VeroGuard Systems

  • Security device promises jobs boom - Mobile EFTPOS pioneers launch authentication service.

    As it launches its highly secure VeroCard multi-factor authentication device after years of development, Australian cybersecurity firm VeroGuard Systems is on track to create hundreds of new security and engineering jobs in Adelaide and Melbourne by 2023. The firm – which emerged from Adelaide’s Defence-heavy innovation sector and now enjoys a strategic partnership with the CSIRO and a global partnership with Microsoft – has spent 17 years refining the technology behind its newly launched VeroCard. Described as a ‘personal high security card’, Verocard is a handheld digital wallet that offers, among other things, strong enough security that it can be used for everything from a tamper-proof digital ID to a fully fledged EFTPOS terminal. Backed by recent certification to Payment Card Industry (PCI) Pin Transaction Security (PTS) standards, the device – which functions as a rugged ‘black box’ hardware security module (HSM) – has been designed to provide non-repudiable authentication to all manner of online services. Its robust design caught the attention of Microsoft, with which the VeroGuard CEO said the company is “engaged in signing a contract to secure Office 365”. That deal will provide more than 1.56 billion Office users with access to “the first PIN-based FIDO2 device… if you are migrating all of your ID management into the cloud, you can get one of those.” VeroCard’s use cases had gotten a significant shot in the arm through the COVID-19 pandemic, VeroGuard told Information Age, with companies increasingly worried about maintaining the security of key information as employees log on remotely. Australian consumers and businesses have become increasingly concerned about privacy and security, with a recent Office of the Australian Information Commissioner (OAIC) report finding data privacy is now the top consideration when choosing digital services – and that 26 per cent of Australians don’t trust companies to protect their data. 
Providing a high-security way to tighten control over access to those services “is a clever way to give confidence to the public,” the CEO explained, “and to companies that are afraid. Now that everybody works from home, they want to make sure nobody else can log into their corporate systems.” The technology would also be a leveller for small businesses “who have nothing in the market,” he added. “If you go to BHP, of course they have everything secure – and they paid millions of dollars for this – but if you’re a small business, how are you going to secure yourself? Everybody identifies SMEs’ migration into the cyber market as almost impossibly difficult.”

Making security innovation pay

The Microsoft deal is a strategic coup for VeroGuard, whose core team came from Dynamic Data Systems – which developed the world’s first mobile EFTPOS system in 1993 and worked with Australia’s Big Four banks to introduce it. The team understood the internet’s potential to scale secure transaction networks years ago, and worked to bring VeroGuard’s HSMs online in a “uniquely bizarre” effort that would leverage hosted .NET infrastructure to support massive transaction volumes. Seventeen years after this initial revelation – and on the back of $110m in investment – the integration of similar levels of security and functionality into a small form-factor, PIN-driven device marked a significant step forward. VeroGuard’s partnership with CSIRO has given the company access to its cloud-based TrustStore technology, which allows the system to split data packets across multiple servers in a way that provides what the company called “an ultra-secure ecosystem of trusted members for sharing, transacting, communicating and using data”.
That ecosystem supports VeroGuard products including VeroMod, VeroVault and VeroVision – and now enables the new VeroCard solution, which CSIRO Data61 director John Whittle called “a unique sovereign security platform [enabling] the protection of Australian businesses and infrastructure like never before.” “This is a fantastic example,” Whittle said, “of how our national science agency partners with industry to deliver real-world solutions with the potential to create jobs.” Just how many jobs? By the end of 2022 the company will grow from its current staff of 50 – 20 in its Adelaide manufacturing hub and 30 in its Melbourne development centre – to 176 total staff. By the end of 2023, this will have grown to “close to 500” people, he adds, as expected surging demand and an expanding product pipeline drive the company to actively recruit banking, cybersecurity, defence, and payment specialists as well as technical experts such as .NET architects and software engineers. VeroGuard’s commitment to Adelaide has been public record for several years, but increasing investment in the city’s innovation infrastructure – including its selection as the base for the Australian Space Agency (ASA) and related industries – drove it to this year re-commit $57.5m for a high-tech manufacturing site in Adelaide’s northern suburbs. David Braue - 26 November 2020 Source: https://ia.acs.org.au/article/2020/security-device-promises-jobs-boom

