As we enter a more interconnected world, the danger of a cyber attack increases exponentially. Manufacturers’ Monthly investigates.
In May this year, a global ransomware attack, Wannacry, targeted more than 200,000 computers in more than 150 countries. Businesses’ computers were taken hostage by the ransomware, which would not allow them to access their files unless they paid $300 in bitcoin within three days, or $600 in seven days. As of 14 June 2017, a total of 327 payments totalling XBT$130,634 had been transferred, and the hackers have possibly made more since then.
Not only did businesses lose money through the ransom, but they lost even more money through disrupted operations. At least 16 hospitals in Britain were affected, with some forced to halt urgent surgeries as patients’ scans could not be accessed. Spanish telco company Telefonica and US delivery service FedEx also admitted to being targeted. Countless other companies were affected, with Russia, Ukraine and Taiwan suffering the most, according to cyber security firm Avast. At least one Australian company admitted to being affected, although others may have concealed their involvement for fear of losing consumer confidence.
The Wannacry attack would have been nowhere near as prolific had businesses run the updates provided by Microsoft in March, according to University of Melbourne cyber security expert Dr Suelette Dreyfus.
“This attack is a powerful reminder that information technology basics like keeping computers current and patched are a high responsibility for everyone, and it’s something every top executive should support,” said Brad Smith, president and chief legal officer at Microsoft.
While the Wannacry attack should have served as a call to action for businesses to update their cyber security solutions, it is clear that this was not the case for many. Just one month after the Wannacry attack, another global ransomware attack, dubbed Petya, disrupted businesses across the world, including Australia’s own Tasmanian Cadbury Chocolate Factory.
The factory was forced to halt production when its computer system was struck by the attack. Just like in the Wannacry attack, the factory was unable to access its computer files unless it paid a ransom of $300 in bitcoin. As a result, hundreds of staff could not carry out their daily work. It took over a week to get production up and running again, according to industry sources.
Food and beverage company Mondelez International was also among the businesses affected, with the attack causing disruption to its shipping and invoicing. The attack also managed to stall the company’s deal with Bega, under which Bega would acquire Mondelez’s grocery and cheese business, which included the iconic Vegemite brand, as well as ZoOSh salad dressings and beef extract Bonox, among others.
As a result of the attack, Mondelez has estimated that its second-quarter revenue growth will be down three per cent, not to mention other additional costs related to the attack that the company will need to pay in the second and third quarter of 2017.
For the most part, Australian businesses were not majorly targeted in the Wannacry and Petya attacks. But there were several large businesses that were forced to halt operations, and experts have expressed fears that these cyber-attacks (which have managed to reach hundreds of thousands of computers) are just the beginning. The same experts believe Australian businesses are highly vulnerable, yet many are still failing to undertake urgently required remediation.
Experts at a recent round table event in Sydney agreed that urgent action is required in Australian businesses of all sizes.
“Business owners are understandably focused on the day-to-day challenges of running their business,” said David Cohen, founder and managing director of SystemNet.
“But unfortunately, this means they are not paying sufficient attention to cyber security. Many might be aware of the risks, but have not considered the impact a ransomware attack could have on their operations. Effects could range from mild inconvenience to a data loss so significant it puts them out of business.”
Monica Schlesinger, principal of Advisory Boards Group International, said the situation is not confined to small businesses, with many large organisations also vulnerable to attack. She added that traditionally, boards don’t understand IT challenges; however, in the current environment senior management need to oversee.
“It needs to be seen as special risk,” said Schlesinger. “When you suffer an attack, it can happen very quickly and can destroy your company. It’s not a case of ‘if’ an attack will happen but ‘when’ and the board needs to be sure all required steps have been taken.”
While Australia is at the forefront of the Asia-Pacific region in terms of ICT industry development, poor cooperation dragged down its overall score in the 2017 ITU Global Cybersecurity Index, according to the International Telecommunication Union (ITU).
Of the ITU’s 193 member states, Australia ranked seventh overall because it scored just 0.44 on the cooperation ranking, putting it well behind countries like France (0.61), Georgia (0.70), the United States (0.73), Oman (0.75), and table leaders Singapore and Malaysia (which both scored 0.87).
The report described Australia’s score as a “massive disparity” and a “significant blow for Australia”, which compared well with other leading nations in the four other categories – legal, technical, organisational, and capacity building.
“The overall picture shows improvement and strengthening of all five elements of the cyber security agenda in various countries in all regions,” reads the report. “However, there is space for further improvement in cooperation at all levels, capacity building and organisational measures.”
Cooperation, which the ITU said is “measured on the existence of partnerships, cooperative frameworks and information sharing networks”, has been a key part of the Turnbull Government’s cyber security policy. But experts say the ITU’s assessment suggests Australia’s private-public initiatives are failing to gain traction. Some analysts have also suggested that the establishment of “centres of excellence” is not doing enough to foster cyber security.
However, some experts are pleased with the introduction of the Notifiable Data Breaches Bill, which will come into effect in February 2018. The bill requires companies to report security breaches where there has been unauthorised access, disclosure or loss of personal information held by a company that is likely to result in “serious harm to any of the individuals to whom the information relates”.
“This means the impact of attacks can no longer be swept under the carpet,” said David Higgins, ANZ country manager at WatchGuard Technologies. “Senior management has to be aware of its responsibilities and realise that security can no longer simply be left to the IT team. They have to take a top-down approach.”
Education critical to understanding risks.
“There is also a need for ongoing education of staff around IT best practices,” said SystemNet’s Cohen. “They must be aware of the risks associated with opening emails from unknown parties, visiting suspect websites and installing software from unknown sources.”
Higgins agreed, saying IT security is the responsibility of everyone in a business and all have a part to play in ensuring defences are as robust and effective as possible.
“Awareness and action has to extend from the managing director or board through to the most junior staff member,” he said. “By taking a holistic approach, businesses can ensure they have both the tools and behaviours in place that are needed to counter the threat.”
“Cyber-attacks are going to become more sophisticated and, unfortunately, more effective,” said Higgins.