Remember when incidences of hacking and cyber crime were occurrences sufficiently unusual to deem them worthy of comment or concern?
Those days are long gone and, in a frantically digitising world, the chances are they won’t be coming back any time soon.
In 2019, Australian organisations are at rising risk from high-tech criminals and fraudsters and the costs associated with a successful attack have never been higher.
A growing number of local enterprises know this from first-hand experience. Last November, Aura Information Security research found that half of CEOs, general managers and operations executives said they have been subject to a cyber attack in the previous 12 months.
The prevalence of the attempts has made senior executives cognisant of the risk cyber crime can pose to an enterprise’s viability and prosperity. Those surveyed identified it as the most disruptive economic crime of the present day, and the most significant danger to growth prospects.
Are decision makers right to be concerned? Yes, if recent research from Frost and Sullivan is anything to go by. The firm has calculated the potential direct economic loss Australian businesses experience as a result of cyber security incidents could reach $29 billion a year, if fines, legal repercussions, remediation costs and reduced profitability are included in the collective bill.
The Australian Criminal Intelligence Commission estimates the direct costs at a more modest $1 billion a year. That’s still far from chump change for the local businesses that find themselves left with no choice but to open their chequebooks to cover damage caused by high-tech hijackers.
Wide open door – why web applications represent an easy entry for attackers
Wherever weakness is evident, it’s likely to be exploited. On the cyber security front, web applications have become something of an Achilles heel for Australian organisations, according to research conducted by web-application shielding service provider, RedShield, in 2018.
Many of the 157 organisations interviewed by the firm were using old systems that had not been patched or upgraded for years; some not since 2010.
As a result, scores of common vulnerabilities and exposures that are typically mitigated by a regular patching program remained in place and ripe for the exploiting, by hackers with a modicum of expertise.
Penetration testing also revealed a plethora of vulnerabilities within bespoke software solutions not covered by vendors’ patching programs. Such solutions can only be strengthened with custom code. That’s an exercise that can be expensive and time consuming – and prone to slipping down the priority list, if security resources are scarce.
Should businesses be alarmed about these inadequately secured back doors into the enterprise? There’s certainly no case for complacency, particularly given the changing profile of those seeking to gain illicit entry.
The old stereotype of hackers and cyber criminals being a ragtag collective of enthusiastic amateurs, revelling in the challenge of cracking supposedly secure solutions, no longer holds true.
RedShield’s research suggests many of those attempting to attack Australian enterprises via malicious HTTP requests are located off shore, with evidence pointing to the likelihood of multiple individuals operating from the same physical location. They’re professional hackers whose raison d’etre is to infiltrate business systems, in Australia and around the world, for commercial purposes, not for fun.
Plugging the gaps in the security cordon
For Australian organisations that want to lower their chances of falling victim, reducing the risk is a two-step process.
It should start with an audit of all internet facing applications. For many enterprises, this is a process of discovery that can unearth a clutch of solutions that don’t figure on the asset register. Often present as a result of mergers and acquisitions, or the phenomenon dubbed ‘IT sprawl’, these systems must be documented by security staff and included in a comprehensive vulnerability assessment.
Once the latter exercise has been completed, a patching and testing program covering both third-party programs and bespoke solutions needs to be implemented, ideally as a matter of urgency.
Organisations should look to utilise advanced security technologies which can make it possible to mitigate vulnerabilities within customised and bespoke solutions without the requirement for intensive human intervention.
Time to act
Given the prevalence of global hacking activity – and the expertise displayed by those undertaking it – Australian organisations can ill afford to be complacent about cyber security. Investing the resources necessary to strengthen vulnerable web applications can reduce the likelihood of their becoming cyber crime statistics in 2019 and beyond.
Michael Warnock, Australia country manager, Aura Information Security