From employee tax file numbers stored on a USB and passed around an office, to this week’s establishment of the Data61 Oceania Cyber Security Centre, they discussed the exponentially growing threat of cyber attacks.
Here are some of the things top of mind among the panel members.
The numbers are mind-boggling
Simon Raik-Allen, MYOB’s Chief Technical Advisor, said he recently tallied the number of online services he has subscribed to that required a user name and password. The total: 285. He said most people tallied between 100 and 200. That’s a lot of potential gateways for a security breach.
Raik-Allen said few people realised the scale of botnets, which scan the world looking for unpatched networks. “My home router averages 150 attacks per day.”
This changing threat landscape means businesses have no idea how much they should be spending on security. “In most cases it’s a judgement call,” he said.
Large clients are forcing smaller businesses to take cybersecurity seriously
Alastair MacGibbon, the Prime Minister’s Special Adviser on Cyber Security, said solving the cybersecurity problem was a “generational opportunity” – but there were no silver bullets.
He said individuals often didn’t understand the value of their own data. “We trade it off for free services. I’m concerned about the amount of information we give away about ourselves,” he said.
When it comes to business, he said there were promising signs: smaller providers were being forced by larger customers to tackle cybersecurity more rigorously.
Government alone can’t tackle cybersecurity
Echoing sentiments raised by Prime Minister Malcolm Turnbull in Washington recently, auDA CEO Cameron Boardman said the government alone was neither willing nor able to govern the internet single-handedly. He said it must be a joint approach between the government, industry and academia.
When it comes to cybersecurity research, money talks
“University interest follows money,” Professor Paul Cornish, from Oxford University’s Global Cyber Security Capacity Centre, told the panel.
He said when governments start offering money to solve a problem, the university sector shows interest.
Education is key to withstanding the onslaught of threats
MailGuard CEO Craig McDonald told the panel nine out of 10 businesses had threats landing regularly in their email inboxes. He said phishing click-rates were about 25%, often pushed higher by cybercriminals impersonating trusted brands. “Most of [MailGuard’s] referrals come after an issue has occurred,” he said, pointing to a tendency for lax processes until a company has fallen victim to a cyber attack.
But no training can combat boredom
Security expert and SafeStack founder Laura Bell added that some people clicked phishing links out of boredom rather than naivety, knowing they could hand over to IT to ‘fix it’ if a problem arose. She agreed education is essential, saying only 48% of users have a passcode on their smartphone, despite the wealth of personal information they hold. “They’re gateways to your entire world.”
But she said training alone isn’t enough, and stressed the need for employees – and just as importantly, executives – to be measured on their security capabilities before and after companies invest in training.
Treat your company as a social network
Addressing the fact not all cyber attacks come from outside an organisation, Professor Leckie said the key to preventing rogues was to treat your company as a social network. “Review access rights regularly. Ask why has this person got this access?”
While attacks are increasing exponentially, our capability for analysis isn’t
Professor Chris Leckie, a University of Melbourne academic and Associate Director of the Oceania Cyber Security Centre, said some telcos collected petabytes of relevant data each day, but had little capacity to analyse and contextualise it. He said while it was easy for criminals to increase the scale of their attacks, the security world needed to make it easier for organisations to respond.
AuDA has just completed its largest-ever deletion of domains impersonating Australian businesses
Last week auDA – the administrator of the .au domain – deleted 1025 domains that attempted to trade off the names of well-known businesses. auDA chairman Stuart Benjamin said the majority of those deleted originated in China.
There's far more to tackle
When it comes to cybersecurity, there's no quick fix. The Australian Internet Governance Forum continues in Melbourne on Wednesday.