Cybercrime’s shifting sands: which industries are most vulnerable?

Powered By

When it comes to cybercrime, the most common industry targets are financial services, education and health, mainly because of their vast and valuable data.

Over the past year, however, cybercrime in Australia has increased by 13% because the pandemic has prompted a shift to remote working. Cybercriminals have swooped on unsuspecting organisations to probe their IT vulnerabilities, with 81% of organisations globally acknowledging they bypassed their own cybersecurity processes during the pandemic, according to the EY Global Information Security Survey 2021.

The Australian Cyber Security Centre’s (ACSC) recent report found that one in four incidents targeted critical infrastructure and services, such as aviation and defence. Some industries that were historically not a typical target are now finding themselves underprepared to face the threat.

“Financial services are quite used to dealing with cyberattacks every day,” says Richard Bergman, lead partner for EY’s Oceania cybersecurity, privacy and trusted technology practice. “Most other industries, including federal and state governments, have really under-invested in building up their defences. It’s something a lot of organisations are just waking up to.”

Trouble in the skies

Aviation is both a rich and soft target for cybercriminals, says Michael Wallmannsberger, a cybersecurity consultant and Air New Zealand’s former chief information security officer.

“It’s a rich target because aviation organisations tend to hold a lot of personal data, including identity data such as passport information,” he explains. “There’s payment card and loyalty data, and they’ve also got a lot of data about where you’re going. That information might be valuable to not only profit-motivated cybercriminals but to state actors conducting espionage.”

In 2018, a breach of British Airways’ security systems resulted in a leak of the personal data of nearly half a million staff and customers. In July, it was announced those affected would receive a confidential settlement following mediation. Britain’s Information Commissioner’s Office also fined the airline $38 million (US$27.7 million) for failing to protect the personal and financial details of its customers. This represented the largest penalty of its kind in the UK.

Wallmannsberger says even large carriers can be soft targets. “It’s a low-margin industry and airlines must compete aggressively and be highly efficient in terms of costs,” he says. “They’re highly dependent on technology, and their technology tends to have been built up over decades, so there’s lots of legacy and really complex business processes. From a defence point of view, that’s a tough challenge against a fast-moving threat.”

He adds that while planes aren’t falling out of the sky because of cybercrime – for now – the terrifying perception alone can be enough for cybercriminals to use as leverage.

Defence, by contrast, is an industry that only the most sophisticated cybercriminal outfits would go after, says Garrett O’Hara, principal technical consultant at Mimecast.

“Your average criminal organisation won’t poke the bear of defence organisations,” O’Hara says. “That is because the very large hammer of a government response is very different from a private enterprise’s ability to respond. They don’t have three-letter organisations that can appear in another country and start arresting people.”

He says the impacts of a successful attack on the defence industry could be devastating and ratchet up geopolitical tensions.

Strengthening protections

Organisations can better protect themselves by adopting cybersecurity risk-management measures, says Bergman. “The challenge, of course, is dealing with all the moving parts and complexity, and having the right skills and resources to do that. They need to start seeing technology capabilities as critical to their operations and a major strategic issue.”

Cybercriminals are now just as likely to attack an institution because of its capacity to pay and its weak defences – not just the type of industry it’s in – says Sophos’ ANZ managing director John Donovan. “It’s amazing how many ransomware attacks could have been prevented just from taking simple measures, such as backing up critical data and installing the latest security updates.”

EY’s global survey of more than 1000 senior cybersecurity leaders found that the most common obstacles to industries protecting themselves were inadequate organisational budgets and regulatory fragmentation. Wallmannsberger believes more regulation is needed, but due to the fast-moving and complex nature of technology and cybersecurity, regulations need to avoid over-specificity or risk becoming out of date quickly.

“Ideally, businesses would just make decisions about risk and do what’s required for cybersecurity,” he says. “But there are just too many examples of that not happening, and that’s for complex reasons. I don’t want to see poor regulation or an overreaction, but I think there’s a public good that justifies regulation because when a business is attacked, it has knock-on effects to the rest of the economy.”

Bergman believes Australia needs to boost its sovereign capabilities to protect itself better. “We need more people who are skilled in cyber technical skills, as well as greater collaboration between industry partners and the government.”

O’Hara applauds initiatives such as the Critical Infrastructure Bill, which would confer an extraordinary power of government intervention in response to cyberattacks on critical infrastructure assets. However, he believes the problem of cybercrime is so big that it requires a concerted collaboration of all stakeholders.

“The government alone can’t solve it and nor can private enterprise,” O’Hara says. “This is something we need to do as a society, and spending is important. We hear of these big numbers for different projects and it sounds amazing, but when you do the maths and divide it over however many years, it’s not quite as compelling.”