The Toll hack is a warning to every Australian business
By Rachael Falk, CEO Cyber Security Cooperative Research Centre
Published in the AFR 18/02/2020
The recent cyber attack on Toll Holdings has been described as "crippling" and the "most significant in Australian corporate history".
The lesson for anyone who operates a business reliant on connectivity is that cyber resilience must be treated like the key business risk it is.
All executives and boards should ask: How can my business recover if it loses access to valuable systems and data, or if the integrity of its systems and data is compromised?
This used to be called business continuity management, but that term sounds almost quaint in today's connected world.
In 2020, data breaches and cyber attacks are entirely foreseeable events. Recent history is replete with examples of stolen data or systems taken offline. The cyber attack on Toll may have been spectacular, but it is not the first and certainly won’t be the last.
For systems to run safely and efficiently, information security management must respect the principles of confidentiality, integrity and availability: known to the cyber security sector by the acronym CIA.
Until now most focus has been on confidentiality, or keeping valuable data safe. This made sense given the amount of sensitive and valuable data generated, stored, sliced and transported. Yet even this emphasis on safeguarding confidentiality has not prevented high-profile data breaches on seemingly a weekly basis.
Perhaps the most damning example was the 2017 Equifax data breach, which compromised the personal information of nearly 150 million Americans, in circumstances described as “entirely preventable” in a US congressional report.
While most breaches still involve data theft, in recent times we have witnessed even more disruptive instances where not only has data been stolen but entire systems have been frozen, with a crippling effect on the profitability and reputation of firms.
The targeting of Toll was preceded by a variety of other cases, such as the hospital whose scanning machines would not operate, or the global law firm that went offline for three weeks while dealing with the impact of ransomware.
As our society and economy become increasingly interconnected, the consequences of cyber breaches become ever more critical. That means more emphasis must be placed on the integrity and availability of systems.
In the context of online systems, the test of integrity is whether you can trust the data in a system to be accurate and, crucially, uncorrupted. Increasingly, cyber adversaries not only wish to gain access to systems but also to corrupt them in ways that undermine trust or commercial value. What would happen if, for instance, data about blood types or water samples was hacked and corrupted? The resulting chaos is barely imaginable.
As with integrity, the availability of data is key – as Toll has discovered the hard way. Once its systems were put out of reach, in this case because of ransomware and the unavailability of backups, its data was completely unavailable and the company could barely transact business.
While many organisations still struggle to get the cyber security basics right, the simplest question to answer is whether, in the event that key systems are unavailable, data can still be made available to the extent required to carry on business. This is the fundamental test of business resilience – one that Toll failed, to its considerable detriment.
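The two tests just described, whether backed-up data can be trusted (integrity) and whether it can actually be restored when the primary systems are gone (availability), are concrete enough to automate. The script below is an added illustration, not code from the article, from Toll or from the Cyber Security Cooperative Research Centre. It builds a backup with a SHA-256 manifest, verifies every file against that manifest, and then performs a restore into a scratch directory to prove the backup is usable. The sample files (orders.csv, customers.csv) and the simulated corruption are constructed for the demonstration.

```python
import hashlib
import json
import os
import shutil
import tempfile


def sha256_file(path):
    """Digest a file in chunks so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(source_dir, backup_dir):
    """Copy each file and record its digest in manifest.json (the integrity baseline)."""
    os.makedirs(backup_dir, exist_ok=True)
    manifest = {}
    for name in sorted(os.listdir(source_dir)):
        src = os.path.join(source_dir, name)
        if os.path.isfile(src):
            shutil.copy2(src, os.path.join(backup_dir, name))
            manifest[name] = sha256_file(src)
    with open(os.path.join(backup_dir, "manifest.json"), "w") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)
    return manifest


def verify_backup(backup_dir):
    """Integrity test: every manifest entry must exist and hash to the recorded digest.
    Returns a list of problems; an empty list means the backup can be trusted."""
    with open(os.path.join(backup_dir, "manifest.json")) as f:
        manifest = json.load(f)
    problems = []
    for name, expected in manifest.items():
        path = os.path.join(backup_dir, name)
        if not os.path.isfile(path):
            problems.append(f"missing: {name}")
        elif sha256_file(path) != expected:
            problems.append(f"corrupted: {name}")
    return problems


def restore_test(backup_dir):
    """Availability test: restore into a scratch directory and re-check the digests.
    Returns (ok, number_of_files_restored); a backup that fails integrity is never restored."""
    if verify_backup(backup_dir):
        return False, 0
    with open(os.path.join(backup_dir, "manifest.json")) as f:
        manifest = json.load(f)
    scratch = tempfile.mkdtemp(prefix="restore-test-")
    try:
        for name in manifest:
            shutil.copy2(os.path.join(backup_dir, name), os.path.join(scratch, name))
        ok = all(sha256_file(os.path.join(scratch, n)) == d for n, d in manifest.items())
        return ok, len(manifest)
    finally:
        shutil.rmtree(scratch)


def demo():
    """Constructed scenario: back up two files, prove the backup restores, then simulate
    silent corruption of one file and loss of another and show both checks catch it."""
    root = tempfile.mkdtemp(prefix="backup-demo-")
    try:
        live = os.path.join(root, "live")
        backup = os.path.join(root, "backup")
        os.makedirs(live)
        with open(os.path.join(live, "orders.csv"), "w") as f:
            f.write("id,consignment\n1,ABC123\n")          # constructed sample data
        with open(os.path.join(live, "customers.csv"), "w") as f:
            f.write("id,name\n1,Example Pty Ltd\n")         # constructed sample data
        create_backup(live, backup)
        clean = verify_backup(backup)                        # expected: []
        ok_before, count = restore_test(backup)              # expected: (True, 2)
        # Simulate the failure modes the article warns about: tampering and a lost file.
        with open(os.path.join(backup, "orders.csv"), "a") as f:
            f.write("2,TAMPERED\n")
        os.remove(os.path.join(backup, "customers.csv"))
        problems = verify_backup(backup)                     # both defects reported
        ok_after, _ = restore_test(backup)                   # expected: False
        return {"clean": clean, "ok_before": ok_before, "count": count,
                "problems": problems, "ok_after": ok_after}
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(demo())
```

Run on a schedule against real backup media, the important property is that the restore test exercises the full path a recovery would take (read the backup, write it somewhere usable, confirm the digests) rather than only checking that a backup job reported success; a manifest stored with the backup should itself be protected, for example signed or kept on separate media, so an attacker who can alter the data cannot also rewrite the expected digests.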
Of course resilience is about much more than just having backups. It is also about investing in basic cyber security hygiene, understanding the entire spread of your organisation’s IT systems and assets, testing your suppliers’ systems and security postures, and ensuring your people are educated about cyber threats and supported by skilled incident response professionals who can be on hand immediately.
Only when all of these challenges are addressed can a business have confidence that it is beginning to prepare for the reality of operating in a connected world.
The experience of Toll suggests that perhaps, in addition to confidentiality, availability and integrity, all well-run businesses should be adding a fourth principle of cyber preparedness: resilience.