Seven key lessons from the Australian Cyber Conference
IN BRIEF
- Hackers have evolved and are now targeting human error to access people’s identities, which they exploit for financial gain.
- A change management approach to creating a ‘cyber aware’ culture is now recommended as the best defence strategy.
- The number-one defence tool to have in place is a cyber incident response plan.
The 2024 Australian Cyber Conference, hosted by the Australian Information Security Association, took place in Canberra in March.
Two speakers at the conference, security awareness specialist Jacqueline Jayne and CrowdStrike’s Jana Dekanovska, share their insights and top tips for how accounting firms can better understand the evolution of cyber threats and stay protected.
1. Hackers are targeting human error
Hacking has become a lot more sophisticated in the past decade. Instead of straightforward malware attacks, hackers steal identities through phishing and social engineering and then use these identities to exploit trusted relationships between individuals and businesses for financial gain.
According to CrowdStrike’s 2024 Global Threat Report, 75% of hacks in 2023 were malware-free compared with 40% in 2019. One New Zealand firm found out the hard way, losing NZ$5 million in one payment due to an undetected change in payment details.
Jayne says worrying only about malware or ransomware is a mistake.
“The average time a cybercriminal is in your system without people knowing is over 260 days,” she says. “They’ll sit there and watch and wait to take advantage of us and our human response.
“It all comes down to human error, which is not necessarily clicking on something you shouldn’t. It could be inadvertently sending a client list to a group of people on email.”
2. Train staff monthly for 15 minutes
Training staff for 15 minutes every month is best practice globally for reducing the risk of being attacked, Jayne says. Training can take the form of games, e-learning or something to read. For smaller firms looking for training help, Jayne recommends Australia’s Cyber Wardens or employing third parties, who can supply training and simulate attacks.
The ongoing nature of the training is vital, says Dekanovska, because the hacking landscape is shifting so quickly. She suggests firms think of training as a continuous conversation they are having with staff about threats and how to respond to them.
3. Adopt a change management approach
Companies that are succeeding in the war against hackers are those that have made a cultural shift in the way they view cybersecurity, Jayne says. She proposes that a cultural shift should be led by change management people in an organisation, not IT staff.
“If a company has HR people in learning and development or organisational change, they are perfect people to run cybersecurity because you don’t need to know about cybersecurity to do it,” Jayne says.
“They can find someone who does and determine what people need to learn. It is the change management principles of getting everyone onboard. A one-hour PowerPoint session doesn’t work. There’s a lot of communication needed for people to understand what you’re doing and why you’re doing it.”
4. IT staff are not cyber experts
Dekanovska says to remember that IT staff are not specialists in cyber.
“A lot of the times when I speak to IT people, they have awareness of the risk, but they are not across every new development because it’s not their profession. Cybersecurity has been added to their other IT responsibilities as organisations ask more questions,” she says.
“Often, even when I speak to people in cyber, I feel like I’m dumb. I have to keep reminding myself that people in cyber have specific understanding of little things, because there’s so much and it keeps moving so quickly.”
5. A cyber response plan is number one
Dekanovska says the benefit of having a plan is that the firm and staff know what to do when a hack occurs.
“It’s particularly important to actually practise it. Drill, drill and drill before anything occurs. If you don’t, you’re going to be vulnerable,” she says.
Jayne recommends getting a cyber specialist to come into the firm and undertake virtual activities so staff can brainstorm and learn without stress. Incorporating everyone in the organisation will help foster a ‘cyber aware’ culture, whereby if staff see something, they will feel confident speaking up.
6. ASD’s Essential Eight and CERT NZ’s Critical Controls are the baseline
According to Jayne, all of the global frameworks are worthwhile. The only catch is that they tell firms to train their staff but not how to do it. That is where calling on cyber specialists or Cyber Wardens can be advantageous, she says.
In addition to the frameworks, Dekanovska recommends firms have visibility over the dark web.
“Nine out of 10 ransomware criminals are using the dark web to get into organisations. If someone posts your firm’s credentials on the dark web, you need to know about it as soon as possible to have them removed,” she says.
7. Insure only if defence strategies are in place
For cyber insurance to be valuable, firms need to demonstrate they have taken the necessary steps to prevent an attack from happening, says Jayne.
“If you’ve not done training and the attack is a human error, then you might not be able to claim at all. If you can show you’re doing training and your risk has decreased because you’ve been following best practice, an insurance company will be more inclined to pay,” she says.
Firms can demonstrate they are reducing their risk with platforms such as KnowBe4, Phriendly Phishing and Proofpoint.
Find out more
Did you know Chartered Accountants Australia and New Zealand has its own CA Cyber Checklist for SMEs? The playbook includes tools and strategies to improve your firm’s cyber resilience.
This article was first published by Acuity Mag at the following URL: https://www.acuitymag.com/technology/7-key-lessons-from-the-australian-cyber-conference