In late February 2019, Toyota Australia was hit by a major cyber attack that knocked out its online presence and email systems. For days, the automaker had its ability to connect with customers significantly compromised.
The Toyota incident is yet the latest reminder of the disastrous impact of cyber attacks and why companies of all sizes and in all industry sectors need to be vigilant. Systems, users and devices all need constant monitoring and robust security measures in place to prevent such incidents from having significant consequences.
What happened at Toyota?
On 21 February, it was reported that Toyota Australia had suffered from a cyber attack. The company issued a statement that confirmed the attack, which reports indicate Toyota first learned about the day before. The statement noted that the initial analysis showed that no private customer or employee data had been accessed.
The company’s IT teams were working with “international cybersecurity experts to get systems up and running again,” according to the statement.
Four days later, the company’s website continued to display a stark message detailing its effort to recover from the attack. The company created an emergency call centre to address inquiries from customers.
The company has reported it has “no further details about the origin of the attack.”
What impact is the disruption having on Toyota customers?
The web message made note of several important issues affecting its customers. The company reports having only “limited capabilities to respond” to customers. The Toyota VIN Checker function is down, for example.
Of more significant concern is the impact on two important recent recalls facing Toyota customers. One recall, begun in 2018, affects airbags inflators in Corolla and Avensis models. As the airbags age, high temperatures and humidity can cause the airbag to activate with an explosive force that could send metal fragments towards car passengers, leading to serious injury or death.
In December, the company also recalled 2,640 Corollas, this time to replace a transmission assembly that could detach, resulting in a loss of power.
How big a problem are cyber attacks in Australia?
Cyber attacks cost the Australian economy $1 billion annually. Here are some other statistics on the effect on Australian businesses (2017 numbers unless indicated otherwise):
- 516,380 small businesses were victims of a cybercrime
- The average payment was $4,677 for a small- or medium-sized business to recover their data after a ransomware attack
- One in four enterprises suffered 25 hours or more of downtime after being hit by a cyber attack
- Only one in three small- and medium-sized businesses have continuous system backup practices in place
- It cost medium-sized companies $1.9 million to recover from a cyber attack.
In the first six weeks after enacting the Notifiable Data Breaches scheme in February 2018, the Office of the Information Commissioner received 63 notifications. Those numbers have grown steadily, with 242, 245 and 262 breaches reported in the last three quarters of 2018, respectively.
Malicious or criminal attacks accounted for the largest number of data breaches reported in the fourth quarter – 64 percent of all reported incidents. Of those malicious or criminal attacks, 68 percent involved cyber incidents, including:
- Phishing (43 percent)
- Compromised or stolen credentials (24 percent)
- Ransomware (10 percent)
- Brute-force attacks (8 percent)
- Hacking (8 percent)
- Malware (7 percent)
A closer look at the fourth-quarter statistics gives a clearer picture of the sources of attacks, types of attacks, data affected and sectors being targeted (with percentages):
Source of attacks
- Malicious or criminal attacks (64 percent)
- Human error (33)
- System faults (3)
Information disclosed due to human error
- Personal information sent to wrong recipient-email (27.1 percent)
- Unauthorised disclosure via unintended release or publication (17.6)
- Loss of paperwork or data storage device (14.1)
- Personal information sent to wrong recipient-mail (11.8)
- Failure to use BCC when sending email (10.6)
- Unauthorised disclosure-failure to redact (9.4)
- Personal information sent to the wrong recipient (3.5)
Type of data affected
- Contact information (85 percent)
- Financial details (47)
- Identity information (36)
- Health information (27)
- Tax file number (18)
- Other sensitive information (9)
Top industries attacked
- Health services (21 percent)
- Finance (15)
- Legal, accounting and management (9)
- Private education (8)
- Mining and manufacturing (5)
What companies can do to protect themselves?
The Reserve Bank of Australia warned in October 2018 that Australian businesses were vulnerable to cyber attacks and the catastrophic losses that could ensue.
The Cisco 2018 Asia Pacific Security Capabilities Benchmark study noted that Australia was most under attack of the 11 countries evaluated. The numbers are stunning. Ninety percent of Australian businesses report facing up to 5,000 threats daily. Of those companies, a third face between 100,000 and 150,000 daily attacks and 7 percent see more than 500,000 attacks per day.
What can Australian companies do? Here are some of the most critical areas of need.
Companies need to invest in a multilayered approach to protection of hardware, software, systems, networks, access points, devices and users. As seen in the data above, the attacks can come from a deliberate attack by an outside source, but often come from simple human error.
A comprehensive approach includes sound policies, technology and awareness. Together, these tools give your business the right protection to combat attacks.
A next-generation firewall protects your computer network. Firewalls help detect, contain and eradicate unwanted intrusions before serious harm can come to your systems. They also can be used to inspect information sent to and from the company and block access to and from risky URLs.
To protect users from spam, phishing attempts, viruses and malware, your devices need installed software that automatically scans and quarantines suspicious emails and activity. These tools should be automatically updated in the background to ensure continuous protection from threats new and established.
Tools can be deployed that continuously monitor networks, devices, access and usage, using pre-established rules about what is and is not allowed. Automated monitoring tools can detect and detain threats while issuing alerts to key personnel about identified issues.
Business continuity and disaster recovery
Companies need to develop the policies and procedures that will allow for little to no interruptions should a natural disaster or cyberattack occur. These guidelines establish chains of command, protocols and roles (which may be different from typical job responsibilities) during a crisis. These plans should be tested to ensure all components work smoothly and plans should be modified as needed.
Employee awareness and training
It is important that companies invest in their employees to further an understanding of what cyber attacks are, what damage they can do and how workers can prevent them. Showing employees examples of suspicious emails, making sure they understand data privacy policies and testing their responses builds resilience and understanding.
The Toyota Australia incident will not be the last high-profile example of cyberattacks to hit businesses. But preparation can go a long way to reducing the number and impact of such attacks.