  • Healthcare provider UnitingCare Queensland hit by ransomware

    Australian healthcare provider UnitingCare Queensland has been hit by what appears to be Windows ransomware, with the company saying it was hit by a "cyber incident" on Monday. The statement said some of the organisation's digital and technology systems were inaccessible due to the incident. Nine News said the impact was due to ransomware and was much wider. The broadcaster reported that all operational systems, including internal staff email and booking of patient operations, were affected, forcing staff to use pen and paper instead. It also said that the Wesley and St Andrews War Memorial Hospitals in Brisbane had their systems taken down. None of the common ransomware operators have yet listed the UnitingCare Queensland attack on their notification websites. According to its site, "UnitingCare also provides aged care, disability supports, health care and crisis response in Queensland through Blue Care, Lifeline, The Wesley Hospital, St Andrew’s War Memorial Hospital, Buderim Private Hospital and St Stephen’s Hospital. And we provide community, aged care, disability and mental health support in the Northern Territory through ARRCS." The organisation's statement said: "As soon as we became aware of the incident, we engaged the support of lead external technical and forensic advisers. We also notified the Australian Cyber Security Centre of the incident and are continuing to work with them to investigate the incident. "Where necessary, manual back-up processes are now in place to ensure continuity of most services. "Where manual processes cannot be implemented, services are being redirected or rescheduled accordingly. "Due to the recency [sic] of the incident, it is not possible to provide a resolution timeframe at this stage, however our Digital and Technology team are working to resolve this issue as swiftly as possible." Last year, two prominent Australian healthcare providers were hit by ransomware.
Regis was hit by the Windows Maze ransomware in August while Anglicare Sydney was hit by unspecified ransomware in September. The last data breach report from the Office of the Australian Information Commissioner showed that health service providers were at the very top when it came to the number of notifications. Commenting on the incident, Rick McElroy, principal cyber security strategist, VMware Security Business Unit, said: "Ransomware-as-a-service has risen in popularity, providing cyber criminals with the necessary tools to carry out these types of attacks. "This has created the opportunity for millions to easily target healthcare organisations. Compounding these risks is the adage of affiliate programs for ransomware groups, providing new and unique ways for malware operators to have others deploy their payloads for a cut of the eventual profits. We’re also seeing a lot of secondary extortion, in which cyber criminals look to profit twice from an attack, forcing organisations to not only pay to decrypt data, but also to prevent sensitive data from being sold or released publicly." McElroy said it was necessary for healthcare organisations to understand the evolving threat landscape but that was just half the battle. "There are three things to keep in mind to help stay one step ahead of attackers: next-generation anti-virus, end-point protection and IT tracking tools. "Endpoint protection platforms should incorporate defences for each phase of ransomware attacks: the delivery, propagation, and encryption stages. 
It’s important for organisations to ensure they can easily provision access to new users while maintaining data privacy, compliance, and security practices.” VeroGuard chief executive said: "Medical institutions have been under pressure for many years to integrate clinical, hospital, allied health, insurance, state and federal systems together, and now, new technologies such as artificial intelligence, big data, analytics and virtual reality will add further complexity and greater vulnerabilities to already stressed systems. "Like most industries the focus on cyber detection and remediation in healthcare has been, and will continue to be, simply inadequate. With the average time to identify a breach increasing to more than 207 days in 2020, most of the damage is done before a breach is uncovered. Staff education is important however humans remain susceptible to attacks particularly in high pressure environments such as hospitals." Sam Varghese - 27 April 2021 Source: https://itwire.com/security/healthcare-provider-unitingcare-queensland-hit-by-ransomware.html

  • ACSC reports fall in cyber-security incidents in 2020-21

    Cyber-security incidents reported by victims fell during the 2020-21 financial year, the Australian Cyber Security Centre says in its annual threat report, adding that there was also a drop in the most severe types of incidents. A total of 1630 incidents were reported, with the categorisation ranging from 1 (most severe) to 6 (least severe). In 2020-21, there were no incidents that were in either category 1 or 2. But a higher proportion were classified as category 4 than in the previous financial year. The highest number of reports of cyber crime during the financial year 2020-21 came from Queensland (30%), with Victoria just behind (29%). The highest average financial losses were reported by victims in South Australia and Western Australia. Losses totalled about $33 billion. The number of cyber crimes reported was up by about 13% year-on-year, with 67,500 reports received, and the ACSC said in its report that it had categorised a higher proportion of the reports as "substantial" in impact this year. A graph showing the incidents during the two years, 2019-20 and 2020-21, indicated that there was a spike in April last year which was attributed to a bulk extortion campaign. More than 1500 incidents related to the pandemic were reported every month, with three-quarters of them relating to the loss of money or personal information. There were about 500 ransomware incidents reported, an increase of about 15% from the previous financial year. The report can be downloaded here. Satnam Narang, staff research engineer at security shop Tenable, said the findings underscored much of what security professionals had been seeing and warning about. "Cyber criminals are operating with a fierce determination now more than ever before," he said. "The COVID-19 pandemic and the shift to remote work has provided new opportunities to both scammers and financially-driven thieves alike.
"The 15% increase in ransomware attacks can be largely attributed to the rise in ransomware-as-a-service groups, which enables cyber criminals to make a significant profit, and the adoption of double extortion tactics. "Not only do organisations have to worry about computers in their network being encrypted, but they also have to worry about ransomware groups stealing their sensitive data and threatening to publish them on the dark web if their ransom demands are not met. Ransomware has always been considered a prominent part of the game so to speak, but now ransomware has become the game." The chief executive of Australian cyber security company VeroGuard said: "This assessment reflects a global vulnerability in critical infrastructure security. It is a result of organisations migrating to cloud-based operations that allows access to data and operations via open networks. "It makes sense that business and government want to automate and leverage Internet-based open networks to support mobility, connectivity, and the flow of data. However, the current focus on software-based detection tools, two-factor authentication and biometrics as methods to secure access are clearly not closing the gaps in security when working over the Internet with the cloud. "Greater than 90% of attacks and breaches are on users' identity and credentials as accessing a system remotely by assuming an authorised user's identity allows the cyber-criminal to remain undetected for an average of 207 days. This is the logical and only place to focus that action." Sam Varghese - 15 September 2021 Source: iTWire - ACSC reports fall in cyber-security incidents in 2020-21

