Martin Littlewood, head of cyber security at SecurePay, gives us the lowdown on his talk for Seamless eCommerce expo and reveals the current trends in Internet crime and cyber security risk.
You might not walk down a dark alley at 2am but, according to Martin Littlewood, head of cyber security at SecurePay, browsing the Internet can take you unknowingly down myriad virtual dark alleys – putting your personal and business data at risk. Even seemingly innocent emails from what appear to be trusted brand names can link you to a malicious website resulting in a malware infection or tricking you into giving away usernames and passwords.
Martin will be giving a talk on cyber security and current cyber risk trends at Seamless Expo in Melbourne next week. Here he gives us a pre-event glimpse into the current cybercrime landscape and what you can do to protect yourself and your business.
What will your talk focus on?
My talk at Seamless will look at cyber security and payment fraud trends. There’s a large number of organisations around the world who have dedicated teams producing reports on all of the evidence around data breaches or other security incidents that occur each year. What I want to do is provide some of that information because a core part of managing risk is understanding how the risk landscape is changing and what the trends are. I want to overlay that with my lived experience in this role.
So can you give us a heads up on the current cyber risk trends you’ll be talking about?
One of the main risks at the moment is distributed denial of service (DDoS) attacks, which are on the rise. This means cyber criminals use IT infrastructure to send so much traffic to a web service that it overwhelms it. They do this so that they can send an extortion threat to a company that relies on Internet access to make its living, so any downtime associated with an attack means revenue loss. The criminals will either carry out this attack and then ask for money to free up the service again, or even just threaten to carry out the attack.
These attacks are increasing because there are more and more companies relying on the Internet for their business. In the eCommerce world having someone block your website quickly becomes a massive revenue issue so it’s a very effective threat. Also technology is changing very quickly and it’s actually allowing these attacks to be facilitated more easily.
When cyber attacks happen are businesses going to the police or are they paying up?
All the evidence suggests that some companies do pay up. With these kinds of attacks police agencies always recommend that you don’t pay but there’s evidence that even police departments in the UK and the US have in fact paid. So really the best thing you can do, and what my talk will explore, is to protect against risk as much as is possible, such as having data backups and keeping abreast of the scams.
In terms of distributed denial of service attacks, this year we’re seeing smaller and shorter attacks trending rather than longer attacks, so victims of these attacks would need to decide what the impact would be to their business and if they could put up with such disruption for a short amount of time rather than paying up.
Is the risk of cyber attack a serious reality for businesses?
It absolutely is a real risk. The most recent Telstra-sponsored Cyber Security Report states that 59 per cent of respondents from both Australia and Asia indicate that their business is impacted by at least one security incident on at least a monthly basis.
According to CERT (Computer Emergency Response Team) Australia, the energy and communications sectors had the highest number of reported compromised systems. The banking and financial services and communications sectors had the highest incidence of DDoS activity and the energy and mining/resources sectors had the highest number of malicious emails being received.
What’s driving cyber attacks?
At the end of the day, the criminal organisations are almost always in it for money and are only doing things that effectively force people to pay up. Trends show that they very clearly change their tactics when something doesn’t work or when law enforcement agencies or governments are able to prevent a certain tactic.
The nature of the Internet means that people can carry out these attacks from countries on the other side of the world with pretty much identity immunity. It’s very difficult to identify who is behind an attack and now with the advent of cryptocurrencies like Bitcoin it’s easy for them to receive payment which also can’t be tracked.
If a company is cyber security savvy enough can they completely protect against risk?
I’d suggest that if a very well skilled and motivated attacker wanted to attack a company it would be very difficult to say that a business could categorically prevent it. What I can say, though, is that 99 per cent of the actual ways companies are compromised is because of poor security hygiene – not getting the basics right. If you can get the basics right – and that doesn’t have to mean expensive or complex processes – you’d be able to prevent 99 per cent of the security attacks out there. At SecurePay, we have those controls in place in line with regulatory requirements.
What would be your recommendations to our small business clients?
Well they’ve taken the first step by being SecurePay customers and therefore protecting their payment processing. I would suggest that small business owners need to dedicate some time to understanding what the risks are that they face and what they can do about them, which really starts with some of the government websites that explain in quite simple terms what people can do and what to keep an eye out for (see below for links).
Any other trends we should be aware of?
Another current trend is phishing attacks. These are malicious emails that are sent to people which contain malware, viruses or ransomware that encrypts your data, or a link within the email that takes you to the website which then hosts the malware. Sometimes they’ll even ask you to put in your username and password [for the company they’re pretending to be]. These emails are reaching inboxes and are coming through looking like legitimate emails from familiar companies.
How can we prevent and protect against these attacks?
It’s a fast moving threat landscape and it’s very difficult to prevent attacks from happening. There are, however, simple tactics that people can do to help protect themselves from attacks.
- Patching your computer systems. That means upgrading systems as soon as updates are released.
- Having antivirus products on your computer.
- Looking at the government websites [below] which offer useful actions and updates on the latest scams.
- Being cautious about clicking on links sent in emails.
- Backing up your data.
For your average small business person hearing about the big stories, where companies like Facebook and Google are suffering from security breaches and incidents themselves, it’s easy to think ‘there’s nothing I can do about it if even those companies can’t protect themselves’.
However, there are things you can do and in my presentation it won’t just be a bad news story but rather a positive look at how you can take steps to protect yourself. I’ll also look at some of the good news on the landscape such as the fact that Australia now has a national cyber security strategy in place.
Cyber security and online safety resources for individuals:
Cyber security and fraud protection resources for small businesses:
If you are the victim of a cyber security incident, please report it to: