The world doesn’t seem to be short of regular data breaches, but the latest one to hit Optus and Australia’s biggest to date, has sent Australia’s cybersecurity panic into overdrive. A cybercriminal managed to access the details of no less than 9.8 million customers when a database was left open to the internet. News outlets are already reporting that the incident is the wake-up call that corporate Australia needs. Not only that, but the Minister for Cybersecurity is already suggesting law reforms that will see companies experience severe legal ramifications for the mismanagement of data. There are also suggestions that there will be laws drafted against big data hoarding.
The breach itself had a ripple effect on major enterprises, with many of them scrambling to send out reassurances to customer databases that their details were safe. You would have recently received a text or email from your financial service providers, insurance services and even retail operators explaining what they are doing to protect your data. We asked our Infosec Engineer Lachlan Potter for guidance on what we can all learn from such a disaster, and better protect our own businesses as a result.
This shows you that even major companies aren’t infallible. Optus obviously had very sophisticated measures, but what’s the lesson for enterprises?
The main takeaway for other businesses from the Optus breach is that security isn’t just a tickbox item, but something that needs to be embedded into the daily processes, workflows and culture of your business. All it takes is one misconfiguration or process breakdown where the necessary checks aren’t done, and you could end up leaving your organisation wide open for someone to swoop in and steal your data. At the end of the day, this situation came from human error, not some overly sophisticated attack – so focusing on your people and processes and integrating security into the day-to-day is essential for protecting your business.
What are the dangers and ramifications of such a breach?
When considering the consequences of a breach like this, depending on the type of data lost, the hit to the organisation can be huge. The damage to a business’s reputation and trust in its brand is often overlooked when considering the flow-on effects of a data breach. However, the loss of clients, investors, employees and public favour, along with the financial aspects like fines and remediation costs can cripple an organisation.
What would you say to smaller businesses that believe it won’t happen to them?
In the current landscape, it’s not so much about being a target as much as it is about leaving an opening in your defences. 99% of the time attackers don’t know or care who you are when they’re probing your network, they’re just looking to make a quick buck off whoever and whatever they can. A majority of network intrusion attacks start with mass scanning from bots and automated systems to see what’s out there and vulnerable, followed by spraying whatever exploits they have at everything they find to see what sticks. Once an attacker finds a foothold on a network, they’ll either sell whatever access they’ve obtained to someone who’ll worm their way into the network to see what they can steal, or they’ll hit the network with malware and ransomware to try and monetize whatever access they have, regardless of who you are.
What would you recommend to a new client who feels their current cybersecurity resilience and strategies are immature?
Focus on the basics – Cybersecurity isn’t a race to a finish line, it’s about continuous improvement and understanding what you’re protecting, so having a solid base to build your organisation’s security strategy form is essential. Consider implementing things like password and authentication best practices, security awareness training, asset discovery and logging, and regular access reviews. These will go a long way to improving your overall security posture and provide a solid foundation for developing more mature, risk-aware cybersecurity strategies.
What is the first stage in the process of improving a business’s cybersecurity defence?
The first stage for improving any business’s defences is working out what they need to protect. Without visibility and understanding of your accounts, devices, systems & services, you won’t know what needs securing, or where the gaps are that need tending to first. Having a solid grasp on the who, what, where and why of your business is key to improving your security posture.
It often takes disaster to mitigate change. Do you think it is acceptable that data laws may become more severe in the wake of such a breach?
Australia’s data protection and privacy legislation are lacking when compared to regulations like GDPR and the CCPA that stress the importance of an individual’s data rights, so seeing the government take more interest in implementing better regulation and guidance around what data businesses can and should store can only be a good thing for everyone involved.
No system is 100% secure so data breaches are inevitable; however minimizing the amount and types of data businesses keep on file through tighter regulations would result in less sensitive data being leaked, less pain for consumers and clients, and less reputational damage to the businesses as a result.
Trust Evologic for IT security
Evologic will always keep your data safe with a range of customised cyber security and managed IT solutions for Greater Geelong and Western Victoria. Find out more here.