  • Cybersecurity wars and the companies combating incursions

    Everyone grasps, on some level, that cyber-security – or more correctly, the cyber-crime at which cyber-security is aimed – is a big problem. But when you really look into it, the scale of the cyber-crime problem is truly staggering. According to leading industry research firm Cybersecurity Ventures, cyber-crime is predicted to inflict US$6 trillion ($8.1 trillion) in damage globally in 2021, up from US$3 trillion in 2015: if it were measured as a country, that would make cybercrime the world’s third-largest economy, after the US and China. Cybersecurity Ventures’ 2020 Official Annual Cybercrime Report says cybercrime is the greatest threat to every company in the world, and one of the biggest problems with mankind: it is bigger than the illegal drug trade. The report quotes Jack Blount, former chief information officer at the United States Department of Agriculture (USDA), and now chief executive officer at enterprise security software company INTRUSION, as saying: “Every American organization — in the public and private sector — has been or will be hacked, is infected with malware, and is a target of hostile nation-state cyber intruders.” In fact, Blount prefers the term “cyber-warfare” to “cyber-crime.” Last year, Chinese tech giant Huawei admitted that it endures about one million cyber-attacks on its computers and networks every day. Cyber-security consultant Tony Barnes, director of Cyber Research Group, told this writer last year, “When you switch servers on, they’re like magnets in the way they attract attacks.” Barnes said that showing organisations the scale of the constant attacks on them is a penny-dropping moment: “When people visualise it, it scares the pants off them,” he said. The level of threat is reinforced seemingly every week with news of high-profile hackings and data breaches. 
Last month, Prestige Software, a company that services hotel reservation platforms for Hotels.com, Booking.com, Expedia and more, reportedly left exposed the data of millions of those sites’ customers, including names, credit card details, ID numbers and reservation details. Also in November, US networking equipment vendor Belden admitted to being hacked, and even global cyber security firm Sophos owned up to suffering a data security breach.

Breaking news

This week, cybersecurity firm FireEye was the victim of a state-sponsored cyber-attack. The $3.5 billion FireEye identifies the culprits of some of the world’s major cyber hacks and counts Sony and Equifax as its clients. According to FireEye, one of ASX-listed WhiteHawk's vendors (see below), the hack was carried out by “a nation with top-tier offensive capabilities.” Though not named, fingers have been pointed at Russian intelligence agencies. Hackers accessed FireEye's internal network and stole its red team tools, which could be useful in mounting new attacks around the world. FireEye CEO Kevin Mandia said of the attack, "Based on my 25 years in cyber security and responding to incidents, I've concluded we are witnessing an attack by a nation with top-tier offensive capabilities... The attackers tailored their world-class capabilities specifically to target and attack FireEye. They used a novel combination of techniques not witnessed by us or our partners in the past." The breach is now being investigated by the FBI and Microsoft. “The hack raises the possibility that Russian intelligence agencies saw an advantage in mounting the attack while American attention — including FireEye’s — was focused on securing the presidential election system,” Mandia said. This is potentially the biggest known theft of cybersecurity tools since 2016 when the ShadowBrokers group targeted the NSA and dumped their hacking tools online. This list of major hacks – just in 2020 – from IT newsletter/website ZDNet makes sobering reading.
However, the silver lining to the cyber-crime pandemic is that there are very smart people working on cyber-security solutions – and in many cases, these companies are investable stocks. As befits the scale of the problem, cyber-security is emerging as one of the biggest secular investment themes of the 2020s. The Australian Securities Exchange (ASX) hosts a small but intriguing group of cyber-security companies, including:

WhiteHawk (WHK)

Headquartered in Virginia, USA, WhiteHawk developed and operates the first online cybersecurity exchange, enabling businesses of all sizes to manage cybersecurity threats. This year, WhiteHawk has won a range of contracts (and contract extensions) across four main sectors — the US government sector (a US agency and a department), the manufacturing sector, the financial sector and the Defence Industrial Base (DIB), the term for the worldwide industrial complex that enables research and development, as well as design, production, delivery, and maintenance of military weapons systems, subsystems, and components or parts, to meet US military requirements. WhiteHawk has built its cyber-risk-focused business model to give it commercial and technical agility, being able to partner with the best open data and AI-enabled platforms, allowing the company to continually evolve to align with customer needs and appetites. It has positioned itself well in the US cyber-risk market, across companies and organisations of all sizes, and is now seeking to increase its business internationally. Read: Delivering Cybersecurity Solutions

Tesserent (TNT)

Cyber-security and network services company Tesserent provides “Internet security-as-a-service” for a customer’s computer infrastructure, including firewall, authentication, anti-virus, anti-malware/spyware, intrusion detection, and security event management, typically provided on a subscription basis.
Its customers – both Australian and international – come from the government, corporate and education fields. The company’s products and services include network perimeter security, secure internet connectivity, data storage services, and internal network security services. The company has made a series of high-value strategic acquisitions recently, and in November, Tesserent announced that it will step into the “real” world, with a new joint venture with New Zealand firm Optic Security Group that will incorporate both cyber and physical security solutions.

Senetas (SEN)

Senetas provides data encryption hardware, engineered for high-speed networks, to major corporations and governments. Senetas’ encryptors now protect network transmitted data in more than 35 countries, and are used by customers ranging from government organisations with highly sensitive information, for example, the US defence forces, to commercial and industrial organisations, banks and global financial transactions systems providers, cloud and data centre service providers and small businesses. Senetas’ services segment offers its customers absolute control over file sharing and data sovereignty through its platform ‘SureDrop’. In 2020, Senetas acquired Israeli cyber-security firm Votiro, a leading provider of Content Disarm and Reconstruction (CDR) technologies, which markets its Disarmer and Secure File Gateway solutions globally for a wide range of applications, including file-transfer, email, removable devices and collaboration platforms.

archTIS (AR9)

Canberra-based archTIS has developed a cloud-based software-as-a-service (SaaS) security and collaboration platform called Kojensi, which arose out of a solution built for the Australian Department of Defence, and further developed in trials involving a number of Australian Federal Government agencies, including the Commonwealth Attorney General’s Department (AGD) and the federal Aged Care Royal Commission.
The system has subsequently been deployed in the AGD, the Commonwealth Ombudsman and the Australian Criminal Intelligence Agency, and the first non-government clients, in aerospace giant Northrop Grumman and Western Australia’s Curtin University. archTIS is marketing the Kojensi platform to industries that service the government, and which also need to share sensitive and classified information. Kojensi is hosted within a protected cloud environment accredited by the Australian Signals Directorate (ASD). The platform is being marketed as a secure content and collaboration cloud service, which offers a combination of enterprise content management capabilities, collaboration tools and workflows. Instead of using passwords, the Kojensi platform creates an electronic “fingerprint” on the data or documents, determining who can access the material, where, and when.

