Black swan events in cyberspace. Is your proprietary information making you a target?

The cyber-security environment is changing so rapidly, unthinkable events are now becoming reality.

Recent attacks affecting Optus and Medibank have involved the unauthorised access and release of Personally Identifiable Information(PII), resulting in devasting impacts. Yet PII is not the only form of information that we need to secure. Most organisations hold other information that will cause major loss or damage if compromised.  

If we look at the ever-advancing biotechnology industry as an example, there is a whole world of potentially valuable data to be exploited.  Hospitals, universities, pharmaceutical and agricultural companies all produce, collate, store, and share Sensitive and Confidential Information (SCI) that could be misused, stolen, or sold to cyber-criminals.

Consider the following hypothetical scenario:

·       You are the operator of a ‘High Containment Laboratory’. That’s the kind of place that works on highly infectious and security sensitive pathogens like anthrax and the plague.  Recent biosecurity audits have indicated that many of these laboratories are not well defended against cyber-attacks.

·       Your lab falls victim to an attack from a sophisticated cyber-criminal syndicate. One that looks to exploit common system vulnerabilities and weak cyber-defences.  This is a common issue for laboratory networks world-wide. They find their way into your IT systems though unpatched applications, spend time looking around and exfiltrate all the data they can find. They’re not really sure what data they have, but it looks interesting enough.

·       The perpetrators post your data for sale on the dark web. Maybe they try to ransom you, but that’s not the end game. Instead, they find a host of eager buyers who are interested in recent vaccine research, gene-editing outcomes, and genomic sequencing. It’s a goldmine for nefarious microbiologists and biotech gurus.  

·       The lucky buyer of your data has been recruited by a known terrorist group who wants to make headlines by manufacturing a novel bioweapon.  Aside from valuable research data, they now have the DNA sequence for high-risk pathogens, along with access to methodologies and expertise.  

·       Using readily available DNA-editing technology and the data stolen from your high-containment lab; the corrupt scientist can take a low-risk pathogen and turns it into a killer pathogen. By altering its genome, they have increased its infectivity and pathogenicity and created a novel virus set to be released in the coming days, all without stepping foot into the high containment lab.  

This isn’t the storyline from a best-selling crime novel. The advancement of biotechnology and increasing vulnerability of cyber-biosecurity makes this a potential reality.

So what’s the moral to the story?

You may not be holding sensitive information on biological pathogens; however most organisations hold some form of proprietary information that could cause harm if breached. Potential harm to people, harm to the organisation itself, or maybe even harm to society. This Sensitive and Confidential Information (SCI) is the corporate alterative to Personally Identifiable Information (PII).  It’s information that we need to protect through robust cyber-defences and good management practices.

Whilst we used a vivid example in this article to illustrate the importance of protecting your SCI, there are some important take-aways for every organisation:

·       Do you know what SCI you hold?

·       Is this data well protected?

·       Do you know its value to others?

·       How would you respond if it was compromised?  

At Sention, our business is to look at current and emerging threats, analyse what they mean, and help protect your organisation before impact occurs. Go to www.sention.com.auto find out more.

‍