Australia’s national science agency, the Commonwealth Scientific and Industrial Research Organisation (CSIRO), is offering free R&D Cyber Security training for SMEs. Applications for the next Cyber Security intake are open until Monday 11 July 2022, with the program commencing 26 July 2022.

Innovate to Grow: Cyber Security is a free 10-week program for Small to Medium Enterprises (SMEs) to further their R&D opportunities related to cyber security solutions. Applications for the next intake are open until Monday 11 July, with the program commencing 26 July 2022. Apply here.

The Innovate to Grow program is a self-paced and virtually-delivered program to boost innovation performance of SMEs in high priority sectors.

The course will provide tools and information to help you better understand what’s involved with R&D and key things you need to consider at each step of the process. You’ll be able to apply this knowledge to advance your innovation journey.

This program is specifically aimed at companies currently working and innovating in the cyber security sector. It is not a general course for those who would like to learn more about cyber security.

Dr George Feast, who leads the agency’s SME collaboration work, said the risk of cybersecurity attacks had increased following the COVID-19 pandemic. This view is backed by data from the Australian Cyber Security Centre (ACSC), which shows annual cybercrime reports in 2020-21 increased by 13%.

“Just like many other parts of the world, Australia’s dependence on the internet saw a big increase during the pandemic, with many services moving online and more people working from home than ever before,” Dr Feast said.

“To stay ahead of these cyber attacks, new solutions are required, and much of this is driven by SMEs developing new products and services through R&D.”

The CSIRO hopes its 10-week training will boost the number of SMEs wanting to test their commercial idea and collaborate with more R&D groups.

Up to 25 SME graduates of the training will be given a chance to connect with the CSIRO’s digital and data specialist arm Data61, along with dollar-matched R&D funding.

“Participants will be given help to refine a new idea they want to explore and to better understand their idea’s business and scientific viability.

“They will also be exposed to industry knowledge, hear from innovation and industry experts, and work with an R&D mentor,” Feast said.

While SMEs comprise an overwhelming majority of all businesses in Australia (99.8%), Feast noted the cost of R&D meant it was an expensive risk for this cohort without the right guidance and support.

Last year the national science agency released research showing that less than 15% of Australian businesses engage universities or research institutions for their innovation activities.

The ‘Innovate to Grow: Cyber Security’ training will start on July 26. If your organisation would like to apply here: https://bit.ly/csiro-cyber-security-rnd-training

While cybersecurity is becoming our greatest threat, complexity is acting as a massive risk amplifier. Indeed, for many IT leaders, CIOs and CISOs addressing complexity can be even more of a challenge than addressing the actual cyber threats, explains Bill Mew.​

As we discussed in a recent expert debate on ‘The Digital HQ: How to Effectively Run Your Business in 2022‘, we need to address both cybersecurity and complexity at the same time; with security built in at all levels (from the hardware up) and with enhanced manageability enabling us to overcome the rising complexity.​

The problem is that complexity is widespread and, if anything, it is getting worse in many key areas:​

Cloud complexity:​

Many organizations have long-held digital transformation ambitions, based on strategic plans to migrate their workloads to the cloud. Whereas, once it was ‘do we want to migrate to the cloud?’, it soon became ‘in what order should we migrate workloads?’ And then for many during the pandemic it became ‘how quickly can we migrate them’ as the need to enable working from home accelerated their move to the cloud. Further complicating matters is the need to support legacy systems, many of which cannot be moved to the cloud easily or at all. There is typically also an array of SaaS applications, a proliferation of shadow IT instances, and particular workloads that are tied to different cloud providers, resulting in a hybrid multi-cloud reality that CIO’s have little choice but to deal with.​

Compliance complexity:​

At the same time compliance teams are currently facing numerous headwinds at all levels. Increasing compliance challenges are even hitting regulated industries, such as the financial services sector, which is already used to a significant burden of compliance, from Anti-Money Laundering (AML) and Know your Customer (KYC) to data privacy and MiFID (Markets in Financial Instruments Directive). A divergence of sometimes conflicting regional data sharing regulations has created a patchwork of data islands. Data sharing across the Atlantic has been impacted by the demise of Privacy Shield and across the English Channel it has been impacted by new trade processes as a consequence of Brexit. Add to this the various data sovereignty and data residency regulations emerging in various countries, as well as on a state by state basis across the US, and firms are facing an ever more complex compliance landscape. On top of this there is now the need to comply with a fresh wave of sanction requirements that are changing frequently. Thus, it is evident that compliance has become an almost impossibly complex task. Indeed, most organizations are now believed not to be fully GDPR compliant and many could well be falling short in other areas as well.

