Cyber security resources and support
Accountants, finance professionals and business owners are at the front line of cyber crime. With new scams, phishing attacks and data breaches being reported every day, it's time to take charge and make cyber security a key part of your risk management strategy.
Why accounting firms are worried. Small-to-medium businesses, which don’t have the IT resources of the big players, have long been extra vulnerable. Now, accountancy firms find themselves in an even more exposed position. Working from home means a lot more business emails and texts flying around. These messages are often sent from or to poorly secured personal devices. That’s seen fraudsters double down on phishing in general and ‘business email compromise’ (BEC) scams in particular.
A BEC scam is when criminals masquerade as, say, a partner in an accountancy firm. They then convince someone to, for instance, pay a fake invoice. There are other cyber threats, such as ransomware attacks, that firms also need to defend against, but BEC and ransomware are where malicious actors seem to be currently concentrating their efforts.
It’s not only the financial losses that can be devastating. In most APAC countries, businesses must now report cyber attacks to the relevant authorities and then notify their customers that their data may have been compromised. Cyber attacks can cause serious reputational damage as well as having potential legal consequences, particularly where relevant data protection and privacy laws have not been followed.
What to do? Even the smallest accountancy firms can buttress their cyber defences by:
- disallowing the use of easy-to-guess passwords
- insisting on multi-factor authentication
- using a Virtual Private Network (VPN)
- using privacy and security settings on your company and personal social media.
What should you do next? Read our three-step guide for building a solid foundation of cyber security in your organisation.
It’s on the CPA Australia cyber security hub, which has information for accounting and finance professionals on cyber security.
And make sure you stay aware of new threats by regularly checking www.cyber.gov.au
Getting started with cyber security
Step 1: People
Educate your employees to be aware of common cyber scams and stay alert for suspicious activity.
Step 2: Processes
Help your organisation identify cyber crime vulnerabilities and improve business processes.
Step 3: Technology
Make your organisation’s systems and technology secure with these simple steps.
Cyber security checklist
Gain practical guidance to protect you and your business against cyber security threats. This checklist reviews your current systems and then suggests measures you can implement to reduce the risk.
Podcast: Protect your small business from cyber criminals
Podcast: Practical tips to create a cybersafe environment
Webinar: Is your practice at risk of a cyber attack?
Learn how to protect your practice from a cyber attack in this webinar presented by Wotton Kearney and Fenton Green. This webinar will provide you with an overview of the cyber security landscape, examples of ransomware and business email compromise incidents and their legal and practical ramifications and risk mitigation tips.
- If you've just joined us, welcome to today's webinar, Is Your Practice at Risk of Cyber Attack? I'll now hand over to the CPA moderator, Keddie Waller, to get us underway, welcome.
- Thanks Joss. And welcome everyone to today's webinar, as Joss said, Is Your Practice At Risk of A Cyber Attack? Sponsored by QBE and hosted by CPA Australia. As Joss introduced myself, I'm Keddie Waller, I'm head of public practice nursery here at CPA Australia, and it's my pleasure to welcome people from all over the country for today's webinar. I'd like to take a moment to acknowledge the traditional owners from around Australia and pay my respects to elders past, present and emerging. I extend this acknowledgement to all Aboriginal and Torres Strait Islander people who may be joining us today. It is now my pleasure to invite Drew Fenton, Director of Fenton Green and Nicole Gabryk, special counsel at Wotton + Kearney, to start today's webinar. And over to you, Nicole.
- There we go, sorry about that. Just had to fiddle with the mute settings. Good afternoon, thanks everyone for joining us. Hopefully there'll be some practical tips and things we can take from this that we could learn. As Joss said earlier, if you've got any questions as we go, just pop them into the chat. What we'll do, is we'll pause for questions at regular intervals, so that we can make sure that everyone's questions are addressed. If you want to ask them, I'm sure you can unmute and jump in at those intervals as well. I'm Nicole Gabryk, I'm a special counsel at Wotton + Kearney. I deal with all things cyber. I deal with hundreds of ransomware and business email compromise events in every given year, for all sorts of industries and organisations. I do a lot of breaches for the CPA for accountants and the like. And so I think you're in good hands between Drew and I today to give you some practical tips and hints to talk through what trends and things we're seeing. So we're gonna be looking at things like what are the current trends. And just to rejig this, I've moved the incident response piece to the end, but we're gonna be looking at cyber tips and trends. We're then going to do a very brief case study of a ransomware event. There may be many of you that have never seen a ransom note, for example, I've got an example of one of them. We'll talk about whether or not we should be paying ransom, what do we think about that. We'll then also look at business email compromise and what that means for your organisation. What are the legal ramifications? What are the practical ramifications? What do we do in the event of one of these incidents? And then we'll talk about incident response and risk management towards the end and how we can mitigate certain things by practical steps that we can take. So let's crack on. First thing we need to know is ransomware is really an epidemic in Australia currently. We see multiple events.
