Australian businesses are failing on cybersecurity. What should your business be doing to stay safe? TechBrain investigates.
By Adam Turner
Rather than just taking advantage of the latest security vulnerabilities, most cybersecurity attacks against Australian businesses rely on the same old tricks to sneak past your defences.
Hollywood would have you believe otherwise, but most cybersecurity attacks are perpetrated by “scammers” rather than “hackers”. They view small businesses as soft targets and their methods focus on both technological vulnerabilities and human frailties – using age-old confidence tricks and social engineering techniques to get their hands on your money.
Two of the most common business cybersecurity threats are cryptolocker ransomware attacks and phishing scams, both of which involve scammers tricking your staff into doing their bidding.
Scammers target unsuspecting staff throughout your organisation, which is why cybersecurity must be viewed as a business threat rather than just an IT threat, says Mike Fernando – Technical Manager with Perth-based business IT support provider TechBrain.
“Small businesses aren’t doing enough to recognise that the threat landscape has changed,” Fernando says. “Scammers are no longer satisfied with tricking people into thinking they’ve won the lottery or found true love online; these days scammers are actively targeting small businesses with sophisticated schemes aimed at key staff.”
“Whether they’re trying to fool your people into paying a bogus invoice or simply trick them into opening an infected attachment, it’s the same basic idea – they’re aiming to strike the right person within your organisation who will unwittingly do their dirty work for them.”
Scams are getting more sophisticated
While some scammers are chasing a quick score, others embark on sophisticated multi-stage attacks such as Business Email Compromise scams.
Rather than installing ransomware, an infected email attachment might download a keystroke logger to silently steal passwords and study business behaviours. Armed with this information scammers can wait for the perfect opportunity to send a fake email, seemingly from a senior executive, asking a subordinate to transfer money to an offshore account or hand over sensitive information like customer lists.
A scammer’s patience can pay off; US toy maker Mattel handed over US$3 million to con artists earlier this year, with a Mattel finance executive believing they were following orders from the CEO. Mattel managed to get its money back, but most small business victims aren’t as fortunate.
There’s no magic bullet when it comes to business cybersecurity, TechBrain’s Fernando says. Static endpoint security software is no longer sufficient, and businesses must take a layered approach, such as deploying Unified Threat Management suites, which incorporate firewalls and network intrusion prevention along with gateway-level anti-virus and anti-spam.
Be careful on the cloud
If your business relies on cloud service providers, don’t assume that they’re employing all the latest security measures. For example, Advanced Threat Protection does not come standard with Microsoft Office 365 hosted email.
“Security is like an onion,” Fernando says. “Your trusted IT service provider can help put these layers of defence in place, but you need to ask whether your security policies match your expectations of your security systems.”
“You can put a deadlock on your office door and install a monitored alarm, but these won’t thwart intruders if a fraudster can walk in and bluff their way past reception.”
Security training should instil staff with the skills to spot phishing attempts, along with the confidence to question unusual requests and verify them via other channels. Strict protocols should be in place when it comes to transferring funds, along with procedures for handling security incidents such as a virus outbreak.
Keep in mind that not all attacks come via email. Fake invoices can just as easily arrive via fax or in the post. It’s also easy to drop your guard when you receive a frantic phone call from someone with an urgent request, such as fast-tracking an unexpected money transfer before their boss realises they forgot to put through the paperwork.
It’s tempting to bend the rules for someone who sounds like they’re afraid of losing their job, but are they really playing you for a fool? Sometimes a healthy sense of scepticism and determination to stick with established security protocols are your best line of defence against scammers.