Businesses across Australia and New Zealand (ANZ) continue to be targeted by cybercriminals as technology advances and attacks become increasingly sophisticated. Australia saw one cybercrime report every eight minutes in 2020-21, equating to a 13 per cent increase on the previous year, while New Zealand saw a 15 per cent increase in cyber incidents in the same period.
However, technological advancements aren’t the only thing driving increased cybercrime across the ANZ region. The exploitation of vulnerabilities exposed by the COVID-19 pandemic and threats arising from conflict in eastern Europe also present challenges to local businesses, among other potential threats.
On the surface level, the pandemic is one example of cybercriminals exploiting real challenges and vulnerabilities for their own personal gain. There have also been instances of supply chain issues, food supply challenges, and refugee crises being exploited by cybercriminals looking to cause disruption to businesses. Cyberterrorism also continues to be a major threat to businesses and governments across ANZ, and this has only increased due to the changing geopolitical landscape.
While cybercriminals are becoming more creative with their approaches, the risk to businesses from the likes of ransomware, for example, goes beyond mere disruption. The biggest risk is data access and exposure, further driving the need for leaders to bring security into the very base levels of the organisation. There’s never a guarantee that cybercriminals will safeguard data once it’s accessed, even if ransoms are paid, so it’s essential that business leaders invest in greater data protection at every level.
The diversity of attacks is just one piece of the puzzle. One of the biggest challenges that’s come to the fore is how entrepreneurial cybercriminals have become, as evidenced in their ability to exploit almost anything without a second thought. Cybercriminal syndicates are increasingly acting like any business would; they share skills to take advantage of exploits and hire specialists based on specific capabilities, with some threat actors working for a multitude of criminal networks.
The existence of new threats is not the only cause for concern in the region. Businesses increasingly need to be able to adapt to the changing nature of cyberattacks and educate their employees on how to identify potential exploits, beyond the more traditional attack approaches such as phishing scams or infected files.
While new threats are constantly emerging, the style of attack is also evolving and cybercriminals are weaponising vulnerabilities and exploits with increasing speed, which should be cause for concern among businesses. One of the most concerning developments in cybercrime is the sophistication of attacks, with both the technology and attackers behind it growing progressively more insidious alongside changing motivations.
Cybercriminals have moved on from unsophisticated spray-and-pray or share-and-click approaches. They’ve become more targeted, more direct, and better versed in moving through organisations. It’s especially important for businesses to recognise this shift in approach and adapt both their cybersecurity approaches and their staff cybersecurity education and training to better address and protect against changing attacks.
There’s a risk of organisations becoming complacent in the wake of continued cyberattacks, especially as the question is no longer if but when organisations will be attacked. While there’s now a level of normality around cyberthreats, the risks start to include the potential for wilful blindness or risk fatigue in terms of cybersecurity. For example, business leaders may be tired of hearing about ransomware, but that doesn’t mean it will disappear.
As cybercriminals continue to increase the sophistication of their attacks, organisations need to double down on the security basics or risk their own complacency also becoming a significant threat. To counteract this, business leaders need to increasingly give cybersecurity a seat at the boardroom table and invest in zero trust strategies from a business perspective, instead of only a technology viewpoint.
Beyond strengthening an organisation’s security posture and better educating employees around maintaining good cybersecurity hygiene, more also needs to be done on an enterprise and government level to protect ANZ businesses from cyberthreats.
As cybercriminals evolve, often joining forces to share exploits, business and government need to equally engage in information sharing to help better protect organisations and data from cyberattacks. Enterprises need to collaborate more freely and engage in open communication; ultimately, it’s big technology that can contribute to the safety and security of individuals and their data, and more needs to be done to reinforce this.
As with physical security, there’s an increasing need for a collective, global coalition to be established that will help businesses and governments to better manage security and safety in the digital sphere. Without this, cyberattackers will continue to evolve and threaten businesses. And, as society becomes increasingly connected and attackers become more sophisticated in their approaches, the impacts of future attacks could be devastating.
Corne Mare is chief information security officer (CISO) for Fortinet Australia.
Glenn Maiden is director of threat intelligence for Fortinet Australia and New Zealand.