Over 800 data breaches were reported in 2018 and the frequency of cybercrime attacks is increasing.
Official figures released by the Office of the Information Commissioner (OAIC) show that in the last quarter of 2018, the number of reported breaches hit 262, a 7 percent increase from the previous quarter.
Another incident compromised the data of up to 500,000 people.
The bulk of the breaches were caused by malicious attacks, with cybercriminals responsible for 64 percent of the breaches, while human error accounted for 33 percent.
Small and medium businesses regarded as easy targets for cybercrime
What does this tell us? The answer is unfortunate, but simple: No one is safe from cyber attacks and small to medium-sized businesses are regarded as easy targets.
Aura Information Security Australia manager Michael Warnock was recently quoted by the Australian Financial Review as saying that mid-sized companies are a “happy hunting ground” because management in such firms is either unaware of the extent of the risks, or reluctant to allocate adequate resources to combat cybercrime. “The harsh reality is, cyber attacks will continue to grow in both frequency and complexity over the coming year and Australian businesses are a target,” he said.
“Both business and IT teams should accept the threat is present, implement ongoing training to teach employees to recognise potential threats, adopt responsible data protection behaviour and allocate sufficient funds to cover protection measures commensurate with their organisation’s risk profile.”
According to OAIC, the health sector was the worst affected industry for data breaches, with 54 reported breaches in the quarter, followed by financial services with 40 and legal and management services with 23.
WatchGuard Technologies’ Mark Sinclair also spoke about the issue and said that while it is impossible to have perfect security, the best practice approach is to have a well-balanced cybersecurity strategy that spreads funds across threat prevention, detection and response, user education, business continuity, and disaster recovery.
“The IT security industry breeds acronyms and buzzwords and it can be difficult to decide how much security is enough for an individual business. In the end, though, it’s still ‘your’ business, your data, your reputation, your assets, your money,” he said. As a business owner, you should be asking specifically how to invest in cybersecurity and, ultimately, what returns you should expect.
Assessing the effectiveness of cybersecurity
Adopting, implementing and operating a cybersecurity strategy takes time, money and expertise.
While you can educate yourself on the threats your business may face, it’s often a good idea to engage a specialist cybersecurity firm to audit your practices and recommend infrastructural and practice changes.
The audit process will include network, systems and operational testing as well as training for you and your team to ensure that human error is reduced as much as possible.
Return on Investment
As with everything related to business, fighting cybercrime requires a budget. If your business has never been a victim of cybercrime, it can be hard to evaluate exactly what your return on investment is.
On the other hand, businesses that have been victims of cybercrime know full well what the impact – both financial and reputational – can be. Some businesses have been totally ruined as a result of cybercrime. Spending on cybersecurity can seem like money needlessly spent until you actually need it.
Another step you can take to protect your business is to take out a cyber insurance policy. With average premiums for SMBs usually in the range of $2,000 – $3,000 annually, there is research to indicate that the majority of businesses that take out cyber insurance consider their premiums reasonable in light of their risk.
A 2017 report by industry leaders Cyber Aware shows that 40 percent of cybercrime incidents are costing Australian businesses between $1,000 and $5,000 and about two-thirds of businesses are unable to recover these costs. The report also found some misconceptions: 40 percent of small to medium-sized businesses think that they can protect against cybercrime by restricting their online activity.
This is not the case, and restricting online activity has the adverse effect of reducing website traffic, visibility and activity.
Cybercrime activities to look out for
The Australian Cyber Security Centre advises that the most common cyber attacks you should be prepared for include ransomware, phishing and social engineering.
- Ransomware
Ransomware is malicious software that makes data or systems unusable until the victim makes a payment. It is the fastest growing malware threat, targeting users of all types and affecting businesses around the world.
- Phishing
Phishing is where untargeted, mass emails are sent to many people, asking for sensitive information (such as bank details) or encouraging them to open a malicious attachment or visit a fake website that will ask the user to provide sensitive information or download malicious content.
- Distributed Denial of Service
A Distributed Denial of Service (DDoS) attack is when legitimate users are denied access to computer services (or resources) because the service is overwhelmed with requests from multiple sources.
- Scams targeting businesses
Australian businesses are a common target for a range of scams, with adversaries using advanced social engineering techniques to target staff members and enhance the perception of being legitimate.
- Secondary targeting
This is where adversaries prey on small networks which are connected through their IT systems to a target organisation of higher value. It can enable cyber adversaries to exploit customer data and networks through a range of direct and indirect means.
- Targeting bulk personally identifiable information
Australian networks holding large numbers of records of personally identifiable information (PII) are often targeted by cyber adversaries. Cybercriminals may use the stolen information for identity theft or attempt to extort money from organisations and individuals by threatening to release the stolen data.
- Unauthorised cryptomining
CERT Australia has reported an increase in cryptocurrency mining (cryptomining) malware, used to exploit the processing power of systems globally. Cryptomining software uses a system’s processing power to solve complex mathematical problems, which verify existing digital currency transactions.
Do you need help to protect your business against cyber attacks?
Do you need help in mitigating cybercrime risk? Dexterous Group and our partners Cyberaware can help you make your business as safe as it can be. Call us today on +61 2 9167 8880 or send us an email on firstname.lastname@example.org.