Cybersecurity complexity:​

If anything, the cloud and compliance challenges are dwarfed by the challenges that It leaders, CIOs and CISOs face in dealing with the rapidly increasing volume and sophistication of cyber attacks. ​

We are in an AI-powered cyber arms race, where black and white hats are battling to be the first to uncover vulnerabilities that they can either exploit or patch, but the black hats only need to be lucky occasionally while the white ones have to be lucky all the time. And if the rising volume of ransomware attacks and severity of supply chain attacks were not enough, IT leaders, CIOs and CISOs were forced to accelerate cloud migration plans during the pandemic with remote access creating additional vulnerabilities. And the worsening geopolitical situation means that in addition to opportunistic cybercriminals, they may also face well-resourced and highly-skilled state actors as well. Unfortunately, a proliferation of poorly integrated point products and security solutions mean that the management and interoperability of their cyber tools is often as much of a challenge as dealing with the cyber threats themselves.​

Countering the threats while overcoming the complexity​

Addressing the myriad of challenges will require a multi-layered approach with integrated and automated tools to help overcome the overall level of complexity.​

• Multi-layered: there is no silver bullet or single all-encompassing solution. You need hardware-based security and remote manageability baked in from the ground up, and this starts with the processor – those supporting Intel’s vPro platform incorporates both. Instead of focusing simply on a protective perimeter, multi-layered security provides ‘defence-in-depth’ with a ‘Zero Trust’ approach. While traditional security only really protects against known threats and known attack vectors, a multi-layered approach can also:​
• protect and guard against upcoming or increasing polymorphic malware​
• provide protection from an attack that comes through email attachments, files, adware, links, apps, and more​
• counter the potential threat from insiders and rogue administrators as well as from external actors (including those in the supply chain)​
• provide DNS-level security to safeguard against threats arising at the network level.​
• Integrated: rather than needing to develop skills for multiple point solutions, each with different implementation and management requirements and each with a different dashboard, CIOs need solutions that are not only reliable, but that can be managed via secure APIs from central management consoles to provide the desired ‘single pane of glass’. Again, Intel’s vPro platform and other leading security solutions provide this level of interoperability. As more vendors adopt such interoperability, APIs will enable IT and security teams to manage operations centrally from a dashboard of their choice, whichever is best for their business.​
• Automated: even with centralized dashboards though, the volume of attacks is making it impossible for security teams to manage threats in real time without a level of sophisticated automation. Such automation tools need not only to be finely tuned but must also include situational intelligence. For Security Operation Center (SOC) teams, ‘false positives’ are one of the biggest pain points, with too much time and effort often spent chasing security alerts that incorrectly indicate a vulnerability where none exists. ​

Automation can also have many other advantages – such as dealing with the dull and difficult, but nevertheless essential, tasks like backups or patch management. This can be a real challenge when dealing with a geographically dispersed array of devices. Ideally, you’d want to automate patch and update controls remotely. Unfortunately, this kind of remote management is only really possible if you have invested in devices that incorporate Intel’s vPro platform. ​Having Intel Hardware Shield built-in, allows such devices to deliver one of the highest levels of hardware, software, and data protection right out of the box. Not only does it minimize the risk of malware injection by locking down memory in the BIOS when software is running, but it also helps to prevent planted malware from compromising the OS. You also get a secure boot, allowing your PCs to launch into a trusted state.

With a war for talent and cyber skills in short supply, securing scarce resources only to waste them all with unnecessary complexity is no longer viable. However, with complexity increasing on so many fronts, expecting to overcome it without actively seeking to adopt fully integrated and automated tools, is somewhat unrealistic – just as addressing the cyber threat landscape is equally unrealistic without a multi-layered cybersecurity approach. Focusing on doing both together could well be the only viable option.​

Extortionists like multiple levers

In my last blog, I wrote about the perils of data growth and the increased ‘attack surface’ it presents, which was part of a wider message on data and sustainability. Here, I’m digging into the security aspect of data growth, how it relates to cyber-attacks and especially to ransomware.

Let’s start with the mind of the attacker. The more hooks they have you on, the more likely you are to pay. Even now, organisations (commercial & public sector) are still falling victim to ransomware without a reliable cyber-recovery strategy. If your attacker infiltrates your organisation undetected for months, not only can they encrypt your data, but they can also extract it. This is an increasing problem, known as leakware, or double extortion.

