Einstein is credited with defining insanity as doing the same thing over and over again and expecting different results. That makes corporate Australia's approach to protecting its data and information an interesting conundrum: a reflection of how it thinks, and of its ignorance of the legal minefield it blindly treks through, writes Michael Connory.
Corporate Australia, it seems, whether through a lack of education or a lack of information, holds firmly to the view that investing large sums in technology while ignoring the role humans play will protect it against data breaches and attacks. It is a mistake made consistently, and one that matters more now that litigation looms larger than ever before.
Recognising what that legal minefield looks like and what it means for both corporate Australia and government, and seeing individual lawsuits and class actions become a reality, has driven legal firms such as Minter Ellison to establish dedicated legal teams focusing solely on cyber security law.
It has taken a once little-known but now world-leading Australian cyber security scoring program, the Cyber Assurance Risk Rating (CARR) program, to expose the glaring flaws that recur in how corporate Australia operates and manages its data protection.
Through the CARR program, organisations are beginning to check that each company they share information with has the security technology and processes in place to protect that data. Those checks have uncovered serious cyber risks, including the following:
1. Only 27 per cent of Australian software companies employ dedicated, certified security specialists to manage and implement cyber security best practice. That lack of serious security expertise exposes a core problem: software built to reduce an organisation's costs and make individuals more productive is being created without an understanding of how someone might misuse the application to reach confidential information.
2. Only 38 per cent of Australian technology organisations build 'secure by design' into their software development lifecycle. Most applications currently being developed may meet their business objectives but do not always measure up to security standards, which leaves the software we use every day vulnerable to a cyber incident. Smaller software companies are the least able to incorporate 'secure by design', because of its rising cost.
3. Only 52 per cent of Australian software developers have adopted a recognised information security framework, such as COBIT 5, NIST or ISO 27001, as the foundation for their organisation and its security program.
4. On examining how easily a software company could be socially engineered, only 13 per cent of the organisations reviewed understood how to respond to a request for information made under the Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018, the so-called encryption bill.
5. When asked how their organisation would respond to a request from an agency such as ASIO, most respondents (87 per cent) said they would not know how to respond. A further 11 per cent said they would need to obtain advice from outside counsel.
The following scenario shows how this becomes a problem. A person claiming to be from ASIO approaches a contractor or employee of an Australian software company and tells them that, under current law, they hold a "technical assistance notice" and can ask "orally" for the individual's help to spy on another person. No paperwork changes hands. The person claiming to represent ASIO simply points to the actual legislation to back the demand, together with the threat of five years' imprisonment should the individual tell anyone else.
The legislation therefore leaves the door open to anyone keen to gain easy access to confidential information: socially engineer the individual, using the legislation itself as the pretext, and obtain confidential information about another person.
A technical assistance notice served on a designated communications provider (DCP) could include:
- Decrypting communications where a DCP already has the ability to do so;
- Installing agency software on the DCP's network;
- Modifying the characteristics of a service or substituting a service provided by the DCP;
- Facilitating access to the relevant facility/equipment/device or service;
- Handing over technical information such as “source code, network or service design plans, and the details of third party providers contributing to the delivery of a communications service, the configuration settings of network equipment and encryption schemes”; or
- “Concealing the fact that agencies have undertaken a covert operation”.
Few organisations understand the legislation and fewer individuals understand their legal rights, which raises the question: what would you do if someone claiming to be from ASIO warned of an imminent terrorist threat and insisted you help install a piece of spyware immediately, telling you that if you spoke to anyone else or refused to help you would be prosecuted and jailed for five years, all delivered verbally and backed with extracts from the actual legislation? The practical defence is procedural: a request of this kind should be passed to the organisation's legal counsel and verified with the agency through an independently known channel before anyone acts on it.
What Security In-Depth has found is that Australian software companies have a long way to go in cyber security, and that it is becoming harder for smaller Australian technology companies to manage the complexity of cyber security as the cost of expert staff rises.
The CARR process, and the ability it gives organisations to review and understand the practices of the companies they share critical information with, is helping them understand the different risks of sharing information with other organisations and put in place practices and processes to protect it. Sometimes that means choosing to walk away when the risk is too high.
Michael Connory is the CEO of Security In-Depth.