Published on 13/09/2023 | Written by Heather Wright
Password = Password problem is not helping…
Data might be the new gold rush, and cybercriminals might be exploiting that to the hilt, but most attacks are far from ‘sophisticated’.
Chris Watson, a partner within Grant Thornton’s consulting team and cybersecurity expert, says businesses need to up their game, including with some basic security measures.
His warning comes as the number of accounts breached in Australia soars. Surfshark figures show 1.9 million Australians were breached in Q2 – or 72 leaked accounts per 1,000 residents and 15 leaked accounts per minute.
The ACCC says more than AU$3.1 billion was lost to scams in Australia in 2022.
They’re numbers Watson says are ‘pretty frightening’ in terms of the cost to Australia’s economy.
But he says he gets frustrated at reports of ‘sophisticated attacks’.
“More often than not, they’re really not. It’s because somebody has given up a password, someone has clicked on the link and allowed software to be downloaded. But it’s good for public relations to say it’s a sophisticated attack,” he says.
“Cybercrime is affecting businesses up and down the country. But not every organisation can survive the cost, the financial losses if they’ve had to pay a ransom and the cost of what’s being called cyber resilience, which is the time it takes to get back up. You have to pay lawyers and PR expenses – the cost to an organisation is significant,” Watson said during a session at The Tax Summit 2023.
Poor passwords remain a key issue: the most common password is still, yes, you guessed it, ‘password’, with ‘Password1234’ in second place.
“The basic exercise of improving passwords will go far in improving cybersecurity both as individuals when we’re working from home or when we’re in the workplace,” he says.
“I urge you to go out there and educate yourselves around passwords, whether you use password managers, passphrases, whatever. Just improve. Don’t use your favourite football team. Don’t use ‘password’.”
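As an added example, not taken from the article or from Grant Thornton, the following Python snippet turns Watson’s password advice into an enforceable check: it rejects short passwords, looks up both the raw password and a normalised form (lowercased, trailing digits and punctuation stripped, common leet substitutions undone) against a denylist of common passwords, and rejects passwords built from personal words such as a favourite football team. The denylist, the personal-word list, the 14-character minimum and the team name are all constructed for the example; a real deployment would load a breached-password corpus and per-account words instead.

```python
import re

# Constructed denylist for the example. A real deployment would load a large
# breached-password corpus (for instance a Have I Been Pwned export) instead.
COMMON_PASSWORDS = {
    "password", "password1234", "123456", "qwerty", "letmein",
    "welcome", "admin", "iloveyou",
}

# Constructed list of personal words the policy rejects. In practice these
# come from the account: username, employer, favourite team, family names.
PERSONAL_WORDS = {"collingwood", "grantthornton"}

# Minimum length chosen for the example; long passphrases are what we want.
MIN_LENGTH = 14

# Undo the usual "P@ssw0rd" substitutions so they collapse onto the base word.
LEET_MAP = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
    "7": "t", "@": "a", "$": "s", "!": "i",
})


def normalise(password: str) -> str:
    """Reduce 'Password1234', 'P@ssw0rd!!' and friends to their base word."""
    base = password.lower()
    # Strip the trailing digits/punctuation people bolt on to satisfy rules.
    base = re.sub(r"[^a-z]+$", "", base)
    # Then undo leet substitutions in what remains.
    return base.translate(LEET_MAP)


def check_password(password: str, personal_words=PERSONAL_WORDS):
    """Return a list of policy failures; an empty list means acceptable."""
    problems = []

    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    base = normalise(password)
    # Check the raw lowercased value and the normalised form against the list,
    # so "Password1234" and "P@ssw0rd!!!!!!!" both fail as 'password'.
    if password.lower() in COMMON_PASSWORDS or base in COMMON_PASSWORDS:
        problems.append("matches a common/breached password")

    for word in personal_words:
        if word in base:
            problems.append(f"contains personal word '{word}'")

    return problems


if __name__ == "__main__":
    for candidate in ("password", "Password1234", "P@ssw0rd!!!!!!!",
                      "GoCollingwood2023!", "correct horse battery staple"):
        verdict = check_password(candidate) or ["ok"]
        print(f"{candidate!r}: {', '.join(verdict)}")
```

The normalisation step is what makes the denylist useful: without it, a user blocked from ‘password’ simply submits ‘Password1!’ and passes. The length check deliberately comes first, because a long passphrase that is not on any list is the outcome the policy is steering people towards.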
He warned, too, that every organisation in the world holds something criminals are after: data, including names, addresses, phone numbers, credit card numbers and bank details.
“Cybercriminals are organised and they’re hacking, ultimately for money. The best way to get that money is to breach into the organisation and take the data out,” he says.
“Data is the new gold rush. These criminals are coming after the data.
“We’ve found that once they have access to the data, one of two things happen. One, they steal it, or two, they encrypt it to prevent you having access to it. When this happens you have to pay the money in order to get access.”
Phishing and spearphishing, in which attackers email or call people to extract the information that enables access, remain among the most common tactics, but third-party risk is currently one of the biggest, he says, pointing to the Medibank, Optus and Latitude breaches.
“Third-party providers were the weak links to those organisations. They had the backdoor open and allowed somebody to get in.”
He warns, too, of the AI threat: AI executes tasks that traditionally demanded human intelligence and resources, and does so with greater speed, precision and efficiency.
“AI is being used extensively to identify, sniff out and compromise systems. [Hackers] use a variety of tools and techniques to get that back door open.
“There’s social engineering where you go around and grab discrete pieces of information that when put together form a picture around what your security looks like, what your password is or how your systems are configured.
“And they’ll use that information against you.”
Hiring hackers on the dark web is also an option.
“Basically anyone can download a shrink-wrapped hacker package off the dark web for a certain amount, aim it at an organisation and not really understand the damage they’re about to cause,” Watson says.
Interestingly, he says we have a ‘romantic’ notion around hackers, particularly hacktivists hacking because they’re passionate about a cause such as environmentalism or animal welfare.
“This notion of there being honour amongst thieves is ridiculous, especially within the cybercriminal fraternity. There’s no such thing.”
He implored organisations to adopt stringent cybersecurity measures to protect themselves and their customers.
“If you are subject to any cyber attack, you must have a thorough and robust plan in place to cleanse the systems and get yourself back up effectively with a clean system.”
That can be in the form of backups or other sources, he notes.
“The rule of cyber is don’t trust, verify.
“You need to take the stance that you don’t trust anybody inside or outside your network. There have to be constant gateways and checks, whether that’s through multi-factor authentication or through multiple passwords for different parts of the business,” Watson says.
While improving password hygiene is one place to start, Watson also suggests checking out the Essential Eight, enabling multi-factor authentication, backing up systems, maintaining a ‘meaningful’ security awareness program within your organisation, and ensuring disaster recovery and business continuity plans cover ransomware and business email compromise attacks, and that those plans are tested.