Securing Australia’s cyber future Part 1: The big breach nightmare

Attacks have ranged far and wide, from major corporations such as Optus and Medibank to smaller businesses, leaving CISOs shaken and boards concerned.
As the government considers new measures, organisations must look to their security. But what lessons can we draw from this wave of cyberattacks, and how can Australia’s cybersecurity sector best respond?

Some of this year’s breaches have been colossal

The breaches have hit household names hard and brought cybersecurity into the public eye at a whole new scale. In late September, telecoms giant Optus revealed that the data of around 10 million customers had been exposed, including names, contact details and several million passport and driving licence numbers. Data from the breach is believed to have already been used in multiple scams.

Weeks later, Medibank announced a “cyber incident”, later confirming that 9.7 million Australians’ data was affected, including Medicare numbers, dates of birth and codes that indicate diagnosis and treatment. A sample of the user data has since been shared by an alleged hacker. The health insurer also revealed that it was not covered by cyber insurance, and its shares have dropped to their lowest level for two years.

But the breaches did not end there. Over 200,000 people’s records were exposed in an attack on Medlab Pathology that went unreported for eight months and real estate firm Harcourts had its Melbourne rental property database breached, with Telstra, MyDeal, wine retailer Vinomofo, the Australian Music Examinations Board and EnergyAustralia also hit.

The breaches could have been avoided (in theory)

In hindsight, it looks like these breaches could have been easily avoided. Investigations are ongoing, but we already know how some incursions were made:

1. Optus – a misconfigured API gave a hacker an easy route in
2. Medibank – compromised login credentials were used to access Medibank’s files, probably by a sophisticated ransomware group
3. Vinomofo – customer data was exposed while testing a digital platform
4. MyDeal – compromised login credentials were exploited
5. Australian Music Examinations Board – a crucial patch was not applied, leaving the online shop open to malicious script
6. EnergyAustralia – in the absence of multi-factor authentication (MFA), several customer accounts were taken over

“None of the intrusions are the result of indefensible exploits”, notes Information Security Media Group’s Jeremy Kirk. “The people behind these attacks are most likely workaday cybercriminals, not your top-level nation-state attackers.”

But the lesson to take away here is that no matter how large or well-funded the cybersecurity function might be, there will always be gaps somewhere. It is an unavoidable fact that comes with any tech-enabled organisation.

What we can control is the probability of becoming a target, which is why the focus should be on ensuring that security fundamentals like awareness training, security configurations and patching are regularly actioned. These measures won’t guarantee 100% security but will greatly reduce the risk of getting caught out by a data breach.

These incidents are just the tip of the cyber iceberg

While many attacks may lack sophistication, the damage they cause is very real. The sheer number of attacks and attempts means that sooner or later, a major breach can and will occur somewhere. The Australian Tax Office has revealed that it suffers three million attempted hacks every month, while the census website fought off around a billion attacks in 2021. If we also consider the number of attempted hackers and the large number of successful breaches that were never reported (or simply haven’t been discovered yet), this year’s headlines are just the tip of the iceberg.

The Australian Cyber Security Centre (ACSC)’s 2022 report records a 13% rise in cyberattacks over the last 12 months. It shows the rise of state-linked actors, attacks on critical infrastructure, the increased destructiveness of ransomware and the cost of Business Email Compromise (BEC), losses from which totalled $98 million.

Why Australia is in the firing line

The rise of remote work and adoption of IoT devices have dramatically increased the attack surface of the average organisation in a relatively short period of time. This rapid shift has created opportunities for cybercriminals globally. But why have Australian organisations been breached so often in recent months? The ACSC note that, with the highest median wealth per adult in the world, “Australia’s prosperity is attractive to cybercriminals”. That wealth could be better protected: 16 countries, including APAC peers Malaysia, Singapore and Japan, rank higher in the Global Cybersecurity Index; more damningly, the Digital Quality of Life index ranks Australia 36th in the world for cybersecurity.

Slow adoption of cloud security, difficulties hiring cybersecurity professionals and gaps in government policy are all contributing factors. What’s more, both hostile nations and ordinary cybercriminals could see the recent breaches as an opportunity.

“The worry for Australia should be that nation-state actors may very well see Australia as a soft target,” says Information Security Media Group’s Jeremy Kirk. “If the workaday cybercriminals are having so much success now, Australia may be in for a rough run.”

The government is taking action, but there are concerns

The government acted quickly as news of the breaches broke, with Home Affairs Minister Clare O’Neil criticising Optus for “leaving the window open” and failing to protect customer data. An overhaul of privacy measures and increased penalties for businesses affected by serious breaches has also been announced. The reporting of cyber incidents is now mandatory for businesses in several sectors.

Cybersecurity professionals agree the government has a major role to play, but also want the freedom to manage their own incident response. “We want clarity on the role of government,” said one member of Mimecast’s Customer Advisory Board. “We don’t want them swooping in and taking over – there are some things they can help with, but other aspects they shouldn’t. It’s important that these scenarios are managed by the right people using the right processes.”

The debate over how far government oversight and control should extend into the private sector is ongoing, but it is clear that, given how much personal data private organisations hold about their customers, the security of literally millions of people is hanging in the balance.

Some positives can be drawn from the breaches

Despite this wave of breaches, it’s not all bad news in the security world. These incidents have also served as a wakeup call for many leaders, and we are seeing some positive changes happen at the highest levels of leadership in both public and private organisations.

Positives include:

1. More engaged boards that understand a breach’s impact on company profits and reputation. “The recent breaches have resulted in the Board being very supportive of our needs, knowing that we need to be as prepared as possible, because it’s a case of when, not if,” observed one Advisory Board member.
2. This shift in mindset is a huge advantage for CISOs, and it has led to budgets being unlocked for cyber insurance, better tools and new hires.
3. Deeper engagement of cybersecurity within organisations. That can include security being invited to departmental meetings, security KPIs being put in place across multiple teams and a renewed focus on awareness training, incident response plans and breach tabletop exercises.
4. The unification of the cyber community. “It never used to be this close,” said another board member. “We used to judge from the sidelines but now it’s on our shores and impacting us all.” There is also a growing openness to sharing learnings and information across the cybersecurity community, fostering a supportive cyber-aware culture across multiple sectors.
5. Increased impetus for ambitious new policies and measures, and for meeting standards like the General Data Protection Regulation (GDPR).

Do the basics right, and focus on incident response

It’s easy to get caught up in the doom and gloom, but it is also worth remembering that the majority of recent breaches have not been sophisticated. Companies that do the basics right, by securing APIs, staying on top of patching, enforcing MFA and building effective, multi-layered cybersecurity are at a much lower risk from such attacks – and those that prioritise incident response can bounce back faster, and make that cybersecurity nightmare feel like it was just a bad dream.