Australian Infosec Leaders Reveal Ransomware Weaknesses
Many organisations in Australia and New Zealand are likely to feel the pain of a ransomware attack if one occurred today
In its 2022 Annual Cyber Threat Report, the Australian Signals Directorate’s Australian Cyber Security Centre reported having received 447 ransomware cybercrime reports for the year, and stated that it was likely that ransomware remained significantly underreported, especially by victims that pay a ransom.
Ransomware disrupts business and causes reputational damage to hundreds of organisations globally.
In the 2021 financial year, the Australian Cyber Security Centre observed almost 500 reports of ransomware, an increase of almost 15 percent on the prior year.
In late 2022, Corinium produced a report titled the State of Ransomware Readiness, ANZ, after surveying 119 cybersecurity professionals across Australia and New Zealand. This article is an excerpt from that report.
With so many successful ransomware attacks occurring annually, the ASD expects these incidents will remain a common threat in Australia and globally. As such, it is imperative that organisations in our region are prepared.
A lot of this preparation, according to Healthscope Chief Information Security Officer Varun Acharya, comes down to timely threat intelligence and response, security governance, risk assessments and understanding the operating environment.
Healthscope is Australia’s second largest healthcare provider. With 39 hospitals across the country, about 20,000 staff, and some 10,000 endpoints, Healthscope has a considerable technology infrastructure, which demands considerable security care and sophistication.
“My alignment is always with business objectives, and a big part of that is ensuring that the board, and enterprise leadership team, are aware of the cyber risks involved with doing business and digital transformation, as well as how we are managing those risks and navigating the security challenges that we face today,” Acharya says.
“Ransomware has always been at the top of the list of threats that the organisation faces, based on the destruction it can potentially cause, especially in our case with patient health and outcomes involved. It’s a key priority in defining our security strategy that effectively drives decisions around equipping the security division with the right capabilities and functions, in order to best protect the organisation.”
With the risk of ransomware well understood at Healthscope, Acharya says a deep understanding of the organisation’s infrastructure and security capabilities underlines its ability to respond to such a threat.
“We have to get on top of things like our SIEM and SOC capability, or our end-point security coverage, vulnerability management, and attack surface management. Looking at the entire kill chain of a ransomware attack end-to-end in order to detect, mitigate and prevent the threat becomes a fundamental part of the strategy,” he says.
Confidence Levels in Backup and Recovery
We began our survey of Australian and New Zealand cybersecurity professionals by asking leaders generally about their confidence in their ability to recover quickly from a ransomware attack, using the following question:
“If your organisation suffered a ransomware attack today, how confident are you that your data would be recovered quickly, systems would be restored seamlessly, and your business would experience minimal disruption?”
Almost 18% of our survey respondents say their organisation would ‘more than likely experience significant disruptions’, while just over 66% suggest their organisations would ‘more than likely experience moderate disruptions’.
Having 84% of respondents expecting disruptions ranging from ‘moderate’ to ‘significant’ is quite concerning.
“This suggests that a CISO’s readiness to recover should the security posture fail is inadequate,” says Pete Murray, Managing Director in Australia and New Zealand for data protection software provider Veritas.
“I think CISOs have spent a lot of time protecting the front door and the security posture on the perimeter of their organisations to help prevent ransomware and cyber threats getting in, but have spent dramatically less time worrying about what happens if and when they get in. I think there’s a definite mismatch between the amount of effort and focus put into the two halves of ransomware.
“If there is one thing that the Optus and Medibank data breaches have taught us, it’s that it’s not just about protecting the front door, it’s about protecting everything behind it.
“Security leaders need to ask themselves these important questions: ‘Do we know where all of our personally identifiable information is located?’, ‘Do we know who has access to it?’, ‘Do we have adequate strategies in place to manage it?’ and ‘Do we know when someone is accessing it, who shouldn’t be accessing it?’.”
Disruptions, even moderate ones, can be expensive and damaging to organisations. Just 16% of the survey group indicate both that they are confident their organisation has a robust enough backup system to enable recovery and that they anticipate only minimal disruptions in the wake of a ransomware attack.
We also asked our survey group how confident they were in having complete knowledge of their organisation’s data backup and recovery strategy, in the event ransomware or another cyber event compromised their business.
Almost a quarter (24%) of survey respondents say they are not confident that they have complete knowledge of their organisation’s data backup and recovery strategy. Just over 62% say they are moderately confident that they have complete knowledge of the strategy, while only 13% express confidence that they have complete knowledge of the strategy.
The most popular single response, selected by 33% of respondents, was, ‘I am moderately confident that I have complete knowledge of our organisation’s data backup and recovery strategy. I am moderately confident in the competency of my team’.
The threat that ransomware poses to data makes backup a fundamentally important control in defending against this kind of malware. It is therefore quite concerning that only 13% of the cybersecurity professionals in our survey express outright confidence in their backup strategies.
Similarly concerning are the results from our next question. We asked cybersecurity professionals if they or their colleagues had responded to a ransomware attack in the last 12 months.
While perhaps not surprising given ransomware’s prevalence, it is still striking to see about a third of respondents, 33%, answer ‘Yes’ to this question. A 53% portion of our survey respondents answered ‘No’, while 14% indicated that they would rather not answer the question.