How much could ‘Free Wi-Fi’ be costing you?

We can all appreciate the availability of an Internet connection when we are away from our home or office connectivity. Some people are on limited data plans, so they welcome the chance to save their data by using free Wi-Fi. Free public Wi-Fi is now commonly available throughout most Australian cities as a result of renewed investment in this area. While it is good to have greater accessibility, public Wi-Fi is often unsecured, which makes it fraught with multiple threats to the security of consumers’ personally identifiable information (PII) and banking credentials.

A number of news outlets have conducted experiments to show how easy it is for cybercriminals to access personal and financial information by using public Wi-Fi to hijack mobile devices. In each case, the unwitting participants in the exercise are astonished at how easy it was to convince them to sign on to the rogue Wi-Fi networks and the extent of the exposure of their confidential information.

Last year McAfee conducted a survey of 1200 Australians, of which 42 percent said that they believed that their personal information was as safe when they connected to Wi-Fi while on vacation as when they were at home or at work. This is compounded by the fact that 62 percent of these respondents also indicated that they either did not know or did not care if they were using a secure Wi-Fi connection.

A related survey by Symantec found that 83 percent of Australians have used public Wi-Fi to log into their email accounts, share media online and even check their bank balances. The prevalence of Wi-Fi connectivity in retail spaces has also influenced consumers to access their financial accounts on unsecured Wi-Fi networks.

A study conducted by lead researcher Dr. Ian McShane at the RMIT University corroborates this trend. The most used public Wi-Fi networks were provided by restaurants and cafes, followed by shopping centres and hotels, and then parks and city squares. Approximately 10 million Australians have accessed public Wi-Fi networks, with 2 million persons conducting financial transactions, and one million performing work-related duties such as accessing emails and sharing files on these networks. According to McShane, Australia ranks as the sixth highest on an international scale for cyber attacks. Public Wi-Fi is also a popular hotspot for criminal activity, so appropriate care must be taken when accessing any such networks.

It is also not enough for adults to be careful when using public Wi-Fi. A lot of children have their own mobile devices (or frequent access to family devices), which generally means that they are accessing Wi-Fi as well. This means that children need to be monitored whenever they are using the Internet, and older children must also be educated about safe Wi-Fi use. According to Alex Merton-McCann, McAfee cybersecurity blogger, it is important to manage Wi-Fi use among children, especially when vacationing.

The inappropriate use of public Wi-Fi can be very costly. In December 2017, a diner lost $155,000 worth of Bitcoin when he used a restaurant’s unsecured public Wi-Fi. The man had logged into his Bitcoin account at the restaurant to check his account balance. The cybercriminals moved the stolen funds to an untraceable account. Companies located in Japan and South Korea have also suffered significant financial losses as a result of cyber criminals hijacking digital currency accounts. The vulnerability of these digital currency accounts also extends to payment cards and other online payment vehicles.

According to Dr. Mark Gregory of RMIT University, the implementation of widespread public Wi-Fi in Australia means that government, industry and consumer agencies should develop awareness campaigns on the matter of public Wi-Fi security. Merton-McCann emphasised that it is best to avoid public Wi-Fi to ensure personal and banking information security. Admittedly, it can be difficult to reduce public Wi-Fi use to zero, so as a compromise, consumers should never access personal and banking accounts while using these networks. Public Wi-Fi security can be improved through the use of Virtual Private Networks (VPNs) and also by ensuring that websites and services accessed operate under HTTPS.

What everybody really needs to know… about Cyber Security and Australian Banks

The recent Mandatory Breach Notification legislation has brought the issue of cybersecurity to the forefront of national dialogue. The Australian Prudential Regulation Authority (APRA) asked banks, insurers and superannuation funds to be aware of the risks of cyber attacks.

The Australian banking industry reported a cash profit of $31.5 billion for 2017 and a 6.4% growth rate relative to 2016. It is also important to take into account our nation’s $2.6 trillion superannuation pool, as well as the vast numbers of customers who conduct daily online banking activities. Understandably these facts render the industry, and its customers, as prime targets for cybercriminals.

APRA’s executive board member Geoff Summerhayes indicated that a major data breach at any Australian financial institution is “probably inevitable”, and could even adversely impact the longevity of that institution. Unfortunately, a number of financial institutions have yet to fully consider how they would handle an online attack, which would be guaranteed to generate significant and costly risks.

According to Summerhayes, cybercrime is a growing and lucrative industry. In the face of the relatively slower adaptation of institutions to the reality of rapidly evolving cyber crime, virtual criminals are reaping huge benefits with very little prospect of being apprehended.

The APRA believes that cyber risk is a significant prudential threat to financial organisations. Large corporations that invest heavily in their own cybersecurity have a reduced risk of an attack resulting in sufficient damage to put them out of business.

However, APRA surveys showed that while there was an increasing awareness of cyber risks, improvements still need to be made. While some companies may have documented incident response policies to counter any possible virtual attack, these plans have not been tested and incorporated into their overall disaster recovery framework.

In light of these circumstances, the APRA has revealed its first prudential standard on information security, which will set the minimum requirements for the sector to manage cyber risks. Financial institutions will be required to conduct regular testing of their cyber defences, implement strong detection systems, and delegate senior staff members to be in charge of cybersecurity. According to Summerhayes, these preventative measures will strengthen the banking sector, reduce the likelihood of successful virtual attacks, secure Australians’ confidential information and support national stability.

Cybercrime – The Human Element Beyond IT

Cybercrime is on the rise. Not only are rates of cybercrime increasing but its breadth and depth have reached a level of sophistication that is disproportionate to our defences. It has now become a well-organised operation perpetrated by highly skilled professionals with the capability to undermine organisations large and small.

The American based Target Corporation was the object of one particularly damaging case of cybercrime. In December 2013, Target publicised that the credit card details of 40 million customers had been the subject of cyber theft; and an additional 70 million customers had personal information including their names, addresses, email addresses and phone numbers stolen.

Closer to home, organisations are regularly scanned for weaknesses in their defences as the sophistication of cybercrime evolves, with harmful malware having the capacity to sit unnoticed for weeks before an actual theft takes place.

The very real problem we now face is that organisations are not necessarily able to compete with this new level of sophistication. Moreover, the risk of cyber attack has always been viewed as a function of IT, and responses to cyber threats have been handled as such.

But the IT security function alone is not adequate to safeguard against this new, sophisticated cyber threat. In order to build a strong defence, organisations must look beyond the IT-based nature of conventional cyber crime and understand the contribution that humans often make to cyber breaches.

Organisations have become extremely savvy at building robust firewalls that are able to block just about any potential threat; however, these defences are redundant if the organisation has not been able to predict what may be planned against it. It is critical that organisations maintain a channel into the cyber community networks where potential attacks are being plotted; in this way they will be armed with information about where their potential weaknesses are as a business.

In order to stay ahead of the cyber criminals, organisations need to acknowledge that it is people who commit crimes, not computers, and that unfortunately it can be people from within organisations who are complicit in these crimes. Cyber criminals are able to infiltrate at any point of weakness, which can often mean exploiting the vulnerabilities of staff or someone close to the organisation who is able to access, test and deploy malware into the system.

The Three Lines of Defence model is the ideal way to mitigate risk across an organisation. The first line of protective controls includes building a strong firewall to secure the network. This line of defence acts as the gatekeeper of the traffic which may or may not pass through. The second line of defence revolves around watching out for external threats, such as analysing conversations in chatrooms and engaging in network vulnerability tests. Lastly, measures must be taken to protect the organisation from internal threats. This may include conducting background checks of staff and ensuring that sensitive information is only available to a select few.

The Three Lines of Defence model is a great start to circumventing any potential cyber threat. However this can only take an organisation so far, as the unpredictable nature of the human condition can ultimately leave an organisation vulnerable to cyber threat, especially in the current environment where threats may emanate from within and outside of the organisation.

Cyber Security – the insider threat

Generally when we think of online hackers, we think of faceless perpetrators whose intention is to scam us out of our hard earned money in one swift malicious attack.

But what if the actual threat of cybercrime is right in front of you, in plain sight?

Organisations of all sizes are at risk of cyber threat from within their own organisation. While companies spend a considerable amount of time and energy on evading external cyber threats, experts have argued that more than 60% of attacks are coming from within the walls of a business.

Many of these attacks have been intentional; however, there have been cases where attacks have been committed inadvertently. This can happen when staff become careless with data or accidentally undermine a company’s secure IT systems.

One local case of an internal threat was at fashion brand Showpo, whose customers were reporting that they’d been contacted by its competitor. Information began to surface implicating an internal source who had obtained personal information and shared it with the competitor.

A UK analysis of insider cyber threat cases found that the motivators behind internal attacks are usually centered around financial gain and revenge.

With the rise in internal cyber threats, the Federal Attorney General’s department has overhauled its ‘Managing the insider threat to your business’ publication which aims to educate managers on how to best navigate their approach to internal cyber security. They suggest implementing sound recruitment procedures which include thorough checks of new staff and tighter security controls on internal access to data.

Experts suggest that it’s important for organisations to be equally vigilant towards internal and external cyber threats, and that there are many ways to do this, including monitoring staff behaviour, directing funding and educating employees.

The rise of phishing attacks

A recent study by Tripwire has found that more than half of all security professionals surveyed had noticed a rise in phishing attacks at their organisation in the past 12 months. Alarmingly, the survey also uncovered that these professionals believed that their company was ill-equipped to protect themselves against these scams.

It comes as no surprise that the increase of phishing attacks is one of the most significant cyber security threats to organisations today. Therefore it’s imperative to arm all staff and board members with the knowledge to identify these scams in order to protect our company data.

The following list outlines 6 common phishing attacks:

1. Deceptive Phishing

This is the most popular phishing scam used. It occurs when cyber criminals pretend to be a legitimate company with the aim of stealing an individual’s personal information. These emails often use threats to get what they want. Be wary of generic greetings or requests for information that the sender should already have. Errors in syntax and spelling are often a giveaway that you’ve been targeted in a deceptive phishing attack.

2. Spear Phishing

Spear phishing is a more personalised version of deceptive phishing. For example, criminals will customise their scam email with the recipient’s name, position, organisation or even phone number, in an attempt to hoodwink the target into believing that they have an established relationship. In much the same way as deceptive phishing, the aim of this scam is to trick the recipient into clicking on a malicious link, thus exposing their personal data.

3. CEO Fraud

In this scenario, the criminals will impersonate an executive’s email address and use it to request payments and transfers from others within the organisation.

4. Pharming

This new type of phishing scam involves exploiting the Internet’s Domain Name System (DNS), which converts website names to IP addresses. In this type of attack the criminal targets a DNS server and alters the IP address in order to redirect victims to a malicious website, even if the victims entered the correct website name originally.

5. Dropbox Phishing

Some phishers customise their scam emails to mimic a company or service such as Dropbox. In this scenario a victim is sent a realistic-looking email claiming to come from Dropbox and requesting that the user click on a link, which then installs malware onto their computer.

6. Google Docs Phishing

Just like Dropbox phishing, the criminals use the Google brand to lull victims into a false sense of security in order to harvest their personal details. A message is sent to a user to view a document on Google Docs, and whilst the landing page is on Google Drive, when the victim’s personal credentials are entered they go straight to the criminal.

Smaller companies now more vulnerable to cyber attack

When we hear about cyber hacking crimes, the target of the attack is usually a large corporation or household name; however hackers are increasingly targeting smaller corporations, particularly those of less than $1 billion in revenue.

A recent survey by Nationwide and Advisen uncovered that since 2012 the average target company size had decreased by 28%; alarmingly, figures from the same survey indicate that malicious data breaches rose by 40% between 2015 and 2016.

According to a subsequent survey by Beazley Breach Response (BBR) Services, financial organisations of less than $35 million in revenue were targeted more aggressively by hackers when compared to larger institutions. BBR cites the reason smaller companies are targeted is because they are simply more vulnerable. BBR says, “hackers are increasingly targeting smaller financial institutions with less robust data security systems and personnel than larger banks.”

Such is the global scale of cyber hacking that it has even garnered the attention of the G20. In a statement obtained by Reuters, the world’s largest economies vowed to collaborate in their fight against cyber attacks on the banking industry, saying, “we will promote the resilience of financial services and institutions in G20 jurisdictions against malicious use of information and communication technologies, including from countries outside the G20.”

The light shone on cyber attacks by the G20 highlights the changing nature of businesses vulnerable to cyber attack and consequently, that the industry is ill-prepared to deal with such attacks. In order to protect themselves financial institutions should be aware that cyber threats are often indiscriminate and inherent in various sources including unencrypted data, new and unsecured technologies, and unsecured mobile banking.

To ascertain your vulnerability, take our survey or give us a call for a confidential discussion.

Cyber Security – It’s Easier Than You Think

Nowadays, a common problem that most businesses will face is understanding how they can protect themselves from cyber attack and whose responsibility this is.

“Don’t make the mistake of thinking of [cybersecurity] as a technology thing. It’s not,” says Adam Moseley, MD of Schwab Business Consulting and Education at Charles Schwab. Moseley follows by warning, “it is no longer a matter of if, but when, you’re going to be compromised.”

Much of the best advice points out that organisations should adopt the same defence practices as consumers in order to protect themselves against attack.

Moseley explains that these practices should spring from smarter cyber behaviour and better education: “I don’t think there’s a single greater threat to your organizations outside of email…we don’t hesitate to click a link, to open an attachment,” he said; especially when we consider that most malicious links and ransomware are delivered via scam emails.

Moseley says that the most prudent organisations will engage a provider to test staff behaviour and provide education around safer cyber practices. He goes on to say that it’s beneficial to rethink behaviour around the simple things like passwords and emails and that cyber security must start with the individual.

Common cyber-security openings, weaknesses and behavioural issues can be resolved with better education. There are many easy and accessible habits that we can all engage in to help protect ourselves.

For example:

  • Call email senders to test legitimacy of suspicious comms
  • Keep sensitive data out of emails
  • Pick longer passwords (hackers will find these harder to penetrate)
  • Implement two-factor authentication where available

Addressing cyber security in the workplace doesn’t need to be a daunting exercise. There are many more simple and easily adopted behaviours that will help to protect us all from harmful cyber attack. Call us to find out how we can help you and your business with educational resources, or to set up a meeting for further discussion.

Legal Consequences for Businesses – Cyber Security

The danger of a cyber security breach lies not only in the breach itself but in its significant legal ramifications. It’s just a matter of time before Australian courts are faced with a cyber security class action, especially considering that the number of cyber security attacks is on the rise.

A recent class action in the U.S. brought against credit reporting agency Equifax highlights the legal implications for organisations that do not have the appropriate security controls in place. The action alleges that Equifax was negligent in protecting the individuals whose data it held because it did not maintain adequate safeguards against unlawful access (which it knew could result in a substantial data breach).

The minimum criteria for a class action in Australia is a group of seven complainants who have a related claim that gives rise to a common issue. In a scenario where a number of people have had their data leaked in the same cyber security attack, like that in the Equifax example, these minimum requirements would likely be met. The difference in the amounts lost or circumstances of the transactions is irrelevant.

ASIC has reported that at least 80% of organisations anticipate a rise in cyber threat over the next 12 months, and that risk should also be the responsibility of the individuals and companies who entrust their information to providers. However, with cyber security threats rising, the legal fraternity’s expectation of those tasked with the responsibility of protecting individuals against these risks is also increasing; and no company is immune – the risk of a cyber attack touches every organisation that collects or maintains confidential property.

Essentially, as cyber attacks increase it is expected that momentum will build in favour of financial compensation for individuals that suffer as a result of such attacks. Even with the best intentions, or a belief that your company is secure, outdated security measures may leave your organisation open not only to security breaches but to considerable litigation.

Cyber security risk is now an enterprise wide issue that necessitates strategic execution. Today’s leaders will be expected to justify the security defences they pull together to protect their organisations from liabilities that cyber hacks can expose them to.

Actively manage your cyber security risk by taking our survey to measure your vulnerability.

2017 Australian Cyber Security Centre (ACSC) Threat Report

Last month the Minister Assisting the Prime Minister for Cyber Security, Dan Tehan MP, released the 2017 Australian Cyber Security Centre (ACSC) Threat Report. This report outlines the types of threats and trends now emerging within the Australian cyber landscape.

Mr Tehan says, “…cyber security is not just the business of national security, but something that must become second nature to all Australians. Cyber security is not just the domain of our intelligence agencies or our defence forces [it’s]… as relevant for mums and dads, small business owners and local communities, to keep their data, their money and their identities secure.”

As we know, the nature of cybercrime is fast evolving, and its impact is not only damaging but far reaching. Mr Tehan says, “over the past year, we have seen increased targeting of trusted third parties, particularly service providers. These companies are highly attractive targets as they can provide access into a range of primary targets.”

Cyber criminals employ a range of tactics to infiltrate our data, with ransomware being a popular means of extortion. This type of crime gives cyber criminals access to a large amount of data from a broad range of victims. As we can see, it’s not only large corporates who are vulnerable.

Mr Tehan says ransomware is used to take advantage of known weaknesses in our cyber defences and that we need to be on the front foot when it comes to cyber security, saying “backing up data and proven data restoration processes are vital to mitigate data being encrypted, corrupted or deleted by ransomware.”

Read the 2017 Australian Cyber Security Centre Threat Report.

AFP traffic infringement scam

A recent email scam targeting road users has highlighted the case for stronger education around what constitutes good e-mail practice in today’s corporate landscape.

This latest email was sent with AFP branding and alerts the recipient that they have been issued with a traffic infringement notice.

Whilst convincing, on closer inspection small nuances serve as clues that this email scam is far from legitimate. For example, the email had not been personally addressed, the fine listed includes cents and the letter A after the dollar sign, and it lacks any detail about your number plate or the actual offence.

Over recent weeks there have been numerous other scams that play on this ‘notice’ theme, all of which are particularly destructive, as the attachments in these scam emails, if downloaded, can infiltrate your computer and steal your credentials.

A scam email such as this should not be viewed in isolation; this is just one of many potentially damaging scenarios in which someone can be attacked through email. More robust education of staff and board members will better equip them to properly identify phishing scams and malware attempts, which is a must for any organisation’s risk mitigation strategy.
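As an added illustration (not tooling from the original post, the AFP or any vendor named here), the following Python turns the clues listed for this scam and the “generic greeting” and “threats” clues under Deceptive Phishing above into a triage check run over two constructed sample emails; the sender addresses, URL, plate format and offence keywords are assumptions chosen for the example.

```python
"""Heuristic email triage for the phishing indicators described on this page.

Added example, not the page's own tooling. Sample messages are constructed;
the plate and offence patterns are assumptions chosen for illustration.
"""
import re
from email import message_from_string

# Greeting not addressed to a named person ("generic greetings", "not personally addressed").
GENERIC_GREETING = re.compile(
    r"^\s*(dear\s+(customer|user|sir|madam|sir/madam|road\s+user|recipient|member)|hello|hi)\b",
    re.IGNORECASE,
)
# Pressure language of the kind the page describes as "threats to get what they want".
PRESSURE = re.compile(
    r"\b(immediately|urgent|final notice|legal action|suspend\w*|within\s+\d+\s+(?:hours?|days?))\b",
    re.IGNORECASE,
)
# The "$A151.20" style amount the page calls out: letter A after the dollar sign, with cents.
ODD_AMOUNT = re.compile(r"\$A\s?\d+\.\d{2}")
# A plate-like token (assumed format: three letters then three digits) and an offence description.
PLATE = re.compile(r"\b[A-Z]{3}[- ]?\d{3}\b")
OFFENCE = re.compile(r"\b(offence|speed(?:ing)?|red light|parking)\b", re.IGNORECASE)


def infringement_indicators(raw: str) -> dict:
    """Map each indicator from the page to True when it is present in the message."""
    msg = message_from_string(raw)
    body = msg.get_payload()  # samples are single-part text; multipart would need msg.walk()
    first_line = next((ln for ln in body.splitlines() if ln.strip()), "")
    return {
        "generic_greeting": bool(GENERIC_GREETING.match(first_line)),
        "pressure_language": bool(PRESSURE.search(body)),
        "odd_amount_format": bool(ODD_AMOUNT.search(body)),
        "no_plate_reference": PLATE.search(body) is None,
        "no_offence_detail": OFFENCE.search(body) is None,
    }


def risk_score(raw: str) -> int:
    """Number of indicators present; 0 means none of the page's red flags fired."""
    return sum(infringement_indicators(raw).values())


# Constructed sample resembling the scam described above (sender and URL are placeholders).
SCAM_EMAIL = (
    "From: AFP Infringements <notices@example.invalid>\n"
    "Subject: Traffic infringement notice\n"
    "\n"
    "Dear Road User,\n"
    "\n"
    "The Australian Federal Police has issued you a traffic infringement notice.\n"
    "Amount due: $A151.20\n"
    "Pay within 48 hours or legal action will be taken.\n"
    "Download your notice: https://example.invalid/notice\n"
)

# Constructed sample of what a properly addressed notice would contain (assumed content).
ADDRESSED_EMAIL = (
    "From: Infringements <notices@example.invalid>\n"
    "Subject: Infringement notice 12345678\n"
    "\n"
    "Dear Ms Example,\n"
    "\n"
    "Infringement notice 12345678 for vehicle ABC-123.\n"
    "Offence: exceed speed limit by less than 10 km/h.\n"
    "Amount: $151.00\n"
    "Due date: 30 June.\n"
)

if __name__ == "__main__":
    for name, raw in (("scam", SCAM_EMAIL), ("addressed", ADDRESSED_EMAIL)):
        print(name, risk_score(raw), infringement_indicators(raw))
```

A score above zero is a prompt for a person to check the sender by another channel, as the page advises, not a verdict on its own.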
