When it comes to cybercrime, the industry’s most common targets are financial services, education, and healthcare, primarily due to their vast and valuable data.
In the past year, however, cybercrime in Australia has increased by 13% as the pandemic has caused a shift to remote working. Cybercriminals have flocked to unsuspecting organizations to probe their IT vulnerabilities, with 81% of organizations worldwide admitting to bypassing their own cybersecurity processes during the pandemic, according to EY’s 2021 Global Information Security Survey.
The recent Australian Cyber Security Centre (ACSC) report found that one in four incidents involved critical infrastructure and services, such as aviation and defense. Some industries that were historically not a typical target now find themselves under-prepared to deal with the threat.
“Financial services are quite used to dealing with cyber attacks every day,” says Richard Bergman, EY lead partner for cybersecurity, privacy and trusted technology in Oceania. “Most other industries, including federal and state governments, have really underinvested in strengthening their defenses. This is something that many organizations are just beginning to realize.”
Problem in the heavens
Aviation is both a rich and soft target for cybercriminals, says Michael Wallmannsberger, cybersecurity consultant and former chief information security officer at Air New Zealand.
“It’s a rich target because aviation organizations tend to hold a lot of personal data, including identity data such as passport information,” he explains. “There’s the payment and loyalty card data, and they also have a lot of data about where you’re going. This information could be valuable not only for profit-motivated cybercriminals, but also for state actors carrying out espionage activities.”
In 2018, a breach of British Airways’ security systems resulted in the leak of personal data belonging to nearly half a million employees and customers. In July, it was announced that those affected would benefit from a confidential settlement following mediation. The UK Information Commissioner’s Office has also fined the airline $38 million ($27.7 million) for failing to protect the personal and financial data of its customers, the biggest sanction of its kind in the UK.
Wallmannsberger says even large carriers can be easy targets. “It’s a low-margin industry and the airlines have to compete aggressively and be very cost efficient,” he says. “They are highly technology dependent, and their technology tends to span decades, so there are a lot of legacy systems and very complex business processes. From a defensive standpoint, this is a tall order in the face of a rapidly evolving threat.”
He adds that while planes don’t fall from the sky due to cybercrime – for now – the terrifying perception alone may be enough for cybercriminals to use as leverage.
Defense, on the other hand, is an industry that only the most sophisticated cybercriminal groups could target, says Garrett O’Hara, senior technical consultant at Mimecast.
“Your average criminal organization will not steal the bear from advocacy organizations,” says O’Hara. “This is because the very big hammer of a government response is very different from the response capacity of a private company. They don’t have three-letter organizations that can pop up in another country and start arresting people.”
He says the impacts of a successful attack on the defense industry could be devastating and fuel geopolitical tensions.
Reinforcement of protections
Organizations can better protect themselves by adopting cybersecurity risk management measures, says Bergman. “The challenge, of course, is managing all the moving parts and complexity, and having the right skills and resources to do it. They must begin to see technological capabilities as essential to their operations and as a major strategic issue.”
Cybercriminals are now just as likely to attack an institution because of its ability to pay and weak defenses, and not just the type of industry it is in, says John Donovan, Managing Director of Sophos ANZ. “It’s amazing how many ransomware attacks could have been prevented just by taking simple steps, such as backing up critical data and installing the latest security updates.”
EY’s global survey of more than 1,000 cybersecurity officials found that the most common barriers for industries to protect themselves were inadequate organizational budgets and regulatory fragmentation. Wallmannsberger believes more regulations are needed, but due to the complex and evolving nature of technology and cybersecurity, regulations must avoid over-specificity or the risk of quickly becoming obsolete.
“Ideally, companies would just make decisions about risk and do what’s required for cybersecurity,” he says. “But there are just too many examples where that doesn’t happen, and that’s for complex reasons. I don’t want to see bad regulation or overreaction, but I think there is a public good that justifies regulation, because when a business is attacked it has ripple effects on the rest of the economy.”
Bergman believes Australia needs to strengthen its sovereign capabilities to better protect itself. “We need more people qualified in e-tech skills, as well as more collaboration between industry partners and government.”
O’Hara applauds initiatives such as the Critical Infrastructure Bill, which would confer extraordinary power for government intervention in response to cyber attacks on critical infrastructure. However, he believes that the problem of cybercrime is so important that it requires concerted collaboration of all stakeholders.
“Government alone cannot solve it, and neither can private enterprise,” says O’Hara. “It’s something we have to do as a society, and the expense is significant. We hear about these big numbers for different projects and it sounds amazing, but when you do the math and spread it out over the number of years, it’s not as convincing.”