Network Overdrive has been serving and protecting Australian businesses since 2000. There’s been a lot of change in those two decades – both good and bad.   Throughout those two decades we’ve had a special interest in serving the caring community – the community of caring SMBs and NFPs that state and national governments have increasingly engaged to deliver community services. There has been massive growth in the power of technology to enable business productivity and business growth across all sectors – which has enabled the caring community to achieve some amazing things.    Sadly, there has ALSO been massive developments – and massive growth – in cyber crime.   This puts the caring community – and their vulnerable clients – at increasing risk.    

We’ve had first-hand experience of cyber crime

We’ve already survived a cybercrime attack that hit us – despite massive security improvements.  It came through a third party vendor and impacted multiple businesses (including our own). We recovered, and  our customers recovered and the temptation is to  quietly move on.  We went through a massive learning curve about what REAL security is and today’s big gap. It’s a real temptation to quietly move on.But that means no one learns from our experience – and THAT means that the cybercriminals get to steal more money and hurt more businesses. So we want to take the time to share the key thing that we learned with you The full story is one that we’ll be telling in the near future – but there’s ONE BIG THING you should know today..    

Good backups or moving to the Cloud is not enough

Why?  Because disrupting your operations is no longer the way ransomware makes their money.  Today, most ransomware attackers know that you have good backups. So the really nasty ones don’t get into your system and shut you down any more. Instead, they quietly penetrate your system and silently monitor your operations while they watch and learn.  Then they work out where to hurt you most how to get the most money out of you.  Then they craft an attack strategy that makes them money. For big businesses, that can be blackmail – give us money or we’ll publish your data to the world.   For a small business, it’s a whole different story.  Criminals may wait inside your systems for  4-5 months while they watch and learn. They might wait till you have a big payment due – then steal that payment using false banking details. You MUST monitor what’s happening INSIDE your system. The faster you can detect bad actors inside your system, the less damage they can do.  Internal monitoring (Network Detection and Response) is vital.   The next generation of cybersecurity exists – but it’s not getting the urgent attention it needs in Australia Cyber security experts around the world are responding to this threat with new tools and technology to better defend and protect organisations from cybercrime. Network Overdrive’s security experts work alongside former US military chiefs in developing systems to combat ransomware. Australian government policy – at both state and federal levels – is NOT in tune with the reality of cybercrime in 2021.  There are gaping policy holes that mean government approaches are failing to address the fundamental issues of cybercrime in the 2020s. “…governments’ focus is now overwhelmingly on bolstering defences for future attacks rather than addressing immediate, real-world cyber risk that impacts organisations in the here and now…. [they’re] big on [issuing] alerts and advisory, but everyone gets drowned in this…. What we need… is specific information about attacks that’s real-time, situational and you can do something about” https://fst.net.au/government-news/health-care-providers-a-weak-link-in-governments-cyber-sec-priorities/ 

It’s policy stuck in 2000

It’s full of navel-gazing and big ideas and big words. However, there’s nothing in it that’s actually going to help build practical cyber-resilience in the thousands of small businesses and not-for-profit organisations that do the on-the-ground community-facing work of delivering health and community services to Australia’s citizens. These strategies have their roots in a time when “cybersecurity”  was about firewalls and backups and  spam.   They don’t deal with the reality that in 2021, even global tech firms like Accenture and Facebook can’t protect their systems from attack.

Victoria’s strategy has limits

In their recent Cyber Strategy for 2021, Victoria’s government is going to:

• Invest heavily in their own, internal Victorian government cybersecurity.
• Invest in growing the local cybersecurity technology industry to uplift their capabilities.
• Conduct training and education programs in cybersecurity and cyber skills. 
• Fund police to improve their ability to detect and hand cybercrime
• Increase awareness in SMBs and NFPs of the need for enhanced cybersecurity
• Broadcast threat warnings about the growth in cybercrime attacks.
• Require SMBs and NFPs to meet high standards of cybersecurity in order to retain the right to deliver services.

The Commonwealth’s approach is also flawed

In their Cyber Security Strategy 2020, the Commonwealth government says it plans to protect and actively defend the critical infrastructure that all Australians rely on, including cyber security obligations for owners and operators. Their approach includes: 

• New ways to investigate and shut down cyber crime, including on the dark web. 
• Stronger defences for Government networks and data.
• Build Australia’s cyber skills pipeline.  
• Increased situational awareness and improved sharing of threat information. 
• Advice for small and medium enterprises to increase their cyber resilience.
• Guidance for businesses and consumers about securing Internet of  hings devices.
• 24/7 cyber security advice hotline for SMEs and families.   
• Increased community awareness of cyber security threats.

 

What are the current realities these policies are missing?

The policies make no allowance for the evolution of cyber attack into organised crime.  They make no allowance for internal monitoring. They fail to deliver the funding needed to protect the caring community as they deliver government services to vulnerable Australians.

