In IBM’s 2017 Cost of Data Breach Study, it was revealed that the average cost of a data breach for Aussie businesses is declining. While that is good news, businesses that are affected by cyber crime are still looking at an average cost of around $2.51 million per incident. When you consider the costs involved in investigating the incident, notifying the victims, the loss of customers and the loss of the data itself, it’s easy to see how that would add up to millions.
So what exactly is cyber crime and what can businesses do to protect themselves against it? Security Specialist Nikolai Hampton from Impression Research and Engineering Manager Marc Dergacz from RedEye are here to answer all of our cyber security questions.
What you’ll learn in this article:
- What is cyber crime
- The state of cyber crime in Australia
- How to implement your own security policy
- More about Nikolai and Marc
What is cyber crime?
Cyber crime is when a person or group accesses a device or an online account illegally for profit or for other malicious reasons. It includes holding data for ransom, stealing funds from bank accounts, corporate or personal identity theft or selling stolen information. Cyber crime can be highly lucrative and is fairly easy for criminals who target businesses with little or no cyber security measures in place. Some common types of cyber crime include:
- Short for “malicious software”, a general term for software installed on a device that intentionally causes damage to it, including spyware, viruses, trojan horses and more.
- Software that is installed on a device without the user knowing, and that presents pop-up ads to the user within the programs they are using.
- Emails or websites that appear genuine but are designed to obtain information, including personal details and bank account details.
- Cleverly worded content, in the form of an email or website, designed to trick users into downloading malware or giving out personal information.
- Software that blocks or encrypts data on a device until the user pays a fee. This is extortion, and paying the fee almost never solves the problem.
- Software installed on a device without the user knowing, in order to steal information.
- Software disguised as a genuine and useful file that contains hidden code, which installs itself when the fake “trojan horse” file is opened or installed.
- Software installed without a user’s consent that corrupts and duplicates itself across multiple programs within a device, much like a contagious biological virus.
Cyber crime in Australia
Cyber crime is out there and can have a real impact on your business. Let’s look at some quick stats for Aussie businesses from StaySmartOnline:
- 43% of cyber crime is aimed at small businesses
- 80% of malicious data breaches involve stolen or weak passwords
- 59% of Australian organisations experience some level of cyber crime each month
Businesses open themselves up to cyber crime by using weak passwords, running poorly maintained servers and having limited cyber security processes.
The average time taken to resolve a cyber attack is 23 days – can you afford the business disruption, lost revenue and information/productivity loss?
How to reduce the risk of cyber crime
There are simple steps you can take to protect your business and your customers. It only takes a day or two to plan, an hour each week to manage and maintain, and a few hours each quarter to review.
Step 1: Don’t panic! Form a working group to make a plan for cyber security
It’s important that you have senior management approval driven by a desire to make things better. The working group should represent a cross section of your business activities – people from HR, finance, customer support, sales, IT, security etc. Security doesn’t exist in a vacuum. It needs to support the objectives and functions of the business. This team might also form the basis of your very own SIRT (Security Incident Response Team), who can spring into action to respond effectively to security events.
Step 2: Make sure your plan is policy-driven
You’re going to need a security policy whether you write it proactively or reactively (after a threat has occurred), so the sooner the better! The policy might include a description, goals, controls, remedies, responsibilities, document ownership and a review date.
Building a policy generally starts with understanding your business assets, from computers and network equipment, to your bank accounts, customer data and staff. The policies you develop will implement controls that reduce risks to these assets. For example, if your asset is a customer email list, your controls might include things like:
- Emails to the customer list must always be sent BCC
- The correct use of the BCC field should be cross-checked by another member of the comms team
- Only Barry and Susan are permitted to send bulk emails
- The mailing list should only be accessible from authorised comms team computers
The actual assets, risks and controls you choose to focus on will depend entirely on how your business operates.
For most organisations, identifying and assessing risk to assets is the most complicated part of the process. It takes some technical understanding of current security threats and likelihood in order to make informed risk decisions. You should be able to identify many risks and threats yourself, and then engage with security experts to review your work and further identify risk management concerns.
Step 3: Implement the plan
Many parts of the plan can be implemented without any security expertise. For example, your security policy may require that staff don’t reuse passwords between work and social sites. Implementing the policy would involve communicating the new password policy, its reasons and what staff are expected to do.
Other policies will require input from technical, IT or even finance resources. Perhaps the plan needs someone to ensure the VPN software is running the latest version or to configure network firewall rules, or perhaps the finance team is responsible for regularly changing the online banking password.
Step 4: Make cyber security a team activity
Your policies also need continual monitoring (or assurance) – the policies aren’t worth anything if people ignore them. Make sure your teams all understand what is happening and why. You can also involve your SIRT (from Step 1).
Step 5: Maintenance and review
Because your business needs change and security threats always evolve, it is important that you regularly review your security policies. You should schedule a regular meeting to at least ‘glance’ over your existing policies and identify what sections are still appropriate, what sections need review, and any new threats that have been identified. The security incident response team should also review and adjust security policies following a security breach, or a newly discovered threat.
- If your executive team would like you to quantify a security return on investment, use this resource
- Sign up to free update emails, like the Stay Smart Online Alert Service, for the latest information
- Security policy 101: How to develop security policies for your business
- Quick Dirty Guide to Security Policy Creation
Australia has a Notifiable Data Breaches (NDB) scheme, which means businesses must notify individuals whose personal information is involved in a data breach which is likely to result in serious harm. Government and organisations with a $3m+ annual turnover, private sector health service providers and other businesses must be across the scheme.
About Nikolai and Marc
Marc is RedEye’s Engineering Manager and has almost twenty years’ experience in software development, infrastructure and information security. Marc is an information security expert and ensures RedEye clients are covered for information security and privacy. He is dog-Dad to Casper who is also a RedEye security expert and office dog.
Nikolai is a trusted security policy and technical specialist with more than twenty years’ experience in security systems analysis, policy development, DFIR, security project management and implementation. Nikolai holds a Master’s degree in cyber security and has co-authored several peer-reviewed academic and industry research papers. He has presented at Australian and international security conferences and covers a wide range of security topics including policy, digital forensics and reverse engineering.