The risk to your business in a cyber attack isn’t limited to remediation activities or solely to brand damage. It’s now often linked to a loss of trust with trading partners (with knock on revenue impacts), a breakdown of corporate culture which can lead to staff attrition and a real likelihood that your business will become insolvent. In Part 1 of this article, I gave the example of a real Australian business, Landmark White. Today Landmark White are battling through the impacts of multiple IT data breaches within their property valuation business in late 2018 and 2019.
Common Drivers To a Bad Outcome
The biggest drivers we see in organisations that lead to cyber related incidents and IT data breaches are:
We’ve all heard the horror stories of social engineering or phishing emails that compromise the least IT literate members of your staff and leverage these to launch attacks against businesses. But cyber security is everyone’s responsibility, much in the same way physical security is the responsibility of all staff in a building. An active and ongoing cyber awareness program is critical in businesses of all shapes and sizes; it needs to be reinforced by (and from) the leadership in the organisation as being considered a high priority and it something everyone should be measured against.
Are you scanning your environment daily for vulnerabilities and are you on top of your patching and maintenance of applications, services and infrastructure? This is a crucial function within your business that isn’t just limited to penetration testing (though that is important) but about total lifecycle management and hygiene for all components in your IT stack, including third party providers if you use them.
Use frameworks like the ASD Essential 8 as a starting point to guide risk management activities, but don’t be afraid to cherry pick the best of NIST or CIS to get something that is right sized for your business too. These Frameworks should be seen as starting points, not shopping lists for compliance and risk needs that fit every business.
Many organisations collect logs and run a series of disparate systems to gain insights into their business’s IT function. In our time we have seen a litany of SIEM solutions growing dust in a corner, being ineffective at protecting businesses from delivering any insights let alone preventing an attack. The traditional SOC / SIEM approach is rapidly becoming overtaken by an integrated Managed Detection and Response (MDR) approach that couples SOC-as-a-Service and SIEM functionality with User and Entity Behaviour Analytics (UEBA), threat hunting and incident response capabilities as a turnkey outcome.
Can your organisation justify 24×7 “eyes on glass” to monitor your security environment and provide you the visibility that you need to detect threats in near real time? It’s often a collaborative approach with a managed service provider partner that makes the most financial sense for organisations.
I can’t tell you how many customers we still see that run legacy AV technologies and stateful inspection firewalls and think that they are protected from cyber threats. What worked well in 2001, isn’t fit for purpose today. Many attacks sail on through email or are enabled through legacy technologies like DNS; A dedicated attacker will use any and all tricks in their inventory to get past your defences.
Building a layered security approach with next generation technologies that interoperate nicely together is critical. Technologies like Deep Learning are providing unique mechanisms to block signatureless malware and solutions like EndPoint Detect & Response (EDR) are helping detect and stop attacks in their tracks through global scale intelligence sharing and endpoint integrated protection stacks. Cloud Access Security Brokerage (CASB) solutions let you gain visibility and an ability to enforce cloud data policy no matter where you store your data or manage your workloads. Look long and hard at your IT stack and leverage what is available today and don’t be afraid to turn off what you used yesterday.
If you think a cyber attack won’t happen to you, you may be right, but I’d wager it will only be a matter of time (if it hasn’t happened already). Our job isn’t to scare people into taking this stuff seriously, it is about helping prepare and protect our customers for the inevitable.
If you think you’re ready to start looking hard at your business and its readiness for a cyber attack, please reach out to us at Cythera. We love helping our customers protect themselves and their customers and we have solutions that fit businesses of all sizes. From our monthly subscription bundles, our professional services, to our turnkey Managed Detection & Response platform, we have a wide range of offerings to fit your business needs.
Let’s help you get started today.
Often, when we are presenting the state of the cyber security landscape and the risks that unprepared customers expose themselves and their businesses to, we get a real sense that customers nod but don’t really appreciate the gravity of the reality. Seeing statistics on a page and bridging that to a scenario that they can wrap their heads around and relate to their business is hard. Too regularly we have to see a customer being impacted themselves before they realise the magnitude of the danger to their business and their staff that a cyber attack brings.
To help bring home an actual example of a cyber attack on an Australian business which has had significant brand damage, broken trust with upstream providers and customers and created a demonstrable financial impact to their business, you don’t have to look much further than Landmark White.
By now, many of you should be aware of the difficulties facing Landmark White (LMW), one of Australia’s leading independent property valuation organisations. These difficulties have built over the past year, precipitated by a breach leaking customer valuation records that left about 37,500 unique valuation records and 1680 supporting documents sitting openly on the Dark Web in early 2019.
