During his presentation at The Tax Summit 2023 in Melbourne, cybersecurity expert Chris Watson, a partner within Grant Thornton’s consulting team, sounded the alarm on Australia's escalating cyber threats. In his session, "Hunted by hackers? Cyber risk and client/supplier created exposures", Watson elaborated on the imperative of proactive cybersecurity measures.
Drawing parallels between traditional crime and cybercrime, Watson states, “Before the internet, thieves would put a stocking over their heads, grab a shotgun and go to rob a bank. The problem with that was, not only was there a high chance of getting caught, but also of being shot.”
However, with the advent of the internet and the world's interconnectedness, cybercriminals have seized the opportunity to target individuals and organisations with alarming efficiency. Watson's message was unequivocal: “Cybercrimes are real, they are happening, and they will affect you at some point in your career, if they haven’t already.”
One of the central points of Watson's presentation was the fallacy of portraying most cyberattacks as "sophisticated". He challenged this narrative, emphasising that many attacks stem from individuals surrendering passwords or unknowingly downloading malicious software.
Watson explained that hackers go through a specific process to compromise a victim's systems, which can be broken down into three key areas. “Identifying who you are. Figuring out how to get a foothold in your network. And then deciding what they want to steal from you.”
He then shared an analogy, likening cyber hacking to breaking into a home. “I'll draw the classic analogy with the burglar walking down the street. I'm walking down, and I'm looking at houses. I’m checking the houses, [looking] for the ones that appear to be less secure and a bit more inviting than the ones that have padlocks and the CCTV,” he adds.
“OK, I've found a house that actually left the back door open. And I've stepped in and gained access to the network – that's the first part. The second part is, OK, I'm in there now. I want to see how far I can wander around your house and see if I can get to better parts of the house. I walk in and find an open door that has all the crown jewels. And the third part is, I have gone through the house, and I have found the places where I want to steal stuff from.”
Watson highlighted the increasing importance of data protection, asserting, “Data is the new gold rush. These criminals are coming after the data, and that's the danger to your organisation. We’ve found that once they have access to the data, one of two things often happens. One, they steal it or two, they encrypt it to prevent you from having access to it. When this happens, you have to pay the money in order to get access.”
In the modern world, AI is crucial in executing tasks that traditionally demand human intelligence and resources. The fundamental distinction between humans and machines, however, lies in the swiftness, precision and accuracy – ultimately, the enhanced efficiency – with which specific tasks are accomplished. Cybercriminals are using that efficiency to their advantage.
“AI is being used extensively to identify, sniff out and compromise systems. [Hackers] use a variety of tools and techniques to get that back door open. There’s social engineering where you go around and grab discrete pieces of information that, when put together, form a picture around what your security looks like, what your password is or how your systems are configured. And they’ll use that information against you,” Watson cautions.
During his session, Watson also delved into various tactics used by cybercriminals, including phishing, spearphishing and the vulnerabilities posed by third-party providers.
“Phishing and spearphishing are common techniques that criminals use to get into our systems that involve sending emails or calling people to get information. And it was exacerbated by COVID, with so many people working from home. This flexible working created a number of vulnerabilities in an organisation’s network that didn’t exist before,” he notes.
“Third-party risk is one of the biggest risks out there at the moment, happening to companies like Medibank, Optus and Latitude. Third-party providers were the weak links to those organisations. They had the backdoor open and allowed somebody to get in.”
Australia is the fifth most hacked country globally, with almost 2 million leaked accounts, or 15 leaked accounts per minute – 11 times more than the first quarter. "We're the most targeted country in the world," Watson pointed out.
Cyber incidents are estimated to cost as much as AU$29 billion globally. And over AU$3.1 billion was lost to scams in Australia in 2022, according to ACCC. “These are pretty frightening numbers in terms of what it costs Australia’s economy,” he says.
“Cybercrime is affecting businesses up and down the country. But not every organisation can survive the cost, the financial losses if they’ve had to pay a ransom and the cost of what’s being called cyber resilience, which is the time it takes to get back up. You have to pay lawyers and PR expenses, the cost to an organisation is significant,” he explained.
Watson also dispelled any romantic notions about hackers and implored organisations to adopt stringent cybersecurity measures. “We have a romantic notion around who hackers are,” Watson says. “Particularly, when we talk about ‘hacktivists’ who are hacking because they feel passionate about a particular issue in environmentalism or animal welfare, for example. This notion of there being honour amongst thieves is ridiculous, especially within the cybercriminal fraternity. There’s no such thing.”
“They have markets on the dark web where anyone can go and hire a hacker. You can say I want XYZ to be hacked. How much [can you do it for]? Basically, anyone can download a shrink-wrapped hacker package off the dark web for a certain amount, aim it at an organisation and not really understand the damage they’re about to cause,” Watson shares.
“If you are subject to any cyberattack, you must have a thorough and robust plan in place to cleanse the systems and get yourself back up effectively with a clean system. That can be in the form of backups or other sources.”
Today, passwords remain an issue. “The most common password is still ‘password,’” Watson confirms. “The second most popular password is ‘password1234’. We still haven’t gotten around to improving our password hygiene. I urge you to go out there and educate yourselves around passwords, whether you use password managers, passphrases, whatever. Just improve. Don’t use your favourite football team. Don’t use ‘password’. The basic exercise of improving passwords will go far in improving cybersecurity, both as individuals when we’re working from home or when we’re in the workplace.”
“The other thing I want to challenge is to get over the notion that you don’t have anything that someone would want to steal because you do. Every organisation in this world has what these criminals are after – data. That’s the names, addresses, telephone numbers, credit card numbers and bank details.”
“We’re talking hundreds of thousands, if not millions, of identities, profiles and credit cards are being compromised in a single attack. Cybercriminals are organised, and they’re hacking, ultimately, for money. The best way to get that money is to breach into the organisation and take the data out.”
“The rule of cyber is don’t trust, verify. You need to take the stance that you don’t trust anybody inside or outside of your network. There have to be constant gateways and checks, whether that’s through multifactor authentication or through multiple passwords for different parts of the business,” he says.
In conclusion, Watson listed five ways to protect against hacking. “Improve your password hygiene. Check out Essential Eight at cyber.gov.au. Enable multi-factor authentication (MFA) and back up your systems. Maintain a meaningful educational awareness program within your organisation. Ensure your disaster recovery and business continuity plans encompass and consider ransomware and business email compromise attacks within them, and test them.”