2023 was a year in which cybercrime continued to dominate headlines, with major breaches affecting millions of Australians. With cyber security now front of mind, Australian businesses and the government are taking significant steps to uplift the nation’s cyber resilience. In this article, we’ll review some of the high-profile security breaches that occurred in 2023 and explore what the government is doing to improve cyber security strategy, manage risk and better support Australian businesses and individuals into 2024 and beyond.
LATITUDE FINANCIAL SERVICES CYBER INCIDENT UPDATE
In March 2023, Latitude Financial Services, a major consumer lender in Australia and New Zealand, experienced a significant cyber incident. Hackers gained access to the company's systems and stole a large amount of personal information from customers, past customers, and applicants. Initially, Latitude reported that around 100,000 identification documents and 225,000 customer records were affected. However, in a later update, they revealed that the data breach impacted a staggering 14 million customer records, including email addresses, passport numbers, financial statements and more.
Latitude took immediate action to contain the attack and shut down its systems, and refused to pay the demanded ransom. The company has also been working with authorities and cyber security experts to investigate the incident and mitigate the risks, and has set up a dedicated website and helpdesk to provide support to affected individuals.
THE QUEENSLAND UNIVERSITY OF TECHNOLOGY CYBER INCIDENT UPDATE
The Queensland University of Technology (QUT) faced a significant cyber security incident in July 2023, impacting its systems and exposing the personal information of staff, students, and applicants. After detailed forensic analysis, QUT established that cybercriminals accessed a number of files on an internal storage drive. In total, 11,405 people were impacted, with the exposed information including bank account numbers and tax file numbers.
The first stage of QUT’s response was to reset all passwords, introduce additional verification steps and repair and restore affected systems. The university also implemented additional monitoring and validation mechanisms. Meanwhile, all individuals impacted by the data breach were notified and offered counselling. Moving forward, the university has emphasised its commitment to data security and encourages good cyber hygiene among everyone involved.
WHAT THE AUSTRALIAN GOVERNMENT IS DOING TO STRENGTHEN CYBER RESILIENCE
As the sophistication and scale of cyber incidents affecting Australia have continued to increase throughout 2023, safeguarding critical infrastructure and sensitive data has become more important than ever. As such, the Australian government is taking proactive measures and starting initiatives to strengthen the country’s cyber resilience and safeguard both public and private entities. The following are some of the policy frameworks, initiatives and collaborative partnerships that are working together to build the nation’s cyber defences:
1. Australia’s 2023-2030 Cyber Security Strategy
The 2023-2030 Australian Cyber Security Strategy is a comprehensive roadmap towards becoming a global leader in cyber resilience by 2030. This ambitious vision rests on six powerful "Cyber Shields," each designed to fortify a critical aspect of the nation's cyber defences:
- Shield 1: Strong Businesses and Citizens - focusing on empowering individuals and businesses to navigate the online world safely. It involves widespread cyber hygiene training, accessible security solutions for small businesses, and robust community protection against scams and phishing attacks.
- Shield 2: Safe Technology - aiming to tackle the root of many threats and secure technology across the board. Under this shield, the government plans to make investments in secure hardware and software, employ stricter industry standards, and focus on protecting the supply chain from vulnerabilities.
- Shield 3: World-Class Threat Sharing and Blocking - aiming to achieve seamless information sharing between government agencies, businesses, and international partners, coupled with cutting-edge intrusion detection and blocking systems.
- Shield 4: Protected Critical Infrastructure - prioritising robust defences for essential services, including vulnerability assessments, incident response plans, and continuous monitoring.
- Shield 5: Sovereign Capabilities - developing local expertise in cyber technology, cryptography, and incident response and reducing dependence on foreign solutions.
- Shield 6: Resilient Region and Global Leadership - focusing on assisting Australia’s neighbours, sharing best practices, and contributing to international efforts to combat cyber threats.
2. The Australian Critical Infrastructure Annual Risk Review
The Australian Critical Infrastructure Annual Risk Review assesses and analyses risks to vital sectors, ensuring a comprehensive understanding of potential threats and vulnerabilities. The 2023 review paints a sobering picture of the evolving cyber risks facing Australia's vital infrastructure; growing threats include:
- Sector Interdependence - critical infrastructure systems are rarely self-sustained; attacks on one sector can ripple across others, causing cascading disruptions.
- Cyber/Information Threats - from sophisticated malware to ransomware attacks, cyber threats are ever-evolving, with hackers targeting operational technology directly or exploiting information systems to gain access.
- Supply Chain Vulnerabilities - global supply chains present weak links; compromised components or software updates can introduce hidden vulnerabilities into critical infrastructure systems.
- Physical Threats - disruption of crucial physical infrastructure, like dams or transportation networks, can have devastating consequences.
- Natural Hazards - climate change and extreme weather events pose additional risks; floods, fires, and cyberattacks can combine to create complex emergencies.
