Australia needs more cyber in the middle

Government cybersecurity programs usually aim to help big, critical enterprises directly, or improve the cyber awareness of families and consumers. What about all the small and medium businesses?
Written by Stilgherrian , Contributor

We've got a problem. Two, actually. One is that traditional antivirus (AV) technology is broken. The other is that most small and medium businesses probably don't know it yet, and aren't keeping up generally.

So-called "fileless attacks" are on the rise. They're predicted to comprise 35 percent of all cyber attacks this year. Phishing attacks continue to be popular too, because they work, and our ability to spot them is failing to improve. AV isn't much good against either of those things.

"A lot of the tools and techniques that are used by the adversaries, they're just not detected," says Michael Sentonas, vice president for technology strategy at CrowdStrike. "And the attackers know this, right?"

You can't blame the products, Sentonas told journalists in Sydney last Friday. They're simply being hit with something they weren't designed to face.

"A lot of the information that was stolen from the US government, there were playbooks of how to bypass pretty much every commercially available AV product," he said. "You could cut and paste the code, and you literally could bypass the industry."

It's a cliche, but small businesses really are the backbone of the Australian economy. Only 2 percent of the nation's actively trading businesses have an annual turnover of AU$2 million or more, according to the latest official statistics released on Tuesday. Of the 38.8 percent of businesses with employees, 70.1 percent employed between one and four people. Only 0.5 percent had 200 or more employees.

Talk to anyone who provides IT services to those tiny businesses, and they'll probably tell you that if these businesses think about cybersecurity at all, they only think about the basics.

They've got whatever firewall their ISP provided, and whatever antivirus product was on special at OfficeWorks last June. Or the June or three before that.

"We need to do a better job of helping small [and] medium business[es] that are relying on a basic firewall and traditional AV to protect themselves," Sentonas said.

"A lot of the initiatives -- and I'm not having a go at the Australian government -- but a lot of the initiatives in Australia are targeted at the large enterprises."

The Australian Cyber Security Centre (ACSC) and CERT Australia, for example, focus on critical infrastructure and bigger business, and rightly so.

But there's a gap in the middle. A big gap. And as the data theft from an Adelaide engineering firm showed us all too clearly, even SMBs are handling restricted defence information on projects such as the F-35 Joint Strike Fighter and the P-8 Poseidon maritime patrol aircraft.

Sometimes they handle it very poorly indeed.

What about cybersecurity awareness? Again, the ACSC and friends can help at the big end. Broader cyber safety programs quite rightly focus on families and individuals.

The cybersecurity awareness of those little firewall-and-AV cyber sandcastles probably comes from whichever talking head was just on radio or TV for the three minutes, jammed between news of a shed fire in the western suburbs and an interview with the winner of a cake decorating competition.

"That's a problem," Sentonas said.

"It's one of the challenges in the industry, right? You hope that that advice is happening, but I don't think it is. I don't think we're doing a good enough job ... Public, private, all of us, we need to talk about some of these things, and kind of call it out, and do it in a way that gives people advice, and is not pushing product because that doesn't help either," he said.

Indeed. Australia needs much more cyber in the middle.

Related Coverage

Is PayID look-up no more a breach of privacy than a phonebook?

Being able to find someone's name and mobile number through the New Payments Platform PayID system shouldn't be used as a function creep, but it is, and NPP Australia says it's the user's choice to opt-in.

Australia re-enters Information and Privacy Commissioner limbo

A little over a year after being permanently appointed, Information Commissioner Timothy Pilgrim is set to retire on March 24.

Government agrees to up Medicare card privacy and security controls

Scrapping PKI certificates in favour of PRODA is one of 14 recommendations the Australian government has accepted following a review into health providers' access to Medicare card numbers.

Paranoia will destroy us: Why Chinese tech isn't spying on Americans

The notion that the Chinese government would spy on corporations and our agencies with electronic devices manufactured by Chinese companies is not only absurd but would be catastrophic to furthering their ambitions in world trade.

IBM Security Report: Asia-Pacific users are biometric early-adopters (TechRepublic)

Users in the APAC region were the most knowledgeable and comfortable with biometric authentication, while the US lagged furthest behind in these categories, says IBM Security's Limor Kessem.

White House: Cybercrime caused up to $109B hit to US economy in 2016 (TechRepublic)

A Council of Economic Advisers report examined the full impact of cyberattacks in the US, and found the malicious activity left a large bill.

Editorial standards