According to the Australian Cyber Security Centre (ACSC) Annual Cyber Threat Report, the “deterioration of the global threat environment was reflected in cyberspace”. In Australia alone, more than 76,000 cyber crime reports were made to the ACSC over the 2021-22 financial year, which is one every seven minutes, an increase of nearly 13% from the previous financial year. Australia also saw self-reported losses from cyber attacks total more than $33 billion. And it is not just vulnerable individuals being targeted. Large organisations who, arguably, have invested significant time and money into cyber defences are falling victim too, highlighting the sheer scale and sophistication of cyber crime today.
On 13 October, Medibank announced it was the victim of a cyber attack after a notorious Russian cyber gang stole the personal information of 9.7 million Australian customers. The hack began with the theft of credentials belonging to an individual with access to Medibank’s internal systems. The stolen information includes (but is not limited to) names, dates of birth, addresses, contact information, credit card details, ID documents, and medical histories. As a result of this attack, those affected have become vulnerable to blackmail, fraud, identity theft, and targeted scams. Click here to read a recent The Sydney Morning Herald article on the Medibank cyber attack.
Less than one month prior, on 22 September, nearly 2.1 million Optus customers had their personal information, including (but not limited to) names, dates of birth, addresses, contact information, passport numbers, driver’s licence numbers, and medicare numbers stolen as a result of an internal system vulnerability. Optus has not released a statement on how the data was accessed, however, it has been reported that it was through a lack of authentication required on an Optus application programming interface (API). Home affairs minister, Claire O’Neil, has commented that the data vulnerability was a result of Optus “leaving a window open”. Click here to read a recent The Conversation article on the Optus cyber attack.
A few days prior to this, on 15 September, ride-share giant Uber fell victim to a social engineering-style cyber attack. Uber stated that a contractor’s account was compromised, where the attacker likely purchased the individual’s password on the dark web after the individual’s personal device was infected with malware. Uber has confirmed there was no evidence the attack successfully accessed customer or user data stored in its cloud. Nonetheless, the hacker did gain access to Slack messages, a communication tool used by Uber’s finance team to manage invoices, and the company’s dashboard HackerOne, where it stores vulnerable reports. Click here to read a recent The New York Times article on the Uber cyber attack.
Those are just three recent examples of sophisticated cyber attacks on large organisations that, presumably, have significant cyber security defences in place – and as we witnessed in the media coverage, these attacks cause long-lasting reputational damage, service disruptions, and financial strain. According to the ACSC Report, the average cost per cyber crime for small businesses is more than $39,000 and for large businesses is more than $62,000. On top of this, there is the financial strain on the individual victims impacted.
In summary, the ACSC highlighted the following trends from the 2021-22 financial year:
• “Cyberspace has become a battleground.”
• “Australia’s prosperity is attractive to cybercriminals.”
• “Ransomware remains the most destructive cybercrime.”
• “Worldwide, critical infrastructure networks are increasingly targeted.”
• “The rapid exploitation of critical public vulnerabilities became the norm.”
The risk of cyber crime, on both an individual and business level, is at critical levels. No one is immune. According to the ACSC Report, “Australia’s best defence in a rapidly evolving cyber threat environment is to build resilience across businesses and organisations, and among individuals.”
Building Resilience
As a financial advisory firm, we have been aware for many years of the importance of vigilance when it comes to the protection of client data and client assets. We routinely stress-test our infrastructure and ensure we have appropriate digital and human protections in place at all times and we implement regular cyber security education programs for all members of our team.
Many of our clients will know about our MGD Client Portal, which was developed to keep our clients’ data safe in this rapidly evolving cyber threat environment. It uses multiple layers of security controls to provide the highest level of protection to clients and their data, it uses the same level of encryption used by global financial institutions, it supports multi-factor authentication, and there is no transactional functionality to move or withdraw funds.
But regardless of what we do as a firm, we know that cyber security is only as strong as the weakest link, which is why cyber security on an individual level is absolutely paramount.
So how do we as individual humans become more cyber resilient? Here are some proactive measures we can all take to protect ourselves, our families, our households, our businesses, and our digital assets:
• Arm yourself with knowledge. Educate yourself about what is happening, stay ahead of the game in understanding how the threats are evolving, and learn about what you can do to strengthen your defences (and, importantly, keep improving your defences as the threat evolves).
• Be vigilant and smart in what you do online and offline. For example, think twice before clicking a link in an email or providing information over the phone.
• Understand if any of your data, such as your email, has been subject to a known data breach (you can easily check this via Dehashed).
• Take password selection and management seriously; this includes not using the same password for multiple accounts, ensuring your passwords are strong, and considering the use of a password manager (ACSC has further information on password security).
• Use two-factor authentication on all sites containing sensitive information (such as banking and other financial information) – yes, it can be inconvenient, but it’s significantly safer when it comes to protecting the security of your data.
• Consider using a Virtual Private Network (VPN) whenever you’re online (this Forbes article discusses what a VPN is and some of the features and benefits of VPNs).
The grim reality is that the situation is not going to get better. It’s only going to get worse. And so, it is critical that we take the necessary steps to protect ourselves and our digital assets – because we are all vulnerable.
If you would like to discuss any of the above themes in more detail, please arrange a conversation with your adviser or our office by calling (07) 3391 5055 or via email.
Further Reading
ACSC | Easy steps to secure your devices and accounts
This article provides an outline of the simple steps you can take to secure your devices and accounts.
ACSC | Personal Security Guides
This page contains a series of guides to help protect you and your families from cyber threats, including how to dispose of a device securely and how to ensure your children use the internet safely.
ACSC | Cyber security tips when working from home
This article provides nine strategies that can help protect you, your work, and your household when you are working from home.
This website provides information on how to recognise, avoid, and report scams.
This website provides online safety presentations to parents, carers, and teachers on how young people use technology, the challenges they might face, and how to get help and support if something goes wrong online.
Any advice included in this communication is general and has been prepared without taking into account your objectives, financial situation or needs. As such, you should consider its appropriateness having regard to these factors before acting on it. Any tax information refers to current laws, is not based on your unique circumstances and should not be relied on as tax advice. Before you make any decision about whether to acquire a certain financial product, you should obtain and read the relevant product disclosure statement.