Australian businesses are increasingly becoming targets for cyber crime, according to the first national unclassified cyber security threat report.
The Australian Cyber Security Centre (ACSC) today released its Threat Report 2015, which warns businesses could be targets for malicious activities even if they do not realise they are of interest to cyber criminals.
The centre compiled the report after partner agencies provided information about the threats Australian networks face from cyber espionage, cyber attacks and cyber crime.
The report cites statistics that show in 2014 the national computer emergency response team, CERT Australia, responded to 11,073 cyber security incidents affecting Australian businesses.
Of those, 153 involved threats to systems of national interest, critical infrastructure and government, categories that ACSC considers could significantly affect Australia’s economic prosperity.
Energy, banking and financial services, communications, defence and transport were identified as the top five industries assisted by CERT Australia regarding cyber security incidents in 2014.
The theft of intellectual property or commercially sensitive information online was identified as one of the biggest issues for businesses, with far reaching implications such as impaired reputations, profitability and competitiveness, reduced business opportunities and undermined business models.
The report identified future trends in cyber crime activity, including an increase in the number of cyber security criminals with enhanced capabilities, a rise in “spear phishing”, ransomware and other cybercrime, as well as the increased use of sophisticated software, web defacements and headline-grabbing social media hijacking.
The report also said many sectors are yet to invest heavily in cyber security and businesses may be hesitant to report incidents.
ACSC co-ordinator Clive Lines said the cyber threat to Australian organisations is growing but the report could serve as a resource for businesses.
“If every Australian organisation read this report and acted to improve their security posture, we would see a far more informed and secure Australian internet presence,” Lines said.
AVG security advisor Michael McKinnon told SmartCompany the report made a couple of good, clear points about the sorts of cyber threats facing the business community.
“The first point the document makes clearly, is that businesses don’t chose to be targets, they’re all targets,” McKinnon says.
“I know lots of SMEs don’t believe they would ever be a target, but it’s important to understand what a cyber-adversary is.”
McKinnon says the report highlights the fact threats are broad-ranged, which means it is important businesses understand there are “so many different adversaries at play here”.
“The threat is so broad it includes foreign governments, organised international crime groups, national crime groups, petty thieves, also ex-employees and those disgruntled with your businesses,” he says.
McKinnon says business owners needed to develop an understanding of what some of the cyber threats are, such as “spear phishing”.
“Make sure there is someone in the business who knows what these things are and actively working to mitigate risks associated with them,” he says.
McKinnon says businesses should be actively reporting security incidents as the consequences are often broader than those that affect the business alone.
“Many businesses want to sweep it under carpet, do not want to acknowledge they have been compromised, they don’t want reputational damage,” he says.
“It’s really incumbent on business owners, for protection of the country and their business success, if you do see something happen to your business, report it.”
“You’ll potentially stop it happening to the next business.”
McKinnon’s top four strategies to protect your business from around 85% of cyber threats:
- Application white listing – be careful which software you are running, be selective and make sure software is approved by managers. Ensure employees are not given ability to run whatever software they want to install.
- Patching your software – update your internet browser and Adobe Flash
- Patching your operating system – make sure you’re updating your systems. If relying on an IT company, make sure you’ve reached out to them and they’re doing a proper review regularly.
- Restrict administrative privileges – restrict the administrative access to employees that only absolutely need to have access.