You can see on the far right here, we're talking about four per day. And these are the statistics as of a year ago, we're still waiting for the latest statistics to come out for 2021 to 2022. And I can very well think, just from the amount of incidents we see, that these statistics will be significantly higher. It was quite interesting to see what happened when the war in the Ukraine broke out because a lot of the cyber criminals, or threat actors as we call them, are based in Eastern Europe. There was a lull in about February when the war broke out, and then it was just a massive increase post there, in terms of the types and frequency of incidents we were seeing. There are two very common strains of ransom out there, Conti being one known threat actor group and LockBit being another. Don't ask me where the names come from, the names are selected by the threat actor, or ransomware groups themselves. Conti, interestingly enough, was affiliated with the Russian government, primarily in the early days of the war in the Ukraine. They've subsequently splintered into multiple smaller groups, who don't want to be associated with any government that could be on sanctions lists because it's not good for payment of ransom and not good for business. And because of that, we've seen many new variants of ransomware emerging. But these are the two primary strains we're still seeing in Australia at the moment. What we're seeing as well is a lot of data exfiltration, which is just a fancy way of saying theft of data.
But what we're seeing in about 86% of all incidents is that data is actually being stolen, or taken from an organisation who's suffering a ransomware event, whether or not that actually moves to publishing of your data on a leak website, or on the dark web, doesn't always follow through, but at the very least, we're seeing that exfiltration is a massive problem from a data privacy and a reporting obligation perspective, which we'll talk to a little bit later in the presentation. We've spoken very briefly about new malware variants that are emerging, but what we're seeing really is a lot of back to back incidents. So what we mean by back to back, is one thing that's happening, is you'll have, for example, your MSP that suffers an incident, which in turn means there's a whole lot of people that suffer incidents because of it. We're also seeing things like double and triple extortion, where not only is the data being encrypted, the data's then also being taken and threatened for publication to keep the pressure on people to pay the ransom. And we're also seeing a triple extortion threat, where not only is that happening, but clients for example, would be contacted by the threat actor to be told about the incident, to keep the pressure on you to pay ransom. So that's what we're seeing from a ransomware perspective. But that's one piece of the puzzle. The other part is business email compromise, which is much more prevalent, in many respects, than ransomware. So you may look at the first slide and think, "Ransomware is not really my problem. "What's the chance of that happening to me?" Business email compromise is a much more alive risk and the social engineering fraud that we're seeing is just incredibly clever and incredibly sophisticated. So what that means for you and your business, is that your employees and yourself, you are all the weakest link, we're all the weakest link, and there's very little we can do to prepare for the type of social engineering fraud.
There are some things we'll talk about, how to prevent the risk materialising if you do click on the wrong link, but it's so clever. I'm a lawyer and we were dealing with a matter for a different law firm in another jurisdiction, and what had happened there, is a junior lawyer had jumped onto Google to search a problem, as many people do, and a threat actor had designed a search engine tool to mimic a commonly known legal search engine tool. And that lawyer had unknowingly clicked onto that because they were in a Google search panel and popped in their credentials for their organisation because it looked legit and it looked like the same process you would follow internally. And that was designed just to catch lawyers. Now you might think, well, you're not lawyers, and that's fine, but professional services are currently the most targeted organisations and industries for business email compromise. That means that you are very much at risk, your organisations are very much at risk, and the rate at which the email compromise threats evolve is quicker than any of us can keep pace. They are designed to look at you, for example, I'm sure most of you have personal examples of where you've suffered attacks, whether or not it's followed through. I received one recently, purportedly from my CEO. It was at financial year end. So come to the middle of the year, asking me to do certain things in terms of invoices. I was immediately alerted because just something about it felt odd, but it could very well look legitimate, it could very well seem to come from a legitimate supplier. And we'll talk through an example of this shortly, but the biggest problem for us of business email compromise is the knock-on effect, so the access to the data on your systems. And then, the sustained financial losses, we can see that the average loss has increased to over $50,000, and that is in the previous financial year. 
Again, it'll be much higher if we move to the stats for the new year, which will come out imminently. Just to give us an overview of the types of crimes that we're seeing reported. The bulk, obviously relate to fraud. That is again, fraudulent invoices. You can see some online banking and online shopping is the other thing which may not concern us, but a big issue coming from identity theft, investments, but mainly, invoice and those sorts of frauds. Before I move on to the case studies, are there any questions at this point?
- [Keddie] No questions have come yet, Nicole.
- Great, so then we'll move on. So I'm gonna look at two case studies for you, I'm going to look at a case study for ransomware and then we're going to do a case study for a business email compromise. These are the two typical events that we'd see affecting businesses on a day-to-day basis. So the first thing to know about ransomware is anytime we have a weekend, a deadline, public holidays, we have another one coming up on Thursday in New South Wales, what we see is that they become a lot more prevalent over holidays and things like that, especially when no one's looking at what's happening at the systems over a weekend, or over a public holiday. So that's why for the purposes of our example, let's assume that it's a Monday morning and one of your employees logs into their computer and they can't get access and there's a problem and they're not sure what's happening, and they manage to find a file and they click on the file, and this is what appears. So this is a typical ransom note, most of these look quite similar. They may have slightly different nuances, but really what they're saying to us is a few key things, one is they're telling us that they've been encrypted, so that's step one, is there's an encryption of all your data, or partial data, as much of it could be locked out that you can't access it. If you don't have backups and those sorts of things, it could be that you don't have access to any data whatsoever. Sometimes your backup discs are encrypted, but they will say to you, irrespective of what's happened, that your backups have been deleted or encrypted. They'll say that copies have been removed. So they'll talk to you about data exfiltration. They'll say, "Do nothing." Often they'll say, "Do not contact law enforcement." It'll have some sort of method, or methodology, or some sort of communication around that. But in essence, you're stuck, and you're in a situation of you have this, you have nothing else, the question then, is what next?
