A Google search of coronavirus returned about 2.8 billion results, while cyber security yielded a paltry 600 million or so. Yet with so many people working remotely, we greatly increase the points of entry and risks of security breaches. 

The other virus

In 1983, a professor at the University of Southern California, Len Adleman, is credited with coining the term “computer virus”1 to describe self-replicating software that spreads by attaching itself to existing programs. Six years later, “cyber security” entered the English lexicon. Today, the Australian Government Information Security Manual defines it as “Measures used to protect the confidentiality, integrity and availability of systems and information.” 2  

While many cyber security resources recommend that updating and patching the vast array of hardware and software combinations businesses use is the minimum first line of defence, significant technology risks remain. This paper looks at one of the most recognised weak links in cyber defences – people. The term “people” goes beyond employees and IT teams. It includes business owners, boards and management who are prioritising the protection of data and digital assets, just as they protect physical assets.

As Chairman of Telstra and logistics giant Toll Group, John Mullen has learned some hard lessons. On 10 March he said, "It is an element of human behaviour that creates these entry points or the chink in the armour. It is rarely the actual firewall that didn't work."3

Why it matters – the cost of cyber crime

The Australian Criminal Intelligence Commission reports that the Cyber Security Review, led by the Department of the Prime Minister and Cabinet, found that cyber crime is costing the Australian economy up to $1 billion in direct costs alone.4 This number will likely have to be revised up in light of the sustained cyber-attacks on business, infrastructure and government services this year.

Over the last few years, penalties associated with privacy violations have been increasing across the globe. In Australia, at the moment, penalties for non-compliance with the Privacy Act can reach between $2 million and $10 million for businesses and up to $500,000 for individuals.5

Emails a major source of fraud

The CEO of Telstra Andy Penn said in a 6 May AFR article that Telstra blocks 23 million malicious email messages every day. Mr Penn went on to say that "COVID-19 has amplified that risk because so many of us are now working and studying from home. This means activities we used to undertake within the traditional firewalls of enterprises, governments and education institutions are now being completed from home over VPNs".6

The CBA Cyber Outreach and Research team published a Special Edition of its quarterly newsletter detailing email payment fraud7, with the team highlighting that in the majority of cases, the perpetrator imitates one of two parties:

  • A supplier or business partner – posing as genuine suppliers, fraudsters submit instructions to alter the supplier’s bank account to one they have access to;
  • The CEO, director or another senior executive of the organisation – the fraudsters request account staff to urgently pay a supplier or business partner via a nominated bank account accessible to them.

As payments move toward real-time settlement, the window for the freezing and recovery of payments misdirected due to deception is diminishing.

In the same Signals Special Edition7, our Cyber Outreach Team provide a checklist of four basic countermeasures to prevent business email compromise:

  • Multi-factor authentication.
  • Conditional access rules for cloud-based email.
  • Enforce password policies.
  • Educate staff to identify phishing campaigns.

Passwords – easy entry points

Over 8 billion accounts and half a billion passwords have been exposed in data breaches8, making it evident that many don’t get the basics right. You can check if your credentials, such as email addresses and passwords, have been exposed at haveibeenpwned.com (a free online resource created by Troy Hunt, a Microsoft Regional Director and MVP awardee for Developer Security).

The CommBank Signals publication9 noted recent analysis from NordPass (a password manager app) “which looked at 500 million passwords leaked in various data breaches in 2019, found that ‘12345’ and ‘123456’ were still the most popular passwords being used to ’secure’ millions of accounts”. Its findings are supported by a 2019 study for the UK’s National Cyber Security Centre and Department for Digital, Culture, Media and Sport that found 23.2 million hacked accounts had used the password ‘123456’. Other high-risk, common passwords were ‘test1’ and ‘password’10.

Furthermore, LastPass’ 2019 ‘State of the Password’ report, found that employees reuse their passwords 13 times on average. Yet once breached, a password used for private or personal purposes, can open the door to business systems and data.

In a February 2020 presentation11 to the RSA conference of cyber security professionals, Microsoft’s Director of Identity Security said that every month 1.2 million accounts are breached. That’s the equivalent of 0.5% of all accounts.

