Tony Jarvis of Israeli vendor Check Point told iTWire in an interview that ransomware "is very much a staple attack tool for cyber criminals everywhere and has also allowed for subsidiary cottage industries to spring up around it".
"These include ransomware-as-a-service (RaaS) offerings that allow those with very low technical know-how to get in on the act, by spreading the ransomware built by those more proficient," he added.
"In addition, ransomware affiliate programs have grown to allow the ransomware creators to claim a cut from their affiliates who spread this malware."
"However, even ultra-secure government organisations are vulnerable to attack, as we saw earlier this year when Victorian hospitals in Gippsland, Geelong and Warrnambool were hit by a ransomware attack," he said.
Jarvis said one trend that was catching businesses off guard was cryptominers, which had affected 10 times more organisations than ransomware last year. However, only 20% of security professionals were aware of mining malware infections.
"That’s according to Check Point’s 2019 Security Report which also found that 37% of organisations globally were hit by cryptominers in 2018, and 20% of companies continue to be hit every week despite an 80% fall in cryptocurrency values," he added.
"When organisations were asked what they rated as the biggest threats, just 16% stated cryptomining, compared with DDoS attacks (34%), data breaches (53%), ransomware (54%) and phishing (66%). This is concerning, as cryptominers can easily act as stealth backdoors to download and launch other types of malware."
The Australian Government has invited individuals and companies to offer their views on a new cyber security strategy for 2020, with its pitch indicating that it would like to get more involved in such a strategy.
Jarvis had a somewhat different take. "Cyber security threats exist within all organisations that don’t have the right protection in place, including government agencies," he pointed out.
"However, it is hard for government to mandate a cyber security framework because of the ever-changing nature of cyber attacks, and the different needs of each business. It is essential that businesses are proactive in their cyber security approach, and adopt a Zero Trust security approach in order to keep data protected, anywhere."
He defined Zero Trust as "a practical holistic approach to keep business data protected, anywhere - no device, user, workload or system should be trusted by default, regardless of the location in which it is operating from, neither inside nor outside the security perimeter", adding that such an approach aimed to close the security gap.
"Today, you no longer have to set foot in the office building to come to work," Jarvis said. "Advancements in technology have expanded what is now classified as 'the office', with companies able to interface through mobile devices and cloud software, regardless of where their employees are located.
"However, these developments pose a cyber security dilemma. The security perimeter is no longer confined to the walls of an office building. Valuable business data is transferred continuously between SaaS applications, IaaS, data centres, remote users, IoT devices, and more. Which means cyber-criminals have access to wider attack surfaces and more points of entry than ever before."
He identified IoT devices and the rise of 5G as two emerging technologies that were increasing risk to customers. "Securing IoT devices within an organisational environment has been challenging to date, partly due to the reliance on traditional security controls which provide only limited effectiveness," he pointed out.
"Security strategies need to evolve in line with the underlying technology, necessitating a combination of both traditional and newer controls in order to address the concerns posed by such devices."
The recent introduction of 5G networks in Australia would facilitate new kinds of applications, allowing users to connect more devices to the network and each other, while at the same time encouraging them to capture and share more of their personal data, Jarvis said.
"The amount of data being collected is one of the defining characteristics of these new networks, accelerated by the sheer number of connected devices and the countless sensors involved. Many security experts cite user privacy as the biggest challenge facing 5G networks. Multiple stakeholders will need to work together in order to address these concerns. This will entail industry bodies, network vendors and government agencies forming guidelines and regulations in an effort to keep communications, data and privacy secure."
He said Australia was aware of the need to have robust security in place and this was indicated by the fact that the government had put mandatory data breach laws in place. "While Australia is not the only country to have such laws, there are many that are lacking such an obligation to disclose data breaches," Jarvis added.
"We have seen regulation being discussed, implemented and reviewed, which bodes well for the long-term efficacy of such measures. The importance of regulation at a national level is now recognised by many countries. GDPR has been in place for over a year, and a similar initiative is slated to be rolled out in the US next year. Regulations which address the specific security concerns posed by developments such as drones and IoT devices are also being prepared."
He noted that security was a moving target "and the environment we operate in is constantly changing. What’s important is for the regulatory landscape to be evolving in step with these changes, and this is something that the Australian government is mindful of".