properly configuring and monitoring firewalls to protect against cyber-attacksupdating and patching software and operating systems consistently and in a timely mannerproviding regular, mandatory cybersecurity awareness training to staffallocating inadequate human, technological, and financial resources to manage cybersecurity.As a result of those failures, ASIC said in its court filing, “A FIIG employee inadvertently downloaded a .zip file containing malware whilst browsing the Internet. The malware allowed a threat actor to remotely access FIIG’s network and perform network-based lateral movement and privilege escalation.” About days later, ASIC said, “The threat actor obtained access to a privileged user account on FIIG’s network and began downloading FIIG’s data.” CISOs wanting to avoid a fate similar to FIIG’s should take note of the annexes to ASIC’s complaint. These list 12 key actions for securing enterprise infrastructure that FIIG had failed to implement at various times, and six risk management measures it had not taken.FIIG reportedly learned of the potential cybersecurity incident on June 2, 2023, when contacted by the Australian Cyber Security Centre. According to ASIC, the company was unaware of the breach before this notification and did not begin investigating or responding to the incident until June 8, almost a week after being alerted.ASIC Chair Joe Longo emphasized the case should serve as a warning to all companies about the dangers of neglecting cybersecurity systems.”Cybersecurity isn’t a set-and-forget matter,” Longo said in the statement. “All companies need to proactively and regularly check the adequacy of their cybersecurity measures and follow the advice of the ASD’S ACSC.”ASIC rarely takes cybersecurity enforcement action. In a previous case it brought in May 2022 the Federal Court ruled that AFS licensee RI Advice had breached its license obligations by failing to have adequate risk management systems for cybersecurity risks.Nevertheless, Longon noted, “Advancing digital safety and resilience is a strategic priority for ASIC. We have been actively engaging with companies to support the continuous improvement of cyber and operational resilience practices.”
First seen on csoonline.com
Jump to article: www.csoonline.com/article/3845092/australian-financial-firm-hit-with-lawsuit-after-massive-data-breach.html
