Do you process, transmit or store more than 10,000 financial transactions per year?
YesNo, less than 10,000
Do you use and keep up to date firewalls and anti-virus protection for all systems?
YesNo
Do you use third parties to complete audits of your system and security on a regular basis?
YesNO
Are all portable devices password protected? (mobile phones, laptops, tablets, etc)
YesNo
Do you have encryption requirements for all data including portable media?
YesNo
Do you have back-up and recovery procedures for business critical systems, data and info assets?
YesNo
Do you outsource any part of your network, including storage?
Yes, we use third party providers.No, all managed in house
Do you store sensitive information on web servers?
YesNo
Do you know of any loss payments, fines or penalties being made on your behalf?
YesNo
Are you aware of any matter which might give rise to a claim or loss under such insurance?
YesNo
Have you suffered any loss or claim but not limited to a regulatory, governmental or administrative action brought against you, or any investigation or information request concerning any handling of personal info?
YesNo
The applicant or any subsidiaries have any knowledge of any loss payments, fines or penalties being made on behalf of any applicant or any person proposed for coverage any cyber policy or similar insurance?
YesNo
Your quote request has been sent successfully, one of our brokers will contact you today! Close this notice.
Business Insurance Quote
Contact details:
Sections
Property & Contents
Yes, please quoteNo, thank you
Public & Products Liability
Yes, please quoteNo, thank you
Cyber Liability
Yes, please quoteNo, thank you
Theft & Money
Yes, please quoteNo, thank you
Computers & electronic equipment
Yes, please quoteNo, thank you
Business Interruption
Yes, please quoteNo, thank you
Machinery Breakdown
Yes, please quoteNo, thank you
Your quote request has been sent successfully, one of our brokers will contact you today! Close this notice.
Mandatory data breach notification laws within Australia came into effect on 22nd February, 2018 and with new regulations come new challenges for Australian business owners and employees surrounding information security and data breach response. Many organisations are facing regular scams and cyber attacks from criminals using sophisticated methods. Claims data reflects a majority of incidents stemming from a lack of employee security awareness within the business.
As of February 22nd organisations will be required to conduct an assessment of whether an eligible data breach occurred within 30 days of becoming aware that a suspected breach has occurred. If that organisation has evidence to believe that there has been an eligible breach, it must notify The Office of the Australian Information Commissioner as soon as they are able to do so.
Responding to an attack or breach can be extremely costly as business interruption expenses escalate quickly. The average time for an Australian SME organisation to resolve a data breach or attack is 23 days. Could your business continue trading without access to client information, websites, ordering or payment processing systems? We recommend performing a precautionary third party cyber risk review as soon as practicable.
Tips For Data Breach Response
The tips below are from a recent article by Reece Corbett-Wilkins, Associate at Norton Rose Fulbright from Insurance Law Tomorrow , which highlights five important steps to take before & after a data breach.
Develop and test internal response processes to ensure that potentially notifiable incidents are identified and reported to the legal / risk management function as early as possible. Valuable time can be lost in this initial phase.
Seek the assistance of external legal counsel and other service providers, where appropriate, to limit the potential exposure following an incident. External providers can advise organisations on whether remedial action can be taken to avoid the risk of harm from eventuating, which may remove the need to notify affected individuals and the Privacy Commissioner.
Although affected individuals and the Privacy Commissioner must be notified where required, organisations and agencies should not adopt a strategy of notifying all incidents as a matter of course. This is not the intention of the legislation and will cause notification fatigue. On the other hand, organisations and agencies should have a sound legal basis for not notifying, after having received external legal advice where appropriate.
Where an organisation or agency chooses to notify, the notification campaign should be well structured to monitor post notification liability risk from affected individuals, stakeholders and regulators. Organisations and agencies should manage their ongoing regulatory and claims risk post notification.
Notify insurers as soon as possible and obtain consent from insurers before taking any key steps or incurring costs. This will ensure that cover is not jeopardised due to late notification.
How will insurers respond?
Cyber insurance providers in Australia have a panel of experts assembled to resolve your particular incident quickly and cost effectively. Assistance is available 24/7 as insurance providers understand the importance of immediately rectifying the issue and returning to business as usual. These experts consist of incident response IT investigators, forensic accountants, lawyers, public relations and crisis management consultants. Working with a team of specialists to manage the notification process helps reduce unnecessary downtime and expenses.
Dedicated claims specialists will be assigned and should regularly communicate with you to investigate and manage the situation from start to finish.
Many insurers and brokers can assist with data breach response plans however individual organisations should prepare and test a plan catering to their operational nuances. We recommend keeping a physical copy of your incident response plan on hand as past attacks have seen plans and procedures stored on the network become encrypted and inaccessible.
