Digital360 on 25 July 2017

The rise of cyber crime is a new challenge for Australian SMEs

Cyber crime costs the Australian economy at least $1 billion each year. As our lives and businesses become more intertwined with the online world, the financial and personal stakes of being a victim of cyber crime have also increased.

These days, most of us are aware of common attacks such as email and phishing scams. But the sophistication of these attacks is increasing. For instance, earlier this year a widespread phishing scam impersonating a Google Docs request spread so quickly it required Google to intervene directly.

Even if you are not the target of a scam, the online services you use can be compromised. For example, data from LinkedIn, including 117 million emails and passwords, was leaked online in 2016. Due to the prevalence of password reuse across online services, security breaches of this scale can have a wide-ranging impact.

The rise of ransomware

This year, however, has been the year of ransomware – a type of malware that steals or locks the victim's data. Two attacks, dubbed WannaCry and Petya, have gained particular notoriety. The attacks swept the globe in May and June, causing large scale disruption and chaos.

In Australia, two large companies, TNT and Mondelez International, were severely affected. Cadbury's factory in Hobart was shut down while TNT struggled to keep pace with orders and invoicing. In TNT's case, the attack resulted in the permanent loss of critical business data.

[Image: Hobart factory] The highly automated factory ceased production following the ransomware attack. Photo courtesy of ABC News: Scott Ross


The consequences of these attacks are beyond mere inconvenience. They represent a real business cost. In 2016, a report by PwC found that 65 per cent of Australian organisations experienced cyber crime in the previous 24 months. More than one in 10 reported losses of over $1 million.

Many Australian businesses are vulnerable to these threats. According to the PwC report, only 42 per cent of Australian organisations have an operational incident response plan when it comes to cyber crime. Just 40 per cent described their first responders as fully trained.

What are the common hacks for Australian SMEs?

Attacks on large enterprises such as Mondelez and TNT capture the headlines. But it's smaller businesses that make up the long tail of cyber crime victims, with approximately 85 per cent of scammers first making contact via email or phone. In other words, it's not large scale attacks like WannaCry or Petya that are doing the most damage.

The ACCC found that ransomware is one of the most significant scams, along with false billing and overpayment. And the data suggests that scams are on the rise. The ACCC's Scamwatch program found reported business scams were up more than 30 per cent in 2016.

The problem is bigger than most realise. According to Deputy Chair of the ACCC Dr Schaper, the frequency of attacks is likely to be underestimated. Because smaller businesses are often willing to pay hackers rather than risk losing data, they are less likely to inform authorities about an attack.

"They think it's too much trouble to report, or it will get back to their insurers who will hit them with higher premiums," Dr Schaper told the ABC.

Assistant Cyber Security Minister Dan Tehan also suspects the problem is widely underreported. Speaking with The Australian Financial Review, Mr Tehan said, "Our recommendation is not to pay the criminals but ultimately that's up to the business owner".

What is the government doing to protect smaller business?

At a Council of Small Business Australia (COSBOA) forum in May, the Reserve Bank's cyber security chief Andrew Pade observed the changing tactics of cyber criminals. Mr Pade said that cyber criminals are switching their focus to smaller targets.

"Just like you have your car serviced every year, that's what small businesses need to do with cyber security," Mr Pade told the forum.

Chairman Paul Nielsen also said one in five small businesses experienced a cyber extortion attack last year. Not only that, experts are suggesting this figure is likely to increase.

The government has recognised the rising threat of digital attacks and cyber crime. As part of this focus, specific measures have been rolled out to train and protect small business from new digital threats, including $15 million for the Council of Registered Ethical Security Testers (CREST).

The government's plan is to give small businesses access to cyber security tests by accredited providers, helping them take more responsibility for their cyber security. The plan also includes grants to assist businesses in getting security tested. These measures are expected to be rolled out over 2017 and 2018.

[Image: cyber attack] A Cadbury computer under ransomware attack. Photo courtesy of Leon Compton (Twitter)

What steps should businesses take to improve cyber security?

While there are costs to increasing digital security, small businesses should consider it as seriously as physical security systems. Digital assets are increasingly as important as physical ones.

"We know small businesses are often reluctant to upgrade their systems; it's expensive and time consuming," ACCC chair Michael Schaper told the ABC. "However, financial loss and the loss of data can just kill a small business."


There are inexpensive ways to protect a business. Updating computer systems with security patches is one of the most cost effective ways to keep threats at bay. Unfortunately, despite the ease of this measure, Australians are ignoring critical security updates.

Research published by Flexera Software is startling. About 9.9 per cent of Australian PC users had unpatched Windows operating systems in the first quarter of 2017, a significant rise from 5.9 per cent in 2016.

"Frankly, if you wait two months to apply a critical Microsoft patch, you're doing something wrong," says Kasper Lindgaard, the Senior Director of Secunia Research. Speaking to The Financial Review about the latest ransomware attacks, Lindgaard says that businesses need to take more responsibility for digital threats.

"Businesses need to wake up and start taking these types of threats and risks seriously. There is simply no excuse."

Both WannaCry and Petya exploited a known vulnerability in Windows. Although Microsoft had released a critical update months before the attacks, hundreds of thousands of unpatched computers remained vulnerable. This allowed the malware to spread quickly around the globe.

Dan Tehan, the Minister Assisting the Prime Minister for Cyber Security, said the latest ransomware attacks should act as a “wake-up call” to all Australian businesses.

“All businesses should immediately update their Windows operating system with the latest security patches and there are instructions on the Australian Cyber Security Centre website to do this,” he said in a statement to the Herald Sun.

Quick tips to protect your business online

  • Update software frequently – Software companies regularly release updates with security patches. Keeping computers up to date removes an attacker's ability to exploit known loopholes.
  • Avoid password duplication – Eliminate password reuse and regularly update company passwords. Enterprise password managers help organisations manage a unique, strong password for each of their online services.
  • Perform regular data backups – Ransomware scammers rely on the information they steal or lock being valuable to the business. With regular backups, lost or encrypted data can be recovered without payment to the scammers.
  • Do not click on or reply to suspicious emails – Phishing scammers will often imitate large, well-known organisations. Remember that utility companies and government organisations such as the ATO will not ask you to transfer money to personal bank accounts.
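A backup only protects against ransomware if it can actually be restored, so the backup tip above is worth pairing with a restore test. The following Python script is an added example written for this article; it is not code from Digital360 or from any of the organisations mentioned, and the file names and contents it uses are constructed sample data. It creates a compressed backup of a folder together with a manifest of SHA-256 hashes, restores the archive into a scratch directory and confirms every file comes back byte-for-byte identical, then compares the live folder against the manifest so that files overwritten in place (as an encrypting ransomware would do) are reported by name.

```python
"""Back up a folder with a SHA-256 manifest, prove it restores intact, and
detect files that have since been altered in place (e.g. by ransomware)."""
from __future__ import annotations

import hashlib
import json
import os
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in 64 KiB chunks so large files do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(source: Path) -> dict[str, str]:
    """Map every file under `source` (relative, '/'-separated) to its SHA-256."""
    return {
        str(path.relative_to(source)).replace(os.sep, "/"): sha256_file(path)
        for path in sorted(source.rglob("*"))
        if path.is_file()
    }


def create_backup(source: Path, archive: Path) -> dict[str, str]:
    """Write a .tar.gz of `source` and a JSON manifest beside it; return the manifest."""
    manifest = build_manifest(source)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname="data")
    manifest_path = archive.with_name(archive.name + ".sha256.json")
    manifest_path.write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return manifest


def verify_restore(archive: Path, manifest: dict[str, str]) -> list[str]:
    """Restore the archive into a scratch directory and return the relative paths
    that are missing or whose hash differs from the manifest (empty list = good)."""
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            try:
                # The 'data' filter refuses absolute paths and '..' members,
                # so a tampered archive cannot write outside the scratch directory.
                tar.extractall(scratch, filter="data")
            except TypeError:  # Python builds without the extraction-filter API
                tar.extractall(scratch)
        restored = build_manifest(Path(scratch) / "data")
    return sorted(rel for rel, digest in manifest.items() if restored.get(rel) != digest)


def find_changed(source: Path, manifest: dict[str, str]) -> list[str]:
    """Compare the live folder with the manifest taken at backup time; files that
    now differ or are missing are candidates for encryption or deletion."""
    current = build_manifest(source)
    return sorted(rel for rel, digest in manifest.items() if current.get(rel) != digest)


def run_demo() -> dict:
    """Constructed scenario: back up three files, verify the restore, then overwrite
    one working file the way an encryptor would and show it is detected."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        source = root / "invoices"
        (source / "notes").mkdir(parents=True)
        (source / "2017-05.csv").write_text("id,amount\n1,100.00\n")          # constructed
        (source / "2017-06.csv").write_text("id,amount\n2,250.00\n")          # constructed
        (source / "notes" / "readme.txt").write_text("constructed sample data\n")
        archive = root / "invoices.tar.gz"

        manifest = create_backup(source, archive)
        restore_ok = verify_restore(archive, manifest) == []

        # Simulate in-place encryption of a working file: the name stays, the bytes change.
        (source / "2017-06.csv").write_bytes(os.urandom(64))
        changed = find_changed(source, manifest)

        # The archive itself was never touched, so it still restores cleanly.
        restore_still_ok = verify_restore(archive, manifest) == []
        return {
            "files": len(manifest),
            "restore_ok": restore_ok,
            "changed": changed,
            "restore_still_ok": restore_still_ok,
        }


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

In practice the archive and manifest would be copied somewhere the workstation cannot overwrite (offline media or a separate account), because a backup that sits on the same machine is encrypted along with everything else; the manifest comparison in `find_changed` is what tells you which files were hit and which backup to restore from.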

For more tips on protecting your business online, refer to the Australian government’s Stay Smart Online website for business. Digital360 is an official partner of Stay Smart Online.