So the first thing for any of us to ask is we must assume that all of us will, at the very least, can be faced with a similar situation. And part of today is about thinking about what we do in the event of that situation. So if it's you, if it's your organisation, what do you do? What would you do? We've obviously just put some things to think about here. For most people, the answer would probably be to escalate it internally. Could be that you have a pre-prepared incident response plan, which would be fantastic. If you have something in place in terms of an incident response plan in the background that you've already done a dry run, you've thought about who you would contact and what you would do, that's great. For some people, they would contact the threat actor, and we've seen that happen. So they follow through with clicking on the links and they email the threat actor to say, "Please give me my data back, what do I need to do?" There'll be some sort of ransom demand. Sometimes it seems like a trivial amount. We had one recently for an accountant, who paid $1,000, a nominal amount, and he thought, "Well, it's much easier for me to pay $1,000 "than to go through the hassle of anything else. "I'll get the key back and I'll carry on with business." Except that wasn't what happened, he paid $1,000 in Bitcoin and nothing happened after that. In fact, the extortion rose, it then became a case of, "Well, thank you for paying the first $1,000. "That was the down payment on what is actually the ransom "and the price moved." We've seen people pay ransom without contacting anyone else and not get the correct decryption key, that is what you need to actually get back into business, or have patchy decryption, where they've actually paid something for nothing and they haven't recovered entirely. So some things to think through about what to do, but just to have a look, very briefly, at what we know to be the recovery phases.
So you're faced with this, you realise something has happened, and that is our detection phase. Now, detection can often mean investigating the extent of the compromise, the extent of the incident. How far is this protruded? How much of my system is affected? Next step is going to be containment, it's the natural thing. So detection and containment could both ordinarily involve your MSP, whoever you'd go to for your IT services, internal IT or someone of the like, or it's you if you do your own internal IT. But those two steps are the first steps and many problems can come in, in those steps. The reason for that, is often when things are done internally prior to the forensic assessment, in trying to contain the incident and in trying to understand what's happened to the incident, one of the first things that happens is a reset of a whole lot of things on our system before we've preserved any forensic evidence. Now, why is forensic evidence important? Because the forensic evidence, artefacts, are incredibly important to determine the extent of the incident. So not just, there is an incident, not just recover from an incident, but to know what has actually happened on your systems. Was there data that was exfiltrated? How many of your clients, or customers, or employees have been affected? What sort of personal information is impacted? What are your notification obligations? Those are the sorts of artefacts that we try and put in a sandbox environment and retain, that we know what to do in terms of a recovery and reporting step, which is our final stage. But for most businesses, just getting back to our recovery and getting back online can become so important that we forget about the forensic assessment piece. But these are, broadly speaking, the four pieces that we follow through in terms of any incident. So how do we know, in terms of the duration, or length of an incident, how long it takes to do anything? 
First thing we need to know and we need to tell you, is that it takes a long time to recover from a ransomware event. Even if you pay the ransom, the timeframes I've put up on the screen of timeframes where a ransom is paid. So your first 72 hours are for investigating the incident. Then we're talking about the response piece, that is, again, containment, not investigation or recovery, it's containing. That can take anywhere from a couple of days, to a couple of weeks. And then finally, getting back online, so doing the recoveries, getting back up to speed, can be anywhere from two weeks to two months. The average recovery time for an incident where a ransom is paid and you recover, is around a month. So by no means is payment of a ransom, the be all and end all, in terms of getting back online and thinking that the next day you can just be operational and nothing will have happened. It does take a long time to recover from the incident. So just to pop to a quick poll question for those that want to, what are your thoughts on paying the ransom? Do you think you would pay a ransom? Would you always pay a ransom? Would you never pay ransom? Or would you pay ransom if you thought it was legal? Just give it a second for everyone to think about it. And while that's happening in the background, we will talk through, in a moment, some considerations for payment of ransom, we will look at some of the legal implications of payment of ransom, but just instinctively, as a business, is that something that you think should be done, or should never be done? Could be interesting to see what results come back in. Give it, let's see, we've got about 10 more seconds and then we'll get the poll results back in. Yeah, so I see there's a question there on whether or not it's payment... Whether it's legal to pay a ransom? And we'll talk about that in a minute. I'm not sure if Joss or Keddie are able to give me... There we go. So nobody said, "Yes, always," which is interesting. 