Cyber insurance has been thrown around a lot in recent media articles due to the constant cyber threats faced by Australian organisations but reports have shown that in the U.S. 60% of companies who suffer a cyber attack will go bankrupt within 6 months. This percentage is staggering, many predict that it will be a very similar situation when more data is available for the Australian market.
The 2018 Allianz risk barometer report from 1,911 risk experts across 80 countries indicates that business interruption and cyber incidents rank as the number 1 & 2 major threats to companies through 2018 and in the future.
Aside from technical solutions, awareness and a strong security culture are the most important factors when preventing cyber attacks. A majority of cyber insurance claims stem from relatively simple methods like email phishing rather than the complex attacks which are seen in films. Let’s review some cyber insurance claims and see how these organisations were impacted and the costs covered by cyber insurance.
Hardware Store
Company background: Australian hardware store with approximately 20 employees and annual revenue of $5 million.
Description of event: In a standard case of phishing, an employee at a hardware store ignored internal policies and procedures and opened a seemingly innocuous file attached to an email. The next day the hardware store’s stock order and cash registers started to malfunction and business trade was impaired as a result of the network failing.
Resolution: The hardware store incurred over $100,000 in forensic investigation and restoration services. They also had additional increased working costs of $20,000 and business income loss estimated at $50,000 from the impaired operations. Total costs associated with the event came to $170,000.
Professional Services Firm
Company background: A professional services firm with 25 employees and approximately $7 million in annual revenue.
Description of event: A rogue employee accessed the human resource platform of a professional service provider. The employee acquired and sold social security information on the black market before being apprehended by law enforcement. Thereafter, several cases of identity theft were perpetrated against the professional service provider’s employees.
Resolution: The professional service provider engaged a forensics investigator and outside compliance counsel. It also notified employees of the breach, established a call centre, and provided monitoring and restoration services to impacted employees. Total costs associated with the event $75,000
Bottom Line
As can be seen by the above cyber insurance claims and previous articles hereand here, Australian businesses are vulnerable to a wide variety of scams and attacks from both internal and external sources.
Cyber insurance is a cost effective way to mitigate the expenses faced by all businesses after an attack or data breach.
Contact Cyber Insurance Australia today for a review of your existing insurance policies and a competitive quote.
Subscribe and follow Cyber Insurance Australia on Linkedin & Facebook for regular updates and information.
Many professional groups and associations are beginning to advise their members of the upcoming regulation changes which are going to impact the way businesses approach data and security.
As of February 22 2018 the Privacy Amendment (Notifiable Data Breaches) Act 2017will commence for Australian organisations. The amendment to the privacy act has been long overdue and will require organisations covered by the Australian Privacy Act 1988(Privacy Act) to notify any individuals likely to be at risk of serious harm by a data breach.
Data breach notification laws have been in the US since 2002 and have slowly been adopted by most states since inception. Europe has also passed the General Data Protection Regulation(GDPR) which was designed to harmonize data privacy laws across Europe. The updated regulation will be enforced from 25 May 2018 at which time organisations in non-compliance will face heavy fines.
What is a Notifiable Data Breach?
A Notifiable Data Breach is a data breach that is likely to result in serious harm to any of the individuals to whom the information relates.
An eligible data breach arises when the following three criteria are satisfied:
there is unauthorised access to or unauthorised disclosure of personal information, or a loss of personal information, that an entity holds
this is likely to result in serious harm to one or more individuals and
the entity has not been able to prevent the likely risk of serious harm with remedial action
Examples of a data breach include when:
a device containing customers’ personal information is lost or stolen
a database containing personal information is hacked
personal information is mistakenly provided to the wrong person.
Failure to notify could result in fines of $360,000 for individuals and $1.8 million for organisations according to the OAIC.
What is the Notifiable Data Breaches Scheme?
The NDB scheme requires organisations covered by the Australian Privacy Act 1988(Privacy Act) to notify any individuals likely to be at risk of serious harm by a data breach. Failure to notify could result in fines of $360,000 for individuals and $1.8 million for organisations according to the OAIC.
Investigating whether a notifiable data breach has occurred involves deciding whether, from the perspective of a reasonable person, the data breach would be likely to result in serious harm to an individual whose personal information was part of the data breach. For the NDB scheme a ‘reasonable person’ means a person in the entity’s position (rather than the position of an individual whose personal information was part of the data breach or any other person), who is properly informed, based on information immediately available or following reasonable inquiries or an assessment of the data breach.
This notice must include recommendations about the steps that individuals should take in response to the data breach. The Australian Information Commissioner must also be notified. Organisations will need to be prepared to conduct quick assessments of suspected data breaches to determine if they are likely to result in serious harm.
Not all data breaches are notifiable — the NDB scheme only requires organisations to notify when there is a data breach that is likely to result in serious harm to any individual to whom the information relates. For example, if an entity acts quickly to remediate a data breach, and as a result of this action the data breach is not likely to result in serious harm, there is no requirement to notify any individuals or the OAIC. There are also exceptions to notifying in certain circumstances.
