Cybercrime is a threat to every Australian business: are you prepared?
Article | 3 min | 12 February 2019
It’s not a matter of if, but when. That’s the unsettling consensus among leading risk management experts about the chance of the average Australian business, or individual for that matter, becoming a target of cybercrime.
According to the Australian Government, the annual global cost of cybercrime is around $600 billion. In Australia, the estimated economic impact on businesses and individuals during 2018 was $7 billion.
Perhaps it’s already happened to you or your business. Well, you’re not alone.
The issue recently exploded into the headlines when Australia, Canada, Japan, New Zealand, the United States and United Kingdom named China as the architect behind the biggest data theft in history following the indictment in the US of two Chinese nationals for cybercrime.
It’s alleged they were part of an elite state-sponsored hacking group known as APT10, which since 2014 had targeted businesses working in dozens of sensitive industries such as aviation, manufacturing, oil and gas exploration, information technology and defence contracting.
The attacks targeted large-scale managed service providers and had the potential to undermine global economic growth, national security and international stability, Foreign Minister Marise Payne and Home Affairs Minister Peter Dutton said in a joint announcement. China denied the claims.
These latest attacks are part of a much larger problem.
Here in Australia the government has established the Australian Cyber Security Centre in Canberra to combat the threat, combining the resources of the Federal Police, Defence Intelligence Organisation, Australian Security Intelligence Organisation and the Department of Home Affairs.
“Billions of cyber events orchestrated by criminal, and nation state attackers are aiming at the very heart of the Australian Government, business and our public life,” former Australian Prime Minister Malcolm Turnbull revealed in his address at the Centre’s opening in August last year.
Know your enemy
Everyone who has a computer, smartphone or email address is vulnerable to cybercrime.
Gokul Srinivasan, Associate Director at global risk consultancy, Control Risks, says there are three primary perpetrators:
Nation State Attackers: Highly sophisticated and well-funded, their motivation is economic, political and industrial to “further the agenda of their government.”
Cyber Criminals: Increasingly well-funded and organised, these are the biggest threat to Australian businesses and individuals, and they are in it for financial gain.
Activists: Also known as ‘hacktivists’, these are smart people with extreme agendas. They are publicly embodied by the group Anonymous Collective, known for cyber-attacks against governments and institutions.
“Small businesses shouldn’t think their diminutive size makes them safe,” Gokul Srinivasan, Control Risks
The threat for businesses
There are two main threats for businesses.
By far the most popular scam is called phishing, a sub-category of spam, which uses emails to trick people into handing over money or sensitive information such as banking details.
Victims may also be conned into downloading malicious software with various criminal purposes such as data ransom or recording keystrokes to reveal sensitive and potentially valuable information.
Then there are hackers who target corporate IT platforms. The motivation is almost always money, though the techniques vary.
For example, Mr Srinivasan says a common method cyber criminals use is to hack into a system, encrypt a company’s data, and demand payment before unlocking the information.
Prevention better than cure
The good news for businesses is that there’s plenty they can do to minimise the threat.
The first step, says Mr Srinivasan, is to prepare for a cyber attack with the expectation that: “It’s not a matter of if, but when.”
Understand where your company is most vulnerable, who the likely assailant would be and what they may be after.
He says small businesses shouldn’t think their diminutive size makes them safe: their own operation may not be the primary target, but one of their clients could be.
Prepare, Protect, Detect, Respond and Recover
For Bianca Wirth, Manager Corporate Security Education and Awareness at IAG, “having a cyber threat detection and response team in place is critical.
“Someone must oversee a defined process,” she recently told the Information Technology Professionals Association.
“There is a five-step methodology that has become popular. It works on the principles of Prepare, Protect, Detect, Respond and Recover.
“The idea is that you are never going to eliminate 100 per cent of security threats, so you have people, processes and tools in place to stop as much as possible and then have a strategy to be able to respond and recover after an incident with the goal of minimising damage.”