Combating Cyber Crime
Cybercrime really emerged from the shadows last year as first the Kmart and then the David Jones data hacks unfolded. While no credit card information was shared in those cases, personal details, including identity data and delivery addresses, were compromised. And when you consider that cybercriminals could target online cheating website Ashley Madison or global giant Sony Pictures with such dramatic results, what hope does small business have?
Therein lies the challenge for business. Cybercrime is no longer just a problem for online or big business. The threat is real and imminent for all businesses that collect or use data and operate in the connected world.
SMEs: low-hanging fruit
Hackers are moving away from larger organisations to focus on small to medium enterprises (SMEs), which represent an easy target – often described as “low-hanging fruit” – compared to larger entities protected by complex security measures.
In January 2016, 38.6 per cent of all detected phishing attacks (where an email appears to be from a known individual or business, but is actually from a criminal hacker wanting to steal personal data) targeted organisations with fewer than 250 employees, according to the latest Symantec Monthly Threat Report. The most targeted sectors were identified as “finance, insurance and real estate”.
Cyber-exposure is set to increase as technology becomes more integrated with the internet. Over time, more electronic systems – from those in cars to building infrastructure – will be networked. This will grow the number of data pathways, giving more opportunities for cybercrime in unexpected places.
What are the threats?
The financial and accounting space is one of the most targeted sectors for cybercrime, due to the nature of its daily activities and its tendency to store sensitive client data. Some common forms of cybercrime include:
- Ransomware and extortion: This usually involves malware infecting the company network and locking all access to systems, followed by a ransom message demanding payment to regain access.
- Financial transfer phishing: The target is any form of financial transaction between entities, for which the hacker will send a fake communication with incorrect bank details in an attempt to direct the transaction to the hacker’s account.
- Data exfiltration: Once a hacker has infected an entity with malware, they may decide to be more discreet, stealing as much confidential data as possible without detection. The stolen data can then be sold or used to commit financial fraud.
- Internal threats: Simple human error with no malicious intent, for instance losing a company laptop containing client data, can have serious repercussions. Malicious attacks by disaffected employees can also be devastating.
- Common software exposure: One of the scariest threats from an industry standpoint is the systemic exposure posed by attacks on common forms of software used by an entire industry group. One example of this scenario involves exploiting a security loophole in a common system – such as a piece of bookkeeping software – resulting in data from thousands of practices being locked and held to ransom.
How to defend against this ever-evolving threat?
Detection and security go hand-in-hand when dealing with the threat of cybercrime. There isn’t a one-size-fits-all solution, but basic risk management includes:
- Ensuring security software is patched and updated regularly. Quite often, companies set and forget their IT security systems. An outdated system is unable to detect new threats, so updating software regularly is essential in a climate where new threats are identified daily.
- Focusing on physical security in addition to network security. All the software in the world won’t help if there is unrestricted access to your office space.
- Making sure that there is a strong focus on people when designing IT security measures. Human error is often the weakest link in any IT security system, which is why it’s so important that all staff, right across the business, understand the IT security measures and escalations that are in place.
- Encrypting sensitive data. While not unbreakable, encryption is a good habit to get into when data is being transferred or stored. It adds another layer of protection.
- Not storing unnecessary data. Only keep what is required for business and regulatory purposes. Storing unrequired data represents unnecessary exposure.
- Implementing two-factor security measures where appropriate. An example would be a password and PIN combination. This space will evolve as biometric technology becomes more accessible.
- Maintaining a balance between prevention and detection. Without measures to detect anomalies in the system, a breach may go unnoticed for months.
- Restricting administrative privileges. This reduces the number of targets and decreases the probability of a large-scale breach occurring if a hacker obtains employee credentials.
- Drafting a cyber-specific business continuity plan. This is essential to ensure your breach response is well-planned and the recovery process can begin as soon as possible. The Australian Cybercrime Online Reporting Network has an online reporting tool that can help you assess whether an event should be referred to law enforcement, as well as further resources on cyber events and reporting.
Right here, right now
“Our biggest issue is to convince our clients that the risk of cybercrime is real and here now. Many of our smaller clients think it is only the big companies that are targeted,” says Drew Fenton, managing director of Fenton Green, CPA Australia’s preferred professional indemnity policy supplier.
Fenton says policies can do the heavy lifting for clients after the cybercriminals have left the building, so to speak.
“When clients take out insurance cover, most insurers will have a suite of experts – including computer, PR and forensic – to assist in their recovery. However, many clients are becoming more savvy about recovery strategies. Some of our clients take out this cover not for the insurance, but for the risk mitigation (benefit of cover) on the other side of a cyber event.”