Normally it's a little bit split, but you can see there's more leaning towards "No," than a "Potentially yes." We don't really have time in this forum to unpack why that is, very interesting to have a discussion down the line with each of you, as to what your thinking is, but very interesting to see that, it wouldn't just automatically be paid. So just a couple of things to think about from a settlement perspective. So just to answer the question that popped up, in terms of when it's lawful, there's gonna be a couple of things you're gonna need to look at. So the law on paying ransom changes, depending on, primarily, what sanctions are in place at a high level at any point in time. So for example, if we know that the money is going to be used for proceeds of crime, we could run into issues in terms of paying that money if we know it's gonna be used for proceeds that are gonna go to criminal syndicates. If we know the proceeds are going to a sanctioned entity, or a sanctioned individual, in that instance, we also wouldn't be able to pay it. So there's a couple of things we need to do before we pay a ransom. First thing you're going to do before any ransom is paid, or should be paid, is you're going to want to appoint a specialist negotiator. Just a word of caution, there are many organisations out there that, if you just Google them, they say they're able to assist you with facilitating ransoms if you're stuck, they act as intermediaries, what they are, in many circumstances, is more often than not just another conduit for ransomware groups, or breakaways from the affiliates, so just be careful of that. We have very carefully crafted panel selections to who we utilise to do the negotiations. And the reason for that, comes down to the legality of the payment, as to whether or not we're going to have any sanctions in place. Because one of the things that a good negotiator does for us, is they do a sanctions check. 
They give us a report on whether or not there are legal impediments, from a sanctions perspective, in making a payment. So the first thing we do is we engage a negotiator and then we agree a price. In return for that price, we make sure that the party we're agreeing the price with, is actually able to give you the correct decryption key. So we do things like, we test some files that are encrypted, we make sure we get what we call proof of life. Then you're going to want legal advice on the legality of that payment, so what jurisdiction is it being paid to? What do we know about the threat actor? Do we know whether or not they're sanctioned? I mentioned at the outset, the group Conti. So when Conti came out in favour of the Russian government, the reason that it caused the splinter effect, where a whole lot of Conti employees broke away from the main group, was because they didn't want to be placed on a sanctions list, where they couldn't receive payment for ransom, that's another thing to think about. How do we pay the payment? Do we pay it in Bitcoin? Do we know what the proceeds are being used for? I know you're gonna say to me, "But we can almost always assume "the proceeds are gonna be used for crime." Well, the threat actors, A, are not gonna tell you their identity and they're not going to tell you what they're using the money for, probably wouldn't recommend that you ask them, but if we know exactly what it's being used for and we know that it's for a sanctioned entity, we wouldn't be recommending a payment. And again, we'd only be recommending payment of ransom in very select circumstances. We would certainly, for example, not be recommending making a payment if it was simply to prevent a threat actor from publishing your data because invariably the data ends up being sold, or published anyways. But if you've got legitimate reasons for needing to pay a ransom, we're often going to look at things like, how dire is a situation?
We look at it like a kidnap for ransom, life or death situation. Would your business be crippled if you didn't pay a ransom? So if we're able to answer some of those questions, then it may very well be legal to pay the ransom. And then finally, the actual facilitation, or making the payment of ransom, is incredibly important. You're gonna want the negotiator to facilitate that payment for you, to assist you to get it paid, to help you get over all the currency fluctuations, to get over the hurdles in terms of how that is purchased and sold, and traded in Bitcoin, for example. Some things to think about, whether or not you actually pay a ransom. Things like how long is your system down for? Can you resolve the outage yourself? What's happened to your data? Have you lost data? Is there a threat of publication? Is that good enough, to pay? Chances are they're still gonna publish the data anyways. And then thinking about some reputational risks, again, reputational more from a business continuity than from knowing that the incident has happened. Just some things to think about. I'm going to skip over these two steps because I'll come back to them when we talk about the end of the BEC because if it triggers your privacy obligations, it may very well trigger those things. But just going one slide back, any incident needs a robust communication strategy. That means you need to think about who you're communicating what to, anything from supplier to customer, client, public communication perspective, so what are you putting out there, you don't necessarily want to bash something out, to all your clients to say, "We've had a ransomware event and we're down for a week." It's about what you say that needs to be measured against any real risk. So just give some thought to your communication strategy. And that again, comes out to... We'll talk about it at the end about risk planning. Any questions on ransomware before I move on to business email compromise?
- [Keddie] No, no questions yet, Nicole.
- Great. So BEC, we spoke about right at the outset, but really, this is the kind of things we see, you get an email that looks quite legit. It may come from somebody purporting to be within your organisation, it can often be from a supplier you're expecting an invoice from. It could be anywhere. It can be very straightforward, like there's been a moderate change, something on your systems, purportedly from an IT service provider, please click here to just modify your systems. Whatever it is, generally, it lures us in, it makes us think we're expecting it. In this instance, we've used one from a mail delivery group. You think that it's fine, you think you should download something, you think you'd be able to access something within an email, you click on the link, you move forward... Oh, sorry, I've gone one slide too far. Again, you come up to a legitimate link. Sometimes, if we're smart, and we're looking up the top there, you can see Happy Machine, what is that? Clearly there should be some problem, but most people don't always see those things, sometimes they hide those sorts of things. But you have what seems to be a legitimate account, you pop in your details and it takes you through to a legitimate page. A couple of days later, you get an invoice, or you get a supplier following up on an invoice, "Why aren't we paid, what's going on? "There seems to be a problem." And you think, "Well, I don't know, "I thought I'd paid this." You're not sure what's happening and you start investigating, and it turns out that your emails been compromised. It means that a third party now has access, because of this incident, to your mailbox. They've been able to access your historical mailbox, your historical emails, invoices, critical business information, and sometimes business email compromise is the first port entry to an ultimate ransomware event. We've seen incidences, for example, where threat actions have been on the systems for months at a time. 
