This week is national Privacy Awareness Week, an annual initiative of the Office of the Australian Information Commissioner (OAIC) that raises awareness of privacy issues and the importance of protecting personal information.
Malicious or criminal attacks are deliberately crafted to exploit known vulnerabilities for financial or other gain. Many cyber incidents exploit vulnerabilities involving a human factor, such as unwittingly clicking on a malicious link and disclosing passwords.
If you own or run a business, there are simple steps you can take to protect your information online.
While no single mitigation strategy is guaranteed to prevent cyber security incidents, implementing our recommended Essential Eight makes it much harder for cyber criminals to succeed.
Human factors matter
The Australian Cyber Security Centre (ACSC) receives a wide range of reports, for example:
- Payroll fraud emails that spoof the emails and signature blocks of staff, and are sent to HR/payroll areas appearing to ask for a change in bank account details for the current or next pay – sometimes successfully, passing wages into the wrong hands.
- Fake Australian Taxation Office (ATO) themed emails and scam calls demanding tax file numbers and payments.
- Scammers claiming to be from ICT service desks seeking to convince staff to reveal their multifactor authentication credentials.
- A small business owner who received a fraudulent email with a fake invoice and unwittingly paid thousands of dollars into the bank account of a cyber criminal.
- Hit with a ransomware attack, a company’s operating systems were encrypted and they had no off-site backups. A private firm helped with data retrieval and, adhering to Australian Government advice, no ransom was paid.
Malicious intent is the primary motivation behind most data breaches reported under the Notifiable Data Breaches (NDB) scheme, but human error is a key factor, according to the latest data from the OAIC.
An employee may send information to the wrong person or click on a link that results in compromised user credentials – usually a user name and password.
It’s your information, your money, and, sometimes, your livelihood, that’s at stake. So it’s important to protect it. There are mitigation strategies available to you and your workers.
Before implementing mitigation strategies, such as our Essential Eight, we recommend that organisations identify which systems require protection, which adversaries are most likely to target your systems and what level of protection is required.
For example, Australian businesses with in-house IT support could consider:
- Protecting key systems by:
- Enable Multi-Factor Authentication on all Remote Desktop Protocol (RDP) services
- Log all connections and monitor for unusual activity
- Ensure all systems have a supported operating system and patches
- Checking that your systems are not visible to well-known Internet scanning tools
- Restricting access to RDP services to authorised networks only
Australian businesses with managed IT support could consider:
- Making sure you and your provider(s) have:
- contractual arrangements based on an up-to-date assessment of threats
- clearly defined and agreed roles and responsibilities
- established appropriate monitoring of all management traffic for at least 90 days
Our guidelines for system management, the Australian Government Information Security Manual, can help organisations to use their risk management framework to protect information and systems from cyber threats.
What to do if your company is breached
Contact IDCare at idcare.org if you or your colleagues have experienced identity theft.
Go to the ‘Have I been Pwned?’ website to see if email accounts have been breached.
If your organisation has been a victim of a cybercrime, report it to the Australian Cybercrime Online Reporting Network (ACORN).
To learn more about the OAIC Notifiable Data Breaches scheme, go to the OAIC website.
To report a cyber security incident, email firstname.lastname@example.org or call 1300 CYBER1 (1300 292 371).