SMEs should be on high alert for cyber threats
Businesses have been urged to boost self-defence measures and cyber security awareness in the wake of the Optus data breach.
Editor's note: this story originally appeared on Lawyers Weekly’s sister brand, Cyber Security Connect.
Dr Thompson — who was the first head of Information Warfare for the Australian Defence Force and is now on ParaFlare’s board as a non-executive director — told Cyber Security Connect that “intuitively”, he would advise professional services businesses to be on alert for criminal cyber activity rather than state-sponsored activity.
However, “the threat is the threat is the threat” regardless of its source, and there is no one-size-fits-all assessment of the potential threats facing businesses, he warned.
“[The nature of the threat] doesn’t change your approach to cyber security,” he said.
Dr Thompson recommended a three-pronged defence system against cyber attacks for businesses.
The first is self-defence, which would require practitioners to educate their employees to increase awareness and embed a culture of caution.
The second is passive defence, where system administrators assess how well businesses are complying with the mitigation strategies developed by the Australian Signals Directorate (ASD) and the Australian Cyber Security Centre (ACSC), which aim to prevent attackers from compromising systems.
Known as the “essential eight”, these strategies include:
- application control;
- patch applications;
- configure Microsoft Office macro settings;
- user application hardening;
- restrict administrative privileges;
- patch operating systems;
- multi-factor authentication; and
- regular back-ups.
“[It’s about] having all of those self-defence measures, and [increasing] your awareness. Don’t be that person who clicks on the link in a phishing email. Don’t be that person who finds a USB stick in the carpark, and out of idle curiosity, plugs it into the system,” Dr Thompson warned.
Understand your assets very quickly
Mr McCarthy advised business owners to focus on the fundamentals of cyber security by understanding what assets they own and the software that operates within their environment.
“If you don’t understand those two things, get really, really familiar with them really quickly,” he warned.
“Understand your systems, understand the way in which they communicate. Then you can go about protecting them.”
Once business owners do this, they can then extrapolate how their applications and software communicate across all the assets, he added.
The security breach at Optus — the second-largest telecom company in Australia — came to light on Thursday, 22 September, when it was discovered that the personal information of around 10 million of its customers had been disclosed, including names, dates of birth, phone numbers, email addresses and, in some cases, driver’s licence, passport and Medicare numbers.
While law firms including Slater and Gordon and Maurice Blackburn investigate a data breach class action and other legal claims against Optus, there have been reports that the breach allegedly occurred after Optus left an application programming interface (API) to its customer database open, without requiring authorisation or any type of authentication.
An API is an interface that allows machines to talk to each other, exchanging and transferring information without needing human-readable formats, and that allows users to retrieve information, according to Mr McCarthy.
APIs must provide availability, integrity and confidentiality, with Mr McCarthy noting that failures occur where an API is not confidential or not connected.
“From all the reporting, the [Optus] API was either exposed by happenstance, or by poor design, poor control, or human error. We don’t know,” he said.
“Regardless, if you have access to an API at certain levels, you can do a lot of things with it. It’s very, very powerful.”
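The reported defect, an API to a customer database that requires no authentication and no authorisation, is easiest to understand next to its fixed form. The following is an added example, not code from the article, from Optus or from Mr McCarthy: a minimal request handler in plain Python with a constructed customer table and constructed tokens. `vulnerable_lookup` returns any record to any caller; `hardened_lookup` first authenticates the caller (a valid bearer token) and then authorises the request (the caller may only read the record the token was issued for). The paths, field names and token values are all assumptions for illustration.

```python
"""Added example (not from the article): an unauthenticated customer-record
API beside a hardened version that enforces authentication and authorisation.
All customer data, ids and tokens below are constructed placeholders."""
import hmac
from typing import Dict, Optional, Tuple

# Constructed sample customer database, keyed by customer id (not real data).
CUSTOMERS: Dict[str, Dict[str, str]] = {
    "1001": {"name": "Alice Example", "dob": "1990-01-01", "licence": "PLACEHOLDER-LIC-1"},
    "1002": {"name": "Bob Example", "dob": "1985-05-05", "licence": "PLACEHOLDER-LIC-2"},
}

# Constructed token store: bearer token -> customer id it was issued to.
# A real service would validate short-lived signed tokens from an identity
# provider instead of keeping a static table like this.
ISSUED_TOKENS: Dict[str, str] = {
    "tok-alice": "1001",
    "tok-bob": "1002",
}

Response = Tuple[int, Optional[Dict[str, str]]]


def _customer_id_from_path(path: str) -> str:
    """Take the trailing path segment of e.g. /api/customers/1001 as the id."""
    return path.rstrip("/").rsplit("/", 1)[-1]


def vulnerable_lookup(path: str, headers: Dict[str, str]) -> Response:
    """Mirrors the reported defect: the request headers are never inspected,
    so any caller on the network can read any customer's record by id."""
    record = CUSTOMERS.get(_customer_id_from_path(path))
    if record is None:
        return 404, None
    return 200, record


def _authenticate(headers: Dict[str, str]) -> Optional[str]:
    """Return the customer id bound to a valid bearer token, else None."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    presented = auth[len("Bearer "):].encode()
    # Constant-time comparison so token checking does not leak timing information.
    for issued, owner in ISSUED_TOKENS.items():
        if hmac.compare_digest(issued.encode(), presented):
            return owner
    return None


def hardened_lookup(path: str, headers: Dict[str, str]) -> Response:
    """Authentication: a valid token is required (401 otherwise).
    Authorisation: the caller may only read the record their token was
    issued for (403 otherwise), so ids cannot be used to read other customers."""
    caller = _authenticate(headers)
    if caller is None:
        return 401, None
    customer_id = _customer_id_from_path(path)
    if customer_id != caller:
        return 403, None
    record = CUSTOMERS.get(customer_id)
    if record is None:
        return 404, None
    return 200, record


if __name__ == "__main__":
    # Anonymous request: the vulnerable handler discloses the record,
    # the hardened handler rejects it.
    print("vulnerable, no token:", vulnerable_lookup("/api/customers/1002", {}))
    print("hardened, no token:  ", hardened_lookup("/api/customers/1002", {}))
    # Authenticated as Alice, asking for Bob's record: denied.
    alice = {"Authorization": "Bearer tok-alice"}
    print("hardened, wrong owner:", hardened_lookup("/api/customers/1002", alice))
    print("hardened, own record: ", hardened_lookup("/api/customers/1001", alice))
```

The point of the two handlers is that authentication alone is not enough: a caller holding a valid token for one account must still be refused another account's record, which is the authorisation check the article says was missing alongside authentication. A practitioner reviewing an API would also check that the response returns only the fields the caller needs rather than the whole record.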
Because APIs are present in every business that uses technology and securing them is complex, understanding the inherent risks is critical, Mr McCarthy flagged.
“A business can’t operate in a vacuum and not assess their own risk,” McCarthy said.
Consulting other industry professionals and peers about their cyber security practices and how secure their APIs are would be helpful for business owners, he advised.
Businesses with chief information security officers should consult their peers to gain a deeper understanding, exchange ideas, and potentially adopt their practices where appropriate, he added.
“Talking with peers in the community, leveraging experts … and people in the field is really important,” he concluded.