Cyber criminals don’t stand still, and neither do the people who protect organisations against them. We caught up with six analysts and security experts to ask them about the current risk factors in Australia and New Zealand.
We asked each person four questions – and got more than 8,000 words of transcript in response. What follows here is a representative selection of their answers to those questions. It makes for interesting and sobering reading.
What are the main cyber crime risks in Australia and New Zealand at the moment?
Jason Ha, national manager, security practice, at Dimension Data, says: “Previously, we might have seen solo skilled hackers with a fair amount of know-how. Now it’s more like a sophisticated marketplace, in which anyone can reasonably easily buy cyber crime services. Now we have a scenario where they are innovating, with quite advanced online presence, impressive websites and 24/7 customer support. They almost look like Amazon, with rating systems, feedback, commentary. It’s a professional marketplace and we’re seeing highly targeted spear phishing attacks come out of it.”
According to Anne Robins, research director at Gartner, from a topical point of view, ransomware is getting a lot of interest. “That’s especially so in the SME [small to medium-sized enterprise] market, perhaps more than for larger organisations. Australia is the second most commonly attacked country after the US for ransomware now. This is starting to get picked up and generate a level of interest, but those who are more likely to be hit aren’t the ones that are aware of the risk.”
Charles Lim, senior industry analyst for information and cyber security Asia-Pacific at Frost & Sullivan, agrees: “An estimated 50-60% of the globally generated attacks [using] ransomware were detected in Australia.”
For Bryce Boland, Apac CTO at cyber security firm FireEye, the risk is primarily data theft. “What’s reported tends to be high-visibility attacks, such as DoS [denial of service], extortion, attacks against consumers. But the actual risks are much more insidious, such as large-scale data theft,” he says.
“Spear phishing targeting is now at a very high level, using reconnaissance, LinkedIn profiles, social media posts, etc. These provide a mine of information for an attacker, who can then build a ruse around it, offering weaponised content apparently from someone the target trusts,” he adds.
“People still think it’s malware that’s the problem. But that’s not true at all. A soldier might have a gun, but might also have a knife, grenades, the ability to call in an airstrike, and so on. The attacker has a range of tools, and they’ll use whichever tool is appropriate.”
Who’s winning: the hackers or the businesses and those who protect them?
Dan Miller, country manager ANZ at Splunk, says: “It feels like a progressive stalemate, iterating back and forth, where organisations have been in the habit of being reactive and responsive – only reacting when something is known as a bad thing, to prevent it happening. I think, therefore, you’re always on the back foot. But what we are seeing is a shift increasingly around advanced threat protection, an element of predictive analytics. People get wildly carried away with that, and machine learning, but there is increasing maturity around security now.”
Dimension Data’s Ha says: “If you’re going to take an objective snapshot, it appears the bad guys are winning at the moment. That’s because the mindsets are different. The businesses (good guys) haven’t really caught up with the mindset of the bad guys. A lot of what we’re doing is education and awareness. Specifically trying to educate executives, boards, even security teams in organisations, about how sophisticated the bad guys are. Once armed with that thought process, they can improve the effectiveness of their defences.”
FireEye’s Boland says you can’t prevent every breach. “It’s just not possible,” he says, “but you can re-define what winning is. Look at what you can do that stops the attacker achieving their objective and prevents impact on the business. Usually an attacker has some mission in mind. They want to steal your corporate secrets, credit card details, customer lists or IP. If you can prevent them getting the stuff that lets them fulfil their mission, you’ve won.”
Phillip Simpson, principal consultant at Dell SecureWorks, says: “As one of the richest, least regulated, English-speaking countries in the world, Australia is front and centre for well-researched hackers – but you wouldn’t know it from the big breach notifications. Unfortunately, the main risk is lack of security awareness in the boardroom.”
What’s the key issue for an organisation in this region trying to identify and prevent cyber crime?
“The most common thing is that there’s a skills shortage,” says Splunk’s Miller. “Organisations know they need to do this, need to be better at it. It has visibility at senior levels, but it’s very difficult to find security analysts with the skills required.”
Gartner’s Robins says: “At the smaller end they just don’t have the resources and expertise, and where they are successful is where they’ve outsourced that to a managed service provider, or a cloud computing environment that does it for them.”
Dell SecureWorks’ Simpson says: “Many Australian companies are doing the bare minimum to survive. Security here is seen as defensive action versus a competitive advantage. Without doubt Walmart sees a competitive advantage that it didn’t get breached and suffer the brand damage that Target did. Investing before a breach is far less costly than trying to recover from a breach.”
FireEye’s Boland says: “By and large it’s still a lack of awareness of large-scale data theft. Unfortunately today we find most organisations that we talk to have been compromised and don’t even realise it.”
Dimension Data’s Ha says: “Taking an asset protection-oriented approach, not a threat-based or attack-based one. Understanding what an asset is worth to the criminals, not just to the organisation. The value might be very different. Also, 79% of businesses out there don’t have a proper incident response and incident management process. That’s usually what damages the organisation rather than the attack. Most organisations will be attacked – it’s how they respond that’s important.”
Will companies in Australia and New Zealand have to reduce staff freedom and connectivity to increase security?
According to FireEye’s Boland, as soon as security becomes a business disabler it tends to get turned off. “There are few organisations where you can put in place very obtrusive controls. So don’t lock down completely – trust, but verify, and use better intelligence,” he says.
Splunk’s Miller says: “There is always an element of risk, and we could lock everything down and make it utterly secure, but that would prevent us interacting with our customers and working in any way. So we have to give people access to certain things, but take a balanced view of the appropriate level of risk we can tolerate.
“We have to determine the right form of governance for internal and external behaviour management, and watch the things that are unusual. Behaviour analysis is becoming really important. What does a system, a user, an application that’s normal and expected actually look like? Once you understand that, you can identify things that are unusual.”
Dimension Data’s Ha says: “No doubt some organisations will become gun-shy and might move to more draconian approaches of lock-down. But any organisation that does that will probably not survive. The need for agility and cost reduction is being met by technology. So putting a full-scale ban on cloud or mobility is really not going to work.”
Gartner’s Robins says: “It depends. We’re not seeing companies reducing access, but strong efforts are being made to understand what access there is, to put in place the right sorts of policies so that employees understand acceptable usage. There’s also a much stronger reliance on monitoring. Not preventing users from doing things, but keeping an eye on what they actually are doing.”
According to Dell SecureWorks’ Simpson, employees are almost always the entry point in every major breach. “When restrictions come in, people feel constrained, but eventually understand and see the benefits. For the company, it’s about risk management. Gradually those security measures evolve and become easier to live with.”
What stands out here is that Australia, in particular, is a country highly targeted by cyber criminals; that many organisations have been breached (even if they don’t know it); and that few organisations have the resources to counter all threats.
On the plus side, more organisations are becoming aware of the risks they face – even at board level. Progress is being made.
But there’s a long way to go. Whereas an average business might spend 5-10% of its IT budget on defence, the cyber criminals are spending 100% of theirs on attack. The weaponry may change, but the battle goes on.
Alex Cruickshank has been a technology journalist since 1994. He grew up in England and moved to New Zealand a few years ago, where he now runs his own writing agency, Ministry of Prose.
This was first published in August 2015