As critical infrastructure providers and their assets have become more digitalised and connected, these industries need to have strong, modern, phishing-resistant multi-factor authentication methods to ensure they are not vulnerable to the increasing number of ransomware attacks, according to Yubico.
Recent revisions to Australia's Security Legislation Amendment (Critical Infrastructure) Act (SOCI) 2021 represent one element of the Government's response to the growing cyber threats faced by Australian critical infrastructure organisations.
Previously the SOCI Act covered key industries such as electricity, gas, water and maritime ports. The Act now expands that coverage to 11 sectors deemed critical: communications, financial services and markets, data storage and processing, defence industry, higher education and research, energy, food and grocery, health care and medical, space technology, transport, and water and sewerage.
According to findings published by the Australian Cyber Security Centre (ACSC) in the ACSC Annual Cyber Threat Report, cyber-attacks are escalating in severity and frequency at a rate of one reported attack every eight minutes. The report also revealed that an estimated quarter of cyber incidents reported to the ACSC in the 2020-21 financial year were associated with Australia's critical infrastructure or essential services.
Geoff Schomburgk, Yubico's vice president for Asia Pacific and Japan, welcomes the additional sectors rightfully classified as critical infrastructure but says that these vital service providers simply can't afford to wait for an attack to happen.
"Having a ransomware mitigation plan is one step towards minimising risk, with phishing resistant MFA the key to keeping necessary accounts secure," he says.
MFA is a security measure that requires two or more proofs of identity to verify users before granting them access to online accounts. It combines factors from at least two categories: something the user knows (a password, PIN or secret question), something they have (a smart card, hardware token or YubiKey) or something they are (a fingerprint or other biometric).
According to Schomburgk, ensuring an organisation and its employees have strong MFA systems that do not rely on basic mobile-based MFA, such as SMS or mobile authenticator apps, is a good way to mitigate ransomware attacks. The distinction matters because a one-time code, whether delivered by SMS or generated by an app, can be typed into a lookalike site and relayed to the real one just like a password; a phishing-resistant method such as FIDO2/WebAuthn instead binds each login to the site's origin, so a credential captured on the wrong site is useless elsewhere.
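The following is an added example, not code from the article or from Yubico, that models the difference in a few dozen lines of standard-library Python. The TOTP half is a real RFC 4226/6238 implementation; the WebAuthn half is a simplified model in which an HMAC stands in for the authenticator's public-key signature (labelled as such in the comments), and the origins, challenge and credential key are constructed sample values. It shows an adversary-in-the-middle proxy relaying a victim's code to the real site and succeeding, and the same proxy relaying an origin-bound assertion and failing.

```python
import hashlib
import hmac
import json
import struct

# Constructed sample data for this example (not real credentials).
TOTP_SEED = b"12345678901234567890"                          # RFC 4226/6238 reference seed
CRED_KEY = hashlib.sha256(b"demo credential key").digest()   # stand-in authenticator key
REAL_ORIGIN = "https://login.example.com"                    # hypothetical relying party
PHISH_ORIGIN = "https://login.example-phish.com"             # hypothetical lookalike site


# --- Legacy second factor: RFC 6238 TOTP, the kind a phishing proxy can relay ---
def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HMAC-based one-time password (HMAC-SHA1 + dynamic truncation)."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based variant: HOTP over the 30-second time counter."""
    return hotp(key, unix_time // step, digits)


def totp_server_login(seed: bytes, submitted_code: str, unix_time: int) -> bool:
    """The real site only checks that the code is valid for the current window.
    Nothing in the code records WHERE the user typed it."""
    return hmac.compare_digest(submitted_code, totp(seed, unix_time))


def phish_totp(seed: bytes, unix_time: int) -> bool:
    """Adversary-in-the-middle: the victim reads the code from their app and types
    it into the lookalike site; the proxy forwards it to the real site in time."""
    code_typed_on_fake_site = totp(seed, unix_time)
    return totp_server_login(seed, code_typed_on_fake_site, unix_time)  # True: takeover


# --- Phishing-resistant factor: origin-bound challenge/response (WebAuthn model) ---
def authenticator_assert(cred_key: bytes, challenge: str, browser_origin: str) -> tuple:
    """The browser writes the origin it is actually on into the client data and the
    authenticator signs it. HMAC stands in for the real public-key signature."""
    client_data = json.dumps({"challenge": challenge, "origin": browser_origin},
                             sort_keys=True).encode()
    signature = hmac.new(cred_key, client_data, hashlib.sha256).digest()
    return client_data, signature


def webauthn_server_verify(cred_key: bytes, expected_challenge: str,
                           expected_origin: str, client_data: bytes,
                           signature: bytes) -> bool:
    """Relying party checks the signature, then that the signed challenge and
    origin are the ones it issued and serves."""
    expected_sig = hmac.new(cred_key, client_data, hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected_sig):
        return False  # client data was altered in transit
    data = json.loads(client_data)
    return data["challenge"] == expected_challenge and data["origin"] == expected_origin


def phish_webauthn(cred_key: bytes, challenge: str) -> bool:
    """Same proxy attack: the proxy fetches a challenge from the real site and relays
    it to the victim, whose browser signs it under the phishing origin."""
    client_data, sig = authenticator_assert(cred_key, challenge, PHISH_ORIGIN)
    return webauthn_server_verify(cred_key, challenge, REAL_ORIGIN, client_data, sig)


def tampered_webauthn(cred_key: bytes, challenge: str) -> bool:
    """The proxy tries to patch the origin field before relaying; the signature
    no longer matches, so the server rejects it."""
    client_data, sig = authenticator_assert(cred_key, challenge, PHISH_ORIGIN)
    patched = client_data.replace(PHISH_ORIGIN.encode(), REAL_ORIGIN.encode())
    return webauthn_server_verify(cred_key, challenge, REAL_ORIGIN, patched, sig)


def legit_webauthn(cred_key: bytes, challenge: str) -> bool:
    """Control case: the user is really on the relying party's site."""
    client_data, sig = authenticator_assert(cred_key, challenge, REAL_ORIGIN)
    return webauthn_server_verify(cred_key, challenge, REAL_ORIGIN, client_data, sig)


if __name__ == "__main__":
    now = 1_700_000_000
    print("TOTP code relayed through phishing proxy accepted:", phish_totp(TOTP_SEED, now))
    print("WebAuthn assertion relayed through proxy accepted:", phish_webauthn(CRED_KEY, "c1"))
    print("WebAuthn assertion with patched origin accepted:  ", tampered_webauthn(CRED_KEY, "c1"))
    print("WebAuthn assertion from the real origin accepted:  ", legit_webauthn(CRED_KEY, "c1"))
```

In real WebAuthn the protection is stronger than this model shows: the authenticator signs both the hash of the client data and an authenticator data blob carrying the relying party ID hash, and the browser refuses to produce an assertion at all unless the RP ID matches the origin it is on. The model keeps only the property that matters for the argument above, that the origin travels inside the signed payload and cannot be stripped or rewritten by whoever sits in the middle.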
"Whilst not all authentication is created equal and passwords and other legacy methods are vulnerable to different types of attacks, the most important action is to protect staff working in these newly classified critical infrastructure industries, and their online accounts, with some form of modern MFA," he says.
"We all know how disruptive it is when a transport system like a train network is shut down, but can you imagine the chaos that would eventuate not having access to food, water or medical data getting stolen? Unfortunately, there will continue to be exponential growth in ransomware type of attacks as more criminal groups look to exploit vulnerabilities of critical infrastructure assets," says Schomburgk.
"Having a ransomware mitigation plan, of which MFA is a part, will help reduce the risks and pay off when you need it most," he says.
In the US, the average ransomware recovery cost in 2021 was about $2.39 million, including the ransom, business downtime, lost sales, operational costs and legal fees. Ransomware attacks involving more sensitive or critical data or systems brought costs closer to $5.85 million, higher than even the average cost of a normal data breach (about $5.83 million). Over 57 per cent of victims end up making a payment to recover their data or to prevent its exposure, yet only some of them actually get all their data back after paying the ransom.
Schomburgk says there's a common misconception that preventing ransomware attacks is only about keeping individual users from opening the door by clicking on suspicious links that download malware onto systems or computers. But in many cases, weak authentication systems may allow attackers to gain entry to a system, pose as an authenticated user and place ransomware in the most damaging places.
"Whether it's for business or simply everyday use, everyone relies on critical infrastructure to help them with getting jobs done," he says.
"Without them, there is mass disruption and Australia's national security is threatened. Governments and private businesses cannot afford to wait or not further strengthen their IT processes. The time to act is now to adopt more secure authentication methods, as the alternate option will come at a great cost."