When Corporate Networks Are the Cyber Security Threat
Catch a plane to the Middle East and so much as train with a terrorist organisation and you can expect to be sent to a dark place behind bars for a long time the moment you return to Australia.
The community would demand nothing less.
But what if your fridge launches an attack on an airliner? Or your corporate network attempts to disrupt a military operation on behalf of a terrorist enemy?
Those scenarios might be extreme, but they are by no means far-fetched.
The question is not if, but when, a major security incident is launched leveraging inadequately secured corporate networks.
Two years ago – well before the Internet of Things (‘IoT’) had become a mainstream discussion – it was reported that a fridge, along with thousands of Internet-connected TVs, had been part of a botnet that launched a distributed denial of service (DDoS) attack.
Opportunities for connected personal and business infrastructure to be secretly “occupied” and used for nefarious purposes are expanding at an explosive rate as devices are added to the Internet at ever greater bandwidth.
Inside a medium-sized business there are likely to be hundreds of devices capable of being hijacked in this way, and maybe a dozen in a small business – printers, TVs, modems and fridges, just for a start.
Further, the standard defence response to an international DDoS attack – “sinking” the unwelcome traffic by diverting it into a series of dead-end destinations – is far less effective against an attack originating within Australia. There are simply fewer safe places to which the traffic can be diverted.
But even as the risk grows day by day, there is still a tendency to see cyber security as a black art. Too many senior managers do not ask the tough, penetrating questions of their technology teams they are expected to ask of experts in other fields, like finance.
If senior managers are looking for an incentive to make cyber security their business, they need only look at US retailer Target, where the loss of credit card details for 40 million customers cost both the CEO and CIO their jobs.
While a limited subset of the business community is treating cyber security with the appropriate gravity – typically Australia’s largest companies and financial institutions – the picture elsewhere is much more mixed.
Ignorance is not an excuse in the law, but there has to date been a reasonably generous attitude from lawmakers when it comes to cyber security.
The room for ignorance will be much narrower when the Federal Government releases its new National Cyber Security Statement in coming weeks.
The statement is expected to highlight the importance of a few protective measures that, properly implemented, prevent the majority of common attacks and security breaches.
It is no accident that these are described as “hygiene” measures – they really should be as basic as a food service business requiring staff to wash their hands, or for a car company meeting minimum quality and safety standards.
That they are not already universally applied says something troubling about the level of cyber risk management across corporate Australia.
The Government’s initiatives are likely to take the form of helpful advice, guidance and some tools for businesses to lift their security stance, rather than punitive measures for poor performance. They are also expected to leverage the work that the Australian Signals Directorate (ASD) and the Australian Cyber Security Centre (ACSC) have done in helping the Government better protect itself from cyber attack.
But lawmakers’ tolerance of poor standards of conduct online has been gradually diminishing in recent years.
For example, we have seen tighter regulation of anti-social conduct on social media by requiring more timely removal of defamatory or offensive content, and compulsory data breach notification law is proposed.
These changes to the law reflect community expectations.
What would be the reaction if a high profile attack on a civilian or strategic target occurred and it was found to have originated from a poorly secured corporate network? And what if it turned out that the company had not deployed even the basic hygiene measures that the Government is going to great lengths to explain and promote?
In that moment, it is likely the community would not look favourably on the latitude directors and managers have been afforded when it comes to meeting the basic standards required to protect not only their businesses, but the community.
Demands for legal liability for directors and senior managers might soon follow.
Expect politicians then to respond quickly and firmly to force managers and directors to make cyber security their personal business or to pay the price.
Businesses that treat cyber security management as an issue for their IT team and do not actively manage it at the board and executive level would be well advised to lift their game before that happens.
Aidan Tudehope is Managing Director of Government & Hosting at Macquarie Telecom and was a member of the PM’s Cyber Security Business Roundtable process.
This article was first published in the Australian Financial Review.