VeroGuard Systems
- Cybersecurity wars and the companies combating incursions
Everyone grasps, on some level, that cyber-security – or more correctly, the cyber-crime at which cyber-security is aimed – is a big problem. But when you really look into it, the scale of the cyber-crime problem is truly staggering. According to leading industry research firm Cybersecurity Ventures, cyber-crime is predicted to inflict US$6 trillion ($8.1 trillion) in damage globally in 2021, up from US$3 trillion in 2015: if it were measured as a country, that would make cybercrime the world’s third-largest economy, after the US and China. Cybersecurity Ventures’ 2020 Official Annual Cybercrime Report says cybercrime is the greatest threat to every company in the world, and one of the biggest problems with mankind: it is bigger than the illegal drug trade. The report quotes Jack Blount, former chief information officer at the United States Department of Agriculture (USDA), and now chief executive officer at enterprise security software company INTRUSION, as saying: “Every American organization — in the public and private sector — has been or will be hacked, is infected with malware, and is a target of hostile nation-state cyber intruders.” In fact, Blount prefers the term “cyber-warfare” to “cyber-crime.” Last year, Chinese tech giant Huawei admitted that it endures about one million cyber-attacks on its computers and networks every day. Cyber-security consultant Tony Barnes, director of Cyber Research Group, told this writer last year, “When you switch servers on, they’re like magnets in the way they attract attacks.” Barnes said that showing organisations the scale of the constant attacks on them is a penny-dropping moment: “When people visualise it, it scares the pants off them,” he said. The level of threat is reinforced seemingly every week with news of high-profile hackings and data breaches. 
Last month, Prestige Software, a company that services hotel reservation platforms for Hotels.com, Booking.com, Expedia and more, reportedly left exposed the data of millions of those sites’ customers, including names, credit card details, ID numbers and reservation details. Also in November, US networking equipment vendor Belden admitted to being hacked, and even global cyber security firm Sophos owned up to suffering a data security breach.

Breaking news

This week, cybersecurity firm FireEye was the victim of a state-sponsored cyber-attack. The $3.5 billion FireEye identifies the culprits of some of the world’s major cyber hacks and counts Sony and Equifax as its clients. According to FireEye, one of ASX listed WhiteHawk's vendors (see below), the hack was carried out by “a nation with top-tier offensive capabilities.” Though not named, fingers have been pointed at Russian intelligence agencies. Hackers accessed FireEye's internal network and stole its red team tools, which could be useful in mounting new attacks around the world.

FireEye CEO Kevin Mandia said of the attack, "Based on my 25 years in cyber security and responding to incidents, I've concluded we are witnessing an attack by a nation with top-tier offensive capabilities... The attackers tailored their world-class capabilities specifically to target and attack FireEye. They used a novel combination of techniques not witnessed by us or our partners in the past." The breach is now being investigated by the FBI and Microsoft. “The hack raises the possibility that Russian intelligence agencies saw an advantage in mounting the attack while American attention — including FireEye’s — was focused on securing the presidential election system,” Mandia said.

This is potentially the biggest known theft of cybersecurity tools since 2016, when the ShadowBrokers group targeted the NSA and dumped their hacking tools online. This list of major hacks – just in 2020 – from IT newsletter/website ZDNet makes sobering reading.
However, the silver lining to the cyber-crime pandemic is that there are very smart people working on cyber-security solutions – and in many cases, these companies are investable stocks. As befits the scale of the problem, cyber-security is emerging as one of the biggest secular investment themes of the 2020s. The Australian Securities Exchange (ASX) hosts a small but intriguing group of cyber-security companies, including:

WhiteHawk (WHK)

Headquartered in Virginia, USA, WhiteHawk developed and operates the first online cybersecurity exchange, enabling businesses of all sizes to manage cybersecurity threats. This year, WhiteHawk has won a range of contracts (and contract extensions) across four main sectors — the US government sector (a US agency and a department), the manufacturing sector, the financial sector and the Defence Industrial Base (DIB), the term for the worldwide industrial complex that enables research and development, as well as design, production, delivery, and maintenance of military weapons systems, subsystems, and components or parts, to meet US military requirements. WhiteHawk has built its cyber-risk-focused business model to give it commercial and technical agility, being able to partner with the best open data and AI-enabled platforms, allowing the company to continually evolve to align with customer needs and appetites. It has positioned itself well in the US cyber-risk market, across companies and organisations of all sizes, and is now seeking to increase its business internationally.

Tesserent (TNT)

Cyber-security and network services company Tesserent provides “Internet security-as-a-service” for a customer’s computer infrastructure, including firewall, authentication, anti-virus, anti-malware/spyware, intrusion detection, and security event management, typically provided on a subscription basis.
Its customers – both Australian and international – come from the government, corporate and education fields. The company’s products and services include network perimeter security, secure internet connectivity, data storage services, and internal network security services. The company has made a series of high-value strategic acquisitions recently, and in November, Tesserent announced that it will step into the “real” world, with a new joint venture with New Zealand firm Optic Security Group that will incorporate both cyber and physical security solutions.

