In hacked cyberspace no one can hear you scream
The Optus hack is a wake-up call for businesses to get their digital affairs in order or pay the price, writes Morry Bailes in this latest Opinion piece published in InDaily.
https://indaily.com.au/opinion/2022/09/29/in-hacked-cyberspace-no-one-can-hear-you-scream/?utm_medium=email&utm_campaign=InDaily%20Lunchtime%20%2029%20September%202022&utm_content=InDaily%20Lunchtime%20%2029%20September%202022+CID_5df25b0b04e0a5ba84c9ba02d5a6ef0f&utm_source=EDM&utm_term=READ%20MORE
With a massive cyber attack successfully launched against Optus last week, cyber threat is well and truly back in the headlines, if indeed it was ever out of them.
In short, customer records held by Optus containing extensive personal and financial details were compromised. Just why Optus needed to retain all that data remains to be explained. Meantime, and pending the inevitable class action, customers’ sole comfort thus far seems to be the obvious advice that they should watch for any suspicious activity arising from the malign use of their personal information. If that doesn’t work, add it to the damages claim.
The usual modus operandi in these attacks is that malware is installed on the IT system of the victim entity, enabling the digital theft of data, or the installation of ransomware rendering the system useless unless the demanded ransom is paid (increasingly both at once). Failing a resolution of the demand, the stolen personal data is then published on the dark web for auction.
The exact nature of the Optus attack remains unknown, and may remain that way for good reason. Insurance companies underwriting such risk do not want the details of a cyber attack known, particularly during a period of negotiation with the hacker.
The other typical type of attack is the theft not of data, but of money. It is a relatively simple process. Once the IT system of a victim entity is hacked, usually through what is referred to as ‘social engineering’ (a human response to a phishing attack that enables penetration of the system), a new Outlook email account is created by the hacker. If two parties are then unwise enough to conduct a financial transaction by email, the hacker, sitting in the middle of what is now a tripartite communication and unbeknown to the original parties, alters the bank account details and digitally steals the money. In law firms that is the ever-present risk in conveyancing transactions, but more of that later.
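The attack just described leaves traces that can be checked mechanically before any payment is made: a sender or Reply-To address on a lookalike domain, and bank details that change part-way through a thread. The script below is an added example written for this piece, not code from the article or from any firm it mentions. The email thread, addresses, domains and bank details in it are constructed sample data, and the "trusted domains" list is an assumed allow-list of the parties known to be on the transaction.

```python
import re
from dataclasses import dataclass

# Australian BSB (6 digits, optional hyphen) and account number patterns.
BSB_RE = re.compile(r"\bBSB\s*[:#]?\s*(\d{3}-?\d{3})\b", re.IGNORECASE)
ACCT_RE = re.compile(
    r"\b(?:account|acct|a/c)\s*(?:no\.?|number|#)?\s*[:#]?\s*(\d{6,10})\b",
    re.IGNORECASE,
)


@dataclass
class Message:
    sender: str    # bare From address (no display name, an assumption of this example)
    reply_to: str  # bare Reply-To address, "" if the header is absent
    body: str


def domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; used to spot one- or two-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def extract_bank_details(body: str):
    """Return (bsb, account) found in the body, None for each part not present."""
    bsb = BSB_RE.search(body)
    acct = ACCT_RE.search(body)
    return (bsb.group(1).replace("-", "") if bsb else None,
            acct.group(1) if acct else None)


def audit_thread(messages, trusted_domains):
    """Flag the indicators of a payment-redirection attack in an email thread.

    Returns a list of (message index, reason) findings. The first bank details
    seen in the thread are taken as the baseline; any later change is flagged.
    """
    findings = []
    baseline = None
    for i, m in enumerate(messages):
        sd = domain(m.sender)
        if sd not in trusted_domains:
            close = [t for t in trusted_domains if 0 < edit_distance(sd, t) <= 2]
            if close:
                findings.append((i, f"sender domain {sd!r} looks like trusted domain {close[0]!r}"))
            else:
                findings.append((i, f"sender domain {sd!r} is not a known party"))
        if m.reply_to and domain(m.reply_to) != sd:
            findings.append((i, f"Reply-To domain {domain(m.reply_to)!r} differs from sender domain {sd!r}"))
        details = extract_bank_details(m.body)
        if details != (None, None):
            if baseline is None:
                baseline = details
            elif details != baseline:
                findings.append((i, f"bank details changed from {baseline} to {details}"))
    return findings


# Constructed sample thread: a genuine instruction, a reply, then an interloper
# on a lookalike domain (smlthlaw vs smithlaw) supplying "new" bank details.
TRUSTED_DOMAINS = {"smithlaw.com.au", "example.com"}
SAMPLE_THREAD = [
    Message("settlements@smithlaw.com.au", "",
            "Please remit settlement funds to BSB 063-000, account number 12345678."),
    Message("buyer@example.com", "",
            "Thanks, I will transfer the funds on Friday."),
    Message("settlements@smlthlaw.com.au", "settlements.smithlaw@gmail.com",
            "Our bank account has changed. Please use BSB 012-345, account number 87654321."),
]

if __name__ == "__main__":
    for idx, reason in audit_thread(SAMPLE_THREAD, TRUSTED_DOMAINS):
        print(f"message {idx}: {reason}")
```

Run against the sample thread, every finding lands on the third message: the lookalike sender domain, the mismatched Reply-To, and the changed BSB and account number. None of these checks replaces the voice confirmation the article goes on to recommend; they simply make sure the call is made before the money moves.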
The act of Optus notifying its customers of its recent breach was not through goodwill, but a requirement in law. That requirement has existed for some time now, and requires an entity which has experienced a cyber breach to comply with the Notifiable Data Breaches scheme and with Australian privacy law by informing a party whose data has been compromised if there exists a risk of serious harm.
The problem for corporate entities, including law firms, that are subject to attack is the mounting cost associated with the requirement to notify. The digital theft of money aside, what is really hurting organisations subject to attack is the cost of the notification process, which can be immense. That in turn is directly leading to the increasing cost of insuring against these risks, if an insurer is prepared to write the policy in the first place. An organisation subject to cyber attack may also be required to notify the Privacy Commissioner.
A very recent amendment to Australia’s critical infrastructure law (the Security of Critical Infrastructure Act, rather than privacy law as such) has upped the ante for corporate entities who are responsible for critical infrastructure, such as water, electricity, communications, health, transport and banking. From 8 July 2022 it has been mandatory to report such an attack to the Australian Cyber Security Centre within 12 or 72 hours, depending on whether the impact is ‘significant’ or ‘relevant’, respectively. Significant fines may apply for breaching these statutory requirements.
The risk for business then is both regulatory and financial, not to mention reputational.
What to do? If we return to law firms, the legal profession has unfortunately proven a valuable target for hackers, particularly for the digital theft of money. Why? Because most law firms hold a lot of their clients’ money in their trust accounts, and perform multiple trust accounting transactions each day. Out of that, however, has come some understanding of how to avoid cyber attack, if not entirely, then at least the vast majority of attacks.
It goes without saying that proper education of staff about phishing risks to address social weaknesses, as well as IT system defence and upgrades, including current patching to address technical weaknesses, are both critical and assumed. Outside of that there are three simple steps that can save most of the pain.
Firstly, proper password protection. As trite as that may sound, it is often ignored, yet it is central to successful protection. Rotating passwords in itself may not be the answer, due to our lazy human inclination to just add a digit at the end of our existing password each time we are asked to update it. Password becomes Password2 and so on. Needless to say, Password does not constitute proper password protection, but it serves the example. Strong password protection, meaning long passwords that are unique to each service (ideally generated and stored by a password manager, so the digit-at-the-end habit never arises), goes a long way.
Secondly, multi-factor authentication is no longer merely advised; it is absolutely critical. In a financial transaction, however, it is also critical that the parties transacting use voice verification as well. Software alone is now not good enough, at least for larger financial transactions, say in the instance of the conveyance of a house. The parties to the transaction must speak, on a number already known to them rather than one supplied in the email, to confirm identity and the account details before any money moves.
Thirdly, device-specific authorisation, which ties each login to a device enrolled with the organisation, will if successfully used eliminate the ability of a hacker to create an Outlook account, which is the basis for intercepting and re-directing the payment of money to an account other than the intended one. It adds a layer of complexity for users and administrators, but may well be worth doing.
These three steps will, if implemented successfully, go a long way to staving off the risk of financial theft, which is typically what happens to law firms and other small and medium enterprises, as well as many other forms of cyber attack.
These approaches are universally advocated by cyber security agencies and experts, across the world, including the US Cybersecurity and Infrastructure Security Agency. It is essential to heed such advice and act.
As to opening email attachments designed for malign data collection, or responding to text messages that purport to come from a government agency like the ATO, according to Steve Wozniak ‘a lot of hacking is playing with other people, you know, getting them to do strange things’. In short, it is an inevitable element of human behaviour that at some point we will fall for it. We must proceed, then, on the assumption that our IT systems may be infected.
The best approach is to assume that there is a malign third party actor scanning every email, and act accordingly. There is no way with that approach that you ever use unencrypted email to send financial account details, yet it is alarming how many organisations persist in asking customers to do exactly that.
If you have given your ATO details to a hacker in response to a text message, you may not be seeing your tax refund for a while. Accountants recount countless examples of tax refunds disappearing into hackers’ pockets, the hacker claiming the refund for themselves.
The relentless pace of growth in cyber threat and attack globally now represents one of the biggest existential threats to business in Australia and elsewhere. Surveys of managing partners of law firms disclose that they consider it to be the biggest current threat to law firms.
The threat ranges from state-sponsored hackers, to terrorists, to garden-variety thieves. The digital ability, know-how and equipment needed to engage in cyber attack can be purchased in a franchise-like way on the dark web. It is a growing criminal industry, and the ill-informed and naive are its prey.
As to insurance being the answer, it is likely either not to help at all or only partially to address the risk. Firstly, to be insurable you are likely to be required by an underwriter to comply with the basic steps set out above anyway. Coupled with that, the mounting cost of premiums and the increasing limitations on the scope of cover mean that in reality this is primarily a question of risk minimisation by business, rather than expecting insurers to pick up the pieces.
We are all in the same boat when it comes to cyber threat, but as the legal profession has had its own experiences we can not only speak to those, but also be a source of information and legal advice about the regulatory requirements that apply at a federal level. The ability to seek and receive advice, legal as well as technical, at the point of a cyber breach is nearly always going to be required.
Aside from that, the role of the law in cyber security, beyond recognising it as criminal conduct, is only to create transparency so that federal agencies know what’s going on. It is practical, not legal, steps that may save your bacon.
Kevin Mitnick, the world’s most famous hacker, said ‘the hacking trend has definitely turned criminal because of e-commerce’. ‘Hackers are breaking the system for profit. Before it was about intellectual curiosity and pursuit of knowledge and thrill, and now hacking is big business.’ There we have it. E-commerce will only ever expand, which means the same trajectory of growth for cyber hacking. Get used to this threat as normal and learn to live with it.
However doing nothing is not an option, or you will be next.