Big four bank ANZ’s chief information security officer Lynwen Connick has warned organisations against paying ransoms to hackers, saying the payments only lead to more attacks.
The two recent high-profile cyber attacks against meat-processing company JBS and Georgia-based Colonial Pipeline both ended in multi-million ransoms being paid to hackers after they froze computer systems and brought their respective operations to a halt.
“When organisations pay ransoms it gives the perpetrators more funding and more motivation to continue with their attack,” Ms Connick said.
Lynwen Connick, ANZ Group’s chief information security officer, says banks are facing an increased volume of attempted cyber attacks.
Ms Connick, who previously led cyber policy and intelligence at the department of the Prime Minister and Cabinet from 2013 to 2016, added that the attacks on JBS and Colonial Pipeline highlighted that no industry was safe from hackers.
“There’s been a lack of awareness in the past. It is an important issue and a major risk for organisations small and large,” she said. “If you’re doing business online, if you operate a computer, you need to have good cyber security controls in place.”
Cyber attacks have become more sophisticated and were being perpetrated by individuals, sophisticated crime gangs and nation-states, Ms Connick said, adding that the volume of attacks often spikes during times of crisis.
According to Ms Connick, ANZ was now blocking around 12 million malicious emails per month, up from 4 million before the pandemic. Of these, around 5000 emails a day used information about COVID-19 to lure unsuspecting victims, including latest case numbers or exposure sites. These ‘phishing’ emails are often the gateway for hackers to mount a full-scale attack on an organisation’s network.
“Cyber criminals often play on people’s vulnerabilities, when they might not be thinking properly and open an email and click on a link that maybe they wouldn’t normally,” she said.
Federal Labor has called for a national ransomware strategy that would include mandatory reporting when victims pay ransoms to assist law enforcement investigations and help other businesses be better prepared for an attack.
Ms Connick said while it was not her place to call for changes to government policy, greater visibility is needed to ensure everyone “understands what’s going on”.
“If you know what attacks are occurring, just understanding that they’ve occurred, I think it’s appropriate that reporting is done to government organisations that can then help other organisations respond to something similar.
“We do a lot of work in sharing threat intelligence, it’s not necessarily to do with ransoms but when you see particular types of attacks happening in organisations around the world, sharing that information means other organisations are better prepared.”
“Most organisations do that voluntarily, you don’t need mandatory requirements. I think often doing things in a voluntary way is better at first instance, but sometimes you do require mandatory reporting to get everyone reporting and getting a better understanding,” she said.
Reducing the growing threat of cyber attacks requires a collaborative effort between the government and business, and Ms Connick said there was work underway to develop a secure digital platform where sensitive information about cyber attacks could be securely shared in a timely manner.
“If I want to share information more broadly, we need somewhere to share it, where that can be done securely and we need the right protocols in place to say what level of information it is,” she said. “That’s the sort of work that’s happening at the moment.”
A growing number of companies are reporting cyber attacks.
In the meantime, ANZ spends around $150 million per year on specific security capabilities, which includes developing “various playbooks” to protect the bank against an attack, including company-wide data backups and 24-hour surveillance.
Additional funds are spent on security-specific technology, Ms Connick said, but perhaps most important was getting the basics right by training staff to spot and report phishing emails. “No one mitigation strategy or security capability will protect you from every attack.”