- Personnel Vulnerabilities - human error and insider threats remain a concern; phishing attacks, disgruntled employees, and lack of cyber security awareness can all provide openings for attackers.
The Critical Infrastructure Annual Risk Review also offers practical insights for risk mitigation:
- Separation of IT and OT - implement physical and logical separation between information technology (IT) and operational technology (OT) systems to limit the potential damage from cyberattacks.
- Interdependency Awareness - carefully analyse and understand the interdependencies between critical infrastructure sectors to enable better planning and coordinated response efforts in case of disruptions.
- Supply Chain Analysis - scrutinise all components and software within critical infrastructure systems, mapping potential vulnerabilities and implementing proactive security measures.
- Personnel Education - invest in ongoing cyber security awareness training for all personnel involved in critical infrastructure operations.
- Constant Monitoring and Updating - employ robust monitoring systems, conduct regular risk assessments, and maintain infrastructure with the latest security updates to stay ahead of evolving threats.
THE AUSTRALIAN SIGNALS DIRECTORATE CYBER THREAT REPORT
The ASD (Australian Signals Directorate) Cyber Threat Report provides insights into evolving cyber security threats, tactics, and vulnerabilities. The 2023 report serves as a stark reminder of the constant barrage Australians face and underscores the necessity of collective efforts to strengthen our defences. Some of the key takeaways include:
- Surge in Cybercrime - nearly 94,000 cybercrime reports were submitted, a staggering 23% increase compared to the previous year. This translates to roughly one report every six minutes, highlighting the prevalence of the issue.
- Individuals Face Fraud - identity fraud, online banking fraud, and online shopping fraud top the list of threats faced by individuals, comprising over half of all reported cases. These scams exploit anxieties and vulnerabilities, emphasising the need for heightened awareness and robust online security practices.
- Businesses Face Sophisticated Attacks - businesses grapple with different threats, with email compromise, business email compromise (BEC), and online banking fraud leading the pack. These sophisticated attacks target vulnerabilities within organisation structures and communication channels, demanding robust security protocols and employee vigilance.
- Escalating Costs - the average cost of cybercrime jumped by 14%, signifying the growing financial impact of these attacks on individuals and businesses alike. This reinforces the importance of adopting preventative measures to minimise potential losses.
THE AUSTRALIAN PRUDENTIAL REGULATION AUTHORITY STUDY
The Australian Prudential Regulation Authority (APRA) is the regulatory body overseeing the financial services industry in Australia. APRA offers several key insights to equip boards, management, and businesses to harness the power of data while minimising risk:
- Unified Data Governance - establish a single point of control for data to set clear policies, define ownership, and ensure consistent practices across the organisation. This includes a focus on regulatory compliance, aligning data practices with privacy laws, and staying current with any updates in regulatory requirements.
- Defined Roles and Responsibilities - clearly define roles and responsibilities for data management and empower data owners to feel accountable for data accuracy and security. This includes implementing measures for data privacy and security, such as encryption methods and access controls, in alignment with industry standards.
- Simplify the Technology Landscape - streamline technology infrastructure by consolidating platforms, eliminating redundancies, and implementing user-friendly interfaces. Consider discussing emerging technologies like artificial intelligence, machine learning, or blockchain, and how they may impact the technology landscape in financial institutions.
- Identify Critical Data Elements - recognise vital information underpinning operations and decision-making. Prioritise the quality and security of critical data elements, ensuring compliance with data protection regulations and addressing potential vulnerabilities.
- Monitor Data Quality - implement robust data quality monitoring systems to proactively identify and address issues. This includes incorporating measures for ongoing compliance with regulatory standards and ensuring data privacy and security through effective monitoring.
- Integrate Data Management into Risk Frameworks - embed data management seamlessly into the overall risk management framework. Utilise data-driven insights to inform risk assessments, track risk mitigation efforts, and make informed decisions. This also involves fostering collaboration and communication between different departments to enhance the effectiveness of risk management efforts.
HOW TO PROTECT YOUR BUSINESS
Cyber security is a shared responsibility. Each of us has a role to play in safeguarding our critical infrastructure and ensuring a secure future for Australia. By working to protect your business, practising good cyber hygiene and taking proactive risk mitigation steps, you can not only reduce your risk but help to build a more secure and resilient online environment for all Australians. And remember, when it comes to cyber security, prevention is always better than cure; the best defence is to:
- Continuously assess your security posture
- Introduce a culture of security
- Test your defences through security assurance engagements
- Build a comprehensive incident response plan
- Build a security improvement roadmap
At Infotrust, we are perfectly placed to assist you with all your cyber security responsibilities to mature your security posture over time and mitigate the risks of a cyber incident. If you would like to improve your cyber resilience, contact the experts at Infotrust for a security planning session.