VeroGuard

Also, Australian company VeroGuard is targeting a dual listing on the ASX and Singapore’s SGX over the next 12 months, as it seeks to commercialise its VeroCard product, which centres around the creation of a unique digital identity for individual users, based on the interbank communication protocols, applied to the internet. The VeroCard technology – which will be manufactured in Adelaide – removes traditional password and online identity problems, and guarantees a user’s identity online: company CEO says it is “impossible to hack,” as there is no known source of encryption. In October, VeroCard received the highest security certification available from the US-based Payment Card Industry Security Standards Council.

For investors who want a broadly diversified exposure to the cyber-security theme and the expected boom in cyber-security spending, the ASX also hosts the BetaShares Global Cybersecurity ETF (exchange-traded fund), under the code HACK. The HACK portfolio is 89.5% invested in US companies, with Israel (3.3%) and the UK (3.1%) the next-largest allocations.
Systems software dominates the industry breakdown, at 51.9% of the portfolio, followed by IT Consulting (15.4%), internet services and infrastructure (12%) and communications equipment (11.9%). HACK is designed to track (before fees and expenses) the Nasdaq Consumer Technology Association Cyber-Security Index, which comprises 43 companies. This is a diversified collection of companies, but most are small and mid-cap companies that are not well-known in Australia. At present the five largest holdings are: Crowdstrike Holdings (6.7% of the portfolio), Okta (6.3%), ZScaler (6%), Accenture (6%) and Cisco Systems (5.9%). Since inception in August 2016, the HACK ETF has earned its Australian investors 19.2% a year, lagging its index, on 19.8% a year. In the three years to November 30, HACK generated 21.4% a year, versus 22% for the index. HACK costs 0.67% a year in management fees. It is not currency hedged, so returns can be affected by foreign exchange fluctuations. James Dunn - 10 December 2020

  • 'Impossible to hack:' The $100m Aussie cyber-security company

    Computershare co-founder Tony Wales and trucking magnate Ian Cootes are among those to have poured $100 million into an Australian-made cyber-security platform that is now being piloted after 17 years in development. Where that invention took existing interbank communication protocols and applied them to the airwaves, VeroGuard seeks to apply them to the internet. "Our technology is indecipherable when two switches talk to each other," the CEO says of the technology he patented in 2003. "There's no known source of encryption – it's impossible to hack." However, he says he initially grew frustrated with trials involving his technology, which attempted to secure internet banking – the problem being the internet itself. "The internet was built not to be secure. There is no identification layer on purpose, as it was designed for sharing everything," he says. With no immediate prospect of serious revenue from securing banking applications, in 2016 the technology was pivoted to tackle a bigger problem – that of assuring identity for all online transactions. Cyber crime will cost the global economy $US10.5 trillion ($14.4 trillion) annually by 2025, according to a report this month from California-based research house Cybersecurity Ventures. It found an identification breach was at the heart of 85 per cent of online thefts. To try to prevent such breaches, the CEO says he took his technology back offline, and armed it with hardware. VeroGuard developed what it calls a "personal high security card" or "Verocard", which resembles a small pocket calculator, and is set up using Australia Post's identification protocols. Users enter their assigned PIN numbers when prompted by an application they are trying to access. Microsoft 365 is already integrated with VeroGuard, as is a tender management platform from Morton Blacketer, which co-ordinates tenders for state governments around Australia.
The technology removes traditional passwords and online identity problems, and guarantees a user’s identity online. This technology should not be compared with the two-factor verification now offered by most online banking portals, where an SMS code is sent to a customer's phone. "People suggested we put VeroCard inside the phone, but the phone is the mother of all evils when it comes to cyber security," the VeroGuard CEO says. "The fact that the phone is not secure is why online banking fraud is such a problem." The VeroCard last month received the highest security certification available from the US-based Payment Card Industry Security Standards Council, which VeroGuard claims validated its "ultra-secure credentials". A couple of hundred VeroCards are in circulation on a pilot basis, and after winning $14.2 million in grants and loans from the SA government, they are being made by re-trained automotive workers on a 30,000 square metre site in Adelaide's Edinburgh defence industries precinct. However, small businesses are another target market because they are seen as a soft target by hackers. "SMEs don't really understand all the cyber security products out there, but a piece of hardware that offers them military-grade protection should cut through," says Nic Nuske, a former IBM executive hired to help commercialise his pivot into identity verification. "Coming from IBM, that kind of development cycle is not unusual," he says. "This is not just another app." Michael Bailley - 23 November 2020 Source: https://www.afr.com/technology/impossible-to-hack-the-100m-aussie-cybersecurity-company

