The cyber security landscape is constantly evolving, but some things never change. The current threat landscape follows the familiar pattern of malicious actors taking advantage of crises to profit from them. This was the case during the COVID-19 pandemic and, more recently, with the tensions between Russia and Ukraine, which could have cyber security implications globally. This guide is an overview of some recent trends that highlight the importance of cyber security for all organisations, including not-for-profits.
Impacts arising from scams in Australia
The Australian Competition and Consumer Commission (ACCC) recently released a report on scam activity for 2021. Indications are that actual losses to scams in 2021 were over $2 billion. Investment, payment redirection (business email compromise) and romance scams caused the most losses. The most prevalent contact methods used for scams were voice calls, text messages and social media platforms, and the payment methods used were bank transfer and cryptocurrency.
The increasing use of social media and messaging apps to stay connected and exchange information presents security and privacy risks. The Australian Cyber Security Centre (ACSC) has recently released guidance to assist organisations and individuals with the secure usage of these platforms.
Cyber security impacts arising from the tensions between Russia and Ukraine
Over the past months, the ACSC has urged Australian organisations to urgently adopt an enhanced cyber security posture following increased global cyber risk. For not-for-profits, this means continuing to focus on cyber security fundamentals:
Be vigilant with communications you receive such as emails and text messages, particularly those that convey a sense of urgency or request donations to charities. These may be scams or phishing attempts that ask you to click on links or give up information.
Use strong passwords to protect access to all your IT systems, and multi-factor authentication on your important user accounts.
Keep your devices and applications updated – vulnerabilities in devices and software provide opportunities for malicious actors to compromise your IT systems and information.
Understand the steps you would take in the event of a cyber security incident. Contact the ACSC for assistance in the event of a cyber security incident that impacts the operations of your organisation.
Ransomware has affected organisations around the world and, in recent times, more so in the space of essential services and critical infrastructure. The Australian Cyber Security Centre (ACSC) noted a 15% increase in ransomware reports in the 2020-21 financial year. In May 2021, JBS Foods, a global meat and food processing company with a presence in Australia, had operations disrupted by ransomware; the same month saw an outage in the network of Colonial Pipeline, a US fuel pipeline operator. This led to the panic buying of fuel, a spike in energy prices and the declaration of a state of emergency in some US states.
Not-for-profits haven’t been spared from such attacks. The health care and social assistance sector was the second-highest reporting sector of ransomware-related incidents in Australia, according to the ACSC Cyber Threat Report 2020-21. With the health sector under pressure due to the pandemic, cyber actors viewed health organisations as more vulnerable.
Holding organisations to ransom by introducing malware that locks them out of their own information systems appears to be the preferred method of cybercriminals. Malicious actors use personal information found on social networks, along with other social engineering tactics, to launch phishing and spear phishing attacks that deploy ransomware. Phishing-style compromises tend to originate via email, messaging applications and SMS. One common technique is ‘double extortion’, where a ransom payment is demanded to unlock encrypted data, and then a second payment is demanded to ensure the data is not released into the public domain.
The exploitation of publicly reported security vulnerabilities in applications and IT systems allows state-sponsored and cybercriminal actors to act quickly and catch organisations by surprise. Successful infiltration of IT networks results in stolen data and compromised personal accounts. This kind of attack will continue to be used for improper gain as online technologies extend into all facets of life, such as with Internet of Things devices.
Use of stolen credentials
According to the recent 2022 Verizon Data Breach Investigations Report (DBIR), stolen usernames and passwords are the second most common threat facing small organisations, behind ransomware. Stolen credentials give attackers access to systems, which provides opportunities for the theft of personal information, access into other IT systems or networks, or an avenue for deploying ransomware.
Business email compromise
Business email compromise (BEC) refers to cybercriminals impersonating a stakeholder such as a supplier or staff member to scam an organisation. This can happen via phishing emails or pretexting, the human equivalent of phishing, where a malicious actor impersonates a business partner or bank employee, for example, to gain access to login information. It can result in the loss of funds or products. BEC scams caused the highest losses to businesses, with combined losses of $227 million in 2021. While BEC scams have impacted organisations for years, they have become more prevalent and more successful during the pandemic. The shift to remote work means staff are less able to personally verify email requests with colleagues than they were when working alongside each other. Organisations purchasing pandemic-related supplies have been especially targeted by these scams.
As networks and supply chains bind us ever closer together, such methods will continue to be a means by which malicious actors can compromise organisations, particularly via third parties such as suppliers or contractors.
Even organisations with basic cyber hygiene practices in place can be affected by this type of attack, because a single supplier compromise, for example, gives cyber criminals a path to impact a number of organisations at scale.
Data privacy breaches
Data privacy breach trends from the Office of the Australian Information Commissioner (OAIC) Notifiable Data Breach report (July-December 2021) indicate that criminal attacks were the primary source of data breaches reported, with human error and system faults being the other major sources. Phishing, compromised/stolen usernames and passwords and ransomware were the main causes of these data breaches. The health sector in Australia remains the sector with the highest reporting rate of data breaches. The most common types of personal information involved in a data breach are an individual’s contact information, identity information and financial details.
Improving security practices within organisations to uphold data privacy is key to bolstering digital trust and driving the protection of personal information.
What to do to keep your organisation secure
The advice for organisations to protect themselves against these threats consists of tried and true methods, including the following taken from the 2022 Verizon Data Breach Investigations Report:
Know where sensitive or valuable information is located and apply appropriate protective measures from both a process and a technical perspective.
Train staff on how to recognise phishing attempts and use passphrases, and have processes in place to prevent business email compromise scams, such as out-of-band methods for verifying a change of bank details.
Implement the ACSC Essential 8 mitigation strategies as the primary technical mechanism to prevent and reduce the impact of a cyber security incident. These measures include employing multi-factor authentication and keeping IT systems and applications up to date.
Do not reuse passwords across user accounts. Consider using a password manager to store passwords and to share passwords securely when required.
Know who your key suppliers are in terms of the risk profile they present: what they do for your organisation and their link to your key business processes. Ask your suppliers cyber security questions and ensure supplier contracts include expectations to maintain the security of your information and other measures such as data backups, where applicable.
Understand how your data backups work and ensure you can restore from backup if required.
Use antivirus software on your devices.
Have a cyber security incident response plan that outlines roles and responsibilities and steps you would take in the event of a cyber security incident. Report cyber security incidents via ReportCyber to assist the ACSC with understanding the Australian cyber threat environment.
The ACSC has a series of personal security guides available with information on how to protect yourself from cybercrime. We all have a role to play in securing our digital environment and being cyber smart. For more information on the basics to have in place to secure your organisation refer to our guide on the domains of cyber security.