Cyber-safe: How businesses can help protect themselves in an age of heightened threats

The menace of cybercrime has grown fast in recent years, with the World Economic Forum ranking it as the eighth most-severe global risk over the next decade. Not only has cybercrime become more common; it is also largely under-reported. In the UK, for instance, only 16.6 percent of an estimated 4.4 million fraud offences were reported in 2020.

Cybercrime is also costly. When IBM assessed data breaches across 550 organisations around the world last year, it calculated the average cost at US$4.45m, which includes lost business and the effort to remediate. That cost is up 15 percent over the last three years. And this is just for one type of cybercrime. Another estimate suggests the cost of cybercrime will reach US$10.5 trillion globally by 2025.

Among the biggest drivers is the rise of ransomware, says Shane Ripley, ANZ’s Product Area Lead on Threat Intelligence and Offensive Security.

Ransomware incidents, where threat actors lock companies out of their systems and data unless they pay to regain access, have exploded in number, with five times as many incidents today as in 2018-19, he notes.

Cybercriminals are also doubling down – not only are they adjusting ransom demands based on a victim’s insurance coverage; they are also stealing data to extort even larger sums.

In a time of heightened concerns around individuals’ data privacy, “threat actors realise it's much less effort to go in and steal data than to try and lock up a whole system”.

That, he says, constitutes half of the cybercrime challenge. The other half is dealing with sophisticated state-sponsored cyber-attacks, “which could be focused on espionage, financial disruption or infrastructure disruption, who are near impossible to detect”.

So, in addition to stolen data (confidentiality and privacy), successful attacks can shut down operations or lock companies from their data or systems (availability) or call into question accuracy of data (integrity) by manipulating records. A compromised social media account that a hacker uses to post unauthorised posts is a simple example of a failure of integrity.

{CFINFOGRAPHIC: cia-triangle.png} Source: Information Security - Nissatech Innovation Centre

Cyber-crime has become big business with some operators making their services readily available to the public, “in the same way that any of us can subscribe to streaming services”, says Gajan Ananthapavan, Technology Area Lead – Security Operations, Intelligence & Influence, ANZ.

When it comes to the most significant areas of cybercrime, he adds, ransomware is in the top three, along with business email compromise (phishing) and the exploitation of critical vulnerabilities – the last where vulnerable software or end-of-life legacy systems have weaknesses that are compromised as a back door into organisations.

A common phishing tactic that affects organisations is business email compromise (BEC), a type of cybercrime where email is used to trick someone into sending money (e.g. a falsely modified invoice) or divulging sensitive information. Generally, the culprit poses as a trusted figure – a senior executive, a supplier or even an employee asking for changes to bank details for payroll. BEC attacks reportedly increased 55 percent in the first half of 2023 compared to the last six months of 2022, driven in part by the huge increase in organisations’ use of third-party applications.

{CFINFOGRAPHIC: word-cloud.png} Source: Information Security - Nissatech Innovation Centre

Third parties – critical links in the security chain

That third-party aspect is crucial: There is plenty of evidence to show that, for some organisations, their weakest links are in their supply chain, through trusted third parties who manage critical services and have access to sensitive data.

Large, trusted third parties such as software companies with significant digital footprints across their customer base globally have been used as platforms for large-scale global attacks. Hackers use these trusted third-party software organisations to insert and distribute malicious code through automated and regular software updates. As we have seen, this approach has been highly effective – one incident alone compromised the computers of up to 18,000 customers globally, including the US government.

Breaches like that explain why risk management and insurance professionals surveyed in nearly 100 countries by Allianz rank cyber incidents (including IT outages, ransomware attacks and data breaches) as the most important global business risk, ahead of business interruption and macroeconomic challenges.

{CFINFOGRAPHIC: top-cyber-exposure-concerns-graph.png} Source: Allianz Risk Barometer

Action needed: Now what?

So, how can institutions stay safe? When it comes to supply chains, says Ananthapavan, organisations need to:

• Gain greater visibility and comfort over the third- and fourth-parties in their supply chains.
• Understand the types of connectivity that those organisations have to their business.
• Determine what sensitive data and critical systems they have access to, and how it is being protected.
• And, decide whether those organisations in their supply chain really need the access to critical systems and data to support their business.

“We've seen many major data breaches around the world where organisations struggle to answer those questions,” he says, adding that external suppliers should play a bigger role in demonstrating how they comply with leading industry security standards.

Cloud-based data service providers are also a key challenge, with IBM research showing four-fifths of breaches involve data in the cloud. That means firms need to ensure they have “visibility across hybrid environments” and can keep their data safe as it moves between organisations and third-party environments.

Some simple, actionable steps that may help your organisation improve its cyber security include: applying multiple factor authentication (MFA), ensuring systems and software are regularly updated and backed up, and restricting privileged access to those who need it.

