Malicious cybercriminals on the rise: Why your business could be at risk

Telstra’s outgoing boss, Andy Penn, has put cybersecurity firmly back on the news agenda during his exit speech from the telecommunications firm. During his speech, Penn named Australia an ‘attractive and active target for malicious actors and cybercriminals.’ Penn said that in the last 12 months, Telstra has intercepted more than 1 million malicious emails and 200 million scam calls, and is blocking more than 1500 scam text messages every minute.

During his speech, Penn singled out a cyberattack that impacted transport and logistics company Toll back in 2020, but more recently there have been numerous ransomware attacks targeting universities, healthcare and other sectors across 2021-2022.

Why are businesses today more at risk?

Businesses large and small are at risk – from the country’s largest media firms and telcos to the smallest of family-run operations. A recent survey conducted by the Australian Cyber Security Centre found that SMBs that outsourced their IT security believe they are better protected than they really are, and that one in five SMBs did not know the term ‘phishing’.

At the same time, almost half of SMBs rated their understanding of cybersecurity as ‘average’ or ‘below average’ and had poor cybersecurity practices, while almost half of small-to-medium-sized businesses reported they spent less than $500 on cybersecurity per year.

When scams get social

The ensuing two years have seen more prevalent strains of ransomware attacks, delivered through ‘social engineering,’ targeting universities, healthcare and other sectors. Social engineering is the practice of manipulating people into giving up confidential data. The days of Nigerian princes soliciting your help with dubious international money transfers are long gone.

Social engineering involves email or other communication that invokes urgency, fear, or similar emotions in the victim, prompting them to reveal sensitive data, click a malicious link, or open a malicious file. Criminals use social engineering tactics because it is usually easier to exploit people’s natural inclination to trust than it is to discover ways to hack software.

Because of these human fallibilities, email hijacking is rampant. Hackers, spammers, and social engineers take control of people’s email accounts every day, and once a criminal manages to hack or socially engineer one person’s email password, they have access to that person’s contact list, and likely their social networking contacts as well.

Once the criminal has control, they can send emails to all the person’s contacts or leave messages containing a link or download on all their friends’ social pages. Using a compelling story or pretext, these messages may urgently ask for help, use phishing attempts with a legitimate-seeming background, ask for donations to a charitable fundraiser, or present a problem that requires ‘verification’ of personal information by clicking on a displayed link.

The type of data these criminals seek varies, but the goal is usually to trick a victim into giving up passwords or bank information, or into granting access to their computer so malicious software can be installed. There are thousands of variations of social engineering exploits, limited only by the criminal’s imagination. Victims may experience multiple forms of attack in a single campaign.

In a malware scam, victims are sent an urgently worded message and tricked into installing malware on their devices. An ironic twist on this is the variant in which the victim is informed that malware has already been installed and that the sender will remove the software if they pay a fee.

It is not surprising that social engineering emails have resulted in an $80 million loss across Australian businesses in the 2021 financial year. People are always the weakest link when it comes to cybersecurity, and business leaders are not yet doing enough to prioritise training and awareness to ensure their employees know how to identify social engineering threats.

The importance of this is underscored by the extent to which remote working has severely impacted the information security of firms, creating vulnerabilities that can be exploited.

The move to mobile

As users are steadily moving away from desktops and favouring mobile devices instead, it was only a matter of time before hackers altered tactics. Many employees access corporate networks via their personal devices. As more sensitive and potentially high-value tasks are carried out on these devices, mobile security threats are fast becoming a growing concern.

Mobile malware is malicious software that targets the operating systems on mobile phones. Cybercriminals scam users of mobile devices by using applications to deliver mobile malware. For firms that depend on mobile phones to do business or that allow employees to use their own devices as part of a BYOD policy, the threat is very real and needs to be addressed.

Opening the wrong email or visiting a malicious website can lead to someone falling victim to a form of mobile malware known as the drive-by download. These variants are installed automatically on a device and can unleash spyware, malware, adware or a bot that uses the mobile device to send viruses to other people within a firm or to scan the network for a way in.

Protecting your business

Businesses should implement strategies like setting up and performing regular backups. A backup is a digital copy of your most important information that is saved to an external storage device or to the cloud. The best recovery method for a ransomware attack is a regular offline backup made to an external storage device and a backup in the cloud.

You can set up automatic backups in your system or application settings. Passwords and multi-factor authentication (MFA) are key. MFA means there are two checks to prove your identity before you access your account. For example, you may need to supply a code from an app as well as your password. This makes it more difficult for someone else to access your account.

Staff should be highly aware of any incoming threats, and taught to immediately delete and block any request for financial information or passwords. If they are asked to reply to a message with personal information, it’s a scam. Requests for help or offers of help should be rejected. Legitimate companies and organisations do not contact people to provide help.

Spam filters should be set to high. Devices should be secured by installing anti-virus software, firewalls and email filters, and by keeping these up to date. According to Penn, educating people about ransomware is the best way to prevent attacks from happening. Implementing security awareness training is the best, and perhaps only, way to ensure your business is watertight.

Ajay Unni is the founder of StickmanCyber, a business that helps companies mitigate their cyber-security risks. Ajay named the company after the countless stick figures he used in flow charts throughout his years in the software and cyber-security industry. Ajay Unni has over 30 years’ IT industry experience, with over 15 years as a cyber-security specialist.