Cyber threats can do harm to businesses of all sizes, with national security on the line when they are in the defence supply chain.
The ubiquitous nature of digital communications technology in 2021 means there would be relatively few people in the business sector unaware of the term ‘cybersecurity’.
While awareness is a good start, it does not necessarily follow that there is an understanding of the urgent need to prepare businesses to repel such threats.
Even within the defence sector, while cybersecurity remains top of mind for those in cyber or political circles, the issue remains a passing interest rather than a priority for the broader sector.
The threats are numerous and include state actors, cyber criminals and even insiders.
The assumption that it ‘can’t happen to us’ fails to take into account that, big or small, prepared or unprepared, a target company has value based on its ease of access, position within a larger information puzzle, or potential for monetary reward.
In this context, every business is a possible target.
Representatives from the Australian Security Intelligence Organisation (ASIO) and the Australian Signals Directorate (ASD) have previously mentioned the persistent threat that exists for businesses in Western Australia. Daily data breaches and cybercrime reports are a certainty.
Other sources have revealed the methodical and escalating cyberattacks our nation faces in efforts to test our cyber defence infrastructure.
In the modern world this is not surprising, but it does suggest a high level of motivation and sophistication.
This threat is particularly pronounced for the defence sector. Beyond the normal cybercrime opportunities that a commercial business presents, defence businesses provide a target-rich environment where the attraction can be information just as much as monetary reward.
Hacking of a company website and public-facing media, data loss, denial of service, and email compromises are some of the potential attacks.
Critical hardware has been, and can also be, ‘bugged’ when its intended destination is known.
The majority of these will lead to some form of direct or indirect financial loss, reputational loss, erosion of trust, insurance premium increases, and operational disruption.
There are some key steps that can be taken to help insulate your business against these risks.
The ASD has a published list of recommended steps, called the ‘Essential Eight’.
Every board should be aware of these measures; if not, they must be added to the agenda of the next board meeting.
Multi-factor authentication, back-ups and restricting administration access are some low-cost, quick-implementation measures.
Beyond the ‘Essential Eight’, it is sensible to be aware of your vulnerabilities.
Engaging forensic IT experts to create an action list to address any points of weakness is recommended.
For example, consider company policies for connecting to WiFi networks, and for travelling internationally with alternate IT hardware that doesn’t make the company vulnerable if a device is compromised.
There is the option to insure against the risk, with cyber insurance a mature offering in the marketplace.
Some cyber insurance policies include public relations support, indicating the expectation of reputational damage that can be caused by a data breach.
In the event of a cyberattack or data breach, you should immediately assess whether reporting it to the Office of the Australian Information Commissioner (OAIC) is warranted.
Their conditions include assessing if there was a breach, if there is a likelihood of serious harm, and if there are remedial actions.
If in doubt, contact the OAIC regardless.
Small businesses that work within the defence sector find themselves a soft target.
The hackers’ motive is to gain access to information about Australia’s defence assets.
The larger the business, the greater the challenge, but the bigger the reward for cyber criminals.
The threat applies to all.
The evolution of cybercrime will potentially have a disproportionate effect on smaller businesses, and the trend also reveals possible concerns for other business sectors.
A prime contractor to defence requires trust in its supply chain; cyber controls will therefore be a prerequisite for entering such an arrangement.
From a security perspective, this will be critical.
From a small business perspective, little consideration will be given to the return on investment.
This may subsequently preclude small business participation in major programs, and it is possible other business sectors will follow this example.
Finding an appropriately proportional approach, indexed to risk and value, will be critical in managing the threats while continuing to engage the best capabilities on offer from all of Australian industry.