What happens if your IT services provider or other third party with access to your network suffers an attack or data breach which allows your data to be exposed?
The legislation says that if more than one entity holds the same personal records, a breach at one could constitute a breach at the other. However it also considers that both organisations have complied with their notifiable data breach scheme obligations if only one notifies. Organisations are also allowed to decide amongst themselves which will be responsible for the reporting.
For more information about assessing a suspected data breach, please visit the OAIC Assessing a breach page.
or
For more information about notifying individuals about a breach, please visit the OAIC notifying individuals page.
Cyber Insurance
How does cyber insurance fit into the upcoming notifiable data breach changes? Cyber insurance policies are designed to assist a business or organisation with incident mitigation following an attack or breach using various resources and financial compensation. The majority of cyber insurers provide 24/7 incident response hotlines to assist businesses as soon as the incident is discovered with specialist vendors available for overall damage control.
Benefits of a cyber insurance policy include;
Access to the insurers response team
Assistance investigating and resolving data security
Privacy commissioner investigation costs
Cover for civil regulatory fines & penalties
The insurer can advise on the obligation to notify and draft the notification
Legal & public relations support
Customer notification and credit monitoring costs cover
Cover for impacts to profits & increased costs of working
Points to think about before 22 February 2018;
Review existing insurance policies for cyber exclusions and limits of cover
Arrange and test a business continuity plan which specifically addresses a cyber attack or breach
Draft a data breach notification plan
Review contract management and ensure that due diligence is done on contractors’ policies, particularly in the areas of IT security and personal information storage and collection
Only collect and store personal information if it is necessary
Test and ensure information security procedures for effectiveness
Contact Cyber Insurance Australia today for a free review of your existing insurance policies or to get a competitive quote.
Subscribe and follow Cyber Insurance Australia on Linkedin & Facebook for regular updates and information.
Cyber risk management is a hot topic for businesses across all industries, many high profile breaches have been in the media from financial institutions, healthcare organisations, law firms and IT companies. The construction industry is no different and definitely on the radar for cyber criminals.
In a piece written for VirginiaBusiness.com, Collin J. Hite, leader of the Insurance Recovery Group and the Data Privacy and Security practice at Hirschler Fleischer says, “The situation is getting so bad that businesses, large and small, finally are realizing that the question is not if they will get breached, but when. The construction industry is not immune from data breaches.”
Difficulties facing the construction industry
For many construction industry decision makers there is a mistaken belief that their organisations are not at risk because their business does not deal with the general public, have an online presence or handle large amounts of credit card information. While some may not consider construction to be a target, cyber criminals can see the vulnerabilities. Construction firms have access to large amounts of information such as confidential employee information, intellectual property, project plans and drawings, financial data and accounts, contractor details, etc.
Traditionally workers in the construction industry haven’t had to bat an eye lid regarding cyber security which has contributed to an overall lack of security awareness, training and skepticism towards cyber risks and insurance.
The Internet of Things is also presenting new challenges for the industry as terrific new equipment and methods are created with connectivity in mind. For example, internet connected field equipment which can be remotely controlled is hurriedly implemented for it’s efficiency but less forethought is given towards the security of these devices.
High Profile Incidents
Let’s take a look at some major cyber incidents which were targeted at various areas of the construction industry.
“The attackers got access to login credentials for Target’s computer network from one of their vendors, Fazio Mechanical. An employee fell victim to a phishing scam that allowed malware to be installed on the company’s computers. Fazio had access for electronic billing, project management, and contract submission and not because they were remotely monitoring and controlling any of the HVAC and refrigeration systems at any of their stores.”
“Multiple sources close to the investigation now tell this reporter(Brian Krebs) that those credentials were stolen in an email malware attack at Fazio that began at least two months before thieves started stealing card data from thousands of Target cash registers.” Krebs on Security.
German Steel Mill
The German Federal Office for Information Security (BSI) detailed in a report that attackers used booby-trapped emails to steal logins that gave them access to the mill’s control systems. This led to parts of the plant failing and meant a blast furnace could not be shut down as normal. The unscheduled shutdown of the furnace caused the damage, said the report.
In its report, BSI said the attackers were very skilled and used both targeted emails and social engineering techniques to infiltrate the plant. In particular, said BSI, the attackers used a “spear phishing” campaign aimed at particular individuals in the company to trick people into opening messages that sought and grabbed login names and passwords. The phishing helped the hackers extract information they used to gain access to the plant’s office network and then its production systems.
Once inside the steel mill’s network, the “technical capabilities” of the attackers were evident, said the BSI report, as they showed familiarity with both conventional IT security systems but also the specialised software used to oversee and administer the plant.
