Yesterday, hundreds of thousands of Queensland businesses and homes were put at risk when the email account of the CEO of a major Queensland industry group was compromised in a cyber attack.
Yesterday, Stephen Tait, CEO of the Chamber of Commerce & Industry of Queensland (CCIQ), was advised that he was the victim of a phishing attack. Phishing email messages, websites and phone calls are designed to steal money or data. Cybercriminals do this by installing malicious software on your computer, or by stealing personal information from it, after luring you to click a link in an email that appears to come from a well-known and trusted source. The incidence of these scams has increased rapidly over the past couple of years, with reported scam emails purporting to come from the Qld Government, FedEx, Australia Post, Commonwealth Bank, Woolworths, Ikea and many more. The common pattern is a cybercriminal impersonating a trustworthy source and sending a link or attachment for the victim to open.
Cybercrime is an issue which affects many Australians. As Australia’s reliance on technology grows, the cost and incidence of cybercrime is expected to increase. And whilst cyber security remains the top priority for many Australian businesses, it is still just that: merely a priority sitting on an agenda with no real progress, as management put their heads in the sand.
The Financial Review last week published an article warning boards that directors who ignore the risks of data breaches and cyber security expose themselves to lawsuits from shareholders.
Jamie Wilson of YDF says, “today boards need to place increased emphasis on digital security. Digital security today is what financial literacy was 20 years ago, a must for each board member and not just the responsibility of the Financial Controller or Finance Committees. This is now true of our digital landscape and our cyber security, it is not enough to leave this in the hands of our IT departments or our cyber security departments, every board member and CEO must be knowledgeable about the different forms of cyber security and be able to answer basic questions about an organisation’s security”.
CCIQ is not the first Australian business to be the victim of a cyber attack, nor will it be the last. But according to its website, CCIQ represents over 400,000 Queensland small and medium sized businesses, putting those businesses directly at risk.
At 4.56pm Stephen Tait tweeted “Well, my firstname.lastname@example.org account has been hacked. So don’t open anything from me with an attachment. And no need to let me know – my phone has gone nuts all morning – I’m onto it.” That is not, by any means, a robust communications plan for addressing a significant risk to over 400,000 businesses.
Starting 22 February 2018, organisations with obligations under the Australian Privacy Act 1988 will be required to comply with the Notifiable Data Breaches (NDB) scheme. The NDB scheme requires organisations to notify individuals affected by a data breach that is likely to result in serious harm. There is also the requirement to notify the Australian Information Commissioner, the head of the Office of the Australian Information Commissioner (OAIC). Where it is uncertain whether a data breach is likely to result in serious harm, there is an obligation to conduct an assessment of the breach.
Unfortunately, our privacy acts are still reactive, and not proactive enough to get our boards and management actually doing something to prevent cyber crime. In the United Kingdom, harsher penalties for businesses that experience a data breach have been introduced, and this has resulted in significant action across all industry sectors.
Ciaran Martin, CEO of the National Cyber Security Centre (UK), addressing the growing threats within cyber space at The Times Tech Summit, said “we (CEOs) need to think about attacks that do damage to individual corporations and people’s confidence in the digital economy. …as CTOs and as technology leaders and CIOs, we can channel your experiences into practical advice.”
Jamie Wilson, CEO of Your Digital File, says it’s important that management take action as soon as possible. “Whilst we have a new legislative requirement to notify of breaches, this is more about delivering trust to our customers, our employees and our partners. We need to be proactive about security to ensure we are safeguarding our database, our employee records and our customer records. Organisations need to have a communications plan in place to ensure that we are doing everything in our power to inform the public of risks and to provide them with the necessary steps to protect themselves. It’s about being trustworthy and honest but overall it’s our responsibility to keep each other safe from harm.”
YDF recommendations for Cyber Security Breaches:
1. Take steps to make sure the risk of cyber attacks is low – once it happens it is too late, and you have already put everyone at risk.
- Store information in an encrypted location
- Don’t use the same password for every account
- Use a password manager such as 1Password to generate and store a unique password for each account, and change a password immediately whenever you suspect it has been exposed (rotating passwords on a fixed schedule adds little if each one is already unique and strong).
- Take the steps to educate your staff on safe digital practices
2. In the event that there is a security risk/breach be honest and open with the people that could be affected:
- Never be dismissive about a notification from friends or colleagues about a potential threat coming from your email
- Assess the risk and give people a clear call to action – download, update, delete or otherwise.
- Be quick to notify all staff, customers and partners, and anyone else on your database who could be affected. Thank people for bringing it to your attention, as we all need to work together.
- Establish a communication channel – a dedicated email address or phone number – to assist people who might have an issue. Ensure that all of your social media accounts and websites issue a warning and a call to action.
3. Start communicating and sharing important and critical data on an encrypted platform.
4. Take steps to make sure it does not happen again. Get in some security experts to go over how you use your data, where you store it and how you share it.
Take the CEO test
As a CEO or director of your organisation, can you answer the following questions?
1. Can you operate your own security features or do you get somebody else to do it for you?
2. If someone spear-phished you as a CEO or an executive, what would they get? What data would they have access to? If you had an insider threat – and you may, from a disgruntled employee – what will they have access to?
3. What did your last pen test tell you? That is a fairly straightforward question, but the answer is often not. People tell us about the test they ran on their own employees with fake phishing emails and how many people clicked on the links: “It was 55% last year and it’s 25% this year – isn’t that great progress?” It could be, but it depends who those 25% are. If they include your system administrators, the headline improvement doesn’t matter, because one privileged click is enough. Which people clicked on the link? These are the questions we should be encouraging directors to ask.
4. What did your last anomaly detection report tell you? What did it tell you about what attackers were doing, and did you know what they were doing?
5. If something does happen, how are you going to cope with it? What is your incident management plan? Who are you going to put in front of the media to tell people, authoritatively, what you do and don’t know?
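Question 3 above turns on who clicked, not on the headline percentage. As an added illustration of that distinction (example code written for this page, not code from CCIQ, YDF or any phishing-simulation product), the following Python script scores a constructed phishing-simulation result set by role and flags clicks by privileged users; the user names, roles and the set of "privileged" roles are all assumptions made for the example.

```python
"""Score a phishing-simulation campaign by who clicked, not just how many.

Added example for this article. The campaign data and the role
classification below are constructed for illustration.
"""
from collections import defaultdict

# Constructed sample: one row per simulated phishing email sent.
# "clicked": the recipient followed the link.
# "submitted": the recipient then typed credentials into the landing page.
SAMPLE_RESULTS = [
    {"user": "alice", "role": "sales",     "clicked": False, "submitted": False},
    {"user": "bob",   "role": "sales",     "clicked": True,  "submitted": False},
    {"user": "carol", "role": "finance",   "clicked": False, "submitted": False},
    {"user": "dave",  "role": "finance",   "clicked": False, "submitted": False},
    {"user": "erin",  "role": "sysadmin",  "clicked": True,  "submitted": True},
    {"user": "frank", "role": "sysadmin",  "clicked": False, "submitted": False},
    {"user": "grace", "role": "executive", "clicked": False, "submitted": False},
    {"user": "heidi", "role": "marketing", "clicked": False, "submitted": False},
]

# Assumed: roles whose credentials give an attacker disproportionate reach.
PRIVILEGED_ROLES = {"sysadmin", "executive", "finance"}


def click_rate(results):
    """Headline metric: fraction of recipients who clicked (0.0 if no data)."""
    if not results:
        return 0.0
    return sum(1 for r in results if r["clicked"]) / len(results)


def click_rate_by_role(results):
    """Break the headline number down per business role."""
    sent = defaultdict(int)
    clicked = defaultdict(int)
    for r in results:
        sent[r["role"]] += 1
        if r["clicked"]:
            clicked[r["role"]] += 1
    return {role: clicked[role] / sent[role] for role in sent}


def privileged_clickers(results, privileged_roles=PRIVILEGED_ROLES):
    """The board-level question: did anyone with broad access click?"""
    return sorted(r["user"] for r in results
                  if r["clicked"] and r["role"] in privileged_roles)


def credential_submitters(results):
    """Worse than a click: recipients who handed over a password."""
    return sorted(r["user"] for r in results if r["submitted"])


def campaign_acceptable(results, previous_rate, privileged_roles=PRIVILEGED_ROLES):
    """Judge the campaign the way the article suggests a director should.

    A falling click rate is not enough on its own; any privileged click or
    any submitted credential makes the result unacceptable regardless.
    Returns (verdict, reason).
    """
    rate = click_rate(results)
    priv = privileged_clickers(results, privileged_roles)
    subs = credential_submitters(results)
    if subs:
        return False, f"credentials submitted by: {', '.join(subs)}"
    if priv:
        return False, f"privileged users clicked: {', '.join(priv)}"
    if rate >= previous_rate:
        return False, f"click rate {rate:.0%} did not improve on {previous_rate:.0%}"
    return True, f"click rate fell from {previous_rate:.0%} to {rate:.0%}"


def report(results, previous_rate, privileged_roles=PRIVILEGED_ROLES):
    """Print a short campaign summary and return it as a dict."""
    summary = {
        "overall_click_rate": click_rate(results),
        "by_role": click_rate_by_role(results),
        "privileged_clickers": privileged_clickers(results, privileged_roles),
        "credential_submitters": credential_submitters(results),
        "verdict": campaign_acceptable(results, previous_rate, privileged_roles),
    }
    print(f"Overall click rate: {summary['overall_click_rate']:.0%}")
    for role, rate in sorted(summary["by_role"].items()):
        print(f"  {role:<10} {rate:.0%}")
    print("Privileged clickers:", summary["privileged_clickers"] or "none")
    print("Credential submitters:", summary["credential_submitters"] or "none")
    ok, reason = summary["verdict"]
    print("Acceptable:", ok, "-", reason)
    return summary


if __name__ == "__main__":
    # The constructed data reproduces the article's scenario: the headline
    # rate fell from 55% to 25%, yet a system administrator still clicked.
    report(SAMPLE_RESULTS, previous_rate=0.55)
```

Run against the sample, the overall rate is 25%, which looks like progress on 55%, but the per-role breakdown shows the two clicks came from sales and from a system administrator who also submitted credentials, so the campaign verdict is not acceptable. Feeding the script a real campaign export requires only mapping its columns onto the four fields above.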
“Cyber crimes are happening more frequently and cyber criminals are using more sophisticated methods and tools especially ones using social engineering techniques to fly under our radar. Unfortunately, as individuals we tend to have practices and procedures that put ourselves and others at risk. We tend to trust emails from people we know. We make assumptions about attached documents that fit the profile of the communications we have with each sender instead of second-guessing whether an attachment was expected.
If we click on links in emails without a second thought we are putting not only our own data at risk but the data of any individual stored on our phone or our computers. When using a business email account or when exchanging email about sensitive topics, we have a responsibility to assess the risk that a cyber attack may be in progress.
Cyber security is a joint responsibility on behalf of corporations and their individual members. It only takes one lapse in concentration to potentially bring the whole company to its knees; so stay vigilant and double-check your choices with a security expert if you aren’t sure about something.”
At Your Digital File, we prioritise cyber security because we care so much about the digital future globally. We do this by providing a world-class platform for people to store and share their digital assets. Your digital assets include anything that is private, confidential, identifiable and critical to your personal and business life.
Your Digital File is a world-class cloud-based platform which allows the secure storage, sharing and signing of digital documents. Your Digital File is committed to providing secure solutions to support a safe digital future.
For more information please contact: Carolyn.Grant@yourdigitalfile.com