Senetas (SEN)

Senetas provides data encryption hardware, engineered for high-speed networks, to major corporations and governments. Senetas’ encryptors now protect network transmitted data in more than 35 countries, and are used by customers ranging from government organisations with highly sensitive information, for example, the US defence forces, to commercial and industrial organisations, banks and global financial transactions systems providers, cloud and data centre service providers and small businesses. Senetas’ services segment offers its customers absolute control over file sharing and data sovereignty through its platform ‘SureDrop’. In 2020, Senetas acquired Israeli cyber-security firm Votiro, a leading provider of Content Disarm and Reconstruction (CDR) technologies, which markets its Disarmer and Secure File Gateway solutions globally for a wide range of applications, including file-transfer, email, removable devices and collaboration platforms.

archTIS (AR9)

Canberra-based archTIS has developed a cloud-based software-as-a-service (SaaS) security and collaboration platform called Kojensi, which arose out of a solution built for the Australian Department of Defence, and further developed in trials involving a number of Australian Federal Government agencies, including the Commonwealth Attorney General’s Department (AGD) and the federal Aged Care Royal Commission.
The system has subsequently been deployed in the AGD, the Commonwealth Ombudsman and the Australian Criminal Intelligence Agency, and the first non-government clients, in aerospace giant Northrop Grumman and Western Australia’s Curtin University. archTIS is marketing the Kojensi platform to industries that service the government, and which also need to share sensitive and classified information. Kojensi is hosted within a protected cloud environment accredited by the Australian Signals Directorate (ASD). The platform is being marketed as a secure content and collaboration cloud service, which offers a combination of enterprise content management capabilities, collaboration tools and workflows. Instead of using passwords, the Kojensi platform creates an electronic “fingerprint” on the data or documents, determining who can access the material, where, and when.

VeroGuard

Also, Australian company VeroGuard is targeting a dual listing on the ASX and Singapore’s SGX over the next 12 months, as it seeks to commercialise its VeroCard product, which centres around the creation of a unique digital identity for individual users, based on the interbank communication protocols, applied to the internet. The VeroCard technology – which will be manufactured in Adelaide – removes traditional password and online identity problems, and guarantees a user’s identity online: the company’s CEO says it is “impossible to hack,” as there is no known source of encryption. In October, VeroCard received the highest security certification available from the US-based Payment Card Industry Security Standards Council.

For investors who want a broadly diversified exposure to the cyber-security theme and the expected boom in cyber-security spending, the ASX also hosts the BetaShares Global Cybersecurity ETF (exchange-traded fund), under the code HACK. The HACK portfolio is 89.5% invested in US companies, with Israel (3.3%) and the UK (3.1%) the next-largest allocations.
Systems software dominates the industry breakdown, at 51.9% of the portfolio, followed by IT Consulting (15.4%), internet services and infrastructure (12%) and communications equipment (11.9%). HACK is designed to track (before fees and expenses) the Nasdaq Consumer Technology Association Cyber-Security Index, which comprises 43 companies. This is a diversified collection of companies, but most are small and mid-cap companies that are not well-known in Australia. At present the five largest holdings are: Crowdstrike Holdings (6.7% of the portfolio), Okta (6.3%), ZScaler (6%), Accenture (6%) and Cisco Systems (5.9%). Since inception in August 2016, the HACK ETF has earned its Australian investors 19.2% a year, lagging its index, on 19.8% a year. In the three years to November 30, HACK generated 21.4% a year, versus 22% for the index. HACK costs 0.67% a year in management fees. It is not currency hedged, so returns can be affected by foreign exchange fluctuations.

James Dunn - 10 December 2020
- 'Impossible to hack:' The $100m Aussie cyber-security company
Computershare co-founder Tony Wales and trucking magnate Ian Cootes are among those to have poured $100 million into an Australian-made cyber-security platform that is now being piloted after 17 years in development. Where that invention took existing interbank communication protocols and applied them to the airwaves, VeroGuard seeks to apply them to the internet. "Our technology is indecipherable when two switches talk to each other," the CEO says of the technology he patented in 2003. "There's no known source of encryption – it's impossible to hack."

However, he says he initially grew frustrated with trials involving his technology, which attempted to secure internet banking – the problem being the internet itself. "The internet was built not to be secure. There is no identification layer on purpose, as it was designed for sharing everything," he says. With no immediate prospect of serious revenue from securing banking applications, in 2016 the technology was pivoted to tackle a bigger problem – that of assuring identity for all online transactions.

Cyber crime will cost the global economy $US10.5 trillion ($14.4 trillion) annually by 2025, according to a report this month from California-based research house Cybersecurity Ventures. It found an identification breach was at the heart of 85 per cent of online thefts. To try to prevent such breaches, the CEO says he took his technology back offline, and armed it with hardware.

