Season 1 Episode 2: Cyber risk considerations for new and growing businesses
Bastien: Businesses starting up these days face the challenge of small budgets and often aren’t generating revenue; they’re just not thinking about cybersecurity from day one. It’s something that we really need to address in Australian culture. We had a customer come to us and ask us to hack into their system; what they wanted us to find out was how easy it would be to move money out of their environment. The combination of flaws on their part as a business was that they had weak passwords and a very loose office environment where complete strangers could easily walk in and out. That’s one of the exploits we used: we walked into their office and quickly identified who the accounts person was, then we used a keylogger to essentially record the keystrokes on the keyboard. We watched them for a few days and noticed they were using a big bank that essentially had a system that would allow you to upload in and out transactions using an APA file. An APA file is an easy way to upload ten, twenty, fifty, a hundred different transactions to a bank account for execution in a row. We were intercepting that file and changing the bank account details to ours, and leaving the account names and amounts the same. So when they uploaded the file they would look at the file and look at the account screen quickly, they would see that the total added up and the names looked correct, then they processed it and just transferred $100,000 into our bank account.
There are some pretty simple things that can be done to stop that from happening. They had some issues with passwords, they had no software that was able to detect a keylogger installed on the box, and they had very poor social engineering rules. Having people walk in and out of the office that you don’t know is a huge risk to any business. A really simple way to protect yourself from that, if you see someone in your building and you don’t know who they are: as part of the onboarding process you can teach all your staff a simple question like “how was your weekend?”, and all staff can be trained to answer in a funny and specific way. So if they answer incorrectly you can call security or the police.
The organisations actually perpetrating these crimes are very effective, they’ll sit there and watch communications between customers, admin people, accounts people for quite some time. They will actually get an understanding of the language to use, of what might be an appropriate question, what might be an appropriate push. They really mimic the behaviour of the customer and the startup to extort money, and they’re getting better and better at it. We’ve created a framework for startups and even some really interesting pricing models that grow with them as they mature. It’s super important that they take security seriously from day one.
An example of a company that hasn’t done that well was a small startup generating a little bit of revenue. They had an admin person that processed all the invoices, did all the banking, customer service, and management. They hadn’t thought about cybersecurity at all and unfortunately they were the victims of some invoice fraud, which we see more and more of in Australia. A lot of our clients that come to us now just have invoice fraud or email fraud. There are some very simple things that you can put in place to completely prevent that, and these guys that are setting up these criminal enterprises overseas are essentially exploiting weaknesses in social engineering, email phishing, and invoice fraud to extort reasonably large amounts of money out of small businesses that just can’t afford it.
In this case the customer lost $43,000, which for a startup is not something that is particularly palatable. What actually happened here is that the admin person went away on holidays and they had poor password security. The attackers managed to get access to an Office 365 account, and using that account they sent a message to the customer saying that as a business they’d changed their banking records and details, please pay the invoice as much as you can. They’d also been watching the customer interaction, and this particular startup had been hassling the customer for a while, so it wasn’t unusual for them to contact them and ask for money to be paid. Bank accounts were changed, $43,000 was lost, uninsured, a huge hit to the startup.
So we know these days the face of the hacker has changed; it’s no longer the hoodie-wearing teenager defacing websites. They’re well organised criminal organisations, whether they be local or offshore. Fergus, you’ve been in the cyber risk industry for twenty-five years and have seen it change, what are some examples you’ve got of this?
Fergus: It’s very interesting what happened and I’ve been monitoring trends in this. So Verizon, the large global internet and network company, every year releases their Data Breach Investigations Report. Their forensics team are involved in investigating these actual breaches that have happened globally. It’s a bit of a bible for those of us who work in security, and what it said for the first time in 2017-18 is that more than fifty percent of the breaches they investigated were perpetrated by organised crime.
So the cyber landscape has changed for all businesses. When I first started in this industry the sort of crimes that we’d see from a cyber risk point of view would be more like website defacement and those kinds of things. Now we’re seeing sophisticated attackers, organised criminals who are well resourced; some of them even have call centres when they’re trying to extort money from people or to get people to pay bills that they shouldn’t. That’s the landscape changing and I think that’s very concerning, and it’s not going to get any better. So vigilance from the customer’s point of view is essential, no matter what size they are.
Bastien: We see that hackers look for the easiest way to get funds. This is why they’re doing it. They’re either getting data and selling it on the dark web for a price, as Fergus alluded to, whether that be personal identifier information or medical records, because they’re valuable on the dark web, or they’re going straight for the money. The easiest way to get money out of any business in Australia or worldwide is to take control over their invoicing system and redirect funds to a bank account of their choosing. It’s something that Australian businesses fall for perhaps more than other countries because of our trusting attitude.
