Five ways to protect your business from cyber scams in 2023

By Sonia Sharma, Radhika Bhatia & Colin Yuan.

22 February 2023 • 5 min read

Cyber scams continue to be on the rise, with the Australian Cyber Security Centre finding that one cybercrime is reported every seven minutes in Australia. These scams can trigger legal obligations, including assessment and notification obligations under the Privacy Act and can result in a significant financial and reputational loss for the organisations and individuals involved.

Privacy experts Sonia Sharma (Partner) and Radhika Bhatia and Colin Yuan (Lawyers) provide some quick practical tips informed by their day-to-day work advising clients on data breach preparation and response, and working closely with some of Australia’s leading cybersecurity experts.

1. Conduct regular staff training to identify an impersonation attack

Scam messages are increasingly sophisticated and authentic-looking. For example, scam messages often impersonate trusted individuals such as C-suite executives or other key stakeholders a staff member deals with in their day-to-day operations. Cybercriminals will play the long game, studying how organisations and the personalities within them work and communicate, before executing a scam to obtain credentials or to commit another scam, such as invoicing fraud.

Staff need to be trained regularly to recognise these evolving scam messages and to understand what to do when they receive a suspected scam message. Training should be fit for purpose. Staff who work in finance or HR should be educated in the specific types of scams and impersonation attacks which are common to these business functions.

2. Implement and test your Data Breach Response Plan

Despite the mandatory data breach regime being several years old, and the recent and significant increase in penalties for certain breaches of the Privacy Act, many organisations still do not have a Data Breach Response Plan at all, have a poorly drafted Plan that does not set out processes, procedures or clear escalation points for responding to a data breach, or have a Plan which has never been properly reviewed or tested.

The Office of the Australian Information Commissioner (OAIC) has published extensive guidance on what a Data Breach Response Plan should include, including what a data breach is and how an entity will respond through the four key steps – Contain, Assess, Notify and Review. A well-drafted Plan sets out processes, procedures and clear escalation points for responding to a data breach.

Once drafted, the Data Breach Response Plan needs to be tested and rehearsed with the organisation’s data breach response team and key internal stakeholders (including legal, IT and communications) to ensure it is understood by frontline staff and ‘fit for purpose’ for the organisation.

3. Review and consider the ‘Essential Eight’ risk maturity framework

The Essential Eight are a series of mitigations the Australian Cyber Security Centre recommends as one of the most effective approaches to protect against cyber threats. Once implemented, the Essential Eight mitigations make it harder for malicious parties to compromise systems. In order to mitigate the risks of scams and cyber threats, organisations need to consider the Essential Eight maturity model and implement the mitigation measures appropriate to the type and size of the organisation.

4. Develop and implement policies and procedures around employee passwords and monitor them to ensure they are operationalised

In our work, we have noticed a dramatic increase in ‘Credential stuffing’. This is where a cyber attacker tries to use usernames and passwords obtained from other data breaches to gain access to individuals’ online user accounts.

Organisations should ensure that they develop policies and procedures that require staff to update their user account passwords every few months and that staff do not reuse passwords across multiple online accounts, to minimise the likelihood of attackers gaining access to their accounts. These policies and procedures need to be implemented through staff education and then monitored, to ensure that any “human” controls are actually being followed. There is no point in having a Policy which states staff should not use the same password for work as for their personal email accounts if this policy is not being followed.
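The article describes credential stuffing as an attacker replaying usernames and passwords from other breaches, and asks organisations to monitor rather than merely publish their password controls. The following is an added example, not code from the article or its authors, of how that monitoring can be done on the technical side: it parses authentication log lines and flags a source IP that fails logins against many distinct usernames in a short window, which is the signature of a replayed credential list rather than a single user mistyping their own password. The log format, the threshold and window values, and the sample lines (which use documentation IP ranges) are all constructed assumptions for this example.

```python
"""Credential-stuffing detection over authentication log lines.

Added example (not from the original article). Flags a source IP whose
failed logins span many distinct usernames within a short window, and
lists any accounts that IP logged into successfully, so the response
team knows which accounts to treat as potentially compromised.
The log format and the sample lines below are constructed for this example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format (constructed): "<ISO timestamp> auth <success|failure> user=<name> ip=<addr>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>success|failure) user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "result": m["result"],
        "user": m["user"].lower(),  # usernames are normalised so Alice and alice count once
        "ip": m["ip"],
    }


def detect_credential_stuffing(lines, window=timedelta(minutes=10), distinct_users=5):
    """Return {ip: {...}} for each IP that failed against >= distinct_users accounts
    within any `window`-long period. Per-IP, the check slides the window over the
    IP's failures in time order, so a slow trickle spread over hours does not trigger
    on the same threshold as a burst."""
    events = [e for e in map(parse_line, lines) if e is not None]
    events.sort(key=lambda e: e["ts"])

    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    alerts = {}
    for ip, evs in by_ip.items():
        failures = [e for e in evs if e["result"] == "failure"]
        peak = 0
        for i, f in enumerate(failures):
            window_start = f["ts"] - window
            # distinct usernames among failures falling inside the window ending at this failure
            users = {g["user"] for g in failures[: i + 1] if g["ts"] >= window_start}
            peak = max(peak, len(users))
        if peak >= distinct_users:
            successes = sorted({e["user"] for e in evs if e["result"] == "success"})
            alerts[ip] = {"distinct_failed_users": peak, "successful_logins": successes}
    return alerts


# Constructed sample: one legitimate user retrying their own password, and one
# source replaying a list against many accounts (with one success).
SAMPLE_LOG = """\
2023-02-22T09:00:01 auth failure user=alice ip=198.51.100.4
2023-02-22T09:00:09 auth failure user=alice ip=198.51.100.4
2023-02-22T09:00:20 auth success user=alice ip=198.51.100.4
2023-02-22T09:02:00 auth failure user=bob ip=203.0.113.7
2023-02-22T09:02:01 auth failure user=carol ip=203.0.113.7
2023-02-22T09:02:02 auth failure user=dave ip=203.0.113.7
2023-02-22T09:02:03 auth failure user=erin ip=203.0.113.7
2023-02-22T09:02:04 auth failure user=frank ip=203.0.113.7
2023-02-22T09:02:05 auth success user=grace ip=203.0.113.7
2023-02-22T09:02:06 auth failure user=heidi ip=203.0.113.7
2023-02-22T09:40:00 auth failure user=ivan ip=203.0.113.7
""".splitlines()


if __name__ == "__main__":
    for ip, info in detect_credential_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: {info['distinct_failed_users']} distinct accounts failed; "
              f"successful logins: {info['successful_logins'] or 'none'}")
```

On the sample, 198.51.100.4 is not flagged (three failures, but all for one account), while 203.0.113.7 is flagged with six distinct failed accounts inside the ten-minute window and a successful login as `grace`, which is the account the response plan's Contain step would lock first. The seventh failure at 09:40 falls outside the window and does not raise the count, which is the point of the sliding window: a threshold applied to a whole day's logs would be noisy for shared office egress addresses.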

5. Create a ‘speak-up’ culture within your organisation so that staff are not afraid to report a scam to the correct escalation point

Time and time again, we have seen that the prompt detection of scams and other cyber incidents reduces the likelihood of serious harm resulting from them. It is important that staff are encouraged to ‘speak up’ as soon as possible when they think that they might have received or fallen for a scam message, so that the organisation can respond and take action to mitigate any potential harm without delay.

Organisations should seek to foster a culture where staff feel comfortable reporting a scam that they have encountered to the correct escalation point. The OAIC makes clear that good privacy management stems from good privacy governance. Ensure your leadership and governance arrangements create a culture of privacy that values personal information, so staff feel empowered to speak up.

For further information on these tips and other guidance about how organisations can identify any risks or gaps in their approach to privacy and data security, please refer to our article ‘Privacy Health Check: the questions to ask to avoid data breaches amid tougher penalties’.