Microsoft says updating legacy email protocols and enabling two-factor authentication (2FA – for example, entering a code sent to your mobile phone is required in addition to your password) can greatly reduce the risk of compromise, in conjunction with the use of strong unique passwords.

How to strengthen passwords

Unfortunately, most of us simply can’t memorise a unique complex password for our growing number of online accounts. Apple has recognised the challenge and provides a built-in password manager: iCloud Keychain, which joins a number of password manager apps for both smart phones and desktops, which have developed solutions to generate, securely store and even enter strong passwords for us, but relatively few people use them.

The Australian Cyber Security Centre advises for passwords that “the longer it is, the stronger it is!”12 It recommends passphrases made up of at least four words and at least 13 characters in length, ideally something meaningful to you so it’s easy to remember.

But avoid common quotes and including names, dates of birth and other information that may be publicly known or accessible because cyber-attackers are increasingly sophisticated and well organised. They conduct detailed surveillance of people and businesses, harvesting information from a wide variety of sources, then patiently wait for maximum benefit before striking.

Biometric alternatives – safer but still fallible

Only seven years ago we began unlocking iPhones with a fingerprint. By November 2019 hackers demonstrated that any smartphone fingerprint lock can be broken in 20 minutes13, using less than $200 of hardware. Apple dropped the use of fingerprints in its iPhone 11, in favour of facial recognition.

Even confirming the authenticity of financial instructions, amendments and approval of payments through voice or video calling isn’t risk-free these days. Deep Fake technology, which manipulates video and audio using artificial intelligence (AI), “can be used to make people believe something is real when it is not,” according to an October 2019 CNBC report14.

As reported by the Wall Street Journal15, it’s a lesson the CEO of a U.K.-based energy firm learnt first-hand. In March 2019, criminals used AI to impersonate the voice of the CEO of the firm’s German parent company. Thinking he was acting on his boss’ instruction, the CEO transferred €220,000 (AUD$370,000).

And, of course, while passwords or PINs can be changed, the same cannot be said for your fingerprints, face or voice.

Despite these demonstrated weaknesses, biometrics offer greater security and convenience than passwords. Importantly, they can also break down barriers for the ‘unbanked’ – including those who can’t read or write, have limited financial literacy or have disabilities.

Education brings greater protection

As the pandemic causes many businesses to struggle for cash flow and to form new business relationships, take extra care authenticating information provided. The simplest thing any business can do is to make sure you and your people know how to protect your data assets.

How we can help - educational resources for you

As businesses move workforces to working from home, many employees may not have had adequate, updated and regularly reinforced training. If that’s the case, it’s easier to fall victim to increasingly sophisticated attacks.

To stay up to date on the latest cyber security trends, subscribe to Signals https://www.commbank.com.au/business/support/security/signals.html

To learn more from leading experts about what’s important to business and the economy visit CommBank Foresight™ – insights for future-facing businesses.

Things you should know

This article is intended to provide general information of an educational nature only. It does not have regard to the financial situation or needs of any reader and must not be relied upon as financial product advice. You should consider seeking independent financial advice before making any decision based on this information. The information in this article and any opinions, conclusions or recommendations are reasonably held or made, based on the information available at the time of its publication but no representation or warranty, either expressed or implied, is made or provided as to the accuracy, reliability or completeness of any statement made in this article. Commonwealth Bank of Australia ABN 48 123 123 124. AFSL and Australian Credit Licence 234945.

The links within this article will bring you to a third party website, owned and operated by an independent party over which CBA has no control ("3rd Party Website"). Any link you make to or from the 3rd Party Website will be at your own risk. Any use of the 3rd Party Website will be subject to and any information you provide will be governed by the terms of the 3rd Party Website, including those relating to confidentiality, data privacy and security.

Unless otherwise expressly agreed in writing, CBA and its affiliates (collectively "CBA") are not in any way associated with the owner or operator of the 3rd Party Website or responsible or liable for the goods and services offered by them or for anything in connection with such 3rd Party Website. CBA does not endorse or approve and makes no warranties, representations or undertakings relating to the content of the 3rd Party Website.

