Social engineering and email compromise are on the rise
As businesses adopt and depend on increasingly advanced digital technology, the risks of doing business evolve with it. And while larger organisations have strengthened their cybersecurity systems and protocols, smaller firms are becoming more vulnerable – because cyber-criminals know their weak spots make them easier targets.
“There are two types of businesses: those who have been hacked, and those that will be,” Macquarie Group’s Associate Director - Fraud Investigations Jonathan Martin told the audience at Macquarie Bank’s breakfast briefing, Fraud awareness and resilience.
The data paints a worrying picture. Every year, Australian organisations lose $60 million to cybersecurity breaches – but spend just 6% of their digital budget on cyber security.[1] And according to Scott Curley, Director - Professional Risks and Trade Credit, GSA Insurance Brokers, a hack occurs every 39 seconds – with 43% of cyber attacks targeting small and mid-sized businesses.
Yet a 2017 survey found 56% of Australian small businesses don’t have cyber protection – or assume it’s already covered through their business insurance.[2]
Curley said that’s a common myth. Professional indemnity, business and public liability insurance won’t cover things like cyber extortion, data loss through a hack, or third-party costs.
“We insure our office buildings, even though they have sprinklers and a back-to-base fire alarm. But 99% of your revenue might be generated online, and you don’t think to protect that aspect of your business,” he said.
The changing face of fraud
Martin described the many different ways criminals are now extracting money from businesses – from ATO scams to fake documents and malware. “People trust too easily. They don’t look at the details – but hackers do.”
He is seeing an increase in payment modification scams, and daily reports of email compromise. “It’s important to verify any new instructions – call the sender to check it’s really from them.”
There are now over 200 million forms of malware, and they could be arriving in your business inboxes daily.
“Phishing is where you receive an email that appears to be from a trusted source, asking you to do something such as ‘click to verify your details’ or ‘download an attachment’,” explained Martin. That attachment could contain malicious code which injects a new web page into your browser – it might look like your bank’s online banking portal, for example.
“We’re also seeing an increase in ransomware demands – especially in small and mid-sized businesses,” said Martin. “You click on a link or attachment from a ‘trusted’ sender, and it launches a code that encrypts your files or locks down your screens and servers so you simply can’t operate.” With pressure to keep the business running, many business owners pay the ransom – often in bitcoin.
Not all scams come through email. Social engineering, where hackers manipulate people into revealing confidential information, often happens over the phone.
“Don’t make a payment on impulse. Take a step back if someone phones making urgent demands,” urged Martin.
An exponential effect on business bottom line
“Fraud can cause significant damage. You could lose a month’s turnover, but there are also long-lasting damaging effects to reputation and staff morale,” Martin said.
With Australia’s new data breach laws now in place, any organisation with revenue exceeding $3 million must comply by ‘promptly notifying individuals at likely risk of serious harm’ of any breach of their personal data.[3]
Otherwise, you could face fines of up to $2.1 million. And even when you do comply, there is the cost of notifying thousands of clients and containing any reputational damage.
Check your internal controls
Many businesses believe their third-party providers, such as cloud providers or web hosting platforms, are taking care of this issue. But the cloud is just as vulnerable as a data centre. “We see increasing reliance on third-party services,” said Martin. “Do some due diligence to make sure they’re covered.”
So how do you protect yourself from the risk of cyber fraud?
First, it’s important to get your business systems and protocols in place. Get your systems checked by a reputable IT company to make sure there are no trojans, malware or viruses. Educate your team on what a phishing email looks like, the red flags to watch out for, and how to report an issue if they spot something.
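The red flags mentioned above, and the earlier advice to verify any new payment instructions by phone, can be turned into a simple triage check that staff or a mail-handling script can run over an incoming message. The following is an added example written for this page, not code from Macquarie, GSA or the article; the trusted supplier domains, keyword lists and the four sample messages are all constructed for illustration, and the thresholds are assumptions.

```python
"""Heuristic phishing / payment-redirect red-flag checker (added example).

Constructed for illustration: the trusted-domain list, keyword lists and
sample messages are not real organisations or real mail.
"""
from dataclasses import dataclass, field

# Assumption: domains of suppliers and banks the business actually deals with.
TRUSTED_DOMAINS = {"acme-supplies.example", "mybank.example"}

URGENCY_WORDS = ("urgent", "immediately", "within 24 hours", "final notice")
CREDENTIAL_WORDS = ("verify your details", "confirm your password", "click to verify")
PAYMENT_WORDS = ("new bank account", "updated bank details", "change of bank", "remit to")
RISKY_EXTENSIONS = (".exe", ".js", ".scr", ".docm", ".xlsm", ".hta", ".vbs")


@dataclass
class Email:
    from_name: str
    from_addr: str
    reply_to: str          # empty string when the header is absent
    subject: str
    body: str
    attachments: list = field(default_factory=list)


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def red_flags(msg: Email) -> list:
    """Return a list of human-readable red flags found in the message."""
    flags = []
    text = f"{msg.subject} {msg.body}".lower()
    from_dom = domain_of(msg.from_addr)

    # Replies silently routed to another domain are a classic compromise sign.
    if msg.reply_to and domain_of(msg.reply_to) != from_dom:
        flags.append("reply-to domain differs from sender domain")

    # Display name borrows a trusted supplier's name but the address is elsewhere
    # (covers lookalike domains such as acme-supplies-billing.example).
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0].replace("-", " ")
        if brand in msg.from_name.lower() and from_dom != trusted:
            flags.append(f"display name impersonates {trusted} but sent from {from_dom}")

    if any(w in text for w in URGENCY_WORDS):
        flags.append("pressure to act urgently")
    if any(w in text for w in CREDENTIAL_WORDS):
        flags.append("asks you to verify credentials or details via a link")
    if any(w in text for w in PAYMENT_WORDS):
        # The article's rule: never act on new instructions without calling
        # the sender on a number already on file.
        flags.append("payment instructions changed: verify by phone on a known number")
    if any(a.lower().endswith(RISKY_EXTENSIONS) for a in msg.attachments):
        flags.append("attachment type can run code")
    return flags


def assess(msg: Email) -> tuple:
    """Return (level, flags); thresholds are an assumption for this example."""
    flags = red_flags(msg)
    level = "high" if len(flags) >= 2 else "review" if flags else "low"
    return level, flags


# Constructed sample messages (not real mail).
SAMPLES = [
    Email("Acme Supplies Accounts", "accounts@acme-supplies-billing.example",
          "accounts@acme-supplies-billing.example",
          "URGENT: updated bank details for invoice 4471",
          "Our banking has changed. Please remit to our new bank account immediately."),
    Email("MyBank Security Team", "alerts@mybank-secure.example", "",
          "Action required",
          "Click to verify your details within 24 hours or your account will be suspended."),
    Email("Acme Supplies Accounts", "accounts@acme-supplies.example", "",
          "Invoice 4471 attached",
          "Please find attached invoice 4471, due in 30 days.", ["invoice-4471.pdf"]),
    Email("Parcel Courier", "noreply@parcel-track.example", "",
          "Delivery notice",
          "Download the attached notice to arrange redelivery.", ["notice.docm"]),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        level, flags = assess(sample)
        print(f"[{level:6}] {sample.subject}")
        for f in flags:
            print("         -", f)
```

The check is deliberately coarse: it is a prompt for a human to pause and pick up the phone, not a spam filter, and a message that scores "low" still gets no more trust than its sender has earned. The genuine invoice in the third sample passes because its address matches the supplier domain already on file; the first sample fails on the same test even though the display name looks identical.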
“All this can also happen in their home if they work remotely, so make sure their home wi-fi is secure,” noted Martin.
Outsource your cyber response
Most smaller businesses don’t have the skills to negotiate with hackers or set up a data breach response team. But if you have cyber insurance, your insurer will set up a panel of experts to mitigate the loss and take immediate action.
“They know the first six to 12 hours of response are critical,” said Curley. “If it’s a denial of service attack or ransomware, they’ll check how real the threat is and if necessary pay the ransom.”
You can expect your cyber policy to also cover the costs of credit card monitoring (if that data is lost) and crisis management, as well as potential third-party costs such as litigation, penalties, and notification costs. “In our office alone, we see at least one claim a week for some form of social engineering fraud,” said Curley.
It seems that cyber insurance is the one risk tool your business can’t afford to operate without. But given it’s a relatively new product in Australia, it’s worth getting a broker’s advice first.