Turner Construction was the victim of a spear phishing scam in March when an employee sent tax information on current and former employees to a fraudulent email account. Hackers spoof the “From:” field in an email to make it appear to come from a trustworthy source, say from your CEO or CFO. Typical spear phishing scams include messages requesting personal information on employees such as names and addresses, Tax details, corporate banking account information, or login credentials.
In the case of Turner Construction, the information provided to the fraudulent email account included full names, Social Security numbers, states of employment and residence as well as tax withholding data for 2015. All employees who worked for the company in 2015 were affected by the data breach. Turner, which is headquartered in New York, is one of the largest construction management firms in the U.S. with offices in 24 states.
Cyber Insurance Can Help Protect Your Business
The cyber insurance market has already seen a surge in demand for stand alone cyber liability insurance policies as a direct result of the Notifiable data breach regulation which is set to begin from February 22nd 2018. A cyber insurance policy can protect against many potential incidents, including loss of data, cyber extortion, business interruption, identity fraud and malicious data damage.
A good policy will also cover defence costs and the cost of public relations experts, which is very important when considering reputational damage and loss of business which a data breach is shown to cause. A recent study showed that following a data breach or cyber attack, stock prices fall an average of 5%. Thirty-one percent of consumers impacted by a breach stated they discontinued their relationship with an organization that had been breached, and 65 percent lost trust in that organization.
Current scams and prevention methods should be regularly circulated for employee knowledge. There are a number of third parties offering a wide range of solutions such as All Secure IT Services which offer customised managed services for all IT needs or DDM Security Systems which offer email security and encryption solutions.
One email can breach the entire network and as a result we suggest getting employees to subscribe to and follow Cyber Insurance Australia on Linkedin & Facebook for regular updates or join the monthly newsletter at cyberinsuranceaustralia.com.au
Contact us on 1300 462 923 to discuss insurance options today.
Another month and another list of email scams being targeted at Australian business owners, let’s dive in and take a look at a few of the nefarious, clever and also simple ways criminals are attacking Aussies. September has been a big month despite major media coverage lacking after the previous Petya & Wannacry attacks.
Each day millions of malicious emails are sent to individuals and business owners with ever increasing sophistication. The scammers responsible for the below scams are part of well organised and funded criminal groups which put increasing amounts of effort into their activities.
Throughout September, Telstra has been impersonated multiple times from different scammers trying to leverage the telecommunication giants reputation and email billing system. As can be seen in the first image below, scammers have duplicated the Telstra email bill format, wording and branding from authentic bills in an attempt to increase legitimacy. Typically these scams advise that an outstanding amount is overdue and to follow the provided links for immediate payment. This scam however notifies many recipients that their account is actually in credit and is relying on the curiosity of victims to click without looking for suspicious warning signs.
The above email link initiates a malicious file download which is designed to steal sensitive information. In this instance scammers are using randomised account numbers, we recommend checking for warning signs such as sending address and a lack of personalisation. Official Telstra bills will have account holder information and personalisation.
A similar Telstra email scam made the rounds this month, not as sophisticated as the above duplicated email but just as malicious. As seen below, the email contains very few errors and ironically contains official links to other pages such as the Telstra email fraud page warning about exactly these emails.
Despite it’s lack of branding, many Australians were thrown by the well worded format and very close sending address to the official Telstra email bill address.
Xero
The below Xero email courtesy of Mailguard shows a very convincing Xero invoice which has been sent to Australian businesses. The email presents a PDF containing the invoice details in a very similar fashion to the official Xero emails. This scam relies on randomised amounts from random business names to intrigue recipients into checking the invoice.
The PDF is not an attachment but instead a link to download malware onto the recipients machine. The sending address appears to be legitimate at first glance but quickly you’ll notice the unusual ending of “@ post.xero.inc-r.com”, a good reminder to always check the sending address.
AusPost has been impersonated in the past but this particular scam uses Microsft OneDrive branding for the emails. The malware arrives as “AusPost Service Notification” with a randomised subject line similar to ‘AusPost Track – 123456789 -100-98765 Monday September’. Recipients are prompted to view the delivery details in OneDrive using the link provided.
Once clicked, the link takes recipients to a random web page where they are urged to download a .zip file containing malicious software designed to encrypt their information in exchange for a bitcoin ransom. According to the Australian Government, identical scam emails have also been seen impersonating the Australian Federal Police and e-Toll.
ASIC
Similar to previous ASIC scams we have written about in July, April and May. The government department was once again the victim of a large run of malicious emails from cyber criminals looking to impersonate the ASIC brand and reputation.
A sample email seen below shows how well duplicated this attempt is. The spelling and grammar has very few mistakes, they have used legitimate branding lifted from official documents and included links to the official privacy policy and ASIC help section. The two main red flags are the sending address , asic.transaction. no-reply@ ato.gov.autsl.com which according to Mailguard was registered 24 hours prior in China and the lack of individual personalisation.
