Protect your ‘primary asset’
A spate of recent high-profile data breaches underlined the danger that such attacks pose to both businesses and clients alike.
In some cases, criminals may pursue a ransom while in others they might then use customer information to target individuals directly.
“We’ve recently seen a massive uptick in attempts to crack into people’s accounts,” says Crowther. “They’re targeting retailers, trying to get access to customer accounts and steal credentials or steal any credit they might have.”
As a result, businesses need to be on high alert. Schirru says it is essential customer data is treated as a business priority. Key to this is clarifying what information the business actually needs from customers and what their responsibilities are when recording it.
“If they securely store customer data — and only hold customer details they actually need — then even if they were to be targeted for a breach, they’re less likely to actually suffer any type of information loss and, consequently, a financial loss.”
Mitigate this $227 million threat
Often an attempt on a business will first show up in an inbox, with 91% of all cyberattacks starting with email4, according to Microsoft.
One of the most common methods is known as a Business Email Compromise attack in which criminals impersonate a known person in order to fraudulently obtain access or money — sometimes even sending a message from an authentic email address.
In Australia, they cost businesses $227 million in 2021, the most of any scam affecting businesses, according to the ACCC.5
In one example, Glotzer explains that a property buyer received an invoice they were expecting from an agency and paid over $50,000 into the account nominated in the invoice. The email address the communications originated from was legitimate, but the bank details were not. The money was diverted immediately from the nominated bank account and stolen from the property buyer.
In this instance, the customer willingly transferred the money, albeit unknowingly to the wrong account. Not only did the property buyer lose their money, but they also still owed the sum transferred into the fraudster’s account to the legitimate vendor.
In sectors where substantial sums of money are commonly being transferred, the risks posed by these types of scams are particularly acute.
“If your business is making large payments to suppliers and they are writing to you to confirm that they’ve changed their banking details, how are you validating the legitimacy of this information? What are the processes that you are identifying and establishing to help mitigate the risk of fraud?” says Glotzer.
One simple way is to use agreed and distinct communication methods.
“If you receive a change of account message from a supplier, standard practice should be to contact their business verbally to validate the communication and account details, to make sure it’s legitimate. And check that the number that you call on the invoice matches your system records, as fraud is increasingly sophisticated and seemingly authentic. It might take a little extra effort, but it could save your business financially.”
Strengthen your weakest link
Types of attacks can differ, but many rely on the same thing to be successful: human error. In any process, people are going to be the primary target.
“If you look at scams and the way that they’ve evolved, it’s all around social engineering,” says Schirru. “Why would I bother trying to break into your house for example if I can convince you to open the front door and help me load the truck?”
To that end, all it takes is one staff member to fall victim to exposing the entire business. Business owners cannot monitor every threat their entity faces but they can ensure their employees’ training is up to speed on how to spot a warning sign.
This might involve running simulations of phishing emails to check that staff are recognising red flags— such as spelling mistakes, urgent language, and dubious links — and reporting anything suspicious they might receive. In other cases, it might be ensuring you have systems in place for dealing with incoming calls.
Businesses need to remain vigilant and ensure they are validating who they’re speaking with when dealing with external communications.
Not every small business has the scale to employ a full cybersecurity division, but that does not mean they do not have other resources at their disposal.
“Most businesses would be working with a managed service provider or MSP. Those are there to help businesses manage documents in the cloud, their websites, their cyber risk frameworks and data storage practices,” says Glotzer.
“Businesses should be thinking about how they’re partnering with their MSPs and making sure they have a clear checklist of the things you want them to be covering and advising you on.”
In an inflationary environment, business leaders may be looking to cut as many costs as they can, but they cannot risk skimping on security.
“You need to look at it like a form of insurance or business continuity plan, where you’re paying a premium to help protect against huge downside risk,” says Glotzer.
“Any asset that has a value should be protected, be it personal property, or a business. People wouldn’t consider leaving their homes unnecessarily vulnerable to theft. Cybersecurity protects business value, and client trust.”
In fact, if costs are a concern, a compelling business case could be made for engaging external partners.
“It can be really advantageous because it’s usually far cheaper and it means you get access to far more experience and knowledge than you would ever be able to build internally,” says Crowther.
Prepare for the worst
While business leaders are treating cybersecurity as a key priority, things can still go wrong. In case they do, it is crucial contingency plans are ready to go.
“If there’s a fire, employees know that they’ll need to evacuate the building and meet at a certain location down the road. The same principles go for your cybersecurity,” says Schirru.
“You’ve got to have playbooks in place on how to respond to an event. That might involve things around who to report to, what cascading communications look like and what other prudent risk management practices are there.”
For those plans to kick into action, there must also be a culture of transparency. Mistakes inevitably will be made so staff need to feel comfortable reporting them.
“Once someone discovers an event, they have to make it known as quickly as possible so that you can actually do something about it,” says Schirru.
That should include informing your bank — and possibly your partners and suppliers — about what has happened, he adds.
“If something has happened to one of our Business Banking customers, which could ultimately impact their customers, then that is something they need to bring to our attention as quickly as they can, so that we can find out first what happened, what the scale of it is and what we can do to remediate.”
While banks cannot advise a business directly, Macquarie may be able to direct customers to its fraud team if they are worried about a particular event or compromise.
But even when things go wrong, Schirru reminds customers they should never disclose their banking details, passwords or security codes to anyone, including their own bank.
When assessing their cybersecurity, robust businesses start by analysing where the biggest risks lie.
“You have got to understand what is most valuable and ask yourself what someone would want to steal and that will change industry to industry. For law firms it might be sensitive documents whereas for a construction company, it could be intellectual property,” says Crowther.
“So, you rank your assets in terms of what could hurt you, whether it’s the reputational risk or losing a competitive advantage, and then you figure out your strategy to defend against it rather than the other way around.”
There are no guarantees that what works today will work tomorrow. Businesses should be periodically checking that they have adequate protections in place.
“There is never going to be a single way to protect against cyber criminality. It is important to agree on the governance frameworks that businesses have to help manage ongoing risk,” says Glotzer.
“The risks will evolve as cybercriminals get better at what they do. It’s imperative to stay abreast of change.”