On 29 July 2015, the Australian Cyber Security Centre (ACSC) released its first unclassified Threat Report aimed at informing all Australian organisations of the importance of ensuring they are adequately protected against cyber threats.
While 'cyber risks' are an emerging threat for Australian organisations, it is important to note that the threats generally reported in Australian media are those that aim to attract media attention through business disruption and vandalism directed at an organisation's website or information security measures. See, for example, the recent hack of the Ashley Madison website (a company that markets itself as the 'world's leading married dating service for discreet encounters' and offers a '100% discreet service'), carried out with the intent of publishing the details of the website's customers.
The Report aims to advise Australian organisations that cyber threats are far more complex, intricate and commonplace than those reported in the media. The Report:
- characterises and identifies the attackers ('cyber adversaries') that are usually responsible for making cyber threats and the reasons driving such threats. Cyber adversaries range from individuals who are solely after media attention through to cyber criminals and terrorists who commit acts that are equivalent to an armed attack/an act of war;
- identifies the tools used to carry out such cyber threats (and the likelihood of such tools becoming more sophisticated over time);
- identifies future trends in cyber threats in Australia, based on threats reported to the ACSC;
- reiterates the importance of properly assessing your organisation's needs. This is not something that should be left to your IT department; rather, it is something that your organisation's board should look at;
- outlines the importance of properly reporting each cyber threat incident to both ACORN (specific to cybercrime) and ACSC.
The overall purpose of the Report is twofold, namely:
- to advise Australian organisations of their responsibility to ensure they are adequately protected from cyber threats (regardless of the scale of such threats). By taking a proactive role, organisations will ensure resilience to such threats. As it is likely that such threats will become more sophisticated over time, it is important for organisations to regularly assess and upgrade their cyber security needs against the types of threats aimed at their organisation; and
- to ensure Australian organisations adequately report any cyber threats to ACORN and/or ACSC. By reporting such threats, organisations allow the ACSC to use that information to advise other organisations of the need to protect themselves against such threats. The ACSC can also provide organisations with assistance on how to remediate and recover from such incidents.
ARE YOU READY?
The consequences of a cyber threat are extensive and can include:
- costs of immediately responding to the threat including business interruption losses;
- financial losses stemming from fraud;
- notification costs (including costs of notifying customers and third parties such as banks, the Privacy Commissioner, various government organisations);
- costs of remediating and recovering your system and business;
- additional costs expended through the use of government support programs;
- costs of reinstating your organisation's reputation including the cost of a public relations consultant;
- costs of defending any legal proceedings/recovery action brought by affected customers including legal costs and any damages payable in respect of such claim.
Is your organisation in a position to incur the above costs and still be in a position to continue trading?
Or would a cyber threat debilitate your organisation?
Similar to any other risk that might debilitate your organisation (such as a professional negligence claim), it is important to ensure you are adequately protected by:
- instigating your own quality assurance/security procedures;
- arranging suitable cyber risk insurance.
Not only will cyber risk insurance policies assist you to meet the costs of recovering from a cyber attack, such policies typically also provide access to specialist emergency response teams which can assist with your technical IT as well as legal and PR needs. Many specialist insurers and brokers will be able to provide information to assist you to reduce your exposures before a breach occurs.