The Phishing Season is Open in Australia - Is your Business Prepared ?

Cyber security, Data Breaches, Email Phishing Scams, compromised and stolen credentials – these are the new buzz words of the modern era.

They are also words that should frighten business operators that are not prepared.

Most people have probably received a phishing email or scam of some description. The way we all do business in the modern world now has changed and with increased mobility, it has become common place to share and collaborate with peers, send links and ask people to reply to emails or click on attachments or “log in” to access and download documents. Unfortunately, there are elements of society that are maliciously seeking to capitalise on the new mode of business and use these scams to access confidential information, and security credentials like usernames, valid email addresses and passwords. These scams and other related cyber breaches have been an increasing problem for business operators for some time now.

The Notifiable Data Breaches Scheme was introduced in February 2018. Since that time reportable entities have had to notify the Office of the Australian Information Commissioner (OAIC) of breaches where personal information has been compromised that might cause serious harm to the individual. A total of 305 cyber incidents have been notified to the OAIC since the scheme was introduced and some reportable statistics are now becoming available. The OAIC statistics suggest cyber incidents are having a major impact on businesses in terms of compromises to personal information as this is the trigger for notification obligations under the Scheme.

The Statistics Report for the quarter ended 30 June 2018 has now been released. This is the first report for a full quarter and gives us an indication of the type of cyber incidents that are being notified to OAIC.

The latest OAIC statistics suggest Cyber security breaches involving phishing emails and compromised or stolen credentials are the most common breaches that are being reported under the Scheme.

A full copy of the report is available for download on the OAIC website – www.oaic.gov.au.

By way of summary, the report identified the following:

1. There were 242 notifications for the period 1 April 2018 – 30 June 2018.
2. Human error was the cause of 36% of the notifiable incidents.
3. Malicious or criminal attacks accounted for 59% of the notifiable incidents.
4. System faults were notified as the cause for only 5% of the incidents.

The OAIC refers to “cyber incidents” as including phishing emails, malware, ransomware, brute-force attacks, compromised or stolen credentials and hacking by other means.

The statistics suggest that the main source of cyber incidents were caused by or related to compromised or stolen credentials – i.e. usernames and passwords, pin numbers etc.

Compromising credentials through phishing emails (those emails that ask you to click on something or reply to them) accounted for 29% and brute-force attacks accounted for only 14%.

Cybercrime is on the increase across the world and Australia is clearly becoming a target. The Australian Cyber Security Centre (ACSC) Threat Report released in October 2017, identified Cybercrime as a pervasive threat to Australia’s national and economic prosperity as phishing scams and credential harvesting malware threats continue to increase and specifically target Australia.

A full copy of the report is available for download on the Australian Cyber Security Centre website – www.acsc.gov.au

What can we do?

The age old adage that prevention is better than cure still remains true. The takeaway point from the OAIC Report is that many cyber incidents are occurring because of the human vulnerability factor such as clicking on a phishing email or disclosing passwords or pin numbers. The Report is a timely reminder that the weakest link in cyber security might still be the people, not the IT or the systems in place.

Fortunately this is something that most businesses operators have a degree of control over and with appropriate education and training of staff, the front line defence against the cyber security war can be improved.

A media release by the OAIC stated that data breaches can be greatly reduced by:

1. Ensuring staff responsible for handling personal information receive regular training;
2. Implementing strong password protection strategies; and
3. Raising staff awareness about the importance of protecting their passwords and other credentials.

The Australian Cyber Security Centre has prepared a guide that outlines mitigation strategies aimed at protecting credentials which is also available on their website.

In addition to the recommendations by the ACSC, businesses should also consider:

1. Preparing and implementing a strategy to mitigate Cyber Security Incidents.
2. Whether they have a plan to follow when (not if) a cyber incident occurs in their business – is a data breach response plan needed?
3. Whether the business has insurance to cover a cyber security breach and does the policy adequately cover the cost of responding to a cyber incident and potential losses that might arise?
4. Whether the business has a cyber security policy in place, or does it need one?

WRG’s Commercial Solutions team can assist with helping businesses assess their exposure to risks and help them get ready to deal with data breaches and implement strategies to reduce cyber security risks.

Contact our office to make an appointment and find out more about how we might be able to assist your business.