The ever-changing goals and strategies of global cyber criminals

Since the start of 2021, Network Overdrive has run a series of webinars in conjunction with global experts IronNet exploring key issues.   The August webinar highlighted the key issues, including: https://www.linkedin.com/posts/it-strategy-melbourne_collectivecyberdefence-ccd-ironnet-activity-6845609857517805568–aDI

• Backups aren’t enough protection – this is a world where bad actors infiltrate systems and exfiltrate key data for weeks before a ransomware event.  Minimising their undetected “dwell time”  is fundamental to good security.
• The reality of cyberattacks – present and future – includes  ransoming confidential/embarrassing information.
• The cost to figure out what bad actors did BEFORE the ransomware event – which is the true damage – is massive, extremely difficult and very expensive.
• Cyber criminals attack whole supply chains AND attack through the software supply chain, contaminating legitimate, necessary software updates with hidden triggers and backdoors.  What we’ve seen so far is the tip of the iceberg.
• Better training doesn’t deliver substantive security improvements. Despite their deep investment in cybersecurity, Accenture got extorted for $50 million.   All the awareness education in the world won’t stop bad actors – it’s a matter of when, not if.

The realities of the ransomware game

It’s all very well in theory to take a “no-payments” stance on ransomware – but the reality is that it can leave victims with no room to move.  And “no payments” does nothing for the small business who’s just had a big customer payment stolen: https://www.csoonline.com/article/3636795/australia-targets-ransomware-with-new-national-plan.html Victims only if they feel they have to  – so they can keep their business alive.  There’s no need for the government to be heavy-handed. Insurance providers are extremely worried about businesses paying ransomware, but there are other things governments can do to reduce the cost to insurance providers. The government should be devising strategies to either prevent these attacks in the first place or to assist victims through the process of recovery.  

Active attack intelligence trumps a flood of threat advisories

Governments are big on issuing alerts and advisory, but everyone gets drowned in them – they’re about the growing number of threats that can potentially do harm.  But what organisations need is specific information  – information about attacks that’s real-time, situational.  Information that they can DO something about.   The latest automated, collective defence tools deliver this information, allowing fast action and response that minimises the impact and recovery cost of an attack.  

The effectiveness of smart collective defence strategies

What’s working in cybercrime responses?  Ganging up against the criminals – forming alliances and networks of protection, enabled with the tools for real-time response. Collective defence tools and agreements  allow organisations to scan and share intelligence about their IT systems in real-time. These defence systems use EDR (end-point detection and response), SIEM (security information event management) and NDR (network detection responses) to “watch within the network” and reduce dwell time of bad actors.  

It actually takes money to upgrade security

Going forward, it seems that the SMBs and NFPs who deliver health and support services on behalf of government – both state and federal – are going to need to find up to  $150,000 to achieve ISO 27001 (an international standard for managing information security)  plus up to $50,000 each year for ongoing auditing. With zero funding for security, their ability to provide a customer base for local cybersecurity businesses is pretty limited.  

What’s needed from Australian governments?

There are three key things, the Commonwealth government can do, as we outlined to The Mandarin’s Louis White “Tackling the growing threats to Australia’s cyber security” – https://www.themandarin.com.au/169281-tackling-the-growing-threats-to-australias-cyber-security/

• “Firstly, develop strategies for how government departments can work together in a collective cyber defence framework, with a particular focus on strategy needs to develop a framework that will provide real-time attack information and not just cautionary threat advice. “The reality is that [a real-time update on] attacks and potential breaches trumps all reactive methods.

• “Secondly, they could also extend that collective cyber defence approach to essential services and arm’s-length extensions of government departments, which are often targeted as back channels into government systems.

• “And finally, they could appropriately fund the cyber maturity of third-party organisations, to bring them up to the latest standards of defence and prevent soft entry points for attackers.”

 

The policies of yesterday won’t protect government systems and services today

The policies we’ve seen so far  come across as a combination of internal spending and navel-gazing – along with patronising promises around training.  These policies demonstrate a security mindset that’s 5-10 years out of date.  NFPs and SMBs  don’t need to be lectured on how to avoid email scams.  They know that there’s much more to cybersecurity today  than avoiding scams. They don’t want to be patronised with “education”  while the government spends big on their internal systems protection. They don’t need to be loaded down with demands for costly security upgrades to meet onerous new standards – with no funding to help them meet those standards.   The published policies of Australian state and federal governments don’t show any awareness of the next generation of powerful cyber security tools  – collective defence strategies that use full-spectrum security technologies that protect the systems of a sector (not just individual systems at their boundaries).  

NFPs and SMBs need a real hand up – an investment in 21st century cybersecurity

They need funding that matches government demands for higher security standards.  They need advice about today’s advanced tools for whole-systems protection and active, collaborative defence. They need more than just a handout, they need a hand up – real help to deliver real cybersecurity  solutions suited to the rapidly-changing risks of the  21st century. Addressing 21st century, industrial-scale cybercrime with education about email spam and unfunded demands for higher, highly expensive standards is like trying to handle a global epidemic with facemasks and sanitizer and lockdowns.   It’s insufficient to the reality of the attack’s severity. Patronizing statements, followed by more (and more onerous) security requirements and no (funding or) support will not protect the care and community sector – or their clients. As NOD CEO  Greg Clarkson has said, it’s so disappointing to see government strategies that leave Australia’s care and community sector – along the government systems they link in to – so exposed to cyber crime attacks.