Health and Professional Services most at risk of prolific ransomware attacks

07 September 2021

The Office of the Australian Information Commissioner (OAIC) has recently released its Notifiable Data Breaches report covering January to June 2021. The OAIC received 446 Notifiable Data Breach (NDB) reports for the period. Although reported breaches decreased by 16% compared to the previous six months, the key concern for cyber professionals is now the type of incidents being reported.

Malicious or criminal attacks were the largest source of NDB reports, well ahead of human error and system faults. Alarmingly, 192 (43%) of the incidents reported to the OAIC were the direct result of a cyber-attack: a phishing campaign, compromised or stolen credentials, ransomware, other hacking activity or malware. Breaches involving stolen credentials increased by 24%, and the data also shows a proliferation of ransomware incidents. Credential theft is a common early step in a ransomware attack chain, typically ending in extortion and a payday for the criminal group, so it is notable that the two categories now feature at a similar level in the reporting to the OAIC.

The top five affected industry sectors in Australia are unsurprising. Health Service Providers and Professional Services are at the greatest risk, with the top sectors accounting for nearly 70% of all data breaches (69.5%), as shown in the graph below.

A Critical Alert issued by the Australian Cyber Security Centre (ACSC) on 2 August 2021 further highlighted the cyber risks facing the healthcare industry. Large volumes of valuable data, combined with historically low investment in cyber security, mean that the healthcare industry will sadly remain a high-priority target for cyber criminals.

The latest OAIC report confirms the trends we are seeing on the front line. McGrathNicol has observed similar cyber incident trends across our client base over the last six months. Increasingly, our teams have been engaged to provide both strategic and operational assistance in responding to ransomware and cyber-incidents across multiple industries. The encryption of critical resources, coupled with the theft of high value data, can cripple business operations and have significant financial and reputational impact. We encourage all Australian organisations to consider ransomware attacks as a high-risk and very real threat.

Executive and Crisis Management teams must stress test their crisis management capabilities, making sure internal teams are well-trained and ready to respond. In particular, a key part of this process is having a realistic conversation about the payment of a ransom or extortion demand in the event of a ransomware attack occurring. This is something we see as mandatory, and is a topic being debated at length in the public arena for good reason.

In considering how to reduce the threat, business leaders can complete a Ransomware Incident Preparedness Assessment as part of their broader cyber security strategy, to identify gaps in the controls that limit the likelihood and impact of a ransomware incident. Such controls include the following, as outlined in advice provided by the ACSC:

  1. Update devices and turn on automatic updates where possible.

  2. Turn on multi-factor authentication (MFA).

  3. Set up and perform regular backups, maintaining offline or segregated copies.

  4. Implement access controls on organisational devices.

  5. Prepare your cyber security incident response plan.

  6. Get to know your critical data within your organisation.

  7. Remain vigilant and informed.