Next Investors logo grey

Protect yourself: Own your cyber risk


Published 29-AUG-2019 07:56 A.M.


5 minute read

Hey! Looks like you have stumbled on the section of our website where we have archived articles from our old business model.

In 2019 the original founding team returned to run Next Investors, we changed our business model to only write about stocks we carefully research and are invested in for the long term.

The below articles were written under our previous business model. We have kept these articles online here for your reference.

Our new mission is to build a high performing ASX micro cap investment portfolio and share our research, analysis and investment strategy with our readers.

Click Here to View Latest Articles

This week the Office of the Australian Information Commissioner (OAIC), released its Notifiable Data Breaches (NDB) Scheme report. This quarter, there were 30 more data breaches reported in than in Q1, with the health service reported to be the country’s most affected sector (47 NDBs reported). The finance sector followed closely with (42 NDBs) and in one single incident, over 10 million individuals had their information compromised.

The majority of breaches were attributed to malicious or criminal attacks, which accounted for 62 per cent of all breaches, followed by human error (34 per cent) and system faults (4 per cent).

Interestingly, as attacks increase, the OAIC will curtail its reporting to just twice a year. That could be a story in itself, however when you look at the amount of attacks - and the calibre - it is certainly a good time to tighten security protocols. The OAIC is putting that onus on businesses," said Australian Information Commissioner and Privacy Commissioner Angelene Falk.

“The reporting regime has been well accepted and the onus is now on organisations to further commit to best practice in combating data breaches and improving response strategies,” she said.

“Effecting change in practices to prevent breaches is vital to the goal of protecting the community.

“Putting data breaches in the spotlight has heightened awareness of the privacy rights of consumers, who in turn are demanding greater security from the organisations with which they share information.”

According to Lindsay Brown, Vice President of Asia Pacific and Japan at LogMeIn (NASDAQ:LOGM), “Data breaches and security issues have become the new normal, which is deeply concerning, for consumers and businesses alike."

We have seen several examples of this new normal, just this week, following a fresh data breach involving PayID records.

NPP Australia revealed that phone numbers, names, BSB and account details linked to PayID were all breached after the New Payments Platform (NPP) database was hacked. The NPP is a real-time payments platform mutually owned by 13 major financial institutions, including the big four banks, who have been in touch with affected customers.

"Though the number of reported data breaches has grown by 30 in Q2, the composition looks eerily similar. Much like last quarter, the Notifiable Data Breaches Q2 2019 report found that malicious or criminal attacks accounted for the majority (62%) of reported data breaches (151 of the 245 breaches). The vast majority of cyber incidents (79%) were linked to stolen or compromised credentials, collected through various means including phishing and brute-force attacks. While more organisations are looking at ways to mitigate the risk around credential management (including passwords) it continues to be an avenue for malicious actors to infiltrate businesses who rely on their users to do the right thing when it comes to credentials."

Westpac has heightened account monitoring on accounts and asked customers to be on the lookout for any suspicious activity. "We ask that you also be vigilant with any messages received via text or phone calls from an unidentified source," the bank said.

Meanwhile, a database belonging to Neoclinical, an Australia-based company that matches individuals with active clinical trials, exposed approximately 37,000 people's contact information and their responses to personal medical questions qualifying them for clinical trials, which included information about diagnoses, illicit drug use and treatments.

School students' email addresses were exposed online in a major data leak, after being used to register for an international pornography site.

That's just a drop in the ocean of what has happened this week alone.

Our own worst enemies

We need to be wary fo hackers, but sometimes we are our own worst enemies.

“In our LastPass Psychology of Passwords survey we found that 91% of respondents claim to know that using the same password for multiple accounts is a security risk, but 59% admitted that they continued to do so," Brown says.

"Meanwhile, in a global study of 47,000 LastPass users, 50% said there is no difference between their personal and work passwords, while each of us shares around six passwords with our co-workers! Naturally, humans resort to using the bare minimum required when inputting credentials, and this doesn’t change in the workplace. Credentials are a core part of every employee’s daily workflow, and failing to secure them can have dire consequences.

Brown has urged business leaders to educate employees on the importance of these practices and establish password requirements including a mix of characters (uppercase, lowercase, symbols, and numbers), avoid words straight out of the dictionary, and be as long as possible – ideally no shorter than 14 characters.

"The longer the password is, the harder it becomes to crack, or brute-force attack," she says.

“What’s more, using an identity security solution that brings together password management, single-sign-on (SSO) for apps, and multi-factor authentication (MFA) (or biometric based solutions), is the single best way to keep your organisation’s credentials secure. Looking beyond passwords and incorporating these additional features adds layers of protection that helps ensure an attacker won’t be able to access an account even if they do obtain the password.

“As those on the front line, staff should also be given guidance on responding quickly to data hacks. If a business can build a strong defence mechanism combined with trained staff, it will stand a better chance of remaining secure and cyber-ready.

“By leveraging user friendly comprehensive identity management solutions alongside solid cybersecurity processes, we can ensure that data breaches as a result of weak passwords and stolen credentials become a thing of the past.”

There is a great deal that can be done to mitigate data breaches, including strengthening passwords, creating multi-factor authentication security solutions and using companies such as WhiteHawk (ASX:WHK) that can match businesses with bespoke solutions, find insights, affordable vendor products and services to help them own their cyber risk.

And that's the key. Own your cyber risk by implementing all of the above. You may not beat the hackers by doing so, but you'll certainly make them think twice about instigating a breach against you.

General Information Only

S3 Consortium Pty Ltd (S3, ‘we’, ‘us’, ‘our’) (CAR No. 433913) is a corporate authorised representative of LeMessurier Securities Pty Ltd (AFSL No. 296877). The information contained in this article is general information and is for informational purposes only. Any advice is general advice only. Any advice contained in this article does not constitute personal advice and S3 has not taken into consideration your personal objectives, financial situation or needs. Please seek your own independent professional advice before making any financial investment decision. Those persons acting upon information contained in this article do so entirely at their own risk.

Conflicts of Interest Notice

S3 and its associated entities may hold investments in companies featured in its articles, including through being paid in the securities of the companies we provide commentary on. We disclose the securities held in relation to a particular company that we provide commentary on. Refer to our Disclosure Policy for information on our self-imposed trading blackouts, hold conditions and de-risking (sell conditions) which seek to mitigate against any potential conflicts of interest.

Publication Notice and Disclaimer

The information contained in this article is current as at the publication date. At the time of publishing, the information contained in this article is based on sources which are available in the public domain that we consider to be reliable, and our own analysis of those sources. The views of the author may not reflect the views of the AFSL holder. Any decision by you to purchase securities in the companies featured in this article should be done so after you have sought your own independent professional advice regarding this information and made your own inquiries as to the validity of any information in this article.

Any forward-looking statements contained in this article are not guarantees or predictions of future performance, and involve known and unknown risks, uncertainties and other factors, many of which are beyond our control, and which may cause actual results or performance of companies featured to differ materially from those expressed in the statements contained in this article. S3 cannot and does not give any assurance that the results or performance expressed or implied by any forward-looking statements contained in this article will actually occur and readers are cautioned not to put undue reliance on forward-looking statements.

This article may include references to our past investing performance. Past performance is not a reliable indicator of our future investing performance.