A recent report from Deloitte shows that Australian institutions face the highest risk of cybercrime in the Asia Pacific region. Ironically, the reason why we are heavily targeted is because our IT infrastructure is so well developed. The prevalence of interconnected systems and devices increases the risk of organisations being affected by cyber-attack. Countries with advanced technology infrastructure such as Japan, Korea and Australia are nine times more vulnerable than other economies.
A lack of dedicated cyber-security specialists is also to blame. Individuals with the right skills and experience are expensive and hard to find. This allows cyber-criminals to more easily use social engineering tactics to exploit inadequate internal controls and trick employees into revealing sensitive information.
Be aware of social engineering – The art of deception
Social engineering involves using social interactions to build trust with an individual in order to gather information. With a basic understanding of your corporate structure, along with information gained from social media, hackers can easily engineer targeted, personalised attacks on specific employees. This can also lead to identity theft, where an attacker uses that personal information to commit fraud.
Identifying social engineering attacks
There are countless types and variations of social engineering. However, some are more common and targeted to the corporate space. Keep an eye out for:
1 – Email from someone you know – Your boss, a colleague or a friend: The hacker manages to get hold of a person’s email password, takes control of the email account and sends malicious emails to all of its contacts. As most people reuse the same password across many accounts, the hacker often also gains access to the person’s social networks.
2 – A Business Email Compromise (BEC) attack: This is a common form of social engineering whereby cyber-criminals impersonate a senior business leader such as the CEO, attempting to persuade an employee or business partner to transfer money or reveal sensitive information. These attacks are highly focused and targeted to specific employees, which makes them hard to recognise and helps them to slip through spam filters.
These messages will trigger:
- Curiosity: As the link comes from a known source, it’s very likely that the reader will get curious and simply click on it. The result? The reader’s computer is now infected with malware, and the hacker will probably gain access to the reader’s contacts to keep spreading it.
- Trust: When a friend or a colleague sends you a photo or a document, the first reaction is to open it, even if the reader has no idea what the file is about. As above, by doing so the computer is infected and the malware propagates to the reader’s contacts.
Attackers are being very successful with these methods as the emails seem legitimate and come from known sources. In my opinion, these emails are hard to spot and can easily get you while you are in a rush and don’t have time to verify the information. The general rule of thumb is: if you were not expecting an email from a colleague or friend with a link or downloadable material, check before clicking!
3 – Phishing: This is another common form of cyber-attack. It occurs when criminals use a fraudulent website, email, SMS or social media to obtain sensitive personal information, such as passwords and financial data. The fraudulent site or message looks legitimate, and victims usually fall into the trap because the message appears to come from a respected organisation like PayPal or Westpac.
Most data breaches start with phishing, which is the most exploited form of social engineering.
These messages usually will present the reader with a scenario, such as:
- The message will present the reader with a problem and will require the person to “verify” some sort of information by clicking on the displayed link and entering details into a form. The link and form usually look legitimate and, most likely, will carry a warning that the person must act soon; that’s how hackers get readers to act on impulse.
- The reader will receive a message asking for help or support for charity and humanitarian causes, such as natural disasters. With so many political and religious issues around the world, charitable work has become more popular and hackers are taking advantage of people’s goodwill.
- A prize or winner message from a lottery, or an inheritance from a deceased relative. The email will request either the reader’s bank details, to transfer the money to, or the reader’s personal information, such as their Tax File Number, to prove who they are. The result is straightforward: if the reader follows the hacker’s instructions, the reader’s identity will be stolen and, subsequently, their bank account compromised.
Don’t become a victim
Automatic email filters can identify and block some of these suspicious emails, but as hackers grow more sophisticated their emails become harder to spot. Even the best email filters will let some messages through. That’s why it’s essential for employees to be able to assess the legitimacy of emails – for example, CBA will never send an email from a Hotmail address, or ask someone to provide their password via email.
Some of the basics of business security…
- Attachments to emails from an unknown contact should never be opened, especially if they are executable files. These files often contain malware – malicious software designed to damage your operating system, steal information, or install keyloggers that record every keystroke and take snapshots of your desktop.
- If in doubt, contact your IT support, as hackers can even spoof the sender details, making a message appear as if it comes from a known contact. For this reason, unexpected requests for funds or financial information should also be treated with caution.
- Develop a comprehensive security policy that addresses both people and technology. Employee education is paramount, and cyber-security training should be compulsory for all staff members. Train your teams and reward their efforts when they successfully block or identify cyber-attacks, as this will encourage them to become security advocates.
- Update, update, update! It’s no easy task to configure firewalls and email filters properly and to keep computers, software and applications updated; however, this is key to the ongoing protection of your business. Make sure your business has a dedicated IT security engineer or an IT provider to keep your IT systems on track.
- Perform regular backups. We highly recommend external backups to the cloud in case your business gets infected and you temporarily lose access to files and documents.
- Conduct tests. Humans need to be trained, so if your business has already established a security policy and staff training, make sure you test the level of security within your business. Become a hacker for a day and send random emails to see if there are any gaps. Don’t forget to praise those that block any sort of attack.
- Ongoing training and communication. Pretty much every week there’s a new virus or new attempt to target corporations. Make sure your business is on top of it with occasional security training and regular notifications to all staff members when a virus is doing the rounds.
- Slow down. Hackers are targeting impulsive responses with messages of urgency or people that are time poor. An email probably won’t deal with a life-death situation, so it can wait. Take a deep breath and go back to any emails you are unsure about after 10 minutes.
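The checks above (a trusted brand mailing from a free-mail address, an executive’s name on an outside address, executable attachments, links whose text shows one domain while the address leads elsewhere, and urgency language) can be written down as plain triage rules. The script below is an added example written for this article, not the author’s or any vendor’s tool; the corporate domain, executive directory and the three sample messages are constructed placeholders, and the keyword lists are illustrative rather than complete.

```python
"""Heuristic email triage for the social-engineering cues discussed above.

Added example, not code from the original article. A message is modelled as a
dict with the From header, subject, body, attachment filenames and
(link text, href) pairs; the corporate domain, executive directory and sample
messages are constructed placeholders.
"""
import re
from email.utils import parseaddr

# Constructed configuration (placeholders, not real data).
CORPORATE_DOMAIN = "example.com.au"
# Display name -> genuine address, as a directory of senior staff would provide.
EXECUTIVES = {"Jane Citizen": "jane.citizen@example.com.au"}
FREE_MAIL_DOMAINS = {"hotmail.com", "gmail.com", "outlook.com", "yahoo.com"}
# Brands whose mail never comes from a free-mail provider (the CBA / Hotmail rule above).
TRUSTED_BRANDS = {"cba", "commonwealth bank", "paypal", "westpac"}
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".bat", ".cmd", ".js", ".vbs", ".ps1", ".hta"}
URGENCY = re.compile(r"\b(urgent|immediately|act now|within 24 hours|verify your account|suspended)\b", re.I)
SENSITIVE_REQUEST = re.compile(r"\b(transfer|wire|password|tax file number|bank details)\b", re.I)
DOMAIN_IN_TEXT = re.compile(r"([a-z0-9-]+\.)+[a-z]{2,}")


def _strip_www(host):
    return host[4:] if host.startswith("www.") else host


def _host(url):
    """Hostname of an http(s) URL, lower-cased, without a leading 'www.'."""
    m = re.match(r"https?://([^/:]+)", url.lower())
    return _strip_www(m.group(1)) if m else ""


def triage(message):
    """Return human-readable findings; an empty list means no cue fired."""
    findings = []
    display_name, address = parseaddr(message.get("from", ""))
    domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    content = message.get("subject", "") + " " + message.get("body", "")

    # 1. A trusted brand in the display name, but a free-mail sender domain.
    if domain in FREE_MAIL_DOMAINS and any(b in display_name.lower() for b in TRUSTED_BRANDS):
        findings.append(f"brand '{display_name}' sent from free-mail domain {domain}")

    # 2. An executive's name with an address that is not the one on file (BEC cue).
    expected = EXECUTIVES.get(display_name)
    if expected and address.lower() != expected:
        findings.append(f"executive name '{display_name}' but sender is {address}, not {expected}")

    # 3. Executable attachments, including double extensions such as report.pdf.exe.
    for name in message.get("attachments", []):
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in EXECUTABLE_EXTENSIONS:
            findings.append(f"executable attachment {name}")

    # 4. Link text that shows one domain while the href leads somewhere else.
    for text, href in message.get("links", []):
        shown = DOMAIN_IN_TEXT.search(text.lower())
        host = _host(href)
        if shown and host:
            shown_host = _strip_www(shown.group(0))
            if host != shown_host and not host.endswith("." + shown_host):
                findings.append(f"link text {text!r} actually points at {host}")

    # 5. Urgency language, the pressure cue the article says to slow down on.
    if URGENCY.search(content):
        findings.append("urgency language present")

    # 6. A request for money or credentials arriving from outside the company.
    if domain and domain != CORPORATE_DOMAIN and SENSITIVE_REQUEST.search(content):
        findings.append(f"request for funds or credentials from external domain {domain}")

    return findings


# Constructed sample messages (not real mail).
SAMPLE_BEC = {
    "from": "Jane Citizen <jane.citizen.ceo@gmail.com>",
    "subject": "Urgent wire transfer",
    "body": "I need you to transfer $48,000 to the account below immediately. I am in a meeting, do not call.",
    "attachments": [],
    "links": [],
}
SAMPLE_PHISH = {
    "from": "PayPal Service <paypal-notice@hotmail.com>",
    "subject": "Verify your account",
    "body": "Your account will be suspended. Click the link to verify your account within 24 hours.",
    "attachments": ["statement.pdf.exe"],
    "links": [("www.paypal.com/verify", "https://paypal-secure-login.example.net/login")],
}
SAMPLE_BENIGN = {
    "from": "Sam Colleague <sam.colleague@example.com.au>",
    "subject": "Minutes from today's meeting",
    "body": "Attached are the minutes. Let me know if I missed anything.",
    "attachments": ["minutes.docx"],
    "links": [("example.com.au/wiki", "https://example.com.au/wiki/minutes")],
}

if __name__ == "__main__":
    for label, msg in [("BEC", SAMPLE_BEC), ("phishing", SAMPLE_PHISH), ("benign", SAMPLE_BENIGN)]:
        print(label, "->", triage(msg) or ["no cues fired"])
```

Run as-is, the constructed BEC message fires three rules (executive name on a Gmail address, urgency, a transfer request from outside the company), the constructed phishing message fires four (brand on Hotmail, executable attachment, mismatched link, urgency) and the benign internal message fires none. None of these rules is a substitute for a mail filter; their value is that each one is something a person can also check by eye, which is the point of the training the article recommends.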
In today’s competitive environment, sourcing a dedicated IT security engineer can be difficult and expensive. It’s no easy task to keep everything up and running properly as well as keeping all systems updated. It’s even harder to create, enforce and develop an internal culture where security is one of the top priorities.
If your resources are limited and you want to make sure your business is protected against the increasing number of cyber-attacks in Australia, it might be a good idea to outsource your cyber-security needs to an experienced IT support provider. If you’d like to know more, then contact Bremmar today on 1300 991 351 or email email@example.com.