{CFINFOGRAPHIC: simple-actions-from-anz-cyber-brochure.png} Source: Simplifying cyber security for business (PDF)

From plan to people

Drafting a plan to address cybersecurity starts by better understanding your risks, potential threats to your industry/sector, weaknesses in your environment and why your business might be a target, says Ananthapavan.

Firstly, “people often think that technology and security tools will solve all problems – but actually your people play a critical role in defending and protecting your organisation,” he says.

Enabling people to understand and prioritise the actions they can take to improve security, both personally and professionally, empowers staff to play an important role. This helps people become another layer of defence to protect our organisations, systems, data and ultimately our customers.

Ananthapavan goes on to suggest, “there are a variety of assessments that organisations can undertake to better understand their potential security risk and exposure, based on industry frameworks such as NIST (National Institute of Standards and Technology) to benchmark the maturity of security controls across your business. However, practical assessments, such as penetration testing or red team exercises, can help to prioritise where immediate action needs to be taken.”

Zero trust: Isolate, then limit access

One industry approach that organisations are more frequently adopting is zero trust, which incorporates principles to effectively isolate data and applications only to those legitimate systems and users that need to access them.

The analogy of how a moat protects a castle is a useful one when explaining zero trust, says Dr Maria Milosavljevic, ANZ’s Chief Information Security Officer. Traditionally, access into an organisation requires your username and password, and increasingly an MFA prompt. With that, users are allowed to cross the moat and into the castle, where they can go from room to room (the databases, applications and systems) as they wish.

With zero-trust architecture, everything changes. Once inside the castle, “every door is locked, including access to every database, every system and every application”. Under a zero-trust model, accessing a particular room requires specific, individual requests.

In short, zero trust only allows transactions that have a specific purpose and a specific path mapped. In addition, it employs behavioural analytics to understand if the activity is typical and expected behaviour. Behaviours from a new device, source location or at an unusual time will alter a risk score to determine if the activity/transaction is blocked or allowed to proceed.

{CFINFOGRAPHIC: zero-trust.png} Source: Zero Trust Network Access-A solution to Network Security

Zero trust will help to mitigate some of our security challenges, says Dr Milosavljevic, as we continue to adapt at scale to the growing threat and increasing volumes that we are facing.

Harnessing the opportunity of Artificial Intelligence

Artificial intelligence (AI) and machine learning present an incredible opportunity to transform our business as we explore ways to harness its power. ANZ leverages these capabilities across our security systems, using machine learning and AI to operate at scale, ingesting over 12 billion data points each day as part of monitoring, detecting and responding to potential events. Equally, ANZ is aware of the threat that this technology could pose.

“AI can work for us and against us, and it is a space that's moving very quickly,” says Dr Milosavljevic. “Over the next 12-18 months, we'll face into the challenges to regulate the AI market, recognise that its level of accuracy is based on the quality of data and models that it is trained on, be aware of how it can be used to spread disinformation, while at the same time creating efficiencies across our businesses through automation, speed and innovation.”

“It’s easy see how AI can be used against us with the generation of a phishing email as a simple example of what can be created to potentially bypass a lot of clever systems,” she says. “Importantly, we also have the opportunity to use AI to help detect and prevent against that happening.”

With the right steps, a more cyber-secure future

Although the growth in cybercrime may seem daunting, there are reasons to be optimistic. Greater awareness, especially at the top of organisations, means corporations are building a more security-aware culture, while governments like the US and the UK are increasingly demanding that firms and agencies pursue a zero-trust approach.

An upside, says Ananthapavan, is that the problem is prompting the pooling of resources, “and is helping to drive greater collaboration and better focus between industries, governments and regulators, and in how we’re managing supply chains”.

As governments and organisations work hard to tackle cybercrime, individuals can do a lot to protect themselves, says Dr Milosavljevic, by putting in place basic steps: Use different passwords for different sites; save them in a reliable password manager; and use MFA wherever possible.

Perhaps the most important step is that individuals take time to review that surprise email or unexpected SMS, says Dr Milosavljevic.

“Pausing to think about whether it is legitimate or not is the starting point,” she says. “And if you receive an email, particularly with instructions to transfer funds or provide sensitive information, call the sender, on a listed number, to verify before reacting.”

Further reading

Simplifying cyber for business summary (PDF)
Improve your cyber resilience with these simple actionable tips and information.

Working from home securely (PDF)
Tips for both organisations and individuals - to help you and your staff work from home securely.

Business Email Compromise (PDF)
Prevention is the first layer of protection. Here’s what you can do to help your business stay safe.

CERT NZ
An organisation that works to support businesses, organisations and individuals who are affected (or may be affected) by cyber security incidents. They provide trusted and authoritative information and advice, while also collating a profile of the threat landscape in New Zealand.