It’s so easy to become a threat actor, says cyber security GM

There are currently so many tools available to threat actors that the barrier to becoming one is very low, according to a cyber security specialist.

Ahead of the inaugural Cyber Security Summit 2023, Chartered Accountants Australia and New Zealand (CA ANZ) general manager, cyber security and IT infrastructure, Ashwani Ram said that threat actors do not have to be sophisticated to launch an attack because there is a range of platforms at their disposal.

“There are phishing platforms as a service, scripting platforms as a service, or ransomware as a service. You can subscribe to any of them and become a threat actor and try to cause harm,” Mr Ram flagged.

“The barrier to becoming a threat actor and launching a cyber attack is very low nowadays.”

============

Mr Ram — who is a finalist in the CISO of the Year award category at the first Cyber Security Awards — noted that threat actors are now targeting companies that cannot afford to invest in cyber security, particularly small and medium-sized enterprises (SME) and non-profits, he said.

Why chartered accountants are vulnerable

Specifically, Mr Ram said threat actors would prey on chartered accountants because they are a rich source of data.

“Most chief financial officers (CFO) are chartered accountants, as are people in finance and government,” he said.

“Threat actors will breach us not to hold us to ransom but as a means to harvest credentials from us and then build a user profile and compromise the user. So, we’re a means to an end. Money is always the short-term goal, but the long-term goal is data harvesting.”

VIEW ALL

His comments precede his session at the Cyber Security Summit, where he and a panel of speakers will unpack how businesses can protect data in all their forms, given data is the new oil.

When asked how an organisation’s CISO or others in similar roles could bolster its cyber security posture, Mr Ram said they must understand the business, its strategy, and what the business and its executives expect from cyber security.

“Until we understand the business, we will not be able to implement a good cyber strategy,” he said.

A quick glance at threat intelligence and risk reports on data breaches reveals that threat actors do not use a highly sophisticated toolset to carry out their attacks, Mr Ram pointed out.

“Threat actors don’t have to be sophisticated to launch an attack. It comes back to the fundamentals. They’re using a vulnerable component in a business to breach it,” he said.

As such, perfecting the fundamentals is crucial for CISOs, which includes patching and updating systems frequently and using multifactor authentication (or strong passwords if multifactor authentication is not possible).

Why you shouldn’t pay ransom

We asked Mr Ram what role a CISO plays if their organisation is held to ransom, to which he responded that his personal stance is not to pay the ransom.

“Paying the ransom just puts more money in the hands of the hackers,” he argued.

“They’ll be better financed, which means they can launch more sophisticated attacks.”

A recent report by Sophos revealed that 70 per cent of Australian organisations have been affected by ransomware attacks. The average cost of a ransom spiked from US$226,863 in 2021 (determined from the reports of 65 victims) to US$1,513,436 (based on 13 companies that responded to the survey).

Moreover, a recent global survey found that over 60 per cent of Australian businesses would pay a ransom following a successful ransomware attack.

Notwithstanding his personal stance, Mr Ram said that it is ultimately a CISO’s role to understand what their organisation prefers.

For instance, if the organisation’s CEO or board of directors choose to pay the ransom, the CISO’s role is to provide advice and make recommendations.

Organisations must have a strong backup of their data so they can restore it after an attack, Mr Ram said, even if that means losing a few days of operation.

He also advised CISOs to share as much information as possible about any data breach so that executives and employees can learn about techniques and be better prepared for the next attack.

“Transparency is critical to helping others in cyber security,” he concluded.

To hear more from Ashwani Ram about why a comprehensive enterprise security strategy is key to minimising risk and keeping data and assets safe and how to roll out a strategy that aligns with an organisation’s culture and objectives, come along to the Cyber Security Summit 2023.

It will be held at Hotel Realm, Canberra, on Thursday, 1 June.

Click here to buy tickets and don’t miss out!

For more information, including agenda and speakers, click here.