VeroGuard developed what it calls a "personal high security card" or "VeroCard", which resembles a small pocket calculator, and is set up using Australia Post's identification protocols. Users enter their assigned PIN numbers when prompted by an application they are trying to access. Microsoft 365 is already integrated with VeroGuard, as is a tender management platform from Morton Blacketer, which co-ordinates tenders for state governments around Australia.
The technology removes traditional passwords and online identity problems, and guarantees a user’s identity online. This technology should not be compared with the two-factor verification now offered by most online banking portals, where an SMS code is sent to a customer's phone. "People suggested we put VeroCard inside the phone, but the phone is the mother of all evils when it comes to cyber security," VeroGuard CEO says. "The fact that the phone is not secure is why online banking fraud is such a problem."

The VeroCard last month received the highest security certification available from the US-based Payment Card Industry Security Standards Council, which VeroGuard claims validated its "ultra-secure credentials". A couple of hundred VeroCards are in circulation on a pilot basis, and after winning $14.2 million in grants and loans from the SA government, they are being made by re-trained automotive workers on a 30,000 square metre site in Adelaide's Edinburgh defence industries precinct.

However, small businesses are another target market because they are seen as a soft target by hackers. "SMEs don't really understand all the cyber security products out there, but a piece of hardware that offers them military-grade protection should cut through," says Nic Nuske, a former IBM executive hired to help commercialise his pivot into identity verification. "Coming from IBM, that kind of development cycle is not unusual," he says. "This is not just another app."

Michael Bailey - 23 November 2020

Source: https://www.afr.com/technology/impossible-to-hack-the-100m-aussie-cybersecurity-company
- Covid-19 and Business Continuity
How will organisations deal with another potential crisis - cybercrime - as they rightfully ask employees not to come into the office?

In a very short period of time, businesses are establishing plans to deal with COVID19. Whilst the majority of business and Government have continuity plans including pandemic response, a long list of organisations are struggling to execute those plans effectively. A key action for most organisations, at possibly different points in their plans, involves work-from-home initiatives. However, as COVID19 becomes a reality, many organisations are becoming exposed to the fact that they have risk-accepted or ignored the probability that their employees, suppliers and customers would need to access and use critical systems over open networks that have, till now, run through closed proprietary networks.

COVID19 is putting employees in a seemingly impossible position to work with authentication and encryption systems that are not satisfactory for protecting critical systems and data over open networks. The need to provision secure access with strong authentication becomes paramount to avoid another inevitable crisis from exposing critical systems and data to open networks – cybercrime. Cybercrime is already the fastest growing crime in the world and poor execution of work-from-home cyber security will exacerbate the threat many times over.

Rather than accepting higher levels of risk by trying to utilise existing authentication methods, organisations must apply high levels of assurance to ensure they don’t expose critical systems and data to the cyber criminals. The platform that completely and uniquely solves this dilemma is Australian owned and developed VeroGuard Systems.
The VeroGuard Platform allows organisations immediate access to a global first that works by applying flexible risk-based policies, cloud Single Sign On and universal high assurance authentication methods to secure access to cloud apps, data and the corporate network whilst meeting business, risk management and full compliance needs. Developed in Melbourne, manufactured by ex-automotive workers from a purpose built high security facility in Adelaide, VeroGuard Systems can provide for open networks an ATM level guarantee to the identity of users, complete user credential protection online and bank to bank level encryption of data in transit, all from a simple to use ‘high assurance’ platform. Jointly developed with the CSIRO, VeroGuard Systems can also provide ultra-secure protection for data at rest that is being accessed by users over the cloud through the same authentication platform. Contact : Nicholas Nuske | CEO VGS | nicn@veroguard.com.au | 0418 360 215
- Rethinking Digital Identity
Every day we read about a new threat to personal, government and business systems despite the billions of dollars spent annually on cyber security. In fact, at least one in four people reading this will personally experience an identity breach in the next two years. Direct losses are often covered; however, the reality is that we all ultimately pay for the economic impact of cyber-crime. Recent cyber-crimes have also had dramatic political and social outcomes that have arguably changed the course of history.

It is estimated that the economic impact of cyber-crime in Australia will exceed $15 billion this year and Forbes estimates that the cost is tripling every two years. The actual costs, including the significant costs of building cyber security layers, are becoming increasingly apparent, and are clearly unsustainable on their current trajectory.

If these new threats are not enough, many of us are also carrying a few battle scars of escalating IT costs or project blowouts as we try to implement better customer services. Everyone is grappling with the complexity that has built up over many years – multiple networks (open and closed), on-premise and cloud-based applications, millions of devices, software for every function and the challenge of trying to recognise and manage what access users have in each environment. Meanwhile, smartphones and platforms have transformed how people go about their lives, moving from organisational dependence to individual control.

Whilst we are designing systems to make our customers' lives easier online, we are often having to trade off either security or convenience. Entering long strings of numbers and taking multiple steps to select street signs in pictures all add to the complexity of the user experience online. Further, we are also expecting users to trust organisations and give up unique information (which can’t be reset when breached) like facial features or fingerprints.
The bottom line is: it’s hard for anyone to realise the benefits of digitisation when grappling with the complexity of mixed architectures, threats of cyber-crime and escalating costs and risks associated with both.

Time to stop paving the same path!

