Businesses need to understand the importance of being cyber safe. Cyber criminals are exploiting the global focus on COVID-19 and the new normal of working from home, to infiltrate networks and extort money.
In the World Economic Forum’s (WEF’s) Global Risks Report 2020, cyber-attacks ranked as the second greatest risk for business globally over the next decade. During a meeting of the United Nations (UN) Security Council in May 2020, the disarmament chief of the UN reported a 600% rise in malicious emails during COVID-19.
In Australia too, the Australian Cyber Security Centre (ACSC) warned of a significant increase in COVID-19 themed email ‘phishing’ attacks on businesses.
Cybercrime costs Australian businesses $29b each year
Abigail Bradshaw of the ACSC said that “Small businesses can be big targets for cyber criminals”. Attacks often involve cleverly disguised emails that lead unsuspecting business owners and employees to open malicious files. These scams and other cyber activity cost Australian businesses an estimated $29 billion each year. One reason small to medium-sized businesses are under great threat is that they do not have the sophisticated security systems and IT departments of bigger operations.
The Privacy Act requires businesses to take “reasonable steps to protect the sensitive and personal information they hold from misuse, interference and loss, as well as unauthorised access, modification or disclosure” (APP 11.1). The consequences of not doing so can be significant.
Scammers use a variety of approaches, from setting up fake online stores that sell protective gear such as face masks and steal victims’ credit card details, to taking control of a victim’s computer system and locking data until a ransom is paid. This type of extortion is becoming more targeted and costly, and recovery times can be long.
Five potential threats businesses need to be aware of:
Business email compromise, also called CEO fraud, where threat actors insert themselves into email threads to divert funds by exploiting technological and human vulnerabilities.
Ransomware, where threat actors take control of systems and lock data until a ransom is paid.
Cloud security – the increase in organisations outsourcing data storage to cloud-based infrastructure has increased security risks.
Internet of Things (IoT) risks come from a range of products, like printers, smart TVs, and automated home assistants, many of which have poor security.
Mobile devices and Bring Your Own Device (BYOD) which connect to corporate systems may be insecure.
Six things businesses can do to help them stay cyber safe:
Awareness: Promote a ‘stop and think before you click’ message amongst their staff.
Passphrases: Ensure that they and their staff use passphrases rather than passwords, e.g. lyrics to a song. They should be at least 12 characters long and include upper and lowercase letters, numbers and symbols for extra strength. Better still, use two-factor authentication, which typically requires the user to provide a secret only the user knows (like a passphrase or PIN) together with a second, separate factor.
Updating: Ensure all operating systems and application software update automatically where possible.
Anti-virus software: Install anti-virus software and an ad-blocking browser plugin on staff computers to help prevent malware compromising business computers.
Backup: Keep frequent backups of all critical information and systems, ensuring that backups are stored securely off site and not connected to the network to prevent their loss due to fire, theft or malware.
Subscribe to alerts published by:
Stay Smart Online: www.staysmartonline.gov.au/alert-service
Scamwatch: www.scamwatch.gov.au/news
Have financial protection should an attack slip through
In the event of an attack slipping through, it’s important for businesses to have financial security to handle and remediate the situation – which may include a ransom, data and application restoration, legal advice, data breach investigation and public relations, to name just a few. The financial impacts of cybercrime can be extensive and not always obvious.
Like COVID-19, there is no cure for cybercrime, just preventative measures and having the means to remediate the situation once it has taken place. To speak to a broker about cyber insurance, contact us today.
What are the key risks in the building and construction industry?
Construction projects involve multiple stakeholders and are often undertaken on challenging sites. Construction businesses must often manage changes to scope or orders, poorly written contracts and specifications and complex project management issues. They may need to deal with labour and materials shortages, or theft of tools and materials.
Subcontractors and suppliers can provide extra stress for construction firms, as can the rising number of extreme weather events. What’s more, cybercrime is an emerging threat to construction businesses, which often use insecure connections from mobile workplaces, and share files and data with stakeholders outside the business.
