On reflection, the warning signs were there. The email address it was sent from was unrelated to our company. The CEO’s usual signature was not on there.

Yet this simple scam was very nearly successful because it created a sense of urgency which people are programmed to respond to. What does the CEO want? We must respond!

In the world of cybercrime, manipulating people in this way is a form of so-called social engineering. There are lots of different ways cybercriminals can appear as a trusted entity and manipulate people into carrying out specific actions, or divulging information. Another common example is those text messages you might have received, supposedly from your children impelling you to send money for something urgent.

Smart people fall for cyberattacks

Our purpose in sharing this story is to let other businesses know just how easy it is to fall for a scam. How do we avoid having senior staff – often highly experienced and very clever people – jump into action.

While we might hear a lot in the news about cyberattacks on big enterprises like Optus and Medibank, the truth is it’s a huge problem for SMEs too. The government’s annual Cyber Threat report puts the average cost per cybercrime report to over $39,000 for small business and $88,000 for medium business. A previous attack a couple of years ago at Oasis costs $50K with the bank eventually assisting to the tune of $15K. This was a more sophisticated scam.     

These sorts of emails are received by companies every day. Whilst many get picked up automatically by security software before we ever see them, some still slip through and make it to our inboxes.

Phishing attempts are getting progressively more sophisticated and complex. They can be multi-stage attempts that involve sending emails from accounts inside the organisation. Such emails are far harder to distinguish as a cyberattack because they defeat all the normal mental safeguards people put in place. The consequences can be devastating.

Ransomware, for example, involves locking up your files – often gaining access through a phishing scam and malware – and demanding a ransom to release them. The criminals may also threaten to leak your confidential information online. And even if you pay the ransom, there’s no guarantee they’ll release your files. A report from security firm Sophos found that 80 per cent of Australian respondents were hit by ransomware attacks in the last year. Our CEO recently spoke to 25 CEOs, three of which had been subject to ransomware attacks, two had paid the requested ransom and one did not and lost their data.   

Time to take action.

The lesson here is to prepare for a cyberattack by taking action.

Of course, the issue is most SMEs don’t have the resources to properly protect themselves. Like insurance, cybersecurity isn’t a top priority until you need it, and by then it’s too late.

However, investing in cybersecurity is just that, an investment. The mitigation of the risk that the business could not function as files become inaccessible is really risk management 101. The measurement of the impact of lost time, lost business and the damage done to customer relationships needs to be weighed against the investment costs to help mitigate.

In addition ASIC has made it clear that directors are going to be increasingly liable for cybersecurity breaches where there has been perceived dereliction of duty.   

Getting Practical

A good start might be regular training of staff on good cyber hygiene and how to recognise threats. It’s also important to have business procedures and processes in place – a series of checks and balances to ensure any emails and other communications are always vetted before being acted upon. Having our senior staff call the CEO to check before acting saved us from a much more serious incident.  

The Australian Cyber Security Centre’s Essential Eight is an excellent resource for the basics such as data backup and ensuring you have multi-factor authentication.

If you feel you may need some help from the experts we have worked with Tesserent (who focus on mid to large companies), one of our clients, Rivium, was acquired by Tesserent (TNT) in 2019, Robert Silver now at Tesserent; I’m sure would be very helpful in directing you around cyber protection options.

Security Centric another client, focus’ mainly on SME’s. Sash Vasilevski, the owner, and CEO would also be a good contact if you’re looking to get started on protecting yourself. 

Don’t wait until it’s too late.

Good luck and stay cyber-safe. 

References

ACSC Annual Cyber Threat Report, July 2021 to June 2022, Australian Cyber Security Centre, 4 November 2022
https://www.cyber.gov.au/acsc/view-all-content/reports-and-statistics/acsc-annual-cyber-threat-report-july-2021-june-2022

Cybersecurity a ‘No. 1’ risk for company directors: ASIC, AFR, 9 January 2023
https://www.afr.com/politics/federal/cybersecurity-a-number-one-risk-for-company-directors-asic-20230103-p5ca13

Essential Eight, Australian Cyber Security Centre
https://www.cyber.gov.au/acsc/view-all-content/essential-eight

Survey: 80% of nation’s firms hit by ransomware, AFR, 29 November 2022 https://www.afr.com/technology/survey-80-percent-of-nation-s-firms-hit-by-ransomware-20221125-p5c1a4

The Nerds have won, Troubleshooters Podcast with Mike McGrath & Robert Silver, 10 May 2021 https://www.oasispartners.com.au/podcast/the-nerds-have-won/

Tesserent
https://tesserent.com/

Security Centric
https://www.securitycentric.com.au/