“Estimated global losses from cybercrime are projected to hit just under a record US$1 trillion for 2020 as the coronavirus pandemic provided new opportunities for hackers to target consumers and businesses.” Source: The Washington Post, 7 December 2020.
The Australian Cyber Security Centre received 59,806 cybercrime reports between 1 July 2019 and 30 June 2020, roughly one report every 10 minutes, and the rate has continued to escalate. These are only the reported ones.
These attacks hit everything from small businesses to very large corporations, as the Toll incidents (hacked twice in quick succession) and many others at even larger organisations show. Whole hospital networks have gone down, leaving patients in a precarious position. Government agencies are affected all over the place: look at the Transport NSW security scores. They had to hide some of it because it looked so bad, and after six months to clean things up they still haven’t.
So ransomware and spoofing can hit organisations of all types and sizes, but larger companies and organisations are the usual ransomware targets because they have access to large amounts of money. Payment is usually demanded in Bitcoin.
Spoofing is the most common type of cyber incident we come across, and its purpose is the diversion of funds. Here are some examples of requests for assistance that we have worked on:
- City-based legal firm – someone gave away their username and password. The criminals got in and then looked around for how the money flows. They are patient, because the rewards can be high, and they learn the amounts that move through trust funds. They created a fake payment from the trust fund to the bank. The bank paid the $400k, but the firm got its money back. We found the ANZ branch in SA where the funds were temporarily sitting, but the bank would not hold them, and it became a Federal Police matter.
- Construction industry – a user gave away their username and password. We then noticed strange activity in their 365 tenant, our alerting system came into play, and we were able to cut out the modifications that had been made. When we went back to the user to get them to reset their account, they were going to put in the same old username and password. Had that been allowed, the criminals would have been straight back in, sending fake emails to the firm’s clients telling them to pay into ‘the new’ (fake) bank account.
- Importer/wholesaler – a family importation and wholesale business with a good-sized turnover. They had been dealing with an Asian manufacturer for decades. A ‘man-in-the-middle’ attack, in practice a compromised mailbox: someone was in their system and would have been there for a while. They captured an order for a container load of goods. They held the order, then sent a message to the wholesaler saying that the manufacturer was changing its bank account, which was with the same bank in Malaysia. They then passed the wholesaler’s order on to the Asian manufacturer. The manufacturer filled the container and sent the usual invoice, which was captured and the new banking details added with a graphics package. The goods arrived as usual, and payment was made to the supplier, but to the wrong bank. Then a message appearing to come from the admin manager in Australia went back to the manufacturer saying that the owner had been rushed to hospital: delay, delay, delay, money lost.
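In both the construction and the importer cases the criminal sat inside a Microsoft 365 mailbox and quietly changed how mail flowed: forwarding copies to an outside address, deleting or hiding the supplier’s and bank’s replies so the victim never saw them. Those changes show up in the tenant’s audit log as inbox-rule and mailbox-forwarding operations. The script below is an added example, not the alerting system described above or any Microsoft tool: it runs a simple triage over audit records in a simplified shape of a Microsoft 365 unified audit log export (Operation plus Name/Value Parameters). The sample records, the tenant domain `example.com.au` and the user names are constructed for the example.

```python
import json

# Assumptions for this example: the tenant's own mail domains (anything else is "external")
# and a simplified shape of Microsoft 365 unified audit log records. Adjust ORG_DOMAINS
# to the tenant being monitored.
ORG_DOMAINS = {"example.com.au"}
FORWARD_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
HIDE_FOLDERS = {"RSS Feeds", "RSS Subscriptions", "Archive", "Junk Email", "Deleted Items"}
MONEY_WORDS = {"invoice", "payment", "bank", "remittance", "eft", "account"}

# Constructed sample export (not real log lines): one benign rule, one BEC-style
# forward-and-delete rule, one rule that buries bank mail, and a mailbox-level forward.
SAMPLE_EXPORT = json.dumps([
    {"CreationTime": "2021-08-02T01:12:09", "Operation": "New-InboxRule", "UserId": "pat@example.com.au",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "From", "Value": "news@vendor.example"},
                    {"Name": "MoveToFolder", "Value": "Newsletters"}]},
    {"CreationTime": "2021-08-02T01:40:51", "Operation": "New-InboxRule", "UserId": "kim@example.com.au",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "SubjectContainsWords", "Value": "invoice;payment;remittance"},
                    {"Name": "ForwardTo", "Value": "kim.accounts@gmail.com"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"CreationTime": "2021-08-02T01:41:30", "Operation": "Set-InboxRule", "UserId": "kim@example.com.au",
     "Parameters": [{"Name": "Identity", "Value": "Bank"},
                    {"Name": "SubjectContainsWords", "Value": "bank;account"},
                    {"Name": "MoveToFolder", "Value": "RSS Feeds"},
                    {"Name": "MarkAsRead", "Value": "True"}]},
    {"CreationTime": "2021-08-02T01:45:00", "Operation": "Set-Mailbox", "UserId": "kim@example.com.au",
     "Parameters": [{"Name": "Identity", "Value": "kim"},
                    {"Name": "ForwardingSmtpAddress", "Value": "smtp:kim.accounts@gmail.com"},
                    {"Name": "DeliverToMailboxAndForward", "Value": "True"}]},
])


def record_params(record):
    """Flatten the Name/Value parameter list of one audit record into a dict."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def external_addresses(value):
    """Return the addresses in a ';'-separated list whose domain is not one of ours."""
    out = []
    for addr in value.split(";"):
        addr = addr.strip().lower()
        if addr.startswith("smtp:"):          # Set-Mailbox values carry an smtp: prefix
            addr = addr[5:]
        if "@" in addr and addr.rsplit("@", 1)[1] not in ORG_DOMAINS:
            out.append(addr)
    return out


def assess(record):
    """Return human-readable findings for one record; an empty list means nothing suspicious."""
    op = record.get("Operation")
    p = record_params(record)
    findings = []
    if op in ("New-InboxRule", "Set-InboxRule"):
        for name in FORWARD_PARAMS:
            ext = external_addresses(p.get(name, ""))
            if ext:
                findings.append(f"{name} sends mail outside the organisation: {', '.join(ext)}")
        if p.get("DeleteMessage", "").lower() == "true":
            findings.append("rule deletes matching mail")
        if p.get("MoveToFolder") in HIDE_FOLDERS:
            findings.append(f"rule buries matching mail in '{p['MoveToFolder']}'")
        # Finance keywords on their own are normal; combined with forward/delete/hide they
        # are the classic bank-detail-spoofing setup, so report them only alongside a finding.
        words = {w.strip().lower() for w in p.get("SubjectContainsWords", "").split(";")}
        if findings and words & MONEY_WORDS:
            findings.append(f"rule targets finance keywords: {', '.join(sorted(words & MONEY_WORDS))}")
    elif op == "Set-Mailbox":
        ext = external_addresses(p.get("ForwardingSmtpAddress", ""))
        if ext:
            findings.append(f"mailbox-level forwarding to {', '.join(ext)}")
    return findings


def triage(export_json):
    """Run assess() over an exported audit log; return the records worth an alert, oldest first."""
    hits = []
    for rec in sorted(json.loads(export_json), key=lambda r: r["CreationTime"]):
        findings = assess(rec)
        if findings:
            hits.append({"time": rec["CreationTime"], "user": rec["UserId"],
                         "operation": rec["Operation"], "findings": findings})
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_EXPORT):
        print(f"{hit['time']} {hit['user']} {hit['operation']}")
        for finding in hit["findings"]:
            print("   -", finding)
```

On the constructed sample the benign “Newsletters” rule is ignored and the three operations on `kim@example.com.au` are reported. In a real tenant the same checks are worth running continuously over the audit log, and any hit should trigger the response the construction case shows: remove the rule or forward, revoke sessions, and reset the password to a new one rather than the old one.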
Some other larger Aussie examples:
- NSW Department of Transport – numerous breaches, which they tried to hide once a review was done.
- Channel 9 Media – which includes the AFR, SMH and others – hacked and unproductive for weeks while they resolved the issue.
- Our PM revealed sophisticated attacks on all levels of government, including hospitals, local government and state-owned utilities.
- NSW Dept of Education – hacked just as Term 3 was about to start, which, together with our COVID escalations, has pretty much wiped out Term 3 so far. Chaos in schools.
The message is that the cybercriminals are after money, and they aim to get it in 2 ways:
- Ransomware: they take down your system, and if you don’t pay then bad luck, it does not come back up. There are remedies that can get you back up and running (they take time), yet surprisingly many organisations don’t have them in place.
- Spoofing bank details: refer to the examples above. They get in, and their aim is to divert funds coming to you from your customers.
One of the first major attacks on the internet was the Morris worm or Internet worm of November 2, 1988.
Ransomware and spoofing attacks keep growing and plague Australian businesses and NFPs.
So, what are we going to do about it?
1. Multi-Factor Authentication (MFA) is a must.
My first piece of cyber advice relates to something as basic as the security methods used for accessing corporate computer networks.
We are in favour of MFA as the basis for entry to a corporate computer network. You must be able to receive a code from an authenticator app on your phone, or one texted to you, and enter it into the system so it knows it is you. Only then do you get to log in. Prefer the authenticator app (or a hardware security key) over SMS where you can: SMS codes can be intercepted through SIM-swap fraud, and a code typed into a convincing phishing page can be replayed by the attacker within its validity window, so MFA limits the damage of a given-away password but does not remove the need for the awareness training below.
2. The right 365 (SaaS) subscription for each user.
All your messaging and files are either already in the Cloud or partially in there already. Microsoft 365 and its various subscriptions within this product group are Cloud-based.
Best subscriptions because of security inclusions are:
- Microsoft 365 Business Premium
- Microsoft 365 E5.
The time for saving a few dollars with the lower-level subscriptions is over. You need to protect yourself, and that means 365 subscriptions that include the security features. (SaaS = Software as a Service.)
3. Microsoft is already one of the world’s largest security vendors – US $13B in security revenue at the time of writing
They have various security modules that can be added to a subscription, or that are already included in the higher-level subscriptions such as Microsoft 365 Business Premium (M365BP) or E5.
4. You must have Microsoft 365 SaaS backup.
If your site’s data lives in Microsoft 365 and the tenant is compromised, files can be lost, deleted or stolen (Outlook emails and attachments, SharePoint, OneDrive and so on), and you must be able to recover them. Microsoft’s recycle bins and retention periods are not a backup: they are time-limited, and an attacker with the user’s credentials can empty them too. A separate SaaS backup is a must.
5. Server based backup – out of your office to the cloud
Quite a few clients still have line-of-business applications that are server-based. This data also needs to be encrypted and backed up off-site, in Go Cloud. Servers fail, data gets encrypted if a breach occurs, and data gets lost; all of it must be recoverable. Keep at least one backup copy that the production network cannot overwrite (immutable or offline), because ransomware operators go after any backups they can reach first, and test a restore before you need one.
6. Security Awareness Training (SAT)
People do give away their usernames and passwords inadvertently.
When we introduce SAT to organisations, which includes monthly videos and occasional simulated phishing attacks, we see a dramatic increase in awareness, and over time fewer people fall for the phishing attacks. Phishing is a message that looks legitimate but isn’t, telling you that you need to provide your username and password.
7. Top Grade Firewalls
The number one reason we choose Fortinet is its reputation as a top cybersecurity company, with security solutions for network, endpoint, application, data centre and cloud, and infrastructure designed to work as an integrated solution.
The firewall is the gateway from your office to the internet and it must be secure: keep its firmware current, restrict its management interface to trusted networks, and expose nothing inbound that the business does not need.
8. Do not use the same password you have been using for years on everything.
Commit to changing this now and use a different password for every site, so that one leaked password does not open the rest. Use a password manager, use facial recognition, and use trusted devices, which if set up properly can be your work PC/laptop, iPhone or Android device.
9. Patch Management
Many attacks start with outdated software, so not staying up to date with patches leaves companies open to any number of information security breaches. As soon as attackers learn of a software vulnerability they can exploit it, and organisations that have not updated are left exposed. Patch internet-facing systems and actively exploited vulnerabilities first, and include firmware, browsers and third-party applications, not just the operating system.
10. Outdated hardware
Not all threats to cybersecurity come from software. Hardware that has fallen out of vendor support stops receiving firmware and driver updates and may not support the security features of current operating systems, which creates exposures that put a company’s data at risk. As hardware becomes obsolete, replace it: 3-4 years on laptops and desktops, and 4-5 years on servers with extended warranties.