CBA disclaims liability for any loss, damage and any other consequence resulting directly or indirectly from or relating to your access to the 3rd Party Website or any information that you may provide or any transaction conducted on or via the 3rd Party Website or the failure of any information, goods or services posted or offered at the 3rd Party Website or any error, omission or misrepresentation on the 3rd Party Website or any computer virus arising from or system failure associated with the 3rd Party Website.

1. Sabrina Pagnotta (2017). Professor Len Adleman explains how he coined the term “computer virus”. WeLiveSecurity by ESET. Retrieved June 2020 from https://www.welivesecurity.com/2017/11/01/professor-len-adleman-explains-computer-virus-term/.

2. Anonymous. Cyber security. Glossary Cyber Security Terms. Retrieved July 2020 from https://www.cyber.gov.au/acsc/view-all-content/guidance/glossary-cyber-security-terms

3. Paul Smith (2020). Russian hackers behind 'terrible' Toll cyber attack. The Australian Financial Review. Retrieved June 2020 from https://www.afr.com/business-summit/russian-hackers-behind-terrible-toll-cyber-attack-20200310-p548no

4. Anonymous (2019). Cybercrime. Australian Criminal Intelligence Commission. Retrieved June 2020 from https://www.acic.gov.au/about-crime/crime-types/cybercrime

5. Civil penalties — serious or repeated interference with privacy and other penalty provisions https://www.oaic.gov.au/about-us/our-regulatory-approach/guide-to-privacy-regulatory-action/chapter-6-civil-penalties/

6. James Fernyhough (2020). Telstra pours millions into cyber arms race. The Australian Financial Review. Retrieved June 2020 from https://www.afr.com/companies/telecommunications/telstra-pours-millions-into-cyber-arms-race-20200505-p54q0u

7. CommBank Cyber Outreach Team (2018). Email Payments Fraud: A Signals Special Edition. Commonwealth Bank. Retrieved June 2020 from https://www.commbank.com.au/content/dam/commbank/assets/business/can/business-insights/signals/signals-email-payment-fraud-march-2018.pdf

8. Anonymous (2020). Create Better Passwords. Stay Smart Online delivered by the Australian Cyber Security Centre. Retrieved June 2020 from https://www.staysmartonline.gov.au/reversethethreat/passwords

9. CommBank Cyber Outreach Team (2020). Signals Security Report January 2020. Retrieved June 2020 from https://www.commbank.com.au/content/dam/commbank-assets/business/latest/2020-01/signals-issue-17.pdf

10. Ipsos MORI (2019). UK Cyber Survey, Key findings – General public. Ipsos MORI. Retrieved June 2020 from https://www.ipsos.com/sites/default/files/ct/news/documents/2019-04/uk-cyber-security-survey-2019-_slides.pdf

11. Alex Weinert and Lee Walker (2020). Breaking Password Dependencies: Challenges in the Final Mile at Microsoft. RSA Conference 2020. Retrieved June 2020 from https://published-prd.lanyonevents.com/published/rsaus20/sessionsFiles/18466/2020_USA20_IDY2-F03_01_Breaking-Password-Dependencies-Challenges-in-the-Final-Mile-at-Microsoft.pdf

12. Anonymous (2020) Australian Cyber Security Centre guidance. Create Strong Passwords - How to  https://www.cyber.gov.au/acsc/view-all-content/guidance/create-strong-passwords

13. Davey Winder (2019). Hackers Claim ‘Any’ Smartphone Fingerprint Lock Can Be Broken In 20 Minutes. Forbes. Retrieved June 2020 from https://www.forbes.com/sites/daveywinder/2019/11/02/smartphone-security-alert-as-hackers-claim-any-fingerprint-lock-broken-in-20-minutes/#6c89b7c26853

14. Grace Shao (2019). What ‘deepfakes’ are and how they may be dangerous. CNBC. Retrieved June 2020 from https://www.cnbc.com/2019/10/14/what-is-deepfake-and-how-it-might-be-dangerous.html

15. Catherine Stupp (2019). Fraudsters Used AI to Mimic CEO’s Voice in Unusual Cybercrime Case. The Wall Street Journal. Retrieved June 2020 from https://www.wsj.com/articles/fraudsters-use-ai-to-mimic-ceos-voice-in-unusual-cybercrime-case-11567157402