Cyber conversations: teaming up on security

It’s often said collaboration is key. At ANZ, it’s one of our core values - not only among teams within the organisations but also with our community and business partners.

We’re fortunate to have a strong partnership with the Australian Cyber Security Centre (ACSC), Australia's trusted authority and operational lead on cyber security. The ACSC focuses on making Australia the most secure place to connect online.

Whether it’s big business, critical infrastructure, government, the military, individuals at home, or small to medium enterprises, the ACSC can help everyone navigate a safer, more secure cyber experience experience while offering a 24/7 hotline for help and advice.

Current cyber threat environment

As the economy and society move online and we become more sophisticated in our use of technology, technology becomes more sophisticated – but so too does crime.

Whenever there's a significant crisis, we find the volume of scam messages and cyber intrusions increase.

When people are anxious, there's an urgency - they want information – and they're more likely to click on a malicious email. It's a time when people aren’t always thinking properly.

Unfortunately, criminals take advantage of that vulnerability and they exploit people during these times. We often see coming up to Christmas and the festive season there are more scams out there.

In our recent conversation Abigail Bradshaw highlighted some of the most common threats in the cyber landscape.

        Internet of Things (IoT) devices

The proliferation of Internet of Things (IoT) devices (think Alexa, Siri, your smart fridge). These devices are collecting data with applications to just about anything. Abigail explains this creates what we call an “increase in the threat surface”  bad online actors can target.

“When you have an increase in the threat surface, there's far more opportunities for criminals and malicious cyber actors to prosecute,” Abigail says.

“And of course, that's been propelled forward by COVID-19, when so many people have been forced online to provide and obtain information or services, or just to continue their lives or work from home or do home schooling online,” she says.

        Business email comprise

Cybercrime is the biggest threat to Australian small and medium-sized businesses. ACSC cybercrime reports submitted via ReportCyber last year recorded self-reported financial losses of more than $33 billion (AUD) in the 2020-21 financial year.

“We received 67,500 cybercrime reports - that's about one every eight minutes, says Abigail.

“This represents an increase of nearly 13 per cent from previous years.”

“As far as small and medium businesses go, we're concerned about the increase in what we call business email compromise.

We saw a massive increase in business email compromise last year, and the average amount of each one of those attacks was $54,000 (AUD). That can really wipe out a small business.”

        Ransomware

The other major trend – one that has become a high profile global issue – has been ransomware.

“It's very bad when a ransomware attack hits a critical infrastructure provider. We've seen big attacks overseas in the United States hitting a meat manufacturer and a fuel line - it can be absolutely devastating if a ransomware attack impacts a small business and wipes out their customer records, their financial records,” Abigail says.

“Last year, we had 500 ransomware attacks reported to us in the extreme, an increase of 15 per cent compared to the previous financial year.”

        Out of date software/devices

We’ve all become reliant on apps which acquire our data to obtain services and information. All of those apps have software which needs to be updated frequently. As the software on your phone or devices becomes out of date, people find bugs or loopholes or mistakes in the code that need to be corrected.

Abigail says in the past the ACSC team has observed cybercriminals prosecuting those weaknesses and vulnerabilities in software within weeks to months. Now that’s getting worse.

“In the last 12 months, we've noticed the criminals are really good at prosecuting those vulnerabilities within days and sometimes hours of there being a public disclosure. We've got a really big emphasis at the moment in encouraging businesses to have great patching practises,” she says.

“What that means is when you get that little message on your smart device that says there's an update ready, do you want an update now or later? Always say now. Always put the default to automatic updates and have your phone or your device plugged in and patch as quickly as you can.”

Our experience from a bank’s perspective mirrors these trends. We've seen an increase in threat in our own environment; we're now blocking around 15 million malicious or suspicious emails a month. Before the pandemic, it was about four million a month – that’s a substantial increase.

I recently spoke with ANZ CEO Shayne Elliott on  business email compromise as it is such a common situation now and so many organisations are finding very sophisticated business email compromises as intelligence gathering becomes easier and more accessible for criminals.

With regards to ransomware, it's about crime and a lot of smaller threat actors buying services, buying ransomware-as-a-service or other threat packages they can use to target large numbers of organisations and people because they can see an opportunity to profit out of this crime.

This has really changed the game. The sorts of sophisticated attacks that used to be only available to a small number of criminals is now available to a much larger group and that's why we're seeing an increasing volume.

Networks are key

I see our partnership with the ACSC as a very important one. The ACSC provides invaluable sources of information and we work together to promote good cyber practises such as sharing threat intelligence.

As a bank, we have good visibility in networks across Australia and overseas so we can keep an eye on what's happening in the cyber world.

Traditionally, we've had a really good network of sharing information informally through the cyber industry. We talk to our partners, we talk to government about what we're seeing. Now, we're working to formalise and automate that pipeline of communication to ensure we can reach other people including our customers, with information that helps them protect themselves, faster.

We work closely not only with the ACSC as a central organisation, but also with their outreach services around Australia called Joint Cyber Security Centres, where we come together in a trusted environment to work with cyber security professionals from across industry.

We're talking all the time and working on how we can work together to share information to help our customers and people across the community and more broadly to make sure we're all safe from cyber-attacks.

Preparation better than cure

Being prepared is so important. There is not one silver bullet that will save you from cybercrime rather it is a range of different things working together. These things need to be practised to ensure they will work for you if cybercrime does happen.

When people come and talk to us about their concerns, we encourage what we call a ‘defence-in-depth’ approach.

Essential mitigation strategies for cyber threats include simple things like setting up multi-factor authentication (MFA) for your apps, backing up your documents and patching (updating software). All of these things can be done both in the workplace and at home.

Aussie businesses and organisations should also consider implementing the ACSC’s eight key strategies to mitigate cyber security incidents – known as the Essential Eight – to make life much harder for cybercriminals attempting to compromise systems.

We always encourage victims of a scam or any sort of security incident to report it as soon as possible to us and to the authorities. Sometimes we can take steps to recover and make sure no one else gets impacted by the same threat. We can publicise what's happening or inform our partners at the ACSC.

Never be embarrassed if something's gone wrong. Always report it - quickly. A lot of people don't want to admit they've been a victim to a scam and they don't report it until it's too late because they are embarrassed.

As soon as you think something might be wrong, let people know. Let the authorities know, let your bank know. It can make all the difference.