And they sell these credentials on dark web forums, so you've compromised the credentials, nothing happens, you don't know you've compromised them, and nothing happens for weeks or months, until that credential is on sold somewhere else. So a whole lot of things can happen between the phishing incident, or the business email compromise, and the end. Again, often that is for invoice fraud. We're seeing things like invoice approvals, false invoicing, data theft are rising, phishing attacks on your clients, where spoof emails are sent on mass, and then social engineering attacks for your clients, to obtain fraudulent payment from them. Those are all the repercussions we see from business email compromise. So your next steps after anything, again, is trying to preserve that evidence. And again, I stress how important it is, if you are faced with an incident, please do remind whoever it is that's assisting you to try and preserve whatever evidence you've got. It may not happen, it may be that you involve, perhaps a law firm, you phone your broker, fundamentally, as soon as possible, you notify your insurers, you do something where there's another step, which can help you compromise that evidence. Even if you're not sure of an incident, if you think something may have gone wrong, it may be worthwhile to engage as soon as possible, because then we get to the point of, well, what are your legal obligations? If you've got personal information that's been compromised, you may very well trigger your privacy obligations. Now, for many people, they say to me, "But if my turnover is less than $3 million, "the Federal Privacy Act doesn't apply to me." That's correct at a high level, except they are caveats within the Federal Privacy Act. First caveat, is anyone who deals with tax file numbers. If you deal with tax file numbers, you are a tax file recipient and you are subject to the Privacy Act. 
That means that if you have a compromise of TFN information for your clients or your customers, in a ransomware event or a business email compromise, you will have to notify the information regulator, the OAIC, about what has happened on your systems. And you may very well need to notify your clients, whose TFN information has been compromised. The reason for that, is because TFN information is one of the very serious touchpoints. It is something that they say constitutes a serious risk of harm because your risk of identity theft and crime that can flow, financial crime that can flow from theft of TFN information, is really severe and really prevalent. The other thing is the OAIC is quite strict on how we treat TFN information. Under Section 17 of the Privacy Act, and I'll do my quick lawyer speech for one minute before we wrap up and I hand over to Drew, is that TFN recipients need to take reasonable steps to securely destroy, or permanently de-identify TFN information that is no longer required by law. That means you should not be sitting on every historical client's TFN details for all eternity. If they're no longer a client, if your statutory period for retention of that data has lapsed, if you no longer have a lawful basis to have that information, you should not keep that information just in case, it should be deleted, de-identified, or removed from your systems. Otherwise, you may trigger those obligations where you have to let people know what has happened. And again, you then have to notify your clients as to what has happened. There's some tips there for you, on what their not Notifiable Data Breach scheme looks like. Again, it's all about assessing the type of data, assessing whether there's a serious harm and commencing with remedial action. All of those things, again, if you've got TFN information, you can beat your bottom dollar that serious harm will have been triggered. You would need to notify. 
And in most ransomware, or BEC incidences, we almost always see exposure of data that triggers your obligation, so please just be aware of that. Very briefly, I'll be another minute in risk management and then I'm gonna hand over to Drew. Just a couple of practical tips to think about. First thing is please think about having an incident response plan. What is that? Well, that is something where you know what the basics are to respond to any incident. If you're faced with these sorts of scenarios we've discussed today, if you have a business email compromise, or a ransomware event, what do you do? Who do you contact? What is your immediate next steps? What are your legal obligations? What do we need to do? Those are the kinds of things you put into an incident response plan that the very least you've got a framework to work off in the event of an incident. And have that stored somewhere other than on your main systems. Have a hard copy one page mind map, or diagram, if that's what you need to do, that you know what to turn to in the event of an incident. If you can't email your colleagues and clients, what do you do? Do you phone them? Do you deal with WhatsApp? What is your next step? Regular employee training is incredibly important. Dealing with mock scenarios, simulating at doing things like phishing simulations, making sure that you are implementing evidence prevention and log retention. So what are logs? Things like your email logs, your IT logs, anything that can tell us forensically, after an incident, what has happened, what to do with the information. Risk mitigation, things like your password policies, have good password policies in place. 
Security patches need to be done. You need to be talking to your IT service providers about patching, about basic things. If you use Office 365, if you are using those sorts of things, they come with free products, MS Defender; you can set your firewall logs for free to be 30 days or 90 days, so you know what's happened in your environment. Very important things to do. Upgrade that outdated software, have a look at those things.

And then, finally, consider what your ultimate obligations are. Are there legal notification obligations that are triggered by an incident? What about outsourcing? What happens if you've got a cloud service provider hosting or holding your data? If you've got an IT service provider doing something for you, what are the implications of that, and what happens if there's a compromise on their network? So a couple of things to think about.

I see there was one question that came in before I hand over to Drew. Just seeing. That question's been done, and there was just a self-assessment that came in. Great. Then Drew, I'm gonna hand over to you before we deal with the last few elements. Just checking. Drew, can you hear us? Okay, so Drew seems to just have a problem. It's fine, what I'll do is I'll carry on, if that's fine, Keddie, in the interim. Maybe there's a technical difficulty.
- [Keddie] Please do, thanks Nicole.
- Yeah, that's fine. What Drew was going to say, and I'm sure if he jumps back on, he'll talk through it more comprehensively than me.
