We’re living in a digital Wild West. It’s not only the big players at risk; small and medium-sized businesses are increasingly targeted.
Just ask tech giant Microsoft, recently infiltrated by a nation-state attack through a simple password. This stark reminder highlights the vulnerability we all face.
The bad news? Identity attacks on cloud platforms are surging, and unmanaged devices leave you open to ransomware. Microsoft’s 2023 report paints a grim picture: attempted identity attacks soared from 3 billion to 30 billion monthly, translating to 4,000 attacks per second on their cloud alone.
Furthermore, 80–90% of ransomware attacks stem from unmanaged devices, and 70% target small businesses like yours.
Let’s face it. We’re a nation of sun-kissed innovators, early adopters, and, well, sometimes, a bit too trusting. This makes us ripe for the pickings for cybercriminals, who wield increasingly sophisticated tools and tactics.
This article equips you with the knowledge and tools to build digital resilience and thrive in this new landscape. We’ll unpack the latest threats, explore effective defenses, and empower you to protect your business.
Cybercrimes You Need to Be Aware of in 2024
Having painted the broad strokes of the global cybercrime landscape, it’s time to zoom in on the specifics. The digital threats we face are not just varied but evolving at a breakneck pace. Below are the most prevalent forms of cybercrimes that are currently targeting businesses.
1. Identity Attacks
Your login credentials are the new goldmine for hackers. The scale of identity attacks is staggering. According to Microsoft Entra data, there’s been more than a tenfold increase in attempted attacks, rising from around 3 billion per month to over 30 billion. This translates to an astonishing average of 4,000 password attacks every second targeting Microsoft cloud identities this year.
A primary reason for the prevalence of password attacks is the low security posture of many organizations, particularly in the education sector. A significant number of these organisations have not enabled Multi-Factor Authentication (MFA), leaving them highly susceptible to phishing, credential stuffing, and brute force attacks.
Remember the days of “Nigerian prince” emails? While those still exist, today’s phishing scams are far more sophisticated, targeting not just your data, but also your trust. And one particularly concerning trend is the rise of attacks specifically aimed at older adults.
These scammers exploit the trust and potential lack of technical experience of older individuals, often using tactics like:
- Grandparent scams: Posing as a grandchild in need of urgent financial assistance.
- Tech support scams: Pretending to be from a well-known tech company, offering fake “help” and requesting remote access to fix non-existent problems.
- Medicare/Social Security scams: Threatening to suspend benefits or requesting personal information under false pretenses.
The consequences can be devastating, leading to financial loss, identity theft, and emotional distress. But beyond these traditional phishing methods, a more concerning trend is emerging: Adversary-in-the-Middle (AiTM) attacks.
AiTM attacks involve an intermediary capturing the user’s credentials during a seemingly legitimate authentication process.
These sophisticated attacks are particularly dangerous because traditional defenses, like resetting user credentials, are no longer sufficient. This calls for advanced security measures to effectively counter these evolving threats.
3. Business Email Compromise (BEC)
Imagine a scammer impersonating your boss or a business partner. They trick employees into transferring money or sensitive information. It’s the digital equivalent of a wolf in sheep’s clothing.
Business Email Compromise scams continue to plague businesses, with over 156,000 incidents reported daily. Cybercriminals would impersonate executives to trick employees into transferring funds or disclosing sensitive information. Even the most cautious can fall prey to these well-orchestrated attacks.
BEC attacks are not just financial fraud; they involve intricate strategies like domain impersonation, internal phishing, and mass spam mailing to disrupt and deceive.
The evolution of BEC criminal networks and the up-skilling of threat actors, often educated in industrialised countries, show a trend towards more sophisticated and hard-to-detect attacks.
4. Ransomware and Extortion
Imagine your business data suddenly becoming inaccessible, held hostage with a demand for payment. That’s ransomware, and its impact goes beyond data loss – it erodes customer trust. Microsoft has observed a more than 200% increase in these attacks since September 2022, indicating a move towards more targeted, sophisticated methods.
The growth in ransomware-as-a-service, increasing by 12% in the last year, suggests a structured and expansive criminal industry, with 123 tracked ransomware-as-a-service affiliates. This highlights the critical need for robust device management and security protocols.
5. DDoS Attacks
Distributed Denial-of-Service attacks can cripple your website or online services, leading to lost revenue and reputational damage. They overwhelm your website with traffic until it crashes. Not a pretty sight for any business.
The rise of DDoS-for-hire services poses a significant risk to the cybersecurity landscape. These services, offering botnet subscriptions, have made DDoS attacks more accessible and damaging.
The 20% increase in DDoS-for-hire platforms in the past year alone reflects a growing trend towards commoditising cyber weapons.
The use of these services in ransomware attacks to exploit vulnerabilities signifies a convergence of different types of cyber threats, amplifying the potential damage and complexity of attacks.
Be prepared to counter these digital floods with robust security measures.
Australian Cyber Security Strategy
How is Australia as a nation responding to these threats? This brings us to the Australian Cyber Security Strategy, a comprehensive plan charting the course for national and individual cyber resilience.
- Strong Businesses and Citizens: This emphasises building security awareness and resilience within organisations and individuals. Think cyber hygiene training, incident response plans, and secure IT practices.
- Safe Technology: The government is actively working to secure critical infrastructure and promote the development of trustworthy technologies. This means businesses can expect tighter regulations and a higher bar for cybersecurity standards.
- World-class Threat Sharing and Blocking: Collaboration and information sharing are key to combating cyber threats. The government will facilitate intelligence sharing between public and private sectors, helping businesses stay ahead of the curve.
- Protected Critical Infrastructure: Our hospitals, power grids, and financial systems are vital targets for cybercriminals. The strategy focuses on hardening these critical assets and ensuring their resilience against attacks.
- Sovereign Capabilities: Australia aims to develop its own cyber security expertise and technologies, reducing reliance on foreign solutions. This will empower our nation to respond to threats more effectively and independently.
- Resilient Region and Global Leadership: Australia recognises that cyber security is a global challenge. The strategy emphasises international collaboration and sharing best practices to strengthen the collective cyber defenses of the region and the world.
What Australian Businesses Can Do
Understanding the Australian Cyber Security Strategy sets the stage for action at a business level. The strategy outlines the framework, but how do we, as businesses, fit into this picture? Let’s translate strategy into actionable steps.
Improve Your Defensive Security Posture
Think fire drills but for your digital assets. Invest in robust authentication systems, regularly update your software, and train your staff to spot the digital rustlers.
Added to this, you must ensure that your systems are appropriately hardened against attacks from both internal and external sources. Monitor and enforce this hardening so holes are not opened in your fundamental defences.
Identify areas where you may need investment
Don’t wait until the digital stampede hits. Consider cyber security insurance, penetration testing, and expert security consultants to fortify your defenses. By taking step in item 1 you may reduce your insurance premiums.
Explore ways to make your training programs more effective
Interactive simulations, role-playing exercises, and gamified learning can make security training engaging and memorable. Remember, a well-trained staff is your best line of defense.
Wrapping It Up
This digital Wild West may be harsh, and we need to level up our cyber defenses. By being informed, proactive, and working together, we can turn the tables on cybercrime and build a safer, more secure digital future.
So let’s make the digital space a place where innovation thrives, and cybercriminals get left in the dust.