Almost 1 in 3 Australian adults were affected by cybercrime last year.
Australians are reporting cybersecurity incidents every 10 minutes and it’s costing Australian businesses $29 billion each year.
91% of all hacking attacks by cyber criminals begin with a phishing or spear-phishing attempt that originates from your email inbox.
Criminals can target you whether you are using the cloud or on-premises systems.
Viruses and Malware:
- Viruses and malware are types of malicious programs written to corrupt the way a computer operates. They are designed to spread from one computer to another by inserting or attaching themselves to a program or document.
- Viruses and malware have the potential to corrupt or destroy your applications and data.
- Viruses and malware typically do not request any type of payment, they simply attempt to cause harm “because they can”.
Denial of Service (“DOS”) and Distributed Denial of Service (“DDOS”) attacks:
- DOS and DDOS are attacks directed at your internet hosting or email servers. The attack attempts to overwhelm your systems causing a crash or preventing legitimate users from accessing the systems. This is achieved by flooding the target with superfluous requests.
- DOS and DDOS attacks can be motivated by revenge, blackmail and activism.
Identity theft:
- Identity theft occurs when a criminal steals enough personal information to pose as you and commit fraud.
- The thief uses the stolen information to gain access to your financial accounts, your online accounts, and likely creates new accounts and incurs debts in your name.
- A thief requires very little information to start building an identity – a full name and birth date is enough.
Ransomware:
- Ransomware comes in a number of flavours – crypto, lockers, scareware, doxware, and others.
- All ransomware is used by criminals to attempt to extort money. A ransomware program will prevent your computers/networks from functioning until the ransom is paid:
- Crypto encrypts your files and they must be decrypted by the criminal.
- Lockers completely lock you out of your device until unlocked by the criminal.
- Doxware, also known as leakware or extortionware, steals files and threatens to publish them unless the criminal receives payment.
- Scareware can claim to have found (non-existent) issues with your machine and demand payment to fix them. Scareware can also claim to have (untruthfully) tracked inappropriate browsing and demand payment to not release details. It can also claim (untruthfully) to have harvested your passwords and demand payment to not lock your machine or publish them.
- Payment does not guarantee resolution. The criminal may simply take the money and you never hear from them again.
- The only safe response to ransomware is to not let it into your system in the first place.
Spam:
- Spamming sends unsolicited messages to large numbers of recipients for the purpose of advertising, evangelizing, or openly criminal purposes such as phishing.
- Managing incoming spam takes resources. Unmanaged spam carries risk.
- A more serious issue with spam is when criminals hack your email accounts or servers and use your systems to send spam.
Targeted cyber intrusions:
- An intrusion is the act of breaking into a specific computer or network of computers to commit criminal acts. For example, a criminal might execute an intrusion into a public utility control system so that they can initiate unexpected actions (e.g. shutting down a pipeline).
- The intrusion might be achieved by phishing, spear-phishing, malware, etc.
Phishing and spear-phishing:
- These types of crime attempt to extract information from users – usernames, passwords, account details, etc.
- The phishing attack usually comes in the form of an email but it can be text messages, phone calls, or social media.
- Phishing is a broadcast attack targeting many users in the hope of a response. Spear-phishing targets a specific individual and attempts to create a relationship that leads to confidential information being divulged.
Insider threats:
- Sometimes employees, consultants, and ex-employees will attempt to commit criminal acts such as sabotage and fraud.
- Often employees will have knowledge of “back-doors” into systems that allow unauthorised access.
Wire Fraud and email fraud:
- These types of fraud are a specific form of criminal activity that make use of electronic communications or digital networks, usually crossing state/federal boundaries.
- A common example of wire fraud is the “Nigerian prince scam”. The goal of the scam is to obtain the target’s financial information, which the scammer will use to access the target’s money.
- Wire fraud also often occurs when a criminal obtains access to business email accounts (through phishing, etc.). The criminal then waits, watching the emails until the business sends an email authorising a large payment. The criminal changes the receiving bank details in the email to their own bank details, and the payment is thus redirected to the criminal’s account. Typically, the money is lost and all relationships involved in the transaction are soured.
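The business email compromise scenario described above is usually caught by a simple control: payee bank details in an incoming payment request are compared against details that finance has already verified out-of-band, and any change is held for a call-back before money moves. The following Python script is an added example of that check, not part of the original page. The supplier register, the email bodies and the BSB/account-number formats it parses are all constructed for illustration.

```python
import re

# Constructed supplier register: bank details finance has verified by phone
# with a known contact. In practice this lives in the accounting system.
SUPPLIER_REGISTER = {
    "acme pty ltd": {"bsb": "062-000", "account": "12345678"},
}

# Australian BSB (six digits, often written 062-000) and an account number
# introduced by "Account", "Acct" or "A/C", optionally followed by "No." or "Number".
BSB_RE = re.compile(r"\bBSB[:\s]*(\d{3})[-\s]?(\d{3})\b", re.IGNORECASE)
ACCT_RE = re.compile(
    r"\b(?:Account|Acct|A/C)(?:\s*(?:No\.?|Number))?[:\s]*(\d{6,10})\b",
    re.IGNORECASE,
)


def extract_bank_details(body):
    """Return (bsb, account) found in an email body, with None for anything missing."""
    bsb = BSB_RE.search(body)
    acct = ACCT_RE.search(body)
    return (
        f"{bsb.group(1)}-{bsb.group(2)}" if bsb else None,
        acct.group(1) if acct else None,
    )


def check_payment_request(supplier, body):
    """Compare the bank details in a payment request with the verified register.

    Verdicts: OK (matches register), MISMATCH (details differ: hold and call back),
    NO_DETAILS (nothing parseable), UNKNOWN_SUPPLIER (no verified record exists).
    """
    known = SUPPLIER_REGISTER.get(supplier.strip().lower())
    if known is None:
        return "UNKNOWN_SUPPLIER"
    bsb, acct = extract_bank_details(body)
    if bsb is None or acct is None:
        return "NO_DETAILS"
    if bsb != known["bsb"] or acct != known["account"]:
        return "MISMATCH"
    return "OK"


# Constructed sample emails: a genuine invoice and one where the attacker has
# swapped in their own account, as in the scenario described on this page.
GENUINE_EMAIL = "Please pay invoice 4471 to BSB 062-000, Account Number: 12345678 by Friday."
ALTERED_EMAIL = "Our bank details have changed. New BSB: 012-345 Account No. 98765432. Thanks."

if __name__ == "__main__":
    for label, body in (("genuine", GENUINE_EMAIL), ("altered", ALTERED_EMAIL)):
        print(f"{label}: {check_payment_request('Acme Pty Ltd', body)}")
```

A MISMATCH verdict should block the payment until someone phones the supplier on a number already on file, never on a number taken from the email itself, because the criminal controls everything in the message.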
Is your organisation vulnerable to an attack?
Are your applications set up to use two-factor authentication (“2FA”)?
- For your cloud productivity applications – for example Office 365 / Microsoft 365 / SharePoint?
- For your social media accounts?
- For accounting applications – for example MYOB / Xero?
- For bank and financial institution applications?
- For shopping and eCommerce applications?
Are your passwords secure?
- Do you use a combination of UPPERCASE and lowercase letters, numbers, and special characters?
- Do you avoid the use of family names and birthdays?
- Do you avoid using the same password for multiple applications?
- Do you have a password management application that can generate and record a unique password for all your applications?
Are your mobile devices and computers secure?
- Are your operating systems and applications patched and up to date?
- Are you using a corporate grade endpoint anti-virus solution?
- Do you ensure screens are locked when staff are away from their devices?
- Do you avoid public Wi-Fi?
- Do you take regular backups?
Are your servers and network environment secure?
- Are admin passwords and admin privileges restricted to those who need them, on a need-to-know basis?
- Have you changed the network devices default passwords?
- Is your network devices' firmware up to date?
- Is your wireless network encrypted, secure and firewalled?
- Are your server operating systems up to date and patched?
Are your emails secure?
- Do you have 2FA setup for all email accounts and your cloud admin portal?
- Do you have email content filtering?
- Does your email portal log the geographic location of all login activity?
- Can you block access to applications by location, i.e. no overseas access to the web portal?
- Does your email application block spoofed emails?
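The last checklist items (2FA on every account, logging the location of logins, blocking overseas access) only help if someone actually looks at the sign-in log. The Python script below is an added example of that review, not code from the page or from any particular email platform. It assumes a hypothetical audit export of one JSON object per sign-in with time, user, country, mfa and result fields; real portals use their own field names, and the sample records are constructed.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in audit export (hypothetical format: one JSON record per line).
SAMPLE_LOG = """\
{"time": "2024-03-04T08:02:11Z", "user": "alice@example.com.au", "country": "AU", "mfa": true, "result": "success"}
{"time": "2024-03-04T08:05:40Z", "user": "bob@example.com.au", "country": "AU", "mfa": false, "result": "success"}
{"time": "2024-03-04T03:17:09Z", "user": "alice@example.com.au", "country": "NG", "mfa": false, "result": "failure"}
{"time": "2024-03-04T03:18:02Z", "user": "alice@example.com.au", "country": "NG", "mfa": false, "result": "success"}
{"time": "2024-03-04T09:40:55Z", "user": "carol@example.com.au", "country": "AU", "mfa": true, "result": "success"}
"""

# Countries from which staff are expected to sign in; everything else is "overseas".
ALLOWED_COUNTRIES = {"AU"}


def _ts(value):
    """Parse an ISO-8601 UTC timestamp ending in Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_log(text):
    """Turn the line-delimited JSON export into a list of event dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def audit_sign_ins(events, allowed=ALLOWED_COUNTRIES):
    """Flag successful sign-ins from outside the allowed countries or without MFA.

    Returns a list of (user, reason) tuples in log order.
    """
    findings = []
    for e in events:
        if e["result"] != "success":
            continue  # failed attempts are noise here; successes are what matter
        if e["country"] not in allowed:
            findings.append((e["user"], f"successful sign-in from {e['country']} at {e['time']}"))
        if not e["mfa"]:
            findings.append((e["user"], f"sign-in without MFA at {e['time']}"))
    return findings


def find_country_changes(events, window_hours=24):
    """Flag one account signing in successfully from two countries within window_hours.

    A traveller can do this legitimately, but for most small businesses it is the
    signature of a compromised mailbox being used from abroad.
    """
    by_user = defaultdict(list)
    for e in events:
        if e["result"] == "success":
            by_user[e["user"]].append(e)
    findings = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: _ts(e["time"]))
        for prev, cur in zip(evs, evs[1:]):
            gap = _ts(cur["time"]) - _ts(prev["time"])
            if prev["country"] != cur["country"] and gap <= timedelta(hours=window_hours):
                findings.append(
                    (user, f"{prev['country']} at {prev['time']} then {cur['country']} at {cur['time']}")
                )
    return findings


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for user, reason in audit_sign_ins(events) + find_country_changes(events):
        print(f"{user}: {reason}")
```

Against the sample export this reports bob signing in without MFA, alice's successful overseas sign-in (also without MFA), and alice appearing in two countries a few hours apart; the failed attempt from the same overseas address is ignored. A finding against an account that has 2FA enabled and location blocking in place is far less likely in the first place, which is the point of the checklist.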
Are your staff prepared for cybercrime?
- Is the amount of personal data posted online limited?
- Are staff trained to identify suspicious emails and phishing attempts?
- Are staff aware that access to your computers should never be given to unauthorised people?
- Are your staff aware that government agencies will never request payment via gift cards?
Notification requirements in the event of a data breach
Under the Notifiable Data Breaches (NDB) scheme any organisation or agency that the Privacy Act 1988 covers must notify affected individuals and the Office of the Australian Information Commissioner (“OAIC”) when a data breach is likely to result in serious harm to an individual whose personal information is involved.
A data breach occurs when personal information an organisation or agency holds is lost or subjected to unauthorised access or disclosure. For example, when:
- A device with a customer’s personal information is lost or stolen
- A database with personal information is hacked
- Personal information is mistakenly given to the wrong person
The notification to individuals must include recommendations about the steps they should take in response to the data breach. You should notify the OAIC using its online Notifiable Data Breach form; for more information, see the OAIC's Report a Data Breach page.
If you think your personal information may be involved in a data breach, see the OAIC's information for individuals on data breaches.
If you have experienced a data breach please contact us – we can help you manage your recovery.