Recipients are prompted to click a link to download their renewal notice. The link presents a suspicious .zip archive to download which contains malicious files designed to steal personal information. Look out for suspicious ASIC emails as they are a never ending target of impersonation by cyber criminals.
This was a small sample of the malicious emails which arrive in inboxes every day. Many scams operate in a similar fashion but use different brands for legitimacy, we will continue to report scams each month in an attempt to help raise awareness. Thanks to MailGuard for their regular blog updates on scam emails circulating in Australia.
In the event that your business is impacted by a cyber attack, data breach or email scam, cyber insurance is a cost effective way to mitigate the expenses, reputational damage and financial loss.
Subscribe to the newsletter and follow Cyber Insurance Australia on Linkedin & Facebook for regular updates and information.
Does your organisation rely on third parties and have you signed agreements with these parties?
Do you know what obligations have been assumed in these agreements?
Does the contract cover losses or damages that arise from a data breach or cyber event?
Does your current insurance coverage clearly cover requirements of these contracts?
These are important questions facing Australian businesses as a greater reliance on technology and third-party vendors continues to increase significantly.
As public awareness of cyber risks and attacks continues to increase, more decision makers are requesting contractual cyber insurance liabilities be specifically addressed similarly to public liability.
Why is cyber insurance appearing on contracts?
Many Australian organisations are beginning to see contractual cyber insurance requirements across a wide variety of industries as cyber risk awareness increases. One way for organisations to protect themselves from financial loss, the expense of regulatory fines, penalties and reputation damage in the event of a data breach is to require contractors and vendors, with access to customer and employee personally identifiable information, to carry a cyber insurance policy.
Currently it’s common practice for vendors to provide proof of certain types and amounts of insurance cover and in some cases having their business named as an additional insured on vendor insurance policies. The types of losses, damages, and costs that arise from a data breach are often not covered by the standard insurance policy requirements listed in typical vendor contracts. Businesses without contractual cyber insurance requirements may leave themselves exposed to unexpected and uninsured losses.
Costs which can follow a breach
Many surveys have indicated that executives are unaware of the full scope of direct & indirect costs which can arise from a cyber attack or data breach.
Direct costs can include:
Forensic IT expenses to determine the cause of the breach and extent of data loss
Business interruption and increased working costs to keep the business operating as usual
Breach notification and response costs
Legal fees
Public relations expenses
Providing credit monitoring and identity theft restoration services
Indirect costs can include:
Loss of income
Goodwill and reputational damage
Should you require vendors to have cyber insurance?
We believe so, businesses currently require their vendors or contractors to indemnify them for public liability, professional indemnity and other current lines of insurance while completing the work. The same consideration should be shown for personally identifiable & sensitive data which could be compromised while the work is undertaken. Serious harm can be caused to an individual or business as a result of a data breach, anything from financial loss, emotional or reputational damage and even physical damage has been shown to occur.
All third parties who have access to customer or employee personally identifiable information should be having a conversation about sharing or transferring the risk of loss through cyber insurance if there is a data breach. Cyber insurance policies, among other things, typically cover the cost for computer and data loss restoration, notification costs, credit monitoring, and liability to third parties from your failure to handle, manage, store, and control personally identifiable information belonging to others.
The majority of Australian businesses collect and store data about their clients which in most cases is managed by an IT managed services group. According to a May 2016 Ponemon Institute report, 75% of the Australian IT and security professionals surveyed stated that the risk of a third party’s breach is a serious concern and increasing within their organizations.
Current Government View
Regulators in Australia have increased their efforts to bring cyber risks to the attention of organisations with both the Office of the Australian Information Commissioner (OAIC) and the Australian Investments and Security Commission (ASIC) providing regularly updated information and resources.
“While in its infancy in Australia, the rapidly growing cyber insurance market may help enforce improved cyber security performance.” “Although some organisations may be implementing international cyber security standards that all organisations can achieve, others are not doing so. In our interconnected world, a solid baseline of cyber security practice is critical to achieving confidence online.” — Australian Government Cyber Security Strategy
The Australian government has recently established a Notifiable Data Breaches scheme to address the growing concern around data breaches and privacy. Full details can be found here – OAIC
The passage of the Privacy Amendment (Notifiable Data Breaches) Act 2017established a Notifiable Data Breaches (NDB) scheme in Australia. The NDB scheme requires organisations covered by the Australian Privacy Act 1988(Privacy Act) to notify any individuals likely to be at risk of serious harm by a data breach. This notice must include recommendations about the steps that individuals should take in response to the data breach. The Office of the Australian Information Commissioner (OAIC) must also be notified.
Organisations will need to be prepared to conduct quick assessments of suspected data breaches to determine if they are likely to result in serious harm.
