Increasing cyber risks: is the industry prepared?
With so much of the Australian workforce currently working from home and remotely, more and more businesses are being targeted by cyber criminals every day.
Along with the growing amount of data and online information exchange comes additional risk, including:
- business operational risk
- crime risk (including monetary theft)
- legislative risk.
The statistics confirm that businesses both big and small are affected by these three key risk areas. The Australian Government’s ‘Stay Smart Online’ initiative published the following statistics:
- 700,000 Australian businesses have experienced cybercrime in the past five years
- an average cost to the business of $275,000
- $205 is the average cost per record in a privacy breach.
Industry statistics also tell us that 30 per cent of cyber events result in productivity loss and 25 per cent of cyber events result in revenue loss.
When it comes to the mining and resource sector and the rush to get people working from home, security risks have unfortunately often taken a back seat. When you move your office into the home, a number of things can make your business more vulnerable.
Examples of key remote working risks
1. Home WiFi
A common example is the use of home WiFi with a standard router that still has its default password, which is widely known and easy to guess. This becomes a weak entry point for hackers into your business’s IT systems. Some staff are working from home in share houses (with family access) where computers and laptops are shared across multiple users, creating multiple points of attack.
2. Sensitive information saved to a local drive
For convenience, sensitive information and documents are increasingly being saved to local machines and taken outside the work environment because ‘the WiFi is too slow’ and it’s easier to work on those documents from the local machine. This creates a vulnerability if that local laptop becomes compromised.
3. Information saved in the cloud
We often have mining consultancy businesses telling us they are safe because all their information is ‘in the cloud’. But this is not a risk-free environment, and it still requires businesses to set up their IT infrastructure with security in mind. A very common example is Office 365, used by many businesses, which can be vulnerable to attack if you do not configure it securely. It is recommended that all businesses use multi-factor authentication to protect against unauthorised access to their IT systems.
One resource consultancy business used a third-party cloud-based software provider to hold confidential client information. The cloud provider advised the consultancy business that their account had been accessed by an unauthorised identity who had deleted data relating to their clients. As a result of the hack, the business was unable to operate as usual due to the missing data and limited access to their software. The resulting rectification required a specialist IT forensic consultant to help the business investigate whether their own systems had also been compromised, and significant business interruption costs were incurred while IT systems were being checked and restored.
What are the threats? Examining cyber events
As touched on above, there are a number of ‘cyber events’ that pose risks to resource professionals and their businesses. These include:
- unauthorised system access
- electronic attack
- ransomware and cyber extortion
- privacy breach via accidental disclosure or rogue employee
- DoS attacks, malware, spyware
- virus transmission
- unauthorised EFT (electronic funds transfer)
- corporate identity theft
- theft of client funds/funds in trust or escrow
- changed bank details.
Three cyber trends worth highlighting
1. Ransomware/cyber extortion
These incidents involve being locked out of your IT system and having to pay a ransom to be given access back to your systems and database.
A mining industry consultancy had their IT system compromised by a ransomware attack. Client data and working documents were encrypted, and the business could not access its client data and documents. A law firm was also required to assist the remediation process and advise whether the business had to report the matter to the Privacy Commissioner.
2. Hacking/virus breach
A hacker was able to gain access to a business’s computer system and network through an exposed Remote Desktop Protocol (RDP) connection. This exposed the network directly and bypassed the more secure connection of a Virtual Private Network (VPN). The hacker then obtained administrator access and launched encryption across the servers. Restoration from backups was not entirely successful, resulting in loss of data and costs incurred to get systems up and running. In addition, because sensitive client data had been accessed and stolen, a privacy breach had to be reported to the Privacy Commissioner, which involved additional costs and expenses.
3. Social engineering fraud (theft of funds)
A mining consultant’s email was accessed by a hacker who posed as that mining consultant and sent multiple emails to their bank instructing that funds be transferred into the hacker’s bank account. When the consultant discovered that three unauthorised payments had been made, they immediately contacted the bank to freeze the funds. Not all of the unauthorised transactions were able to be recovered.
We have also seen incidents inside larger consultancy firms of a hacker posing as a manager or owner (known as social engineering or impersonation fraud) and authorising the payment of fake supplier invoices that are then paid into the hacker’s bank account.
Over 50 per cent of businesses wrongly believe cyber is an ‘IT problem’. But the Office of the Australian Information Commissioner (OAIC) statistics tell us that 37 per cent of privacy breaches notified to OAIC in 2018 were a result of human error.
Social engineering fraud primarily targets people, not systems. IBM research has identified three ways to reduce the impact of cyber events:
- incident response (your own IT assistance or insurer-provided assistance)
- use of encryption
- continual employee training (cyber awareness).
Investing time and effort in the above practices can help reduce the likelihood and impact of a cyber event. Of course, it is not a guarantee or failsafe approach to managing these risks, so we recommend being proactive with such risk management and, in addition, looking at purchasing cyber insurance protection.
Insurance cover for cyber risks
Insurance protection can provide cover for the cyber and privacy costs incurred, cover your own losses (business interruption) and also cover crime losses (sums of money stolen).
There is a range of cyber insurance products, and the cover can vary broadly. For example, many policies exclude different elements of cybercrime losses, which significantly affects the price of the insurance. An example would be cybercrime (theft of funds) cover, which is often excluded from many cyber insurance quotes. Different insurance products can be tailored for different businesses, so it is highly recommended to obtain advice from an insurance broker with expertise in cyber insurance offerings for the mining and resource sectors.
If you would like any additional information on cyber risk and/or the costs of an insurance policy to cover these risks, do not hesitate to contact Austbrokers Countrywide. Email your enquiry to firstname.lastname@example.org or call Greg Hansen on Ph 1800 245 123.
Greg Hansen is a Director at Austbrokers Countrywide, the preferred partner for insurance services with the AusIMM.