Five ways to protect your business from cyber scams in 2023
Cyber scams continue to be on the rise, with the Australian Cyber Security Centre finding that one cybercrime is reported every seven minutes in Australia. These scams can trigger legal obligations, including assessment and notification obligations under the Privacy Act and can result in a significant financial and reputational loss for the organisations and individuals involved.
Privacy experts Sonia Sharma (Partner) and lawyers Radhika Bhatia and Colin Yuan provide some quick practical tips informed by their day-to-day work advising clients on data breach preparation and response, and working closely with some of Australia’s leading cybersecurity experts.
1. Conduct regular staff training to identify an impersonation attack
Scam messages are increasingly sophisticated and authentic-looking. For example, scam messages often impersonate trusted individuals such as c-suite executives or other key stakeholders a staff member deals with in their day-to-day operations. Cybercriminals will play the long game to understand how organisations and personalities work and communicate before executing a scam to obtain credentials or commit another scam, such as invoicing fraud.
Staff need to be trained regularly to recognise these evolving scam messages and to understand what to do when they receive a suspected scam message. Training should be fit for purpose. Staff who work in finance or HR should be educated in the specific types of scams and impersonation attacks which are common to these business functions.
2. Implement and test your Data Breach Response Plan
Despite the mandatory data breach regime being several years old, and despite the recent and significant increase in penalties for certain breaches of the Privacy Act, many organisations still do not have a Data Breach Response Plan, have a poorly drafted Plan that does not set out processes, procedures or clear escalation points for responding to a data breach, or have a Plan that has never been properly reviewed or tested.
The Office of the Australian Information Commissioner (OAIC) has published extensive guidance on what a Data Breach Response Plan should include, covering what a data breach is and how an entity will carry out the four key steps – Contain, Assess, Notify and Review. A well-drafted Plan sets out the processes, procedures and clear escalation points for responding to a data breach.
Once drafted, the Data Breach Response Plan needs to be tested and rehearsed with the organisation’s data breach response team and key internal stakeholders (including legal, IT and communications) to ensure it is understood by frontline staff and ‘fit for purpose’ for the organisation.
3. Review and consider the ‘Essential Eight’ risk maturity framework
The Essential Eight are a series of mitigations the Australian Cyber Security Centre recommends as one of the most effective approaches to protect against cyber threats. Once implemented, the Essential Eight mitigations make it harder for malicious parties to compromise systems. In order to mitigate the risks of scams and cyber threats, organisations need to consider the Essential Eight maturity model and implement the mitigation measures appropriate to the type and size of the organisation.
4. Develop and implement policies and procedures around employee passwords and monitor them to ensure they are operationalised
In our work, we have noticed a dramatic increase in ‘Credential stuffing’. This is where a cyber attacker tries to use usernames and passwords obtained from other data breaches to gain access to individuals’ online user accounts.
Organisations should develop policies and procedures that require staff to update their user account passwords every few months and that prohibit staff from reusing passwords across multiple online accounts, to minimise the likelihood of attackers gaining access to those accounts. These policies and procedures need to be implemented by educating staff and then monitored to ensure that the “human” controls are actually being followed. There is no point in having a Policy which states that staff should not use the same password for work as for their personal email accounts if the policy is not being followed.
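Policies only help if the organisation can also see credential stuffing when it happens. The following is an added illustration, not code from the article or its authors, of the detection logic a security team would run over authentication logs: a single source address that fails logins against many different usernames in a short window is trying leaked username/password pairs, whereas one user failing repeatedly is more likely a forgotten password. The log format, host addresses and usernames are all constructed for the example.

```python
"""Flag credential-stuffing patterns in authentication logs (added example).

Heuristic: a source address that attempts logins against many *distinct*
usernames inside a short window is replaying leaked credential pairs.
Any success from such a source is a likely compromised account that
should be reset.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical log format assumed for this example: one event per line.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>login_ok|login_failed) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample log (addresses from documentation ranges, made-up users).
SAMPLE_LOG = """\
2023-03-01T09:00:01Z login_failed user=alice src=203.0.113.7
2023-03-01T09:00:02Z login_failed user=bob src=203.0.113.7
2023-03-01T09:00:03Z login_failed user=carol src=203.0.113.7
2023-03-01T09:00:04Z login_ok user=dave src=203.0.113.7
2023-03-01T09:00:05Z login_failed user=erin src=203.0.113.7
2023-03-01T09:00:06Z login_failed user=frank src=203.0.113.7
2023-03-01T09:00:07Z login_failed user=grace src=203.0.113.7
2023-03-01T09:01:00Z login_failed user=heidi src=198.51.100.2
2023-03-01T09:01:05Z login_failed user=heidi src=198.51.100.2
2023-03-01T09:01:10Z login_failed user=heidi src=198.51.100.2
2023-03-01T09:01:15Z login_ok user=heidi src=198.51.100.2
2023-03-01T11:30:00Z login_failed user=ivan src=192.0.2.9
2023-03-01T11:30:01Z login_ok user=ivan src=192.0.2.9
"""


def parse(lines):
    """Yield (timestamp, event, user, src) for each well-formed log line."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore malformed lines or unrelated events
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m["event"], m["user"], m["src"]


def detect_credential_stuffing(log_text, window=timedelta(minutes=10), min_users=5):
    """Return {src: {"distinct_users": n, "succeeded": [users]}} for every
    source that touched at least `min_users` distinct usernames within any
    `window`-long span. `succeeded` lists accounts that should be reset."""
    attempts = defaultdict(list)  # src -> [(ts, user, event), ...]
    for ts, event, user, src in parse(log_text.splitlines()):
        attempts[src].append((ts, user, event))

    flagged = {}
    for src, events in attempts.items():
        events.sort()  # chronological order for the sliding window
        for i, (start_ts, _, _) in enumerate(events):
            in_window = [e for e in events[i:] if e[0] - start_ts <= window]
            users = {u for _, u, _ in in_window}
            if len(users) >= min_users:
                succeeded = sorted({u for _, u, ev in in_window if ev == "login_ok"})
                flagged[src] = {"distinct_users": len(users), "succeeded": succeeded}
                break  # one hit per source is enough to raise the alert
    return flagged


if __name__ == "__main__":
    for src, info in detect_credential_stuffing(SAMPLE_LOG).items():
        print(f"{src}: {info['distinct_users']} distinct users, "
              f"successful logins for {info['succeeded'] or 'none'}")
```

On the sample, only 203.0.113.7 is flagged (seven usernames in seven seconds, with a successful login as `dave`, who should have their password reset), while heidi’s three failures from one address and ivan’s single typo are left alone. In practice a shared corporate egress address or proxy will legitimately show many users, so keep an allowlist of known shared addresses and tune `min_users` and `window` to the organisation’s normal traffic before acting on the alert automatically.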
5. Create a ‘speak-up’ culture within your organisation so that staff are not afraid to report a scam to the correct escalation point
Time and time again, we have seen that the prompt detection of scams and other cyber incidents can assist in mitigating the likelihood of serious harm occurring from those scams. It is important that staff are encouraged to ‘speak up’ as soon as possible when they think that they might have received or fallen for a scam message so that organisations can respond and take action to mitigate any potential harm as soon as possible.
Organisations should seek to foster a culture where staff feel comfortable reporting a scam that they have encountered to the correct escalation point. The OAIC makes clear that good privacy management stems from good privacy governance. Ensure your leadership and governance arrangements create a culture of privacy that values personal information, so staff feel empowered to speak up.
For further information on these tips and other guidance about how organisations can identify any risks or gaps in their approach to privacy and data security, please refer to our article Privacy Health Check: the questions to ask to avoid data breaches amid tougher penalties.
By Sonia Sharma, Radhika Bhatia & Colin Yuan.