If the Privacy Act 1988 (Privacy Act) applies to your business, you will need to be aware of the risks of a failure to secure data where that failure results in a breach of the Privacy Act. The Privacy Act requires entities to take reasonable steps to protect personal information such as customer details. Significant penalties may apply to you if they are responsible for a breach of the Privacy Act. These include fines of up to $360,000 for individuals and $1.8 million for corporations as well as the potential for a compensation order being awarded.
At Cyber Insurance Australia we believe the Privacy Amendment will continue to drive contractual cyber insurance requirements in the future as more organisations are made aware of their costly responsibilities towards data security.
We will continue to update this page with further developments as the landscape changes for Australian businesses.
Contact us to discuss upcoming changes which may impact your business.
Subscribe and follow Cyber Insurance Australia on Linkedin & Facebook for regular updates and information.
The ACORN or The Australian Cybercrime Online Reporting Network has released the second quarter 2017 cyber crime report to help raise awareness and provide tips for business owners. ACORN offers a place for Australians to report attacks and find advice about the ever evolving digital risk landscape.
An August 2017 report from cyber security firm Webroot surveyed 600 IT leaders from SMEs in Australia, the US and UK to calculate the average business cost resulting from a cyber attack.
In Australia, they estimated the average cost at $1.89 million, half of the Australian respondents to the survey also believe that their business would face costs of more than $1.3 million if customer records or critical business data were lost.
The ACORN has seen an average of 130 reports per day so far this year and an increase of 76 reported events from the first quarter 2017 results. The top form of reported cyber crime continues to be scams and fraud at 51%, this includes ransomware, business email compromise and other forms of email fraud which we wrote about in more depth, Email Fraud & Cyber Insurance.
According to industry reports, 91% of cyber attacks originate with an email and aim to trick or confuse the recipient. Every day a flood of malicious emails are targeted at Australian businesses with evolving tactics and exploits, making it as important as ever to educate staff, update continuity plans and institute a robust security solution. The average interruption to an Australian business from a cyber attack takes 23 days to resolve.
Once again Queensland has reported the most incidents with 28% followed closely by Victoria at 27% and New South Whales at 22%. We can also see a very wide age bracket for attacks with 74% of victims between 20 and 60 years of age. Just as technology doesn’t discriminate with age, neither does cyber crime, these attacks are sent to anyone and everyone. Reports have also increased to 7% for the under 20 year old bracket from the 1st quarter report as mobile & iPad take up among younger generations increases.
At this stage there is no silver bullet to protect your business from cyber crime. Security awareness training for staff, strong Information Security procedures, business continuity plans addressing cyber threats and a well defined cyber insurance policy are the main areas for mitigating cyber crime exposure in your business.
Acorn top three tips for staying safe online
In the event that your business is impacted by a cyber attack, data breach or email scam, cyber insurance is a cost effective way to mitigate the expenses, reputational damage and financial loss.
Subscribe and follow Cyber Insurance Australia on Linkedin & Facebook for regular updates and information.
It’s time for Cyber Insurance Australia to review some of the new email scams which targeted Australian businesses this July.
Today, as employee education continues to increase, criminals are very fastidious and clever with their malicious email scam attempts. No longer are the email scams poorly worded and as easily spotted by the general public. Criminal organisations are spending considerable amounts of time and money to deceive and scam Australians.
As always, ASIC makes it onto the list with another malicious attempt at using their likeness to fool unsuspecting business owners. Each month different email scams using ASIC branding are sent to millions of Australian email addresses with no end in sight. This particular scam as seen below, informs recipients that their business name is due for renewal. Simply click on the included link to download the renewal notice.
As you may suspect, the attached file is malicious and once opened could contain a virus, ransomware or other form of malicious software designed to interrupt or damage a system or data. These emails typically look well formatted with official branding from the government body or brand being impersonated. In this particular email scam the sending address “ASIC.Transaction. No-reply @ asicdesk.com” is fake and the sending officer “Myra Tango” does not appear to exist as an employee at ASIC.
We previously wrote about other ASIC scams in May, April, February and January. It is safe to say that this won’t be the end of this type of ASIC email scam, we recommend discussing typical red flags with all staff to avoid an accidental incident.
ANZ bank has had a run of very well formatted scam emails targeting their customers during July. The emails inform recipients that their account statement is ready and available to view. Banks within Australian commonly email notifications that account statements are available but with some important differences.
As can be seen in the first screenshot, the body has been well written and the branding is official and taken from legitimate ANZ statement emails. The sender is listed as “statements@ anzcommunications.anz.com” which is the official email address used by ANZ to send their legitimate statement notifications. When hovering over the sender name the actual sending address is “statements@ anzhost.org” which is fake.
Similar to the ASIC scam above, once the recipient clicks the “view statement” button a download is launched which contains malicious software. Malware is designed to steal private information, damage or destroy data and disrupt computer systems.
