The digital revolution has led to a fundamental change in the ways businesses deliver products, services, and information. IT systems and networked connectivity are core to the operations of most organisations and deliver huge productivity and efficiency benefits. But as businesses rely more on interconnected systems, the risks increase exponentially.
The report from BAE Systems Applied Intelligence, titled Business and the Cyber Threat: The Rise of Digital Criminality, revealed worrying statistics about cyber crime in Australia. It showed that the vast majority of Australian organisations (84 per cent) expect the number of targeted attacks to increase over the next two years. One in four respondents believe that their board does not yet fully appreciate the risks posed by targeted cyber attacks. Thirty-nine per cent said they either did not have, or were not aware of, a crisis response plan in the event of an attack. This suggests that there is a need for further education on cyber security issues and their associated business impacts.
Business leaders must adopt the mindset that a significant cyber attack is almost inevitable. While some attacks have a minor impact, others can threaten an organisation’s brand and entire existence. The contemporary approach is moving from a purely preventative posture towards a model that recognises the importance of ongoing detection and managed response to incidents. Organisations that don’t switch to this model may be carrying a level of compromise they are unaware of.
The changing nature of cyber attacks
A little over a decade ago, cyber crime typically consisted of cyber criminals gaining access to systems, stealing information, and exiting quickly. Over time, cyber crime has evolved rapidly.
Cyber criminals established that rather than expending significant amounts of time and resources attacking well-secured targets, they could instead leverage access to a system in a weaker partner or supplier organisation to gain access to another, more valuable system. This has been observed in a number of instances, for example, where professional advisory firms, such as legal practices, have been targeted specifically to reveal sensitive information relating to clients’ merger and acquisition activity.
This soon turned into fertile ground for cyber criminals, who aimed to create changes in the physical realm by manipulating the virtual realm. For example, in a well-publicised case in Queensland, a disgruntled engineer allegedly used cyber attacks to manipulate controls within sewage pumping stations in Maroochy Shire, leading to a significant discharge of sewage into waterways. The growing sophistication of industrial control systems, and their convergence with corporate IT systems, means there is greater scope for a cyber attack to lead to a material outcome in terms of public safety or sustained loss of critical infrastructure such as water, power, or transport.
Cyber criminals are now becoming increasingly focused on information crime. Computers are used to inform or make major decisions with little human input or interaction, often drawing on information feeds from a wide range of sources. This trend raises the stakes for cyber security because cyber criminals could, by targeting upstream information systems, affect a decision outcome without actually having direct contact with the final target.