Fergus: What are the hackers capable of once they’ve gained access to your systems?
Bastien: I mean, how long is a piece of string? Everything from monitoring your conversations within emails… From my point of view, when we’re tasked with breaking into an organisation, once we have that email access we’re looking for key things such as instructions to transfer money, what financial systems they use, what resourcing systems they use, and what banking systems they use. If we’re talking about simply access to a machine then we can watch keystrokes. Realistically, once the hacker has control over your laptop and you use that laptop for personal purposes, they can very easily take photos using the webcam. It seems perhaps paranoid to put a cover over your camera, but if you haven’t taken cybersecurity seriously I would one hundred percent be sticking that bandaid over the camera on your laptop. Mark Zuckerberg’s a good example; he’s not being too paranoid because he would be the target of thousands of cyber attacks a day.
You’ve got to remember the goal is to extort money, data, and IP. Businesses these days are paying thousands of dollars for contact databases, whether that might be a list of CIOs or HR managers – these lists are expensive. Medical research companies are paying thousands of dollars for medical records of Australians for legitimate purposes, but at the same time a hacker can sell these through shelf companies and skirt that world of illegally getting records and then move over to a legal means of selling them. So the list is as large as your imagination can make it. We’ve got access to every peripheral, every input method and every output. Be it a printer, camera, mouse inputs, usage patterns, your location. Something as simple as the pattern of an executive who earns a lot of money: if a criminal could advise a local gang that the whole family isn’t going to be there that weekend, then they can go into the house, disarm the alarm system and steal whatever it may be.
Criminals are inventive people. The hackers are perhaps more timid and stay in the background, but the criminal organisations out there that are willing to buy this information, whether it be location, data, IP, lists – they’re out there and they’re paying a lot of money.
Fergus: Social engineering fraud has been around for as long as humanity; people have been committing these kinds of trickster crimes for centuries. I think what has changed now is that we’ve become a lot more dependent on technology to do the same things that are traditional crime. For example, if someone manages to convince a partner company or a customer to transfer money into a bank account that’s one of the criminal’s bank accounts, that’s crime. Not necessarily a cybercrime, because you could’ve done it with a fax machine or cheque fraud. The fact that it’s been around for so long and the reason why it’s become so much of a concern (and it’s a huge amount of money that gets lost each year) is because a lot of people are not adequately securing their systems. We go back to the same things that Bastien and I harp on about all the time: strong passwords, use encryption, know where your data is, and these kinds of things.
Bastien: We see that startups are really trying to find their own feet and develop their own business processes. If they think about cybersecurity from an early stage they really only have to follow three high level steps. The first one is to understand what makes them valuable as a business. Often with startups it might be IP that they’ve developed or data that they hold; it might also be people or consulting; it could also be the invoicing coming in and out, which is a hugely important thing for a startup to protect. Once you properly understand what is in your small business you need to properly protect it. The first step to that is to define it and understand what the impact would be.
Fergus: But for startups one of the key things that could be crippling is reputation and brand damage. If you’re starting up and you have a data breach, it’s going to be very bad for your brand reputation and you may not be able to survive further in business. Larger companies tend to be able to survive these issues even though they are taking financial penalties. When we enter more medium sized businesses, which is any business in Australia that’s turning over more than three million dollars in revenue annually, they’re subject to the mandatory data breach notification laws. These laws, or the Privacy Act as it’s called, say that if a customer has a breach and they lose some private information (it can be of their employees, customers, pretty much any data that they hold) from a hacking event (or someone drops a USB key in a carpark, or someone loses their laptop and it’s not encrypted and secured), then that organisation has thirty days to notify the Privacy Commissioner and the people whose data they’ve lost. If they don’t, then they’re liable for a fine of ten million dollars or ten percent of their revenue for the first year!
That new penalty came up from what was about two million and no revenue penalty, but it has just been changed to become more in line with the laws in Europe. This is something that all businesses need to take into account. If you say that you don’t turn over more than three million dollars in a year, then we start looking at what type of records you hold. If you hold any healthcare records, it doesn’t matter how much revenue you have, you still have to notify. Also education, aged care records; these sorts of things are what the hackers tend to be after and you need to understand the consequences.
Bastien: Pretty serious stuff. For startups one of the first steps of our bundle is giving them an awareness of how criminals are breaching into organisations. The first step is to educate yourself on how we’re hacking. So when we hack into a startup/SME/large enterprise we extort the staff, we extort their inexperience, we extort their trust, and we use that to gain information. We’ve given them access to a portal that provides training videos that really show how we use simple passwords to gain information. It also shows how we use emails to get access into an organisation, how we use phone calls to get access on site, and how we use keyloggers and devices. Even simple things like a clean desk policy can really put a thorn in a hacker’s side and stop us from putting something really simple like a USB stick into your laptop which is collecting information, because you’ll see that straight away (whereas someone with a messy desk won’t).
