Future-proof - May 2021 edition

On this page

• Making headlines
• Market update
• VMIA news and insights
• Tools and resources 

Making headlines

Cyber security, safety and trust ‘the keystone’ of our digital economy: Commonwealth Budget 2021

The Commonwealth Government announced several cyber security initiatives as part of its $1.2 billion Digital Economy Strategy, designed to secure Australia’s economic future and recovery from coronavirus. Initiatives include:

• $31.7 million to secure future connectivity using 5G and 6G mobile networks
• improved standards for trusted identities that underpin the digital environment
• efforts to strengthen Australia's data security settings through the development of a National Data Security Action Plan
• piloting Cyber Hubs, which will see the government’s larger agencies provide cyber services for the smaller ones
• Peri-Urban Mobile Program to improve mobile phone connectivity in bushfire prone areas.

Attack on US gas pipeline shows vulnerability of energy infrastructure

Colonial Pipeline transports almost half the US East Coast’s fuel supplies and services some of the nation’s largest airports. A ransomware attack forced it to shut down in early May, demonstrating the vulnerability of ageing infrastructure to cyber attacks.

The Federal Bureau of Investigation has confirmed DarkSide ransomware was responsible for compromising Colonial Pipeline’s operations. DarkSide hacked into the network, encrypted files to deny Colonial Pipeline access, and extorted the company with a reported US$5 million bitcoin payment to restore service. 

Gas deliveries halted and prices surged as a result of the attack, showing the need for urgent action to protect critical and ageing assets against these threats.

Ransomware is malicious software that makes computer operating systems or files unusable. Cybercriminals use ransomware to ‘hold hostage’ files or devices, then demand a ransom to release them. The Australian Cyber Security Centre (ACSC) advises against paying ransoms as it can increase an organisation’s vulnerability to similar attacks in the future.

Attacks on critical infrastructure are a major concern for Australian governments, and efforts to prevent them have accelerated following the high-profile breaches at Mimecast, SolarWinds, Accellion and Microsoft Exchange incidents, and recently, and recently, attacks on Channel Nine and federal Parliament.

Victoria’s Critical Infrastructure Resilience Strategy identifies cyber attacks as one of the state’s top risks because they can disrupt essential services including banking and finance, communications, energy, food supply, government, health, transport and water. 

Want to know more?

Shedding Light on the DarkSide Ransomware Attack (SecurityIntelligence, 6 min)

 

Coronavirus exponentially intensified cyber risk: Aon’s annual Cyber Risk Report

A sharp uptick in the number and severity of ransomware cases at the end of 2020 and start of 2021, coupled with supply chain and support vendor vulnerabilities, shows that the pandemic did more than reshape the way the world does business; it exponentially intensified cyber risk, according to Aon's Cyber Risk Report (2021).

Aon’s analysis shows that the velocity of digital change forced upon organisations in 2020 outpaced that of security. According to Aon, rapid moves to remote work and digital service delivery compelled many organisations to ‘skim over’ security just to keep the lights on (2021).

But high-profile attacks in the last 6 months highlight vulnerabilities. And against the backdrop of a hardening market, organisations are facing more than a digital transformation: they’re experiencing a digital revolution.

More in Aon’s cyber risk report.

Hospitals and health services get $30 million boost to guard against cyber attacks

The funding package, announced in April, will be shared across 28 hospitals and health services and used to improve ageing network infrastructure, replace end-of-life systems, reduce ICT outages and improve the speed of networks.

In March, one of Melbourne’s largest metropolitan public health services, Eastern Health, experienced a significant ransomware attack that disrupted services for several weeks.

Read the media release.

Cyber security should be up there with sports, beach and barbeques: ACSC

At her March address to the Australian Information Security Association Cyber Conference, ACSC Head Abigail Bradshaw CSC spoke about the state of cyber security in Australia and implored Australians to make security a ‘hardwired part of our national mindset’ amid growing threats.

Read the speech on ACSC’s website.

Market update

Flow-on effects of pandemic and 2020 bushfires continue to shake-up commercial market

Climate change, cyber security and travel insurance are experiencing rapid changes from global catastrophes and the pandemic over the past year.

Cladding continues to be an area of concern, with a St Kilda building evacuated in mid-May due to combustible cladding concerns (Paynter, 2021).

The commercial market continues to harden due to the effect of coronavirus on the global economy, and this uncertainty has led to insurers increasing premiums and adding endorsements and exclusions to policies, while underwriters scrutinise coverage for new policies. The corporate travel insurance portfolio showed a sharp increase in claims when domestic and international travel restrictions took effect, and insurers increased their premiums as a result.  

And with national leaders looking to ease international travel restrictions as vaccination programs take flight, there’s pressure on insurers to reshape these products, which are based on pre-pandemic travel and no longer meet the needs of their customers. The impact of the 2020 Black Summer bushfires continues to be felt, with insurers struggling to balance coverage, claims and premiums.  