The idea behind leakware is that in addition to encrypting your data, the attackers will also make exfiltrated sensitive data publicly available. The idea is to scare you into paying the ransom not just to get back access to your encrypted data, but also to avoid regulatory fines and/or lawsuits. Both can be eye-watering in scale, and despite the headlines GDPR isn’t the scary one here – class action suits could cost many times more¹. There’s also the addition of brand-damage which can really hurt you depending on the sector you operate in. Leaked legal, financial, or medical records are particularly devastating, and research indicates that a data breach in a small or medium business leads to closure of the company in up to 60% of cases².

Ransomware-as-a-Service doesn’t come with an SLA

The murky world of ransomware has a lot of variability. Ransomware-as-a-Service means you could be hit by an inexperienced hacker looking to make a fast buck, or a ‘professional’ criminal gang with capabilities that rival that of nation states.

So, on the upside they might be bluffing about having your data… but how can you tell for sure? If they offer you a sample or file names, ask to see everything. It’s easy to make copies and a professional gang can (somewhat ironically) give you a secure connection. They wont worry about storage costs either. This will also give you some time to check your security logs, and to engage a crisis/breach management specialist³.

Doh! They have our sensitive data!

‘Well, that’s just bad luck, isn’t it?’ Unfortunately, regulators and litigation lawyers will always see the answer to that as ‘no’. From un-patched firewalls and VPNs to unsecured cloud buckets, and rogue employees, it’s always the fault of the organisation, and it’s the organisation that ultimately pays up. Er, but…

• My data was encrypted! Encrypting data at a storage level doesn’t help if hackers have user-level access
• The user shouldn’t have had the breached data in the first place! Still your fault – training, access controls, data policy etc.
• It was the database admin that made an insecure copy. A control issue: DBAs should not have un-checked access that enables them to make unauthorised copies
• How can we pay that much??? Maybe you shouldn’t have collected personal data that you didn’t explicitly need, or held on to data for so long

Where (and when?) did you park your time machine?

Sadly, if you’re in a situation right now where leakware has led to a confirmed data breach, you have very few options. ‘What about my cyber-insurance?’ I hear you say. Before you rely on it (or buy it) I recommend you research it carefully – many experts question its impact and its value⁴.

If you operate in the EU, and personal data on EU citizens is compromised, you MUST report a data breach to the supervisor authority within 72 hours. The UK’s Data Protection Act 2018 is the same. Regulations in other countries vary but trying to keep a breach quiet will invariably get you into more trouble and will always lead to larger fines than ‘fessing up’. You also have a duty to your customers (and suppliers) to notify them so that they can take any necessary action to protect themselves – failures here will harm you in court if that’s where you end up.

Ultimately, for leakware to work the cyber criminals are relying on your integrity falling short. If it does and you pay the crooks, how can you be sure they will delete the copies they have? You really can’t.

Three steps you can take today to mitigate the risk of leakware:

• Have a security review. Employ some security specialists to assess your organisation and importantly, act on what they say
• Sort your data out. Data growth increases your attack surface (risk) and costs you lots of money. Profile your data and expire, secure and archive based on content and business policy. Automate it for the future or you’ll end up in the same state again
• Get a training program in place. Your users are a big risk factor, and they are also your eyes and ears. Training helps reduce risk and spot issues early

No security is fool proof, so in addition to these steps having a backup and disaster recovery system that is resilient to ransomware is also critical. Look for a zero-trust security model, immutable backups, and air-gapped cloud storage as a minimum. These won’t help with leakware but are essential components of any serious ransomware risk mitigation strategy.

As I said in my last blog, sorting out your data can save you buckets of money, enough to beef up your security and train your staff, with change to spare. I can’t see any boardroom turning that down.

Sources:

1: EasyJet example: DPA 2018 (GDPR) states that companies who fail to secure personal data can be fined up to 4% of their turnover – for EasyJet in 2019 it was a little over £6B; pre-pandemic law firm PGMBM planned to file an £18 billion class-action lawsuit for the same breach. While neither are likely to meet the headline figures, the company could end up paying out on both

2: 6 Potential Long-Term Impacts of a Data Breach, Security Intelligence, Nov 2021 https://securityintelligence.com/articles/long-term-impacts-security-breach/

3: Crisis management companies can provide forensic security services, expert IT support, legal help and reputational damage management – but don’t wait until you need one to research them

4: Cyber-Insurance Fuels Ransomware Payment Surge, security Threatpost, June 2021 https://threatpost.com/cyber-insurance-ransomware-payments/166580/