WA businesses are facing increased pressure to bolster their cyber defences against malign actors.
There's a heightened urgency around cybersecurity among businesses in Western Australia following a recent surge in ransomware attacks.
The renewed cyber focus comes amid the introduction to federal parliament of the Cyber Security Legislative Package 2024, which has yet to be passed into law.
One aspect of the package, the Cyber Security Bill 2024, seeks to establish minimum cybersecurity standards for smart devices, create a cyber incident review board, and introduce mandatory reporting for businesses that pay a ransom because of a cyber incident.
The Bill also aims to empower the government, enabling it to direct entities to rectify significant deficiencies in their risk management programs, and enhance assistance measures for critical infrastructure targeted by cyber threats.
UK-based Darktrace, a global leader in cyber defence, has reported alarming statistics regarding cybersecurity threats.
Between January and June 2024, information-stealing malware strains accounted for 29 per cent of all malware incidents worldwide.
Among Darktrace's findings was a proliferation of sale-and-ransom efforts and of double extortion, a tactic whereby attackers not only encrypt data but also exfiltrate it, giving them two revenue streams.
Between December 2023 and July 2024, Darktrace detected a staggering 17.8 million phishing emails sent to its customers, with 62 per cent successfully bypassing essential security measures.
Darktrace regional vice president Australia-New Zealand, Sushant Arora, highlighted the critical need for Australian companies to elevate their cybersecurity practices.
“Every organisation needs to invest in board-level cybersecurity education and training, implementing AI-powered cyber defence systems, regularly assessing and addressing cybersecurity risks across the entire supply chain, and fostering a culture of cybersecurity awareness through the organisation,” Mr Arora said.
He stressed that boards must take immediate action, particularly considering the new legislation, which would enforce mandatory reporting requirements for businesses that pay ransoms.
Darktrace director of enterprise security for Asia Pacific and Japan, Tony Jarvis, said he welcomed action on cyber legislation but feared the unintended consequences of mandatory reporting.
“There are several cases where somebody pays the ransom and then the ransomware operators say, ‘Well, they’ve already paid once, let’s go after them again’,” he said.
“Ordinance to disclose the fact that they have paid a ransom is certainly not something every country is doing. Australia is unique there.
“I think it at least shows that [legislators] aren’t limiting themselves to what other countries are doing. They’re putting it through their own lens and thinking carefully about what else can be done.”
Mr Jarvis said businesses were generally discouraged from paying a ransom, but he expected the reported number of ransoms paid to escalate.
“Ultimately, [paying a ransom] comes down to not so much of a security question, but a business question: how much is it going to cost to pay the ransom versus how much are we going to lose, from a business perspective, not being able to operate?” he said.
One thing Mr Jarvis said needed to be ironed out in the legislation was a clear understanding of which businesses would be implicated.
“I talk to organisations who tell me they’re not entirely sure just yet whether or not they would fall under the [legislation’s] umbrella,” he said.
“They are sizable organisations with various parts that do several different things, and they’ll find certain elements of their business may be subject to the legislation, but other parts not.
“There are people just sort of scratching their heads, wanting a little bit further clarification. That is something I am seeing at the moment.”
The need for enhanced cybersecurity has become increasingly urgent, particularly as the Australian Securities and Investments Commission has announced investigations into how company directors are preparing for potential cyber-attacks.
ASIC chair Joe Longo warned that the regulator would take legal action against directors who failed to adequately protect their organisations.
“With one cyber-attack reported every six minutes in Australia, ASIC’s message for directors is to make sure your organisations have appropriate cybersecurity measures in play; this is your responsibility,” Mr Longo told a recent cyber summit.
Recent incidents have underscored the severity of the situation.
In early October, Kingsley-based TPG Aged Care suffered a breach in which the LockBit ransomware group claimed to have exfiltrated 65 gigabytes of data.
The data included sensitive information, and LockBit has threatened to release it on the dark web.
A spokesperson for TPG Aged Care said the incident had been reported to the Australian Cyber Security Centre.
“TPG Aged Care will ensure that any affected individuals will be briefed as information becomes available,” the spokesperson said.
Adding to the concerns, Compass Group, one of Australia’s largest food and support services companies, was recently targeted by the Medusa ransomware group.
In a dark web post on September 17, Medusa claimed to have exfiltrated 785.5GB of data.
Following the breach, Compass Group worked to verify the compromised information and initiated legal measures to prevent the publication of any sensitive data.
“In anticipation that the accessed data may be illegally published online in the coming days or weeks, we are taking a number of legal steps to prevent this activity and limit its impact,” a Compass statement said.
“This includes working with the Australian Federal Police to remove any material that is posted and taking court action to prevent any party from republishing that data.”
Further highlighting the cyber threat, WA-owned wholesaler Myelec Electrical was attacked in September by the Meow ransomware group, which claimed to have taken more than 110GB of data.
This incident occurred less than a month after Myelec had fallen victim to another ransomware strain, Lynx, on August 24.
Kempe Engineering, which has offices in Port Hedland, Karratha, and Perth, experienced a significant breach in August when approximately 4 terabytes of data were stolen using RansomHub ransomware.
This attack came just a week after civil engineering firm McDowall Affleck, based in Midland, was compromised by the same ransomware group, with 470GB of data allegedly exfiltrated.
McDowall Affleck has been involved in several high-profile projects, including Snowy 2.0 and the Forrestfield Airport Link, which makes the data breach particularly concerning.
A popular preconception of cyber-attacks has been that criminals go after large businesses, as evidenced by the Medibank and Optus breaches, which attracted public scrutiny recently.
And while large breaches such as those can have far-reaching implications, Mr Jarvis said attacks on smaller targets had become more common.
“You think of the big organisations, the household names, and you think, well, obviously they’ve got to be important,” he said.
“But they do business with several other partners and suppliers.
“They may be much smaller in size, but they’re critical, because if they’re out of the equation then you don’t have everything up and running at the bigger organisations.”
Submissions on the legislation to the parliamentary committee closed on October 25.