Simply relying on technology such as spam filters, anti-virus/malware and firewalls isn’t enough to comprehensively protect your firm from cyber-attacks.
Many large companies and government organisations have experienced significant cyber-security incidents despite investing large sums of money not only on technology, but also by hiring dedicated cyber-security experts who keep watch around the clock. Cyber-criminals are becoming more sophisticated and can defeat just about any system and technology put in place. They are increasingly building their arsenal of attack vectors and continually search for weak points to access sensitive information. Now, you may be thinking, “why would cyber-criminals target my small company?” The answer is simple – you are most likely an easy target and a possible way into you big clients (large corporate and government departments). A good example is the 2017 attack on the Australian Defence Force’s multi-billion dollar Joint Strike Fighter program and surveillance plan projects where 30 gigabytes of data were stolen including information on its warship and submarine fleet (Clout, 2018). How did the cyber-criminals get into the ADF? They managed to hack their way into the ADF through one of their smaller sub-contractors.
The weakest link in any organisation is people – do you really know what your employees are getting up to online? Dark Reading’s Strategic Security Survey showed that over twenty five percent of cyber-security breaches are caused by insiders – your trusted employees. The report also found that 44 percent of organisations say authorised users and employees pose the greatest threat to data security and 61 percent of organisations believe negligent users will be the primary cause of a data breach in the next 12 months (Vijayan, 2018). Cyber criminals understand these weakness and use to their advantage by launching sophisticated cyber-attacks including social engineering and advanced persistent threats (APT) to get to the information they’re after.
Professional services firms, in particular accounting and legal firms, have rich client data and a wealth of personally identifiable information. This type of information is attractive for cyber-criminals. More importantly, professional services firms are knowledge-based organisations that rely heavily on computer and information systems. Therefore, reliable uninterrupted access to systems and data is crucial for business operations. An excellent case study of how a professional services firm suffered as a result of a cyber-security attack is DLH Piper. DLH Piper, like many large global companies, had their entire operations crippled by the Petya ransomware in June 2017. The Petya ransomware attack struck across the globe, taking out servers at Russia's biggest oil company and shutting down computers at multinational businesses, including the Australian offices of DLH Piper (ABC News, 2017). Ransomware is malicious software that locks up computer files with unbreakable encryption and then demands a ransom in the virtual currency bitcoin for its release.
Global law firm DLA Piper was the victim of this cyber incident and it is believed that the initial site that was infected was based in Eastern Europe. Australian staff were advised that all DLA Piper IT systems have been taken down to contain the situation and were warned not to attempt to log in to their computers or turn them on. DLA told its employees that is was unlikely IT systems will be fully restored during the course of the business day in the Asia-Pacific region (ABC News, 2017). It took DLH Piper 2 weeks to fully restore their IT systems. During this time, employees were encouraged to work from home and use personal email messages to communicate with clients.
Fortunately, there two important strategies you can implement to reduce your risks – educate your people and take out a dedicated cyber-insurance policy. Education is an important component to protect your business and employees from cyber-attacks. In the DLA Piper case, the ransomware that infected all computer systems globally would have started from at least one person opening a malicious email. Business Email Compromise (BEC) and email Phishing remains the most widely used cyber-attack vector. Organisations that have trained their users through simulated phishing tests and security awareness training can significantly reduce these risks. From a risk management and business insurance perspective, many insurance companies now offer dedicated cyber-insurance policies that provide further cover for your business. The premiums on cyber-insurance policies can be reduced by demonstrating an organisational wide commitment to reducing the risks of cyber-attacks by implementing appropriate technologies, strengthening business processes and investing in the education your employees.
ABC News 2017, ‘Petya cyber attack: Ransomware virus hits computer servers across globe, Australian office affected’, ABC News, accessed 8 February 2019, <https://www.abc.net.au/news/2017-06-28/ransomware-virus-hits-computer-servers-across-the-globe/8657626>
Clout, J 2018, ‘More needs to be done by SMEs on cyber security: Angus Taylor’, Australian Financial Review, accessed 18 December 2018, <https://www.afr.com/technology/technology-companies/more-needs-to-be-done-by-smes-on-cyber-security--angus-taylor-20180809-h13qh3>
Vijayan, J 2018, DarkReading, ‘Data Breaches: Vulnerability Rising’, DarkReading.