A Google search of coronavirus returned about 2.8 billion results, while cyber security yielded a paltry 600 million or so. Yet with so many people working remotely, we greatly increase the points of entry and risks of security breaches.
The other virus
In 1983, a professor at the University of Southern California, Len Adleman, is credited with coining the term “computer virus”1 to describe self-replicating software that spreads by attaching itself to existing programs. Six years later, “cyber security” entered the English lexicon. Today, the Australian Government Information Security Manual defines it as “Measures used to protect the confidentiality, integrity and availability of systems and information.” 2
While many cyber security resources recommend that updating and patching the vast array of hardware and software combinations businesses use is the minimum first line of defence, significant technology risks remain. This paper looks at one of the most recognised weak links in cyber defences – people. The term “people” goes beyond employees and IT teams. It includes business owners, boards and management who are prioritising the protection of data and digital assets, just as they protect physical assets.
As Chairman of Telstra and logistics giant Toll Group, John Mullen has learned some hard lessons. On 10 March he said, "It is an element of human behaviour that creates these entry points or the chink in the armour. It is rarely the actual firewall that didn't work."3
Why it matters – the cost of cyber crime
The Australian Criminal Intelligence Commission reports that the Cyber Security Review, led by the Department of the Prime Minister and Cabinet, found that cyber crime is costing the Australian economy up to $1 billion in direct costs alone.4 This number will likely have to be revised up in light of the sustained cyber-attacks on business, infrastructure and government services this year.
Over the last few years, penalties associated with privacy violations have been increasing across the globe. In Australia, at the moment, penalties for non-compliance with the Privacy Act can reach between $2 million and $10 million for businesses and up to $500,000 for individuals.5
Emails a major source of fraud
The CEO of Telstra Andy Penn said in a 6 May AFR article that Telstra blocks 23 million malicious email messages every day. Mr Penn went on to say that "COVID-19 has amplified that risk because so many of us are now working and studying from home. This means activities we used to undertake within the traditional firewalls of enterprises, governments and education institutions are now being completed from home over VPNs".6
The CBA Cyber Outreach and Research team published a Special Edition of its quarterly newsletter detailing email payment fraud7, with the team highlighting that in the majority of cases, the perpetrator imitates one of two parties:
- A supplier or business partner – posing as genuine suppliers, fraudsters submit instructions to alter the supplier’s bank account to one they have access to;
- The CEO, director or another senior executive of the organisation – the fraudsters request account staff to urgently pay a supplier or business partner via a nominated bank account accessible to them.
As payments move toward real-time settlement, the window for the freezing and recovery of payments misdirected due to deception is diminishing.
In the same Signals Special Edition7, our Cyber Outreach Team provide a checklist of four basic countermeasures to prevent business email compromise:
- Multi-factor authentication.
- Conditional access rules for cloud-based email.
- Enforce password policies.
- Educate staff to identify phishing campaigns.
Passwords – easy entry points
Over 8 billion accounts and half a billion passwords have been exposed in data breaches8, making it evident that many don’t get the basics right. You can check if your credentials, such as email addresses and passwords, have been exposed at haveibeenpwned.com (a free online resource created by Troy Hunt, a Microsoft Regional Director and MVP awardee for Developer Security).
The CommBank Signals publication9 noted recent analysis from NordPass (a password manager app) “which looked at 500 million passwords leaked in various data breaches in 2019, found that ‘12345’ and ‘123456’ were still the most popular passwords being used to ’secure’ millions of accounts”. Its findings are supported by a 2019 study for the UK’s National Cyber Security Centre and Department for Digital, Culture, Media and Sport that found 23.2 million hacked accounts had used the password ‘123456’. Other high-risk, common passwords were ‘test1’ and ‘password’10.
Furthermore, LastPass’ 2019 ‘State of the Password’ report, found that employees reuse their passwords 13 times on average. Yet once breached, a password used for private or personal purposes, can open the door to business systems and data.
In a February 2020 presentation11 to the RSA conference of cyber security professionals, Microsoft’s Director of Identity Security said that every month 1.2 million accounts are breached. That’s the equivalent of 0.5% of all accounts.
Microsoft says updating legacy email protocols and enabling two-factor authentication (2FA – for example, entering a code sent to your mobile phone is required in addition to your password) can greatly reduce the risk of compromise, in conjunction with the use of strong unique passwords.
How to strengthen passwords
Unfortunately, most of us simply can’t memorise a unique complex password for our growing number of online accounts. Apple has recognised the challenge and provides a built-in password manager: iCloud Keychain, which joins a number of password manager apps for both smart phones and desktops, which have developed solutions to generate, securely store and even enter strong passwords for us, but relatively few people use them.
The Australian Cyber Security Centre advises for passwords that “the longer it is, the stronger it is!”12 It recommends passphrases made up of at least four words and at least 13 characters in length, ideally something meaningful to you so it’s easy to remember.
But avoid common quotes and including names, dates of birth and other information that may be publicly known or accessible because cyber-attackers are increasingly sophisticated and well organised. They conduct detailed surveillance of people and businesses, harvesting information from a wide variety of sources, then patiently wait for maximum benefit before striking.
Biometric alternatives – safer but still fallible
Only seven years ago we began unlocking iPhones with a fingerprint. By November 2019 hackers demonstrated that any smartphone fingerprint lock can be broken in 20 minutes13, using less than $200 of hardware. Apple dropped the use of fingerprints in its iPhone 11, in favour of facial recognition.
Even confirming the authenticity of financial instructions, amendments and approval of payments through voice or video calling isn’t risk-free these days. Deep Fake technology, which manipulates video and audio using artificial intelligence (AI), “can be used to make people believe something is real when it is not,” according to an October 2019 CNBC report14.
As reported by the Wall Street Journal15, it’s a lesson the CEO of a U.K.-based energy firm learnt first-hand. In March 2019, criminals used AI to impersonate the voice of the CEO of the firm’s German parent company. Thinking he was acting on his boss’ instruction, the CEO transferred €220,000 (AUD$370,000).
And, of course, while passwords or PINs can be changed, the same cannot be said for your fingerprints, face or voice.
Despite these demonstrated weaknesses, biometrics offer greater security and convenience than passwords. Importantly, they can also break down barriers for the ‘unbanked’ – including those who can’t read or write, have limited financial literacy or have disabilities.
Education brings greater protection
As the pandemic causes many businesses to struggle for cash flow and to form new business relationships, take extra care authenticating information provided. The simplest thing any business can do is to make sure you and your people know how to protect your data assets.
How we can help - educational resources for you
As businesses move workforces to working from home, many employees may not have had adequate, updated and regularly reinforced training. If that’s the case, it’s easier to fall victim to increasingly sophisticated attacks.
To stay up to date on the latest cyber security trends, subscribe to Signals https://www.commbank.com.au/business/support/security/signals.html