Don’t break your clients’ cyber trust


Protect your business against cyber criminals.

The potential for cybercrime has grown dramatically over the past few years as cyber criminals continue to adopt more profitable and effective tactics. According to Deloitte, many organisations are still unprepared to deal with different types of attacks and – at best – are aiming to mitigate the risk, rather than prevent the attacks in the first place.

As an insurer, managing and protecting people and businesses from risk is what we do. As part of our global contribution leadership, Zurich produces the Global Risk Report – in strategic partnership with the World Economic Forum – which is an analysis of the interconnected and rapidly-evolving nature of global risks.

Tellingly, over the past two to three years, cyberattacks and related incidents have been named among the most likely and most potentially impactful global risks in our Report, costing the global economy an estimated US$445 billion per year[i]. To put this in perspective, the cost of crimes in cyberspace is now higher than many economies’ national incomes.

Here in Australia it's costing individuals and their businesses between $1 billion and $17 billion every year, and recent high-profile data security scandals such as the leaked Panama Papers are shining a harsh light on the importance of data safety, especially for small businesses. Now, more than ever, clients want to be confident that the businesses they trust with their sensitive information are reliable and treat their data with safety and respect.

The good news? Despite the level of negative media scrutiny at the moment, it has been revealed that the financial services industry is the “most trusted” in Australia when it comes to clients’ data privacy[ii], overtaking government as leaders.

However, consumer trust is hard won – particularly in the financial services industry – and advisers should always be looking for ways to deepen trust and engagement with their clients. So with cybersecurity continuing to be a significant risk in the digital age, it may be time to review your business’s security to safeguard against the loss of vital business data and, most importantly, your customers’ trust.

Meet your legal obligations

At the most basic level, all small business owners should be in adherence with the Privacy Act 1988 (Privacy Act), which contains 13 Australian Privacy Principles (APPs) that most private sector organisations must follow when they handle personal information.

There are stricter obligations for sensitive information such as an individual’s health, race, ethnicity, religious beliefs and sexual orientation. For example, businesses must not collect sensitive information about an individual unless the individual has consented and the information is reasonably necessary for the entity’s functions[iii].

Other important data protection acts include the Telecommunications Act 1997 (Cth) and the Spam Act 2003 (Cth). 

Beware ransomware

Trojan horses (programs that claim to rid your computer of viruses but instead introduce viruses onto your computer) have been the traditional battleground for antivirus software for decades and, thankfully, most of us have become pretty savvy at spotting and protecting ourselves from this threat. It isn’t the time to be resting easy, however: a newer, tougher player – ransomware – has entered the game. Online criminals use it to block access to your critical files until they’re paid to release them[iv]. Typical ransom demands are about $300, according to the Symantec report, but victims – including companies and government agencies – can often be induced to pay more for access to their data.

Last year, the FBI registered 2,453 complaints about ransomware attacks that cost users more than $1.6 million USD. In the Asia-Pacific region, Australia is the most targeted country when it comes to ransomware and is ranked fairly high globally as well. There was a 141% increase in ransomware attacks in Australia last year and this growth is expected to continue well into 2016[v].

And as the attacks have proven lucrative, they’ve also grown more sophisticated. Some of the ways computers and mobile devices can be infected include[vi]:

  • Links in emails or messages in social networks. In this type of attack, the victim clicks a malicious link in an email attachment or a message on a social networking site. Perpetrators of this type of scam are becoming very creative, for example sending out fake LinkedIn invitations that are virtually indistinguishable from the real thing. As soon as you click on ‘view profile’, the damage is done.
  • Pay per install. This popular method attacks computers that are already part of a botnet (a group of infected computers under the control of criminals called botmasters), further infecting them with additional malware. Bot herders (criminals who look for security vulnerabilities) are paid to find these opportunities.
  • Drive-by downloads. This form of ransomware is installed when a victim visits a compromised website. Researchers have seen an increase in this method recently, with users of some streaming video portals particularly vulnerable.

The concerning thing is that for some current ransomware, authorities do not yet know how it is distributed. One such example is Jigsaw, which not only encrypts your files but also deletes them if you take too long to make the ransom payment of $150 USD. The Jigsaw ransomware, named after the iconic character that appears in the ransom note, deletes files every hour, and each time the infection starts, until you pay the ransom.

Protect yourself (and your clients)

  1. Use reputable antivirus software and a firewall. 
  2. Back up often. If you back up files to either an external hard drive or to an online backup service, you diminish the threat. Ideally you should back up data every six months or less.
  3. Enable your popup blocker. Popups are a major tactic used by cyber criminals, so use your blocker to avoid even accidentally clicking on an infected popup. If one does appear, remember the buttons within a popup might have been reprogrammed by the criminals, so do not click on them.
  4. Exercise caution. Don’t click on links inside emails, and avoid suspicious websites. If your PC does come under attack, use another computer to research details about the type of attack. But be aware that criminals are advanced enough to create fake websites that may recommend their own fake antivirus software or their own decryption program.
  5. Disconnect from the Internet. If you receive a ransomware note or similar virus, disconnect from the Internet so your personal data isn’t transmitted back to the criminals. If you have backed up your data, you can re-install software. If you don’t feel comfortable doing so or you are unable to start fresh, you may need to take your computer to a reputable repairer.
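Step 2 above only works if the backup is complete, unmodified and recent when you come to restore it. The following Python script is an added example, not code from the article or from Zurich: it copies a folder to a backup location, records a SHA-256 manifest, and then re-checks the backup so that a missing file, a file that has been overwritten (which is what an encrypting infection leaves behind if it reaches the backup drive) or a backup older than a chosen threshold is reported rather than discovered on restore day. All names (`make_backup`, `verify_backup`, `demo`) and the sample client files are constructed for this illustration.

```python
"""Backup-and-verify helper (added example, not from the article).

Copies a directory, stores a manifest of SHA-256 digests, and later verifies
that every listed file is still present and unchanged and that the backup is
not older than a threshold. Sample data below is constructed.
"""
import hashlib
import json
import os
import shutil
import tempfile
import time
from pathlib import Path

MANIFEST_NAME = "manifest.json"


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large files don't need to fit in RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(source: Path, dest: Path) -> dict:
    """Copy every file under `source` to `dest` and write a manifest mapping
    relative path -> digest, plus the time the backup was taken."""
    if dest.exists():
        shutil.rmtree(dest)
    shutil.copytree(source, dest)
    hashes = {
        p.relative_to(source).as_posix(): sha256_of(p)
        for p in sorted(source.rglob("*"))
        if p.is_file()
    }
    manifest = {"created": time.time(), "files": hashes}
    (dest / MANIFEST_NAME).write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_backup(dest: Path, max_age_days: float = 180) -> dict:
    """Re-hash each file in the manifest and report missing or modified files
    and whether the backup is older than `max_age_days` (default: the article's
    six-month upper bound; lower it for data that changes daily)."""
    manifest = json.loads((dest / MANIFEST_NAME).read_text())
    missing, modified = [], []
    for rel, digest in manifest["files"].items():
        p = dest / rel
        if not p.is_file():
            missing.append(rel)
        elif sha256_of(p) != digest:
            modified.append(rel)
    age_days = (time.time() - manifest["created"]) / 86400
    stale = age_days > max_age_days
    return {
        "ok": not missing and not modified and not stale,
        "missing": missing,
        "modified": modified,
        "stale": stale,
    }


def demo() -> tuple:
    """Constructed run: back up a small client folder, confirm it verifies,
    then damage the backup copy and show that verification catches it.
    Returns (report_before_damage, report_after_damage)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src, dst = root / "clients", root / "backup"
        (src / "notes").mkdir(parents=True)
        (src / "smith_policy.txt").write_text("policy 1234 - constructed sample\n")
        (src / "notes" / "meeting.txt").write_text("renewal due July - constructed\n")

        make_backup(src, dst)
        clean = verify_backup(dst)

        # Simulate damage to the backup itself: one file overwritten with
        # random bytes (as an encrypting infection would), one file deleted.
        (dst / "smith_policy.txt").write_bytes(os.urandom(64))
        (dst / "notes" / "meeting.txt").unlink()
        damaged = verify_backup(dst)
        return clean, damaged


if __name__ == "__main__":
    before, after = demo()
    print("fresh backup verifies:", before["ok"])
    print("after tampering:", after)
```

Keep the manifest with the backup and keep the backup on a drive or service that the working computer cannot write to routinely; a verification that runs on a schedule (rather than only at restore time) is what turns "back up often" into something you can actually rely on.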

Don’t negotiate with cyber criminals

Governments do not negotiate with terrorists, and similarly experts do not encourage people to give in to cyber criminals. Paying only funds the criminals to continue developing more advanced and sophisticated ways of delivering ransomware to your computer. What’s more, there is never a guarantee that after you pay, the hackers will give you the decryption key to unlock your data. And even if you do pay the ransom and end up getting your information back, there’s a good chance the hackers will come after your data again asking for more money, because they now know how willing you are to pay.

The thing to remember is if you don’t have a back-up and you don’t have protection, you are gambling. Not just with your own information but that of your clients.

——–

[i] World Economic Forum, ‘The Global Risk Report 2016’, 11th edition.

[ii] Deloitte, ‘Australian Privacy Index 2016’.

[iii] Hogben, U, ‘Data protection for small entities’, The Sydney Morning Herald, 10 May 2016.

[iv] Melendez, S, ‘Ransomware Attacks Are Still On The Rise, Experts Warn’, Fast Company, 1 June 2016.

[v] Lui, S, ‘Ransomware Cybercriminals Love Australia’, Life Hacker Australia, 14 April 2016.

[vi] Intel Security, ‘How Ransomware Infects Computers’.