The education and awareness platform is a really important part of the onboarding and start-up process for small businesses. Straight away it develops that culture within them that cybersecurity is important, and here’s how the criminals are currently exploiting Australian businesses and all businesses around the world to take money away from them, money they can’t afford to have taken away. So the first step for us is to always educate the business.
The second step is for them to become compliant. We’ve been talking about the Notifiable Data Breaches scheme and other things that small businesses do have to contend with. If you don’t go about it the correct way it’s going to cost your business so much that it may actually end your business, or you may think that protecting yourself against it is actually cost prohibitive, but it’s not. When we talk about startups, a lot of the time all of their services are in the cloud. One of the scariest things I get told by SMEs is that all of their services are in the cloud and that they don’t have to worry about security. From a hacker’s point of view that’s my dream. All I have to do then is capture your username and password, and once I’ve got that I have access to your entire business.
Your contacts database, IP, your customers, emails – everything is at my fingertips from any internet cafe anywhere in the world. It becomes a problem of privileged access management, which is a fancy way of saying: use your accounts to access anything we want. Whereas before, when we were using on-premise solutions, it was more a problem where startups maybe once a year would upgrade their operating systems or run security patches, and that was how we got into organisations back then. But now it’s actually easier for us with all these services in the cloud, because people use passwords like their football team, their dogs, parents, dates of birth etc.
We’ve covered off that startups need to educate themselves and any staff that they bring onboard; they also should consider what we call security operations. That is when we monitor their cloud environments, the individuals using their business services, and things like emails for unusual behaviour. I call that user behaviour analytics, and what that does is it instantly gives you compliance, and that means that if you get taken to court when someone’s breached into your data and stolen some people’s information and credit card details, it can be considered harmful to those individuals.
If you’re dragged into court you can hand on heart say that you had software installed and unfortunately got breached, but you’re not going to get a fine if you take cybersecurity seriously. If you go into court and say, “look, we’re a startup and we haven’t really thought about cybersecurity, we don’t have the money for it,” that’s when they’ll issue the fine, and it could end your business very easily. The fines have gone up significantly to align themselves with global standards, and they are more than enough to end a large business, let alone a startup. So make sure that you have that security: user behaviour analytics, a security operations centre, and security incident and event monitoring. What that allows a startup to do is to completely outsource.
Fergus: If worst comes to worst for an organisation, in terms of the fact that if you look at the inevitability of a potential breach, which has really become the standard, certainly in the US there’s a saying, “another day, another data breach.” So if we look at the inevitability of it, what’s become mature in recent years is cyber insurance. A lot of people will say, “we’ve already got insurance” because they’ve got professional indemnity insurance or general liability insurance, and insurance is generally a grudge purchase anyway.
“So what would I need cyber insurance for?” The key thing here is that if there’s no physical damage then traditionally property or other insurances won’t cover it, so there’s a gap in the insurance program. A lot of people think that only big companies would want to buy insurance, but that’s not true, because there are policies out there that can easily cover the damage from likely circumstances for less than a thousand dollars a year. It’s not expensive for a small business to get up to a million or two million dollars’ worth of coverage.
Bastien: There’s even a case to be made that all media attention is good media attention. If you do happen to have a breach and you solve it well, moving away from the small business mindset, look how well the Red Cross addressed their breach when they lost a whole heap of records relating to their people’s sensitive information. They did a good job and I think they actually saw an increase in people donating blood after that. That shows how a well managed breach can actually help and create attention. If you know how to do it and you rely on a well set up insurance policy to help you with PR and marketing and incident response teams, or look to an organisation like us to help you, it can actually be a relatively minor road bump as opposed to something that’s going to end your business overnight.
Educate yourself and make sure you’ve defined what’s important to your business, and that those things that are important to your business are effectively protected by controls that are adequate. Make sure that you’ve got a system in place to detect and report on breaches, and finally get someone like us to actually test to make sure that the controls you’ve put in place are appropriate, so that you’re not going to get a nasty surprise. If you do those four simple steps then you’re going to have a reasonable culture addressing cybersecurity from day one. Controls don’t just generally mean technology controls; this is a big trap for startups who believe they’re covered because they’ve got the firewall, security incident and event monitoring or the latest endpoint protection. Controls also include policies and procedures. They are just as important, if not more important, than technology solutions. So if they’ve addressed the four pillars they’re in a good spot.