Are you ready for a cyber breach?
28 April 2016
In today's digital age, it's not just governments and military bodies that are susceptible to being hacked. On 1 March 2016, the White House announced that it was using cyber attacks to disrupt Islamic State communications and overload its networks.
Individuals can also be susceptible to cyber attacks. In March, digital protection company ESET discovered malware on Android phones that could steal an individual's banking details. It appears that the malware took control of a phone when a customer tried to open a banking app. It would then redirect the customer to a fake login screen that the customer could not exit until they entered their login details. Once these details were provided, those behind the malware were free to log into that customer's account and transfer money out of it.
Private companies are being hacked more frequently than ever. Such attacks generally have one of three purposes:
- to get information that hackers can reuse, e.g. the theft of credit card information or industrial information
- to affect the business's performance, e.g. where hackers seize control of operating systems, or
- to seize control of systems, e.g. where hackers infiltrate systems and use them to send out spam or scam emails.
In recent months, cyber attacks against eBay, Target, Google, The New York Times, Twitter, and the Dow Jones and US Stock Exchange have been reported in the media. The hacks on these companies have received media attention because of their notoriety and public standing.
It would be a mistake to think that small to medium-sized businesses are not being hacked or subjected to cyber attacks. In fact, hacking is happening at such an alarming rate that it is almost inevitable that these businesses will be attacked. This then raises the question: are you ready for a breach? Business owners and managers need to identify and manage pre-breach issues to best protect themselves if an attack does happen.
Strengthening the shield—pre-cyber attack preparation
Before a cyber attack occurs, it is important that a company has action plans from three perspectives—legal, operational and technical.
The legal front
From a legal perspective, this involves pre-breach actions and planning for post-breach events. You should ensure that you are properly insured for any loss that may occur, or liability that may arise, from an attack. This should include a review of your insurance policy's wording to ensure it provides adequate cover.
Post-breach planning should cover notification. This could include contacting your insurer and activating a cyber insurance policy, and also deciding whether to notify customers of a cyber attack. Be aware that failing to notify customers of a cyber attack could have a considerable impact on your business's reputation and goodwill.
Notification might also relate to whether ASIC, the ASX or the Privacy Commission (amongst other government organisations) must be notified of an attack. Notification laws are currently being developed and an exposure draft of new legislation that could make breach reporting mandatory, the Privacy Amendment (Notification of Serious Data Breaches) Bill 2015, has been released.
The operational front
From an operational perspective, you should develop a cyber attack policy as part of your overall disaster recovery plan. This policy, amongst other factors, should outline who is responsible for dealing with an attack, how key IT personnel or IT providers will be engaged, how the business will function if one or more of its servers are offline, from where the business will operate if its premises are unavailable and how the board of directors and corporate officers are to be kept up-to-date to fulfil their corporate duties.
Additionally, you should also be aware of, or take advice about:
- cyber security compliance—particularly about ASIC and privacy protocols
- mitigation of your risk through contractual provisions that ensure IT professionals are robustly monitoring your systems
- any multi-jurisdictional issues that arise out of information being stored and used internationally
- obligations regarding the retention of data
- compliance training—training your staff so that they are aware of what a potential attack might look like, and
- working with legal and IT specialists to conduct a cyber fitness test so your business is ready against an attack.
The technical front
Making sure that your systems are kept up-to-date has a significant effect on vulnerabilities. The Australian Signals Directorate estimates that 85% of targeted cyber intrusions can be prevented by just four mitigation strategies: application whitelisting, patching applications, patching operating system vulnerabilities and restricting administrative privileges. There is an additional mitigation strategy of having management and all your staff understand these strategies.
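The four mitigation strategies above are easier to act on when they are turned into a routine check rather than a statement of intent. The script below is an added example, not code from the original article or from the Australian Signals Directorate: it audits a constructed host inventory against the four strategies (is application whitelisting enforced, are installed applications at their latest version, how long since the operating system was patched, and which local administrator accounts exist beyond an approved break-glass account) and reports which hosts fail which strategy. The host records, the 30-day patch threshold, the approved administrator name and the report date are all assumptions made up for the example; it also includes a small hash-based allowlist check of the kind an application whitelisting control performs.

```python
"""Audit a host inventory against the four ASD mitigation strategies.

Added example (not from the article). All host records, thresholds and
account names below are constructed sample data.
"""
import hashlib
from datetime import date

MAX_PATCH_AGE_DAYS = 30                 # assumed policy threshold
ALLOWED_LOCAL_ADMINS = {"breakglass"}   # assumed approved break-glass account
REPORT_DATE = date(2016, 4, 28)         # assumed date the audit is run

# Constructed inventory, shaped like an asset-management export.
HOSTS = [
    {
        "name": "fileserver01",
        "app_allowlisting_enforced": True,
        "apps": {"reader": "2016.3", "browser": "49.0"},
        "latest_app_versions": {"reader": "2016.3", "browser": "49.0"},
        "os_last_patched": date(2016, 4, 20),
        "local_admins": {"breakglass"},
    },
    {
        "name": "reception-pc",
        "app_allowlisting_enforced": False,
        "apps": {"reader": "11.0", "browser": "49.0"},
        "latest_app_versions": {"reader": "2016.3", "browser": "49.0"},
        "os_last_patched": date(2016, 1, 5),
        "local_admins": {"breakglass", "reception", "sales"},
    },
]


def assess_host(host, today):
    """Return the list of mitigation strategies this host fails (empty = all pass)."""
    failures = []

    # 1. Application whitelisting must be enforced, not merely configured.
    if not host["app_allowlisting_enforced"]:
        failures.append("application whitelisting")

    # 2. Every tracked application must be at its latest known version.
    outdated = sorted(
        app for app, ver in host["apps"].items()
        if ver != host["latest_app_versions"].get(app)
    )
    if outdated:
        failures.append("patch applications: " + ", ".join(outdated))

    # 3. The operating system must have been patched within the policy window.
    age = (today - host["os_last_patched"]).days
    if age > MAX_PATCH_AGE_DAYS:
        failures.append(f"patch operating system ({age} days since last patch)")

    # 4. Only approved accounts may hold local administrator rights.
    extra_admins = sorted(host["local_admins"] - ALLOWED_LOCAL_ADMINS)
    if extra_admins:
        failures.append("restrict administrative privileges: " + ", ".join(extra_admins))

    return failures


def audit(hosts, today):
    """Map each host name to its list of failed strategies."""
    return {h["name"]: assess_host(h, today) for h in hosts}


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def executable_allowed(file_bytes, allowlist_sha256):
    """Hash-based allowlist decision: run only if the binary's hash is approved."""
    return sha256_hex(file_bytes) in allowlist_sha256


if __name__ == "__main__":
    for name, failures in audit(HOSTS, REPORT_DATE).items():
        status = "OK" if not failures else "FAIL"
        print(f"{name}: {status}")
        for f in failures:
            print(f"  - {f}")
```

Run on the sample inventory, the file server passes all four checks and the reception PC fails all four, which is the kind of per-host list an IT provider can work through. The same structure extends naturally to a real export from a patch-management or endpoint tool: only the record fields and the policy constants change.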
Additionally, technical preparation includes working with IT professionals to conduct a cyber check-up so that IT systems are capable of withstanding or still functioning if an attack happens. IT professionals can also conduct penetration testing to see how systems respond in the event of an attack and to further develop protocols to limit the impact of a cyber attack.
It is also important to engage IT professionals so that, when an attack occurs, there is a first-strike team ready to immediately respond to the attack to prevent as much damage as possible and to ensure any systems that are taken offline are back up as soon as possible.
It is easy to dismiss cyber security as either an unimportant issue related to mere computer viruses or as something that happens only as part of major government operations or hacks on large multinational corporations. In reality, cyber attacks occur frequently on all types of businesses and especially on small to medium-sized businesses.