Ransomware and other cyber security attacks will continue to dog Australia’s financial and business recovery from this year’s COVID-19 pandemic.

The warning came as a panel of experts, led by AustCyber CEO Michelle Price, discussed a potential scenario for cyber security disruption in Australia as part of the AustCyber Cyber Week event.

In the scenario, the aged-care business of a woman named Lucia – who, like many Australians, has been riding out the pandemic with husband James and three children at different stages of schooling – experiences website disruption that is ultimately revealed to be related to a ransomware attack that shuts down her business.

That threat hits close to home for Berin Lautenbach, CISO with logistics firm Toll Group – which was itself hit by major ransomware incidents earlier this year when cybercriminals exfiltrated data that was eventually published online, after the company refused to pay up.

Even large companies struggle with their responses and a small business like Lucia’s may lack the “maturity of thinking” to recover alone, he said, because small businesses’ focus on operational continuity means they usually don’t have the digital expertise to deal with such incidents.

“At this stage, Lucia’s preparation for that will be front of mind because she will want to have a workforce, and will be also challenged by wanting to make sure that her business is still operating,” said Lautenbach, a former Telstra CISO who was hired in August to help Toll pivot away from this year’s cyber security attacks.

The attack “will take a lot of time and attention away from that”.

Faced with similar situations, around a third of ANZ businesses opt to pay off ransomware attackers and move on, according to newly released data from IDC and Rubrik.

Some 18 per cent of respondents said they had been hit by ransomware in the past 24 months, and 29 per cent of those infected had opted to pay the ransomware demands to recover their data.

A mushrooming threat

The panellists also explored the likelihood that cybercriminals would try to interrupt delivery of the COVID-19 vaccine, which in the scenario had become available in mid-2021, and force families and businesses to triage its delivery.

“A lot of these technology investments have been made in recent years to prepare for trying to ramp up production of vaccines that will be very important for us to recover in the long term,” noted Serge Maillet, country segment manager for industrial networks and cyber security with industrial giant Siemens.

“These investments are really there to help increase their operational efficiency as well as their production capacity,” he continued, noting that the pharmaceutical supply chain would be on “very high alert” for the “unfortunate reality” of cyber security compromise.

High-risk industries have long anticipated interruptions to critical processes and sensitive operational technology (OT) systems, already successfully targeted in incidents such as May’s cyber attack on the UK electricity grid.

Measures such as the Australian government’s new Critical Infrastructure Centre, and standards efforts around hardening critical infrastructure, would also need to protect COVID-19 vaccine production and distribution.

A matter of trust

Attacks on healthcare bodies would further complicate disaster scenarios, with co-health executive capability lead Christopher Turner warning about “large scale, large and whole of community impacted events” as the virus recovery shifts to the next stage.

“There’s a strong need to think about a broader community resilience model,” he said, arguing that human adaptability would prove critical.

“While our systems might be down, and the interconnectedness of our systems might be down... at the end of the day healthcare is a human product. Efficiency and effectiveness may be interrupted, but the capacity for us to maintain doing what we do, won’t be.”

In the meantime, businesses need to approach cyber security protection as “a key thing in their armoury as a small business”, Tim Daly, chief security officer with Australian Energy Market Operator (AEMO), advised, calling it “absolutely imperative” that business continuity strategies maintain “absolute primacy” throughout the COVID-19 recovery.

With coherent backup and “some really basic fundamentals,” Daly added, “hopefully you can ensure the ability to recover – but you still need to put in the work to get the right expertise and advice to protect your systems and your data.”

These protections would be tested during the final stage of the scenario, with Australia hit by what Price called a “significant coordinated cyber attack… systematically shutting down core interconnected digital infrastructure across the systems and companies contracted to deliver the vaccine” including pharmaceutical companies, hospitals, and large medical centres.

Ongoing outages, varying from a few hours to a few days, “are being described by the media as a form of digital lockdown, drawing bows to the physical lockdowns of 2020,” Price said in painting a worst-case scenario in which cyber attacks cripple the core supports of everyday life.

With business fighting to maintain continuity and families in crisis as cybercriminal attacks affect their everyday lives, Price said, trust – building it, maintaining it and protecting it – will be key to maintaining social cohesion in a scenario where “our ability to trust the digital infrastructure, and the data that it carries, has really been tested.”

“We do need to understand what all of this means in context for each organisation that exists in our economy.”