- [Drew] That's all right, Nicole. There we go, just in time that I can hand over to you.
- [Drew] My apologies, my computer has the gremlins in it today. Look, thank you, Nicole and Keddie, and everyone for joining us today. Can I just say at the outset, in my view, cyber is the most serious risk facing the business community. It may not be the largest numeric financial cost to your business model, but to me, reflecting on it in the last couple of days, I think it's nearly a little bit like motor vehicle insurance. If you have a computer and you are on the net, you need this insurance, in my view. The problem we have here in relation to your risk profile is that it is ever changing on a day-to-day basis. If we talk about all the other insurance products we buy, fire and motor vehicle and these sorts of policies, the risk profile is reasonably static. Cyber is ever evolving. We have not only innocent errors that can cause this trouble; in actual fact we have, to our detriment, bad people. We have criminal gangs who are very sophisticated and they are looking out, looking to steal, to enter your computer environment and steal, or ransom your computer system. So my strongest recommendation is: speak to your insurance professional and seek a quote if you do not already have it, and effectively transfer this risk profile over to an insurance company, who then engage their professionals, like Nicole, and TechPR, et cetera.

Now, we'll just go through these couple of slides. The risk profile, as I've just mentioned, is large. Can we handle it ourselves? My view is, no, we can't. I'd also raise the issue here of who is providing your tech support. Is it your brother-in-law? Is it your family member? I'd seriously recommend that you review who is providing it, what is their skillset, what is their knowledge, what are their capabilities. There are several providers in the market that can provide cover for your firm. Can I say that there...
I suggest somewhere between 10 and 30 different insurance companies in this marketplace could provide you with an alternative quote to the one you may have at the moment. Please be careful of what cover is available under those policies, because it does vary, and we'll go through the cover in a moment. And as Nicole said, the key benefit of purchasing cyber insurance is having access to a firm like Wotton + Kearney. There are a number of aspects to the claim, as Nicole has pointed out, and we'll just go through these; a good cyber policy should have all these sections in it.

The first one is third party cyber liability. I'm sure not a lot of people read their liability policies, but I can say to you now, the insurance industry is starting to put exclusions on normal policies about cyber liability, whether they be a public liability policy or a professional indemnity policy. If you were to negligently transfer, or... transfer some bad code to a client, because you didn't have proper protection and security on your system, and that client then suffered as a result, being closed down, or possibly even ransomware or something like that, there is a potential for that liability to come back onto your firm or your company, as a result of you not taking adequate protection in relation to your computer environment.

Nicole has spoken about that hacker damage; this is about the environment of both software and hardware. One of the first claims we had, a client did not pay the ransom. They deleted all the files from their system; they thought, that's not a problem, I've got backup. The problem was they had no software at all. They then had to go out and buy new software, which didn't match the old software. So the backup (this was an old claim) backup discs had to be reconfigured to match the new software. It was an absolute nightmare. Cyber extortion, Nicole went through that in detail.
The government may ban this, as we're all aware, but at this point in time one needs to be careful and certainly have a negotiator, which the insurance company will provide for you. Public relations: basically every accounting firm in Australia is caught under this Act, and I suggest you have a very well crafted message, not to create panic, not to create an environment where the client says, "Well, our accounting firm is hopeless, we're going to move." You want to retain the clients in that messaging, and a professional needs to assist you in doing that. Business interruption costs: we are finding that is an increasing, ever increasing cost in relation to a claim. You are out of action; it can be rewriting of records, it can be a cost of production. Not in the accounting profession, but a very relevant one with a factory: they got closed down for three months because all their machines were German and they had terrible trouble reconfiguring them. They're the sorts of business interruption costs that can occur. And as I say, the data breach notification costs: you need to convey the message to your client, to relevant regulators, et cetera.

Look, encapsulating that environment and insurance, as I say, to me it is something that you must consider in running a professional practice. Unfortunately, the cost of this insurance is going up, but my view is it is an essential part of your suite of insurance, to protect the firm and ultimately the partners and employees of that firm. Now Keddie, we're going back to you for some questions.
- I think we'll hand back to Nicole.
- I'll just jump in and I'll be a few more minutes before we can hand over to Q&A, just looking at your incident response. So just to mirror and match what Drew was saying, when we look at the costs of these incidents, your first party costs, as in your incident response costs, can be quite significant. Everything from an IT service provider to assist you getting back online, to a forensic service provider to actually help you figure out what happened, legal, to give you those sorts of advice on whether or not to pay a ransom, who you need to notify, how you need to notify, PR crisis comms, things like ID monitoring or call centre services, if you need to provide those services to your customers. All of these things can be very expensive, outside of the business interruption costs.

While we think that the first party response is expensive, what we're actually seeing, in terms of the real numbers, is that business interruption costs often comprise nearly 80% of every single cyber insurance claim we're seeing, because the knock-on effect to your business is just massive. You're out of service for what could be a month or two months. You lose business in that time. You have to dedicate resources that would otherwise be servicing your business to fixing this incident. You lose valuable hours where employees sit for a week or two and can't work at all, and you're paying their salaries. So there's a whole range of costs that flow from it. And these are all the different parties that we see come into play.