  • Covid-19 and Business Continuity

    How will organisations deal with another potential crisis - cybercrime - as they rightfully ask employees not to come into the office? In a very short period of time, businesses are establishing plans to deal with COVID19. Whilst the majority of businesses and governments have continuity plans including pandemic response, a long list of organisations are struggling to execute those plans effectively. A key action for most organisations, at possibly different points in their plans, involves work-from-home initiatives. However, as COVID19 becomes a reality, many organisations are becoming exposed to the fact that they have risk-accepted or ignored the probability that their employees, suppliers and customers would need to access and use critical systems over open networks that have, till now, run through closed proprietary networks. COVID19 is putting employees in a seemingly impossible position to work with authentication and encryption systems that are not satisfactory for protecting critical systems and data over open networks. The need to provision secure access with strong authentication becomes paramount to avoid another inevitable crisis from exposing critical systems and data to open networks – cybercrime. Cybercrime is already the fastest growing crime in the world and poor execution of work-from-home cyber security will exacerbate the threat many times over. Rather than accepting higher levels of risk by trying to utilise existing authentication methods, organisations must apply high levels of assurance to ensure they don’t expose critical systems and data to the cyber criminals. The platform that completely and uniquely solves this dilemma is Australian owned and developed VeroGuard Systems.
The VeroGuard Platform allows organisations immediate access to a global first that works by applying flexible risk-based policies, cloud Single Sign On and universal high assurance authentication methods to secure access to cloud apps, data and the corporate network whilst meeting business, risk management and full compliance needs. Developed in Melbourne, manufactured by ex-automotive workers from a purpose built high security facility in Adelaide, VeroGuard Systems can provide for open networks an ATM level guarantee to the identity of users, complete user credential protection online and bank to bank level encryption of data in transit, all from a simple to use ‘high assurance’ platform. Jointly developed with the CSIRO, VeroGuard Systems can also provide ultra-secure protection for data at rest that is being accessed by users over the cloud through the same authentication platform. Contact : Nicholas Nuske | CEO VGS | nicn@veroguard.com.au | 0418 360 215

  • Rethinking Digital Identity

    Every day we read about a new threat to personal, government and business systems despite the billions of dollars spent annually on cyber security. In fact, at least one in four people reading this will personally experience an identity breach in the next two years. Direct losses are often covered; however, the reality is that we all ultimately pay for the economic impact of cyber-crime. Recent cyber-crimes have also had dramatic political and social outcomes that have arguably changed the course of history. It is estimated that the economic impact of cyber-crime in Australia will exceed $15 billion this year and Forbes estimates that the cost is tripling every two years. The actual costs, including the significant costs of building cyber security layers, are becoming increasingly apparent, and are clearly unsustainable on their current trajectory. If these new threats are not enough, many of us are also carrying a few battle scars of escalating IT costs or project blowouts as we try to implement better customer services. Everyone is grappling with the complexity that has built up over many years – multiple networks (open and closed), on-premise and cloud-based applications, millions of devices, software for every function and the challenge of trying to recognise and manage what access users have in each environment. Meanwhile, smartphones and platforms have transformed how people go about their lives, moving from organisational dependence to individual control. Whilst we are designing systems to make our customers' lives easier online, we are often having to trade off either security or convenience. Entering long strings of numbers and taking multiple steps to select street signs in pictures all add to the complexity of the user experience online. Further, we are also expecting users to trust organisations and give up unique information (which can’t be reset when breached) like facial features or fingerprints.
The bottom line is: it’s hard for anyone to realise the benefits of digitisation when grappling with the complexity of mixed architectures, threats of cyber-crime and escalating costs and risks associated with both.

Time to stop paving the same path!

Many of our current systems were created to work as private networks, where access to individuals and devices can be controlled with rules and audit trails. Although the concept of the internet dates as far back as the 1960s and the World Wide Web went mainstream in the mid-90s, the opening up of these systems to outsiders has been gradual. We are still grappling with the convergence of mixed systems (open and closed), the trillions of devices connected to the internet and the millions of applications co-existing in hybrid environments without any real standards for proving identity (the internet was purposely developed without an identity layer). The answer to the emerging change has mostly been to keep developing and layering on more and more of the same architectures – re-paving the same cow path in an effort to keep up.

We need a new Security Architecture

In this world of joined up data/services, mixed private and public data, AI driven cognitive systems and sophisticated algorithms, more flexible security architectures that switch between open and closed networks seamlessly, together with a trusted universal ID and verifiable authentication, are essential. Paving the same path has meant that we are not only building tomorrow’s legacy of problems, but we are also increasingly exposing citizens to the potential threats emerging with the internet of things, such as riding in hijackable machines like autonomous buses and cars. A risk managed approach may have unacceptable outcomes.

So, if we have the luxury of designing this new security architecture and trusted distributed system from the ground up, how would it look?
      • It is made for the internet, and can switch millions of private connections from user to user across the internet, in and out of open or closed environments.
      • Users can control their own ID and consent, and store their own ID information, not organisations.
      • It uses secure methods that can remove the occurrence of any unauthorised use of an ID.
      • Its security can protect a transaction or transmission against hijacking or interception.
      • It can work securely over multiple systems, operating systems and platforms.
      • It can provide the user with the tools to have complete confidence in the party at the other end of a transaction or communication.

At this point, many people would propose Blockchain or Distributed Ledgers as a possible solution; certainly billions of dollars are pouring into R&D to explore this. While it continues to have much data integrity potential, a number of recent publications have highlighted that Blockchain is yet to solve the security, identification, scalability and privacy features required for an identity platform.

One that gives the power of identity and privacy to its users

If we could rapidly implement a security architecture that switches private connections between individuals and organisations, we would be able to manage our living and working lives with confidence. At the heart of this is the capability to prove authentication of identity and security and to manage privacy. It can be argued that this requires a shift from traditional organisation-bound identity credentials to externalising and aggregating the identity with the true owner – the user. Consumers want power, comfort, convenience and security, so for any solution to be quickly and effectively adopted it should:

      • Deliver a simple ID credential with a single re-usable way to login.
      • Provide the user with complete control over usage and any changes to identity details.
      • Be able to be used with any system, device and operating system.
      • Have security that protects the end user and allows them to trust who they are dealing with online.

