Safer Internet Day 2019
This year we saw fantastic participation in Safer Internet Day 2019, not only from Australians but from businesses all over the world. It has been a great opportunity to get involved and reflect on your business and its internet practices: not only to examine your vulnerabilities and weak points, but also to celebrate the strides you are making towards a safer and stronger online presence.
The Office of the eSafety Commissioner is encouraging Australians to contribute to a safer internet by developing four critical skills, which they call the 4Rs: Respect, Responsibility, Reasoning and Resilience.
The team at CyberAware.com has reflected on these four skills and what they mean to us. In this article we recall some astonishing cyber-security events, and how applying the 4Rs either did, or could have, prevented the damage or helped recover from it. To this day we are still baffled and amazed by these recent stories, but we are also grateful that we can use these colourful mistakes to help others learn and stay safe. We see businesses and individuals leaving themselves open in the same ways the stories below highlight; hopefully, by learning from these headline cyber-security mistakes, we can work together for a safer internet.
RESPECT
In our opinion, the most important social steps that can be taken for a safer internet are to display common courtesy and to refrain from toxic or harmful behaviour towards others. Respect goes a long way both in the real world and online, and disrespectful behaviour can go even further. British MasterChef critic William Sitwell knows this all too well after making an off-hand threatening comment about harming vegans in an email. Mr Sitwell's email was publicised, which led to a backlash and to Sitwell resigning from his position as editor of Waitrose Food magazine after two decades in the role.
After plant-based food journalist, Selene Nelson, had pitched him a series on vegan cooking, Sitwell crudely responded:
"How about a series on killing vegans, one by one. Ways to trap them? How to interrogate them properly? Expose their hypocrisy? Force-feed them meat? Make them eat steak and drink red wine?"
To some readers of this article the comment will read as standard mainstream "TV chef" humour and might even garner some laughs. To others, such as Ms Nelson, it was a very offensive and disconcerting remark. Regardless of where you land on Sitwell's comment, it is clear that he displayed a level of disrespect towards Ms Nelson and her business proposition.
Two very important things to remember when you are interacting on any online platform are:
- What one person may find funny or non-harmful, another can be rightfully offended and hurt by (especially in the case of making violent threats as per the above.)
- While you may not be having a face-to-face interaction from the safety of your keyboard, you are still interacting with a human being. If you wouldn't say it to someone's face, don't say it online.
Another thing to consider with these kinds of disrespectful and hurtful remarks is that they are not only harmful to the recipient and create a hostile working environment, but they also cause significant damage to the public image of both yourself and the business you represent.
Displaying respect in the workplace and in professional environments is very important, it’s business 101. If an individual chooses to betray this basic etiquette, it should be expected that the response is going to be negative.
If the prospect of harming others isn't already enough to deter you from this sort of behaviour, remember that anything you put in an email or on social media is, in practice, being put out to the entire world: it can be publicised. Your actions are taken as representative of your beliefs and the beliefs of your business, which is one more reason why it's critical to be respectful in any online environment.
RESPONSIBILITY
We all have a level of responsibility to uphold for the clients and stakeholders of our business. When it comes to cyber-security, if your business holds the private/personal information of individuals, you have a responsibility to protect that data!
See for example the data breach at Red Cross, in which a database backup containing 1.3 million records from the Australian Red Cross was compromised and made publicly available.
The information in this database was personal information gathered through an online donor form, which included names, home addresses, email addresses, personal phone numbers, blood types and more.
To sum up: 1.3 million donor records were made completely available to the public as a result of this breach.
The breach itself occurred as a result of human error by a partner of the Red Cross, not the Red Cross itself: no Red Cross employees or systems were directly at fault for the loss of the data.
Even so, the Australian Red Cross was held directly accountable and responsible for what was described as Australia's largest security breach at the time. This breach is a prime example of a company having adequate security measures internally, yet still being compromised, and made liable, through the security practices of a partner company.
The Red Cross breach is not only one of the largest data breaches in recent years, but also a fine example of a company standing up and doing the right thing. They reported the compromise to the public and to the affected parties, and co-operated with the Australian Information and Privacy Commissioner, Timothy Pilgrim, for almost a year, not only identifying where they went wrong but also how they would endeavour to prevent this kind of thing from ever recurring.
Timothy Pilgrim concluded his investigation of the attack and declared his praise and confidence for Red Cross’ management of the breach, and their ability to protect client’s data moving forward.
Despite the fact that it was an external mistake by a partner that caused the breach, the Red Cross owned up to their responsibility for the damages and took appropriate measures to make sure their donors and stakeholders are safe moving forward.
In doing this, they’ve not only shown that they are aware of their business and the damages that occurred within, but they’ve also been able to clearly and efficiently communicate to the victims both the extent of the damages and the measures taken to protect them moving forward. It’s this kind of standing up and taking ownership that not only protects your reputation, but makes the internet a safer place for all Australians.
Dealing with the financial and reputational fallout is the hardest part of a data breach on this scale, and where most businesses ultimately fail is in regaining the trust of clients and stakeholders. This brings me to the next of the 4Rs.
RESILIENCE
See for example the recent data breach at PageUp, and the class action for breach of privacy that’s followed.
If you are not aware, PageUp (a recruitment system used by companies such as NAB, Coles & Australia Post) last year experienced a mass data breach in which the personal details of thousands of Australian job applicants were potentially compromised.
In response, not only have large clients such as Telstra, Jetstar and the Tasmanian Government suspended their use of the service, but PageUp is also the subject of a class action investigation by Sydney law firm Centennial Lawyers.
The law firm is in contact with job seekers and employees from more than 15 companies, with the intention of gathering information and likely commencing a class action on the account of a mass data breach which could potentially affect any of the 2 million active users of the platform.
Centennial Lawyers have even published a form via which PageUp users can register their interest in joining the class of persons affected by the breach. This form even reads:
“There is no cost to join the class. Centennial Lawyers will only be paid if the action is successful.”
The reactions of the affected parties, PageUp's partners and the general public are all indicative of what can be expected in the fallout of an attack, and this is where preparation and resilience matter most.
While PageUp's clients are certainly victims of this attack, it is easy to forget that PageUp themselves are a victim of cyber-crime here too. PageUp has made great strides in preserving its reputation and proving that its business can be trusted again. They have publicly declared the results of their investigations, chief executive Karen Cariss announced the breach shortly after its discovery, and they maintain an ongoing update page on their site detailing further findings and activities relating to the incident, as well as general tips on how to keep yourself safe online.
By increasing their engagement with cyber-security and improving their awareness during the fallout of this breach, PageUp has demonstrated critical resilience. Their incident response plan has been carried out well, and through it they have managed to gradually recover and preserve their reputation as a business.
Your incident response actions need to prove to your stakeholders that you are trustworthy with their data, and that you have taken measures to stop the same type of breach from happening again.
For information & resources on developing your incident response plan, visit sme.cyberaware.com
REASONING
The final R we’ll be tackling today is Reasoning, which is the most valuable tool you can employ to avoid being scammed online.
If you are one of the people who automatically trusts any email they receive and assumes the worst won't happen to them, then yesterday was the time to shape up and become aware. Scams are becoming more and more sophisticated.
Currently, the most successful scam targeting Australians is a new Netflix Phishing scheme, in which the recipient is told that their account will be deleted unless they verify themselves in three separate ways:
- Log in to their Netflix account using their email and password
- Update their billing information, with personal address and DOB included
- Validate their payment information (a credit card)
For the estimated thousands of Australians that were unfortunate enough to trust this email, their credit card information, login details to Netflix (and any other platforms using the same password) and their home address have now been stolen by this scam.
From this one email, they are now completely open to identity theft, fraud and other cyber-initiated attacks.
You may be thinking “That’s their fault for falling for the scam, I wouldn’t give my private details through an email.”
But what if the email looked like this?
Or if the website it took you to looked like this?
For most of us, that would pass as legitimate. The only reliable way to tell whether an email is real or fake is to double- and triple-check what it is asking you to do, and where it is trying to send you.
As per Cyber Aware's STOP article published last week, when you receive an email you can hover over a link to see where it will actually take you. This fake Netflix email doesn't take you where you would expect, but rather to:
vegankiss.net/wp-contentthemes/twentysixteen/Login/?ha=httpssmd1718nax7
Doesn't seem quite right, does it? Going back to the example from the first R of this article, not only would this URL provoke William Sitwell (you could say it wouldn't sit well with him), it also has absolutely nothing to do with Netflix: the host the link actually points to is vegankiss.net, and "Login" in the path and "https" in the query string do nothing to change that.
There are many more types of scam that require a level of reasoning and knowledge to identify, and while the URL is often a dead giveaway, there are some instances where it just won't cut it.
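The "hover over the link" check above can be made mechanical. The following is an added example, not code from the original article or from Cyber Aware: it parses the anchors out of a constructed HTML email body, extracts the hostname each link would really connect to, and flags any link whose host is not under the expected domain, or whose visible text shows a different address from its destination. The email body and the lookalike hosts (account-verify.example, 203.0.113.5) are assumed sample data; the vegankiss.net URL is the one quoted in the article.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample email body (assumed, not from the original article). The
# second href is the URL quoted in the article; the others are assumed tricks:
# a lookalike subdomain and a userinfo "netflix.com@" prefix hiding the real host.
SAMPLE_EMAIL = """
<p>Your account will be deleted unless you verify your details.</p>
<a href="https://www.netflix.com/help">Help Centre</a>
<a href="http://vegankiss.net/wp-contentthemes/twentysixteen/Login/?ha=httpssmd1718nax7">https://www.netflix.com/login</a>
<a href="https://netflix.com.account-verify.example/login">Verify now</a>
<a href="https://netflix.com@203.0.113.5/billing">Update billing</a>
"""


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        # Only keep text that sits inside an open anchor.
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def hostname_of(url):
    """Return the lowercase host a browser would actually connect to.

    urlsplit().hostname strips any user@ prefix and port, which is what
    defeats the "netflix.com@203.0.113.5" trick. Links written without a
    scheme are given http:// so the host parses instead of becoming a path.
    """
    if "://" not in url:
        url = "http://" + url
    return urlsplit(url).hostname or ""


def under_domain(host, expected):
    """True only if host is expected or a genuine subdomain of it.

    The leading dot matters: "netflix.com.account-verify.example" does not
    end with ".netflix.com", so it is correctly rejected.
    """
    return host == expected or host.endswith("." + expected)


def triage_links(html, expected_domain):
    """Return (href, verdict) for every link; verdict is "OK" or the reasons it is suspect."""
    parser = LinkCollector()
    parser.feed(html)
    verdicts = []
    for href, text in parser.links:
        host = hostname_of(href)
        reasons = []
        if not under_domain(host, expected_domain):
            reasons.append(f"destination host {host!r} is not under {expected_domain}")
        # Visible text that itself looks like a URL or domain must agree with the href.
        if "." in text and " " not in text:
            shown = hostname_of(text)
            if shown and shown != host:
                reasons.append(f"visible text shows {shown!r} but link goes to {host!r}")
        verdicts.append((href, "OK" if not reasons else "; ".join(reasons)))
    return verdicts


if __name__ == "__main__":
    for href, verdict in triage_links(SAMPLE_EMAIL, "netflix.com"):
        print(f"{verdict:<70}  {href}")
```

Run against the sample body, only the Help Centre link comes back "OK"; the other three are flagged, including the article's vegankiss.net link, whose visible text claims to be www.netflix.com. Matching on the parsed hostname rather than searching the raw string for "netflix.com" is the whole point: all three bad links contain that string somewhere.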
For more information about Phishing Scams and awareness training, say hello to the team at sme.cyberaware.com
Comment from a Senior Cyber Security Business Analyst (6 years ago): Protecting the front. What about behind? Let's remember Brutus and Caesar and protect our backs too. See the shadows in the back of the image.
Comment from the Founder of Cyber Aware and CEO of Melbourne IT (6 years ago): Great work Leonard Bernardone