Held to ransom: data security in the cyber age

By Andy Walsh

As widespread cyber attacks become more common, organisations must be vigilant in their preparation and response, according to MLS alumni working in cyber security.

When the ‘WannaCry’ ransomware attack hit networks across the globe earlier this year, more than 230,000 computers in 150 countries were affected. Two months later when the ‘Petya’ attack was released, governments and businesses were again under threat.

Above image: Cameron Brown (BA, LLB 2002). Image credit: supplied.

The attacks encrypted and held crucial data until a ransom was paid, crippling organisations as far-reaching as England, Ukraine and, in Australia, Tasmania. The victims included Britain’s National Health Service (NHS), German state railways, food giant Mondelez and law firm DLA Piper.

Cameron Brown (BA, LLB 2002) (@AnalyticalCyber), a cyber defense adviser, information security strategist, data privacy lawyer and digital forensic investigator, says attacks like these are likely to become more common.

Brown, who formerly worked with the United Nations, Australian Government and Transparency International, and now consults for a leading global firm based in Frankfurt, believes future ransom demands will vary depending on what an attacker believes the captured data is worth, and the perceived willingness and capacity of the victim to pay.

He says the success of ransomware may also inspire less sophisticated and opportunistic criminals to enter the fray.

The danger here is that newcomers will be seeking a quick grab for cash, without any intention of giving data back to victims once ransom payments have been made.

“Malware is already becoming more situationally-aware, so as to avoid detection and resist static analysis by security researchers,” Brown says.

Above image: Lynne Saunder (BA 1983, LLB(Hons) 1984). Image credit: supplied.

Lynne Saunder (BA 1983, LLB(Hons) 1984) is Senior Counsel at IBM Legal Global Technology Services and Cloud, Asia Pacific. She says the global malware attacks highlighted the organisations with strong back-up and resilience plans, and those without.

“Cyber criminals have traditionally targeted credit cards, passwords and personal health information,” Saunder says.

“But this has moved more into general data and intellectual property. All types of unstructured data, such as email archives, have been stolen.”

And the effects of cyber attacks can be both highly damaging and long-lasting. A study commissioned by IBM earlier this year found the average total cost of a data breach to Australian organisations reached $2.51 million.

“Loss of access to data can paralyse an organisation,” Saunder says.

“We saw UK hospitals being put under a lot of stress when their systems were unavailable in the ‘WannaCry’ incident.”

She says the recovery or re-creation of data can be expensive if good back-ups are not available. The damage can add up when possible fines, penalties and the cost of notifying customers and regulators are considered.

“The additional reputational damage is hard to quantify,” Saunder says, “in particular where customers have recourse to add negative commentary on social media if they perceive a breach or incident has been unsatisfactorily managed.”

Brown agrees, noting that even minor breaches can be critical when it comes to data and intellectual property being pilfered from government agencies or corporate networks.

“The pain for business owners and shareholders is palpable when stock prices plummet or administrators step in to wind things up,” he says.

“At the very heart of the issue is a timeless lesson – trust takes a very long time to establish, but only seconds to destroy.”

While it might be law firms that are called in to help manage the fallout from an attack, they too are not immune to cyber threats.

Helen Clarke (BCom 1992, LLB 1993) is a partner at Corrs Chambers Westgarth, where she focuses on technology, telecommunications, data privacy and intellectual property.

Above image: Helen Clarke (BCom 1992, LLB 1993). Image credit: supplied.

She is Partner-in-Charge of the firm’s Brisbane office and one of the lead partners in its new Corrs cyber team. This provides organisations with access to a combined group of data breach management specialists, including legal advisers, IT forensic investigation specialists, incident response consultants, and crisis and reputation management services.

“Law firms face the same cyber security risks that any organisation does, but the consequences of a cyber breach for a law firm can be significant given the highly-sensitive nature of the information – confidential client information, market-sensitive M&A (mergers and acquisitions) information – that they hold,” Clarke says.

“Law firms are therefore an area of business that is increasingly being targeted by cyber criminals.”

Despite these risks, Saunder says lawyers are well-placed to prepare for and respond to any cyber breaches.

“There is still a perception that cyber security is limited to the domain of technicians and geeks,” she says.

“Whilst these technicians are undoubtedly very skilled, having policies and managing an incident requires other key skills, such as communication, calmness, [an] ability to gather facts and set priorities under pressure.

“Lawyers excel at many of these skills, so whether you are in-house, in a firm or working for the government or another organisation, you have an important role in helping your organisation and/or your clients to be cyber-ready.”

Brown says leaders of industry and government must be more mindful of the need to frequently test the resilience of their cyber defences.

“Organisations that promote a culture of security – by building security-by-design into systems, establishing decision-making processes for staff and creating a security-minded workforce – are more likely to successfully defend against insider attacks, social engineering, and other persistent security threats,” he says.

“Be prepared to deal with a data breach. It can be very difficult to make sound decisions in a state of panic.”

Clarke says an immediate response to cyber attacks and breaches is the only way to minimise damage.

Above image: Rufus Black (BA 1990, LLB(Hons) 1991). Image credit: supplied.

Taking the cyber security threat seriously is not only important to a business’ bottom line, but also to the Australian economy.

Rufus Black (BA 1990, LLB(Hons) 1991), Master of Ormond College and a director at Corrs Chambers Westgarth, co-wrote a review of Australia’s intelligence agencies in 2011. In the report, he and co-author Robert Cornall (LLB 1968) predicted that cyber threats would increase in intensity and sophistication.

With those threats having now materialised, Dr Black believes that protecting economic and politically-sensitive data is one of the greatest challenges for Australia in retaining a competitive advantage.

“For a country like Australia that needs to have an ever more knowledge-based economy, the thing we can't afford to have stolen is the intellectual property upon which the future of our economy is based,” Dr Black says.

“Theft of IP from research institutions, government research agencies, private organisations, companies doing significant research and development – that needs to be protected.

“Every bit as much as the ore in the ground – the IP in our systems, the IP in our servers, that’s a future source of wealth.

“We don't want that to be stolen.”

This article originally appeared in MLS News, Issue 18, November 2017