Minister for Home Affairs releases ransomware paper by Cyber Security Industry Advisory Committee
March 22, 2021 |
When in doubt set up a committee. Beyond meeting a committee should prepare a paper. The Cyber Security Industry Advisory Committee is no different. The Minister for Home Affairs announced the establishment of the Committee on 20 October 2020. Its specific role is to help guide the introduction of Australia’s Cyber Security Strategy 2020 which was announced on 6 August 2020.
The Committee has prepared a paper on Ransomware, Locked Out: Tackling Australia’s ransomware threat which was released by the the Minister for Home Affairs, Peter Dutton MP on 10 March 2021.
Even though Ransomware has been a favoured weapon by cyber criminals for some time the problem is now chronic. As an example only, yesterday the BBC reported in Russian pleads guilty to Tesla ransomware plot where a Russian offered a Tesla employee a million dollars to infect the company with ransomware.
The report is a not bad summation of the current situation and what businesses can do to avoid an attack and remediate damage caused.
Some useful points include:
- Ransomware attacks increasingly involve the exfiltration of data by the attackers which is then used to extort a ransom. The data is often released by attackers on public or dark web sites.
- in the three months of April to June 2020 alone, there was a 65 per cent increase in cyber security incidents, at an estimated $7.6 billion cost to business for the financial year.
- Weaknesses in an organisation’s website and web-based applications can also be a path to network access, particularly if web applications are misconfigured or the systems that support them are not kept up to date
- Early detection of a ransomware attack is paramount to minimising impact, but continuous incident detection and response capabilities may not extend to legacy systems
- businesses need to focus on:
- Email security
- Multi-factor authentication for email
- Keeping software up to date
- Employee Training
- Back-ups
- Data lifecycle management
- Built in security features
- cyber insurance iosone component of a holistic cyber security program, not as a replacement for one
- the decision to pay or facilitate payment of a ransom is complicated as the legal position is unclear. At worst, payment of these amounts may be unlawful and involve committing a criminal offence. Under the Criminal Code Act, it is an offence to “deal with” money or other property if: (a) there is a risk that the money or property will become an instrument of crime, and you (b) are “reckless” or “negligent” as to the fact that the money or property will become an instrument of crime.
- there are strict obligations to notify various regulators of data breaches and cyber security incidents, including obligations under the Privacy Act, the Australian Prudential Regulation Authority (APRA) Prudential Standard CPS 234 and the EU’s General Data Protection Regulation (GDPR).
- Under the Corporations Act and the ASX Listing Rules, listed companies must notify the ASX of ‘market sensitive’ information immediately –that is, information that would, or would be likely to, influence investors in deciding whether to acquire or dispose of securities.
The paper concludes with the key questions:
- What data is valuable to your organisation? Who would your organisational data be valuable to? What data would cause your organisation damage if you lost access to it?
- Where is your data stored? Onshore, offshore or in the cloud? What arrangements are in place to ensure storage is secure?
- How secure are your service providers (and the arrangements in place to ensure security) and have they shared your data with other third parties?
- Who is protecting your data and how is it being protected? What security systems currently exist?•How prepared are you to respond to any breach? Do you have a breach response plan in place? One that aligns all parts of our business (technology, PR, comms, legal, regulatory, etc)?
- What is your position on ransom demands? Are you clear on your legal position and your fiduciary obligations?
For practitioners in this field there is not much new set out the paper. That said, any resource that highlights the problem and ventures an even general solution, or at least a road to a solution, is welcome.