Protecting Your Business
A cyber security incident that impacts a small business can be devastating. Unfortunately, those at the Australian Cyber Security Centre (ACSC) see the impact of cyber security incidents each and every day, on individuals, large companies, and small businesses.
As part of a larger Government agenda we all need to play a small part in the national objective of protection against cybercrime. ICB and ACSC are reaching out to small/medium business to assist with the basic foundations and techniques to protect small business against critical cyber related attacks.
As small businesses are a large contributor to Australia’s prosperity they need to understand the risks. ICB understands that owners and operators of small businesses don’t have much time to spend on comprehending the complexities of the internet or establishing complicated responses to potential risks.
By educating ICB members on mitigation strategies and tools to help business be prepared for cyber-attacks, we can all work together as a community to protect businesses, their information, suppliers, and customers. Cyber security starts with the right mindset, culture, awareness-raising and implementation. Culture and mindset of how we adopt practices and then share this with clients in the way we reach out.
During the 2020–21 Financial Year the ACSC observed:
- Over 67,500 cybercrime reports, an increase of nearly 13% from the previous financial year.
- Self-reported losses from cybercrime total more than $33 billion.
- Approximately one quarter of reported cyber security incidents affected entities associated with Australia’s critical infrastructure.
- Over 1,500 cybercrime reports per month of malicious cyber activity related to the coronavirus pandemic (approximately 4 per day).
- More than 75% of pandemic-related cybercrime reports involved Australians losing money or personal information.
- Nearly 500 ransomware cybercrime reports, an increase of nearly 15% from the previous financial year.
- Fraud, online shopping scams and online banking scams were the top reported cybercrime types.
- An increase in the average severity and impact of reported cyber security incidents, with nearly half categorised as ‘substantial’.
Source: ACSC Annual Cyber Threat Report 2020-21 | Cyber.gov.au
The Most Common Cyber Threats
Cyber threats are continuing to grow in complexity and cannot be overlooked as digital platforms are now the way we do business. It is an imminent problem, but as Bookkeepers we can help business to be cyber-savvy.
Fake Invoice Scam or Phishing
Let’s start with arguably the most popular phishing template out there – the fake invoice technique. Phishing emails are used by cybercriminals and are created to look like official messages, mimicking phrasing and logos from well-known organisations. Phishing emails ask for a variety of personal information, passwords, and credentials, leading to compromised digital systems.
Like many phishing attacks, this scam relies on fear and urgency, pressuring an end user to submit a payment for goods or services they’ve never even ordered or received. Time pressure emails are high risk, so be aware and – if in doubt – verify details through a known contact. You need to know you are dealing with a legitimate authority. The Accounting and Bookkeeping community are the obvious targets for this sort of attack. Invoice fraud is very common and can bypass security systems.
To verify if an email or message is legitimate, find a source you can trust! Visit the official website or call the advertised phone number. Do not use the contact details provided in the email or message, as these could be fraudulent also.
Business Email Compromise
Business email compromise is a type of email cybercrime scam in which an attacker targets a business to defraud the company. Business email compromise is a large and growing problem that targets organisations of all sizes across every industry around the world. These scams have cost businesses billions of dollars in potential losses.
Email account compromise, or email account takeover, is a related threat that is increasing in an era of cloud-based infrastructure. These scams are difficult to detect and prevent. They leave businesses vulnerable to attacks, potentially leading to identity theft and compromising systems, with businesses experiencing significant financial loss as well as compromised access to business and loss of personal information.
Ransomware attacks are typically carried out via malicious but seemingly legitimate email links or attachments. A ransomware attack is a form of malware attack in which an attacker seizes the user’s data, folders, or entire device until a ransom fee is paid. Ransomware attacks exploit open security vulnerabilities by infecting a PC or a network with a phishing attack or via malicious websites.
Ransomware comes from legitimate-looking links, but the link when opened locks the organisation’s files until a ransom fee is paid. The ACSC advise is not to pay, but to seek ACSC advice if this happens to your business.
Business email compromise (BEC) and Phishing emails
- BEC involves executive fraud, legal impersonation, invoice fraud and data theft – invoice and bank details changed via email and payment systems compromised.
- In 2019 $85.2 million in losses from business email compromise were reported to Australian government agencies.
- Spearfishing is a highly targeted method of stealing confidential information by sending fraudulent messages to victims, often directing them to enter personal information into a fake website.
- Once personal information is entered, it is sent to the cyber adversaries, and your account is compromised. You may not be aware that your credentials were stolen!
− Department of Home Affairs
How To: Mitigation Strategy – Worth the Time & Effort
Update Your Software and Devices
Keeping your operating system and applications up-to-date is one of the best ways to protect yourself from a cyber security incident.
If you receive a prompt to update your computer, phone, apps, or other software, you should install the update as soon as possible.
Turn on automatic updates to make sure you’re always using the most secure version.
Activate Multi-Factor Authentication (MFA)
Multi-factor authentication is one of the most effective ways to protect against unauthorised access to your accounts.
MFA is a security measure that requires two or more proofs of identity to grant access to your accounts.
Turn on MFA for all your accounts, starting with the most important ones (email, online banking).
Backup Your Data and Devices
Backing up is a precautionary measure, so that your data is accessible in case it is ever lost, stolen or damaged.
Backups will allow your business to recover from a cyber incident (such as ransomware) and will help to minimise downtime.
Set up an automatic backup system to regularly back up your important data.
Set Secure Passphrases
Where MFA is not possible, use passphrases to protect your accounts and devices.
Passphrases use a phrase or sentence as your password. Compared to a password, passphrases are more secure and easier to remember.
Create a unique passphrase for every account and device. Consider using a password manager to help remember your passphrases.
Australian Cyber Security Centre
Become an ACSC Partner
For individuals and families that would like to be kept up-to-date with relevant information
For businesses, large or small, that would like to be kept up-to-date with relevant cyber security information for their businesses
For organisations with responsibility for networks, experts in cyber security such as academic and not-for-profit institutions
To register your interest to become a Business Partner,
please contact firstname.lastname@example.org
Where To Go For Help
Call the ACSC 24/7 hotline on 1300 CYBER 1300 292 371
Report a cyber security incident to the ACSC at www.cyber.gov.au/acsc/report
How Cyber Mature is Your Business? Use the Assessment Tool and Find Out!