In recent years, we’ve seen a dramatic rise in the sophistication, scale, and impact of cyber attacks. As companies strive to ensure their own and their customers’ online safety, the repercussions of not doing so have increased. We look at a snapshot of the most prevalent cyber security threats today and what you can do to best protect your enterprise against the risk of attack in the future.
The facts and figures
The Australian Cyber Security Centre (ACSC) releases a report each year detailing the state of cyber security threats aimed at Australians.
In the most recent report, they identified 47,000 cyber incidents representing a 15 percent increase on the previous year. Unsurprisingly, the ACSC found most cyber crimes were motivated by fraud and the potential for financial gain.
The report stated that identity theft was still a current concern as cyber criminals continue to seek access to large amounts of personal information to facilitate other financial crimes.
The scale and diversity of the Internet of Things (IoT) posed significant security risks, with more and more devices integrated into networks. These devices, such as tablets, smartphones, CCTV cameras or other integrated smart technology, are not always designed with security as their highest priority, and these vulnerabilities expose users to more possible security breaches.
However, the ACSC identified ransomware as the most prevalent financially-motivated cybercrime within a global context. It’s also one of the most successful, and therefore ransomware’s popularity as the tool of choice for cybercriminals was expected to continue.
According to another recent study by the digital security company, Fortinet, more than 4,000 ransomware attacks happen daily, infecting around 30,000 – 50,000 devices every month. They also found that 63 percent of organisations affected by ransomware experienced business-threatening downtime and conceded these figures were probably vastly under-reported.
Cybercrime and business
The private sector continues to be targeted, with an 11 percent increase in industries which have not traditionally been targeted. These include Australian organisations in the accommodation, hospitality and automotive services sectors, as well as airlines. The attacks cause disruption and include targeted attempts at gaining intellectual property and commercially sensitive information.
Due to the sheer number of people involved and the depth of online exposure, organisations are particularly vulnerable to malicious emails and phishing scams. These types of targeted attacks, often known as business email compromise (BEC), were responsible for losses of over $20 million, according to the Australian Criminal Intelligence Commission (ACIC)’s 2017 report into organised crime. In just the first quarter of 2016-2017, 243 cases of BEC had already been reported to the ACIC.
BEC attacks are sophisticated and highly targeted. Cybercriminals research information from sources such as social media, websites and online reports, which they then use to convince an employee to give out information or perform an action. Often the cybercriminals impersonate a senior member of management, such as a CEO, to trick an employee into urgently transferring vast sums of money to the criminals’ own accounts.
Mandatory data breach reporting
In the face of the increasing risk of cybercrime threats and in an effort to curb its ill effects, Australia introduced new regulatory legislation. In March 2018, the Notifiable Data Breach Scheme (NDB) was enacted. Rather than being optional, all attacks where personal information has been unlawfully accessed, and where serious harm could come to the affected individuals, must now be reported to the Office of the Australian Information Commissioner (OAIC).
The law applies to all Australian Government agencies and businesses (except not-for-profit organisations with an annual turnover of less than AU$3 million) and requires an organisation to promptly notify affected individuals of the breach or face the prospect of having severe financial penalties imposed. Companies holding personal information must also be seen to take every precaution to protect it and reduce the risk of a data breach occurring.
Prevention is better than cure
There are steps an organisation can take to reduce its risk of becoming a successful target of cyber crime.
One of the key elements to protect businesses is to use a good firewall. Firewalls can stop up to 50 percent of cyber attacks before they even hit the corporate network. Operating systems and software should also be kept up to date, ensuring that patches to any known vulnerabilities are applied efficiently.
Education of all employees is also key. Staff should be able to identify phishing emails or potentially malicious links, and should know the response and recovery processes to follow in the case of a computer infection or an attempted CEO scam.
– Natasha Poynton