Cyber Security
“The Australian Crime Commission estimates put the annual cost of cybercrime to Australia at $1 billion a year. But the strategy’s report factors worldwide losses from such attacks to be at 1% of GDP. With that reckoning, the real impact on Australia is more likely $17 billion annually.”
Fighting Back from Cyber Attack – Chris Johnson
Sydney Morning Herald: 23-24 April 2016
Historically there has been less consumer investment in security in Australia than in Europe and North America. In typical laid-back Australian fashion, Australians often see themselves as ‘too far away’ to be concerned. In the internet era this could not be further from the truth: distance is no defence against an attacker who needs only a network connection. We are also seeing an increase in attacks originating within Australia.
A lack of awareness of security at all levels, underinvestment in security, and a shortage of skills have all contributed to making Australia, and the Asia Pacific region, a relatively easy target.
So what does this mean for those of us in strata? Considering the billions of dollars of transactions that occur online in managing strata, this is an industry that should be concerned.
The Internet at Work
In our business world the internet is used every day. Websites and social media are important vehicles for reaching customers but they’re also potentially risky places. We are now actively embracing ‘The Cloud’.
So what is ‘The Cloud’? Not a heavenly, floating mist of computer data in the sky, but a network of computers distributed around the world and connected by the internet. It is computer programs and data stored on a computer in a remote location. This is where the trouble can start: every one of those connections is a potential path for hackers and cyber-criminals to reach your computer and company systems.
With the internet always on, workers find themselves spending more than twice as much time using it in the office as they do at home. Notably, the primary work task on the internet relates to the company’s financial activities: banking, invoicing and bill payments. Money is a magnet for criminals, and it is precisely our familiarity with conducting financial transactions online that lets us drop our guard and makes us vulnerable.
Cybercrime and cybersecurity issues are not rare or isolated. They are real and expensive problems.
“Financially motivated criminals that exploit and access systems for financial gain are a substantial threat to Australia. Transnational serious and organised cybercrime syndicates are of most concern, specifically those which develop, share, sell and use sophisticated tools and techniques to access networks and systems impacting Australia’s interests”.
Australian Government’s Australian Cyber Security Centre 2015 Threat Report
These are the facts:
- In 2015, 25% of Australians reported having been victims of identity theft at some time, up 7% from the previous year.
- Fraudulent credit applications involving identity takeovers in Australia rose 59% in the past two years and 17% in the past 12 months.
- In a recent case, a company whose employee system was breached received reports from over 20% of its employees that false tax returns had been filed in their names, with the refunds directed to bank accounts unknown to them.
Protecting Your Business against Cyber Crime
So how can you make sure your business is not affected and what are some of the safeguards in protecting your data?
WiFi Attacks
When you use free Wi-Fi in public you have no way of knowing who is actually broadcasting the signal, so when you connect to a network you could inadvertently be sending all of your network traffic to a cyber-criminal. Security experts strongly recommend that you don’t use public Wi-Fi at all. Alternatives include using your phone as a hotspot, bringing your own mobile Wi-Fi router, or buying a data roaming pack from your mobile phone provider when you travel.
Your internal office Wi-Fi network is also one you should be aware of. There is a product on the market called the WiFi Pineapple, sold as a Wi-Fi penetration-testing tool.
This little device, although legal and freely available, can insert itself between your office Wi-Fi and your computer without you knowing. Instead of data flowing directly between your computer and your Wi-Fi network, it flows from your computer to the Pineapple, from the Pineapple to the Wi-Fi, and the same in reverse. The Pineapple broadcasts itself under your office network’s name while simultaneously bridging a connection through your office Wi-Fi router with its second aerial. The owner of the Pineapple now sees all of the data you have sent online, which may include passwords, credit card numbers and bank account details. The Pineapple can also strip SSL, rewriting the secure (https) links in a page to plain http so that a site you believe is encrypted is not. Note that this downgrade only works against sites that do not enforce HTTPS; a site that sends an HSTS (Strict-Transport-Security) policy tells the browser to refuse plain http to that site, which is why the padlock check below matters.
To defend yourself from being attacked over an office network, the following recommendations are important:
- avoid Wi-Fi within your office; use a cabled connection where you can
- always use a VPN, so that even an intercepted connection carries only encrypted traffic
- check for the HTTPS padlock in the browser before entering any credentials or payment details, and stop if it is missing on a site that normally has it
Mobile Hacks
Mobile phones are often neglected from a security standpoint, yet they represent one of the fastest-growing targets for cybercrime. Skycure Research Monitoring reports that 25% of all devices are exposed to a network-based attack in their first month of use.
These are some steps to take to ensure your mobile phone remains secure:
- do not jailbreak your phone
- do not install apps from outside the Apple App Store (iTunes) or Google Play
- do not click on suspect links and
- use virus/malware protection
Email Hacks
One type of email hack is called email spoofing. This is the forgery of an email header so that the message appears to have originated from someone or somewhere other than the actual source. It works because the underlying mail protocol (SMTP) does not verify the From address; anyone can put any name and address there unless the receiving mail system checks it with SPF, DKIM and DMARC. Distributors of spam often use spoofing in an attempt to get recipients to open, and possibly even respond to, their solicitations. Spoofing can also be used legitimately: you will often see it when a company uses a third-party supplier for its email marketing and the message looks as if it came directly from the company.
Although most spoofed email falls into the ‘nuisance’ category and requires little action other than deletion, the more malicious varieties can cause serious problems and security risks. For example, a spoofed email may purport to be from someone in a position of authority, asking for sensitive data such as passwords, credit card numbers or other personal information, any of which can be used for a variety of criminal purposes.
Following are some tips for defending yourself against email hackers:
- never open non-PDF attachments unless you know the source and are expecting them (and treat PDFs with care too, as they can also carry malicious content)
- don’t enable Macros
- don’t click links in emails; search for the organisation’s site yourself, or paste the link into an analyser such as virustotal.com
- use a secure email gateway
- use a web proxy
- backup regularly, store offsite, and test regularly
- segment your network and give as little access as needed
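Many of the signs of a spoofed message are visible in its headers and body before anyone clicks anything. The following is an added example (not from the article or the presenters) of the checks a mail gateway or a cautious administrator would run: envelope sender versus the From domain, a Reply-To that points elsewhere, SPF/DKIM/DMARC results, macro-capable attachments, and links whose visible text names one site while the href points at another. Both sample messages, and the domains in them, are constructed for illustration; in a real deployment the Authentication-Results header is the one your own receiving server adds.

```python
"""Added example: header and body checks for a spoofed email. Not from the article."""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from urllib.parse import urlsplit

# Extensions that can carry Office macros (the "don't enable Macros" tip).
MACRO_EXTENSIONS = (".doc", ".docm", ".xls", ".xlsm", ".ppt", ".pptm")


def domain_of(addr) -> str:
    """Domain part of 'Name <user@host>' style header values ('' if absent)."""
    _, email_addr = parseaddr(str(addr or ""))
    return email_addr.rpartition("@")[2].lower()


def check_message(raw: bytes) -> list:
    """Return a list of human-readable findings; an empty list means no red flags."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    from_dom = domain_of(msg["From"])

    # 1. The envelope sender (Return-Path) is what SPF actually checks; a
    #    mismatch with the visible From domain is the classic spoofing sign.
    rp_dom = domain_of(msg["Return-Path"])
    if rp_dom and rp_dom != from_dom:
        findings.append(f"Return-Path domain {rp_dom} differs from From domain {from_dom}")

    # 2. Replies silently routed to a different mailbox.
    reply_dom = domain_of(msg["Reply-To"])
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")

    # 3. What the receiving server's SPF/DKIM/DMARC checks concluded.
    auth = msg["Authentication-Results"]
    if auth:
        for mech in ("spf", "dkim", "dmarc"):
            m = re.search(rf"\b{mech}=(\w+)", str(auth))
            if m and m.group(1).lower() != "pass":
                findings.append(f"{mech} result is {m.group(1)}")
    else:
        findings.append("no Authentication-Results header; sender was not verified")

    # 4. Attachments that can run macros.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(MACRO_EXTENSIONS):
            findings.append(f"attachment {name} can carry macros")

    # 5. Links whose visible text names a site other than the real target.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        html = body.get_content()
        for href, text in re.findall(r'<a[^>]+href="([^"]+)"[^>]*>(.*?)</a>', html, re.I | re.S):
            shown = re.search(r"https?://([^/\s<]+)", text)
            target = (urlsplit(href).hostname or "").lower()
            if shown and shown.group(1).lower() != target:
                findings.append(f"link text says {shown.group(1)} but points to {target}")
    return findings


# Constructed sample: a spoofed "overdue invoice" with most of the tell-tales.
SPOOFED = b"""Return-Path: <bounce@mailer-xyz.example>
Authentication-Results: mx.example; spf=fail smtp.mailfrom=mailer-xyz.example; dkim=none; dmarc=fail
From: "Accounts Team" <accounts@strata-manager.example>
Reply-To: accounts.team@freemail.example
To: manager@bodycorp.example
Subject: Invoice overdue - action required
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Please pay now at <a href="http://198.51.100.7/pay">https://www.strata-manager.example/pay</a></p>
--b1
Content-Type: application/octet-stream; name="invoice.docm"
Content-Disposition: attachment; filename="invoice.docm"
Content-Transfer-Encoding: base64

UEsDBAo=
--b1--
"""

# Constructed sample: a legitimate message whose checks all pass.
CLEAN = b"""Return-Path: <accounts@strata-manager.example>
Authentication-Results: mx.example; spf=pass smtp.mailfrom=strata-manager.example; dkim=pass header.d=strata-manager.example; dmarc=pass
From: "Accounts Team" <accounts@strata-manager.example>
To: manager@bodycorp.example
Subject: Invoice available on the portal
Content-Type: text/plain; charset="utf-8"

Your invoice is available in the owner portal.
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("clean", CLEAN)):
        print(label, check_message(raw) or "no findings")
```

A secure email gateway does essentially this (plus URL rewriting and attachment sandboxing) for every inbound message, which is why the gateway and proxy recommendations above are on the list.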
Ransomware
Cyber criminals are scraping personal information from thousands of Australians' social media profiles and using it to trap victims with ransomware, a type of malware that freezes computer files and demands money to unlock them.
The ransomware — appropriately titled 'Locky' — is spreading quickly on the web in various guises, including the well-known Australia Post Email Scam and more recently the AGL Email Scam. What makes the scam so dangerous is that it addresses the recipient with personal information such as their full name, location, workplace and job description — all gleaned from their social media profile and designed to dupe them into thinking the email is legitimate.
The ransomware encrypts files on your PCs, networks and servers.
There are three main options you have with ransomware:
- use security software or a published decryption tool to try to decrypt everything (this only works if researchers have broken or obtained the keys for that particular strain)
- pay the ransom
- restore from last clean backup
The last is probably the best option: restore your system to a point before the ransomware hit. This means you need a good backup system, one that is tested and that the infected machine cannot reach, because ransomware will encrypt any backup drive or share it can see.
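“Test regularly” is the part of the backup advice most often skipped. The following is an added example (written for this article, not from the presenters) of one way to make a restore test objective: record a SHA-256 hash of every file at backup time in a manifest, then compare the restored tree against that manifest and report anything missing, changed or unexpected. The demo builds a small constructed directory in a temporary folder and simulates what ransomware leaves behind; the file names are illustrative only.

```python
"""Added example: a hash manifest for verifying a backup restore. Not from the article."""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root) -> dict:
    """Map every file under root (relative POSIX path) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(root, manifest: dict) -> dict:
    """Compare a restored tree against the manifest taken at backup time.
    All three lists empty means the restore brought back exactly what was backed up."""
    current = build_manifest(root)
    return {
        "missing": sorted(set(manifest) - set(current)),
        "changed": sorted(k for k in manifest.keys() & current.keys()
                          if manifest[k] != current[k]),
        "extra": sorted(set(current) - set(manifest)),
    }


def demo(simulate_ransomware: bool = True) -> dict:
    """Constructed scenario: back up a small strata data set, optionally
    simulate an infection (one file overwritten with random bytes, one deleted,
    a ransom note dropped), then verify against the saved manifest."""
    with tempfile.TemporaryDirectory() as d:
        data = Path(d) / "data"
        (data / "levies").mkdir(parents=True)
        (data / "levies" / "2016-q1.csv").write_text("lot,amount\n1,450.00\n2,450.00\n")
        (data / "minutes.txt").write_text("AGM minutes: quorum reached.\n")

        # Backup time: write the manifest *outside* the data tree.
        manifest_file = Path(d) / "manifest.json"
        manifest_file.write_text(json.dumps(build_manifest(data), indent=2))

        if simulate_ransomware:
            (data / "levies" / "2016-q1.csv").write_bytes(os.urandom(64))  # "encrypted"
            (data / "minutes.txt").unlink()
            (data / "README_DECRYPT.txt").write_text("pay 2 BTC\n")

        # Restore-test time: reload the manifest and compare.
        return verify_restore(data, json.loads(manifest_file.read_text()))


if __name__ == "__main__":
    print("clean restore :", demo(simulate_ransomware=False))
    print("after attack  :", demo(simulate_ransomware=True))
```

Store the manifest with the backup (or in the backup log) rather than on the machine being backed up; a restore test then consists of restoring to a scratch location and running the comparison.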
To defend yourself against these social media hacks there are some simple things you can do
- review your privacy settings in your social media accounts
- don’t connect to strangers
- be suspicious
- if you have any doubt at all, make a call to your IT experts
Identity Theft
What do these companies have in common: LinkedIn, Adobe, eBay, JP Morgan Chase, Sony and Target? Each of them has had more than 50 million user accounts breached and the identities of its clients stolen.
Here are some tips to protect yourself from identity theft
- only use complex passwords with numbers, upper/lower case and punctuation
- never re-use passwords
- don’t iterate passwords (Winter2016!, Winter2017! and so on); an attacker who has one version will try the next
- use a good password manager
- use 2-Factor Authentication where possible
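What the first four tips look like in practice, as an added example (written for this article, not from the presenters): a generator that draws from the operating system’s cryptographic random source the way a password manager does, a complexity check matching the rule above, and a check that catches the “iteration” habit by stripping the leading and trailing digits or punctuation that people bump each time and comparing what is left. The sample passwords are constructed for illustration.

```python
"""Added example: generated, complex and non-iterated passwords. Not from the article."""
import re
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation


def meets_complexity(pw: str, min_len: int = 12) -> bool:
    """Numbers, upper and lower case, punctuation, and a sensible minimum length."""
    return bool(len(pw) >= min_len
                and re.search(r"[a-z]", pw)
                and re.search(r"[A-Z]", pw)
                and re.search(r"\d", pw)
                and any(c in string.punctuation for c in pw))


def generate_password(length: int = 20) -> str:
    """Random password from a CSPRNG (the secrets module), as a manager would make."""
    if length < 12:
        raise ValueError("use at least 12 characters")
    while True:  # a 20-char draw almost always has all four classes; retry if not
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if meets_complexity(pw):
            return pw


def _stem(pw: str) -> str:
    """Drop leading/trailing digits and punctuation, lower-case the rest:
    'Winter2016!' -> 'winter', '1Summer!' -> 'summer'."""
    core = re.sub(r"^[\d\W_]+|[\d\W_]+$", "", pw)
    return core.lower() if core else pw.lower()


def is_iteration_of(new: str, old: str) -> bool:
    """True when the new password is the old one with its counter bumped."""
    return new != old and _stem(new) == _stem(old)


def check_new_password(new: str, previous: list) -> list:
    """Return the problems with a proposed password against a user's history."""
    problems = []
    if not meets_complexity(new):
        problems.append("does not meet complexity rules")
    if new in previous:
        problems.append("re-used password")
    if any(is_iteration_of(new, old) for old in previous):
        problems.append("iteration of a previous password")
    return problems


if __name__ == "__main__":
    history = ["Winter2016!", "P@ssw0rd1"]            # constructed sample history
    for candidate in ("Winter2017!", "P@ssw0rd2", "Winter2016!", generate_password()):
        print(candidate, "->", check_new_password(candidate, history) or "ok")
```

A real password manager stores the generated value so no one has to remember it, which is the only way the “never re-use” rule survives contact with dozens of accounts.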
Cybercrime is real and not to be ignored. Staying well informed and taking the appropriate actions to protect yourself are the best ways to start. Don’t ever think it couldn't happen to you.
Article written based on a presentation for the SCA National Convention 2016, presented by Timothy Strachan – Special Projects, TPG and Daniel Borin – Director, StrataMax on Cyber Security
www.stratamax.com