On Monday, 28 February 2022, AIC Vic was lucky enough to have Jane Forsythe, Assistant Director with the Cyber Security Outreach team at the Department of Home Affairs, present a webinar to members on ‘Cyber Security Threats Faced by Businesses’. The presentation by Jane was engaging and provided some interesting cybercrime case studies as well as tips and advice for implementing protective cybercrime measures in the workplace.
The Cyber Security Outreach team connects small to medium businesses with cyber security advice and information to enable them to operate securely online. The team works closely with the Australian Cyber Security Centre (ACSC), which leads the Australian Government efforts to improve cyber security across the Australian economy.
The ACSC received over 67,500 cybercrime reports over the last financial year – or one every eight minutes. This is an increase of nearly 13 per cent from the previous year and is largely attributed to Australians working remotely during the pandemic. Further, medium-sized businesses incurred the highest average financial loss due to cybercrime, which was on average $33,400 per breach.
Last week, an ASIC alert was issued, urgently encouraging Australian organisations to strengthen their cyber security position given the developing situation in the Ukraine. We encourage all members to review their cybersecurity measures and determine whether changes and improvements are needed.
Cybercriminals and the Property Sector
If you missed the session or would like a recap, here are Jane’s most important takeaways for Conveyancing Businesses:
- Cybercriminals are targeting the property and real estate sector to conduct business email compromise (BEC).
- They gain access to emails and impersonate parties to a property transaction (e.g., Conveyancers), inserting illegitimate bank details for settlement or rental payments. Victims assume this is legitimate and unknowingly send payments to the cybercriminal’s account.
- AIC Vic has received firsthand accounts of our members being targeted by cybercriminals in this way.
How to protect your Business
- Complete your due diligence & think critically.
- If you receive an email asking you to transfer funds to a new account:
  - Do not transfer any funds before you have taken steps to ensure the email is legitimate.
  - Contact the party sending the email by telephone and confirm that the bank details are correct. Call them on the telephone number you would usually contact them on. Do not use a new or unfamiliar phone number that might be included in the body of a suspicious email.
  - Check the sender’s email. Is it the same email that you normally receive emails from? Or is it slightly different?
- Train your employees to think critically like you and be able to identify suspicious emails.
- Use MFA or Multi Factor Authentication.
  - MFA is one of the most effective ways to protect against unauthorised access to your valuable information and accounts. This is because multiple pieces of information are required before a cybercriminal can gain access to your account, which makes it harder for cybercriminals to hack in.
- Replace passwords with passphrases.
  - For example, a password would be ‘Password1’, whilst a passphrase is something like ‘crystalonionclaypretzel’.
  - A passphrase is at least 14 characters long and contains a random mix of unpredictable words.
  - Don’t use the same passphrase across multiple accounts. However, you can mix the words in your passphrase around to change it up.
- Turn on automatic software updates.
  - These updates provide improved versions of your software (programs, apps and operating systems) and protect from ‘new software bugs’ which are constantly being found.
- Back up devices to an external, disconnected hard drive.
  - A backup is a digital copy of your Business’s most important information.
  - USB and Cloud are some examples of backup devices. You can also set up automatic backups.
  - By backing up devices, if your Business does become a victim of cybercrime, you will still have access to important information to allow the Business to continue operating.
- Avoid sharing ‘personally identifiable information’ online.
  - Examples would be date of birth, place of birth, address and phone number.
- Prepare your response to a cyberattack and have an ‘Incident Response Plan’.
  - ACSC has developed a guide and template which you can access here.
- Subscribe to the ACSC alert service and become an ACSC Business Partner.
  - You will then receive a subscription to the ACSC Alert Service and timely information to assist in keeping your systems and networks safe.
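For businesses with IT support, the ‘check the sender’s email’ step above can be partly automated. The following is an added example, not part of Jane’s presentation or ACSC material; the address book, the function names and the two-character threshold are assumptions made for illustration.

```python
from email.utils import parseaddr

# Constructed sample address book: addresses the business normally deals with.
KNOWN_CONTACTS = {
    "settlements@examplelaw.com.au",
    "jo@example-conveyancing.com.au",
}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character inserts, deletes, substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def skeleton(addr: str) -> str:
    """Fold characters commonly swapped in lookalike addresses (rn/m, 0/o, 1/l)."""
    return addr.replace("rn", "m").translate(str.maketrans("01", "ol"))

def classify_sender(from_header: str, known=KNOWN_CONTACTS, max_dist: int = 2):
    """Return ('known' | 'lookalike' | 'unknown', closest known address or None)."""
    addr = parseaddr(from_header)[1].strip().lower()
    if addr in known:
        return "known", addr
    for contact in sorted(known):
        # 'Slightly different' from a usual contact is the warning sign.
        if (skeleton(addr) == skeleton(contact)
                or edit_distance(addr, contact) <= max_dist):
            return "lookalike", contact
    return "unknown", None

if __name__ == "__main__":
    for sender in ("Jo <jo@example-conveyancing.com.au>",
                   "Jo <jo@exampIe-conveyancing.com.au>",   # capital I for l
                   "settlements@examp1elaw.com.au",          # digit 1 for l
                   "news@unrelated.example"):
        print(sender, "->", classify_sender(sender))
```

A ‘known’ result only means the address matches a usual contact. Because cybercriminals also gain access to genuine mailboxes, the telephone confirmation of bank details still applies.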
Resources & Hotline
There is an ACSC Cyber Security Hotline which can be accessed by calling 1300 CYBER1 or 1300 292371. The hotline is free for all Australians to access cyber security advice and assistance.
Here are some ACSC resources shared by Jane to get your business on the right track:
- gov.au/learn/resources-library
- COVID-19: Cyber security tips when working from home | Cyber.gov.au
- Remote access scams | Cyber.gov.au
- COVID-19 Protecting Your Small Business | Cyber.gov.au
- Wi-Fi – private and public | Cyber.gov.au
- Securing your business tools | Cyber.gov.au
- Small Business Cyber Security Guide | Cyber.gov.au
- Detecting Socially Engineered Messages | Cyber.gov.au
Conclusion
When faced with a potential cyberattack, a few simple extra steps can be the difference between being the target and becoming the victim. Becoming the victim has potential repercussions for your clients and your business so it’s important to understand the cybercrime risks and have a plan in place to protect your business.
ACSC encourages all businesses to report attempted and actual cybercrime to them via the ACSC website. This is important so that ACSC can better understand the impact of cybercrime on the economy and so that resources can be appropriately directed.
Cassandra Piacentini
Membership and Programs Manager