9 November 2018

News round-up 9 November 2018

Helping your business stay abreast and make sense of the critical stories in digital risk, cyber security and privacy.

The round-up:

Cyber espionage and nation-state activity was the backdrop for news this week, with revelations that an Australian defence contractor had been breached and Australia’s chief cyber spy making a public speech. These issues can be distracting from pressing risks faced by most organisations, so the latest release of data from the mandatory data breach notification scheme was quite timely.

Key articles:

Australia’s cyber spy chief slams corporates contemplating “hacking back”

Summary: The chief of the Australian Signals Directorate issued a warning to Australia’s business community that private offensive hacking attacks in the name of cyber or corporate security won’t be tolerated.

Key risk takeaway: Given the increasing challenge of successfully defending against cyber threats, industry commentators occasionally float the concept of permitting organisations to ‘hack back’ against attackers as a means of deterrence. Notwithstanding the clear directive from ASD’s chief here around the illegality of such activity, hacking back is highly fraught – not just legally but also in terms of its feasibility and even its utility. Organisations are better placed focusing on understanding their risk posture and applying appropriate defences, and cultivating strong government relationships that can be leveraged for assistance in the event of a major cyber event.

Tags: #riskposture #controls #governmentoutreach

Australian organisations reported 245 data breaches between July and September this year

Summary: The Office of the Australian Information Commissioner’s (OAIC) quarterly statistics release of statistics from the mandatory data breach notification scheme reveals 245 data breaches between July and September, on par with the prior three months.

Key risk takeaway: A fifth of data breaches in the quarter occurred when personal information was sent to the wrong recipient, such as by email, mail or fax. This reflects the continued need for good data protection policies, underpinned by staff training. More broadly, this report reflects a continuing maturation of the mandatory data breach notification scheme, which took effect in February. Organisations should ensure they are prepared for their reporting obligations with an effective data breach response plan.

Tags: #databreachresponse #staffawareness

Australian defence contractor Austal hit by data breach

Summary: The US Department of Justice unsealed charges against 10 Chinese nationals for a multi-year campaign to steal aerospace technology, while an Australian shipbuilder and defence contractor also revealed its IT systems had been breached by an unknown attacker.

Key risk takeaway: Despite international agreements, nation states continue to use cyber means to steal intellectual property – as reflected in these reports and according to local think tanks. Organisations most likely to be targeted by nation states are those in defence and national security and/or those engaged in high-value trade (eg. mining). For all companies, identifying any high-value assets that could be potentially targeted is a key first step in assessing cyber risk levels.

Tags: #assetidentification #cyberrisk

SamSam ransomware group has hit 67 organizations in 2018, researchers say

Summary: SamSam, a disruptive strain of malware capturing the attention of researchers has attacked 67 different organisations in 2018, a quarter of which are health care organisations.

Key risk takeaway: Ransomware continues to rise as a serious threat. This form of malware has been deemed a particularly grave threat by researchers due to using targeting techniques commonly seen in espionage attacks. Detection technology and educating users to detect emails with malicious links or attachments are key defences against ransomware infection.

Tags: #ransomware #securityawareness #malware

AustCyber to figure out what ‘cyber skills’ actually are

Summary: AustCyber – Australia’s government agency tasked with developing the Australian cyber security industry – is embarking on a project to understand the country’s needs for cyber vocational education and training.

Key risk takeaway: The shortage of cyber skills remains a key challenge for any organisation seeking to uplift its cyber posture. Having a prominent and positive profile on cyber security and privacy in the marketplace is a critical element to attracting scarce talent. Organisations can participate in AustCyber’s project here.

Tags: #cyberskills #reputation #publicrelations