Within a rapidly globalising and integrated global community, the evolution and rationalisation of technology has brought the real and present danger of cyber-attacks, creating a threat environment for all businesses. With malware becoming more sophisticated and capable of outsmarting traditional anti-virus technologies, businesses must prioritise cybersecurity and form an enterprise culture of digital awareness, fortification and resilience.

Until recently, security strategies have been mainly reactive, meaning that threats have only been detected and dealt with once organisations have experienced negative consequences. The emergence of Advanced Persistent Threats (APTs) and intrusion vectors means that the cost of waiting for a breach to occur is simply too high. APTs lurk undetected for long periods, generally on the systems of specific targets, before stealing or corrupting large quantities of data – on average, it will take the business five months to identify an intrusion and a further two months to contain it. [1] Common intrusion vectors, such as emails sent with malicious links and attachments and fake or manipulated websites that download viruses, manipulate people, overtly or otherwise, into performing actions or divulging confidential information.

It is often easy to overlook the complex realities of a cyber-attack on an organisation, which carries both tangible and intangible costs. Clearly a cyber breach will prompt an organisation into undertaking regulatory compliance, technical investigations and data breach compensation – yet there is a less visible, often costly aspect to a failure to ensure cyber security. Data breaches, malware, “Trojans” and even “ransomware” invariably damage the trading name and weaken the value of an organisation’s customer relations. An attack will also result in increased insurance premiums and loss of intellectual property, and will impair business operations. The extent of cyber damage is measured by the cyber resilience of the organisation and the cost of returning to business as usual (BAU). On average, cyber-attacks within Australia cost an organisation $2.55M. [2] In 2017, tried and true methods of prevention such as patching by software companies are inadequate when dealing with zero-day attacks, where the malware targets the software vulnerability before the software vendor is even aware of it.

Deception technology may provide some hope for addressing APTs, intrusion vectors, zero-day events and other new sophisticated threats, as it is more proactive than traditional anti-virus software. Deception technology automatically deploys a network of camouflaged malware traps that are intermingled with and appear identical to real data, thereby deceiving the cyber-attackers. The fake data or assets are known to all legitimate users, so when they are accessed it is clear that an attacker is present in the network. The real-time automation then isolates the malware and delivers a comprehensive assessment directly to the security operations team. This technology will shift the cost of cyber-attacks, making it less rewarding for hackers, effectively changing the rules of the game entirely.
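The detection principle described above can be shown in a short sketch. This is an added example, not part of the original article or of any vendor's product: the decoy names, the key=value log format and the sample log lines are all constructed for illustration. Any access to a decoy is treated as an alert, and the report lists the real assets reached from the same source so the security operations team knows what to review.

```python
import re
from collections import defaultdict

# Constructed decoy inventory: objects no legitimate workflow ever touches.
DECOYS = {
    "/finance/board_salaries_FY17.xlsx",  # decoy document
    "svc_backup_admin",                   # decoy account
}

# Constructed sample access log in an assumed key=value format.
SAMPLE_LOG = """\
2017-03-02T09:14:07Z src=10.0.4.17 user=jsmith action=read object=/finance/payroll_2016.xlsx
2017-03-02T09:15:41Z src=10.0.9.88 user=mlee action=read object=/hr/policies.pdf
2017-03-02T09:16:02Z src=10.0.9.88 user=mlee action=read object=/finance/board_salaries_FY17.xlsx
2017-03-02T09:16:30Z src=10.0.9.88 user=mlee action=logon object=svc_backup_admin
2017-03-02T09:17:12Z src=10.0.9.88 user=mlee action=read object=/finance/payroll_2016.xlsx
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) "
    r"action=(?P<action>\S+) object=(?P<object>.+)$"
)

def parse(log_text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()

def assess(log_text, decoys=DECOYS):
    """Return one report per source address that touched any decoy."""
    by_src = defaultdict(list)
    for event in parse(log_text):
        by_src[event["src"]].append(event)
    reports = []
    for src, events in by_src.items():
        hits = [e for e in events if e["object"] in decoys]
        if not hits:
            continue  # sources that never touched a decoy raise no alert
        reports.append({
            "source": src,
            "users": sorted({e["user"] for e in events}),
            "first_decoy_touch": min(h["ts"] for h in hits),
            "decoys_touched": sorted({h["object"] for h in hits}),
            # Real assets reached from the same source: scope for review.
            "real_assets_to_review": sorted(
                {e["object"] for e in events if e["object"] not in decoys}),
        })
    return reports

if __name__ == "__main__":
    for report in assess(SAMPLE_LOG):
        print(report)
```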

While deception technology is still in the early stages of development, the research company Gartner has already predicted that 10% of enterprises will use this technology by 2018, with many actively participating in deception operations against attackers. [3]

Nevertheless, cyber resilience must evolve to form an undeniably necessary aspect of all business. This will require the business community to shift its mindset on cyber safety and alter its perceptions of organisational priorities. Australian business must strive to splice expertise in commerce and IT to ensure a comprehensive understanding of, and as such response to, attacks. It is this vigilance for cyber threats that will determine the success and failure of business throughout the 21st Century.

Who is at risk?

  • Telstra’s inaugural Cyber Security Report found that 41% of organisations it surveyed had been the victim of a significant security breach in the past three years.[4]
  • Globally, 49% of businesses fell victim to cyber ransom in 2016. [5]
  • Small businesses are also vulnerable, with 72% of data breaches analysed in 2011 taking place at companies with fewer than 1000 employees.[6]
  • K-Mart, David Jones and Aussie Farmers Direct were among the large Australian corporations that were victims of high profile cyber-attacks. See https://www.auscert.org.au/resources/blog/kmart-and-david-jones-compromise

What are the effects?

  • A recent Roundtable of Business Leaders found that data breaches cost Australian businesses on average over $2.5 million a year.[7]
  • On average, it takes 23 days for an organisation to resolve a cyber-attack, and the average breach consisted of access to over 20,000 records.[8]
  • A data breach carries both direct costs (the actual expenses, i.e. consultancy) and indirect costs (the time, capital, and resources used), on average $62 and $80 per compromised record respectively.[9]
  • A Computer Emergency Response Team (CERT) Australia and Australian Cyber Security Centre survey found that, of companies that had experienced a breach, 23% experienced a loss of confidential information.[10]

What can you do?

  • The Department of Prime Minister and Cabinet has recently issued Australia’s Cyber Security Strategy Report. [11]
  • Companies can encourage cyber resilience through extensive use of encryption, incident response plans and IT practices including whitelisting, patching and restricting admin privileges. [12]
  • 40% of organisations do not have a proper incident response plan in place – it is necessary to have a detailed risk assessment and triage for a swift operational recovery. [13]

If you need help with identifying issues for your organisation relating to cyber-attacks and data breaches, or in formulating and rolling out policies and procedures to protect against cyber-attacks and data breaches, our experts can help you. Contact us to get advice from our experienced privacy and cyber security lawyers.

[1] Ponemon Institute, 2016 Cost of Data Breach Study: Global Analysis, pg 23.
[2] Ibid, pg 7.
[3] Heather Levy, Riding the Deception Wave, 23 March 2016, Gartner Inc.
[4] Telstra Corporation Limited, Telstra Cyber Security Report 2014, pg 30.
[5] Radware, Global Application & Network Security Report 2016-17, pg 24.
[6] Verizon, 2013 Data Breach Investigations Report, pg 12.
[7] James Nunn-Price, Deloitte Hosts Parliamentary Secretary Roundtable on Cyber Security with Australian Business Leaders, 6 August 2015, Deloitte Touche Tohmatsu.
[8] Above n. 1.
[9] Ibid.
[10] Australian Cyber Security Centre, 2015 ACSC Cyber Security Survey: Major Australian Businesses, pg 17.
[11] Department of Prime Minister and Cabinet, Australia’s Cyber Security Strategy, 2016.
[12] http://www.asd.gov.au/infosec/mitigationstrategies.htm
[13] Above n. 5.