Being innovative does not have to be risky!

The real risk is that we don’t shift our mindsets quickly enough from always looking at established technologies to seeking out the innovations which are being specifically designed for mixed architectures, such as Melbourne-based VeroGuard or Sydney-based Meeco. New architectures can deliver the true citizen-centric models we desire by converging security, identity and convenience together, in turn delivering a new level of trust for the economy of people. We have an extraordinary opportunity, and some might say responsibility, to pursue and trial these step change security solutions that protect all Australians across domains, particularly those developed in our own back yard. Considering what is at stake with cyber crime impacts, a sustainable digitization path which more people can use and trust is essential, and the opportunity is massive for those leaders who open new paths that at the same time could actually reduce their ongoing risks.

Source: https://www.themandarin.com.au/83810-rethinking-digital-identity/

  • Cybersecurity threats escalate during COVID-19 pandemic

    Australian businesses are facing a rising tide of cybersecurity threats and, despite $6bn of forecast spending on the sector this year, it remains a huge headache for companies. New Zealand’s stock exchange, NZX, is just one high profile business that has been hit by a string of cyber-related incidents over the past few weeks. Cybersecurity threats are increasing for three reasons, the chief executive of Australian cybersecurity company VeroGuard Systems told Stockhead.

“Firstly, current methods of identity and credential protection are failing because of a lack of secure digital identity and credentials when accessing systems and data online. Stolen user credentials are the most common point of attack in hacking attempts. Secondly, extended supply chains and the Internet of Things have increased the number of potential entry points for hackers, making companies more vulnerable to attack. Half of organisations in an IBM Ponemon Institute survey said they had suffered a security breach through one of their vendors. Thirdly, cyber criminals are becoming more effective and efficient at harvesting personal data in social, government and corporate systems. It takes an average of 206 days to identify a cybersecurity breach and 73 days to contain it, according to the IBM Ponemon Institute survey. The threats and breaches have accelerated during COVID-19 and the current pandemic is exacerbating the already compromised position.”

WFH creating a weak point for cybersecurity

Remote working as a response to the pandemic is placing IT professionals in a difficult position as they try to rapidly scale access to non-critical domains for work-from-home (WFH) employees. “The scale of WFH and uncertainty of a rapidly changing pandemic allows cyber criminals greater options and opportunities for cyberattacks,” he said.
The threat level for cyberattack can increase for WFH employees because of poor wifi security, stretched support services, a lack of robust digital identity infrastructure and increased pressure on company detection systems and IT personnel. VeroGuard’s platform protects online privacy by providing identity security that eliminates cyber threats and is easily and rapidly deployable for companies. The company is currently raising investment from sophisticated and professional investors in a pre-IPO funding round. ASX tech stocks with cybersecurity applications have been a focus for investors.

Malware, account hijacking and targeted attacks

Malicious software or malware, account hijacking and targeted attacks are the top three types of cybersecurity breaches, according to computer security firm McAfee. “Cybersecurity attacks are on the rise as cyber criminals are leveraging the world’s need for information on COVID-19 as an entry point into systems across the globe – and this is of great concern to all industries, including the finance sector,” McAfee Asia-Pacific regional director Joel Camissar told Stockhead. “What started as a trickle of phishing campaigns and the occasional malicious app swiftly turned into a surge of malicious URLs and capable threat actors.”

The software security firm observed 375 threats per minute, and WFH has increased the exposure of companies to potential cybersecurity breaches, its July quarter report said. Opportunistic cyber criminals are targeting employees working from home during COVID-19. “Cyber criminals see a remote, distracted and vulnerable workforce as opportune targets,” Camissar added. Top internet protocol address locations for external cloud account attacks from January to April include Brazil, China, India, Laos, Mexico, New Caledonia, Thailand, the US and Vietnam, McAfee said.
There were 518 incidents of personal data breaches in the first half of 2020, up 16 per cent on the corresponding 2019 half year, the Australian Information Commissioner said. Criminal attacks accounted for 61 per cent of all data breaches in the period, Camissar said.

Cybercrime outpaces cybersecurity spending

Spending on cybersecurity is soaring and in Australia is expected to exceed $6bn this year, due to the increased challenges of COVID-19, up from $4bn last year, according to VeroGuard. “Even this level of spending may not be enough, and it has already exceeded industry estimates of reaching $4.7bn by 2026,” he said. “Despite the amount of money being spent on cybersecurity, the costs of cyber-crime are growing more quickly. The economic impact from cybersecurity is estimated to reach $US6 trillion in 2021, up from $US600bn in 2017,” he said. The security cost of protecting global publicly accessible computer cloud systems is set to reach $US700bn by 2022, or twice the $US350bn value of the system itself.

Adding to the issue of cybercrime is Australia’s apparent skills shortage in cybersecurity. “Australia has substantial gaps to other countries on developing local cybersecurity technology, innovation and companies,” VeroGuard's CEO said. “The investment in cyber security is not keeping up with the rate of losses from cyber-crime.”

Countering cybersecurity threats

Governments could help to lower the risk of cybersecurity threats by building a secure identity platform for its citizens and business that can eliminate credential compromise. “Detection and remediation as a priority simply has not worked and will not catch up to the increased sophistication of threats. The criminals have larger incentives and rewards to build the resources that avoid detection.” Governments also need to beef up the cybersecurity resilience of Australia’s critical infrastructure such as water, power and traffic systems, and build on its sovereign capability.
“Cyber threats are starting to be recognised for the significant disruption they can cause on our economy and welfare. We need to treat the cyber threat equally to attacks by sea, air and ultimately land particularly knowing that they can be launched from anywhere in the world, without notice.”

