A STEAK SANDWICH WORTH 100K

Recently, while sharing a beer at a networking event, I got talking to a guy who runs a small construction company. When I mentioned my role as a Virtual CTO, he dived into this gripping story about almost transferring $100,000 to a fraudster for a labour hire invoice. He'd received an email about a change in bank details, supposedly from his account manager. The twist? He was enjoying a steak sandwich with that very account manager when the email popped up, a lucky break that saved him from falling for a scam that would have, by his own admission, crippled his business.

This happened to a reasonably tech-savvy chap, so what are the chances it's going to happen to you? You might think this is an isolated incident, a stroke of bad luck. I’d wager it’s not a matter of 'if' but 'when'. This is a stark reality for every business owner, regardless of industry size. Cyber threats don't discriminate – they are universal, and we're all potential targets.

The cold, hard facts paint a worrying picture. Cybersecurity capabilities are constantly evolving, but so too are the methods of cybercriminals. With cybercrime costs estimated to be a staggering USD$8 trillion by the end of this year and $10.5 trillion by 2025, the urgency is clear. And it's not just about the money; it’s about protecting our operations, reputation, and the trust we’ve built.

Consider phishing, the hackers’ weapon of choice. It’s the most common method, with half of the mobile phone owners worldwide exposed to a phishing attack every quarter in 2022. And let’s not overlook the menace of ransomware, hitting 76% of organizations in 2022 alone. Even the seemingly benign business email compromise (BEC) is on the rise, with a 64% increase in fake CEO emails.

Let's delve into the various guises these cyber threats can take:

  • Phishing: Disguised as legitimate emails, phishing aims to steal sensitive data. Kaspersky's anti-phishing system detected more than 500 million attempts to access fraudulent websites in 2022, which is double the figure from 2021.

  • Business Email Compromise (BEC): By impersonating corporate email accounts, attackers deceive companies into fraudulent transactions. A Lithuanian man infamously swindled over $100 million from two major U.S. companies in 2019.

  • Social Engineering: This involves manipulating individuals to bypass security protocols, often accompanying phishing and BEC attacks. A well-known case involved attackers calling a company's employees, posing as IT staff, and gaining sensitive information, which led to a data breach.

  • Invoice Fraud: Companies are misled into paying for non-existent goods or services. A European cinema chain lost a staggering €19.5 million to this scam in 2018.

  • Ransomware: This type of malicious software encrypts data and demands a ransom for its release. A notable instance was the 2017 WannaCry attack, which impacted hundreds of thousands of computers worldwide and caused damages running into billions. More recently, in 2022 and 2023, major companies like Optus, Medibank, and DP World have also fallen prey to ransomware attacks. According to Malwarebytes, the landscape is increasingly complex with as many as 48 distinct ransomware groups identified. Alarmingly, there has been a 75% increase in the average number of monthly attacks in the latter half of the past year, indicating a significant surge in ransomware activity.

You might be thinking, 'We've got the software to shield us, right?' Well done on that front – a robust cyber strategy certainly encompasses a range of tech solutions, from antivirus and anti-malware tools to sophisticated email scanning and invoice verification systems. But here's the catch: the most significant vulnerability often lies not in our systems, but in our people. The human element is frequently the weakest link in our cyber defences. That's why knowledgeable employees and vigilant individuals are absolutely crucial – they stand as the frontline against these relentless digital threats. Hence, I firmly believe that awareness and training are among the most powerful weapons in our cybersecurity arsenal.

Cybersecurity is more than just a technological safeguard; it's an integral part of protecting our business operations. While I typically refrain from promoting specific products, I believe in sharing exceptionally useful resources, particularly those that are accessible and engaging.

Please don’t rely on steak lunches and pure luck to protect your business. Here are some practical steps you can take to bolster your business's cybersecurity:

  1. Allocate Time for Cybersecurity Training: Set aside dedicated time for your team to engage in cybersecurity training. This could be an organized course or workshop for everyone.

  2. Engage Your Team: As a fun and informative pre-holiday activity, encourage your team to explore the 12 Days of Phishmas from Phriendly Phishing. This digital advent calendar offers a daily dose of crucial cyber safety tips.

  3. Explore Online Learning Modules: Direct your employees to cyber.gov.au/learn to work through educational modules and quizzes, enhancing their understanding of cybersecurity.

  4. Incorporate Training into Onboarding: Include cybersecurity training in the induction process for new hires, ensuring they begin with a strong awareness of security practices.

  5. Promote a Positive Security Culture: Foster positive security habits within your team. This could involve rewarding staff for identifying phishing emails or implementing tools like password managers to simplify security processes.

And now, over to you. Have you had a brush with cyber threats? What steps are you taking to safeguard your digital space? Let's open up the discussion and share insights. Cybersecurity is a collective effort, and together, we're stronger.
