Defending Cybercrime as a Service (CaaS)


Have you heard of cybercrime as a Service?

Australians have started the race to have 80% of the adult population fully vaccinated by the end of 2021. This is important because vaccination reduces the health, social and economic impacts of the COVID-19 pandemic.

However, hackers don’t share the same morals as us. They see this as an opportunity to perform cyber attacks, slow down the vaccination process and demand a ransom. In August 2021, the government of Lazio in Italy was hit by a cyber attack that impacted the region’s portal for COVID-19 vaccinations and other IT systems. The attack stopped bookings for jabs.

Throughout the COVID-19 pandemic, cyber criminals routinely attacked hospitals and healthcare facilities with ransomware. They did this, knowing organisations would be more likely to pay ransoms due to the need for lifesaving medical technology.  Cybercriminals quickly adapted their methods, and as a result, there has been an increase in COVID-19 themed malicious cyber activity.

However, hospitals and healthcare facilities are not the only ones under attack. We live in a world where we communicate, learn, do business and are entertained through the Internet. Our reliance on the Internet has increased cyber threats and made every organisation a target for cyber attacks.

In Australia, businesses are under continuous cyber attacks, with more than one cyber crime reported every 10 minutes, as indicated by the Australian Cyber Security Centre (ACSC). Hackers and other threat actors are getting more sophisticated. They have organised themselves in a Cybercrime as a Service (CaaS) business model to sell or loan their hacking tools and services to people. This means even those without technical knowledge can perform cyber attacks.

This blog post provides three recommendations for organisations to follow to address their cyber security concerns.

Quantify the impact of Cyber Attacks

Cyber attacks can result in sensitive data leaks, operational outages and reputational damages that cost businesses millions of dollars. These costs include lost revenue due to business interruption, cost of investigation and recovery, penalties and significant reputational damage that could be long lasting.

Property valuer LandMark White, one of the biggest valuation firms used by banks and other lenders across Australia for services such as assessing mortgage applications, was under a series of cyber attacks in 2019. Using a vulnerability in the IT systems, the attacks exposed the property valuations, personal details and driver’s licenses of 275,000 individuals. The cyber attacks cost the business $7 million in revenue, losing key customers and the stepping down of a co-founder and the CEO. Furthermore, the firm has undergone a complete facelift, rebranding itself as Acumentis to get back on its feet after the cyber attacks brought the company to the brink of collapse.

In Australia, in 2018 a data breach involving an online recruitment organisation, PageUp People Ltd (PageUp), is another example of a data breach in the public domain. Using a brute-force attack, an attacker gained access to a shared email account used by the entity containing the personal information of over 50,000 individuals, such as driver licence numbers, health information and financial information. PageUp faced huge customer losses and lawsuits after the data breach.

The average cost of cyber crime to an Australian business is $276,000. It is recommended that every business estimates the cost of a cyber attack to them. This is done by estimating the cost of potential outcomes such as incident response costs, regulatory investigation and defence, penalties, loss of profit due to downtimes, increased cost of working, lawsuits, the impact of losing sensitive information such as commercial and intellectual property.

Trust the Cyber Security Strategy

I acknowledge that we can’t predict what hackers will do. The Australian Bureau of Statistics (ABS) could not guarantee cyber attacks wouldn’t affect census night in August 2021. However, with the help of the Australian Cyber Security Centre, they took every step to protect household data from state-based actors and hackers. And as a result, the ABS confirmed that Census 2021 experienced no breaches or interruptions. This is an example of what success looks like when organisations implement a Cyber Security Strategy.

Australian businesses must have an IT security strategy that includes access control, backups, and patching, among others. The strategy ensures they are not vulnerable or compromised and their security operations are optimised.

In my previous blog post, “Cyber Security – Where do you start?” I highlighted the pathway organisations should follow to create a Cyber Security Strategy and improve their cyber security posture. The high-level steps include business awareness, risk assessment, implementing security controls, mitigation strategies and continuous monitoring. I stressed that no single solution fits all and organisations need to invest in the mentioned steps to defend against cyber attacks.

Allocate an adequate budget

Cyber attacks are a serious problem that cost our economy $1.4 billion in 2020 and caused the government to allocate a budget of $1.67 billion to investigate and shut down cyber crime – the majority of this budget is assigned to enhancing cyber situational awareness and response.

An Australian survey conducted in September 2019 on cyber security for small to medium businesses found that 48 percent of respondents spent less than AUD $500 on cyber security per year. Surprisingly only 2 percent of the SMBs surveyed spent AUD $50,000 or more on cyber security. This shows that many businesses are still underestimating the importance of cyber security.

Most techniques used by cyber criminals are known. Technology has emerged to provide the right tools to enable organisations to prevent, detect and respond quickly to cyber attacks. Security solutions are no longer expensive nor complex, especially with our cyber security expertise and consultancies in Australia.

Organisations need to analyse their data to know where to focus their cyber security spending. Analysing the data will give organisations information about the most common attacks related to their business and the effectiveness of the related security solutions. Only then will they be able to identify the right tools to use and allocate the appropriate budget.

The Result

Every dollar spent on cyber security mitigates the impact of a cyber attack.

Organisational leaders can sleep better at night knowing they did the right thing to counter cyber attacks and that they’ll never have to pay a ransom to fuel criminals in order to resume their work, protect their data and their reputation.

That’s how the Lazio government survived the cyber attack on its COVID-19 vaccination registration portal and managed to restore most of the services, minimising the impact to one day only without the need to pay a ransom.

Businesses need to understand that no single solution fits all. This is why it’s best to work with a cyber consultancy company that partners with them to understand their business and implement the right solutions within their budget.

Author: Mouaz Alnouri