September 10, 2020 | Mike Cooper

Source: https://stockhead.com.au/tech/cybersecurity-threats-escalate-during-covid-19-pandemic/

  • Cyber-regulatory 'mishmash' exposes nation to attack

    Australia's patchwork of cyber regulations, lack of standards, a mishmash of regulators and poorly implemented technical controls in government and business are exposing the nation to a cyber attack, according to expert submissions to the cyber strategy review. Submissions also highlighted the need for a dedicated cyber security minister and a single regulatory authority to harmonise regulation and standards for both the private and public sector. Paul Fletcher oversees cyber security as part of his communications and arts responsibilities, within the mega infrastructure portfolio.

Noting the need for government leadership, experts also highlighted the need for federal and state governments to get their own houses in order. "Trust from business and the general public will only be strengthened if the government is seen to be taking cyber security seriously for its own entities across the whole government space, not only at the federal level, but also state and territories," PwC wrote in its submission. "The government’s low cyber security maturity presents a challenge for it to assert a leadership position."

This comes as Labor's cyber spokesman, Tim Watts, has highlighted the numerous audits which have shown lax accountability for the poor cyber practices of many federal agencies. The review comes four years after the initial cyber strategy was developed, a first attempt to create a national approach to building greater cyber resilience.

Piecemeal regulation

The new strategy has become more significant after Prime Minister Scott Morrison revealed an ongoing cyber campaign against Australia by a "sophisticated state entity." The strategy was due to be released earlier this year, but has been delayed and is expected to be released in the next couple of months. Unlike, say, Germany, Australia does not have a specific overarching cyber security act.
Deloitte's submission to the review noted the regulatory environment is made up of a group of industry-specific regulations and guidelines, including specialist financial, energy, telecommunication and health regulations. There are also privacy, cyber crime and interception laws which relate to cyber security. PwC called for critical infrastructure regulation to be expanded to cover other sectors such as transport, manufacturing, telecommunications, agriculture / food production, mining, health and pharmaceuticals. Noting the interplay between a variety of standards and regulation, UNSW's Allens technology hub said the new strategy should integrate all of these initiatives to be effective.

'Outdated' policies

"Failure to consider these interactions may result in overlap and confusion, and further contribute to the piecemeal approach to the appropriate legal framework for cyber security in Australia."

Identity provider Vero Guard Systems told the review "policies and standards used today are outdated." Vero manufactures dedicated identity hardware offering identity solutions for government and business that avoids the use of multifactor verification and biometrics. "Rapid changes to and in technology obsolete frameworks and protocols in relatively short cycles. Cyber-criminals exploit these gaps because policy focus is on detect and mitigate rather than prevention."

Vero joined other submitters noting the variety of regulators overseeing cyber. "Currently there is no evidence that a government, association or organisation is responsible for managing cyber risks in the economy," Vero wrote.

Standardised approach

EY called out the lack of a standardised approach to cyber security. EY said there is no overarching framework or standard, with the federal government security manual (the ISM) not used much beyond government. EY noted the five pillars approach used by the US Department of Home Security had created an economy-wide approach for cyber security management.
"A standardised approach provides strategic direction, identifying what mature risk and control environments look like."

"The difference between a regulatory approach and a standards-based approach is about an enforcement regime around the standards," EY APAC cyber partner, Richard Watson told The Australian Financial Review. "You’re not creating a new set of standards for regulation, you’re just enforcing the global best practice.

"What they’ve done in the US - and is now being raised here by the Federal Government - is to have regulators specify the minimum maturity score and begin to fine people if they fall short of that," Mr Watson said.

Deloitte observed that cyber enforcement is dealt with by "multiple regulatory bodies that have differing touchpoints with cyber issues, with each agency and regulatory body having varying enforcement priorities, functions and powers." "For example, the Australian Crime Commission and Australian Federal Police may deal with cyber crimes, while the Office of Australian Information Commissioner (OAIC) may deal with breaches involving personal information."

Deloitte noted this meant penalties may vary significantly and be disproportionate. "The OAIC can seek penalties of up to $2.1m for breaches of the Privacy Act, which only covers personal information, but there is a gap for system breaches that do not involve personal information but may still affect the Australian community and businesses through issues such as operational disruption."

Tom Burton - 10 July 2020

Source: https://www.afr.com/politics/federal/cyber-regulatory-mishmash-exposes-nation-to-attack-20200709-p55ar1

  • Digital ID expert says reducing cyber crime will need new thinking

    Existing methods to detect and nab cyber criminals are likely to be ineffective in the years ahead, judging from the projections of consulting firm PwC, the chairman of the digital identity provider VeroGuard claims. The chief executive of VeroGuard said the Joint Policing Cybercrime Co-ordination Centre, announced by the Federal Government on Monday, was a welcome initiative. But, he added, PwC modelling had estimated the direct costs to business from cyber incidents to be about $10.1 billion annually, with projections of a total GDP loss of $114.9 billion by 2031.

Home Affairs Minister Karen Andrews announced the setting up of the centre — known as the JPC3 — which would start operations from March next year. The centre will be led by Assistant Commissioner Justine Gough, who will operate a new Cyber Command.

“By cracking down on cyber crime and enhancing the nation’s cyber security, the Morrison Government is protecting Australians and securing our economic recovery,” Andrews said.

“This AFP-led cyber crime centre will be cutting edge, and will ensure Australia is leading the world on cyber security.