Many of our current systems were created to work as private networks, where access to individuals and devices can be controlled with rules and audit trails. Although the concept of the internet dates as far back as the 1960’s and the World Wide Web went mainstream in the mid 90’s, the opening up of these systems to outsiders has been gradual. We are still grappling with the convergence of mixed systems (open and closed), the trillions of devices connected to the internet and the millions of applications co-existing in hybrid environments without any real standards for proving identity (the internet was purposely developed without an identity layer). The answer to the emerging change has mostly been to keep developing and layering on more and more of the same architectures – re-paving the same cow path in an effort to keep up.

We need a new Security Architecture

In this world of joined up data/services, mixed private and public data, AI driven cognitive systems and sophisticated algorithms, more flexible security architectures that switch between open and closed networks seamlessly, together with a trusted universal ID and verifiable authentication, are essential. Paving the same path has meant that we are not only building tomorrow’s legacy of problems, but we are also increasingly exposing citizens to the potential threats emerging with the internet of things, such as riding in hijackable machines like autonomous buses and cars. A risk managed approach may have unacceptable outcomes. So, if we have the luxury of designing this new security architecture and trusted distributed system from the ground up, how would it look?
It is made for the internet, and can switch millions of private connections from user to user across the internet, in and out of open or closed environments. Users can control their own ID and consent, and store their own ID information, not organisations. It uses secure methods that can remove the occurrence of any unauthorised use of an ID. Its security can protect a transaction or transmission against hijacking or interception. It can work securely over multiple systems, operating systems and platforms. It can provide the user with the tools to have complete confidence in the party at the other end of a transaction or communication.

At this point, many people would propose Blockchain or Distributed Ledgers as a possible solution; certainly, billions of dollars are pouring into R&D to explore this. While it continues to have much data integrity potential, a number of recent publications have highlighted that Blockchain is yet to solve the security, identification, scalability and privacy features required for an identity platform.

One that gives the power of identity and privacy to its users

If we could rapidly implement a security architecture that switches private connections between individuals and organisations, we would be able to manage our living and working lives with confidence. At the heart of this is the capability to prove authentication of identity and security and to manage privacy. It can be argued that this requires a shift from traditional organisation-bound identity credentials to externalising and aggregating the identity with the true owner – the user. Consumers want power, comfort, convenience and security, so for any solution to be quickly and effectively adopted it should: Deliver a simple ID credential with a single re-usable way to login. Provide the user with complete control over usage and any changes to identity details. Be able to be used with any system, device and operating system.
Have security that protects the end user and allows them to trust who they are dealing with online.

Being innovative does not have to be risky!

The real risk is that we don’t shift our mindsets quickly enough from always looking at established technologies to seeking out the innovations which are being specifically designed for mixed architectures such as Melbourne based VeroGuard or Sydney based Meeco. New architectures can deliver the true citizen centric models we desire by converging security, identity and convenience together, in turn delivering a new level of trust for the economy of people. We have an extraordinary opportunity and some might say responsibility to pursue and trial these step change security solutions that protect all Australians across domains, particularly those developed in our own back yard. Considering what is at stake with cyber crime impacts, a sustainable digitization path which more people can use and trust is essential, and the opportunity is massive for those leaders who open new paths that at the same time could actually reduce their ongoing risks.

Source: https://www.themandarin.com.au/83810-rethinking-digital-identity/
- Cybersecurity threats escalate during COVID-19 pandemic
Australian businesses are facing a rising tide of cybersecurity threats and despite $6bn of forecast spending on the sector this year it remains a huge headache for companies. New Zealand’s stock exchange, NZX, is just one high profile business that has been hit by a string of cyber-related incidents over the past few weeks.

Cybersecurity threats are increasing for three reasons, the chief executive of Australian cybersecurity company VeroGuard Systems told Stockhead.

“Firstly, current methods of identity and credential protection are failing because of a lack of secure digital identity and credentials when accessing systems and data online. Stolen user credentials are the most common point of attack in hacking attempts. Secondly, extended supply chains and the Internet of Things have increased the number of potential entry points for hackers, making companies more vulnerable to attack. Half of organisations in an IBM Ponemon Institute survey said they had suffered a security breach through one of their vendors. Thirdly, cyber criminals are becoming more effective and efficient at harvesting personal data in social, government and corporate systems. It takes an average of 206 days to identify a cybersecurity breach and 73 days to contain it, according to the IBM Ponemon Institute survey. The threats and breaches have accelerated during COVID-19 and the current pandemic is exacerbating the already compromised position.”

WFH creating a weak point for cybersecurity

Remote working as a response to the pandemic is placing IT professionals in a difficult position as they try to rapidly scale access to non-critical domains for work-from-home (WFH) employees. “The scale of WFH and uncertainty of a rapidly changing pandemic allows cyber criminals greater options and opportunities for cyberattacks,” he said.
The threat level for cyberattack can increase for WFH employees because of poor wifi security, stretched support services, a lack of robust digital identity infrastructure and increased pressure on company detection systems and IT personnel. VeroGuard’s platform protects online privacy by providing identity security that eliminates cyber threats and is easily and rapidly deployable for companies. The company is currently raising investment from sophisticated and professional investors in a pre-IPO funding round. ASX tech stocks with cybersecurity applications have been a focus for investors.

Malware, account hijacking and targeted attacks

Malicious software or malware, account hijacking and targeted attacks are the top three types of cybersecurity breaches, according to computer security firm McAfee. “Cybersecurity attacks are on the rise as cyber criminals are leveraging the world’s need for information on COVID-19 as an entry point into systems across the globe – and this is of great concern to all industries, including the finance sector,” McAfee Asia-Pacific regional director Joel Camissar told Stockhead. “What started as a trickle of phishing campaigns and the occasional malicious app swiftly turned into a surge of malicious URLs and capable threat actors.”

The software security firm observed 375 threats per minute, and WFH has increased the exposure of companies to potential cybersecurity breaches, its July quarter report said. Opportunistic cyber criminals are targeting employees working from home during COVID-19. “Cyber criminals see a remote, distracted and vulnerable workforce as opportune targets,” Camissar added. Top internet protocol address locations for external cloud account attacks from January to April include Brazil, China, India, Laos, Mexico, New Caledonia, Thailand, the US and Vietnam, McAfee said.
There were 518 incidents of personal data breaches in the first half of 2020, up 16 per cent on the corresponding 2019 half year, the Australian Information Commissioner said. Criminal attacks accounted for 61 per cent of all data breaches in the period, Camissar said.

Cybercrime outpaces cybersecurity spending

Spending on cybersecurity is soaring and in Australia is expected to exceed $6bn this year, due to the increased challenges of COVID-19, up from $4bn last year, according to VeroGuard. “Even this level of spending may not be enough, and it has already exceeded industry estimates of reaching $4.7bn by 2026,” he said. “Despite the amount of money being spent on cybersecurity, the costs of cyber-crime are growing more quickly. The economic impact from cybersecurity is estimated to reach $US6 trillion in 2021, up from $US600bn in 2017,” he said. The security cost of protecting global publicly accessible computer cloud systems is set to reach $US700bn by 2022, or twice the $US350bn value of the system itself. Adding to the issue of cybercrime is Australia’s apparent skills shortage in cybersecurity. “Australia has substantial gaps to other countries on developing local cybersecurity technology, innovation and companies,” VeroGuard's CEO said. “The investment in cyber security is not keeping up with the rate of losses from cyber-crime.”

Countering cybersecurity threats

Governments could help to lower the risk of cybersecurity threats by building a secure identity platform for its citizens and business that can eliminate credential compromise. “Detection and remediation as a priority simply has not worked and will not catch up to the increased sophistication of threats. The criminals have larger incentives and rewards to build the resources that avoid detection.” Governments also need to beef up the cybersecurity resilience of Australia’s critical infrastructure such as water, power and traffic systems, and build on its sovereign capability.
“Cyber threats are starting to be recognised for the significant disruption they can cause on our economy and welfare. We need to treat the cyber threat equally to attacks by sea, air and ultimately land particularly knowing that they can be launched from anywhere in the world, without notice.”

September 10, 2020 | Mike Cooper

Source: https://stockhead.com.au/tech/cybersecurity-threats-escalate-during-covid-19-pandemic/
- Cyber-regulatory 'mishmash' exposes nation to attack
Australia's patchwork of cyber regulations, lack of standards, a mishmash of regulators and poorly implemented technical controls in government and business are exposing the nation to a cyber attack, according to expert submissions to the cyber strategy review. Submissions also highlighted the need for a dedicated cyber security minister and a single regulatory authority to harmonise regulation and standards for both the private and public sector. Paul Fletcher oversees cyber security as part of his communications and arts responsibilities, within the mega infrastructure portfolio.

Noting the need for government leadership, experts also highlighted the need for federal and state governments to get their own houses in order. "Trust from business and the general public will only be strengthened if the government is seen to be taking cyber security seriously for its own entities across the whole government space, not only at the federal level, but also state and territories," PwC wrote in its submission. "The government’s low cyber security maturity presents a challenge for it to assert a leadership position."

This comes as Labor's cyber spokesman, Tim Watts, has highlighted the numerous audits which have shown lax accountability for the poor cyber practices of many federal agencies. The review comes four years after the initial cyber strategy was developed, a first attempt to create a national approach to building greater cyber resilience.

Piecemeal regulation

The new strategy has become more significant after Prime Minister Scott Morrison revealed an ongoing cyber campaign against Australia by a "sophisticated state entity." The strategy was due to be released earlier this year, but has been delayed and is expected to be released in the next couple of months. Unlike, say, Germany, Australia does not have a specific overarching cyber security act.
Deloitte's submission to the review noted the regulatory environment is made up of a group of industry-specific regulations and guidelines, including specialist financial, energy, telecommunication and health regulations. There are also privacy, cyber crime and interception laws which relate to cyber security.

PwC called for critical infrastructure regulation to be expanded to cover other sectors such as transport, manufacturing, telecommunications, agriculture / food production, mining, health and pharmaceuticals.

Noting the interplay between a variety of standards and regulation, UNSW's Allens technology hub said the new strategy should integrate all of these initiatives to be effective.

'Outdated' policies

"Failure to consider these interactions may result in overlap and confusion, and further contribute to the piecemeal approach to the appropriate legal framework for cyber security in Australia."

Identity provider VeroGuard Systems told the review "policies and standards used today are outdated." Vero manufactures dedicated identity hardware offering identity solutions for government and business that avoids the use of multifactor verification and biometrics.

"Rapid changes to and in technology obsolete frameworks and protocols in relatively short cycles. Cyber-criminals exploit these gaps because policy focus is on detect and mitigate rather than prevention."

Vero joined other submitters noting the variety of regulators overseeing cyber. "Currently there is no evidence that a government, association or organisation is responsible for managing cyber risks in the economy," Vero wrote.

Standardised approach

EY called out the lack of a standardised approach to cyber security. EY said there is no overarching framework or standard, with the federal government security manual (the ISM) not used much beyond government. EY noted the five pillars approach used by the US Department of Home Security had created an economy-wide approach for cyber security management.

"A standardised approach provides strategic direction, identifying what mature risk and control environments look like."

"The difference between a regulatory approach and a standards-based approach is about an enforcement regime around the standards," EY APAC cyber partner, Richard Watson told The Australian Financial Review.

"You’re not creating a new set of standards for regulation, you’re just enforcing the global best practice.

"What they’ve done in the US - and is now being raised here by the Federal Government - is to have regulators specify the minimum maturity score and begin to fine people if they fall short of that," Mr Watson said.

Deloitte observed that cyber enforcement is dealt with by "multiple regulatory bodies that have differing touchpoints with cyber issues, with each agency and regulatory body having varying enforcement priorities, functions and powers."

"For example, the Australian Crime Commission and Australian Federal Police may deal with cyber crimes, while the Office of Australian Information Commissioner (OAIC) may deal with breaches involving personal information."

Deloitte noted this meant penalties may vary significantly and be disproportionate.

"The OAIC can seek penalties of up to $2.1m for breaches of the Privacy Act, which only covers personal information, but there is a gap for system breaches that do not involve personal information but may still affect the Australian community and businesses through issues such as operational disruption."

Tom Burton - 10 July 2020
Source: https://www.afr.com/politics/federal/cyber-regulatory-mishmash-exposes-nation-to-attack-20200709-p55ar1
- Digital ID expert says reducing cyber crime will need new thinking
Existing methods to detect and nab cyber criminals are likely to be ineffective in the years ahead, judging from the projections of consulting firm PwC, the chairman of the digital identity provider VeroGuard claims.

The chief executive of VeroGuard said the Joint Policing Cybercrime Co-ordination Centre, announced by the Federal Government on Monday, was a welcome initiative. But, he added, PwC modelling had estimated the direct costs to business from cyber incidents to be about $10.1 billion annually, with projections of a total GDP loss of $114.9 billion by 2031.

Home Affairs Minister Karen Andrews announced the setting up of the centre — known as the JPC3 — which would start operations from March next year. The centre will be led by Assistant Commissioner Justine Gough, who will operate a new Cyber Command.

“By cracking down on cyber crime and enhancing the nation’s cyber security, the Morrison Government is protecting Australians and securing our economic recovery,” Andrews said.

“This AFP-led cyber crime centre will be cutting edge, and will ensure Australia is leading the world on cyber security.

“Australians work hard for their money and the AFP is working tirelessly to prevent cyber criminals from scamming, stealing, and defrauding them.

“The JPC3 will super charge our efforts to seize criminals’ money and assets, put offenders behind bars, and protect Australians’ digital data.”

However, VeroGuard's CEO said the PwC modelling led to the inference that the current approach of detecting and deterring cyber criminals was anticipated to be ineffective in coming years.

"To us, the most obvious opportunity for government and business is to address the single largest weakness of living and working online that results in breaches," he said.

"That is the inability of existing platforms to offer strong verification and absolute protection of users' identity when communicating and transacting over the Internet.

"We believe the highest priority for government and business has to be to build the infrastructure that properly protects users' and machines' digital identities.

"Any other cyber security measure is simply proving to be ineffective when a criminal uses legitimate credentials to illegitimately access systems and data.”

Sam Varghese - 30 November 2021
Source: iTWire - Digital ID expert says reducing cyber crime will need new thinking
- VeroGuard announces SA manufacturing centre with promise of nearly 600 jobs
Cyber security company VeroGuard Systems has announced plans to build an advanced manufacturing facility in Adelaide's northern suburbs with a promise to create almost 600 new jobs in its first three years.

The Melbourne-based company is investing $57.5 million in building the manufacturing centre to produce its cyber security products, and intends to also open an operations centre for customer service and digital back end infrastructure. The State Government is contributing just over $6 million to the project through its Economic Investment Fund and expects many former Holden workers to find employment at the centre.

Premier Jay Weatherill said the company intended to recruit 424 of the 596 required employees from the northern Adelaide region.

"It's extraordinary that the company has chosen South Australia as its base of operations and it's a testament to what we offer here in South Australia," Mr Weatherill said.

"A high-tech manufacturing future is a vision for South Australia's economic growth here and we're seeing a company that's seeing the possibilities and investing here in South Australia."

Move makes sense for VeroGuard

VeroGuard chief executive Nic Nuske said making the move from Melbourne to Adelaide made sense for the company — particularly a move to Edinburgh in the northern suburbs.

"Advanced manufacturing for us is extremely well developed in South Australia and there were a lot of highly skilled people, as well as very passionate people around delivering what we needed in this location."

"[In Edinburgh] we are right in the centre of the defence programs and obviously as a developer of security products it's really critical that we have an ecosystem around us that reflects us."

Mr Nuske said VeroGuard had also developed relationships with local universities, particularly University of Adelaide.
Ex-Holden worker joins VeroGuard workforce

Former Holden worker Kym Denhartog has already secured a job with VeroGuard and said the timing could not be more perfect. Mr Denhartog worked for Holden for 16 years before working for a component manufacturer up until last month when it closed.

"There are a lot of skilled people that are currently out of work, and I think for this to start up is probably perfect timing for a lot of those people," he said.

"This is fantastic, the advanced manufacturing, to be here in the northern suburbs is a positive sign for the state and the area."

Construction of the manufacturing centre is expected to begin early next year and should take between six and eight months to complete. In the meantime, the company will be setting up a temporary facility to begin production.

Source: https://www.abc.net.au/news/2017-11-19/veroguard-manufacturing-centre-create-600-jobs-northern-adelaide/9166290
Related article: Company Director Magazine
- NSW Labor takes a hit from Windows Avaddon ransomware
The NSW branch of the Labor Party appears to have suffered a Windows ransomware attack, with the Avaddon strain having been used to attack the party's network.

Contacted for comment, a party spokesperson told iTWire: "The matters raised are of serious concerns. We have referred the matter to police and we are conducting a full investigation."

This is the second attack by this gang on an Australian entity over the last few days, with the website of the Telstra dealer, Schepisi Communications, having been taken offline after it was hit.

On its site on the dark web, the group said NSW Labor had about 10 days left to make contact and "co-operate with us". Else, it said, data that had been stolen would be leaked. It claimed data about contracts, confidential information and contracts, drivers' licence details, passports, employment contracts, and resumes had been stolen.

The Avaddon gang also threatened to hit the party's website with a distributed denial-of-service attack and claimed that any data that had been encrypted would not be able to be decrypted using any external tool. Photocopies of an Australian passport, a driver's licence and a number of other documents have been posted online.

Avaddon has not been used in as many attacks as other strains of Windows ransomware. Prior to the attack on the Telstra dealer, only two other hits were reported by iTWire: one on an aircraft leasing asset manager and the other on a small businessman in Columbus, Ohio.

The security firm Emsisoft, which specialises in tackling ransomware, said in its latest report on the cost of ransomware in 2020 that there had been 2775 attacks on Australian organisations, based on submissions made to the ransomware identification service, ID Ransomware. But this was believed to be only a quarter of the actual number, Emsisoft added.

The chief executive of sec outfit VeroGuard Systems said: “Any organisation that holds valuable personal or business data on their servers is a target for cyber attacks.
Unfortunately for political parties like NSW Labor, these factors are exponentially increased due to the sensitive nature of the data they hold, and the publicity and disruption hackers can generate from these attacks.

"What this attack shows is that no organisation is immune to attack. In fact, the frequency and likelihood of these attacks, which recently includes schools and hospitals, has been further exacerbated by the current trend to move everything to the cloud, providing cyber criminals with greater attack options.

"Protecting access to our systems The most important requirement for safeguarding cyber infrastructure is to positively assure the authentication of a user requesting access to the cyber infrastructure and services. All privacy safeguards in place are useless if a hostile intrusion can be disguised as coming from an assumed trusted source.”

Sam Varghese - 7 May 2021
- Digital ID expert says reducing cyber crime will need new thinking
Existing methods to detect and nab cyber criminals are likely to be ineffective in the years ahead, judging from the projections of consulting firm PwC, the CEO of the digital identity provider VeroGuard claims.

The chief executive of VeroGuard said the Joint Policing Cybercrime Co-ordination Centre, announced by the Federal Government on Monday, was a welcome initiative. But, he added, PwC modelling had estimated the direct costs to business from cyber incidents to be about $10.1 billion annually, with projections of a total GDP loss of $114.9 billion by 2031.

Home Affairs Minister Karen Andrews announced the setting up of the centre — known as the JPC3 — which would start operations from March next year. The centre will be led by Assistant Commissioner Justine Gough, who will operate a new Cyber Command.

“By cracking down on cyber crime and enhancing the nation’s cyber security, the Morrison Government is protecting Australians and securing our economic recovery,” Andrews said.

“This AFP-led cyber crime centre will be cutting edge, and will ensure Australia is leading the world on cyber security.

“Australians work hard for their money and the AFP is working tirelessly to prevent cyber criminals from scamming, stealing, and defrauding them.

“The JPC3 will super charge our efforts to seize criminals’ money and assets, put offenders behind bars, and protect Australians’ digital data.”

