"I told you so!"


I used to be head of cyber security for a store that sells peanuts. Well, it wasn't peanuts, but for the sake of this story and several confidentiality agreements I've signed over the years, let's go with that.

Every month or so, all of the cyber security peeps from the peanut stores all around the country would get together and share stories. It was cathartic in a way: one would say "last month I lost nearly half a million dollars in peanut sales to cyber fraud!" and all would commiserate and offer to buy drinks at the pub that evening for the unfortunate soul who'd lost the most. 

Importantly though, we'd also share intelligence. We never discussed what sort of peanuts we each sold, or what new and amazing flavours our store would be introducing in the coming months, but we would certainly share details about the types of cyber fraud we'd observed in our stores recently. This elevated the cyber security resilience of all peanut stores, without giving away a competitive advantage to any one store. The government became involved, helping share relevant information from their perspective, and the larger peanut stores even helped out with internships and staff secondments between the stores and government.

I remember one particular peanut store, one of the four largest in the country, turned up at our meetings time after time and reported "losses have gone up, but I still haven't been successful implementing multi factor authentication!" The equation was quite simple back in those days. You can imagine the risk assessment:

Cost of implementing multi factor authentication: $3M 

Yearly losses to cyber fraud: $2.9M

Decision: wear the loss 👌

Of course we can see with hindsight that this decision was quite short-sighted; however, at the time it may well have been the right thing to do from the point of view of those in charge of risk management. Who knew that cyber fraud in peanut stores would escalate as rapidly as it did?

However during that time, imagine the glee with which the cyber fraudsters marauded that peanut store! It was easy to find out which controls each peanut store had implemented, and when one large one hadn't implemented MFA whilst the other three large stores did have MFA, that's who they targeted. Eventually the equation tipped far enough into the present day that the decision was made to implement MFA, so the cyber fraudsters went after the smaller peanut stores whilst they all caught up. "Don't be the slowest gazelle!"

Over the past few days we've seen several superannuation (Australia's retirement savings scheme) funds targeted by attackers, with some customers reporting $0 balances in their online portal. Just today the ABC reported that customers of one fund had actually asked the company to enable multi factor authentication on their accounts to protect them. Perhaps those customers read my earlier blog on MFA 😁

Or perhaps those who asked for MFA are representative of the clued-in, sensible, risk-mitigating people many of us have become. We vote with our feet and walk into a different peanut store, if we don't feel secure transacting with a peanut store that doesn't offer simple anti-fraud controls which, let's be honest, have been around for over twenty years. Either way, this turn of events represents a crisitunity: A crisis which presents an opportunity for us all to learn and improve. You now have more than enough fodder for your risk assessment justifying the implementation of multi factor authentication, if the ASD Essential Eight's recommendation wasn't enough already. 

And now, all this talk of peanuts has made me hungry, especially after that delicious cup of coffee. I think I'll buy some peanuts (from a store I trust!).
