The Australian government has pledged increased spending to strengthen Australia's cyber security capabilities. That does not relieve organisations of the need to invest their own resources in preventing, detecting and managing cyber attacks.
A successful attack can suspend business operations, erode stakeholder trust and damage the brand. In addition, if an organisation fails to take reasonable steps to protect the personal information it holds, it may find itself dealing with the Privacy Commissioner for a breach of the privacy laws.
Security challenges for companies
There are many security challenges facing individuals and companies. One cause for concern is spear-phishing: email that targets specific individuals who are likely to hold the information or access the attacker wants. Social media profiles, LinkedIn in particular, are commonly mined for names, roles and reporting lines. Once enough information has been collated, the attacker builds a believable story and sends an email that appears to come from a person or business the recipient knows. CERT Australia has received reports from a number of Australian businesses of fraudulent emails claiming to be from a senior executive within the company and requesting that finance staff transfer funds to an external bank account.
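The executive-impersonation emails described above share a recognisable shape: a display name that matches a senior person, a sender or Reply-To address outside the company's own domain, and a body that pairs a payment request with urgency. The following check, added here as an illustration and not taken from the article or from CERT Australia, flags that pattern in raw message headers. The company domain, the executive names and the two sample messages are all constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed values for illustration: the organisation's own mail domain and
# the executives whose names an attacker is most likely to borrow.
COMPANY_DOMAIN = "example.com.au"
EXECUTIVES = {"jane citizen", "john smith"}

PAYMENT_WORDS = ("transfer", "wire", "payment", "invoice", "bank account")
URGENCY_WORDS = ("urgent", "immediately", "asap", "today", "confidential")


def _tokens(name: str) -> set:
    """Lower-case, letters-only tokens of a display name ("J. Citizen" -> {"j", "citizen"})."""
    return set(re.findall(r"[a-z]+", name.lower()))


def _domain(address: str) -> str:
    """Domain part of an address, lower-cased; empty string if there is none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def _matches_executive(display_name: str) -> bool:
    """True when the display name is an executive's full name or shares their surname."""
    tokens = _tokens(display_name)
    if not tokens:
        return False
    for exec_name in EXECUTIVES:
        if tokens == _tokens(exec_name) or exec_name.split()[-1] in tokens:
            return True
    return False


def check_message(raw: str) -> list:
    """Return a list of indicator strings for one RFC 822 message; an empty list means nothing was flagged."""
    msg = message_from_string(raw)
    findings = []

    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(from_addr)

    # 1. An executive's name in the display name, but the address is not ours.
    if _matches_executive(from_name) and from_domain != COMPANY_DOMAIN:
        findings.append(
            f"display name '{from_name}' matches an executive but sender domain is '{from_domain}'"
        )

    # 2. Reply-To steers the conversation to a domain other than the one it claims to come from.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and _domain(reply_addr) != from_domain:
        findings.append(
            f"Reply-To domain '{_domain(reply_addr)}' differs from From domain '{from_domain}'"
        )

    # 3. Subject or body combines a payment request with urgency: the classic funds-transfer lure.
    if msg.is_multipart():
        body = "\n".join(
            p.get_payload() for p in msg.walk() if p.get_content_type() == "text/plain"
        )
    else:
        body = msg.get_payload()
    text = (msg.get("Subject", "") + "\n" + body).lower()
    if any(w in text for w in PAYMENT_WORDS) and any(w in text for w in URGENCY_WORDS):
        findings.append("subject/body combines a payment request with urgency")

    return findings


# Constructed sample messages (not real traffic).
SUSPICIOUS = """\
From: Jane Citizen <jane.citizen@webmail.example.net>
Reply-To: Jane Citizen <ceo.office@another.example.org>
To: accounts@example.com.au
Subject: Urgent wire transfer

Hi, I need you to process a payment today to the account below. Keep it confidential.
"""

LEGITIMATE = """\
From: Jane Citizen <jane.citizen@example.com.au>
To: accounts@example.com.au
Subject: Board papers

Please circulate the attached board papers before Friday.
"""

if __name__ == "__main__":
    for label, sample in (("suspicious", SUSPICIOUS), ("legitimate", LEGITIMATE)):
        print(label, "->", check_message(sample) or "no indicators")
```

The display-name and keyword matching is a heuristic and will produce false positives on its own; it belongs alongside SPF, DKIM and DMARC enforcement on the company domain and, above all, a standing rule that any change of payee or unusual transfer request is confirmed with the requester by a channel other than the email that asked for it.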
Ransomware a growing concern
Another scam on the rise is ransomware: extortion by means of malware that encrypts the files on a victim's computer and demands payment in exchange for restoring access. The Trends 2016: (In)Security Everywhere report by IT security firm ESET describes the growing sophistication of ransomware attacks, which have expanded from desktop computers onto mobile devices.
Australians are being targeted
Cybercriminals are joining forces to offer ransomware-as-a-service and are collaborating at different stages of malicious campaigns. According to some reports, malware authors are willing to pay more to have their code placed on computers in Australia than elsewhere. It is unclear why Australians are singled out. Some experts suggest that the willingness of Australian organisations to pay, rather than risk having their operations shut down, makes them an attractive target. Australian businesses are not alone in paying ransoms to criminals, however. Earlier this year a Los Angeles hospital paid 40 Bitcoins (around USD17,000) to unlock files that ransomware had encrypted.
Having a data breach response plan is a must
According to the Office of the Australian Information Commissioner (OAIC), every organisation bound by the Privacy Act should have a data breach response plan ready to use when personal information is lost or accessed without authorisation, whether through a phishing attack, a ransomware infection or otherwise. Having such a plan helps an organisation comply with Australian Privacy Principle (APP) 11, which requires organisations to take reasonable steps to protect the personal information they hold.
These plans should describe:
- Who is responsible for managing the response, and at what point a suspected breach must be escalated to them;
- What should be done if a data breach occurs, including whether the organisation is contractually required to take any specific action;
- Whether to notify affected individuals, key stakeholders and the OAIC; and
- How to review the incident and take action to prevent future breaches.
Implementing a clear data breach response plan, and testing it before it is needed, allows an organisation to demonstrate compliance with the APPs. It also improves the organisation's prospects of retaining or repairing customer trust after a cyber attack.