01 Oct 2020

Cybercrime & Data Security: What to Know & Protect

Cybercrime is on the rise, and small and medium businesses that lack the resources to maintain data security are being targeted for data theft, phishing scams and personal information.

Cyber criminals are agile, smart and easily breach data security – they buy kits on the dark web to give them step-by-step instructions on how to hit businesses with a Denial of Service attack for $US6, or use bitcoin to buy compromised emails, passwords and even credit card details.

It’s a cinch for crims to launch phishing attacks to steal passwords and personal information. The Internet of Things - our voice-activated speakers or fitness trackers - is also a “threat vector” for security breaches.

“They target small to medium enterprises and just this year, the confirmed losses reported are over $160m,” says Australian Federal Police Superintendent Mark Cobran, who heads up cybercrime operations in Canberra.

With last month’s Nielsen monthly television ratings held up by a cyber attack and our Prime Minister investing money to prevent rising cybercrime attacks, the risk of being a victim of poor data security is higher now that we work remotely and in the cloud, tether to our mobile devices for internet access, or use a compromised VPN.

“Criminals are motivated by the profit motive – they are trying to steal money or steal information that they can sell. That might be personal details or it could be proprietary details from a business, or even an email contact list or anything else they can sell on the darknet to make money,” Cobran explains.

The COVID-19 pandemic has seen a rise in cybercrime, with hackers exploiting known vulnerabilities in work-from-home tools like Citrix, setting up elaborate scams that look like legitimate government websites, or stealing personal information to divert people’s $10,000 superannuation payments into their own accounts.

“They are very agile and use techniques such as contact tracing - for example, people receive an email that looks legitimate from the Department of Health saying you’ve been reported as someone who’s been in contact with someone who is COVID positive – or they say people are eligible for a rebate and they ask people to click a link. They use spoof websites to look legitimate,” Cobran says.

So how can businesses secure their data?

“The general public needs to become more vigilant,” says Blue Bricks CEO Vikram Sareen, who offers an ethical hacking service to help businesses secure their systems. Startups and small businesses also need to care about data security more than they currently do.

With no shortage of criminals trying to deny, destroy or disrupt businesses - especially small to medium-sized businesses holding valuable contact lists or intellectual property on their systems - the Essential Eight is one simple technical guide to data security.

The Essential Eight outlines technical data security steps - ranging from application control through to multi-factor authentication and daily backups - to mitigate cybercrime risks.

Security experts like Avertro CEO Ian Yip also say that businesses should implement a culture of security and train their staff. Vikram Sareen points out, though, that businesses can’t afford to make that training complex.

“Most of the training is extremely boring - it’s a huge amount of complex information downloaded on people. If there is a rewards-based awareness or learning or gamification of how to teach security, then it will make more sense,” Sareen says.

AFP Superintendent Cobran agrees that training is key. ADMA runs privacy marketing compliance training.

“Investigations with major multinational companies who have had data stolen have been caused by a lack of training or lack of rigorous enforcement around what people should do,” Cobran says.

Senior principal research scientist at CSIRO Data61 Dr Surya Nepal says workplaces need to be talking about security at every board meeting - and not just because the financial regulators have now made cybersecurity a board-level responsibility.

“At work, we start a meeting by acknowledging our traditional landowners and then we should be talking about data security. It must be a part of every meeting,” he says, arguing that building privacy and security by design quickly becomes outdated as technology moves on.

“Don’t collect the information you don’t really need. Do you really need a phone number or credit card details? The more data you collect, the more you make yourself a target,” Dr Nepal says.

Creating a data security culture

Building privacy and security into a workplace culture not only demands training, but also a documented procedure around what people need to do if a breach occurs.

Hall Chadwick partner David Watt - a forensic accountant who helps quantify the costs of cyberattacks - says key staff need a documented Data Breach Response Plan to know what should be done and in what order.

“It might be a good idea to have that plan written in hard copy somewhere – when faced with ransomware, your systems will be down and you may be isolated from the world of the internet for a period of time until you can get back up and running,” he says.

Once the breach has happened, it’s also important for businesses to review the incident and modify procedures and policies to keep improving their response.

Watt also says each cyber breach tends to cost a business around $250,000 per event - so taking preventative measures is vital. Some businesses may see data security as a black hole for money, but it’s worth investing in to protect your assets, especially data assets.

“You’re under a legal obligation to protect personal data in this country and if there’s evidence to support that you don’t do that there can be fines for the company and the individuals involved,” Watt says.
