Not many things can bring a business to its knees inside a day, but cybersecurity fraud is one of them.
Big business, at least, knows what it’s doing, even if that sector is far from immune from attack. For small-to-medium enterprise, however, the risks remain very real and the margin for error even tighter. While big business has the luxury of giant cash reserves and resources to fix problems quickly, many SMEs are unknowingly flying without a net.
The nature of cyber attack is such that every business, entity and individual is now just a heartbeat away from potential disaster. Many of us know this already and are working to combat it, but are your security measures enough? Are you constantly reviewing your operations? Do you have a crisis plan? Are your staff consistently kept in the loop on risks and best practices? Do you have enough and the right type of insurance to weather any storm?
In my professional realm, lawyers face unique challenges handling client confidential material with its accompanying ethical obligations, but the lessons learnt in one sector are applicable across the board. Cyber attacks are continuously mounted in a myriad of different ways but with similar themes. As we have seen recently, no-one, not even federal parliament, is safe.
Here, then, are four vital issues to consider – as relevant and critical for the top end of town as they are for small business.
Insurance alone is not enough
An instinctive reaction to risk is to recognise and insure against it. This is not so easy in the world of cyber attack. It is necessary to recognise that two policies need to react: cybersecurity insurance and crime insurance. They are separate and distinct even though they may overlap. One alone is not enough. Check what you have.
But that is not the end of it. Having just returned from the Lloyd’s insurance market in London, it is plain that underwriters themselves are still coming to grips with the area and are wary, and rightly so. Their potential risk is enormous. Correspondingly, the scope of cover being offered is limited and there are exclusions. You will never be able to cover all your potential losses, so you will remain partially uninsured. Failing to bring yourself within the scope of cover by not understanding the exclusions leaves you with nothing. Additionally, ‘off the rack’ cyber insurance packages or add-ons to other existing policies are as good as useless and, worse still, can instil a false sense of security. Check your policy and check it again. And, needless to say, get advice from a decent insurance broker.
Invest heavily in your own protection
If insurance alone cannot protect you, then what you would otherwise spend on policy premiums, and more, must go into ICT. You need to be at the top of your game with current software and practical protections, including adequate staffing policies: no data sticks (from clients, for example), no personal unprotected devices in the workplace, regular audits and so forth.
If the fire-walled business is ‘the castle’, it is only secure if those within don’t lower the drawbridge. Which brings me to my third point: the threat of social engineering.
Underwriters are no longer referring to this area of risk in terms of cybersecurity but, rather, social engineering. The tool kit of the cyber-criminal largely turns on the ability to unlock the human capacity for being drawn in by habit: the habit of opening attachments, the habit of following direction, the habits drilled into us through the entire digital era.
We can rush in without natural suspicion, whereas what is required now is suspicion at every turn. Thus it is vital and necessary to educate our workforces and ourselves, and for ICT managers or business owners to be across current scams. If you don’t have the requisite skills to do this, outsource the task to those who do.
These types of attacks typically include ransomware resulting in ‘lockdown’, the hacking and altering of financial details contained in unencrypted email to redirect financial payments to the thief, and theft of sensitive, commercial-in-confidence and confidential information. For lawyers who must ethically protect client privileged information, this sort of attack is a nightmare.
The best return for effort in this fraught area is education to combat the insidious nature of social engineering and to help staff re-learn the rules of the digital age. Good insurance can provide live expert technical assistance to negotiate with those seeking the ransom, including, on occasion, negotiating payments to unlock a system, and locating and containing viruses.
Your obligations if breached
If your organisation is breached, depending upon your size and the nature of your business and the breach, there are mandatory statutory obligations to report data loss to the Office of the Australian Information Commissioner under the notifiable data breaches scheme. This is a big deal. To rub salt into the wound, failure to do so is a serious matter, as are the penalties.
The laws apply to businesses and not-for-profit entities with a turnover of $3 million, government agencies and some other classes of business. There are also threshold criteria to determine whether an organisation needs to notify breaches. For lawyers, there are added obligations if there is a loss of client privileged data. Your own industry may have its own regulator to whom you owe responsibilities in addition to those owed to Commonwealth agencies. Legal advice may be required to understand your statutory obligations and your ethical and regulatory responsibilities, and to avoid penalties.
Self-help is the required approach in this exponentially increasing and dangerous world of cyber-criminals. No-one is going to do it for you: not insurers, nor ICT experts and not the state, although you may need to account to it. Alert and alarmed is how I would describe my own state of mind. No level of vigilance is ever enough.
The recent approach taken by an affected customer of an underwriter says it all. Banks are notoriously slow to react to prevent the distribution of stolen money in instances of cyber fraud. This customer, having had $10 million stolen, chose not to rely on the bank to prevent the transfer but, rather, flew a representative to Thailand that night, so they were able to walk into a Bangkok bank the following morning to prevent the transfer being completed.
The only way we can wrestle with this evil, the only way to protect our livelihood and the interests of our customers, is to assume the responsibility squarely ourselves. To quote Benjamin Franklin: “An ounce of prevention is worth a pound of cure.”
Morry Bailes is managing partner of Tindall Gask Bentley Lawyers and immediate past president of the Law Council of Australia.