Email phishing gives hackers the easiest and most common entry to an organisation’s data network. (Reuters: Kacper Pempel)
Forget sequences from blockbuster films of gangs breaking into secure buildings, avoiding guards to attach a “tap” to a blinking server. Real hackers walk through the front door by sending you an email.
- A hacker stays inside an organisation on average for eight months before being found
- Most hacks start with a simple opening of an email
- The best protection starts with individuals: install security patches as soon as they are released and turn on two-factor authentication
“Ninety per cent of cyber attacks worldwide begin with an email. Most organisations don’t really look at their email security that carefully,” said Michael Connory, chief executive of Security In Depth.
“Everybody is vulnerable. Australian organisations have no idea how vulnerable they are.”
After a cyber breach of the Federal Parliament’s computer network and a warning from one of Australia’s most senior military figures that the threat of similar attacks is on the rise, experts are pleading with Australian businesses to take the threat seriously.
“The easiest way for an attacker to get into an organisation is by phishing, by email,” Mr Connory explained.
It’s simple. Somebody in an organisation opens an email and is directed to click on a link, usually under the pretext of something that requires an action, such as: “You need to update your details”.
The link leads to a login page the attacker controls. When the person logs in there, they inadvertently hand their username and password to the hacker.
Those credentials are then used to get into the broader computer systems of the organisation.
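The lure described above rests on a handful of link tricks: a visible address that differs from the real destination, a trusted name placed before an “@” so the browser goes elsewhere, a lookalike domain, or a punycode host that renders like the real one. The scanner below is an added example, not code from the article or from Security In Depth; it pulls every anchor out of an HTML email body and reports those patterns. The sample message and every domain in it are constructed for this example and hypothetical, and the registrable-domain check is a deliberate simplification (last two labels rather than the Public Suffix List).

```python
"""Flag the link tricks a credential-phishing email relies on.

Added example, not part of the original article. Sample data and all
domain names below are constructed and hypothetical.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Visible link text that itself looks like a host or URL, e.g. "www.example-bank.com/help".
_HOSTLIKE = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/?#]\S*)?$", re.I)


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _site(host):
    """Last two labels of a host: a rough stand-in for the registrable domain.
    A production tool would consult the Public Suffix List instead."""
    return ".".join(host.lower().split(".")[-2:])


def scan_links(html_body, trusted_sites):
    """Return (href, reason) findings for anchors that look like lures.

    trusted_sites: registrable domains the organisation really uses,
    e.g. {"example-bank.com"} (hypothetical).
    """
    parser = _AnchorCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        parts = urlsplit(href)
        if parts.scheme not in ("http", "https"):
            continue  # mailto:, tel: and similar are out of scope here
        host = (parts.hostname or "").lower()
        site = _site(host)

        # 1. "https://trusted-name@real-host/": everything before '@' is userinfo, not the host
        if parts.username is not None:
            findings.append((href, "userinfo before '@' hides the real host " + host))

        # 2. Punycode label, the usual carrier of homoglyph domains
        if any(label.startswith("xn--") for label in host.split(".")):
            findings.append((href, "punycode host " + host))

        # 3. The address the reader sees disagrees with where the link goes
        shown = _HOSTLIKE.match(text)
        if shown and _site(shown.group(1)) != site:
            findings.append((href, f"text shows {shown.group(1)} but link goes to {host}"))

        # 4. Domain that borrows a trusted brand name without being the trusted site
        for trusted in trusted_sites:
            brand = trusted.split(".")[0].replace("-", "")
            if site != trusted and brand in site.replace("-", ""):
                findings.append((href, f"{host} imitates trusted site {trusted}"))
    return findings


# Constructed sample message for this example; every domain in it is hypothetical.
SAMPLE_EMAIL = """<html><body>
<p>Your account needs attention.
<a href="https://example-bank.com@evil-host.example/login">Update your details</a></p>
<p>Or sign in at
<a href="https://portal.examplebank-secure.net/">https://portal.example-bank.com/login</a></p>
<p>Help centre: <a href="https://www.example-bank.com/help">www.example-bank.com/help</a></p>
</body></html>"""

TRUSTED = {"example-bank.com"}


def demo():
    """Run the scanner over the constructed sample; returns three findings."""
    return scan_links(SAMPLE_EMAIL, TRUSTED)


if __name__ == "__main__":
    for href, reason in demo():
        print(f"{reason}\n    {href}")
```

Run as-is it reports the userinfo trick on the first link and both the text/destination mismatch and the brand lookalike on the second, while the genuine help-centre link passes. A mail gateway would apply the same checks before delivery; the point of the heuristics is that each one targets something the attacker must do to make the reader log in somewhere they did not intend.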
Security In Depth chief executive Michael Connory says on average companies take 8 months to discover they’ve been hacked (ABC News: Daniel Ziffer)
Consumers feel the impact of breaches through the potential for identity theft.
Vast amounts of personally identifying detail are available online, and criminals don’t need much to get you into trouble.
“Your Tax File Number, your driver’s licence number, date of birth … from that small amount of information they could begin to set up companies, obtain credit, start to obtain loans, run up huge debts,” Mr Connory noted.
“A vast array of damage.”
For businesses, the danger goes beyond losing important data or confidential files.
Almost half of data breaches in Australia are in health and finance, where organisations risk losing the vital trust of customers and their ongoing business.
Patch, patch, patch
Cyber security expert Dr Suelette Dreyfus from the School of Computing and Information Systems at the University of Melbourne said Australian businesses could easily trim their exposure in two simple ways.
“Patch, patch, patch! Upload all of those security updates from the operating system, and set it to auto-update,” Dr Dreyfus said.
“The other is to set up two-factor authentication … for all of your accounts; your Google, your Facebook, your Twitter, because now those things are your outward view to the world.”
Two-factor authentication is common in online banking products.
Entering your username and password on the website prompts a text message to your smartphone that includes a four- or six-digit code. Without submitting the code, you can’t get into your accounts. The SMS form is the weakest version of the control: the code can be phished in real time just like the password, and a SIM swap lets an attacker receive it. Where a service offers an authenticator app or a hardware security key, those are the better choice.
“The vast majority of threat that Australian businesses face, in a cybersecurity sense, is from criminal elements,” Dr Dreyfus added.
“But there’s also the risk of industrial espionage, stolen IP (intellectual property). This stuff matters”.
Information Warfare Division chief Major General Marcus Thompson warns there may not be the resources available to fight a major cyber-attack. (Supplied: Department of Defence)
Major General Marcus Thompson told AM the threat of cyber attacks on the military is on the rise, but it was the broader capacity for the Australian Government to respond to a big fight in cyber space that kept him up at night.
“I have a concern, and I know this concern is shared by many of my colleagues and mates throughout the national security community, that in the event of a significant incident on Australia in cyber space, the resources that would be required to respond might not exist at the scale that might be required,” Major General Thompson said.
Major General Thompson leads the Information Warfare Division, which was set up in mid-2017 with the aim of providing both defensive and offensive cyber capabilities.
The threat isn’t hypothetical. Organisations as varied as global shipping giant Maersk and the United Kingdom’s National Health Service have suffered losses and disruption from cyber attacks.
In Australia, our biggest banks are currently trying to contact 100,000 customers whose personal data may have been affected by a major breach at valuation firm LandMark White.
The breach, revealed in The Age and The Sydney Morning Herald, could include birthdates, personal contact information and property valuations.
As a result, the Commonwealth Bank, ANZ and NAB have suspended use of the stock exchange listed firm.
In January, the details of 30,000 Victorian public servants and contractors were stolen in a data breach, after a Victorian Government staff directory was downloaded by an unknown party.
Mr Connory, who describes himself as an “ethical hacker”, says tens of thousands — if not hundreds of thousands — of people have the skills to break into an organisation (recently his 14-year-old daughter, having watched a YouTube video, gave it a go).
“It’s simple,” he said.
“It takes us about 22 minutes to get access inside a company.”
Security In Depth recently researched 119 organisations, and found that for more than a third, usernames and passwords that would give a hacker access were available on the dark net — an anonymised network only accessible using specific software.
“Most of the time a hacker will just sit there, watching,” Mr Connory said.
“In Australia, on average, a hacker will stay in an organisation for eight months before they’re even found. They’ve got access to emails, financial statements, to confidential company IP (intellectual property), they’ve got access to customer databases.
“By staying ‘in’ an organisation for such a long time they can start to see and read and be privy to a huge range of sensitive information.”
You might be the problem, but you’re also part of the solution.
Dr Dreyfus said companies need to train staff better in cybersecurity, to acknowledge that most problems begin through a seemingly innocuous email, and that a system is only as strong as its weakest link.
“They need to train their employees to understand, ‘Ah! This is the risk to the profitability of the whole company if we don’t come together and behave in better cybersecurity ways’,” she said.
“‘Herd immunity’ matters. If you can get your entire company up a little more, in their posture, it will be much better off as a whole.”