
Author: Justin Hale

The Wright Stuff: Meet Cryptoloc’s new Customer Success Manager

Cryptoloc is pleased to welcome Katrina Wright to the team as our new Customer Success Manager, helping our users ensure they get the most out of the world’s safest cybersecurity platform. 

At first glance, Katrina doesn’t fit the profile of a tech guru. For starters, she’s an outdoor person – when she’s not helping our customers to implement Cryptoloc’s patented encryption technology, you’ll find her boating and camping with her kids, or tending to her cattle. 

But Katrina has always had a passion for customer service, and it’s that passion that she’ll be bringing to her new role at Cryptoloc. 

“When you’re running a business, I don’t think there’s anything more important than looking after your customers and ensuring their complete satisfaction over the entire lifecycle of your products,” she says.

“I’ve always had a knack for being able to put myself in the customer’s shoes and see things from their perspective. It’s not just about answering their questions – it’s about anticipating those questions, preventing problems before they can occur, and suggesting new ways for them to use your product that they might never have thought of.

“Having spent my career in customer service, I think this is the perfect role for me. I’m excited to accompany Cryptoloc’s customers on their journey with the product and ensure they get the most value out of it.” 

Cryptoloc’s patented technology, which combines three different encryption algorithms into one unique multilayer process, guarantees privacy, authenticity and control of all data transactions.

This ISO-certified technology has been deployed across a wide range of applications, including file storage, document management, ransomware recovery, counterfeit prevention and detection solutions, and the world’s most secure digital platform for customers who wish to develop and build their own products. 

But while the technology behind Cryptoloc is advanced, Katrina says her role is ultimately very simple. 

“It’s about protecting our customers from attacks,” she says. “We want our customers to have the best implementation and be able to use the full functionality of our products, and it’s my role to go out and show them how to protect their data with Cryptoloc.” 

With the Australian Cyber Security Centre (ACSC) recently reporting that cyber attacks had increased by nearly 13 per cent over the past year, resulting in losses of more than $33 billion, Katrina says it’s never been more important to ensure you’re protected against cybercrime. 

“It’s not just businesses that have to take this seriously, either,” she says. “Private companies of all sizes are being targeted by cyber criminals, but so are individuals, schools, social services, and even hospitals – people and organisations from all walks of life. 

“Many of the people who need the protection that Cryptoloc offers won’t have used a product like this before, so it’s particularly important that we walk them through it and show them how to take control of their data.” 

To get in touch with Katrina and the team and learn more about the world’s safest cybersecurity platform, contact us today.

The cybersecurity trends you need to know about in 2022

By Jamie Wilson, Founder and Managing Director of Cryptoloc


In 2021, no sector of the Australian economy was safe from cybercrime. From government agencies to family businesses, and every type of organisation in between, it’s been one of the worst years on record – so it’s important to stay ahead of the curve and be aware of what’s coming down the pipeline in 2022. 

The explosion in remote work and the accelerated pace of digitalisation have opened plenty of doors for cybercriminals to walk through. The Australian Cyber Security Centre (ACSC) received a report of a cyber attack once every eight minutes over the 2020-21 financial year, up from once every 10 minutes the previous year, and unfortunately, those attacks will probably only become more frequent in the new year. 

But when it comes to cybercrime, a little planning and preparation go a long way – so here are the trends your organisation should be focused on in 2022. 

Rules and regulations are coming 

One of the reasons that cybercriminals have been able to operate with virtual impunity is that they’ve felt secure in the knowledge that technology has always been a step ahead of regulators. 

But with the total economic impact of cybercrime estimated at $3.5 billion in Australia alone, and $1 trillion worldwide, the law is finally catching up to the threat these criminals pose – and in 2022, we can expect to see much greater regulatory pressure to address the risk of cybercrime. 

We’ve already seen legislation for consumer privacy pick up steam, beginning with the EU’s General Data Protection Regulation (GDPR) and followed by Brazil’s General Personal Data Protection Law (LGPD) and the California Consumer Privacy Act (CCPA). It’s a sure thing that jurisdictions around the world – at a national level, but also at a state and local government level – will continue to pass legislation along these lines. 

But that’s just the beginning. In Australia, we’ve seen the recent introduction of emergency laws that require the operators of ‘critical infrastructure’ to report cyber attacks to the Australian Signals Directorate (ASD) as they happen. The laws give the ASD the power to plug into the networks of these organisations to help them fend off attacks. 

Those laws were just a prelude to a second bill, expected to be introduced in 2022, that will impose positive security obligations on businesses, requiring them to develop risk management plans and reach certain cybersecurity standards. Under these laws, company directors could be made personally liable for cyber attacks. 

I expect we’ll also see the Government move to make the payment of ransomware illegal – Labor has already introduced a bill that would require ransomware victims to disclose whenever they make a payment, and my sense is that both sides of the aisle are keen to disincentivise and defund hackers by criminalising payments altogether. (Whether or not this would actually help victims is a more complicated question.) 

In their totality, these laws could make the regulatory landscape more confusing and/or costly for organisations that aren’t prepared for them. But they should also have the effect of raising the cybersecurity floor, and setting a new standard that, quite frankly, most organisations should be meeting already. 

In much the same way that tougher legal obligations made workplace health and safety a top priority for employers, we’ll see businesses lift their game when it comes to cybersecurity, and start taking their stewardship of data more seriously in order to comply with new rules and regulations.

Cybersecurity will be treated as a company-wide responsibility 

I was recently speaking to the CEO of a large organisation with 10,000 employees. I asked him how many people were in his cybersecurity team – ‘10,000’, he responded, without missing a beat. 

That’s the attitude every employer should have moving forward. Cybersecurity awareness and training for all staff will be absolutely crucial – because while not everyone on your team needs to be an IT professional or a cybersecurity specialist, everyone will need to be regularly briefed on the latest techniques being utilised by cybercriminals, and be aware of best practices. 

Businesses have never been more at risk, and the widening of attack surfaces that’s resulted from the COVID-19 pandemic is a major factor. With more employees using more of their own devices, it’s harder than ever to secure the perimeter. 

IBM and Ponemon’s Cost of a Data Breach Report 2021 found that data breaches are 17.5 per cent more costly where remote work is a factor, and that organisations that have more than half of their workforce working remotely take 58 days longer to identify and contain breaches, on average.

That’s why every member of your team will need to be trained to make their connection more secure, and made aware of the importance of updating passwords and patches, avoiding public networks, backing up data regularly, and recognising the signs of social engineering scams like phishing emails. 

It’s always been the case that when it comes to cybersecurity, your people have the potential to be your biggest weakness – because if they can be tricked into granting access to an intruder, all the perimeter security and monitoring in the world won’t be able to protect your system from being compromised. 

But now, with the ever-increasing interconnectivity and borderless nature of the modern workplace, it’s more important than ever that every link in your chain is as strong as it can be. 

Cybercriminals are becoming more professional, and more predatory

It’s no secret that ransomware is on the rise. In June 2021, the Director-General of the Australian Signals Directorate told the Parliamentary Joint Committee on Intelligence and Security there had been a 60 per cent increase in ransomware attacks on Australian businesses over the previous 12 months. 

What’s less understood is the fact that the organisations behind these attacks are becoming increasingly sophisticated. Rather than operating as lone wolves, hackers have developed cyber cartels that operate much like the mafia, collaborating as affiliates to pool resources, pass on stolen data, and exploit security vulnerabilities within hours of their disclosure. 

The tradecraft of ransomware is evolving at a rapid rate. In 2020, ransomware group REvil popularised the tactic known as double extortion, which not only requires organisations to pay a ransom to unlock their files, but also requires them to pay an additional ransom to prevent those files being leaked. 

The double extortion tactic quickly became ubiquitous, and has now evolved into triple extortion, in which ransom demands are also directed at a victim’s clients or suppliers – a method we expect to see plenty of in 2022. In effect, ransomware has become less of a singular attack, and more of a series of rolling demands springing forth from the initial intrusion.   

Cyber cartels have also begun offering ransomware-as-a-service (RaaS) to would-be cybercriminals lacking the expertise to pull off attacks on their own, even going so far as to provide them with 24/7 technical support, in return for a slice of the unskilled attacker’s profits. This has effectively lowered the barrier to entry to the ‘industry’ – and the more cybercriminals are active, the greater the chance that your organisation may be targeted. 

A major factor in the increasing complexity and professionalisation of these cartels is that many of them operate freely within nation states that are willing to turn a blind eye to their activities, and even provide them with tacit support. 

These ‘contract hackers’ are carrying out state-sponsored activities, while at the same time extorting businesses for their own financial gain. In 2021, the United States took the unprecedented step of naming and shaming the Chinese government as the benefactors of the hackers responsible for the Microsoft Exchange attack – but the cyber cold war has only gotten hotter since then, and you can expect more high-profile breaches and raids on hospitals, universities and state-owned utilities in 2022. 

Supply chain attacks are set to escalate 

It’s one thing to ensure your own organisation is secure. But in 2022, we can expect to see attacks on supply chains – including widely used software products and services – expand in scope and frequency. 

In 2021, the high-profile SolarWinds and Kaseya hacks helped to popularise this attack vector. Closer to home, a recent attack on external payroll software provider Frontier Software enabled hackers to access the records of up to 80,000 South Australian government employees, including their names, dates of birth, tax file numbers, home addresses, bank account details, remuneration and superannuation contributions. The records, which were stolen and published on the dark web, may even have included Premier Steven Marshall’s details. 

The PwC 2022 Global Digital Trust Insights Survey, which polled 3,602 high-ranking business, technology, and security executives around the world, found that 56 per cent of respondents are expecting a rise in breaches via their software supply chain in 2022. 

The advantage of this approach, from an attacker’s point of view, is that they can compromise a large number of organisations in one hit, making the potential reward for a successful attack quite significant. The downside for you is that your organisation might be one of those affected, even if you may never have previously been on the attacker’s radar. 

Given the high risk of collateral damage if a supplier falls victim to an attack, it will be up to organisations to closely scrutinise the security credentials and protocols of the third-party vendors they entrust with access to their data.

Cyber insurance will become harder to obtain 

Given the increasing frequency of cyber attacks, and the losses that organisations stand to incur if their data is compromised, it makes sense that cyber insurance has become highly sought after. 

The problem is that most insurers never had any real risk matrix for cybercrime, and therefore no real sense of what they’d be left paying out. As ransomware has gone through the roof, they’ve been left scrambling to put limits on the coverage they’re willing to offer. 

Cyber insurance premiums for Australian businesses have shot up by up to 30 per cent, and are expected to keep rising in 2022. Some insurers are refusing to take on new clients, or capping their coverage at about half of what they used to offer. 

To obtain coverage at reasonable rates in 2022 and beyond, organisations will need to be able to demonstrate that they meet strict cybersecurity standards and are following best practices, which may include providing cyber security education for all employees, using multi-factor authentication, implementing zero trust policies, securely backing up and encrypting their data, and having data breach incident response plans in place. 

Of course, my stance is that cyber insurance should only be used as a last resort, and that organisations should have these policies and practices in place anyway – because if there’s one thing we know for sure about cyber security in 2022, it’s that cyber criminals aren’t going to take the next year off, so you can’t afford to, either. 

With its unique three-key encryption technology, Cryptoloc is the most secure way to store, share and transfer data. To show you take cyber security seriously, visit cryptoloc.com.

The cost of ransomware: Should you pay the ransom?

By Jamie Wilson, Founder and Managing Director of Cryptoloc

It might be the most difficult decision you ever have to make. With the future of your business and the private details of your customers, clients and employees on the line, whether or not to pay the ransom demanded by a cybercriminal can seem like an impossible choice – but here are the things you need to consider. 

Ransomware has grown rapidly in both profile and impact over the last couple of years. Traditionally, ransomware attacks have consisted of criminals gaining access to your files and encrypting them, or restricting operations, and demanding a ransom for their return. 

But the craft of ransomware has evolved recently, with the emergence of double extortion, in which the criminal threatens to leak your stolen files, and even triple extortion, in which your clients or suppliers are also hit with ransom demands. 

The Australian Cyber Security Centre recorded a 15 per cent increase in ransomware over the 2020-21 financial year, while the Director-General of the Australian Signals Directorate recently told the Parliamentary Joint Committee on Intelligence and Security there had been a 60 per cent increase in ransomware attacks on Australian businesses over a 12-month period. 

There is seemingly no sector that ransomware won’t touch. Private companies of all sizes have been targeted, but so have schools, scientific and technical organisations, social services, and even hospitals. 

Earlier this year, Eastern Health – the operator of four hospitals in Melbourne’s east – was hit by a cyber attack that forced it to postpone certain surgeries, with ransomware the likely cause of the disruption. In the United States, ransomware has recently been alleged as the cause of death for a baby born at a hospital where hackers had shut down crucial systems in an extortion attempt. 

Ransomware is serious business – and for those on the receiving end, it can put them in a seemingly impossible situation. 

Is paying the ransom illegal? 

In Australia, at the time of writing, there are no laws that explicitly prohibit the payment of a ransomware demand. 

There are laws that a person considering paying a ransom should consider, however. 

Division 400 of the Criminal Code Act 1995 (Cth), which deals with money laundering, makes it an offence to deal with money or property where there’s a risk that it will become an instrument of crime, and you are reckless or negligent as to whether it will be used as an instrument of crime. 

Obviously, a hacker demanding ransom has already committed at least one crime, and it’s entirely possible they’ll use the ransom money to carry out further ransomware attacks – meaning there’s a risk the money will become an instrument of crime (even if, ultimately, the hacker ends up using the money for some non-criminal purpose). 

Duress is a possible defence here, if you can demonstrate that you believed the hacker’s threat would be carried out unless you paid the ransom; there was no reasonable way the threat could have been rendered ineffective; and the payment of the ransom is a reasonable response to the threat. 

It’s also illegal to intentionally make funds available to a terrorist organisation, under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) – so if the cyber cartel that’s demanding the ransom payment is classified as a terrorist organisation, this would be illegal. (Of course, you may not know the identity or status of the organisation making the demand, but the law still applies if you are reckless as to whether or not it’s a terrorist organisation.) 

It’s also worth noting that Labor has proposed a Ransomware Payments Bill which would require ransomware attack victims to contact the ACSC prior to making a ransom payment and disclose the amount being demanded and the details of the cryptocurrency wallet provided for the payment. The goal of the Bill, which has yet to pass, is to give the ACSC a chance to offer victims alternative options they might not have considered, and to provide intelligence that could help law enforcement agencies target the criminals making the demands. 

Australian entities with an annual turnover of more than $3 million are currently required to report to the Office of the Australian Information Commissioner (OAIC), within 72 hours, any data breach that could result in harm. ‘Harm’ is subjective here – in theory, virtually any data breach has the potential to cause some degree of harm to someone – which is why it’s considered best practice to report any data breach to both the OAIC and the ACSC. 

Going forward, I expect all of the countries in the Five Eyes alliance – Australia, the US, the UK, Canada and New Zealand – to eventually pass legislation that does explicitly prohibit the payment of ransomware demands, even though this will put companies that are unable to recover without access to their data in an extremely challenging position. 

For instance, if a company feels they truly have no choice but to pay the ransom, they could then find themselves at risk of further extortion if the attacker threatens to reveal the illegal payment – creating a virtual Möbius strip of ransom payments. 

Should you pay the ransom? 

The ACSC recommends that victims of ransomware do not pay the ransom. Their reasoning is that paying the ransom effectively funds criminal groups, and demonstrates a willingness to give in to criminal demands, which can incentivise these groups to continue deploying ransomware attacks. 

The ACSC also notes there’s no guarantee you’ll actually regain access to your systems and your data after paying the ransom. (The files may not be recoverable at all, if the attackers used ‘wiper’ malware, which sometimes masquerades as ransomware.) There’s also no guarantee the group won’t just turn right around and hit you with another ransomware attack – they could even provide you with a payment link that installs more malware onto your system. 

In the United States, the FBI recommends against paying ransoms for essentially the same reasons. 

Despite this, roughly one third of Australian businesses that are hit with a ransomware attack choose to pay the ransom – for an average amount of roughly $1.25 million, according to a survey conducted by CrowdStrike in 2020. (Exact figures are hard to come by, since most victims of ransomware don’t willingly disclose that fact.)

It’s not hard to see why they decide to give in. I’ve seen businesses brought to their knees by ransomware – especially small and medium-sized enterprises that don’t have backups in place, and simply don’t have the resources to get back on their feet and rebuild if they aren’t able to recover their data. 

It’s not just smaller companies that feel the heat, either. JBS Foods, the world’s largest meat supplier, recently paid a $US11 million ransom

Earlier this year, the United States experienced fuel shortages after Colonial Pipeline, an oil pipeline system that carries gasoline and jet fuel, was hit with a ransomware attack that forced it to shut down its pipelines for days. With the assistance of the FBI, Colonial paid a $US4.4 million ransom to restore their network. 

Colonial Pipeline CEO Joseph Blount said that Colonial could have restored from backups, but opted to pay the ransom because of the critical nature of the pipelines and the uncertainty over how badly their systems had been breached and how long it would take to recover them. 

A majority of respondents (62 per cent) to CNBC’s Global CFO Council survey for Q2 2021 said that Colonial had “no choice but to pay the ransom”, although only five per cent said it was the “right” choice. 

(The Department of Justice was eventually able to recover the Bitcoins from the ransom payment by acquiring the private key of the ransom account, but these were worth only $US2.3 million because of a drop in Bitcoin value since the payment.)

No matter the size of your organisation, it’s clear that the ideal solution is to prevent an attack in the first place. Ensure your operating systems, software and applications are up to date; set your anti-virus and anti-malware solutions to automatically update and scan; turn on multi-factor authentication; and most importantly, train each of your employees not to visit unsafe or suspicious websites, open emails or files from unknown sources, or click on suspicious links in emails or on social media. 

Even if you do all of that, you could still fall victim to an attack – but you should be able to recover with minimal downtime, and without paying the ransom, as long as you’ve got a solid backup infrastructure in place. Back up your data regularly, and ensure your backups are stored securely, and aren’t connected to the computers and networks they’re backing up. 

You should also report the breach to the ACSC hotline on 1300 292 371, or via ReportCyber, the ACSC’s online portal for reporting cybercrime incidents. 

In today’s landscape, a ransomware attack is increasingly inevitable – but if you put effective cybersecurity practices in place and back up your data, you may never have to make that impossible choice. 

With Cryptoloc’s patented three-key encryption technology, nobody can ever access your data without your permission. Learn more about how you can safely store, share, sync and secure your files with Cryptoloc here.  

Threat Level: Olympics – How many cyber attacks were attempted on the Tokyo Games?

In the latest episode of the ‘Jamie Versus The Hack’ podcast, we break down how the Tokyo Olympics were protected from an unprecedented onslaught of cyber attacks. 

The Tokyo Olympics were a triumph of digital logistics. For the first time, no spectators sat in the stands as the world’s best athletes competed – instead, the world was watching from home, online and on their smartphones. 

But hosting the most digital Olympics ever brought with it a slew of challenges – about 450 million of them, in fact.

This episode, Dirk Hodgson – the Director of Cybersecurity at telco NTT, entrusted with providing critical communication services for operating the Games – schools Cryptoloc Founder and Chairman Jamie Wilson and our resident Hack on what it takes to protect the Olympic Games from hackers. 

The challenge 

As an Olympic and Paralympic Games Tokyo 2020 Gold Partner, NTT was tasked with providing telecommunications services for the Games, as well as network security for those services and various cybersecurity measures.

They provided a broadcasting network to connect the 43 Games venues with the Tokyo Big Sight that served as an International Broadcast Centre (IBC), as well as various systems for safely running the event and data network services for the system to release game results to the media, supporting steady operation of the event.

“I like to think of NTT as the world’s largest company that nobody in Australia has ever heard of,” Dirk says. “We’re actually very famous in Japan, which is where we come to the topic of the Olympics, but NTT is one of the world’s largest telcos, and we also have a technology services delivery company, which is where I fit into the picture.”

In total, there were 450 million attempts at hacking the Games – more than twice the number of attacks seen during the 2012 London Olympics. 

“The Olympics have always been targeted,” Dirk says. “They’re a big public event. They attract people who want to take a closer look at it – perhaps for profit, perhaps for a whole range of other reasons. But certainly the uptick in attacks against Tokyo, compared to, say, London and other Olympics that came before, was very significant.”

Faster, Higher, Stronger 

Incredibly, none of the 450 million attacks were successful, and the Games went off without a hitch. 

The attacks included Emotet malware, email spoofing and phishing, and fake websites made to look like they were associated with the Olympics. 

NTT’s approach to protecting the event involved ongoing threat intelligence monitoring and analysis. 

“You have to remember that the infrastructure at the Olympics is fundamentally different to what you’d have in an office building,” Dirk says. 

“One example is the sailing… NTT and a number of our partners actually installed, quite literally, a 55 metre long floating 12K TV out in the water, so people could be standing on the sideline or watching via streamed video and see the sailing that was happening on that very large, very high quality TV. 

“All of the feeds were coming from the boats themselves, as well as a fleet of drones that were flying above the sailing event, so you’ve got all of these different things happening, which just creates a whole range of [surfaces] that bad guys can attack. 

“So on the one hand, they might go for a phishing attack. They might get somebody to click a link. But on the other hand, when they look at, say, trying to take those drones out of the air, there could be a whole other way of doing that. It might be a denial-of-service attack, it might be a range of other types of attack at that point.

“What you need to do is really look at what the risks are in the environment, but you also need to establish visibility of the environment. It doesn’t take a rocket scientist to work out that the Olympics are a temporary event, so there’s a whole lot of new IT that turns up literally on the back of trucks to get set up for the Olympics, and then it goes away afterwards.

“A big part of it was making sure that all of that had telemetry on it, so it could be tracked in security operation centres… making sure that you can see everything that happens is really important. Understanding the risk is really important. That’s why NTT, over the years, has invested heavily in making sure we know what’s happening in ‘Bad Guy Land’, and making sure that we can see the threats out there and we can help our customers to protect against those. 

“Ultimately, that threat intelligence stood us in good stead for the Olympics, to make sure that we could see the attacks and categorise those attacks quickly.”

NTT also employed an expert team of over 200 cybersecurity specialists as part of its complete security solutions package. 

“[It took] a combination of smart technology and smart people,” Dirk says. “NTT had 200 people working on this at any one time… but even with that many people, you were never going to be able to see everything. I mean, 200 people, 450 million attacks, it just doesn’t add up.

“The important thing here is that you’ll never have enough people in this game. It’s an asymmetric threat – as a bad guy, you can launch attacks willy-nilly, and you only have to have one get through to be completely successful. On the defence, you need to be sitting there all day, every day, defending against each and every one, and if a single one gets through, you’re in all sorts of trouble.

“So you’ve got to have the right algorithms in place, and you have to have all of the data coming back so you can analyse it accordingly, and then it’s the people plus the technology that make the difference.”

Et tu, 2032? 

Dirk says that by the time the Olympics return to Australia in 2032, the cybersecurity landscape could look drastically different. 

“We’re still 11 years away from Brisbane 2032,” he says. “I mean, take yourself back 11 years and think about what was different. iPhones and Android phones were only a couple of years old back then. That’s how far in the future this is. I think technology and cyberattacks are already changing so quickly that it’s impossible to say, ‘Here’s what we should expect in that period of time’.

“I do think the threat isn’t going away. It’s going to be something. There’s going to be some degree of people who are trying to profit, people who are trying to disrupt, and perhaps people who are just trying to have fun by attacking the next Olympics. 

“What I think we, in the industry, need to do is make sure that we’re working with all of the stakeholders to give the best possible consumer experience and the best possible spectator experience in the safest possible way with whatever technology happens to be available at the time.”

Hear more from Dirk on this week’s episode of the ‘Jamie Versus The Hack’ podcast.

Each episode, Cryptoloc Founder and Chairman Jamie Wilson takes our clueless Hack through the terrifying aspects of what happens when a business’s cyber and data security is breached, often with devastating consequences. Through case studies, expert guests and more, Jamie will build our Hack into a cybersecurity guru. Listen here or subscribe on Spotify or Apple Podcasts. 

How secure are the major cloud storage providers?

In the wake of COVID-19, most of us are more dependent on cloud storage services than ever. Uploading our files to the cloud is a great way to be able to collaborate with colleagues remotely and work across multiple devices – but with cybercriminals more determined to access our data than ever, it’s also important to consider how safe our files really are when we upload them to a cloud storage provider. 

This June, IDCare – Australia and New Zealand's national identity and cyber support service – reported a 34 per cent increase in demand for its frontline case management services. This reflects a wider trend of cybercriminals looking to capitalise on a world that has been forced to adopt remote work faster than it has been able to adopt the security practices that remote work demands.

The explosion in remote work and the acceleration in digitalisation caused by COVID-19 has exponentially increased the attack surfaces that are available to cybercriminals, and made it harder for breaches to be discovered. The Australian Cyber Security Centre recently saw a 200 per cent increase in reports of ransomware, while the cost of a typical data breach has risen where remote work is a factor, and cyber insurance policies are struggling to keep up.   

We shouldn’t assume, then, that we can simply store our files in a popular cloud server and forget about it. If you want to ensure your important documents are protected, you need to know you’re going with a secure service. 

Right off the bat, there are a couple of things that each of the major providers is doing right. Firstly, they each offer optional two-factor authentication, which adds an extra layer of security by requiring two separate proofs of identity before an account can be accessed. The first is usually a password, and the second can be a code sent to your phone or email address, a code from an authenticator app or hardware security key, or a biometric such as your fingerprint, face or iris. 

And they each offer at least some level of encryption, both for data at rest (data not actively moving from device to device or network to network) and data in transit (data actively moving from one location to another, either across the internet or through a private network).

And while there have been blemishes – some bigger than others – most of them have managed to avoid major breaches so far, although the same can't be said for their parent companies.

But there’s one major problem that hobbles each of the major cloud services – and it has to do with who can access your encrypted files. 

Who holds the key? 

When it comes to cloud storage security, the gold standard is Zero Knowledge encryption. Under Zero Knowledge protocols, your cloud service provider doesn’t store a copy of your encryption key, so they can’t decrypt your files – even if they wanted to.

The problem is that none of the mainstream cloud storage providers – the ones attached to giant parent corporations, for the most part – follow these protocols. Instead, the encryption key to access the files in your cloud stays with them. 

That means that no matter how strong your encryption is, or how strong your passwords are, your cloud storage provider still has access to all of your data, and can decrypt it whenever they want, bypassing all of your security. 

There are a couple of reasons why they do this. The first is that most of the major cloud storage providers tend to be part of a suite of products, or a workspace, if you will. By holding onto your encryption key, they can access your files faster and speed up the connection between these products. 

Holding onto the encryption key also enables them to scan your files – for instance, one major cloud storage provider flat-out tells users in their privacy policy that they scan the documents users upload to the cloud in order to find things like “which ads you’ll find most useful, the people who matter most to you online, or which YouTube videos you might like”. (In other words, their privacy policy is that you don’t have any.) 

The same privacy policy states that they will process your data when they have a legal obligation to do so – if, for instance, they’re responding to an enforceable governmental request. In fact, that’s true of all the major cloud providers, who are all subject to US laws, including the Patriot Act, which gives government agencies the ability to demand access to the data on their servers.  

But if they didn’t have your encryption key, then they wouldn’t be able to hand over your data, no matter how badly the government wanted them to. 

Keeping your encryption key on their servers also means that, if those servers were hacked, the keys could be obtained by cybercriminals and used to decrypt data stored in the cloud on a massive scale – defeating the entire purpose of uploading your files to a secure cloud storage service.  
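To make the difference concrete, here is an added example (written for this article; it is not Cryptoloc's code or any provider's) of the client-side arrangement a Zero Knowledge service relies on: the file is encrypted on the user's device under a random data key, that data key is wrapped under a key derived from the user's passphrase, and the provider receives only the resulting blob. The Go below uses AES-256-GCM and a standard-library PBKDF2; the iteration count, blob layout, passphrase and sample text are assumptions for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Blob is everything the provider stores. It carries no key the provider can use:
// the data key is wrapped under a key derived from a passphrase that never leaves the client.
type Blob struct {
	Salt       []byte // per-file salt for the passphrase-derived key encryption key (KEK)
	WrapNonce  []byte // AES-GCM nonce for the key wrap
	WrappedDEK []byte // random data encryption key (DEK), encrypted under the KEK
	FileNonce  []byte // AES-GCM nonce for the file body
	Ciphertext []byte // file body, AES-256-GCM, tag included
}

const kdfIterations = 100_000 // assumed for the example; size to your hardware budget

// pbkdf2SHA256 is PBKDF2-HMAC-SHA256 (RFC 8018) spelled out so the example needs
// only the standard library; in production use a maintained implementation.
func pbkdf2SHA256(password, salt []byte, iter, keyLen int) []byte {
	var out []byte
	for block := uint32(1); len(out) < keyLen; block++ {
		mac := hmac.New(sha256.New, password)
		mac.Write(salt)
		mac.Write([]byte{byte(block >> 24), byte(block >> 16), byte(block >> 8), byte(block)})
		u := mac.Sum(nil)              // U1 = PRF(P, S || INT(i))
		t := append([]byte(nil), u...) // T = U1 xor U2 xor ... xor Uc
		for i := 1; i < iter; i++ {
			mac = hmac.New(sha256.New, password)
			mac.Write(u)
			u = mac.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// newGCM builds AES-256-GCM; every key here is 32 bytes, so an error is a bug.
func newGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return aead
}

// ClientEncrypt runs on the user's device; only the returned Blob is uploaded.
func ClientEncrypt(passphrase, plaintext []byte) (*Blob, error) {
	raw := make([]byte, 16+12+12+32) // salt, wrap nonce, file nonce, DEK
	if _, err := rand.Read(raw); err != nil {
		return nil, err
	}
	b := &Blob{Salt: raw[:16], WrapNonce: raw[16:28], FileNonce: raw[28:40]}
	dek := raw[40:]
	b.Ciphertext = newGCM(dek).Seal(nil, b.FileNonce, plaintext, nil)
	kek := pbkdf2SHA256(passphrase, b.Salt, kdfIterations, 32)
	// Salt is bound in as associated data so a wrapped key cannot be moved to another blob.
	b.WrappedDEK = newGCM(kek).Seal(nil, b.WrapNonce, dek, b.Salt)
	return b, nil
}

// ClientDecrypt reverses the process. A wrong passphrase or a tampered blob fails
// GCM authentication on the wrapped key before the file body is touched.
func ClientDecrypt(passphrase []byte, b *Blob) ([]byte, error) {
	kek := pbkdf2SHA256(passphrase, b.Salt, kdfIterations, 32)
	dek, err := newGCM(kek).Open(nil, b.WrapNonce, b.WrappedDEK, b.Salt)
	if err != nil {
		return nil, fmt.Errorf("wrong passphrase or tampered key blob")
	}
	return newGCM(dek).Open(nil, b.FileNonce, b.Ciphertext, nil)
}

// ProviderCanRead models the server: it holds the Blob and nothing else, so it has no KEK.
func ProviderCanRead(b *Blob) bool {
	_, err := ClientDecrypt(nil, b)
	return err == nil
}

func main() {
	pass := []byte("correct horse battery staple") // never sent to the provider
	blob, _ := ClientEncrypt(pass, []byte("constructed sample: board minutes"))
	pt, err := ClientDecrypt(pass, blob)
	fmt.Println(ProviderCanRead(blob), string(pt), err) // false constructed sample: board minutes <nil>
}
```

The provider-side check is the point of the exercise: with nothing but the blob, the server cannot produce the data key, so a compromise of its storage yields ciphertext and salts rather than readable files. It also shows the flip side of the trade-off this article describes: a forgotten passphrase is unrecoverable, and the provider cannot index, preview or scan content it cannot read.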

A safer alternative 

Unlike the ‘big three’ cloud storage providers, we’re proud to say that Cryptoloc abides by Zero Knowledge protocols, which means that we can’t see the data you store with us, and we can’t share it with a third party – even if we wanted to. Which we don’t. 

Better yet, our patented three-key encryption technology combines AES-256 and RSA-4096 (with OAEP padding for the RSA operations) into one unique multilayer process, so even if someone gains access to your private key without your consent, they still won't be able to access your data. 

We’ve deployed this technology across multiple products, including Cryptoloc Cloud, which is built to the highest ISO 27001:2013 information security standards. Every piece of data in the Cloud is assigned its own separate audit trail; every user and action is tracked, verified and accounted for; and access for individuals or groups can be revoked at any time. 

That’s why no Cryptoloc product has ever been breached, and why no other cloud storage service comes close to Cryptoloc for secure, safe and convenient data management.

Learn more about how you can store, share, sync and secure your files with Cryptoloc Cloud here.  

This time it’s personal: Why we’re starting the Jamie Versus The Hack podcast

By Jamie Wilson, Founder and Chairman of Cryptoloc

Things aren’t normal.

Even before that pesky thing called the novel coronavirus hit us, cybersecurity hacks and devastating ransomware attacks on businesses were already rising.

Like many other aspects of business, the pandemic has just accelerated things. 

But this time, businesses have never been more at risk. Staff working from home have unleashed a plethora of problems on companies’ cyber and data security. And the numbers prove it.

Ransomware attacks are through the roof, and the monetary and data losses suffered by businesses are reaching a fever pitch.

But there’s something else. As much as hacks and attacks have spiked, so too has the amount of work needing urgent attention on boardroom tables.

And my fear is that cyber and data risks aren’t high on the priority list for them. Second to that, from the conversations I have every week and the data emerging from surveys and research around the globe, the understanding of what it means to protect businesses and individuals from these attacks is stagnating.

Enter our new podcast, Jamie Versus The Hack.

Every month I’ll guide our Hack – our poor producer who doesn’t know their ransomware from their menswear – through the cybersecurity topics that should matter to the boardroom. We’ll use real-life case studies, talk to expert guests, break down where things can go wrong and what to do if it happens to you or your business.

You can expect to learn a commonsense approach to protecting your business at every penetration point. And because our Hack has next to no idea about cybersecurity, we’ll take the simplest, most effective approach. And we’ll laugh (or potentially cry) as we go through it.

The huge range of cybersecurity podcasts out there are focused on confusing tech terms, and long-winded and boring conversations. The problem is that the devastating outcomes of cyber attacks aren’t just technical. The effects of cybersecurity breaches are shockingly real. Businesses and data can be lost, sure. But don’t forget real people get hurt. Hacks on hospitals. Hacks on aged care companies. Hacks on critical services like electricity and water providers. 

Boards have an obligation to know these threats and address them. Jamie Versus The Hack will tell you how to do just that. Because cybersecurity isn’t just business, it’s personal.

Listen on our website at cryptoloc.com/podcast, or through Spotify or Apple Podcasts.

Why Australia is enacting emergency cybersecurity laws

Emergency alert! Australia’s Federal Parliament is preparing to pass emergency laws to help fend off cyber attacks in a range of key sectors. Here’s what you need to know about how the laws will work, and why this is happening now. 

What are the emergency laws? 

The parliamentary joint committee on intelligence and security (PJCIS) has tabled a report endorsing the urgent passage of laws to protect Australia’s critical infrastructure from cyber threats. 

This would split the critical infrastructure bill that’s been under discussion in half, granting the government emergency powers to defend against cyber attacks on major infrastructure now, while providing time for government and industry to continue consulting on other issues. 

The new laws would allow the government to declare an emergency and give agencies like the Australian Signals Directorate (ASD) the power to plug into the networks of companies, organisations and operators that are part of sectors deemed to be ‘critical infrastructure’, as a last resort to help them fend off cyber attacks. 

The emergency laws would also require these critical operators to report cyber attacks as they happen. This would impose an obligation on them to send ‘signatures’ – files containing data sequences used to identify cyber attacks – to the ASD when they become aware of an attack. 

The bill is expected to cover ports, water, power plants, telecommunications and the defence industry, while also expanding the definition of ‘critical infrastructure’ to include universities, finance and banking, health and the food and grocery sectors. 

This follows reports in June that a major Australian company refused to comply with the ASD for weeks, despite being the victim of an active cyber attack that was having what ASD Director-General Rachel Noble called a “national impact on our country”. Transport and logistics operator Toll Group later conceded that they “may” have been the company at the centre of those reports.

A second bill, to be introduced at a later date after further consultation, is expected to impose ‘positive security obligations’ on businesses, which would require them to develop risk management plans. 

Under the second bill, company directors could be made personally liable for cyber attacks, in much the same way that they're already personally responsible for workplace health and safety – but the details of these reforms have yet to be decided on, and have proven controversial with businesses and unions alike.

That’s why, for now, the government is expected to follow the committee’s recommendations and split the bill, passing the emergency measures now and coming back to the more contentious elements of the bill later.     

Why is this happening now? 

The Chair of the PJCIS, Liberal senator James Paterson, said the inquiry received “compelling evidence that the complexity and frequency of cyber attacks on critical infrastructure is increasing globally”, putting pressure on the government to act now. 

“Australia is not immune and there is clear recognition from government and industry that we need to do more to protect our nation against sophisticated cyber threats, particularly against our critical infrastructure,” he said. 

Paterson said that while many businesses have asked for the entire critical infrastructure bill to be paused “in the current economic climate”, the committee felt there was a need for emergency powers to be granted urgently.  

“While sympathetic to the concerns of industry leaders, the committee does not believe that pausing the entire bill is in Australia’s national interests given the immediate cyber threats that our nation faces,” he said. 

Last year, Prime Minister Scott Morrison revealed there had been a string of cyber attacks on all levels of government, industry and critical infrastructure, including hospitals, local councils and utilities. At the time, Morrison refused to publicly confirm reports that China was behind the attacks. 

This year, however, Morrison joined the US, the UK, the EU, Canada, Japan and New Zealand in calling out the Chinese government for orchestrating the massive Microsoft Exchange attack, which compromised at least 30,000 email systems around the world. 

While the intent of the Microsoft Exchange attack might have been to gather intelligence, the smash-and-grab method of the attack led to schools, hospitals, councils and pharmacies having their data compromised. 

But the Microsoft Exchange attack was just the most high-profile in a string of recent incidents. As well as the attack on the Toll Group, the likes of Nine Entertainment, BlueScope Steel, Lion Dairy and Drinks and UnitingCare Queensland have all been recently targeted in Australia, while Victorian health operator Eastern Health was forced to postpone elective surgeries at four Melbourne hospitals because of a cyber attack. 

The Australian Cyber Security Centre recently saw a 200 per cent increase in reports of ransomware, while an Australian Institute of Criminology report estimated the total annual economic impact of cyber crime at $3.5 billion in Australia alone. Globally, McAfee and the Center for Strategic and International Studies found that losses from cybercrime had reached almost $1 trillion by the end of 2020.

Attacks on critical infrastructure are a particular priority for the government, because the consequences could include shortages of essential medical supplies; instability in the supply of food and groceries; impacts to water supply and sanitation; disruptions to transport, traffic management systems and fuel; and the temporary shutdown of the banking, finance and retail sectors. 

When will the second bill be passed? 

While the bill authorising the government’s emergency powers is expected to pass urgently, a deadline for the passage of the second bill, imposing cybersecurity obligations on businesses, has not been set. 

But in recommending that the bills be split, PJCIS chair Senator James Paterson reiterated the importance of passing the second bill once the details have been finalised. 

“The passage of both bills is essential because cybersecurity is not just the government’s job,” he said. 

“Industry has a role to play too, and the second bill, which imposes obligations on businesses, is an important part of a comprehensive response to the serious challenges we face.” 

Cryptoloc founder Jamie Wilson has welcomed the possibility of cybersecurity obligations for businesses, and believes it’s time for businesses to face the same requirements for cybersecurity that they do for workplace health and safety. 

“There was a time not that long ago when many businesses took a laissez-faire approach to health and safety, and now it’s everyone’s number one priority, because they have to comply with strict legal obligations,” he said. 

“We need to see these types of expectations being applied to cyber security. It needs to be a basic policy, for instance, for businesses to start securely encrypting their data, and this needs to be driven from the top down. We need to see the government putting forward cyber practices and policies to protect people – because we can’t wait for businesses to police themselves.

“At the same time, there’s a need for the government to educate businesses and the general public alike about the impact of cybercrime, to illustrate why these measures are necessary.”

Less than zero: How Zero Trust works and why it matters

Who do you trust? If you’re serious about protecting your network, the answer is simple – absolutely nobody. 

Yes, when it comes to cyber security, Fox Mulder had the right idea: Trust no one. That’s the philosophy behind Zero Trust architecture, the model that’s come to be seen as the superior approach to cyber safety. 

It sounds simple enough, but how do Zero Trust protocols actually work, and why should your business implement them? Here’s what you need to know. 

What is Zero Trust? 

Traditionally, network security approaches have concentrated on the perimeter, and on keeping attackers out. It’s a castle-and-moat approach that requires users to pass through layers of security on the perimeter, including firewalls and VPNs, but then trusts them by default once they’re inside the network. 

Unfortunately, with the growth of working from home and remote access, the widespread adoption of bring your own device (BYOD) policies, and the shift towards the cloud, the perimeter isn’t as clearly defined as it used to be. A castle-and-moat approach also does little to protect against phishing emails, stolen passwords and other common forms of social engineering that enable attackers to bypass perimeter controls. 

But if the traditional approach has been ‘verify, then trust’, the Zero Trust approach is ‘verify, then verify some more’. It was developed by cybersecurity expert John Kindervag in 2010, and applies a mantra of ‘trust no one and nothing’.

A Zero Trust approach assumes that anyone inside the network may already be compromised, and requires them to be verified and authenticated frequently before they’re granted access to anything. 

Essentially, it’s less like crossing the moat into the castle and having unrestricted access, and more like being chased around Bowser’s castle while he throws fireballs at you. 

How does Zero Trust work? 

The thing to note here is that Zero Trust isn’t the name of a specific set of tools, or a particular type of technology. Instead, it’s a mindset that underpins your approach to security. 

In practice, Zero Trust relies on technologies like multifactor authentication, which requires more than one piece of evidence to confirm a user’s identification, and encryption, which renders data inaccessible without the correct decryption key, as well as AI and analytics that work in real-time to validate the user’s geo-location, behaviour patterns and authentication risks.

Microsegmentation is also a key component of Zero Trust: the network is divided into small, isolated segments (down to individual workloads or applications) and security controls are defined for each segment, so a user or process that is authorised for one segment is not automatically authorised for the next. 

Much of that process is automated, so the user isn’t constantly being disrupted, but they’ll also periodically have their access timed out and be forced to re-enter their credentials to continue accessing the network. 

Zero Trust also calls for a ‘least privilege’ policy of giving users the least amount of access they require for their role, rather than letting them have the run of the network, and reviewing those privileges regularly. 

All of this restricts what’s known as ‘lateral movement’ – the techniques that attackers use to move through a network and search for data once they’re inside. If they aren’t able to reconfirm their credentials as they move through the segmented network, they can be quarantined before they can do any more damage. 
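As an added example (not Cryptoloc's code or any vendor's product), the Go below shows the shape of a Zero Trust policy decision point: every request, not just the login, is evaluated against identity, device posture, session age, a least-privilege role table and a simple risk signal, and receives one of allow, step-up or deny. The roles, segments, eight-hour re-authentication window, device signals and sample requests are assumptions chosen for the example.

```go
package main

import (
	"fmt"
	"time"
)

// Request is the context a policy decision point sees on every access, not just at
// login: who is asking, from what device, for which segment, and how fresh the session is.
type Request struct {
	User            string
	Role            string
	MFAVerified     bool      // session was established with a second factor
	DeviceManaged   bool      // device is enrolled in the organisation's MDM (assumed signal)
	DeviceCompliant bool      // disk encrypted, patched, EDR running (assumed signal)
	AuthenticatedAt time.Time // when the user last proved who they are
	Country         string    // where this request originates
	UsualCountry    string    // where this user normally works from
	Segment         string    // microsegment being reached, e.g. "payroll-db"
	Action          string    // "read" or "write"
}

type Verdict int

const (
	Deny   Verdict = iota
	StepUp         // allow only after a fresh MFA prompt
	Allow
)

func (v Verdict) String() string { return [...]string{"deny", "step-up", "allow"}[v] }

// Least privilege: each role gets exactly the segments and actions it needs.
// The roles and segments are assumptions for the example.
var policy = map[string]map[string][]string{
	"payroll-clerk": {"payroll-db": {"read", "write"}, "hr-files": {"read"}},
	"engineer":      {"build-servers": {"read", "write"}, "source": {"read", "write"}},
	"contractor":    {"ticketing": {"read"}},
}

const reauthAfter = 8 * time.Hour // session age after which credentials must be re-presented

func permitted(role, segment, action string) bool {
	for _, a := range policy[role][segment] {
		if a == action {
			return true
		}
	}
	return false
}

// Decide evaluates a single request. Identity and device posture are checked first,
// then session freshness, then least privilege, then risk-based step-up.
func Decide(r Request, now time.Time) (Verdict, string) {
	if !r.MFAVerified {
		return Deny, "session was not established with MFA"
	}
	if !r.DeviceManaged || !r.DeviceCompliant {
		return Deny, "device is unmanaged or out of compliance"
	}
	if now.Sub(r.AuthenticatedAt) > reauthAfter {
		return StepUp, "session is older than the re-authentication window"
	}
	if !permitted(r.Role, r.Segment, r.Action) {
		return Deny, fmt.Sprintf("role %q has no %s access to segment %q", r.Role, r.Action, r.Segment)
	}
	if r.Country != r.UsualCountry && r.Action == "write" {
		return StepUp, "write from an unusual location needs a fresh MFA prompt"
	}
	return Allow, "all checks passed"
}

func main() {
	now := time.Now()
	ok := Request{User: "alice", Role: "payroll-clerk", MFAVerified: true, DeviceManaged: true,
		DeviceCompliant: true, AuthenticatedAt: now.Add(-time.Hour), Country: "AU", UsualCountry: "AU",
		Segment: "payroll-db", Action: "read"}
	lateral, stale, abroad := ok, ok, ok // constructed variations on the same session
	lateral.Segment = "source"           // a payroll clerk reaching for source code
	stale.AuthenticatedAt = now.Add(-9 * time.Hour)
	abroad.Country, abroad.Action = "ZZ", "write"
	for _, r := range []Request{ok, lateral, stale, abroad} {
		v, why := Decide(r, now)
		fmt.Printf("%-8s %s\n", v, why)
	}
}
```

The lateral-movement case is the one to look at: the session is valid and the user is legitimate, yet a payroll role reaching for the source segment is denied outright, because access is decided per segment and per action rather than once at the perimeter. A real deployment would take the device and location signals from an MDM or EDR agent and an identity provider rather than from struct fields, and would log every verdict for the security operations team.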

A Zero Trust approach is also strengthened and supported by enacting Zero Knowledge protocols, in which your encryption keys are separated from your encrypted data. This way, even your data security and cloud platform providers can’t see your data. 

Cryptoloc, for instance, has Zero Knowledge protocols in place for our clients. If the ethos of Zero Trust is ‘trust no one’, then the credo of Zero Knowledge is ‘I know nothing’ – shout-out to Sergeant Schultz.

Why does Zero Trust matter? 

If you’re a trusting kind of person who’d prefer to look on the bright side of life, and you don’t want to believe that everyone inside your system is a potential attacker, then all of this might seem like it’s a little much. 

But the frequency and impact of cybercrime is on the rise, with a recent Australian Institute of Criminology report estimating its total annual economic impact in Australia alone at $3.5 billion. For businesses and individuals alike, the impact of a hack can be catastrophic.

But that impact can be significantly reduced by adopting a Zero Trust mindset.

The recent Cost of a Data Breach Report 2021 from IBM and Ponemon, which studied the impacts of 537 real breaches across 17 countries and regions, found the average cost of a breach currently sits at US$5.04 million when Zero Trust protocols are not in place, as opposed to US$3.28 million when mature Zero Trust protocols are in place. That's a cost difference of 42.3 per cent – and that's only if you get breached in the first place, which is a less likely outcome with stronger security protocols in place.

Despite this, IBM and Ponemon found that only about a third of organisations have adopted a Zero Trust approach, and close to half of the organisations they studied have no plans in place to adopt one. 

Use of strong encryption, a key component of Zero Trust, was a major mitigating factor. The study found that organisations using high-standard encryption (at least AES-256, for data at rest and in transit) saved an average of 29.4 per cent per breach, compared to organisations using low-standard or no encryption. 

Taking a Zero Trust approach doesn’t mean you don’t have faith in the people you want to access your network. It just means you want to make life as hard as possible for the people you don’t want to access your network, and you want to take the necessary steps to protect your data – because relying on old-fashioned perimeter controls in today’s environment makes Zero Sense. 

Why are cyber insurance premiums going up, and how can you get a better deal?

It may not have attracted as much attention as the coronavirus, but ransomware has become a pandemic unto itself – and it’s sending the price of cyber insurance skyrocketing. Here’s what you can do to keep your premiums as low as possible.   

Cyber insurance is a relatively new addition to the insurance market that helps to protect organisations from the fallout of being hacked. 

According to the Insurance Council of Australia, cyber insurance is typically available to cover: 

  • Costs related to the loss of or damage to data 
  • Content-related claims related to data 
  • Costs to prevent future breaches 
  • Fines and penalties imposed by regulators 
  • Public relations costs 
  • Liability for denial of service from or access to electronically provided data 
  • Costs associated with cyber extortion reimbursement 
  • Compensation to third parties for failure to protect their data 

But at a time when more organisations are clamouring for these sorts of protections, cyber insurance carriers are raising premiums and limiting the coverage they’re willing to offer. 

In a recent report entitled Cyber insurance: A hard reset, multinational insurance broker Howden reported that global insurance pricing had increased by an average of 32 per cent from June 2020 to June 2021. 

Similarly, insurance broker Marsh’s latest Global Insurance Market Index found that cyber insurance premiums shot up 56 per cent in the US and 35 per cent in the UK from the second quarter of 2020 to the second quarter of 2021. 

Marsh reports that Australian businesses, specifically, have been slugged with cyber insurance premium jumps of up to 30 per cent, and those prices are expected to just keep rising.  

Why are cyber insurance premiums going up? 

Essentially, cyber attacks are becoming too common for the insurance sector, whose business model depends on collecting premiums for events that mostly never happen. With hacks becoming a virtual inevitability, safeguarding businesses against them is an increasingly shaky prospect for insurers.   

According to both the Howden and Marsh reports, it’s the frequency and severity of ransomware attacks – in which cybercriminals take control of a network and demand payment to hand it back – that are driving cyber insurance prices skyward. 

The number of ransomware attacks worldwide shot up 170 per cent from the first quarter of 2019 to the fourth quarter of 2020, according to Howden, while the average cost of a ransomware attack is up 145 per cent in 2021 compared to 2020.

There are a number of reasons for the rise of ransomware, including the availability of low-cost ransomware kits and ransomware-as-a-service (RaaS) offerings that enable users to launch ransomware attacks without any technical expertise on their part, effectively lowering the barrier to entry to the cybercrime ‘industry’. 

The proliferation of double extortion is also a factor – in a double extortion attack, not only do cybercriminals take control of your system and demand payment for its return, but they also threaten to leak the data they've stolen from you, and demand a separate payment not to do so. The tactic was pioneered by the Maze group in late 2019 and quickly adopted by REvil and others, and it has since taken off worldwide. 

As is so often the case, the COVID-19 pandemic is also partly to blame. The sudden explosion in remote work and the acceleration in digitalisation that has come with that has exponentially increased the attack surfaces that are available to cyber criminals, and made it harder for breaches to be discovered. 

IBM and Ponemon’s Cost of a Data Breach Report 2021 found that data breaches were 17.5 per cent more costly where remote work was a factor, and that organisations that had more than half of their workforce working remotely took 58 days longer to identify and contain breaches, on average.

Not only has the rash of ransomware attacks sent cyber insurance premiums soaring, it's also affected the coverage that some insurers are willing to offer. In May, French insurance giant AXA announced it would no longer write policies in France that reimburse ransomware payments – and was promptly hit with a retaliatory ransomware attack on one of its Asian subsidiaries – while other insurers are declining to take on new clients, or capping their coverage at about half of what they used to offer.

How can you lower the cost of your cyber insurance policy? 

A wide range of factors can impact your cyber insurance premium, including the size of your business and its annual revenue, the industry you operate in, and the type of data you have access to. 

But in much the same way that a high-risk driver will have to pay more for car insurance, the Howden report found that insurers are demanding more from businesses' cybersecurity, and will charge organisations that are more likely to fall victim to a breach a higher premium – or refuse to insure them altogether. 

This is in line with a recent letter from the Insurance Council of Australia to the Department of Home Affairs, in which the Insurance Council wrote: “Insurance underwriters place a strong focus on a customer’s risk management and security culture when reviewing, assessing and pricing the risk. Effective risk management, including a strong internal security culture, can be the most effective defence against threats.” 

This might seem like a no-brainer, but it hasn’t always been this way. In the past, insurers might have just asked potential clients to fill out a questionnaire about their cybersecurity practices, and taken them at their word that their house was in order. 

In today’s environment, however, these insurers are partnering with outside firms to vet potential clients’ cybersecurity protocols, and demanding to see evidence that they have appropriate controls in place and are following best practices, including using multi-factor authentication, implementing zero trust policies, and backing up and encrypting their data. 

For instance, the IBM and Ponemon report on the cost of data breaches found that organisations using high-standard encryption – at least AES-256, at rest and in transit – had an average breach cost that was 29.4 per cent lower than organisations using low-standard or no encryption. Insurers, who are likely to be aware of that data, might then offer broader cover and better pricing to organisations that can demonstrate they're using strong encryption technology. 

Companies who take a proactive approach by providing cyber security education for all employees, including advice on how to identify suspicious emails and requests, are also likely to be looked upon favourably by insurers. 

“Carriers… are demanding extremely high cyber security standards,” says Shay Simkin, Global Head of Cyber at Howden. 

“Impeccable cyber security hygiene is therefore crucial for companies looking to purchase cyber insurance cover. Not only does it open up capacity availability, it also helps provide more favourable pricing and terms.” 

Or, as the Insurance Council of Australia puts it: “Capabilities that indicate a strong risk management and security culture may, for instance, include internal data handling and internet usage policies for all employees across the business, adequate prevention, detection, and response security capabilities and internal data breach incident response plans. Guidance and resources that support businesses, especially small businesses, to protect themselves against cyber threats can strengthen risk management and security practices.” 

This isn’t a set-and-forget proposition, either. In many cases, insurers will reassess their policies every 12 months, so even after you use your organisation’s preparedness to get a good deal on cyber insurance, you’ll need to ensure you maintain those high standards and keep the proper procedures in place. 

Then again, why wouldn’t you? Cyber insurance is not, in and of itself, a cybersecurity strategy, and no matter how low your premium is and how great the terms of your coverage are, it should only be used as a last resort. The best response to a breach is still to avoid being breached at all. 

At the end of the day, if your business never has to make a cybersecurity claim, it’ll be a win for your insurer – but it’ll be a win for you and your clients and customers, too. 

With its unique three-key encryption technology, Cryptoloc is the world's safest cybersecurity platform. To show you take data management seriously, visit cryptoloc.com

The real cost of cybercrime

Being hacked is about much more than just financial losses – and yet it’s about that, too. This is what it’s really like for individuals and businesses who fall prey to cybercrime.

Former FBI director Robert Mueller once said there are only two types of businesses – those that have been hacked, and those that will be. As our world gets smaller, and our systems for sharing information become increasingly interconnected, being hacked is becoming an inevitability. 

Dr Cassandra Cross is an Associate Professor in the School of Justice at the Queensland University of Technology who specialises in researching cyber scams and their victims. She says that despite the rising prevalence of cybercrime, most people still don’t understand what’s really at stake. 

“The problem is that people don’t perceive the threat of cybercrime to them accurately,” she says. “People think it won’t happen to them; that it’s something that only happens to other people. There’s a definite discrepancy between the actual threat of cybercrime, and how at-risk people think they are.” 

The emotional impact 

Before we even begin to count the dollars-and-cents impact of cybercrime, it’s important to consider the psychological impact, which is too often ignored. Victims of a cyber attack can be left with feelings of anger, anxiety, fear, isolation and embarrassment, which can lead to anything from sleeplessness to self-harm. 

“People should know that cybercrime can have a number of non-financial impacts,” Dr Cross says. “It can impact their emotional and psychological wellbeing. Victims can experience depression. It can impact on relationships, on employment, and it can even lead to homelessness. At the serious end, it can have a severe impact on someone’s physical health, and in the worst case scenario, there have been victims who have committed suicide as a response to cybercrime. 

“I think we have to acknowledge, to a much greater degree, the range of impacts that different types of cybercrime can have, and acknowledge that the way one person experiences an incident can be quite different to somebody else in the same situation. That will depend partly on their ability to disclose what’s happened to family and friends, and to gain support from both formal and informal networks.”

Dr Cross says many victims of cybercrime are left feeling that they’ve been violated, in much the same way that you might expect after a physical attack. 

“That feeling of violation and vulnerability is something I’ve come across a lot in my research on cyber fraud,” she says. “Fraud is all about deception. It’s about deceiving somebody for financial gain. And once a person realises that they’ve been deceived, it comes with an immense sense of violation, betrayal, and loss of trust. Many victims talk about the fact that they find it difficult to trust people in their day-to-day lives moving forward, and they find it hard to start new relationships.” 

One of the most damaging aspects of a hack can be the response from other people. 

“There is a lot of victim-blaming that comes with cybercrime,” Dr Cross says. “Victims feel so ashamed and embarrassed about what’s happened, and there’s such a stigma associated with it, that they often don’t tell anybody about it. And that exacerbates it, because they suffer in silence. They’re not able to gain any support in the aftermath of what’s occurred, and it sends them spiralling downwards.” 

For many victims of cybercrime, dealing with the system in the aftermath of the crime can be as traumatic as the crime itself. 

“Our systems are not very well designed, and they certainly aren’t victim-centred,” Dr Cross says. “If my wallet gets stolen or my house gets broken into, I will generally go to the police to file a report in the first instance. But for the various types of cybercrime, there are a multitude of agencies that might be relevant to a victim’s circumstances. 

“They might need to talk to the police, but they might also need to talk to banks, consumer protection agencies, government agencies, perhaps even a private organisation. It can leave them feeling like they’re not being heard, and it creates a merry-go-round effect as victims are passed around from one organisation to the next. They sustain additional trauma, and frustration, and a huge sense of anger at not being acknowledged, not being listened to, and not being able to find anyone who can assist them with their personal circumstances.” 

In Australia, there is a central reporting mechanism for victims of cybercrime, but Dr Cross says that comes with its own challenges. 

“ReportCyber is the online reporting mechanism for cybercrime in Australia, but from a victim perspective, you can see how that might not be ideal,” she says. “Victims who have been deceived or defrauded and lost money or data online are then directed to go online and provide all of their personal details and the details of what happened, and send that information into a black hole that doesn’t give them a personalised response and might not lead to any further interaction or communication.”

In a recent study on the police response to cybercrime for the Australian Institute of Criminology, Dr Cross and co-authors Dr Thomas Holt, Dr Anastasia Powell and Dr Michael Wilson found that community members are more likely to express confidence in the police response to cybercrime than the police themselves. 

They surveyed hundreds of officers in Queensland and New South Wales, as well as thousands of community participants, and found that police consistently reported lower confidence in their capabilities to investigate cybercrime – most likely because they’re more aware of the difficulties cybercrime presents for law enforcement in reality, with its technical complexity and cross-jurisdictional nature.

Adding to the frustration and stigmatisation that those who have fallen prey to cybercriminals can feel, police tend to prioritise their work according to a sense of ‘ideal victimisation’. Observations of police control rooms in the UK, for instance, have found that the perceived ‘blamelessness’ of cyber-harassment victims influences whether or not police decide further investigation is warranted.

All told, it can add up to a deeply unpleasant experience for victims of cybercrime who might be expecting their complaint to be taken more seriously than it is. 

“It’s frustrating for victims to go to the police, be told the police can’t take the complaint, and then be referred online to ReportCyber, when they’re expecting a different outcome,” Dr Cross says.   

The business impact 

The impact of cybercrime on businesses might be better understood than the psychological impact of cybercrime on individuals, but there’s still a lack of awareness about the reality of the situation. 

For one thing, it’s naive to think that the business impact of a hack is limited to money. This year in Australia alone, Victorian health operator Eastern Health was forced to postpone elective surgeries at four hospitals in Melbourne’s east because of a cyber attack, while Queensland health and community care provider UnitingCare Queensland, which runs numerous hospitals, aged care and disability services throughout the state, was suspended from the national My Health Record system after a cyber attack, leaving patient records unable to be accessed online. 

Many jurisdictions now require data breaches to be disclosed. In Australia, an organisation covered by the Privacy Act 1988 that has reasonable grounds to believe an eligible data breach has occurred (one likely to result in serious harm to the individuals whose information is involved) has to notify the Office of the Australian Information Commissioner. It also has to notify the individuals at risk of being affected, and let them know what it is doing to mitigate that risk. 

It can take time for the true impacts of such a breach to reveal themselves. It was only this year, for instance, that National Australia Bank revealed it had paid $686,878 in compensation to customers exposed in a 2019 data breach, when personal account details of about 13,000 customers were uploaded online. 

The costs included the reissuance of government identification documents, as well as subscriptions to independent, enhanced fraud detection services for the affected customers. But that’s unlikely to be the full price of the breach for NAB – the bank also hired three cyber-intelligence experts to investigate the breach at the time, the names and cost of which remain unknown. 

The average cost of a cyber attack on a business is a matter of some debate. The Hiscox Cyber Readiness Report of 2021, which surveyed 1,709 firms around the world that tracked the cost of cyber attacks, noted a wide range of outcomes “that should send a chill down any CEO’s spine”. One in six of all firms that were attacked over the past year said the impact was serious enough to ‘materially threaten the solvency or viability of the company’. 

According to the Hiscox report, the median cost for all attacks on firms with under 10 employees over the last year was just over US$8,000. At the 95th percentile, however, there were firms suffering losses of US$308,000, with one German firm having to pay the equivalent of US$474,000 per employee.

For enterprise-scale firms, the median cost was US$24,000, but at the 95th percentile, firms were suffering losses of US$462,000. 

But those numbers pale by comparison with the Cost of a Data Breach Report 2021 from IBM and Ponemon, which studied the impacts of 537 real breaches across 17 countries and regions. Their report found the average cost of a breach currently sits at a staggering US$4.24 million, a 10 per cent increase from last year. Ransomware breaches were particularly costly, at an average of US$4.62 million. 

The IBM and Ponemon report took into account hundreds of cost factors, from legal implications and regulatory requirements to loss of brand equity, customer turnover, and the drain that managing a breach has on employee productivity.

Breaches were costliest in the heavily regulated healthcare industry (US$9.23 million), a logical result given the additional sensitivity of medical records, with less regulated industries such as hospitality (US$3.03 million) sitting at the opposite end of the spectrum.

Lost business represented the largest share (38 per cent) of breach costs. Lost business costs include business disruption and revenue losses from system downtime, customer turnover, reputation losses and diminished goodwill. 

The average cost per record of personally identifiable information was US$180. Mega breaches involving at least 50 million records were excluded from the average, with a separate section of the report noting that they cost 100 times more than the average breach. 

The report found the average breach takes 287 days to identify and contain, with the cost increasing the longer it remains unidentified. When it comes to cybercrime, at least, time really is money.  

The report confirmed that costs accrue over several years. While the bulk of a data breach cost (53 per cent) is incurred in the first year, another 31 per cent is incurred in the second year, and the final 16 per cent is incurred more than two years after the event.

In 2019, a Deloitte report determined that up to 90 per cent of the total costs in a cyberattack occur beneath the surface. 

Traditional approaches to calculating the cost of cybercrime have focused on the theft of personal information, because the data is readily available and the costs are relatively quantifiable.

But the Deloitte report argued that ‘hidden costs’ – including the theft of intellectual property, the disruption of core operations and the destruction of critical infrastructure, as well as insurance premium increases, credit rating impact, the loss of customer relationships and brand devaluation – are the real killers when a cyber attack occurs. 

Dr Cross says communication in the aftermath of a breach is crucial for mitigating an attack’s impact. 

“The tone of communications is so important, in terms of how the attack impacts their reputation and how they can move forward from it,” she says. 

“Data breaches are not new. Sadly, they’re very common at this point, and we see them quite often in the media now. But there are companies who deal with them better than others, in terms of the way they communicate with victims and the way they communicate publicly about what’s happened. 

“I think it’s something that every company should anticipate and have a strategy for dealing with. Not if this happens, but when this happens, this is what we’re going to do. There have been some great examples of this – there was some very positive commentary around the Red Cross’ response to their breach, in terms of the way they immediately notified the affected individuals, took responsibility for it, and put forward their plan for what they were going to do in the future. 

“On the other hand, we’ve seen companies suffer data breaches and put out comms saying, ‘There’s nothing to see here, there’s no risk, nothing happened’. That’s not very helpful for the individuals who might have been affected, and it’s probably not true, either.” 

The IBM and Ponemon report found that organisations who had formed incident response teams and tested their incident response plans had an average breach cost that was US$2.46 million lower than organisations with no incident response team or plan in place. 

Dr Cross also recommends backing up data regularly, “so if you’re subject to a ransomware attack and your files are encrypted by an attacker, you don’t lose everything”. 

The use of strong encryption has also been found to be a top cost-mitigating factor. By encrypting files, businesses can ensure that if and when they suffer a breach, any files an attacker copies are worthless without the decryption key. The caveat is that this holds only if the key is kept separate from the data, for instance in a dedicated key management service or hardware security module, and was not itself taken in the same breach; an attacker who compromises a running system that holds the key in memory can read the data as easily as the application does. 

The IBM and Ponemon report found that organisations using high standard encryption (at least AES-256, at rest and in transit) had an average total breach cost of US$3.62 million, compared to US$4.87 million for organisations using low standard or no encryption. That is a gap of US$1.25 million, which the report expresses as a 29.4 per cent difference. 
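The mechanism behind that statistic, shown here as an added example rather than Cryptoloc’s patented process or anything from the IBM report: a record is sealed at rest with AES-256-GCM using only Go’s standard library, so a copied file reveals nothing about its contents, a wrong key or any tampering fails closed, and only the system holding the key can read it. The example assumes the key is generated and stored somewhere other than the file store (a key management service or HSM is the usual answer), and the patient record is constructed for the demonstration, not real data.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// NewKey returns a fresh 32-byte AES-256 key. In production the key lives in
// a KMS or HSM, never beside the files it protects (an assumption of this example).
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// newGCM builds the AEAD and rejects anything that is not an AES-256 key.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptAtRest seals plaintext with AES-256-GCM and returns nonce || ciphertext || tag.
// A fresh random nonce per call means the same record encrypts differently each time.
func EncryptAtRest(key, plaintext []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and tag to the nonce slice, so the blob carries its own nonce.
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// DecryptAtRest reverses EncryptAtRest. A wrong key, a truncated blob or any
// modified byte fails the GCM authentication tag and yields an error, not garbage.
func DecryptAtRest(key, blob []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("blob too short to contain nonce and tag")
	}
	nonce, ct := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, nil)
}

// Exposes reports whether a stolen blob still contains the sensitive string in
// the clear, which is the question a breach investigator actually asks.
func Exposes(blob []byte, sensitive string) bool {
	return bytes.Contains(blob, []byte(sensitive))
}

func main() {
	// Constructed sample record for the demonstration; not real patient data.
	record := []byte("patient=Jane Citizen;medicare=2123 45678 1;diagnosis=none")
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	blob, err := EncryptAtRest(key, record)
	if err != nil {
		panic(err)
	}
	fmt.Println("stolen ciphertext exposes Medicare number:", Exposes(blob, "2123 45678 1"))

	// The attacker copied the file but not the key: a different key fails closed.
	otherKey, _ := NewKey()
	if _, err := DecryptAtRest(otherKey, blob); err != nil {
		fmt.Println("decrypt with wrong key:", err)
	}

	// Flipping a single byte is detected rather than silently accepted.
	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01
	if _, err := DecryptAtRest(key, tampered); err != nil {
		fmt.Println("decrypt tampered blob:", err)
	}

	// The legitimate system, which holds the key, recovers the record.
	plain, err := DecryptAtRest(key, blob)
	if err != nil {
		panic(err)
	}
	fmt.Println("decrypt with right key:", bytes.Equal(plain, record))
}
```

GCM is chosen over a bare block mode because it authenticates as well as encrypts: a breach that alters records (for instance to plant a false entry) is caught at read time, whereas unauthenticated modes would decrypt the modified bytes without complaint.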

When you consider the real costs of cybercrime, it’s clear that every organisation has a strong imperative to protect their data – not just financially, but morally and ethically, knowing that every breached record has the potential to have a devastating impact on the individual who’s at risk of being affected. 

Ultimately, Dr Cross says victims of cybercrime are part of a hidden, but growing, epidemic.

“I think there needs to be greater acknowledgement of victimisation,” she says. “I spoke to a victim recently who lost a lot of money. She spoke to a staff member at the bank, and that staff member actually just took the few extra minutes to explain to her what had happened, how she’d been defrauded, and how she could protect herself in the future. 

“He didn’t make promises about how she could get her money back, he didn’t resolve the situation for her, but she felt a lot better having had that phone call with him. She felt like she had a better understanding of the situation, as opposed to many other victims who are explicitly blamed for what’s happened, told it’s their fault and told there’s nothing that can be done. 

“I think organisations can do a lot for victims of cybercrime just by listening to them, acknowledging what’s happened, and being truthful and upfront with them – not leading them on about the potential for some sort of international sting to take down the offender networks that might have been involved. 

“That’s what happens on television, but unfortunately, we know that’s not what happens in reality.”