Denying hackers a pay day will break the ransomware business model

By Antoine Le Tard

February 16, 2023

Organisational cyber strategies must pivot to focussing on keeping business running during an attack. (Montri/Adobe)

An alphabet soup of regulations and frameworks, from AEMO’s AESCSF to APRA’s CPS234, has done little to protect Australia from ransomware attacks.

Unless they’re actually implemented, all the frameworks in the world aren’t worth the PDFs they’re written on.

On the one hand, the Australian Energy Market Operator’s (AEMO) Australian Energy Sector Cyber Security Framework (AESCSF) is voluntary. On the other, the Australian Prudential Regulation Authority’s (APRA) CPS234 is mandatory, but recent high-profile attacks suggest more could be done to ensure compliance before a breach occurs.

The crux of the issue is that whether or not these guidelines are adopted is completely at the discretion of the organisation at hand, with little incentive or disincentive to change the status quo.

Until now.

Recent high-profile cyberattacks have raised the stakes. Penalties for breaches of privacy laws have increased from a paltry $2.2 million, a mere cost of doing business, to the greater of $50 million, three times any benefit obtained from the misuse of data, or 30% of adjusted revenue in the relevant period.

Not only have penalties increased, but the collective theft of the personal data of more than six million Australians has spurred APRA into action. The watchdog announced in late November 2022 it will intensify its supervision of all entities not meeting CPS234 – a regulation designed to minimise the likelihood and impact of cyberattacks against the banking and finance sector.

Breaking the ransomware business model

While tougher penalties and more proactive regulators should lead boards and senior executives to see the light when it comes to the importance of protecting personal data, the $50 million question remains: how can this be achieved?

The answer lies in dissecting the business model behind ransomware attacks.

Last year more than AUD$650 million in cryptocurrency was transferred to wallets known to be controlled by ransomware groups.

It’s clear this industry is highly profitable. As long as they’re turning over hundreds of millions of dollars every year, we can expect these attacks to continue — increasing in scale, sophistication, and severity with every month that passes.

Part of the challenge with defending against ransomware is that the attacks are dynamic and constantly evolving. In its purest form, an attack would encrypt an organisation’s critical data with attackers demanding a ransom be paid before a decryption key is delivered.

Last year, however, we saw exfiltration and extortion become the weapons of choice. In this variety of ransomware, sensitive data is stolen and the victim is extorted on the threat of that data being publicly leaked.

This year, we expect a new shakedown method to take hold — data destruction.

Regardless of the threat being levelled at the victim, all ransomware attacks come back to one fundamental principle: denying an organisation its data. Encryption, exfiltration, destruction — all these attack methods come back to that one single act.

Outdated cyber strategies leave businesses vulnerable

In years past, the accepted wisdom in cybersecurity was to pursue a strategy of risk minimisation. Essentially, this boils down to a ‘fortress mentality’ of building the biggest digital walls in the hope of making the business impervious to cyberattacks.

It’s taken a slew of major attacks, but there is an awareness dawning now that the prevention and detection technologies everyone has been buying are not foolproof.

To beat the attackers, organisations have to rethink their cyber strategies to focus on resilience — keeping their businesses running even after a cyber breach occurs.

The first step is to accept that a breach is inevitable. Once this mindset has been accepted, the way sensitive data is protected changes drastically.

To protect against the encryption and destruction varieties of ransomware, modern cyber strategies would see the organisation keep air-gapped, immutable copies of all its sensitive data. Then, when data is encrypted or destroyed, business resilience is assured because operations can be rapidly recovered from a ‘save point’ taken before the infection.
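What a ‘save point’ actually means in practice is easier to see with a small model. The Python below is an added illustration, not code from the article: it models a backup catalogue in which every snapshot records a content hash and whether the storage holds a retention lock (immutability) on it, simulates an attacker trying to overwrite backups before triggering encryption, and then selects the newest locked, verified snapshot taken before the estimated intrusion. The catalogue, the snapshot contents, the dates and the 36-hour dwell allowance are all constructed sample values.

```python
"""Picking a clean restore point from an immutable backup catalogue.

Added illustration, not code from the article. Every snapshot carries a
content hash recorded at backup time and a retention-lock flag. Given the
time the compromise was detected and an allowance for how long the attacker
may have been inside before that, the selector returns the newest locked
snapshot that predates the estimated intrusion and still verifies.
All data below is constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass(frozen=True)
class Snapshot:
    taken_at: datetime
    payload: bytes          # the stored copy of the data
    recorded_sha256: str    # hash written into the catalogue when the backup was made
    retention_locked: bool  # storage refuses modify/delete until the lock expires


class BackupCatalogue:
    def __init__(self) -> None:
        self.snapshots: list[Snapshot] = []

    def add(self, taken_at: datetime, payload: bytes, locked: bool) -> None:
        self.snapshots.append(Snapshot(taken_at, payload, sha256_hex(payload), locked))

    def overwrite(self, index: int, new_payload: bytes) -> bool:
        """Model an attempt to overwrite a stored copy (for example by malware that
        reached the backup target). Returns True if the overwrite went through,
        False if a retention lock refused it."""
        snap = self.snapshots[index]
        if snap.retention_locked:
            return False
        self.snapshots[index] = Snapshot(snap.taken_at, new_payload, snap.recorded_sha256, False)
        return True


def is_intact(snap: Snapshot) -> bool:
    """A copy is usable only if its content still matches the hash taken at backup time."""
    return sha256_hex(snap.payload) == snap.recorded_sha256


def select_restore_point(catalogue: BackupCatalogue, detected_at: datetime,
                         dwell_allowance: timedelta):
    """Newest snapshot that (a) predates the estimated intrusion, (b) is retention-locked
    and (c) still verifies. Returns None when no such 'save point' exists."""
    cutoff = detected_at - dwell_allowance
    candidates = [s for s in catalogue.snapshots
                  if s.taken_at < cutoff and s.retention_locked and is_intact(s)]
    return max(candidates, key=lambda s: s.taken_at, default=None)


def demo() -> dict:
    """Constructed scenario: nightly 02:00 snapshots, attacker active from the 13th,
    ransomware detected on the morning of the 14th."""
    def day(d: int, hour: int = 2) -> datetime:
        return datetime(2023, 2, d, hour, 0)

    cat = BackupCatalogue()
    cat.add(day(10), b"customer records v1", locked=True)
    cat.add(day(11), b"customer records v2", locked=True)
    cat.add(day(12), b"customer records v3", locked=False)  # misconfigured: no lock
    cat.add(day(13), b"\x00already-encrypted\x00", locked=True)  # backup taken after encryption began

    # The attacker tries to destroy backups before pulling the trigger.
    locked_refused = not cat.overwrite(1, b"\x00garbage\x00")   # 11th: lock holds
    unlocked_overwritten = cat.overwrite(2, b"\x00garbage\x00")  # 12th: no lock, copy is lost

    # Cutoff is 36 h before detection, so the locked-but-poisoned 13th snapshot is skipped.
    chosen = select_restore_point(cat, detected_at=day(14, 9), dwell_allowance=timedelta(hours=36))
    return {
        "locked_refused": locked_refused,
        "unlocked_overwritten": unlocked_overwritten,
        "restore_from": chosen.taken_at.isoformat() if chosen else None,
        "restored_payload": chosen.payload.decode() if chosen else None,
    }


if __name__ == "__main__":
    print(demo())
```

Two design points matter here. The lock is what makes the 11th usable at all: without it the copy is overwritten just like the 12th, and the hash check then only tells you that you have nothing to restore. The dwell allowance is what keeps you from restoring the 13th, which is locked and intact but contains data that was already encrypted, so a ‘save point’ must be chosen relative to the estimated intrusion, not the detection time.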

In response to the threat of exfiltration attacks, an organisation might invest in finding answers to the questions “what data do I hold?” and “where do I hold it?”.

In each of these scenarios, the goal is to reduce the impact of an attack — rather than a breach being a catastrophic incident, it would be a minor inconvenience by comparison — and, ultimately, there’d be no need to pay a ransom.

That is the key to breaking the ransomware business model. The day attackers stop making money from these attacks could be the day we can bid good riddance to ransomware.
