How organisations big and small can step up cyber security

With the COVID-19 pandemic came a rise in fraud¹. The Australian Competition and Consumer Commission’s Scamwatch has reported more than 3,300 scams featuring a mention of the coronavirus totalling more than $1.6 million in losses since the start of the pandemic.²

Even before the pandemic, criminals tested the nation’s cyber security. According to Prime Minister Scott Morrison, Australia has been defending against ongoing digital attacks for a long time.³

“…Australian organisations are currently being targeted by a sophisticated state-based cyber actor,” he said at a June 19 press conference. “This activity is targeting Australian organisations across a range of sectors, including all levels of government, industry, political organisations, education, health, essential service providers and operators of other critical infrastructure.”³

He said the frequency and scale of the attempts was escalating.⁴ In response to the attacks, the Prime Minister announced the allocation of $1.35billion of defence funding over the next decade to enhance the Australian Signals Directorate (ASD) and Australian Cyber Security Centre (ACSC). In the process, the Federal Government wants to create 500 new jobs in its internal cyber intelligence agency.

The Association of Certified Fraud Examiners explains how times of crisis and recession can be especially inviting for fraudsters and scammers in its recent report, Coronavirus Pandemic Is a Perfect Storm for Fraud.⁶

Glenn Stuttard, Australia Post’s Chief Information Security Officer, agrees. “Unfortunately criminals prey on people when they’re particularly vulnerable and distracted, as they have been during COVID-19.”

The shifting landscape of cyber security

Stuttard says essential service organisations and other programs accessed by millions across the country can be popular targets for criminals. 

“We here at Australia Post experience regular attacks,” Stuttard says. “They don’t necessarily make an impact on customers, however we do have to remain adaptive in response to defending against them as threats change.”

He says COVID-19 significantly changed the types of attacks he and his cyber security team had to identify and prevent.

“We’re constantly responding to changing threat landscapes that we see. We’re always adapting our methods and education programs to align with those changes.”

Strengthening cyber security internally

“It’s important for organisations without large budgets to know it’s not just about spending money,” he says. “While baseline technical security controls are extremely important, there’s a lot of power in education. Somebody who doesn’t know what to look for and clicks on the wrong link or sends the wrong information could cause a major issue for your organisation.

For example, Australia Post is adding additional features to its internal email system so its users can easily report suspect emails. Employees can click a new button to report a phishing attempt, making it simpler to monitor the risk of malicious email attacks.

Australia Post is also training employees through phishing simulations, in which the cyber security team sends test phishing attacks to employees to assess how they react. The team tracks who clicks on phony links, who reports them and who simply deletes suspicious messages. This helps refine cyber security messaging within the organisation and tailor training.

“It’s a great way to measure effectiveness of communication and overall awareness within our business,” Stuttard says. This communication is key, as any investment in cyber security can potentially be undone by one poor decision.

Stuttard says more sophisticated fraud attempts are making it harder to identify false communications. “The line between a legitimate email and a fraudulent one is becoming increasingly difficult to differentiate.”

Here are some things to look out for:

1. Do not click on suspicious links in emails or text messages – especially emails requesting you to enter your account information.
2. Be cautious of emails asking you to act on financial transactions with a sense of urgency.
3. Be vigilant when opening attachments – ensure you are expecting the attachment and that it’s not suspicious.
4. Do not forward any suspicious emails from your personal email to your work email account.

Stuttard says if you are a victim of cyber crime or are having issues related to identity theft, you can reach out to IDCARE, Australia and New Zealand’s national identity and cyber support service, for help.

Following the lead of the Australian Cyber Security Centre (ACSC)

Stuttard says the Australian Cyber Security Centre (ACSC) can be an excellent source of information and guidance, even for organisations with fewer resources.

“The ACSC site gives you a structured way to approach this education, broken down by category or type of business.”

Smaller organisations, such as child care providers and local councils, might not have the same resources to dedicate to digital security as large corporates. According to the 2019 ACSC’s Cyber Security and Australian Business report, nearly half of the 1,763 respondents spend less than $500 a year on cyber security.⁷

Balancing access and security

During the COVID-19 pandemic, the government launched a series of programs – including JobKeeper, JobSeeker and early superannuation access – to help Australians stay financially stable during difficult times.

Unfortunately these programs also attracted cyber fraudsters. The ATO sent out a warning in May⁸ saying scammers were impersonating the organisation and asking for bank account details to facilitate payments. And more than 150 Australians were scammed out of superannuation funds⁹ through scams targeting the government’s early access scheme.

Australia Post’s Solution Lead Peter Unkles says it can be difficult to make these important resources available to those in need while also ensuring cyber security.

“You have to strike a balance,” he says. “To make it completely fool proof, there’d be too much friction in the process for people.”

For example, requiring five identity documents, a face-to-face meeting and biometric scanning and facial recognition could greatly increase security. But it would also be a barrier for many citizens to benefit from the programs.

“There’s always this balancing act between making programs strong and secure, versus reducing the number of people who can actually access it.”

That’s why having a range of digital and physical identity verification methods is key. Australia Post’s solutions, which include in-person checks at participating post offices around the country as well as Digital iD™, provide flexibility for different circumstances.

“You don’t want to exclude people from having access to benefits just because of where they live or how comfortable they are with technology,” Unkles says.

He points to an example of elderly Australians selling their homes to move into retirement villages. Property transactions have official identification requirements.

“A 95-year-old selling their home may not want to or be able to download an app and do a digital facial recognition check,” Unkles says. “It could cause them a lot of stress. It’s all about providing them with options.”

With the rise in fraud brought on by COVID-19 and ongoing attacks from overseas, strong cyber security should be an ever-present consideration for organisations of all sizes across Australia. But providing a frictionless consumer experience is also important if you want to ensure equitable access – especially for those most at risk.

Federal and ACSC guidelines can help you better protect your organisation from an evolving series of threats, regardless of resources available. This can help ensure Australians have one less thing to worry about in uncertain times, and build their confidence in your services.