Cyber criminals are cashing in on coronavirus – how safe are you?
As we log on to our home Internet for work, study and even social events, cyber risk expert Mark Jones explains how the pandemic is influencing security issues – and what we can do about it.
Growth in cyber attacks is nothing new and many of us continue to grapple with how best to protect and prepare ourselves against incidents, especially in the context of COVID-19.
This period of unprecedented alarm and uncertainty, coupled with the growing sophistication of cybercriminals, has nurtured the perfect breeding ground for cyber attacks. This year alone, attacks have robbed 24,000 Australians of their personal details, up 55% compared to the same period last year.
It's not just personal details that scammers are after, it's money. Recent Scamwatch figures show that Australians have lost more than $3.6 million to scammers since the start of the pandemic. And the methods employed by cyber criminals are becoming increasingly sophisticated.
This new risk landscape is constantly changing, particularly in the era of remote working. It's also characterised by multiple points of vulnerability that cyber-attackers will exploit, if given the chance.
We can see this with some of the initiatives and relief measures that have been introduced by the government to provide financial support for those hit hard by the impacts of the pandemic. Ironically, some of these measures – such as early access to super – are being used by scammers to access people's money and personal information for financial gain.
Considering this new reality, we must all reassess our attitudes and approaches to cyber security so that we can equip ourselves with the right defences.
Tricks of the cyberattack trade
A lot of cyber attacks and cyber security issues stem from genuine mistakes or oversights.
According to the latest Notifiable Data Breaches Report by Office of the Australian Information Commissioner (OAIC), between January and June 2020, more than one third of data breaches were the result of human error, such as the inadvertent disclosure of personal information in an email sent to the wrong recipient, up 7% on the previous 6 months.
Even in the case of a malicious or criminal attack, which accounted for 61% of breaches in the 6 months to June 2020, human error was acknowledged as an underlying factor. These results show the critical role that individuals play in cyber defence.
Another notable trend is the significant rise in ransomware attacks, up a staggering 150% compared to the previous report. Ransomware is a type of malicious software designed to block access to data or a computer system until you meet the demands or conditions set out by the attacker. For example, a monetary payment (which is what you'd expect if it was a typical ransom situation).
Likewise, data breaches resulting from social engineering or impersonation increased by almost 50%, with government impersonation scams alone costing victims $1.26 million so far this year, according to the Australian Competition and Consumer Commission (ACCC). These attacks rely heavily on human interaction to manipulate people into breaking security procedures in order to gain access to systems or networks.
For example, a criminal might create a fake social media account that looks very similar to the real account of someone you know. When undetected, they could try to impersonate your friend to get personal or financial details from you – such as asking for a loan to tide them over between paydays.
Data breaches from phishing, where the target is contacted and lured into providing sensitive information, remain the leading source of malicious attacks.
There have even been reports of scammers targeting those seeking out furry companions during the pandemic, with Australians losing almost $300,000 to puppy scams so far this year.
What's clear from these trends is the tendency for scammers to take advantage of the heightened levels of stress and emotion associated with COVID-19.
With many of us still working from home, cyber hygiene measures must become a non-negotiable to ensure the protection of personal information. This is like hand-washing, but for our digital footprint. These measures can include steps such as using multi-factor authentication on your devices, being wary of suspicious emails and mindful of the sensitivity, or classification of your conversations.
Low-tech fundamentals, such as correctly disposing of or storing confidential printed material and ensuring licences and certifications are up to date, can also have serious implications for individuals and businesses if not considered in the working from home environment.
If you can't change it, change your attitude
Amidst the ongoing threat of cyber attacks, recent studies have highlighted an apparent disconnect between individuals' awareness of cyber security threats and their application of best practices.
In a recent analysis of national sentiment in 2020, only 26% of respondents reported having concerns about cyber security while working from home – the area of least concern – which suggests that more Australians are neglecting their online safety.
The report indicates that Australians are more focused on accessing health services for themselves and their family, under the assumption that their employer will manage security issues for its remote workforce.
But let's take a look at some "worst-case" scenarios that this assumption could lead to:
- If you're not mindful of the sensitivity or classification of your conversations when using collaboration tools such as WhatsApp, attackers may gain access to documents you share and use them to target you, your company and people you know.
- Allowing licences or certifications to expire could place your company at risk of litigation or significant reputational damage.
None of us needs the stress that these types of scenarios would cause. So what can we do to reduce the risk? Some steps you can take today to help protect yourself and others include:
- Keep your work and personal data as separate as possible. If you can't use two different devices, talk to your company about other solutions that can help reduce security and privacy risks.
- Do a quick cyber security health check: change any weak passwords and make sure you use different passwords for each account, check your software is up-to-date and make use of multi-factor authentication options.
- If you get unsolicited text messages, calls or emails, ask questions before you take any action (including giving out details or confirming your details). If you're unsure, visit the government's Scamwatch website to check for known scams or to report suspicious activity.
- Get in touch with the security and risk management team at your company and ensure you know where to report any suspicious activity, so you can assist with early detection.
- Ask your employer about what security measures you are responsible for (i.e. installing the latest patches on all your devices) so you understand your role in keeping company data safe.
- Make use of online security and privacy tutorials. They provide easy to follow steps to help you protect your profile.
In the context of this ever-evolving pandemic, the gap between cyber security risks and our individual defences appears to be widening. But we can create stronger protection against cyber attacks by learning more about the threats, working together and sharing responsibility for our personal and work security – both at home and in the office.
Mark Jones is an associate managing director in the cyber risk practice of Kroll, a division of Duff & Phelps, based in Melbourne, Australia. He leverages more than 20 years of experience in information security, cyber security, governance and technology risk management services. Mark is an active industry speaker and panellist at various cyber security events and conferences. He is also a member of the Information Systems Audit and Control Association (ISACA), International Information Systems Security Certification Consortium (ISC2), and Australian Information Security Association (AISA).
Disclaimer: The views and opinions expressed in this article (which may be subject to change without notice) are solely those of the author and do not necessarily reflect those of Finder and its employees. The information contained in this article is not intended to be and does not constitute financial advice, investment advice, trading advice or any other advice or recommendation of any sort. Neither the author nor Finder has taken into account your personal circumstances. You should seek professional advice before making any further decisions based on this information.
Images: Getty Images, supplied (Mark Jones)