KPMG partner Philip Whitmore says phishing is the most common way for a cyber-criminal to get an initial foothold into an organisation: “They gain unauthorised access through manipulating us via phishing emails.”
He was speaking to 60 people attending an online security seminar last week. He explained that phishing emails pretend to be from a person or organisation we trust – like our bank, a supplier, or a government agency.
“This is where someone uses an email to try and trick us into disclosing sensitive information (such as passwords) or to download malware, by pretending to be someone they’re not.”
The attackers play upon emotions such as curiosity, greed or fear, and often indicate that something has to be done quickly, explains Whitmore.
When an attachment comes from someone you don’t know, or you were not expecting the file, take steps to ensure it is legitimate before opening it.
“It’s not a matter of if a cyber-attack happens, it’s a matter of when,” Whitmore said.
Businesses should treat security as a business issue, not just an IT issue. A cyber-security breach can affect a business in multiple ways; the theft of money, the loss of data, and the theft of intellectual property (including things such as customer lists) are the most obvious.
Organisations stand to lose far more than their money, data and intellectual property in the aftermath.
“Damage to reputation and brand can be just as devastating as the theft of money and secrets, or loss of data,” he warned.
“Making sure we’re all aware of the cyber-security risks facing us is the first step to helping us manage them more effectively.”
Some of the most common cyber-security breaches KPMG has seen in the Pacific include:
· ransomware attacks, whereby malware is inadvertently downloaded onto computers, as happened to Tamarind House this year;
· theft of money through someone sending emails pretending to be a supplier, and asking for payments to be made to a different bank account;
· theft of money through gaining unauthorised access to a computer and determining the passwords used to access Internet banking, or by altering the bank account numbers for suppliers in the accounting system.
Typical security measures implemented after these attacks have included security awareness training for staff, making sure staff don’t have full administrative access to their computers for day-to-day activities such as reading email and browsing the web, and ensuring backup processes are robust (so that systems and data can be recovered if it all goes wrong).
Whitmore said: “Making systems more secure doesn’t usually necessitate spending lots of money, and being proactive in securing things is a lot cheaper than having to deal with the aftermath of a cyber-attack.”