How to avoid joining Optus and Medibank on the cybersecurity walk of shame

John Davidson, Columnist

Another day, another revelation that Australian companies are chronically underinvesting in cybersecurity.

Today, it’s Medibank revealing that the damage wrought by its recent cyberattack is worse than it had previously stated, which in turn was far worse than Medibank’s prior update, which in turn was dramatically worse than Medibank’s first revelation on October 13 that it had suffered a cyberattack but that there was “no evidence that any sensitive data, including customer data, has been accessed”.

Who knows what tomorrow will bring? Does Medibank even have any data left that it’s yet to realise was exposed in the data breach?

Indeed, who knows what the next seven minutes will bring? That’s how often the Australian Cyber Security Centre (ACSC) now receives a report of another cybercrime attack, since (as the ACSC says) Russian crime gangs appear to be working with the Russian state to help fund the war in Ukraine.

What we do know is that the chronic underinvestment in cybersecurity has become an acute threat to Australian businesses and institutions.

But it’s not a new threat. Boardrooms around the country might only now be waking up to the importance of cybersecurity, but it’s a field that’s been around a long time, and much is known about what the threats are, and what to do to defend against them, and what to do when your defences fail.

What are the major cybersecurity threats?

Alastair MacGibbon, the former national cyber security adviser and head of the ACSC who is now the chief strategy officer at CyberCX, breaks the cyber threats into three broad categories, each one every bit as scary as the others: availability, confidentiality, and integrity.

Availability threats include ransomware and Distributed Denial of Service (DDoS) attacks. These are threats that cripple your technology infrastructure and grind your business to a halt.

And if your business is, say, running a hospital or the power grid, availability threats are the “nightmare scenario”, says MacGibbon, though it’s not a nightmare you get to wake from till the other two threats have also passed.

Confidentiality threats, meanwhile, can be characterised in two words: Optus, and Medibank. These involve some sort of data loss, either through exfiltration of data (which is what both Optus and Medibank have reported, and reported, and reported) or the physical loss or theft of data storage media.

Lately, says MacGibbon, cybercriminals have been combining the first two threats, exfiltrating data before they encrypt the victim’s copy of that data in a ransomware attack.

This is what appears to have happened in the Medibank breach. Medibank blocked the availability threat so the attackers fell back to the confidentiality threat instead, letting Medibank know they had downloaded the confidential medical records of Medibank customers.

All of that is bad enough, but add the integrity threat into the mix, and this is where whole systems can come unstuck.

Integrity threats are where some or all of the data held by a company or institution gets changed in ways that are hard to detect or remediate.

They range from disgruntled employees getting in and changing their leave balances, all the way up to nation-state actors rewriting the records of a major financial institution in an effort to cripple the entire economy.

Just as the first two threats are now often combined, it’s possible that the third threat could be added to the first two in a devastating attack: cybercriminals download your data, change all your copies of that data, and then encrypt all your copies, so that even when or if you recover from the availability and confidentiality attacks, you still don’t know what data you can trust.

MacGibbon says this triple threat isn’t happening yet, but when he contemplates the possibility, he does use the word “nightmare” a lot.

How can you stop a cyberattack?

We’ve asked a half dozen experts about what can be done to prevent a successful cyberattack, and they all said the same thing: you can’t.

But you can reduce the risk of an attack down to acceptable levels, and all the experts we’ve spoken to say this starts with one thing: data hygiene.

Inventory the data you have, including the “shadow IT” data being kept in an old Windows Server under the CFO’s desk. Destroy the data you don’t absolutely need for the operation of your business, and stop collecting it.

And then, says Kris Lovejoy, head of the global security and resilience practice at the world’s largest IT infrastructure services provider, Kyndryl, you triage what remains.

Calculate which system will cost you the most if it succumbs to a threat, counting the cost of regulatory fines, reputational damage and customer loss as well as the immediate cost of the business going offline, and start there.

Build up robust cyber defences around your most important assets first, and develop practices that routinely look for holes in those defences just in case someone in the company makes an error.

And someone will make an error, says Lovejoy. “In 99.9 per cent of the incidents that I’ve ever responded to, human stupidity has been a factor,” she says.

And if dealing with the big risks first means that the lowly marketing department’s systems are left relatively undefended until you can hire enough cybersecurity staff, then so be it. This is triage. Not everyone gets to live.

Or, as MacGibbon puts it, “There will always be blood loss. The only question is, how much blood?”

How can companies best defend against a cyberattack?

It turns out that putting up defences is only the first step in a cybersecurity three-step.

The dance goes like this: defend, monitor, react.

(In an era when cybersecurity experts are hard to find – Australia is expected to have a shortfall of roughly 30,000 skilled professionals in the next four years – for many companies this will be a partner dance, done together with a cybersecurity outsourcer which may, for instance, do the monitoring for them, having advised them which monitoring software to install at which points in the IT system.)

And the thing is, it’s not an easy dance to get right.

Monitoring, for instance, may involve keeping a detailed log of every query made against a corporate database, so that if someone does get through your defences, at least you know the “radius of the bomb blast”, as MacGibbon puts it.

(And knowing the radius of the damage is important, as we’ve seen in the Optus and Medibank cases, because it helps you communicate with stakeholders, minimising the reputational damage caused by the breach. It does you no good at all to tell your customers that their data was safe, only to turn around three weeks later and tell them, well, actually, your data is all over the dark web, and you should have cancelled your credit card three weeks ago.)

But now you not only have a database to defend, you also have a log to defend, because it, too, will almost inevitably contain sensitive data. What do you do? Keep a log of what data has been accessed in the log? Now you have another log to defend. Before you know it you’ll have logs upon logs upon logs, spiralling away into infinity, and that’s just one example of the tricky interplay between the steps in this dance.
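The logging dilemma above, where the log of every database query becomes a second sensitive asset, has a standard mitigation: record the shape of each query and keyed hashes of the identifiers rather than the values themselves, so the log can still answer “which records did this principal touch” without holding the customer data. The Python below is an added example written for this page, not code from the article or from any company it mentions; the table, column and member-id values are constructed, and the HMAC key is a placeholder.

```python
import hashlib
import hmac
import json
import re
from datetime import datetime, timezone

# Constructed key for this demo only (hypothetical); a real deployment loads it
# from a secret store and rotates it, so the log is useless without the key.
LOG_HMAC_KEY = b"constructed-demo-key-do-not-reuse"
# Matches single-quoted string literals (with '' escapes) and bare integers.
_LITERAL = re.compile(r"'(?:[^']|'')*'|\b\d+\b")

def normalise_query(sql):
    """Keep the query's shape (tables, columns, predicates) but replace the
    literal values, so a search for one customer is not replayed into the log."""
    return _LITERAL.sub("?", sql)

def pseudonymise(value):
    """Keyed hash of an identifier: still correlatable by an investigator who
    holds the key, but the log itself does not carry the raw id."""
    return hmac.new(LOG_HMAC_KEY, value.encode(), hashlib.sha256).hexdigest()[:16]

def audit_record(principal, sql, row_ids):
    """One audit entry: who ran what shape of query and which records it
    touched, with literals and raw identifiers kept out of the log."""
    return {
        "ts": datetime.now(timezone.utc).isoformat(),
        "principal": pseudonymise(principal),
        "query_shape": normalise_query(sql),
        "rows_returned": len(row_ids),
        "records": sorted(pseudonymise(r) for r in row_ids),
    }

def blast_radius(entries, principal):
    """Once a credential is known to be compromised, return the pseudonymised
    records that principal touched: the radius of the damage."""
    wanted = pseudonymise(principal)
    touched = set()
    for entry in entries:
        if entry["principal"] == wanted:
            touched.update(entry["records"])
    return touched

if __name__ == "__main__":
    # Constructed sample activity, not real data.
    log = [audit_record("svc-reporting", "SELECT name, dob FROM members WHERE postcode = 2000", ["M-1001", "M-1002"]),
           audit_record("analyst-1", "SELECT * FROM members WHERE name = 'Jane O''Brien'", ["M-2001"])]
    print(json.dumps(log, indent=2))
    print(len(blast_radius(log, "svc-reporting")), "records touched by svc-reporting")
```

The log still needs protecting, but what it leaks if stolen is query shapes and opaque hashes, and the key that makes them meaningful lives elsewhere.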

But dance it you must. Put up walls around your IT systems. Monitor those walls for weaknesses, and monitor inside the walls for signs of infiltration. Put plans in place to fix weaknesses when they are found, and put plans in place to shut off an attack when it’s discovered.

How much does it cost to prevent a cyberattack?

All this costs money, of course, and for many businesses it will involve spending more than they’re already spending, for the simple reason that many businesses invest only in step one (defending) and not enough (or nothing at all) in the ongoing costs of monitoring their systems (step two), and of having internal or outsourced experts on call who can step in when a breach has been detected (step three).

We’ve asked quite a few experts how much of an IT budget should be spent on cybersecurity, and they’ve all equivocated. How sensitive is the data? How many legacy systems are there in the IT system, and how have they been modernised? How long is a piece of string?

But there is one rule of thumb everyone agrees on. When you’re calculating how much it will cost you to put in place a proper cybersecurity plan, first ask yourself this question: how much will it cost you to not put in place a proper plan?

Cybersecurity is an existential issue now. As the privacy expert Anna Johnston told us, if you can’t afford to defend your data against cyber threats, then you probably shouldn’t be in business in the first place.

John Davidson is an award-winning columnist, reviewer, and senior writer based in Sydney and in the Digital Life Laboratories, from where he writes about personal technology. Email John at jdavidson@afr.com