The below screenshot is a legitimate ANZ statement notification email for comparison. The fake email scam even has the official Australian financial services license details, help desk number and security notice to help establish legitimacy. Official bank notifications will never include the statement or any attachments. Legitimate ANZ emails will prompt customers to view their statement online using the ANZ banking portal.
Australian banks are regular targets for a number of reasons such as high technology adoption by the Australian public. We previously wrote about similar scams mimicking NAB and Citibank in past months.
Both Origin and EnergyAustralia have had another month of email scams targeting Australians. The theme of the scams is to imitate the email invoices sent out regularly by both energy organisations. In each case this month the branding and legitimate email details have been copied almost perfectly in an effort to dupe recipients. The emails show a typical energy email bill notification showing a random amount and upcoming due date. The scam emails contain different amounts and dates in an attempt to avoid detection from security software.
Both emails have a “view bill” button which downloads a .zip file with malicious Javascript contained within. According to MailGuard, the malicious payload is designed to:
Delay the analysis task by a long amount of time.
Steal private information from local Internet browsers
Install itself for autorun at Windows startup.
Example of EnergyAustralia scam email
Example of EnergyAustralia scam email
In some instances the due date has been incorrectly generated as a past date which is one red flag to identifying these scams. Other red flags are the random sending address, for example “noreply@ syrenergy.com”,” reply@globalenergyfinance .com” or “noreply@ energy2u.info”. Official email billing addresses to keep an eye out for, anything else is fake:
Millions of email scams are circulated daily to unsuspecting business owners and individuals. Awareness is half of the battle against a never ending wave of scams and phishing attempts, the other half is adequate email security.
In the event that your business is impacted by a cyber attack, data breach or email scam, cyber insurance is a cost effective way to mitigate the expenses, reputational damage and financial loss.
Cyber Insurance Australia reduces the costs of cyber crime for your business.
Share this list with your colleagues to help spread the word before one of these nefarious emails ends up at your business.
The ASIC website offers the following advice for avoiding email scams:
Keep your antivirus software up to date
Be wary of emails that don’t address you by name or misspell your details and have unknown attachments
Don’t click any links on a suspicious email.
Above all we recommend educating employees to recognise suspicious emails and unusual behavior without curiosity getting the best of them.
Each month Cyber Insurance Australia takes a look at some of the email scams being targeted at Australian business owners. June has been a big month in the news with the Petya ransomware attacks getting major media coverage around the world and across Australia after our beloved Cadbury chocolate factory fell victim.
Each day around the world millions of malicious emails are sent to individuals and business owners with ever increasing sophistication. The scammers responsible for the below scams are part of well organised and funded criminal groups which put increasing amounts of effort into duping as many people as possible.
According to MailGuard, ” Cybercriminals have been inundating Australians with fraud emails this month, with the number of large-scale scam email attacks as high in one day as an average week.”
Yet another government department has been impersonated in a large scale email scam this month. Over the past few months we have written about scams being targeted at ASIC , MYGOV and the ATO. This month Australians received an email from the NSW Roads & Maritime Services department regarding an E-Toll account statement. The email which can be seen below shows a well copied email template which uses the official Roads & maritime branding, logo and privacy statement.
The email directs recipients to view the attached statement which contains malicious software. This email scam doesn’t address recipients by name, hold any personal information or indicate an overdue toll amount, it simply relies on the curiosity of people to open anything from an authoritative source. Malware is designed to interrupt, destroy, gain control of or steal data from a computer system.
This definitely won’t be the last time a government department is impersonated for email scams.
EnergyAustralia was also impersonated this month with fake invoices being sent with randomised amounts due within a matter of days. Cyber criminals will randomly generate an amount for the invoice in an attempt to avoid detection from security software. The email seen below shows a well duplicated and legitimate looking email from EnergyAustralia.
The email scam was sent from “noreply@ energyagent.net”, a domain recently registered in china. The email contains a “View bill” link which downloads a nefarious “EnergyAustralia Electricity bill.zip” file containing malware. Always check small details such as the sending address when receiving suspicious emails.
If you have received this email, you can report it to EnergyAustralia by forwarding the email to staysafe@energyaustralia.com.au. Please send the hoax email as an attachment if possible. Don’t forward the hoax email to anyone else.
Once you’ve sent the hoax email to staysafe@energyaustralia.com.au, delete it from your inbox immediately. Then empty your Deleted Items folder.
EnergyAustralia’s advice regarding email scams from their website.
MYOB
In the lead up to End of Financial Year criminals are targeting businesses using the popular accounting software package MYOB. Criminals are using the MYOB brand in their email scams for added legitimacy. The emails indicate an attached invoice for a random amount of money which was due in April 2017. The business names used in the email scam are unrelated and are added to help deceive their recipients.
