The current threat landscape
The escalating armed conflict in the Middle East has materially increased cyber risk for Australian organisations. As S&P Global Ratings recently observed, the war, coupled with broader geopolitical tensions, has driven a significant increase in state-sponsored cyberattacks – including attacks by proxy groups – targeting critical infrastructure, financial services, government and the private sector globally. These attacks typically seek to dislocate essential services, disrupt supply chains and destabilise economies.
Cyber risk analytics firms have reported heightened activity by threat actors and affiliated hacktivist groups since the conflict began. Reports indicate an increase in phishing campaigns, ransomware-style attacks, data exfiltration and malware deployment targeting energy systems, financial institutions and government networks. Critically, supply chain links mean organisations well outside the immediate conflict zone, including in Australia, face indirect but material risk. The UK National Cyber Security Centre has warned that all industries should anticipate increased targeting designed to cause global economic disruption, especially organisations with dependencies in the Middle East. The Australian Signals Directorate’s Australian Cyber Security Centre (ACSC) has also been actively issuing alerts concerning the exploitation of network infrastructure by sophisticated threat actors, including state-sponsored groups.
This is not a hypothetical risk. Modern conflicts routinely extend into cyberspace. For affected organisations, the consequences can include mandatory regulatory reporting obligations, enforcement actions, economic and reputational harm and litigation.
Recommended actions
In light of the heightened threat environment, we recommend that clients take the following immediate steps.
- Board acknowledgement and oversight
Boards should formally acknowledge the heightened external cyber threat environment at their next meeting. Directors should require the Chief Information Technology Officer (CITO) and Chief Information Security Officer (CISO) (or equivalent roles) to conduct a review of the organisation's current exposure to the external threat landscape and report back to the board on the assessed risk and the specific actions being taken in response. The reporting should address the adequacy of existing security controls, any gaps identified and a timeline for remediation. Active board engagement on cyber risk is increasingly expected by regulators and is consistent with good corporate governance.
- Proactive threat intelligence and risk posture review
CITOs and CISOs should be proactively reviewing threat intelligence feeds from the ACSC, industry information-sharing bodies and trusted commercial threat intelligence providers. This includes monitoring for indicators of compromise associated with state-sponsored and hacktivist groups linked to the conflict, reviewing the organisation's risk posture against current attack vectors (including spear-phishing, ransomware and exploitation of network edge devices) and ensuring that detection and monitoring capabilities are calibrated to the heightened threat level. Organisations should ensure they are subscribed to the ACSC alert service and are acting promptly on advisories, such as the recent critical advisory regarding exploitation of Cisco SD-WAN appliances. If your organisation uses a Managed Services Provider for your IT services, engage with them to understand how they can support this review and uplift.
- Cyber insurance policy review
Organisations should urgently review their cyber insurance policies for exclusions relating to war, armed conflict, or nation-state actors. In the current environment, where the lines between criminal cybercrime and state-sponsored operations are increasingly blurred, there is a real risk that insurers may seek to rely on these exclusions to deny or limit claims. Organisations should engage their brokers to understand the precise scope of any war, conflict or nation-state exclusions, the attribution mechanisms in their policies and any geographic carve-backs that may apply.
- Incident response plan testing
Organisations should test their cyber incident response plans now, rather than waiting until a crisis occurs. This includes conducting tabletop exercises that simulate scenarios relevant to the current threat environment, such as a ransomware attack attributed to a state-linked actor, or a supply chain compromise originating from a conflict-affected region. Organisations should proactively identify key response contacts, including forensic vendors, external legal counsel, insurers and relevant regulatory notification contacts, and ensure those details are current and accessible.
- Supply chain and third-party risk assessment
Organisations should review their supply chain and third-party dependencies for exposure to the conflict and associated cyber threats. Threat actors are known to exploit interconnections between organisations and a compromise of a key supplier or service provider can have cascading effects. This review should prioritise third parties with operations in, or connections to, the affected region, as well as critical technology and infrastructure providers.
Contact Us
Gilbert + Tobin, through its specialist cyber team, is available to assist clients in navigating this heightened risk environment, including advising on board governance obligations, reviewing cyber insurance coverage, conducting incident response readiness assessments and providing 24/7 breach response support. Please contact us to discuss the steps your organisation should be taking now.