Modelling indicates increased frequency and severity of natural disasters due to global warming and Australia’s higher exposure and severity of the 2019 fires, premiums are likely to increase.

VMIA news and insights

The state of risk: cyber security in Victoria

Cyber security is one of VMIA’s fastest-evolving insurance programs. The cost of cyber-crime is only partly insurable, and estimated to reach $2-6 trillion by 2022. 

As we’ve seen with recent incidents, cyber attacks can disrupt critical services, impact the economy, threaten public safety and expose sensitive information to unauthorised parties. The risks are real, present and impact every department, ministerial portfolio, business and individual.

The Victorian Government announced in its 2021-2022 budget that it will invest $50.8 million over 4 years to respond to the increasing threat by improving the cyber resilience of the public sector, increasing protections for the community and growing the state’s cyber security workforce.

In partnership with the Department of Premier and Cabinet (DPC), we’ll focus on initiatives that can build risk maturity for cyber while considering our portfolio and reinsurance. A deep understanding of cyber risk maturity is essential to ensuring the availability of reinsurance in the future.

Cyber Maturity Benchmark status update

Education, transport and water agencies are just some of the Victorian organisations that have assessed their level of cyber risk maturity and can now see how they compare against other organisations in their sector.

These agencies are assessing their current maturity against the ACSC's Essential Eight controls, using the Cyber Maturity Benchmark to generate a maturity rating.

VMIA partnered with DPC’s Cyber Security Unit to design the benchmark in 2020 to create a clear view of cyber risk maturity across the Victorian public sector.

So far, we’re seeing a preliminary tendency for maturity in control strategies to limit the extent of cyber attacks, rather than prevent them.

Benchmarking data and insights for the whole of Victorian Government will be available from September 2021. They’ll be used to build maturity across the state, and improve the way we prevent, respond to and recover from cyber security incidents in the future.

In the meantime, you can compare your organisation against others in your sector as soon as you complete the assessment.

Tools and resources

Three things to shift the dial

We asked Victoria’s Chief Information Security Officer John O’Driscoll what you can do to protect yourself against cyber attacks. John’s top three:

1. Take the Cyber Maturity Benchmark self-assessment – use the insights and reporting to identify vulnerabilities and improve your resilience.
2. Implement the ACSC’s Essential Eight controls [PDF, 448KB] – they’ll stop up to 85% of cyber incidents.
3. Know your partners. When we outsource to third parties, citizens aren’t concerned who is managing it – they expect safe and reliable services. So engage in constructive solutions for outsourcing and procurement.

Contact us on 03 9270 6990 or contact@vmia.vic.gov.au to start your self-assessment.

Solutions for you and your team: workshops, resources and 101

Cyber Risk Foundations

Learn how to confidently assess and manage cyber risk at this online workshop. Covering government expectations, better practice principles and how to align cyber threats to your risk profile, this 2.5 hour session is for risk and governance specialists and IT advisers wanting to understand cyber from a business perspective.

What is the Essential Eight?

These eight essential mitigation strategies were identified by the Commonwealth Government’s cyber security experts, designed to help limit exposure to up to 85% of cyber threats. They’re designed to:

• help prevent cyber attacks
• limit the extent of attacks
• recover data and systems availability.

They provide a strong baseline of protection against intrusions, ransomware and other malicious events, and can be practically applied to limit damage and recover if an event does occur.

More details can be found in our guide to using the Essential Eight [PDF, 448KB].

Cyber self-assessment – your toolkit

We’re here to help you complete the self-assessment, with tools and resources for you and your team:

• essential information to get started
• step-by-step instructions
• FAQs [PDF, 112KB].

Contact us on 03 9270 6990 or contact@vmia.vic.gov.au to start your self-assessment.

Wanted: your feedback

We always appreciate your feedback – and we’d like to make it even easier to give comments and ratings. Please tell us how we can do better in this short survey (takes less than 1 minute to complete).

References

1. Insights.aon.com. 2021. 2021 Cyber Risk Report - Foreword. [online] Available at: <https://insights.aon.com/2021-cyber-risk-report/foreword/> [Accessed 4 May 2021].
2. Paynter, J., 2021. St Kilda apartment building evacuated over combustible cladding fears. Nationwide News Pty Limited, [online] Available at: <https://www.news.com.au/national/victoria/news/st-kilda-apartment-building-evacuated-over-combustible-cladding-fears/news-story/084b06b418551536441c417e3fa41ad1> [Accessed 12 May 2021].
3. Prime Minister of Australia, 2021. A Modern Digital Economy to Secure Australia's Future. [online] Available at: <https://www.pm.gov.au/media/modern-digital-economy-secure-australias-future> [Accessed 7 May 2021].