Despite being contacted anonymously through live chat and through the corporate Twitter account, LMW were slow to respond to initial notifications of the breach, with their Twitter channel unmanned over the Christmas holiday period. After a further email notification from the Australian Cyber Security Centre to a vulnerability on an exposed programming interface on their platforms, LMW claim to have closed the vulnerability by January 23rd.
After this breach and subsequent notification of same, LMW stopped trading on the ASX in February 2019. As a result of the incident and the publicity that it received, LMW was “suspended from receiving work from a significant number of clients which is impacting our revenues, profitability and cashflows,” company secretary and CFO John Wise wrote in a letter to the ASX.
A second breach involved posting to SCRIBD that “mostly comprised PDF valuation documents and other operationally related commercial documents”. This incident LMW believe was precipitated by corporate sabotage and potentially internally generated in nature. This next breach was shortly followed by an exodus of staff from the Sydney franchise business a fortnight later. Heading into a trading halt again following this secondary breach, LMW’s market capitalisation more than halved from $39 million at the close of 2018 and to $15.3 million when shares were suspended in June 2019.
There has been much speculation that LMW directors are seeking an exit for the business with leaked emails from the acting Chief Executive Tim Rabbitt stating they “have to consider alternative options for the business including the potential sale of the whole or parts of the business”.
This is an absolutely horrific scenario and I’m sure there are many people within LMW today who would love to be able to roll back the tape and make some different decisions on how they prepared their business and their cyber security approach.
In part 2 of this article, I will spend some time discussing the biggest drivers we see related to cyber security incidents and outline some suggestions on how you might position your business to best defend itself from the potential of a cyber attack.
We help a lot of Australian businesses out with security incidents, as well as recovering from hacks and breaches. Many of them can be attributed back to human error or poor security hygiene. I thought I would share some of my top tips to help you avoid a costly hack, or brand damaging breach.
This is an easy one. Operating system vendors don’t just release patches for new features, they’re also patching security vulnerabilities regularly. Keep desktops and laptops up to date and enable automatic updates wherever possible. Apply the same thinking to critical applications such as Microsoft Office (Vulnerabilities in Microsoft Office have risen 121 percent over the last 6 years ), to keep ahead of problems.
Many successful cyber security incidents start with an account being stolen or ‘phished’. One way to help stop these attacks being escalated is to have a second factor of authentication beyond just your username and password. This means that even if an account is stolen, the attacker can have a difficult time accessing the second login which may be a token or application that runs on a users smartphone. Two factor can be enabled selectively such as when a user is outside your corporate network. Some 2fa vendors to consider are Ping Identity https://www.pingidentity.com/ and Azure MFA https://azure.microsoft.com/en-au/services/active-directory/ .
Cyber security is not just about technology and processes, it’s also about your people and the way they go about their day to day business. As a successful cyber attack can shut down your business or irrevocably damage your brand, It’s key that management and executive set a good example as this attitude then flows throughout the organisation. Ongoing cyber awareness training to make staff more conscious of potentially malicious behaviour will improve the cyber-hygiene of your business, with more mature organisations now also including cyber security training into staff onboarding.
Accounts that are stolen or included in breaches often end up being sold on the dark web for use in other attacks. There are resources available for you to check if key staff accounts have been included in previous breaches. https://haveibeenpwned.com/ allows you to search for staff email accounts, and any that are discovered should have passwords reset and even enabling two factor authentication on.
There’s a common theme with many of the companies we assist with security incidents; They didn’t plan for one. They often have a health and safety plan, and even a terrorism plan! This doesn’t need to be war and peace, and can be a single pager on roles and responsibilities, as well as who to contact including any cyber security partners you work with to assist in responding to incidents. If you have any regulatory bodies or government agencies you liaise with make sure to include any reporting structures that may need to take place here. The Australian Office of the Information Commissioner has a good guide on data breach plans . Make sure you’re also familiar with the Notifiable Data Breach Scheme .
There’s lots of talk about the increasing skills shortage in cyber security. And let’s face it, cyber security is probably not part of your core business so you’re constantly going to be playing catch up with a rapidly changing landscape. By partnering with a cyber security specialist you’re also subscribing to the ongoing skills and herd intelligence to help you plan and protect your business and brand from being the next headline. Just make sure they’re a specialist and not someone who’s also trying to sell you phones systems and printers.
Australia’s emerging enterprises are facing the same security risks and suffering the same incidents the big end of town are, but with much less capability to respond and protect themselves from a rapidly changing space. By baking security into your businesses DNA, and partnering with strategic cyber security specialists, you’re setting yourself up for success.