Head of Cyber Consulting, Marsh Advisory Pacific
Faizal is a senior security executive who sits on the Australian Information Security Association’s (AISA) Executive Advisory Board, on the Australian Cyber Security Centre (ACSC) panel reviewing the Australian Cyber Security Strategy, member of the Joint Cyber Security Centre (JCSC) and has worked closely with Australian Prudential Regulation Authority (APRA), Australian Payments Clearing Association (APCA) and most recently Australian Energy Market Operator (AEMO), Australian Signals Directorate (ASD) and The Department of Home Affairs, In addition Faizal is also the founder of the Cyber 12.
In today’s day and age, cybersecurity is important to us all because it encompasses everything that relates to the protection of our sensitive data.
The risk of a breach is ever increasing in this uncertain climate, we are largely driven by global connectivity and our shift towards a cloud first strategy. With poor cyber strategies and increasingly sophisticated cyber criminals, the risk of a successful cyber-attack or data breach is on the rise.
The days of a simple firewall and antivirus software being your sole security measures are long gone, leaders now have to be more proactive than reactive with their cybersecurity.
The importance of cyber awareness and training to educate your staff about simple social engineering scams like phishing and more sophisticated cybersecurity attacks like ransomware play an integral part in the organisation’s overall cyber defence strategy.
Before 2020 hit us with a curve ball, workplace mental health was already a significant issue for WA local governments. COVID-19 and the challenges of 2020 have compounded existing issues and the topics of mental health, stress management, and resilience are more pressing than ever for local government leaders, people, and risk managers.
In today’s day and age, cybersecurity is important to us all because it encompasses everything that relates to the protection of our sensitive data.
The LGIS health and wellbeing program is designed to assist members in creating a healthier workplace, improving awareness of health issues, lowering risk factors, and improving workers’ safety performance.
The importance of a robust cyber framework is on the rise. We are now more reliant on technology than ever before and there is no sign of slowing down. As each generation is more and more reliant on technology, the attack surface is therefore increasing at an alarming rate.
Governments around the world are bringing more attention to cybercrimes. The Notifiable Data Breach (NDB) scheme in Australia is a great example. It has increased the reputational damage of data breaches by forcing organizations that are subject to the scheme to:
Australia is not the only country with these types of measures, while there are no national laws overseeing data breach disclosure in the United States, there are data breach laws in all 50 states, and the General Data Protection Regulation in the EU. Commonalities with the NDB include:
Information theft is now one of the most lucrative businesses globally. Industrial controls systems (ICS) that manage power grids and other infrastructure can be disrupted or destroyed and are now
quite targeted.
Cybercriminals are becoming more sophisticated, changing what/who they target, how they affect organisations and their methods of attack for different organisations.
Social engineering remains one of the easiest forms of cyber-attacks with ransomware, phishing, and spyware being the easiest form of entry. Third-party and fourth-party vendors who process/access your data are another common attack vector, making vendor risk management and third-party risk management an imperative part of your holistic cyber strategy.
According to the Ninth Annual Cost of Cybercrime study from Accenture and the Ponemon Institute, the average cost of cybercrime for an organisation (globally) has increased by $1.4 million over the last year to $13.0 million and the average number of data breaches rose by 11% from 130 to 145. Information risk management has never been more important.
From June 2019 to June 2020 in local, state, and federal governments, there were:
The impacts of cybercrime can be varied and quite wide spread:
All levels of government, regardless of the size, must ensure all staff understand cybersecurity threats and how to minimise/mitigate them. There should be regular training and a framework to work with that aims to reduce the risk of data leaks or data breaches.
Given the nature of cybercrime and how difficult it can be to detect, it is difficult to understand the direct and indirect costs of many security breaches. This doesn’t mean the reputational damage of even a small data breach or other security event is not large. If anything, consumers expect increasingly sophisticated cybersecurity measures as time goes on.
A metropolitan local government received an email from a regular supplier, advising of changes to their bank account details. The email address was checked for authenticity with the current email address on file. Once confirmed, the bank account details of the supplier were updated.
The local government then received genuine invoices from the supplier for work carried out, and made payment in accordance with the changed details. A few days later the supplier contacted the local government advising that payment had not been received. Upon investigation, the most likely cause was that supplier’s system had been hacked by a third party and the perpetrator had sent the initial email advising the local government of the changes to bank account details.
A rural local government received an email from an employee who requested a change to their bank account details. The requisite form was supplied for the ‘employee’ to fill out. Once the completed form was submitted, it was sent to the payroll team for the employee’s bank account details to be updated.
A few weeks later, the employee advised that their wages had not been received. Upon investigation, the initial request to change bank account details had been fraudulent.
A large metropolitan local government was targeted in a high impact ransomware attack. Hackers gained access to their network and completely took over administrative privileges. The impact to the local government was several days of near-total IT services shutdown including limited/no access to phones, a complete server outage, limited end user computing capacity and a near inability for staff to work using technology at all.
Council had an IT partner and had invested in data-protection, firewalls, anti-malware, anti-spam, and anti-virus products, however due to the targeted nature of the attack, these were all unable to protect from this type of complex incident.
These claims were successfully made on the LGIS policy. Aside from the financial losses suffered by all parties involved, these scenarios also caused reputational damage and conflict with members’ business partners, particularly around determining responsibility for the loss and who would therefore bear the financial consequences.
Each month we take your questions to one of our LGIS team members to answer.
If you want to submit a question for next issue, email us at [email protected]
We are pleased to announce the continued transition of LGIS fleet protection across from traditional insurance placements to Scheme protection arrangements.
With limits on international travel boosting tourism within WA, it is essential to consider
public safety at local government facilities, places, and spaces.
Asbestos is a fibrous, naturally occurring mineral that was once used extensively due to being lightweight and resistant to high temperatures, electricity, and chemical corrosion.
LGIS is the unifying name for the dedicated suite of risk financing and management services for WA local governments, established by the WA Local Government Association in conjunction with JLT Public Sector (part of the Marsh group of companies). LGIS is managed by JLT Public Sector (ABN 69 009 098 864 AFS Licence 226827).
Risk Matters, via this website, is designed to keep members, their staff and elected members informed on topical risk management and insurance issues and LGIS programs and services.
