Cyber security attacks are evolving to get more sophisticated and targeted. Currently, 250,000 malware alerts are created a day and 30,000 websites are compromised a day, globally, according to Sophos Labs. Targeted cyber attacks looking to steal personal identity information (PII) are on the rise as criminals target employees as their gateway to the organisation.
IT security and data protection provider, Sophos, engages with governments in Asia Pacific not just as a provider of security software, but also as an educator, explains Rob Forsyth, APAC Director of Sophos. He believes that information sharing and education are key to maintaining strong cyber defences for government organisations.
The Australian Crime Commission reported in 2013 that the overall cost of cyber and major technology-enabled crime to the Australian economy is estimated to be US$1.7 billion per year, with major cyber intrusions costing organisations an average of US$2 million per incident.
One such cyber attack attempted to steal PII from employees of the Department of Defence earlier this year. The scam involved targeted emails advising that a childcare centre was to open soon and would only accept children whose parents worked in the Russell complex in Canberra.
The Russell complex is where the Defence Signals Directorate (DSD), Australian Security Intelligence Organisation, Defence Intelligence Organisation and other Defence Force and Department of Defence agencies are located. The childcare application asked for information such as employee numbers, tax file number and official business cards - information that is normally not requested.
“The DSD began to analyse who this advertisement was being run by and identified it to a location to the north of Australia. They were clearly attempting to get information from employees of Department of Defence,” shared Forsyth.
The “keys to the kingdom” for security lie with an organisation’s staff, Forsyth believes. “The answer to security is not just about IT systems, but also about having good staff. Staff education is my personal mantra,” he says.
Even the rise of social media threatens government security today. Forsyth talked about cases of criminals using fake LinkedIn profiles to target an organisation’s employees and attempting to get personal information which could eventually give them access to the organisation itself. “Are organisations communicating with their own employees about what security issues this could create?” asks Forsyth.
What governments can do is create a good IT culture of caution within their organisation, he advocates. This includes educating staff, organising human resources and encrypting trophy data.
Government agencies should ensure mandatory password hygiene and internally publicise audit oversight, making it known to the staff that security action is being taken. They should also regularly review logs and actively counsel staff.
“30 per cent of companies currently don’t have a plan in case of a cyber breach.” It is crucial to have a cyber security action plan, which governments could perhaps share amongst each other, he suggests.
In September this year, Sophos was given the inaugural Partnership Award by Australia’s Queensland Police Service in recognition of its efforts to raise greater awareness about fraud and cybercrime in the government and communities.