Don’t Be the Next Business to Fall Victim to a Data Breach

Gabor Szathmari
Iron Bastion
4 min read · Oct 24, 2018

Ninety per cent of data breaches begin with a phishing attack, and email scams cost Australian businesses $22 million a year. But what is phishing, and how does it differ from spam?

The terms spam and phishing both describe unwanted email that businesses may receive, but there are key differences businesses need to be aware of to avoid becoming the next data breach scandal. While spam is merely a general nuisance, phishing can cost your company $100,000 per incident.

Spam is generally easy to identify as unwanted email and usually carries no malicious intent. We are probably all familiar with emails trying to sell counterfeit pills and shifty SEO services.

Phishing, on the other hand, gives the appearance of coming from a trusted source, but contains malicious content, such as:

  • Viruses or ransomware; or
  • Malicious links which trick the recipient into handing over their passwords, so that the attacker can access a system using the recipient's credentials.

To quote Iron Bastion, one of our cybersecurity experts:

Phishing is a social engineering technique used to get a foothold within a company. Criminals use that foothold to hack the company from the inside to steal money or customer data, to defraud clients, and to commit payment redirection fraud or Business Email Compromise Fraud.

For businesses, phishing attacks constitute a serious threat. According to research, phishing attacks are the number one precursor to data breaches.

If your business has an annual turnover of over $3 million, it is subject to the Privacy Act 1988 and the recently introduced Notifiable Data Breach Scheme. Where sensitive personal information is stolen, your organisation may be required to report the breach regardless of annual turnover.

The number of reported data breaches involving sensitive information (Source: Notifiable Data Breaches Quarterly Statistics Report: 1 April — 30 June 2018, OAIC)

For instance, if your staff regularly receive personal documents by email for 100-point identity checks, a single compromised mailbox would trigger the mandatory reporting obligation. See the Office of the Australian Information Commissioner advice to clarify your reporting obligations further.

Why Outdated Advice Will Not Protect You

According to Iron Bastion, spam is mostly a technical issue which can be managed through the spam filters that are deeply integrated into email hosting services.

Phishing, on the other hand, is a combined human and technology problem that requires a multifaceted approach. Cybersecurity awareness training courses, phishing simulation exercises and anti-phishing email technologies are examples of good practice.

Sadly, “common sense” tips are rather ineffective against phishing, as organised cybercriminals these days typically possess both technical and soft skills. If these top tips were effective, the number of phishing sites would not have grown year after year over the past decade, according to Google Safe Browsing.

If “common sense” tips were genuinely effective, phishing would not be on the rise since 2006

Iron Bastion says cybercriminals will speak perfect English, be familiar with the profession of their target, and use terminology informed by insider knowledge. Such sophistication is motivated by the profitability of cybercrime, which exceeds that of the drug trade. This is why phishing awareness training for employees is so important. Your staff need to be prepared to recognise the most common scams, as employees are the last line of defence when your business is in the crosshairs of organised criminals.

Pixel-perfect phishing email, cloned from a legitimate one. All the links go to the actual AGL site except “Download bill” and “Make a payment”.

How Awareness Training Can Protect Your Business

Organisations are not powerless against phishing, says Iron Bastion, as there are steps any business can take. Firstly, each organisation needs to understand the risks it is most likely to face. For example, healthcare firms might be targeted for health information or with ransomware, whereas conveyancing firms are targeted with payment redirection scams.

This is where cybersecurity awareness for your staff plays an essential role, with training tailored to your organisation’s particular risk profile. You can further identify the segments of your staff most vulnerable to social engineering by running phishing simulations, and then educate them with the appropriate content. Cybersecurity awareness training can be classroom based, delivered through online webinars, or take the form of a questionnaire.

We published a few tips here to help you identify phishing attempts: https://blog.ironbastion.com.au/five-ways-to-detect-phishing-emails/

Once initial phishing awareness training has taken place, Iron Bastion recommends the business run a phishing simulation as a follow-up (with the consent of management) to test vulnerability to email-based social engineering attacks. A phishing simulation should be run at least once a month with training carried out quarterly.

About Iron Bastion

Iron Bastion are Australia’s phishing and cybersecurity experts. We provide cybersecurity consulting with specialised solutions to combat phishing. Our team are qualified cybersecurity professionals, and all our staff and operations are based in Australia.

Contact us for a free cybersecurity consultation or sign up to our managed services today.

Originally published at blog.ironbastion.com.au on October 24, 2018; written by Rosie Williams.
