Cyber attack calls for tougher law

News last week about a cyber attack on Papua New Guinea’s Finance Department is a wake-up call for organisations in the country to seriously consider having a cyber-security policy. Cybernetic Global Intelligence chief executive officer RAVIN PRASAD spoke to Business reporter PETER ESILA about some of the measures to take.
Cybernetic Global Intelligence chief executive officer Ravin Prasad said businesses in PNG are still ignorant about cyber security and its system. – Azer Newspic

QUESTION: How do you see developments in PNG’s cyber-security in organisations?

PRASAD: According to a statement released by Finance Minister Sir John Pundari, the Department of Finance’s integrated financial management system (IFMS) suffered a ransomware attack at 1am on Oct 22.
Attackers infiltrated the IFMS core server, affecting its payment system which manages access to hundreds of millions of dollars in foreign aid money.
The former general manager of PNG’s national cyber security centre, Robert Potter, said in a Bloomberg report that “to attack a developing country and their infrastructure during a health crisis is pretty shameful”.
Sadly, if organisations in PNG are under this assumption, then this incident should be a wake-up call.
Cyber criminals will target anyone across the globe who is an easy target for cyber-attack.
And, in this instance, it’s PNG Government departments, banking and finance, telecommunications and the resources industry.
Cybernetic Global Intelligence with its local business partner Datec has been working in PNG on cybersecurity awareness since 2017.

How can we make sure such attacks never happen again?
Companies in PNG are still ignorant about cyber security and their systems/networks are currently highly vulnerable to cyber-attacks.
This attack could have been avoided if the Government departments had implemented cyber security policies and procedures within their department.
During the Coronavirus (Covid-19) pandemic, the entire world is experiencing a huge increase in cyber-attacks targeting the banking and financial sector, government, telecommunication, and healthcare institutions.
PNG organisations and Government departments cannot, for one moment, think they will not face a cyber-attack.
Below are concerning and worrying statistics for PNG businesses from a recent survey conducted by our technical cyber security team.
Yet little to no action has been taken up in improving the cyber security posture by the Government and private business sector in PNG:

  • 85 PER CENT of organisations in PNG do not have a formal cyber security policy/framework;
  • 90 PER CENT of organisations in PNG have not recently performed penetration testing (cyber-attack simulation);
  • 86 PER CENT of organisations in PNG have not delivered cyber security training to all their staff;
  • 85 PER CENT of organisations in PNG do not have a separate cyber security budget;
  • 92 PER CENT of organisations in PNG do not maintain a centralised register of cyber incidents; and,
  • 90 PER CENT of organisations in PNG have not conducted web application testing.

As the CEO of a global cybersecurity organisation, I regularly catch up with industry leaders and board members across the globe, and fully understand and appreciate some of the challenges senior executives and board members face every day when it comes to cyber security.
Below are some of the key questions every business board, executive and Government department in PNG needs to ask themselves every day when it comes to cyber security attacks.
Organisations that do discuss these key topics below in their board meetings and fail to implement these strategies will be hacked.
They are:

  • WHEN was the last time you tested your IT infrastructure against cyber-attacks? Most critical being how secure is our organisation?
  • HAVE we documented cyber security policies and procedures for our organisation?
  • HAVE we performed a risk assessment to detect internal and external threats?
  • HOW frequently are we performing vulnerability assessment and penetration tests on our network to identify weaknesses/vulnerabilities in the network?
  • DO we conduct web application assessments? Did you know compromised web applications lead to data breaches?
  • DO you have daily monitoring log reports which confirm your organisation is not being attacked?
  • DO we have a patch management policy within our business and how often is this managed and updated?
  • DO you currently have a mechanism to detect vulnerabilities, and are you fixing them on priority?
  • WHAT preventive / detective controls have we implemented for data breaches?
  • HAVE you implemented a secure VPN for staff working remotely during Covid-19?

Are we aware of all regulatory and non-regulatory cyber security compliances such as the International Organisation for Standardisation (ISO) 27001?
Some organisations in PNG have purchased the latest cyber security solutions but they do not know how to configure and monitor their systems for cyber security.
Every month, we send out vulnerability reports and advisories.
This ransomware attack is a wake-up call for PNG.
If they do not take positive steps towards improving cyber security, I am sure there will be many more cyber-attacks in future targeting the major Papua New Guinea industries.

What is Cybernetic Global Intelligence?
Cybernetic Global Intelligence is an International Accreditation Forum-accredited, ISO 27001-certified, PCI-DSS QSA (qualified security regulation) global cyber security firm.
We help companies protect their data and minimise their vulnerability to cyber threats through a range of services.
Our services are carried out by certified cyber security specialists who have made protecting companies from cybercrime their key mission.
Cybernetic Global Intelligence is backed by more than 20 years of experience from leading cyber security experts and researchers from all around the world.
We are an emerging and quickly growing company with an exceptional advantage.
Our cyber security experts are not only employees but also stakeholders in the business.
This provides us with committed and empowered employees who are constantly acquiring new qualifications and striving to stay at the forefront of cyber security.
We are located in the heart of Brisbane’s CBD, yet have a global presence with clients spanning the Asian-Pacific region, Europe, the United States, Middle East, PNG and, of course, Australia and New Zealand.