Elon Musk and NASA ban corporate use of Zoom over privacy concerns

SpaceX (Elon Musk’s aerospace company) recently banned its employees from video conferencing via Zoom on account of “significant privacy and security concerns”.

NASA soon followed suit, and U.S. law enforcement issued a public warning regarding the security of the rapidly growing app.

The security concerns surrounding Zoom first gained the spotlight alongside the app’s sudden surge in use as COVID-19 work-from-home arrangements cascaded across the world. The first notable privacy shortcoming came in the form of “Zoombombing”, where uninvited guests joined a video conference (typically by guessing or finding a publicly posted meeting ID that had no password set) and essentially ran amok. This ranged from deliberate attempts to eavesdrop on confidential conversations to simple trolling: abuse, pornographic material and general disruptive behaviour.

In addition, multiple security concerns and exploits have been discovered over the past weeks, including a major flaw that allowed accounts to be hijacked quite easily, and thousands of Zoom account credentials being found for sale on the dark web.

And as recently as April 15th, two new exploits were reported on Windows and macOS that could enable unauthorised parties to spy on Zoom meetings.

Zoom CEO Eric Yuan has done the respectable thing and owned up to the security concerns, issuing a public apology and a statement of action that cites an unexpected, gigantic increase in the Zoom userbase (from 10 million daily meeting participants in December to 200 million).

Regardless of whether you’re on Zoom, Slack or another video conferencing provider, here are a few easy things you and your colleagues can do to keep your conferences secure:

  • Keep an eye on the participants in your conference

This is especially important for larger conferences, where unidentified or unauthorised persons can slip under the radar more easily. If you’re in a meeting of more than just a small team, assign a moderator who can keep track of participants, and where the platform offers them, turn on a meeting password and a waiting room so that nobody joins unseen.

  • Be aware of your surroundings

Everyone has a story about accidentally sharing the wrong information in a conference (including myself). Be mindful of what’s up on the whiteboard in the background, and if you’re screen-sharing make sure you close confidential or embarrassing tabs.

  • Limit confidential information through conferences

In light of these recent security concerns, it’s important to be mindful that video-conferences are another potential source of data leaks and security concerns. Limit the information you discuss in conferences to ensure that it isn’t leaked or eavesdropped on by malicious parties.

Finally, it’s important to note that while Zoom is currently in the limelight for security concerns, it’s likely that you’ll find similar issues on other video-conferencing services that simply aren’t as publicised at the moment.

Regardless of the platform you use, remember that video-conferencing is another channel on which you’re sharing data. Conferencing should always be treated with caution and covered by appropriate security policies.

For more information on work-from-home security, visit portal.cyberaware.com/remote

Travelex pays $2.3 million USD ransomware bailout: Ransomware cases silently rise during COVID-19

If your business faced a ransomware attack, would you pay the hacker?

Kaspersky estimates that 45% of business employees are unaware of how to handle a ransomware attack, and given the current circumstances this is a critical cybersecurity gap for many organisations.

Where most organisations are used to a conventional security structure, with secure office networks, firm access control policies and countless on-site security measures to reduce risk, countless workers have suddenly had those measures reduced or removed entirely in favour of stock-standard home networks, and the plethora of exploitable risks that come with the move.

In 2019, it was also estimated that 15 percent of all ransomware victims chose to pay the ransom. However, it is widely recommended that ransomware should be treated similarly to a real-life hostage situation: never pay the ransom.

Not only does paying fail to guarantee that you’ll receive a working decryption key or that any stolen data will be deleted, it also marks you as a business that pays, which encourages repeat attacks on you and on similar businesses.

A recent example of a massive ransomware payout is Travelex, which was hit at the end of December 2019. Travelex is a foreign currency exchange that services businesses across 26 countries, and in response to a targeted attack by the prominent hacker group known as the Sodinokibi (REvil) gang, Travelex paid out a sum of $2.3 million.

The Sodinokibi gang claimed to have exfiltrated 5GB of customer data, which it threatened to publish and promised to delete upon payment. The catch is that while the payout may have stopped the attackers from publishing the sensitive data, there is no way of verifying that they actually deleted it.

And considering that this is a criminal group, it only stands to reason that they’d keep it as a further avenue of exploitation and profit.

While the Travelex incident was late last year, research indicates that ransomware attacks have gone up significantly throughout the COVID-19 pandemic, especially against businesses in the health industry.

Regardless of whether or not your business lands in the health sector, here are some precautions you can take pertaining to ransomware, especially in these current circumstances:

  • Be cautious of ransomware scams disguising as COVID-19 apps or services (Read here)
  • Evaluate what security measures are missing due to work-from-home, and do your best to replicate them in employee houses (See my article from last week)
  • Back. Up. Your. Data.

That last step is especially important. Tested backups are the one thing that let you restore encrypted systems without paying, which is often the only leverage you have in a ransomware negotiation. Keep at least one copy offline or otherwise disconnected from the network, so it cannot be encrypted along with everything else, and test a restore before you need one. Note that a backup does nothing about data the attackers have already copied out, which is why the prevention steps above matter just as much. (See Here for more information on developing a back-up plan for your business)

Finally, for more details on staying safe online and covering your work-from-home security, see our remote-working program.

What does COVID-19 mean for password hygiene?

With the advent of remote-working in response to COVID-19, we’re all making necessary adjustments. We’re incorporating new behaviors into our day-to-day life, such as limiting our time out of the house to essential shopping or exercise, and are now using our homes for activities that we’re otherwise used to performing out in the world.

We’re adopting new indoor exercise routines, frequently preparing our own meals in favor of the usual take-out, and have had to establish boundaries between working space and relaxing space within our own houses. Most notably, it’s reported that hand-washing is up by 1000% across the globe (don’t fact check me on that).

While we adjust and make preparations during this unprecedented time, it’s important that we take consideration for some of the subtler changes pertaining to safety as well. One of which being simple password hygiene.

It didn’t take long at all for scammers to jump at this opportunity and roll out a plethora of COVID-19 scams, but this isn’t the only way they’re exploiting and profiting from the masses during this time. Hackers and scammers are well aware that with the move to home-offices comes a move away from office security.

Things like network security, access control and general password hygiene are more exposed now than they have been for a long time.

In the migration to our home-offices, most of us are taking passwords that were previously used only on secure office networks and entering them into home machines with lower standards of security. Furthermore, systems that we never had to re-log into, or that we’ve forgotten the passwords for, are having their passwords reset for the home-office.

When re-entering or changing passwords for your work systems, it’s a critical time to reconsider how strong they are and how long you’ve been using them, so that your passwords aren’t compromised as a result of the change in workplace security.

Make the switch to passphrases.

A passphrase is a password made from several words or a whole sentence rather than a single word with a few numbers tacked on. Its strength comes from its length: each extra word multiplies the number of guesses an attacker has to make, and a sentence you already know is far easier to remember than a random jumble of characters. Pick a phrase you’re sure to remember and use the phrase itself as the password. For example:
“Jack and Jill Went Up The Hill” works as a passphrase just as it is. The common shortcut of reducing it to its initials, “JaJwUtH”, leaves you with only seven characters, which is much weaker than the full phrase and should be avoided wherever the system accepts longer passwords.

Adding a couple of digits and a symbol to the end adds very little, because attackers try exactly those patterns first; another word or two does far more for a strong, memorable passphrase.
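To put numbers on the comparison above, here is an added example (not from the original article) that works out how many guesses each scheme forces on an attacker and generates a word-based passphrase the safe way. The word list is a constructed sample; the 7776-word list size used in the comparison is the size of a standard diceware list, and the 1e10 guesses-per-second rate is an assumed figure for a fast hash on GPU hardware, so substitute your own.

```python
import math
import secrets

# Constructed word list for the demonstration only. A real diceware-style list
# (for example the EFF long list) has 7776 words; the entropy figures below are
# computed from the list size you pass in, not from this sample.
SAMPLE_WORDS = [
    "anchor", "basalt", "cobalt", "dagger", "ember", "falcon", "glacier",
    "harbor", "iodine", "jasper", "kestrel", "lantern", "meadow", "nimbus",
    "orchid", "pepper", "quartz", "ripple", "saffron", "tundra", "umber",
    "velvet", "walnut", "yonder", "zephyr",
]


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy for `length` symbols chosen uniformly from `alphabet_size`.

    For a word-based passphrase the symbol is a word and the alphabet is the word
    list. For a character password the alphabet is the character set. A mnemonic
    initialism such as "JaJwUtH" is at best 52^7 (mixed-case letters) and in
    practice weaker, because the letters follow English word starts.
    """
    if alphabet_size < 2 or length < 1:
        raise ValueError("need at least two symbols and one position")
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(bits: float, guesses_per_second: float = 1e10) -> float:
    """Worst-case time for an offline attacker to try every possibility.

    Real crackers try likely guesses first, so this is an upper bound; the
    assumed 1e10 guesses/s models a fast, unsalted hash on GPU hardware.
    """
    return 2.0 ** bits / guesses_per_second


def generate_passphrase(wordlist, n_words: int = 5, sep: str = "-") -> str:
    """Pick words with the `secrets` module (a CSPRNG), never `random`."""
    if n_words < 1:
        raise ValueError("n_words must be positive")
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def compare_schemes() -> dict:
    """Entropy of the article's initialism versus word-based passphrases."""
    return {
        # "JaJwUtH": seven mixed-case letters, generous upper bound
        "initialism_7_mixed_case": entropy_bits(52, 7),
        # eight random printable ASCII characters, a typical "complex" password
        "random_8_printable": entropy_bits(95, 8),
        # five words from a 7776-word diceware list
        "diceware_5_words": entropy_bits(7776, 5),
        # six words from the same list
        "diceware_6_words": entropy_bits(7776, 6),
    }


if __name__ == "__main__":
    for name, bits in compare_schemes().items():
        years = seconds_to_exhaust(bits) / (365.25 * 24 * 3600)
        print(f"{name:26s} {bits:6.1f} bits  ~{years:,.1f} years to exhaust at 1e10/s")
    print("example passphrase:", generate_passphrase(SAMPLE_WORDS))
```

Run it and the seven-letter initialism comes out at roughly 40 bits, exhaustible in under two minutes at the assumed rate, while five random diceware words give about 65 bits, which is tens of years at the same rate. Note that the full sentence “Jack and Jill Went Up The Hill” is a well-known phrase, so it is stronger than its initials but still a candidate in a dictionary of quotations; words chosen at random, as `generate_passphrase` does, are the robust option.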

Don’t re-use or share your passphrases.

I like to think of each of my passphrases as though they were my toothbrush: I don’t re-use them too much, and I never share them with others.
In most cases when your passphrase is stolen or compromised, it tends to sit on the dark web for anywhere between a few weeks and a few months before it is used. By using a unique passphrase for each essential login, and changing any passphrase as soon as you learn that the service it belongs to has been breached, you prevent cybercriminals from using one set of stolen credentials to access your other systems in the long run.

As for sharing them around, if you work with team members or managers who share a login with you, it is key that wherever possible each person uses their own set of credentials, and most importantly, that those credentials are not also used on other systems.

Use a password manager!

Finally, we recommend using a password manager to store your passwords. Between the cyclical news surrounding COVID-19 and our frequently changing workloads as a result of it, our brains are full up.
It’s encouraged to use complex and unique passphrases across a number of devices, but we couldn’t reasonably ask you to remember them all.

This is where password managers come in. They’re secure programs that typically plug straight into your browser and work like an encrypted vault holding all of your login credentials.

Most password managers don’t just remember passwords: they typically fill them in for you, protect the vault itself with two-factor authentication (many can also store and generate the two-factor codes for your other accounts), and create long, randomly generated passwords for you where needed.

Of all the advice in this article, password managers are likely the most essential. We recommend 1Password, LastPass, and Google Password Manager.

Want To Boost Your Cybersecurity? Forget Your Passwords

Many years ago, when I was a 14-year-old budding computer nerd, I experienced my first data-breach. I’d been playing World of Warcraft for hours on end (I was a kid, quit judging!) when another player offered me an “exclusive” opportunity to test out some new beta weapons and equipment.

All I had to do was enter my logins to the beta-test form, and this promised “exclusive gear” would be added to my account in 24 hours.

An email was sent through with the required form and being young, naive and full of the typical invincibility syndrome that young 14-year-old boys tend to have, I entered my username and password then signed off for the night.

Sure enough, I returned the next day to find that my passwords had been changed, all of my character’s clothes and weapons were stolen, and my email account had been compromised. I’d used the same email and password for my World of Warcraft account as I had for my personal email account.

Thankfully, at that time I had nothing of real value to lose from those accounts, and had some very valuable lessons to learn: don’t trust strangers online, and don’t re-use passwords!

Re-using passwords is a big no-no, but let’s be honest, everyone does it. I don’t know a single person who hasn’t re-used a password across multiple logins. It’s quick, it’s easy, and most of all it’s memorable.

The problem with re-using passwords, however, is that if they get stolen or guessed just once, they can then be used to access everything. It’s like cutting a master-key to fit your front-gate, garage and car all in one. And it’s why a silly encounter in an online game led to my email account being hacked.

In most major cyber breaches the logins are often stolen from somewhere unrelated, such as a social media account or streaming subscription, and then re-used for later attacks on bank accounts or corporate systems.

To avoid credential-based attacks, the expectation is that we use a different password for each and every login we have. However, given that the average person now has upwards of 27 online logins to remember, it’s quickly becoming an impossible task to individualise them and is likely why we’re seeing 81% to 87% of people re-using their passwords in the first place.
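To make the credential-stuffing point concrete, here is an added example (not from the original article) of how a login form or password manager can check whether a password has already appeared in a breach dump without ever sending the password anywhere. It uses the k-anonymity range scheme popularised by the Have I Been Pwned “Pwned Passwords” service: the client hashes the password with SHA-1, sends only the first five hex characters, and compares the returned suffixes locally. The breach corpus and the range-lookup function below are constructed stand-ins so that the code runs offline; nothing in them is real leaked data.

```python
import hashlib
from collections import Counter
from typing import Callable, Dict, List

# Constructed stand-in for a breach corpus (password -> times seen in leaks).
# Real corpora hold hundreds of millions of SHA-1 hashes; these are made up.
_CONSTRUCTED_BREACH_COUNTS = Counter({
    "password123": 123456,
    "donald": 9876,
    "qwerty": 3_000_000,
    "letmein": 55555,
})


def sha1_hex_upper(password: str) -> str:
    """Uppercase hex SHA-1 of the password, the form the range scheme uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(counts: Counter) -> Dict[str, str]:
    """Group the corpus by 5-hex-character prefix, one 'SUFFIX:COUNT' line per hash.

    This mimics the text a range endpoint returns for a given prefix.
    """
    index: Dict[str, List[str]] = {}
    for pw, n in counts.items():
        h = sha1_hex_upper(pw)
        index.setdefault(h[:5], []).append(f"{h[5:]}:{n}")
    return {prefix: "\r\n".join(sorted(lines)) for prefix, lines in index.items()}


_RANGE_INDEX = build_range_index(_CONSTRUCTED_BREACH_COUNTS)


def offline_range_lookup(prefix: str) -> str:
    """Stand-in for the network call. It receives ONLY the five-character prefix,
    so even a malicious server learns a bucket of candidates, not the password."""
    if len(prefix) != 5:
        raise ValueError("range lookups take exactly five hex characters")
    return _RANGE_INDEX.get(prefix, "")


def breach_count(password: str,
                 lookup: Callable[[str], str] = offline_range_lookup) -> int:
    """How many times `password` appears in the corpus, or 0 if never.

    Only digest[:5] leaves the client; the remaining 35 characters are matched
    locally against the suffixes in the response.
    """
    digest = sha1_hex_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in lookup(prefix).splitlines():
        if not line:
            continue
        cand_suffix, _, count = line.partition(":")
        if cand_suffix == suffix:
            return int(count)
    return 0


def should_reject(password: str, threshold: int = 1) -> bool:
    """Policy hook for a signup or password-change form: refuse anything that
    has been seen in a breach at least `threshold` times."""
    return breach_count(password) >= threshold


if __name__ == "__main__":
    for candidate in ("password123", "correct horse battery staple"):
        print(candidate, "->", breach_count(candidate), "breach occurrences")
```

In a real deployment `offline_range_lookup` would be replaced by an HTTPS request for the prefix; the privacy property comes from the split at five characters, not from the transport. Rejecting known-breached passwords at signup is also what NIST’s password guidance (SP 800-63B) asks for, and it is a far better use of effort than forcing users to rotate passwords on a calendar.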

Following my first data-breach as a kid, my solution to making and remembering unique passwords was to enter familiar names into the Wu-Tang Name Generator. But what if I told you there was a better way!

My advice moving into 2020: instead of trying to remember all of your passwords, try forgetting them instead with a password manager!

The way that password managers work is similar to how a browser’s auto-fill works. When logging in to an account, you type in your username & password just once, then your password manager securely stores and remembers them. Next time you log in, the password manager will take care of the grunt-work and log in for you.

The only password you still need to remember is your master key for the password manager itself.

You’re probably thinking that this doesn’t sound safe, but in exchange for this easy login tool, good password managers bulk up the security on the master login. Oftentimes you’re required to know your master key, supply a two-factor authentication code, and authorise the device that you’re logging in from.

In exchange for that hassle, you don’t need to write down or remember any of your other passwords.

Further to being an easy and safe solution to remembering passwords, password managers also enable some huge security benefits:

  • Allows for unique passwords: Where you’re currently limited by the number of unique passwords that a human brain can remember (or that your desk can fit on sticky-notes), a password manager has a computer-brain and can remember a few more. This means more unique passwords and fewer memory games.
  • Allows for stronger passwords: Most password managers will automatically suggest long, random passwords for you. Instead of using common, easily cracked passwords like donald or password123, a manager enables the use of strong passwords like “t3cH^1©4l j4r30n” without ever needing to type or remember them!
  • Easy use of two-factor: IBM estimates that over 80% of cyber-attacks in the last decade could have been prevented with two-factor authentication and strong passwords. Modern password managers both facilitate stronger passwords and, in many cases, can store and generate the two-factor codes for your accounts. In short, this means that any login or hack attempted against your account(s) needs not only the password, but also the second factor you set up as well.

Some password managers I’d recommend are LastPass, 1Password (my preferred choice), and the updated Google Password Manager with two-factor enabled.

Moving into 2020, free up some of that precious brainpower and let a password manager do all that pesky remembering for you!

Author: Leonard Bernardone

Preparing for Black Friday Sales

Another year, another “Black Friday crowds rampaging through Walmart” YouTube compilation for me to relax to while doing my online Christmas shopping! But for those of us who prefer to shop online and avoid the probability of being trampled to bits over a discounted microwave, there are still some big risks to consider.

Australians are seeing some of the largest damages from online scams to date, with reported losses of over $4 million in 2019 (a staggering $700k increase on 2018’s total losses). The number of Australians who shop online has been increasing every year, with the national average going up a further 20% in 2018, and cybercriminals are increasing their efforts accordingly.

We recommend sharing these seven safety tips in the office to close out the week, especially for the colleague browsing 20+ tabs in search of the best deals:

  1. Don’t open PDF catalogues in emails. How many infected attachments does it take to cause a ransomware outbreak? Just one! Any deals or offers should be in the email itself, not hidden in a risky PDF.
  2. Watch out for fake websites in emails. If an email convinces you to shop at a particular store, dodge the risk of a scam link and search for the store directly instead of clicking through from the email.
  3. Watch out for gift card scams. Gift cards are consistently the most popular item on wish lists, and scammers will often ask for payment via gift cards themselves. Don’t get stuck laundering money by mistake, or purchasing a dead card.
  4. Keep your money off public Wi-Fi. The thing about public Wi-Fi is… it’s public. You don’t know who else is on that network watching traffic, or whether the hotspot is even the genuine one. Switch to mobile data or wait until you’re home or at the office.
  5. Check out using safe payment gateways. Have you seen the scams where a fake card reader (a skimmer) is fitted to an ATM to steal card details? Lately, criminals have been doing the same thing on website checkouts: they plant code on the checkout page to intercept your order and steal your card data, a tactic called e-skimming. Always check for https, but remember that https only tells you the connection is encrypted, not that the shop is legitimate or its checkout page uninfected; paying through a service like PayPal keeps your card number off the merchant’s page altogether.
  6. Switch to credit, or limit your spending account. If you must use a debit card, make sure it has a limited spend-per-day and transaction alerts set up with your bank.
  7. Classic advice: Don’t click popups. If an offer sounds too good to be true, it is. Hit that beautiful x button and move on.

Did we get them all? What? “No” you say? Well, please leave a comment below! Let us know what you’ll be doing to stay safe online this Black Friday/Cyber Monday. 

Have a scam-free weekend people! 

Hackers capitalise on COVID-19: Exploiting the sudden boom of at-home workers

The immediate and rapid migration from our workplaces to the household has greatly expanded the cybercrime landscape:

Cyber-criminals across the globe are tailoring their efforts to remote workers and developing new scams designed specifically to exploit individuals during this vulnerable time.

As we leave the office and migrate to our respective homes, we need to take a step back and consider a few things:

  1. We’re taking our office with us: not just the pens and pencils, but our sensitive company data and system logins. Assets that we as individuals need to keep safe during the transition to working from home.
  2. In doing this, we’re simultaneously leaving behind one of the biggest benefits of working in the office: security.

Amidst the endless news-cycle of COVID-19, we’re seeing constant public safety warnings extending not only for our hygiene and physical wellbeing, but also our mental health, socialisation, and cybersafety.

The Australian Cyber Security Centre (ACSC) and countless other government bodies are warning of the surge in online risks and vulnerabilities that COVID-19 has introduced.

All of a sudden, we’re incurring dangers of network security, access control, data management and a whole slew of cyber-security necessities that the majority of us have never had to consider before.

For cyber-criminals, this is an opportunity to profit and exploit like never before. To put it into an analogy, it’s as if all of the shopfronts in the world had unanimously removed their locks and taken their inventories out onto the streets.

Countless workplaces have just had their security scattered to employee households with little-to-no central safety measures. To ensure that both staff and the organisation at large are operating safely during these changing times, there are two key factors that every business needs to account for:

  1. Network security: This means a centralised standard of VPN, secure Wi-Fi and access control to any data and systems of the organisations when accessed remotely

This is typically performed by a dedicated I.T. team, member of staff or service provider. In the event that you haven’t already arranged this, I’d recommend moving fast to get ahead of the demand.

Already companies such as Cisco Systems Inc have seen a 1000% increase in demand for support services that cater to work-from-home security setups. Ensure that all members of your team are working from home under company networks and a secure connection.

  2. An individual understanding of risk and cyber safety: While working from home, you’ll find yourself facing a whole range of new cyber-threats and scams specifically designed to capitalise on individual mistakes. From opening the wrong email to clicking the wrong link, we’re all at risk of exposing corporate data from our own household if we aren’t careful.

You can expect to see scams that play on concerns surrounding COVID-19, especially on matters of personal safety and job security.

Already, cyber-criminals are disguising keyloggers, other malware and credential-theft pages as urgent warnings or health tips pertaining to COVID-19. (You can report and read about these scams via the Scamwatch website)

This is common practice for scammers: Finding a hot topic of public concern or vulnerability and using it to exploit those in distress for a profit. Even as recently as the Australian Bushfire Crisis, scams were quickly tallied by Scamwatch to be in the hundreds, some with damages in the thousands. (Further reading & advice regarding Australian Bushfire Scams can be found via the ACCC)

Considering COVID-19 is a global crisis and a pandemic without modern precedent, expect to see plenty of scams. Make sure to operate with both caution and a hefty grain of salt. We’re all surrounded by a lot of information at the moment, a lot of it bad news. We’re inundated and the majority of us are feeling overwhelmed. It’s especially important during this time, in which we may not be processing things at our usual standard, that we take a step back and reconsider what we’re looking at online.

It’s especially easy at the moment to click the wrong link or open the wrong email by mistake. To avoid falling into a malicious or compromising situation, slow down while you’re checking your emails and try your best to stay mindful while you navigate through your work-day.

In addition to staying aware of the current scams surrounding COVID-19, you can further protect yourself by keeping work devices and home devices separate. We recommend that you both refrain from doing work on personal systems and keep your personal accounts logged off of your work-devices to prevent cross-contamination of potential threats between work and home.

Finally, here’s a quick-guide image to follow for some work-from-home essentials:

For more information on staying safe at home and protecting your corporate data, we’ve developed an awareness program tailor-made to working from home: https://portal.cyberaware.com/remote

Is Your Business Set For The New Mandatory Data Breach Notification Laws?

New mandatory data breach notification laws take effect in Australia on 22 February 2018. This legislation seeks to protect consumers’ personal information: it requires that public agencies and private organisations report all eligible data breaches to the affected individuals and to the Privacy Commissioner. An eligible data breach occurs when there is unauthorised access to, disclosure or loss of personal information held by an agency or organisation, which is likely to cause serious harm to those individuals. As yet, there is no definite measure of serious harm. However, we may consider serious harm to include physical, financial and reputational damage, as well as adverse emotional or psychological impact.

This mandatory notification applies to all public and private entities that are governed by the existing Privacy Act, which includes organisations that have an annual turnover exceeding $3 million. Mandatory reporting also applies to those companies that make under $3 million and are in the business of handling personally identifiable information (PII) such as names, social security numbers, personal contact and credit information, as well as health and financial records. If an organisation is related to another that is governed by the Privacy Act, then that organisation is also subject to the mandatory data breach notification requirement.

Current State of Preparedness

Although the Privacy Amendment (Notifiable Data Breaches) Bill of 2016 had established the upcoming mandatory reporting requirement, there is some unpreparedness among organisations, especially small businesses. According to a recent survey, 44% of Australian businesses reported that they were not ready for the mandatory notification requirements. This may have resulted from a mistaken belief that small firms would not be subject to the new legislation. It may also be the case that information security has long been viewed as the domain of IT professionals, and so sufficient attention has not been directed to this aspect of business operations. However, given our growing digital economy and increasing cyber threats, it is becoming clear that the usual risk management framework must now also consider the mitigation of cyber risks.

The Process of Mandatory Data Breach Notification

If an organisation suspects that it may have been subject to unauthorised access, disclosure or loss of personal information, that may cause serious harm to any of its stakeholders, then it has 30 days to investigate and conclude whether or not an eligible data breach occurred. However it may not be prudent to wait an entire month before deciding on the eligibility of a data breach. The factors to consider when an organisation needs to determine if an eligible data breach has occurred include:

·      the type and sensitivity of the information in question;

·      whether or not steps were taken to protect the information (for example, data encryption)

·      how likely it is for the protection measure to be breached (such as the encryption being cracked) and the information revealed;

·      the scope of the potential serious harm to affected individuals; and

·      any other relevant factors.

In the case of an eligible data breach, the company must prepare a formal statement for the Privacy Commissioner and each of the affected parties. This statement must include details on the nature of the data breach, and the remedial actions to protect those adversely affected. In cases where it may not be possible to inform every affected individual, then the statement must be published on the company’s website. We recommend that legal counsel be obtained in the unfortunate event of a data breach, so that the organisation can be sure that all aspects of the mandatory notification requirement are met.

Non-Compliance Consequences

Failure to report eligible data breaches will be costly in several ways. The Privacy Commissioner is empowered to apply fines in cases of non-compliance with the mandatory notification requirement. Individuals (such as sole traders and general partners) may face fines of up to $360,000, while corporate organisations may have to pay fines up to $1.8 million.

However the consequences of non-compliance not only originate from the Privacy Commissioner. The Privacy Act enables an individual to make a representative complaint (on behalf of several affected parties) directly to the Privacy Commissioner. There is also the possibility of class actions being initiated in the wake of a data breach. Another pressing concern is the loss of consumer and investor trust. This goodwill is vital for a company’s success, and non-compliance may be perceived as a lack of trustworthiness, which may then have greater adverse effects on the organisation in question.

Compliance Matters

We recommend a two-pronged approach of both prevention and corrective measures to ensure full compliance with the new mandatory data breach notification law.

Prevention Measures

The mandatory notification requirement means that organisations need to establish robust information security systems, or review their existing systems in light of this new legislation. Information security covers all the policies and procedures governing the collection, storage and retrieval of personal data. However, companies will need to do more than merely install commercial security software. The latest data-stealing malware is being delivered via email, which means that users at all levels of an organisation need to be trained to navigate and actively support the information security framework. Small businesses may need to outsource certain security needs to IT vendors. It is therefore also important that all vendors are employing current cyber security practices and are ready to quickly comply with any requests for updates and formal reports.

Corrective Measures

In the event of an eligible data breach, it is useful to have a set of templates and procedures on hand. It is vital to have a detailed incident response plan which includes an organisation’s breach assessment criteria, templates to notify affected parties and the Privacy Commissioner, and procedures to implement remedial measures. We recommend that any incident response plan be tested with all members of an organisation and external vendors, so that each person is aware of their role in responding to any possible data breaches. We further recommend that all organisations obtain legal counsel to ensure that all elements of the mandatory notification requirement are conducted appropriately.

The mandatory data breach notification law will definitely alter the way in which businesses operate within Australia. Other countries such as the USA, Germany, Canada and the UK already have such legislation in place, so successful adaptation to these new requirements has already proven possible. We urge all Australian organisations to become familiar with their new legal obligations and to access all of the available resources and services, for both information security and notification support.

Beware of Real Estate Hacking Attacks

Hacking attempts are not just a problem for large corporations. Unfortunately, cybercriminals are equal opportunists, a fact which has been corroborated by the recent real estate hacks. The Australian real estate industry is valued at approximately $14 billion, which makes it a tempting target for these criminals.

Consumer Affairs Victoria reported that a few of the state’s homebuyers were victimised in an email scam and lost over $200,000. The buyers said that they received emails containing contracts of sale and trust account details for the payment of their deposits. This first email was then followed by another, which told the hapless buyers that there was an error in the original email and that they should deposit their funds in an alternate account. The criminals had compromised the real estate agents’ email accounts and used the second round of emails to divert the funds to their own bank accounts.

Unfortunately a similar case of virtual fraud occurred in the real estate sector last May. The Real Estate Institute of New South Wales reported that a real estate agency’s online bank account was hacked and $757,000 was siphoned away in a series of transfers.

There are significant losses associated with such cyber hacks. Simon Cohen, Director of Consumer Affairs Victoria, advises that persons purchasing their homes do their due diligence before making deposit payments. He recommends that buyers beware of emails that give different banking information. In fact, it is always best for buyers to call their real estate agents, on a number they already have rather than one taken from the suspicious email, to verify all payment details before transferring any funds. Any individual or business that discovers that payment was made to an incorrect account should contact their financial institution immediately. Furthermore, real estate agencies are encouraged to regularly review and secure all online systems, including enabling two-factor authentication on email accounts, to rebuff hacking attacks. If you become a victim of cybercrime, we recommend that you make a formal report to the Australian Cybercrime Online Reporting Network.

We all operate in a globally connected world and face increasing threats, so it is prudent to adopt sound cybersecurity practices to protect ourselves and our assets.

How much could ‘Free Wi-Fi’ be costing you?

We all appreciate having an Internet connection when we are away from our home or office. People on limited data plans in particular like being able to save their data allowance by using free Wi-Fi, and free public Wi-Fi is now commonly available throughout most Australian cities as a result of renewed investment in this area. Greater accessibility is welcome, but public Wi-Fi is often unsecured, which exposes consumers’ personally identifiable information (PII) and banking credentials to a range of threats.

A number of news outlets have run experiments showing how easily a criminal can use public Wi-Fi to hijack mobile devices and harvest personal and financial information. In each case the unwitting participants were astonished at how easy it was to lure them onto a rogue Wi-Fi network, and at how much of their confidential information was exposed once they had joined it.

Last year McAfee surveyed 1200 Australians, 42 percent of whom said they believed their personal information was as safe on Wi-Fi while on holiday as it was at home or at work. Compounding this, 62 percent of respondents indicated that they either did not know or did not care whether they were using a secure Wi-Fi connection.

A related survey by Symantec found that 83 percent of Australians have used public Wi-Fi to log into their email accounts, share media online and even check their bank balances. The prevalence of Wi-Fi in retail spaces has also encouraged consumers to access their financial accounts over unsecured networks.

A study led by Dr. Ian McShane at RMIT University corroborates this trend. The most used public Wi-Fi networks were those provided by restaurants and cafes, followed by shopping centres and hotels, and then parks and city squares. Approximately 10 million Australians have used public Wi-Fi networks, with 2 million conducting financial transactions and one million performing work-related tasks such as accessing email and sharing files on them. According to McShane, Australia ranks sixth internationally as a target for cyber attacks. Public Wi-Fi is a popular venue for criminal activity, so appropriate care must be taken when using any such network.

It is not only adults who need to be careful on public Wi-Fi. Many children have their own mobile devices, or frequent access to family devices, which generally means they are using Wi-Fi too. Children should be supervised whenever they use the Internet, and older children should be taught safe Wi-Fi habits. According to Alex Merton-McCann, McAfee cybersecurity blogger, it is important to manage children’s Wi-Fi use, especially when on holiday.

The careless use of public Wi-Fi can be very costly. In December 2017 a diner lost $155,000 worth of Bitcoin after logging into his Bitcoin account over a restaurant’s unsecured public Wi-Fi to check his balance. The criminals moved the stolen funds to an account that could not be traced back to them. The mechanism is simple: on an unencrypted network, anyone on the same network, or anyone running a rogue access point, can read or tamper with any traffic that is not itself protected by TLS, which is how a login performed there can be captured. Companies in Japan and South Korea have also suffered significant losses after criminals hijacked digital currency accounts, and the same exposure extends to payment cards and other online payment methods.

According to Dr. Mark Gregory of RMIT University, the rollout of widespread public Wi-Fi in Australia means that government, industry and consumer agencies should run awareness campaigns on public Wi-Fi security. Merton-McCann’s advice is to avoid public Wi-Fi altogether where personal or banking information is concerned. Since cutting public Wi-Fi use to zero is rarely practical, the compromise is never to access personal or banking accounts while on these networks. Where you must use them, a Virtual Private Network (VPN) encrypts all of your traffic before it leaves the device, so the network operator and anyone else on it see only the encrypted tunnel (you are then trusting the VPN provider instead of the cafe), and sticking to sites and services that operate under HTTPS protects each connection end to end. Treat any certificate warning on a public network as a sign of interception rather than an annoyance to click through: in practice a rogue access point can only read your HTTPS traffic if you accept its forged certificate.
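The rogue networks used in the news experiments above usually work by copying the name of a legitimate network (an “evil twin”) and often by broadcasting it without encryption at a stronger signal. Those two traits are visible in an ordinary Wi-Fi scan before you join anything. The Python below is an added example written for this article, not code from McAfee, Symantec or RMIT; the scan results are constructed (the SSIDs and BSSIDs are made up, and an empty security string stands for an open network), and the rules are heuristics that should prompt suspicion, not proof that a network is hostile.

```python
from collections import Counter, defaultdict

# Constructed scan results for this example, not a real survey. The fields
# loosely mirror what `nmcli -f SSID,BSSID,SECURITY,SIGNAL dev wifi` prints;
# here an empty "security" string means the network has no encryption.
SAMPLE_SCAN = [
    {"ssid": "CafeGuest", "bssid": "A4:2B:8C:11:22:33", "security": "WPA2", "signal": 70},
    {"ssid": "CafeGuest", "bssid": "A4:2B:8C:11:22:34", "security": "WPA2", "signal": 55},
    {"ssid": "CafeGuest", "bssid": "DE:AD:BE:EF:00:01", "security": "", "signal": 90},
    {"ssid": "Mall_Free", "bssid": "5C:0E:8B:44:55:66", "security": "", "signal": 60},
    {"ssid": "HomeNet", "bssid": "C0:FF:EE:77:88:99", "security": "WPA3", "signal": 40},
]

# WEP has been broken for years and is treated the same as no encryption.
UNENCRYPTED = {"OPEN", "WEP"}


def _sec(row):
    """Normalise the security field so an open network reads as 'OPEN'."""
    return row["security"] or "OPEN"


def assess_ssid(rows):
    """Assess every access point that advertises one SSID.

    Returns (findings, verdict) where verdict is 'avoid',
    'vpn-and-https-only' or 'encrypted'."""
    findings = []
    counts = Counter(_sec(r) for r in rows)
    majority, _ = counts.most_common(1)[0]

    if counts.keys() & UNENCRYPTED:
        findings.append(
            "no link encryption: anyone in range can read or alter non-TLS traffic"
        )

    if len(counts) > 1:
        # One network name advertised with two different security settings
        # is the classic evil-twin pattern: a rogue AP copying a real SSID.
        odd = [r for r in rows if _sec(r) != majority]
        strongest = max(rows, key=lambda r: r["signal"])
        for r in odd:
            msg = (f"possible evil twin: {r['bssid']} advertises {_sec(r)} "
                   f"while {counts[majority]} AP(s) use {majority}")
            if r is strongest:
                # A rogue AP parked next to its victims tends to win on signal.
                msg += "; it is also the strongest signal, typical of a nearby rogue AP"
            findings.append(msg)
        return findings, "avoid"

    if majority in UNENCRYPTED:
        return findings, "vpn-and-https-only"
    return findings, "encrypted"


def assess_scan(scan):
    """Group a scan by SSID and assess each network name."""
    by_ssid = defaultdict(list)
    for row in scan:
        by_ssid[row["ssid"]].append(row)
    return {ssid: assess_ssid(rows) for ssid, rows in by_ssid.items()}


if __name__ == "__main__":
    for ssid, (findings, verdict) in assess_scan(SAMPLE_SCAN).items():
        print(f"{ssid}: {verdict}")
        for f in findings:
            print("  -", f)
```

On the constructed scan, “CafeGuest” is marked avoid: two access points use WPA2 but a third, with the strongest signal, advertises the same name with no encryption. “Mall_Free” is simply open, so the verdict is to use it only behind a VPN and for HTTPS sites, and the WPA3 home network passes. Several access points sharing one SSID and one security setting is normal for a venue with more than one AP and is not flagged on its own.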

What everybody really needs to know… about Cyber Security and Australian Banks

The recent Mandatory Breach Notification legislation has pushed cybersecurity to the forefront of national dialogue, and the Australian Prudential Regulation Authority (APRA) has warned banks, insurers and superannuation funds to be alert to the risk of cyber attacks.

The Australian banking industry reported a cash profit of $31.5 billion for 2017, a 6.4% increase on 2016. Add to this the nation’s $2.6 trillion superannuation pool and the vast number of customers who bank online every day, and it is easy to see why the industry and its customers are prime targets for cybercriminals.

APRA executive board member Geoff Summerhayes has said that a major data breach at an Australian financial institution is “probably inevitable” and could even threaten that institution’s survival. A number of financial institutions have yet to think through how they would handle such an attack, even though the resulting disruption and costs are certain to be significant.

According to Summerhayes, cybercrime is a growing and lucrative industry. Institutions have been slow to adapt to rapidly evolving cyber crime, and criminals are reaping huge rewards with very little prospect of being caught.

APRA regards cyber risk as a significant prudential threat to financial organisations. Large institutions that invest heavily in their own cybersecurity reduce the risk that an attack does enough damage to put them out of business.

APRA’s surveys show, however, that while awareness of cyber risk is growing, improvements are still needed. Some companies have documented incident response plans, but those plans have not been exercised and have not been incorporated into the organisation’s wider disaster recovery framework. An untested plan is little more than a document: a live incident is the worst possible time to discover that the contact list is stale or that a backup has never actually been restored.

In light of this, APRA has released its first prudential standard on information security, which sets minimum requirements for how the sector manages cyber risk. Financial institutions will be required to test their cyber defences regularly, implement strong detection capabilities, and make senior staff accountable for cybersecurity. According to Summerhayes, these measures will strengthen the banking sector, reduce the likelihood of successful attacks, protect Australians’ confidential information and support national stability.
