The dawning of the age of cyber insecurity
If you have an enviable amount of financial assets, then you are an attractive target for cyber criminals.
The security of personal information is suddenly front of mind for many investors. In the space of a few weeks we have had spectacular breaches at some of Australia’s best-known companies.
This week the issue went to a new level when Medibank Private refused to give in to a hacker ransom gang which demanded $16m from the listed health insurer.
The hackers warned if the money were not paid, personal data would be put on the internet.
Medibank chief executive David Koczkar refused to hand over any ransom for the information – including abortion procedure details – relating to hundreds of customers. The type of information that has been compromised is alarming and includes details such as name, date of birth, address, contact details, driver’s licence and passport information.
For every investor the message is clear: if you have an enviable amount of financial assets – from cash in the bank to sharemarket investments and superannuation – you are now firmly in the crosshairs of cyber criminals.
I was recently contacted by a client who had their identity stolen. A criminal suspected of stealing their mail had enough information to set up an ABN and lodge several business activity statements in their name, resulting in a large cash payment from the Australian Taxation Office.
The victims only became aware of the crime committed after they received an ominous letter from the ATO announcing a comprehensive tax audit triggered by the bogus GST claims.
With threats seemingly coming from all directions, how can investors protect their assets? Plerion, an Australian company which specialises in providing cloud security and data protection solutions, has experienced an influx of interest following the data breaches and has some insights into the area of online security.
Pierre Liddle, Plerion’s co-founder and head of privacy and security, says: “If you look at things from an attacker’s perspective, they see that more business is being done online and more digital infrastructure and data is available to be attacked.”
“The hackers search until they find a business that has a weak point in their digital infrastructure and pounce. The challenge for businesses is that there is a severe skills shortage in the cyber security sector and big business is finding it difficult to keep up with the human resources required to meet their cybersecurity commitments,” Liddle says.
It is estimated that globally 1.8 million cyber security jobs will go unfilled by the end of 2022. As an individual investor, knowing that many of the companies that hold your information may be susceptible to a cyber threat due to staff shortages, what do you do?
Liddle says: “For every third party that you interact with that asks for your personal information, you should take due care before providing it. Although filling out an account-opening form may seem like a harmless activity, you should protect your personal information as if it is the crown jewels.
“You should question why the company needs the information, how will they store it, how will they process it, who will have access to it in their business, who they will share your information with in their supply chain and what security measures are undertaken to protect you and your data. You have a right to ask and know the answers when it comes to data security.”
Glenn Makowski, managing director of CommuniCloud, a security consultancy company specialising in user education and security strategies, has the following tips for individual investors:
● Get a password manager application like LastPass or 1Password – there are free versions for consumers.
● DO NOT USE browsers to store your passwords. A browser has many functions and is not specifically designed to safeguard your passwords.
● Select at least 11 characters for your passwords including numbers, upper case and lower case letters and symbols. If you use a password manager this will help.
● Passwords with fewer than eight characters which contain numbers, upper and lower case letters and symbols can be hacked in hours.
● Do not mix your work passwords and private passwords.
● Only exchange passwords on sites which are secure. Look for the little padlock in the browser URL bar.
● Don’t pay invoices with different payment details compared to previous invoices unless you have spoken with the company issuing the invoice.
● Avoid the use of contact details on emails or websites that have been sent to you; search for the companies’ details and use those to contact them.
● Don’t exchange personal details on calls made to you. If the caller is legitimate, you should be able to call them on known contact details sourced independently by you.
● Make sure your devices are kept up to date. Most if not all updates contain fixes related to security, and criminals target devices that are not updated.
One of the first cybercrimes that I came across involved not a billion-dollar health insurer but a Melbourne cafe owner. He was defrauded of $40,000 shortly after a breach via a series of cash withdrawals made by someone purporting to be the cafe owner. There are risks at all levels of business and investment activity.
Cyber crime has taken over as the most profitable criminal activity, with an annual cost of $US6.5bn ($9.8bn) globally in 2021.
If cyber crime were an economy, it would be one of the largest in the world.
Companies are vulnerable here.
The ASX is only down by 1.4 per cent over the last six months; Medibank Private is down by 12 per cent. Cybercrime is real and it can cost you – make sure to take every precaution possible.
James Gerrard is a Sydney-based financial planner