Q&A with Babette Bottin, Founder and Managing Director, DAS Insure and Annie Esposito, Senior Consultant, CreditorWatch
According to the latest annual cyber-threat report from the government cyber-security agency, the ACSC (Australian Cyber Security Centre), cybercrime increased 13% over the last financial year with a rise in the sophistication of cyber threats, making crimes like ransomware and fraud easier to replicate at a greater scale.
Since COVID we have changed the way we interact: hybrid work opportunities and an increase in online meetings versus in-house meetings are the new norm. We have also changed the way we verify information; one of the biggest industry shifts in the verification process has happened in the real estate industry.
We know cyber-crime and online fraud are increasing, but to what extent are they on the rise?
The ACSC received over 76,000 cybercrime reports. This equates to one report every seven minutes.
The report shows a huge increase in online fraud. It is still the most common type of cybercrime (27%), followed by online shopping at 14% and online banking at 13%. But online fraud is certainly the biggest one.
Ransomware remains the most destructive cybercrime threat, especially because businesses might experience a dual extortion impact: their business is disrupted by the encryption of their data, and on top of that they might face reputational and financial damage if the stolen data contains personally identifiable information of their customers.
It’s medium-sized businesses that have the highest average loss per crime at $88,000, probably because they already have a sizeable operation, but not enough capacity to have the IT security in place that large organisations have.
In terms of industries (excluding government sectors), the healthcare industry, and social assistance sector in particular, is most vulnerable because it works in collaboration across industries. This is followed by information and media telecommunications, education and training, and then professional and technical services.
Apart from working across different industries, what else makes the healthcare industry the most vulnerable to online crime?
Medical information costs about nine times more than financial information sold on the dark web. That makes the healthcare industry an attractive target. Criminals use medical information gained for identity theft but also to exploit healthcare systems (Medicare fraud, Centrelink fraud).
Health Service Providers were the number one ranked sector for reportable data breaches, according to the latest OAIC report (Office of the Australian Information Commissioner). Personal information sent to the wrong recipient via email and unauthorised disclosures (unintended release or publication) are the two most common human error breaches. Healthcare providers often use different practice management systems, and part of the patient onboarding process still requires the patient to manually fill out a form. Sharing medical information amongst service providers is common and in the patient’s interest, yet often not as automated and technically secured as the data handling process in other industries.
Yeah, it really goes across multiple industries. When I speak to businesses, one of the biggest risk factors I come across, regarding security issues, is the lack of verification and automation which goes together with increased human error.
Our onboarding solution incorporates e-signatures and multifactor authentication. So, from the very first point of the credit application and supplier onboarding, you’re getting that electronic signature.
A lot of people think that the wet signature is actually better, but anyone can pick up a pen and forge someone’s signature. With electronic signatures there’s real traceability to it through IP address capture, envelope IDs and custom rules as to who can sign. So, you have that extra level of security built into them that you can track. With proof of transaction from the beginning, it helps reduce fraud and provides a surety that wouldn’t otherwise be recorded.
We also have SmartID, which has document verification services (DVS) built into it. It uses biometrics and liveness, where a person can verify their government issued ID with biometrics, so they must take a picture of their own face to make sure it matches the one on their government ID. If an ID has been stolen or marked as identity theft, it will pick that up and check that as well.
I think tools like SmartID, e-signatures and multifactor authentication are invaluable for helping businesses identify phishing attacks and business email scams, where people are tricked into believing the email/invoice/call for action came from a legitimate sender.
Also, these tools help to safely access and handle personal information, especially for industries where you must go to that deeper level to actually work and establish, for example, a credit limit or a 100-point check.
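As an added illustration (not CreditorWatch's, ApplyEasy's or any vendor's code) of what the "traceability" of an e-signature envelope means in practice, the following Python sketch models a hypothetical signing envelope: a signer allow-list rule is enforced at signing time, and each signing event records the signer, source IP, timestamp and document hash in an audit trail whose entries are HMAC-chained so that a later edit or deletion is detectable. The envelope ID, e-mail addresses, IP address and secret key are all constructed sample values.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import Optional

# Constructed demo secret for the hypothetical signing service; a real service
# would hold this in an HSM or secrets manager, never in source code.
AUDIT_KEY = b"constructed-demo-audit-key"


def _mac(event: dict) -> str:
    """HMAC-SHA256 over a canonical JSON encoding of one audit event."""
    payload = json.dumps(event, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(AUDIT_KEY, payload, hashlib.sha256).hexdigest()


class Envelope:
    """Hypothetical signing envelope: one document, an allow-list of signers,
    and a MAC-chained audit trail recording who signed, from where and when."""

    def __init__(self, envelope_id: str, document: bytes, allowed_signers):
        self.envelope_id = envelope_id
        self.document_sha256 = hashlib.sha256(document).hexdigest()
        self.allowed_signers = frozenset(allowed_signers)
        self.audit_trail = []

    def sign(self, signer: str, source_ip: str, when: Optional[datetime] = None) -> dict:
        """Record a signature event; refuse anyone outside the envelope's signer rule."""
        if signer not in self.allowed_signers:
            raise PermissionError(f"{signer} is not permitted to sign {self.envelope_id}")
        event = {
            "envelope_id": self.envelope_id,
            "document_sha256": self.document_sha256,
            "signer": signer,
            "source_ip": source_ip,
            "timestamp": (when or datetime.now(timezone.utc)).isoformat(),
            # Link to the previous event so entries cannot be silently dropped or reordered.
            "prev_mac": self.audit_trail[-1]["mac"] if self.audit_trail else "",
        }
        event["mac"] = _mac(event)
        self.audit_trail.append(event)
        return event


def verify_trail(envelope: Envelope) -> bool:
    """Recompute every MAC and chain link; False means the trail was altered."""
    prev = ""
    for event in envelope.audit_trail:
        if event["prev_mac"] != prev or event["envelope_id"] != envelope.envelope_id:
            return False
        body = {k: v for k, v in event.items() if k != "mac"}
        if not hmac.compare_digest(_mac(body), event["mac"]):
            return False
        prev = event["mac"]
    return True


def demo():
    """Constructed walk-through: a valid signing, then a tampered signer field.
    Returns (trail_intact_before_tamper, trail_intact_after_tamper)."""
    env = Envelope("ENV-0001", b"Credit application for Example Pty Ltd",
                   allowed_signers=["director@example.com"])
    env.sign("director@example.com", "203.0.113.7",
             when=datetime(2023, 3, 1, 9, 30, tzinfo=timezone.utc))
    intact = verify_trail(env)
    env.audit_trail[0]["signer"] = "someone-else@example.com"  # after-the-fact edit
    return intact, verify_trail(env)


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The point of the chain is that the audit record, not the signature image, is the evidence: anyone can forge a scrawl, but altering who signed, from which address or when breaks the MAC for that entry and every entry after it.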
What would be the biggest challenges for a business in establishing proper fraud prevention processes?
First and foremost, know your organisation and your structure. And what are the crown jewels, meaning your core assets? For some it’s a process, for some it’s intellectual property, for some it’s money, for some it’s their client lists or the information they hold on their clients. So, then you know what you need to protect and what could be of value to the crooks.
So, first step for an organisation is to determine what they have that could be attractive to cyber crooks to onsell on the dark web.
Second – this is not just an IT problem, it is a business problem – management needs to be engaged. The ultimate responsibility lies with the board. It is also a people problem, so staff need to be included, and trained on an ongoing basis. Where are your potential weak spots? Where are your potential gaps?
I recommend starting with a cyber risk health check. When consulting businesses I often use cyber risk assessment tools when preparing clients to get cyber-insurance ready. The cyber.gov.au site also has some great assessment tools that provide a roadmap for businesses starting out on their cyber security journey.
Also keep in mind that nowadays there are even simple kits for sale on the dark web on how to hack into someone’s network without having the technical expertise. According to the ACSC, the so-called ‘cybercrime-as-a-service’ or CaaS tools continued to increase the overall cybercrime threat to Australia.
The other thing to be conscious of, particularly if you work with a large client, defence force or the government, is not being that ‘Trojan Horse’ or weak link that exposes them to risk.
This is where CreditorWatch’s products come in as well. To become a tier-one or tier-two supplier to these large organisations it is now often a requirement to have good cybersecurity processes in place.
And since the recent high-profile breaches, like Optus and Medibank, we do know that we will have new higher penalties imposed when data breaches are not reported properly and managed properly.
There was also an amendment to the Privacy Act in 2018 to include the Notifiable Data Breaches (NDB) Scheme. Any business with a turnover of more than $3 million must immediately notify the Office of the Australian Information Commissioner (OAIC) when a data breach occurs. Some industries, e.g. Healthcare Services, are exempt from this threshold. We are currently awaiting the amendments to the Privacy Act, with the PA Bill expected to be passed after March 31st. Australia will then have the largest maximum penalties for infringing privacy.
If you hold personal, identifiable information, you have that extra duty of care and you need to be vigilant. So, that could be your crown jewels, and then you start to map out how you collect that data, how you store it, where you store it, how you destroy it, back it up and that whole lifecycle of data needs to be mapped out.
The cybercrooks will always go for the easiest target. It comes down to those things that we mentioned, like a strong onboarding process, automation and multifactor authentication in place. You don’t have to outrun the bear; you just have to be running faster than your neighbour, because hackers always go for the easiest target.
When you talk about credit applications, especially if a business manages this on a large scale, they will access and potentially hold quite a large amount of sensitive information about their customers to process those credit applications. So, they should focus on securing the whole process – how to collect it, store it, destroy it and how to protect access from external and internal sources.
You mentioned gaps in security protocols earlier. Where do businesses typically have gaps and vulnerabilities that can be exploited and what can be done to prevent them?
The first one, that a lot of businesses overlook, is outsourcing of valuable data to external providers. You must hold your outsourced providers accountable to the same standards that you apply for yourself. There is a saying in the cyber industry, ‘You can outsource the service, but cannot outsource the risk’.
The second one is user permissions – limiting access on a need-to-know basis, in combination with strong passwords and multifactor authentication for all critical accounts.
Third would be automated updates of hardware and software systems, and regular backups that are tested.
Fourth, awareness training for staff, digital fire drills and friendly phishing campaigns.
And last in my top five: if you hold personally identifiable data, implementation of a data breach response plan.
That’s great advice. What should a business consider when engaging with outsourced providers to ensure they are secure?
An important question, Annie. According to the latest OAIC Report, eight out of the 40 large-scale data breaches involved a service provider relationship.
I recommend asking what specific security measures they have in place to keep your data safe. In my experience, most service providers have an external audit report that you can access if you sign an NDA. The information should cover where the data is stored and backed up, and what policies, standards and procedures they have in place to handle data access; the architecture, configuration and access control are all important. Do they follow NIST or the Essential Eight? Do you maintain any certified information security standards?
I agree, CreditorWatch has a number of added security measures when it comes to the data we host and hold on our platform. We have our ISO 27001 and we’ve recently been identified by the ATO as a data service provider – the only credit reporting bureau that has been certified by the ATO at this stage to report on their data.
Coming back to the recent data breaches, when collecting personally identifiable information it should be done on a need-to-know basis. For example, if you look at a company like Optus: while they are required to conduct a 100-point check for the customer verification process, do they need to store the underlying documents for that check once it is completed, and if so, for how long? Does everyone in the organisation need to have the ability to access sensitive data? User privileges are another huge topic.
Let’s look at credit managers – they deal with money, accounts, handling cash, signing invoices – naturally they are an attractive target for phishing campaigns and email scams.
Companies, especially small businesses with one or two credit managers, should aim to streamline and implement robust processes to reduce mistakes and prevent fraud.
Credit managers that are dealing with financial data do have to be very cautious. It helps to use modern technology and solutions like CreditorWatch also to minimise human error.
Credit managers face another problem regarding personally identifiable information: during the credit application process when investigating directors and their history, not only as business owners or board members, but also if they have had anything negative against them privately. How can we do this respectfully?
Absolutely. We provide this data on all our credit reports. With our onboarding solution, ApplyEasy, when a customer fills out their credit application and enters their ABN, we automatically tell you who the director of that business is. We can provide date of birth and address for your verification. By verifying the company details, structure and directors, there’s no room for error.
As part of this process, we also show you their credit report. We’ll reveal if that director is flagged for bankruptcy, what their history looks like, if they’re involved in any adverse cross-directorships, if they have had previous businesses with court actions, payment defaults or insolvencies. We can connect those dots which usually go unseen. This also helps prevent phoenix activity – we’re able to pick up if someone has had a dishonourable past, they can’t just pop up under a new ABN and apply for credit.
And it will also help credit managers by not needing to have those kinds of potentially embarrassing discussions with their future clients; rather, it’s just a normal process where they use their service provider CreditorWatch to run those checks for them.
CreditorWatch is helpful because it helps to overcome awkward discussions with potential clients, while verifying that they are who they say they are. For many businesses, a lot of information is still being filled out manually – credit applications, trade references and so on, filled out by potential new suppliers just by hand!
Yeah, that’s a big thing too. With documents not being electronic or automated, it’s difficult to control which things get filled out properly – sometimes not even filled out at all! With ApplyEasy we can have custom mandatory fields, automated trade references, e-signatures and multifactor authentication; a whole host of added security that you just can’t get with a scanned piece of paper.
The goalpost is not that high. Small to medium-sized businesses can make it to that first base level of having solid procedures in place by knowing what their crown jewels are – the data that is precious to them, their clients and their stakeholders. Then, observe and map out the process of how they handle this exchange of data and how they collect it, store it, protect it and back it up.
Then, they can investigate where they can get help with automation. One issue across these targeted industries, and bureaucracy in general, is that they often run on very outdated platforms, which leaves them vulnerable to threats.
On a positive note, if you’re small to medium-sized, you’re nimble – that’s your advantage compared to the big guys. You can most likely implement your technology and updates faster because your decision processes are leaner. My advice is to use the best state-of-the-art technology and go with the times.
Data protection and cyber safety can also be sold as a competitive strength for small and medium-sized businesses. For example, in the construction industry, considering trade credit protection and the processes involved, there’s a huge risk there because they often involve significant contracts and rely heavily on their supply chain. They are absolutely a target. According to the ACSC report, construction is in sixth place, followed by manufacturing, before financial and insurance services, because of the significant amount of money that is being exchanged. Ransomware attacks leading to business interruption losses and cybercrime like funds transfer fraud particularly affect this sector.
What final piece of advice would you have for business operators in relation to proactive measures they can take to tighten up their data security?
Knowledge is power. As data protection and cyber safety is complex and constantly evolving, I recommend looking for business partners that strengthen your cyber security posture, like CreditorWatch and its smart automation tools. Considering the imminent release of the PA Bill, now is the time to review your data handling processes and if you have cyber insurance in place, to stress test that you have the right cover in place.