Dan is a 20 year veteran of the ICT industry working for global and local vendors in bringing new and innovative technologies to market in the ANZ region. During his career, Dan has been passionate about bringing a local voice and insights to global technology challenges. As the Editor of GetCyberResilient.com Dan casts a keen eye across the hot topics, trends and pulse of local security practitioners to curate stories from near and far that are most impactful in addressing our evolving risks.
Think state-based actors won’t target your business? Think again
It’s a pretty unequal contest: the IT resources of a nation-state versus those of your business.
But that’s the reality behind Prime Minister Scott Morrison’s announcement that Australian organisations are being targeted by “a sophisticated state-based cyber actor.”
The Prime Minister made no comment on the possible motivation of this threat actor, and you might think no nation-state could have any motivation to attack your business. Unfortunately, the motivations of some nation-states are no different from those of any other cyberattacker: they are purely financial. Any personal or financial data can be valuable, and public-facing organisations or those involved with infrastructure, like healthcare, are particularly vulnerable.
How to lower your risk profile
Unequal though this contest may be, there is a lot you can do to protect your organisation from such threats. Many of the most effective measures are simply good cybersecurity practices, but one specific measure you can take is to avoid using any IT technology from a nation suspected of perpetrating attacks. Make sure any devices or digital services you use are reputable and have been independently verified for security.
Get cyber-assessed and get insured
While it won’t protect you from an attack itself, one measure that could significantly mitigate the risk is to make sure your cyber insurance policy does not contain exclusions for attacks by nation-states. Cyber threat insurance policies can be very complex, with many exclusions that are hard to identify. So it’s best to get professional advice to make sure you understand exactly what you are covered for.
Patch your software regularly
The Prime Minister also pointed to some specific guidance on how Australian organisations could protect themselves, which was released in the form of a technical advisory produced by the Australian Cyber Security Centre (ACSC) and the Department of Home Affairs.
The advisory detailed “a sustained targeting of Australian governments and companies by a sophisticated state-based actor.” ACSC called these attacks ‘copy-paste compromises’, noting they relied heavily on tools copied almost identically from open sources.
The advisory also observed that these threat actors were exploiting vulnerabilities in unpatched versions of Telerik UI, a deserialisation vulnerability in Microsoft Internet Information Services (IIS), a 2019 SharePoint vulnerability and the 2019 Citrix vulnerability. Fixes and patches for all of these vulnerabilities are available, so make sure you apply them and keep the affected software up to date.
Nurture good cyber-habits
The Australian Strategic Policy Institute (ASPI) described Morrison’s announcement as being “remarkably content-free”, saying it had been designed to send a message to two different audiences.
“To all Australians, particularly those involved in decisions regarding cybersecurity, the message was: ‘Cybersecurity is important, we need to improve, and we all need to be wary of capable and determined adversaries.’ Chief information security officers should be using this press conference to push for more resources.”
In other words, as I said at the start, the best protection against nation-state-based cyber threats is simply well-rounded cybersecurity, which includes technology, policies, practices and awareness.
And the best way to beef up your cybersecurity is to build up awareness within your organisation. According to a 2017 study by IBM and the Ponemon Institute, human error is involved in more than 90% of security breaches.
Effective employee security awareness training that focuses on modifying behaviour and cyber hygiene can greatly reduce your chances of being compromised. At a time when more workers than ever before are working remotely, good cyber habits can make all the difference when it comes to securing your organisation.