We’re all aware how our lives have changed since the global pandemic. In a short few years remote work, online shopping, telehealth services and myriad other possibilities have become business as usual, instead of out of the ordinary.
With the growth of technology to support new ways of managing our personal and professional lives, comes ever more sophisticated ways for cyber criminals to target business, organisations, and consumers.
Instead of the lone hacker, working in isolation, cyber criminals are now sophisticated cross-border organisations using tools like AI, machine learning and automation to launch realistic and targeted attacks on the vulnerable and unwary.
Types of cyber attacks
- Malware – Software that performs a malicious task on a target device or network, e.g. corrupting data or taking over a system.
- Phishing or smishing – Tricking an email or SMS recipient into disclosing confidential information or downloading malware by clicking on a hyperlink in the message.
- Spear Phishing – A more sophisticated form of phishing where the attacker learns about the victim and impersonates someone they know and trust.
- Man in the middle attack – Where an attacker intercepts electronic messages, perhaps changing them in transit, while the sender and recipient believe they are communicating directly with one another.
- Trojan horses – A Trojan is a type of malware that enters a target system disguised as something legitimate, e.g. a standard piece of software, and then executes its malicious code once inside the host system.
- Ransomware – An attack that involves encrypting data on the target system and demanding a ransom in exchange for letting the user have access to the data again.
- Data breaches – A data breach is the theft of data by a malicious actor. Motives for data breaches include crime (e.g. identity theft), a desire to embarrass an institution and espionage.
Crime targeting smartphone users has increased considerably as we rely more on them for leisure and business activities, with smishing attacks more than doubling in the US in 2021. In the UK over 50% of SMS scams involved delivery notifications. Cyber criminals also initiated more than 100,000 telephone-oriented attacks a day.
In Australia, we’ve seen an increase of nearly 13 percent from 2020 to 2021. During that time the Australian Cyber Security Centre (ACSC) received over 67,500 cybercrime reports, or one report every eight minutes. In total, reported losses from cybercrime cost Australians more than A$33 billion last year and globally, the threat is predicted to cost US$10.5 trillion a year by 2025.
Fraud, online shopping scams and online banking scams were the most reported types of cybercrime. And it’s not surprising, considering the Australian Payments Network has reported that card payments increased by 8% to $865 billion in 2021. Online retail spending grew by an estimated 8.2% to $53 billion and card fraud increased by 5.7% to $495 million. “Card not present” fraud accounts for 91% of all card fraud and increased 7.6% to $452 million.
These numbers show how crucial it is for businesses to prioritise cybersecurity and safety measures. No matter the size and scale of a cyberattack, the effects can be potentially catastrophic for your business.
Despite a record year of breaches, a recent study found that only half of US businesses have a cybersecurity plan in place, and of those, 32% haven’t changed their cybersecurity plan since the pandemic. Only 43% of businesses said they felt prepared to face a cyber attack in 2022.
So, how can you prepare to resist a cyber attack?
Step 1 – Have a plan
Firstly, adopt security standards to protect your customers and your business. The Payment Card Industry Data Security Standard (PCI DSS) is the internationally recognised standard for protecting cardholder data, and it applies to every business that stores, processes or transmits card payment data.
The twelve core requirements to be PCI DSS compliant (as worded in PCI DSS v3.2.1; v4.0, released in 2022, reworded and restructured them but keeps the same twelve areas) are:
- Network security
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
- Cardholder data protection
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
- Vulnerability management
5. Use and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications
- Access control
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
- Monitoring and testing
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
- Information security
12. Maintain a policy that addresses information security for employees and contractors
Have an incident response plan in place before you need it, so that an attack (or a suspected attack) is handled by a rehearsed process rather than improvised on the day. PCI compliance and making the most of the advanced cyber security tools available to you can help mitigate the risks.
Step 2 – Get the facts
Forewarned is forearmed, so get familiar with how cyber attacks can occur to minimise online threats. Also educate employees about the risks of social engineering. Most infections start with a user clicking on something they shouldn’t, so some basic precautions go a long way:
- Training employees to recognise malware and phishing threats.
- Using secondary channels or two-factor authentication to verify requests for changes in account information.
- Checking email addresses and URLs relate to the person/business they claim to be from.
- Watching for hyperlinks that contain misspellings of the actual domain name.
- Enabling the settings in employees’ email clients and computers that show the full sender address and the full file extension of attachments (so that “invoice.pdf.exe” is not displayed as “invoice.pdf”).
- Monitoring your financial accounts for irregularities, such as missing deposits.
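Checking that an address or link really belongs to the business it claims to come from is something a mail filter can do before a person has to. The script below is an added example, not code from the original page or from Eway: it classifies the domain of a From: header or of a hyperlink target as trusted, look-alike or unknown, catching the three common tricks (character swaps such as “rn” for “m”, one- or two-letter typos, and a trusted name buried inside a different registered domain). The list of trusted domains and the sample inputs are constructed for the example, and the public-suffix logic is deliberately crude; a “lookalike” result is a signal for a human to check, not an automatic block.

```python
"""Flag sender domains and link targets that imitate domains you trust (added example)."""
import re
from urllib.parse import urlparse

# Domains this business legitimately deals with (constructed sample list, an assumption).
TRUSTED_DOMAINS = {"eway.com.au", "auspost.com.au", "mybank.com.au"}

# Substitutions attackers use because they look alike on screen.
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}

# Second-level labels that sit under a two-letter country code (com.au, co.uk, ...).
SECOND_LEVEL = {"com", "co", "net", "org", "gov", "edu"}


def normalise(label):
    """Lower-case a domain and undo the common look-alike character swaps."""
    label = label.lower()
    for fake, real in HOMOGLYPHS.items():
        label = label.replace(fake, real)
    return label


def levenshtein(a, b):
    """Edit distance between two strings; one or two edits from a trusted name is a typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host):
    """Return the part of the host that somebody had to register (crude public-suffix logic)."""
    parts = host.lower().rstrip(".").split(".")
    if len(parts) >= 3 and parts[-2] in SECOND_LEVEL and len(parts[-1]) == 2:
        return ".".join(parts[-3:])
    return ".".join(parts[-2:])


def classify_host(host):
    """Return 'trusted', 'lookalike' or 'unknown' for a hostname."""
    host = host.lower().rstrip(".")
    domain = registrable_domain(host)
    if domain in TRUSTED_DOMAINS:
        return "trusted"  # genuine subdomains such as www. land here too
    # Labels in front of the registered domain, and hyphenated tokens inside it.
    prefix_labels = host[: len(host) - len(domain)].rstrip(".").split(".")
    domain_tokens = domain.split(".")[0].split("-")
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if (normalise(domain) == normalise(trusted)   # rnybank.com.au
                or levenshtein(domain, trusted) <= 2  # mybank.co.au
                or brand in prefix_labels             # eway.com.au.secure-login.net
                or brand in domain_tokens):           # mybank-secure.com
            return "lookalike"
    return "unknown"


def check_sender(from_header):
    """Classify the domain of the address inside a From: header."""
    match = re.search(r"<([^>]+)>", from_header)
    address = match.group(1) if match else from_header.strip()
    return classify_host(address.rsplit("@", 1)[-1])


def check_link(url):
    """Classify the host a hyperlink really points to (not the text it displays)."""
    return classify_host(urlparse(url).hostname or "")


if __name__ == "__main__":
    # Constructed samples: one genuine link, three impersonation attempts, one stranger.
    for sample in ["https://www.eway.com.au/",
                   "https://eway.com.au.secure-login.net/pay",
                   "http://rnybank.com.au/login"]:
        print(check_link(sample), sample)
    for header in ["Accounts <billing@mybank-secure.com>", "Jo <jo@example.org>"]:
        print(check_sender(header), header)
```

The display text of a link is ignored on purpose: the check runs on the `href` target, which is where the deception lives. In a real deployment the trusted list would be fed from your supplier and bank records, and the crude suffix logic would be replaced by the Public Suffix List.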
The effects of these attacks can range from financial loss, like the theft of money and financial information, to business loss, like reputation damage and significant downtime while you recover.
Consider tabletop exercises. Preparing for ransomware with a tabletop exercise can identify potential gaps and ensure the right process is in place to mitigate and recover from a potential attack.
The ACSC website provides extensive advice, guidance and information on a range of cyber security matters. The website also provides additional assistance and referral pathways depending on the nature of the breach.
Step 3 – Implement safeguards
There are tools and processes that exist to safeguard your business from cyberthreats and it is your responsibility to implement them.
As good practice, you should:
- Use spam filters to reduce the amount of spam and phishing emails that your business receives.
- Set up firewall security to protect your internal networks from the threats coming from the Internet and WiFi.
- Encrypt your data when stored or sent online, so only approved users can access it.
- Use strong, unique passwords to protect access to your business devices and accounts (a password manager makes this practical), turn on multi-factor authentication wherever it is offered, and change a password as soon as you suspect it has been exposed.
- Consider cyber-insurance to protect your business against the costs and resultant downtime that may result from attacks.
Step 4 – Review and update systems regularly
It’s important to regularly update applications, including anti-virus software, plugins and operating systems to fix any potential vulnerabilities that new and sophisticated cyberattacks may exploit.
Patches, updates or vendor fixes for security weaknesses should be applied within 48 hours if a known exploit exists. Keeping software and firmware updated removes most of the risk from known vulnerabilities; with cyber criminals using automated tools to exploit them, monthly software updates may not be enough.
Ransomware targets data, and increasingly the backups of that data too. Frequently perform reliable backups to reduce the risk of losing data, and test restoring from them: a backup you have never restored is not one you can rely on. Keep backup data in a safe location (physically or in the cloud), offline or otherwise isolated from the device where the original data is stored, so that a compromised device cannot encrypt or delete the copy as well.
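The “reliable” in reliable backups means two things: the archive has not been altered since it was written, and it actually restores. The script below is an added example, not code from the original page or from Eway. It archives a directory, records the archive’s SHA-256 beside it, and verifies a backup by re-checking that hash and then doing a trial restore into a temporary directory and comparing every file’s contents with the source. The sample directory it builds is constructed for the demonstration; the sidecar-hash layout and the `demo_roundtrip` helper are the example’s own choices.

```python
"""Back up a directory, record its hash, and prove it restores (added example)."""
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path):
    """SHA-256 of a file, read in chunks so large archives do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def make_backup(src_dir, dest_dir, name="backup"):
    """Archive src_dir into dest_dir/<name>.tar.gz and write <name>.tar.gz.sha256 beside it."""
    src_dir, dest_dir = Path(src_dir), Path(dest_dir)
    dest_dir.mkdir(parents=True, exist_ok=True)
    archive = dest_dir / f"{name}.tar.gz"
    with tarfile.open(str(archive), "w:gz") as tar:
        tar.add(str(src_dir), arcname=src_dir.name)
    Path(str(archive) + ".sha256").write_text(sha256_file(archive))
    return archive


def _snapshot(root):
    """Map every path under root (relative) to its content hash, or None for directories."""
    root = Path(root)
    return {str(p.relative_to(root)): (sha256_file(p) if p.is_file() else None)
            for p in root.rglob("*")}


def verify_backup(archive, src_dir):
    """True only if the archive matches its recorded hash and a trial restore equals src_dir."""
    archive, src_dir = Path(archive), Path(src_dir)
    sidecar = Path(str(archive) + ".sha256")
    if not sidecar.exists() or sha256_file(archive) != sidecar.read_text().strip():
        return False  # archive tampered with, corrupted, or hash file missing
    with tempfile.TemporaryDirectory() as restore_root:
        with tarfile.open(str(archive), "r:gz") as tar:
            try:
                # The "data" filter refuses absolute paths and links escaping the target.
                tar.extractall(restore_root, filter="data")
            except TypeError:  # Python versions without the filter argument
                tar.extractall(restore_root)
        restored = Path(restore_root) / src_dir.name
        return _snapshot(src_dir) == _snapshot(restored)


def demo_roundtrip():
    """Build a constructed sample tree, back it up, verify, then tamper and verify again.

    Returns (verified_before_tampering, verified_after_tampering)."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "data"
        (src / "sub").mkdir(parents=True)
        (src / "invoices.csv").write_text("id,amount\n1,42.00\n")   # constructed sample data
        (src / "sub" / "keys.bin").write_bytes(bytes(range(32)))
        archive = make_backup(src, Path(tmp) / "backups")
        before = verify_backup(archive, src)
        with open(archive, "ab") as handle:  # simulate corruption or tampering
            handle.write(b"\x00")
        after = verify_backup(archive, src)
        return before, after


if __name__ == "__main__":
    print("verified before / after tampering:", demo_roundtrip())
```

Writing the hash to a separate file works only if that file (or a copy of it) lives somewhere the backup target cannot be rewritten from, for instance with the offline copy; otherwise an attacker who can alter the archive can recompute the sidecar too. The trial restore is the part most businesses skip, and it is the part that catches archives that were written but never readable.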
Step 5 – Partner with a cybersecurity expert
For industries and businesses that don’t have (or can’t afford) the internal expertise or capabilities to manage increasingly sophisticated breaches, partnering with a cybersecurity expert can make sense.
Eway has launched the Merchant Trust Initiative (MTI) to help our customers improve their cybersecurity and protect the card payment data they collect, transmit and store. The MTI gives you a range of enterprise-level online tools including anti-virus, remote access security, point-of-sale device monitoring, mobile security, and more to improve security within your business. It also enables you to become PCI compliant. And as we’ve just seen, the risk of non-compliance is too big to ignore.