In recent days, there has been so much news about data breaches and cyberattacks.
One of the most impactful in recent memory is the Medibank hack. It feels like there is a sudden surge of attacks on Australian organisations. That begs the question: have hackers discovered that Australian organisations are not well prepared for cyberattacks?
A decade ago, data breaches that targeted financial institutions for financial gain were mostly perpetrated by script kiddies or lone actors. These days, the perpetrators are state actors and organised crime groups, people with time on their hands who spend entire days attempting to find the weakest link in an organisation. Security breaches have moved beyond merely causing financial loss for the organisations affected to exfiltrating personal and sensitive information for sale on the dark web. This was the Medibank nightmare.
Australian authorities are now taking serious action
In view of the size and nature of these recent breaches, the Australian Government has swiftly proposed changes to legislation, increasing the fines on organisations that do not reasonably protect citizens’ personal information and granting the Australian Information Officer greater authority to act. This is just the beginning: privacy laws are being revisited, and greater responsibilities are being imposed on organisations to protect the personal and sensitive information entrusted to them by citizens.
There is no doubt that we should all be concerned about the speed at which hacktivism and cyber threats have increased. It’s beginning to feel like a revolution, no longer an evolution. Do you know what your organisation’s security posture is, or where your security threats and risks lie? Would you know when you are being attacked by hacktivists, and are you well prepared to respond to an actual cybersecurity attack or breach?
Time to act against cyber threats – not react
I believe the time for action is now. It is time to get a full picture of:
- what information you are collecting, processing and storing
- where that information is
- where it is located
- how it is protected
- who has access to it
- when it is being accessed
What does this mean? For example, your organisation’s human resource information system (HRIS) has been outsourced to a third party. As far as you know, you log into the HRIS through the third party’s web portal, and you are simply using the system to key in the personal and sensitive information of your organisation’s staff. The question is: if there is a breach of this system, to what extent would your organisation be accountable or responsible for the breach of that information?
In our experience, most organisations assume that it would not be within their remit, since it’s the third party that provides the platform and the platform is not located on the organisation’s premises. In reality, however, your organisation is the one that has been entrusted to collect the information. Ultimate accountability for it rests with your organisation, even if you have outsourced responsibility for it. Therein lie the questions: do you know where the data is, who is accessing it and how it is protected? You need that oversight in order to be accountable for it.
We have worked with clients to help them understand the breadth of information across their supply chain, ensuring that responsibility for information is not lost between their organisation and the third and fourth parties to whom it is outsourced. From there, we are able to assess the security posture and risk between the organisation and its mission-critical third and fourth parties. This gives oversight of the risks and potential threats within the information flow.
So, I do believe this is the time: the time to revisit your supply chain risks and to take a proactive approach to understanding the threat landscape, the risks posed to your organisation by your current security posture, and the information outsourced to third and fourth parties. It’s time to take the reins of the data that sit within your company walls and the data outsourced to third and fourth parties. Calculate the risk, minimise the gaps, know your information and own your information before the total loss of data overshadows the total cost of security investment.
Lumen’s Connected Security practice is built on the mission statement of “See More, Stop More”. We pride ourselves on being an extended cybersecurity arm that supports or augments your IT or cybersecurity capabilities. Combating hacktivism is a job for the collective. Our Security Advisory Consulting team offers you the opportunity to gain an understanding of your cybersecurity resiliency and your third and fourth party risk, and to improve your security posture through risk mitigation measures commensurate with your risk appetite.