According to MailGuard, the “view invoice” button links to a .ZIP file which contains malware. This type of malware can steal private information from internet browsers, automatically run the malicious software at windows startup and more.
MYOB is no stranger to impersonation tactics from cyber criminals, many email scams rely on large brands which businesses have a high chance of working with to catch unsuspecting victims.
Origin Energy
Origin are a regular target for email scams as a large number of their customers receive email correspondence and Origin provide services for such a high percentage of Australians. Origin have had their brand impersonated numerous times in the past, the continued use of their branding and other energy providers indicates the efficacy of this type of scam. The most recent Origin email scam comes just days after Origin officially announced price increases via email which added to confusion for recipients.
The below email was sent from the recently registered domain, noreply@ globalenergyfinance.com, instead of an official Origin address.
In the past, these email scams were often noticeable due to the poor wording used and lack of legitimate logos, branding and contact details. The above Origin scam which MailGuard estimates was sent to approximately a quarter of Australian businesses is clearly well written and shows an increasing level of sophistication.
Very similar to the above approaches, when recipients click the “View bill” button a download is prompted which contains a malicious file named “Origin electricity bill.js”. The malware in this scam is similar to the above MYOB malware which can
steal private information
Install itself for autorun at Windows startup
Implement a process that significantly delays the analysis task
Last month the media reported on the global “WannaCry” outbreak but June saw “Petya” take the spotlight. Similar to other forms of ransomware, the basic principle is to interrupt and lock the victims computer operations while demanding a ransom paid in bitcoin. The amount demanded for Petya appeared to be $300USD and infected hundreds of thousands of computers. Many victims around the world are left scrambling including Russia’s biggest oil company, Ukrainian banks and multinational shipping and advertising firms.
The Tasmanian Cadbury chocolate factory had production halted when the computer systems were attacked. “It’s a highly advanced site and highly automated. Most of the production process is controlled by computers,” said John Short of the Australian Manufacturing Workers’ Union regarding the Cadbury factory.
In a statement, Cadbury’s parent company Mondelz International said they “do not know when our systems will be restored” and “We continue to work quickly to address the current global IT outage across Mondelz International,”.
Below is a screenshot of what victims are faced with after infection.
“It’s like the NSA built a kind of digital Ebola, used it secretly for five years, and now it’s out in the wild. #Petya” – Nicholas Thompson, Editor in Chief, Wired.
Stay Smart Online has released the following information regarding the Petya ransomware and what businesses can do:
There are very simple steps you can take to reduce the risk of your personal and business records being impacted by Petya ransomware. The top two steps are:
Immediately install the latest Windows updates for applications, software and operating systems. Note that updates are also available for Windows XP.
Cyber Insurance Australia can help reduce the costs of cyber crime for your business.
Each month we will be updating and reporting new malicious emails making the rounds for Australian businesses.
Subscribe and follow Cyber Insurance Australia on Linkedin & Facebook for regular updates and information. Thanks to MailGuard , subscribe to the security blog for regular updates here.
Share this list with your colleagues to help spread the word before one of these nefarious emails ends up at your business.
Public awareness continues to slowly increase with reports of major data breaches and cyber attacks. As a result, a large number of Australian business owners are looking at cyber insurance to mitigate the high costs involved with a data breach or cyber crime.
The number one question we are asked when discussing cyber insurance is how much does cyber insurance cost? followed by, what does cyber insurance cover?. Often times the cost of the policy is a greater factor on whether to purchase a policy than the policy coverage itself.
Many business owners are hesitant to add another insurance cost to their existing expenses, especially if they have not had any direct impacts from a cyber attack.
A few important variables which can influence your cyber liability insurance cost:
The Limit of Liability – The higher the policy limit required, the higher your policy cost will be.
Security measures in place – A major factor is the security systems and procedures in place. A business with regular backups, employee security training and encryption requirements will have a better overall risk exposure than a business which doesn’t.
Staff numbers – Staff size is a good way to get a broad idea of the amount of information and access points a company may have. Internal threats from employees are one of the largest causes of cyber crime.
Unique risks for your business –Depending on the nature of your business, you may face a higher level of risk than another business. For example, a medical clinic which holds sensitive information or a business with valuable third-party intellectual property may attract a higher premium.
Optional extras – Some insurers offer additional cover for phishing and cyber theft which come with an additional premium. These risks, although in a digital form are normally excluded.
How much could a cyber attack cost my business?
According to the Australian government, the average cost for a cyber attack is $276,323 and 50% of that cost is spent on detection and recovery.
The average time to resolve an attack is 23 days which is increased to 51 days if the attack was a malicious insider, employee or contractor.
A massive 40% of the impact on a business is due to business interruption with data loss coming in at 29%.
Could your business survive the costs and interruptions lasting 23 days or more?
