By Cameron Abbott and Sarah Goegan
We all know that cybersecurity incidents can cost your organisation a lot of money, but exactly how much? A report by Frost & Sullivan has found that losses from cyberattacks in the Asia Pacific region (APAC) could reach a staggering US$1.75 trillion, nearly 7 per cent of the region’s gross domestic product in 2017. As covered in our blog last week, the cost of cyber scams alone in Australia totalled AUD$340 million last year.
By Cameron Abbott and Harry Crawford
A recent survey has shown that nearly one-third (29%) of US businesses experienced a data breach in the previous year.
The Hartford Steam Boiler Inspection and Insurance Company, part of global reinsurer Munich Re, conducted the survey, which shows that 8 in 10 affected businesses spent at least US$5,000 to respond. Of the affected businesses, 27 percent spent between US$5,000 and US$50,000 to respond to the data breach, 30 percent spent between US$50,000 and US$100,000, and a considerable portion spent even more than that. The costs were not only directly financial: two-thirds of the affected businesses reported that their reputation was negatively impacted.
A Belgian researcher has discovered a weakness in WPA2, the security protocol used by the majority of routers and devices, including computers, mobile phones and connected household appliances, to secure internet and wireless network connections.
The researcher, Mathy Vanhoef, has named the flaw KRACK, for Key Reinstallation Attack.
Any device that supports Wi-Fi is likely to be affected by KRACK, although devices will have different levels of vulnerability depending on their operating systems. Linux and Android are believed to be more susceptible than Windows and iOS, and devices running Android 6.0 are reportedly particularly vulnerable.
By Jim Bulling and Michelle Chasser
A quick response to a data breach is key to mitigating its impact. The Office of the Australian Information Commissioner (OAIC) recommends that all entities have a data breach response plan in place and has recently released draft guidance on how to develop such a plan.
The guidance recommends that the plan include setting out the actions to be taken in the event of a breach and the team members involved in those actions. Here are some questions for your organisation to consider based on the OAIC’s draft guidance to developing a data breach response plan.
1. What constitutes a data breach?
2. What actions should your staff take?
3. Who is a member of the response team?
4. When does a breach need to be escalated to senior management?
5. Who is responsible for contacting and managing any affected individuals?
6. Who decides whether to contact law enforcement or regulators?
7. How are records of data breaches kept?
8. How will you identify and address any weaknesses in data handling that contributed to a data breach?
9. Are there any steps your cybersecurity insurance policy requires you to follow?
10. How will you test your response plan?
The OAIC’s consultation draft, Guide to developing a data breach response plan, can be found here.
The increased risks posed by cybersecurity breaches have meant that many organisations are looking to insurance to address some of the exposure. But cybersecurity insurance is still new, and there are things that companies wishing to purchase cybersecurity insurance should look out for. Here are five tips if you are considering obtaining or renewing a cybersecurity insurance policy.
By Jim Bulling
Research in Australia and overseas suggests that most cyber breaches can either be prevented or the impact of any attack can be significantly limited by a range of low cost and easy to implement measures. These include the following:
- Username and password standards should be sophisticated.
- Administrative and privileged access should be controlled.
- Undesirable applications should be removed.
- Automated patching tools and processes should be used.
- Data should be backed up regularly.
- Access to mobile devices should require authentication and data should be encrypted.
- Anti-virus software and filters should be used.
Research released by the Australian Defence Signals Directorate (DSD) indicates that at least 85% of the cyber intrusions that the DSD has responded to would have been mitigated had organisations implemented the above strategies.
Australian Federal Government Cybersecurity Review
The Australian Federal Government holds a Cybersecurity Review.
See the Australian Government’s summary of the review here.
SEC Guidance Update
The SEC’s Investment Management Team published a Guidance Update which outlines measures managed funds and investment advisers may wish to consider in addressing cybersecurity risk. The guidance includes practical tips applicable to Australian entities.
See the Guidance Update here.