“Australians work hard for their money and the AFP is working tirelessly to prevent cyber criminals from scamming, stealing, and defrauding them.

“The JPC3 will super charge our efforts to seize criminals’ money and assets, put offenders behind bars, and protect Australians’ digital data.”

However, VeroGuard's CEO said the PwC modelling led to the inference that the current approach of detecting and deterring cyber criminals was anticipated to be ineffective in coming years.

"To us, the most obvious opportunity for government and business is to address the single largest weakness of living and working online that results in breaches," he said.

"That is the inability of existing platforms to offer strong verification and absolute protection of users' identity when communicating and transacting over the Internet.
"We believe the highest priority for government and business has to be to build the infrastructure that properly protects users' and machines' digital identities.

"Any other cyber security measure is simply proving to be ineffective when a criminal uses legitimate credentials to illegitimately access systems and data."

Sam Varghese - 30 November 2021

Source: iTWire - Digital ID expert says reducing cyber crime will need new thinking

  • VeroGuard announces SA manufacturing centre with promise of nearly 600 jobs

    Cyber security company VeroGuard Systems has announced plans to build an advanced manufacturing facility in Adelaide's northern suburbs with a promise to create almost 600 new jobs in its first three years. The Melbourne-based company is investing $57.5 million in building the manufacturing centre to produce its cyber security products, and intends to also open an operations centre for customer service and digital back end infrastructure. The State Government is contributing just over $6 million to the project through its Economic Investment Fund and expects many former Holden workers to find employment at the centre.

Premier Jay Weatherill said the company intended to recruit 424 of the 596 required employees from the northern Adelaide region. "It's extraordinary that the company has chosen South Australia as its base of operations and it's a testament to what we offer here in South Australia," Mr Weatherill said. "A high-tech manufacturing future is a vision for South Australia's economic growth here and we're seeing a company that's seeing the possibilities and investing here in South Australia."

Move makes sense for VeroGuard

VeroGuard chief executive Nic Nuske said making the move from Melbourne to Adelaide made sense for the company — particularly a move to Edinburgh in the northern suburbs. "Advanced manufacturing for us is extremely well developed in South Australia and there were a lot of highly skilled people, as well as very passionate people around delivering what we needed in this location." "[In Edinburgh] we are right in the centre of the defence programs and obviously as a developer of security products it's really critical that we have an ecosystem around us that reflects us." Mr Nuske said VeroGuard had also developed relationships with local universities, particularly University of Adelaide.
Ex-Holden worker joins VeroGuard workforce

Former Holden worker Kym Denhartog has already secured a job with VeroGuard and said the timing could not be more perfect. Mr Denhartog worked for Holden for 16 years before working for a component manufacturer up until last month when it closed. "There are a lot of skilled people that are currently out of work, and I think for this to start up is probably perfect timing for a lot of those people," he said. "This is fantastic, the advanced manufacturing, to be here in the northern suburbs is a positive sign for the state and the area."

Construction of the manufacturing centre is expected to begin early next year and should take between six and eight months to complete. In the meantime, the company will be setting up a temporary facility to begin production.

Source: https://www.abc.net.au/news/2017-11-19/veroguard-manufacturing-centre-create-600-jobs-northern-adelaide/9166290

Related article: Company Director Magazine

  • NSW Labor takes a hit from Windows Avaddon ransomware

    The NSW branch of the Labor Party appears to have suffered a Windows ransomware attack, with the Avaddon strain having been used to attack the party's network. Contacted for comment, a party spokesperson told iTWire: "The matters raised are of serious concerns. We have referred the matter to police and we are conducting a full investigation."

This is the second attack by this gang on an Australian entity over the last few days, with the website of the Telstra dealer, Schepisi Communications, having been taken offline after it was hit. On its site on the dark web, the group said NSW Labor had about 10 days left to make contact and "co-operate with us". Else, it said, data that had been stolen would be leaked. It claimed data about contracts, confidential information and contracts, drivers' licence details, passports, employment contracts, and resumes had been stolen. The Avaddon gang also threatened to hit the party's website with a distributed denial-of-service attack and claimed that any data that had been encrypted would not be able to be decrypted using any external tool. Photocopies of an Australian passport, a driver's licence and a number of other documents have been posted online.

Avaddon has not been used in as many attacks as other strains of Windows ransomware. Prior to the attack on the Telstra dealer, only two other hits were reported by iTWire: one on an aircraft leasing asset manager and the other on a small businessman in Columbus, Ohio. The security firm Emsisoft, which specialises in tackling ransomware, said in its latest report on the cost of ransomware in 2020 that there had been 2775 attacks on Australian organisations, based on submissions made to the ransomware identification service, ID Ransomware. But this was believed to be only a quarter of the actual number, Emsisoft added.
The chief executive of sec outfit VeroGuard Systems said: “Any organisation that holds valuable personal or business data on their servers is a target for cyber attacks. Unfortunately for political parties like NSW Labor, these factors are exponentially increased due to the sensitive nature of the data they hold, and the publicity and disruption hackers can generate from these attacks.

“What this attack shows is that no organisation is immune to attack. In fact, the frequency and likelihood of these attacks, which recently includes schools and hospitals, has been further exacerbated by the current trend to move everything to the cloud, providing cyber criminals with greater attack options.

Protecting access to our systems

“The most important requirement for safeguarding cyber infrastructure is to positively assure the authentication of a user requesting access to the cyber infrastructure and services. All privacy safeguards in place are useless if a hostile intrusion can be disguised as coming from an assumed trusted source.”

Sam Varghese - 7 May 2021