Who should consider insurance?
Whether you’re an owner builder, a contractor or a large construction company, you’ll need a range of insurance covers to safeguard your workers, building and equipment.
“The construction industry generates over $350 billion in revenue, producing around 8% of Australia’s Gross Domestic Product, and has a projected annual growth rate of 2.5% in the next five years.” Australian Industry and Skills Committee, Construction, 2020
Did you know?
12,600 – The average number of serious claims per year over the last 5 years. (Safe Work Australia, Construction Industry Profile, 2015)
The construction industry had the fourth highest rate of serious claims in 2012-13. (Safe Work Australia, Construction Industry Profile, 2015)
What insurance should you take out – and what can it cover?
Insurance can protect you and your employees onsite, on the way to work and in your office.
Protects any buildings under construction and construction equipment. This cover may include protection against:
• natural disasters like fire, earthquake, storm, flood, wind and water damage
• damage to property caused by defects, theft and malicious damage or vandalism or smashed glass
• third-party personal injury and property damage.
Safeguards your business premises against:
• equipment or machinery breakdown
• employee dishonesty
• property or glass damage
• legal issues, with public and products liability
• tax audit
• theft, and theft or loss of money.
Safeguards you and your business against expenses and legal costs if your website or other systems are hacked and your system cannot be used or customers’ details are stolen.
Takes care of your valuable business vehicles with cover to:
• help if you or your staff damage another person’s vehicle
• repair your vehicle after an accident or replace it if it’s written off
• replace a lost or stolen vehicle
• safeguard you against legal liability.
Protects you against legal action from a client for breach of professional duty. This type of insurance is often required by building contracts.
What usually isn’t covered?
Exclusions, the excess you need to pay and limits of liability can vary greatly depending on your insurer and the requirements of your business.
The Insured received an invoice, purportedly from a known supplier, requesting payment for an outstanding debt. The Insured transferred $27,000 in accordance with the email instructions. The next week the Insured discovered that the email was fraudulent and payment had been made to a hacker.
As the Insured did not have the optional Social Engineering cover under their policy, they were unable to claim for the direct financial loss suffered as a result of making the fraudulent payment. The Insured was able to claim for remediation costs in relation to the attack, given there was a threatened Network Security Event.
The Insured’s director noticed that some documents on their server had been deleted. Further investigations were undertaken and it was discovered a hacker had been accessing the Insured’s system for the past 2 months.
The Insured notified the insurer who hired an IT Forensic Consultant to review the Insured’s systems. It was discovered 800 client files had been accessed which included private details such as driver’s licenses and passport numbers. A specialist firm was appointed to monitor whether any client identities were stolen or sold as well as a law firm to advise on the data breach issues and draft a notification letter to all affected parties. It was determined that the Insured had to report the incident to the Privacy Commissioner and the appropriate steps were taken to secure the information they held. Remediation costs were also covered to rectify any issues with the Insured’s system.
A hacker impersonated a client of the Insured, using an identical email address. The hacker emailed the Insured advising that future payments should be made to a new bank account. When the Insured was due to pay the client, they paid $41,000 into the fraudulent account.
The Insured claimed against their Cyber policy which triggered the optional Social Engineering cover. Indemnity was granted for the direct financial loss suffered by the Insured.
The Insured hired a contractor to perform works on one of their properties. The Insured received an invoice for $13,000 from the contractor. The following week the Insured received an email claiming to be the contractor, stating that their bank details had changed and provided the new details. The Insured subsequently paid the $13,000 into the ‘new’ bank account. A few days later the contractor followed up the Insured for payment for their works at which time it was identified that their emails had been compromised and the Insured had paid a fraudulent account.
The Insured made a claim on their Cyber Policy and after conducting investigations, indemnity was granted under the optional Social Engineering Fraud cover. The Insured was reimbursed for the direct financial loss suffered as a result of the fraud.