Again, it's really important to get in touch with Fenton Green, your broker, with us, or with your insurer, any time during the policy period, to question anything about, "I think I've got a problem, I'm not sure if I need to do something." Who are the right vendors to engage if you've got any sort of inquiry regarding your policy? Your broker should be your first port of call for all of that; they know exactly who to direct you to.
If you contact Fenton Green, they'll know exactly who to send you to. But really just being mindful of these aspects and then asking the right questions and giving yourself the right sort of protection, is fundamental. And on that point, we'll hand over to questions and please feel free to ask anything that you'd like.
- Thanks Nicole and Drew. Yeah, I really encourage you to send through your questions through the chat box, because we definitely have experts here to answer those queries. I just wanna go back and ask a couple of things. Drew, you said before that you see cyber as one of the biggest risks facing members' practices, and I think, seeing what we're hearing, or seeing what Nicole's told us about today, and also those challenges coming through and what we're hearing from members, I definitely have to agree, and we spoke about this last week at our public practice webinar. I just wanna touch on something that's recently come to my attention around the ATO, full protective measures and that sort of flow-on. And Nicole, you were talking about the average time of a business being closed after an event, or being able to restart, is about a month. Could you maybe just talk through some of the challenges and what that actually means for both the business and their clients?
- Yeah, perfect. So where we have an incident that happens, there's a couple of things that have to happen afterwards in terms of mitigating risk for clients and customers. The purpose of a notification of any incident is to assist the party whose information has been compromised in actually protecting their information, knowing about the incident, looking after it. So there's a couple of things an organisation can do after the event. One of the things that happens is that you can contact the ATO to ask them to apply protective measures over certain tax file numbers. It's a bit of a thorny subject, because while it serves its purpose in protecting the tax file number, it creates a difficulty for a business in actually being able to deal with that tax file number and that person going forward, because suddenly you don't have access to file and lodge returns and do some things that you would normally do on a day-to-day basis. Any time you want to transact on that account, you have to contact the ATO, you have to phone them telephonically, you have to ask them to raise or lift that protective measure. And that stays in place for years, so it really creates a lot of difficulty around what that can mean.

The other element that we've seen is the source of the breach. So we've seen a couple of things where, for example, we've had some of our accounting clients where their customers have been subject to a breach. Say you've got 10 clients that suddenly are subject to a breach, but you don't actually know what the source of that breach is, and there's some speculation about whether or not there are possible problems at the moment, practically, with the portal that accounting firms are using with the ATO, which is external to your firm, and whether or not that has caused some sort of issue in terms of a leak of data.
Because on one of our matters recently, we had one of these where there were 16-odd end clients who were affected in a breach, and we went through a forensic investigation and the forensic results were inconclusive; we couldn't tell what the source of the breach was. And when we notified the ATO of this incident, the ATO actually came back to us and said, we've seen this happen for a number of other clients in the industry, and they think there's an issue with a software, or the portal, that may have suffered a leak or a credential compromise from that perspective. So it may not even be on your systems that something goes wrong; it may be on a third party system, auxiliary to your business, that you rely on. And then you end up in a situation where you may have to put protective measures on TFN numbers, which is not great for business. If you tell your clients every time that you can't access their portal or the profile unless they phone the ATO, it's not gonna leave you in good favour with your clients.
- Yeah, and I think the thing that stuck with me on that is, someone said once an identity is stolen, it can't be unstolen. For the natural life of that client, there's a risk around that data being out there. And even if they get unhappy with that accountant and move to a different accountant, it doesn't matter, those protective measures stay with them. And I was reading, it even impacts automatic generation of BAS statements and all those sorts of things that members would be doing on a daily basis. So I think that when I heard that incident, that to me is something that really does show the reality: it's not just the impact that it's gonna have in terms of shutting that business down, but the flow-on impact to your clients and your business as well.
- Yeah, absolutely.
- Sorry. I was gonna say, so a couple of things we hear about is, and you spoke about that business email compromise, and we've seen incidents where people have got in and emulated, like you said, a staff member, and maybe changed bank account details, or a supplier. Do you have any good tips you could maybe provide the members on the line around processes, checking with third party suppliers, or when they're getting invoices in, or issuing invoices, just to help improve that security process?
- Yeah, so the first thing is, always have a multi-person system in place in terms of verification of invoices. So what we often see from an invoice fraud perspective is, you get an invoice in, the invoice has a phone number on it, you phone the phone number on the invoice to check if this bank account change, or whatever it is, is correct. Don't do that. Go back to the source, whatever it is in terms of your originating correspondence for that client or customer. And then within your organisation, have a multi-person authentication process. So we've also seen impersonations of a CEO sending something to a finance clerk to say, "Please pay this invoice, I need it paid immediately because I can't purchase a tracked auction without it," for example. And then they pay it immediately, and it's only afterwards that it turns out it's not the case. But in that payment link between person instructing and person paying, have another step in the process that involves an external verification process. And anywhere that involves a change of supplier details, bank details, your own details, communicate to your customers that you won't change your bank details. If we create awareness around that process, it can mitigate some of the invoice frauds and things we see.
- Yeah, and I think that's really important. It doesn't matter the size of the business; some of those things can be easily put in place, and making sure you've got another set of eyes over it, any internal approvals as well. We did a webinar last week and we asked our members about some of the challenges, and they said, just the amount of ongoing change, regulatory changes. I know for those in tax, changes again with Section 100A and firm profit allocation, et cetera, and technology is not always the strength of everyone, and certainly not my strength. Are there some basic tips that you could tell members, the non-negotiables? Our members say, for example, "I'm in the cloud, I've got a level of protection, but I feel like that's a little bit of a false economy," and that there's some further steps that they should absolutely be looking at as a minimum within the business.
- Yeah, so again, I think really vet and verify your MSP, or third party IT service provider. It's good to change it up frequently as well, if you've had the same person for 10 years. Loyalty isn't the right thing in a tech space where products are changing. Having basic things enabled on your free software platforms can be fundamental. Like I spoke about, if you're using Office 365, you're using Microsoft's suite of products, they have things like Defender, which you can use for 30 days free of use, and the cost is actually really minimal, I think it's a couple of hundred bucks a year to use those sorts of licensing requirements, which can do a whole range of things, like detect entry into your systems and give you early warnings and alerts. Just having good hygiene in place, regular changing of passwords, and employee training and awareness, is absolutely key and critical. We're all employees, or we employ people; we've all clicked on things we shouldn't have clicked on. I was in the middle of a breach for an accounting firm, interestingly enough, recently, where we discovered that for four months a threat actor had been on the systems between two different incidents. And they had the same IT service provider for the duration of it, which was probably the source of the incident to begin with. And while remedying the breach, the IT service provider had an incident where they spammed us with phishing links. And if we weren't alert to it, you're so busy reactively responding to a breach, you may have opened up the wrong thing from the wrong person.
- Yeah. And it's a really good point, 'cause I think you said earlier, and you've just sort of touched on it again, staff and human error is often the driver, or the catalyst, for some of these things, and not by any attempt to do it purposely, just because, as you said, they're so busy and different things come in, or they're so sophisticated now in terms of how these things actually come through that it looks legitimate. And we are in an environment where we still have a level of remote working. Are there some added security measures, or things that members should be thinking about, if they've got staff working from home, or using their own devices, or even some places to go for training?
- Drew, I don't know if you want to jump into this-
- Look, I'll just jump in there, Keddie. I think we're all here to please our clients. Could I just say, a little bit more discipline from everyone would help here. How many have answered or looked up emails on their phones? You're on the train, you're walking down the street and you see the email and you click; you basically cannot verify that email correctly, walking down the street on your phone. Our view is, and Nicole, you'll be better at this than me, but basically about 60% of all the matters really start by somebody clicking on something within the office. I know the world's changed in relation to the environment in which we work. If we take the work computer home, where we have a link, whatever it is, please do not let other family members click on... social media, or a different environment which is outside the work environment. Try and keep your systems nice and clean in relation to outside searches for whatever it is, a new car, a new house, or whatever. As I say, a little bit more discipline: your client can wait till you get back to the office to answer that email, don't answer it walking down the street, or on the train, on your phone. Just some nice simple things like that, I think, can assist.
- Yeah, and maybe just a closing remark: don't do anything too quickly. I think that ties into what Drew's saying. If you get something that you feel you're under time pressure to answer or respond to, think twice, because that is what social engineering fraud is designed to do. It's designed to make us panic, designed to make us do something quickly, click on this quickly, do something quickly. And often if you just have a 24 hour process, where you do something else in between, it can help eliminate that risk.
- Yeah, I think they're really wise tips and wise words. I have popped in the chat some links to some training that CPA Australia has made available, so they're complimentary eLearning resources. There's four modules, and one in particular, I think, was resonating with me when you were talking, Nicole, about responding to cyber threats. So there is a particular module in there to help you design your cyber security response and how to practise that. We've also got a self-assessment checklist, just to help you get a bit of a picture and a stocktake of where your business might be in terms of risks, in terms of a traffic light system. So again, if you're looking at a starting point and thinking about that, it's a really good one just to do a bit of a self-assessment. I cannot re-emphasise enough what Drew said earlier: this is seriously one of the most significant risks that your practice is going to face at the moment. I know everyone is super busy, everyone is resource constrained and it makes it challenging, but it absolutely has to become a priority for your business, just because of the risk. And Nicole spoke at the top of this about professional services being a prime target because of the data and the information being held. So I really, really would like to take this opportunity to thank Nicole and Drew for today's webinar. I think you've given us lots of great practical insights, and really you've shown the impact that a breach can actually have on a practice and really brought that home. I'd like to thank everyone for taking the time to join us for the webinar today and taking time out of your business to be here and invest in this, 'cause like I said, it's such an important area. With that, I'd like to hand back to Joss to close the webinar for today.
- [Joss] Thanks so much. Yep, I totally agree with you, Keddie. Drew and Nicole, thank you so much for an excellent webinar. Also a big shout out to everyone's participation in the chat, with questions and comments in the chat box. Please keep an eye out in your inbox for the recording of today's webinar. As you exit, you'll be directed to the feedback form; just to let you know, this is a safe link and we would love your feedback. Thanks again and we look forward to seeing you next time.
Dealing with a cyber attack
Access these Australian Government resources if you believe a cyber attack has occurred.
In partnership with the Australian Cyber Security Centre
The ACSC monitors cyber threats across the globe 24 hours a day, seven days a week, so they can alert Australians early on what to do, helping to make Australia the most secure place to connect online.