This follows the Centre’s finding that the private sector has been underreporting cyber incidents, to the detriment of its peers.
“The centre’s threat report, released in Oct 2020, showed the agency responded to 2266 cyber incidents in 2019-20, with federal and state governments responsible for 35 per cent of reports,” Tillett writes.
While Australian Cyber Security Centre head Abigail Bradshaw believes this could be due to private entities wanting to “protect commercial reputation” or “concern about market response”, her message is clear: reporting cyber breaches not only protects you, it will also protect the “next victim”.
So who is responsible for tracking and reporting cyber incidents within large organisations? And what’s the best way to ensure cyber risks are managed to avoid major security breaches and incidents occurring in the first place?
According to Adam Collins, Chief Product Officer at Camms, cyber risk management should be a top-down approach, with board directors and business leaders identifying key cyber risks which can then be managed, tracked and ultimately reported, for rapid responses and transparency.
“With the increasing numbers of cyber crime, and Government mandates for cyber risk reporting on the horizon, now is the time to manage your risk in a systemised and transparent way,” Adam said.
“Visibility of cyber risks at the right levels, including the very top, is essential to managing risk and ensuring that those responsible for compliance have all the information they need.
“This requires an integrated system, like Camms.Risk, that can provide large organisations with a consistent view of how all risks, including cyber and IT, are maintained and controlled; a simplified approach to compliance across key regulatory frameworks related to information security; and the ability to respond to cyber and IT breaches quickly to keep key stakeholders informed.”
Camms.Risk is intelligent and flexible risk management software that provides critical insights and supports decision making in a fast-paced, ever-changing business environment. It’s the best tool to manage risk, including cyber and IT risks.