Cyber ChallengesIn a rapidly evolving environment of establishing new short-term goal setting, companies and government agencies are required to establish and agree to new objectives and key result tools. A scattered and offsite workforce now has the same vulnerabilities of an unsecured third-party supply chain that is not subject to the same standards and compliance measures of a company that houses employees in one location. We have not even begun to test the robustness of governance, risk and compliance issues when a work-from-home employee or supplier is compromised.
The rapid adoption of work-from-home technologies over the past few months has exponentially increased the use of online communication platforms such as Zoom, Google Hangouts, Skype and Microsoft Teams. Like any internet-enabled service, the scope of exploitation becomes substantially wider and porous for cyber criminals and malign state actors. Cyber criminals have always worked from home, and now companies and employees alike have rapidly moved into the cyber criminal’s domain of comfort and preference.
One example of a practical collaboration with the security of critical infrastructure is between the WA AustCyber Innovation Hub, Edith Cowan University Security Research Institute and two major critical infrastructure providers. This ‘Honeypot Research’ has allocated ECU research students to work with the power companies to build prototypes of certain control systems in their operating technology environment that mimic actual systems. Researchers can then study the threat signatures, attack methods and sophistication in order to gather cyber threat intelligence. This learning will translate directly to the way critical infrastructure providers such as energy , water and defence companies think about their cyber defence and vulnerabilities.
Implications for Defence IndustryDefence industry contractors need to understand the inherent weakness in monitoring and defending systems when they rely on a diversified workforce who are now managing some of those operations from home. Architectural weaknesses inherent in this include unsecured data transmissions, sub-optimal security policy and process enforcement, unsecured personal devices and tools: and a lack of normal workplace controls. In the event of an attack, it is also now much harder to assemble decision-makers in one location to work together to come up with an agreed solution. The distributed workforce model also gives the attacker a time advantage.
The WA AustCyber Innovation Hub has strong linkages with private sector cyber companies, industry associations and government agencies across the state to ensure the message of cyber awareness is spread and amplified. The Australian Cyber Security Centre offers COVID-19 Threat Updates is also a reliable source of information throughout the pandemic for SMEs.
AustCyber recognises that Defence provides many opportunities for sovereign cyber security companies. This year, AustCyber is involved with the MilCis 2020 conference and expo to be held in Canberra in November in support of Team Defence Australia for missions and cyber-focussed delegations to strategic global markets. Support will also continue for the Centre for Defence Industry Capability in their Global Supply Chain Program.
The WA AustCyber Hub has also partnered with ECU since 2018 to relaunch the Cyber Check Me program to assist small businesses and not-for-profits with their basic cybersecurity safeguards. Foundation partners include the Cities of Joondalup and Wanneroo and North Metropolitan TAFE. Advice is provided in line with the Essential 8 Cyber Mitigation Strategies which provides easily understood cyber hygiene practices.
A small cyber army of predominantly second year computer science students with a major in cybersecurity and Advanced Diploma students from North Metropolitan TAFE deliver the program through pop-ups at industry events (pre-COVID) with a migration now to online consultations with businesses.
Practising Cyber HygieneFurther, here are some simple steps that defence industry SMEs could take to protect their business from cybercrime: