Defence Minister Linda Reynolds has insisted the government is strongly committed to strengthening cyber resiliency across Australian business, following the crippling ransomware attack on logistics giant Toll Group.
The attack, which brought one of Australia's largest logistics operators to its knees, highlighted the enormous cost and complexity of rebuilding after a major cyber incident. Jonathan Sharrock of Cyber Citadel spoke about the challenge of recovery, describing the scale of the task facing companies like Toll Group.
Rebuilding from Scratch
Sharrock explained that the cost and complexity of recovering from a ransomware attack are often vastly underestimated by businesses until they experience one first-hand. The process of restoring systems, verifying data integrity and ensuring the threat has been fully eradicated is painstaking and expensive.
"You are pretty much starting from scratch." — Jonathan Sharrock, Cyber Citadel
The complexity of backup restoration presents its own challenges. Even organisations with robust backup strategies can find the recovery process fraught with risk. Restoring from backups is not simply a matter of pressing a button — it requires careful sequencing, verification and testing to ensure that compromised data or malware is not reintroduced into the environment.
"Another problem is that you bring the systems back online before you have got rid of whatever caused it." — Jonathan Sharrock, Cyber Citadel
The One Per Cent Problem
"A company can have 99 per cent of its security in good shape, but it only takes the other one per cent." — Jonathan Sharrock, Cyber Citadel
This observation underscores a fundamental truth about cyber security: the asymmetry between attack and defence. An organisation must defend every point of entry, every system and every user — while an attacker only needs to find a single weakness. Even companies that have invested heavily in their security posture remain vulnerable if any gap exists in their defences.
Dwell Time and CEO Attitudes
One of the most concerning aspects of modern cyberattacks is dwell time — the period between an attacker gaining access to a network and the attack being detected. On average, dwell time sits at around six months, meaning that threat actors can spend half a year inside a company's network, mapping systems, escalating privileges and preparing their attack before anyone notices.
Sharrock argued that CEO attitudes need to change. Too many business leaders treat cyber security as a cost centre rather than a critical business function, only paying attention after an incident has occurred. The mindset needs to shift from reactive to proactive, with security embedded into the fabric of business strategy rather than bolted on as an afterthought.
The Garden Shed Analogy
Think of it like a garden shed. Over the years, you keep adding tools, equipment and supplies without ever properly organising or securing the shed. Eventually, you have no idea what is in there, what still works and what might be a hazard. The same is true of many corporate IT environments — decades of accumulated systems, applications and devices, many of which are poorly documented, unpatched or forgotten entirely.
Even well-organised companies with strong security practices can struggle against well-funded adversaries. State-sponsored attackers, in particular, represent a uniquely difficult challenge because they operate with effectively unlimited resources and time. These adversaries can afford to be patient, methodical and persistent in ways that financially motivated criminals often cannot.
Published in Financial Review — 18 February 2020.