However, the CEO said the PwC modelling led to the inference that the current approach of detecting and deterring cyber criminals was anticipated to be ineffective in coming years.

"To us, the most obvious opportunity for government and business is to address the single largest weakness of living and working online that results in breaches," he said.

"That is the inability of existing platforms to offer strong verification and absolute protection of users' identity when communicating and transacting over the Internet.

"We believe the highest priority for government and business has to be to build the infrastructure that properly protects users' and machines' digital identities.

"Any other cyber security measure is simply proving to be ineffective when a criminal uses legitimate credentials to illegitimately access systems and data.”

Sam Varghese - 30 November 2021
Source: iTWire - Digital ID expert says reducing cyber crime will need new thinking
- Defence Certification for VeroGuard Systems
VeroGuard Systems has become one of only three Australian companies with a Common Criteria international standard (ISO/IEC 15408) for computer security certification. VeroGuard Systems can now deploy their platform in defence and other high security environments that require Common Criteria certification.

Utilising the same methods guided missile systems use for their communication systems, the VeroGuard Platform is certified for secure access over open networks to all systems and data. The digital identity platform system architecture was designed by wireless EFTPOS pioneer and VeroGuard Systems.

“VeroGuard is proud to be an Australian company, providing cutting-edge sovereign technology to the market which is currently dominated by global companies,” the CEO said.

“Common Criteria certification provides our customers confidence that they cannot get better protection than our platform for verifying who is accessing their systems and data. This is an ‘out of the box’ zero trust solution.”

“VeroGuard’s digital identity platform is the world’s only digital ID platform for open networks that uses Hardware Security Module (HSM) to HSM communications. It uses a ‘personal high security card’ (a Hardware Security Module known as VeroCard) with a PIN, which removes traditional password, low security hardware and software tokens and online identity issues – guaranteeing a user’s identity online.”

“The VeroCard has also received the highest security certification available for a PIN entry device (PCI PTS 5.1). An integral part of the certification was VeroGuard Systems’ advanced manufacturing facility in the Edinburgh defence precinct north of Adelaide, which manufactures VeroCard.”

VeroGuard Systems is also partnering with Kyndryl to provide government and enterprise customers access to the platform.
Collin Penman, Kyndryl Partner – Cyber Security Practice A/NZ says: “As the principal Systems Integrator for VeroGuard, Kyndryl welcomes the announcement of Common Criteria Certification for VeroGuard HSM for Open Networks. This represents a standout success of sovereign technology innovation, and demand for a higher level of security authentication, non-repudiable identification, and high attainment of cryptographic security that the Australian Defence and Federal Government Agencies market is seeking. Now the technology has been certified, Kyndryl and VeroGuard look forward to expanding on initial deployments and continuing to successfully engage the Australian market and beyond.”

Australian Cyber Security Magazine - 21 February 2022
Source: https://australiancybersecuritymagazine.com.au/defence-certification-for-veroguard-systems/
- VeroGuard Systems receives ‘defence certification’
Australian cyber security company VeroGuard Systems has become one of three Australian companies with a Common Criteria certified product, opening new opportunities to deploy its VeroGuard Platform in defence and other high security environments. Common Criteria is an international standard (ISO/IEC 15408) for computer security certification.

Reportedly utilising the same methods guided missile systems use for their communication systems, the VeroGuard Platform is certified for secure access over open networks to all systems and data.

“VeroGuard is proud to be an Australian company, providing cutting-edge sovereign technology to the market which is currently dominated by global companies,” the CEO said.

“Common Criteria certification provides our customers confidence that they cannot get better protection than our platform for verifying who is accessing their systems and data. This is an ‘out of the box’ zero trust solution.”

According to the company, VeroGuard’s digital identity platform is the world’s only digital ID platform for open networks that uses Hardware Security Module (HSM) to HSM communications. It uses a ‘personal high security card’ (a Hardware Security Module known as VeroCard) with a PIN, which removes traditional password, low security hardware and software tokens and online identity issues – guaranteeing a user’s identity online.

The VeroCard has also received the highest security certification available for a PIN entry device (PCI PTS 5.1). An integral part of the certification was VeroGuard Systems’ advanced manufacturing facility in the Edinburgh defence precinct north of Adelaide, which manufactures VeroCard.

VeroGuard Systems also recently partnered with IT integrator Kyndryl to provide government and enterprise customers access to the platform.
“As the principal Systems Integrator for VeroGuard, Kyndryl welcomes the announcement of Common Criteria Certification for VeroGuard HSM for Open Networks,” Collin Penman, Kyndryl Partner – Cyber Security Practice A/NZ said.

“This represents a standout success of sovereign technology innovation, and demand for a higher level of security authentication, non-repudiable identification, and high attainment of cryptographic security that the Australian Defence and Federal Government Agencies market is seeking.

“Now the technology has been certified, Kyndryl and VeroGuard look forward to expanding on initial deployments and continuing to successfully engage the Australian market and beyond.”

Australian Defence Magazine - 23 February 2022
Source: VeroGuard Systems receives ‘defence certification’ - Australian Defence Magazine