Blog

  • The Rise of Virtual Kidnapping


    While our feeds have been flooded with news and developments on COVID-19, other disruptive events have subtly moved their way into people’s lives like an unexpected storm.

    It seems like only yesterday that celebrities, news outlets and hashtags around the world directed their reach at the Australian bushfires, which would cost the country up to $101 billion in property damage and economic loss. 46 million acres of land were burnt, killing at least 34 people, hundreds of millions of wildlife, and billions of vertebrate animals. This historic destruction now seems like a bad bonfire as focus shifts to COVID-19.

    This is not news, and blame should not be put on the general population’s attention span. But professionals, organisations and those in the public space need to seriously consider the other events occurring alongside COVID, because they are still occurring.

    This year alone, RiskLogic has supported dozens of clients in dealing with major cyber-attacks, loss of key staff, natural disasters, supply-chain disruptions, ransomware attacks and disruptive large gatherings and protests, to name a few.

    As we round up the year, we will dissect other events in a mini-series dedicated to parallel crisis events, covering:

    • The variety of scams that have appeared and increased during the pandemic
    • An overview of other incidents happening during COVID
    • A discussion on incidents that you would seldom anticipate (like virtual kidnapping)

    At the very least, we hope this provides a break from the bombardment of COVID related updates.

    Virtual kidnapping is happening right now

    Virtual kidnapping is an extortion scam that has historically targeted Chinese international students in Australia.

    The scam targets individuals with threats of deportation, before forcing them to contact their families for significant sums of money. The NSW Police reported 8 cases in the 2018-2019 period, but they believe the real numbers are in the hundreds (families are generally too nervous or ashamed to reach out to foreign authorities). Millions of dollars have been confirmed to have been paid to the culprits: $3.2 million AUD since September 2019.

    Travel restrictions have left many international students somewhat stranded in foreign locations, and this is believed to have contributed to a spike in cases.

    What is virtual kidnapping and how does it work?

    Virtual kidnapping is an extortion scheme that tricks victims into paying a ransom for a loved one who they believe is being threatened with violence or death.

    The scam commences with a phone call from someone pretending to be from the Chinese Embassy, asking for personal details – usually pertaining to passports or visa status. The call then escalates to threats, with the victim being accused of participating in criminal activity before being threatened with warrants from a fake international criminal police organisation.

    They are then told the only way to save themselves and their loved ones is to hand over bank account details or significant sums of money.

    The scheme gained traction in 2015 when it spread from Taiwan to Western countries and has rapidly evolved with the spread of technology.

    Recently, we have seen virtual kidnapping attacks occur at several Australian universities, including UNSW and unconfirmed Victorian universities, which have both reported dozens of instances of the scam.

    For Australia, the scam appears to be largely targeting students in NSW and Victoria, with police in both states confirming that victims often do not contact the police after they have been scammed as they often feel ashamed.

    As such, police are unable to confirm accurate numbers of virtual kidnapping victims.

    The kidnappers are purposely targeting Chinese International students and are communicating in Mandarin – making investigators believe that the bulk of attacks are coming from a crime syndicate located on Kinmen Island, off the coast of Taiwan.

    RiskLogic has additionally seen in Australia a rise in students staging the kidnappings themselves to obtain additional money from their families, although we can’t confirm whether this is related.

    Chinese and Taiwanese International students are being targeted because they are far away from home, making it more difficult for their parents to confirm whether they have been kidnapped or not.

    The AFP (Australian Federal Police) has reported 54 confirmed instances of these kidnappings in 2020; however, they believe the actual number could be in the hundreds.

    Why should this matter to you?

    The AFP believes that hundreds of instances have occurred throughout Australia, Europe, America and Canada, showing that virtual kidnapping can happen anywhere.

    In pre-COVID Australia, international students made up more than a quarter of enrolments at universities, with approximately 542,054 international students in the country in 2019.

    Chinese students made up 31% of this number and accordingly were the largest contributing country to Australia’s international student population.

    These international students contributed around $32.2 billion to the Australian economy per year, according to the Australian Bureau of Statistics, with the vast majority being enrolled in universities. The associated fees and living expenses represented Australia’s third largest export (currently behind coal and iron ore), a figure that had increased 22% since 2016.

    Whilst COVID has almost halved the number of international students currently residing in Australia, the economic impacts of the virus have also seen a significant increase in the rate of scams. The AFP reports that the financial demands made via the scam have also increased significantly.

    Despite most virtual kidnapping attacks originating from Taiwan, the reputational damage the attacks cause is targeted directly at Australian Universities and their perceived inability to ensure the safety of Chinese international students.

    The inability of a university to adequately or appropriately manage the virtual kidnapping of one of its students could therefore result in reputational damage to the institution, leading to significant financial impacts if that reputational damage translates into Chinese students no longer deeming the university safe and opting for alternative universities.

    For those not in the education space, it is perhaps only a matter of time until these types of threats reach a wider variety of organisations. For more public facing entities, this could be a real risk.

    Furthermore, this incident (that few could have anticipated) should be evidence that the threat landscape is forever changing.

    What is most likely to happen during a kidnapping?

    The AFP reports that the average amount of money handed to kidnappers is $38,000, with a total estimated handover of $10 million occurring in 2018.

    Already in 2020, the NSW Police have confirmed that millions of dollars have been sent. Cases report sums between $20,000 and $500,000 being sent, and even one reaching $2 million.

    This amount of money is significantly higher than the average amount obtained through other types of scams.

    Serious emotional and psychological impacts to the victims and potential reputational damage to the universities can occur.

    What should you do if this happens to you?

    The AFP suggests that Chinese students in Australia protect themselves by doing the following:

    • If you get cold called by someone making threats about arrest or deportation, it is a scam. Do not send them any money. Instead, hang up the phone immediately and report it to your local police.
    • Never give your personal, credit card or online account details over the phone unless you made the call, and the phone number came from a trusted source.
      – Banks or financial institutions will never ask you for your card details, even when you’ve called them. These institutions have access to your personal details once you pass a security check and do not need to ask.
    • If you think you have provided your bank account details to a scammer, contact your bank or financial institution immediately and give them as much detail as possible.
      – Top tip: research your bank’s fraud and security phone number and email now. Put this in your phone in case you need immediate access (these are often found on the back of your bank cards too).
    • When dealing with uninvited contacts from people or businesses, whether it’s over the phone, by mail, fax, email, in person or on a social networking site, always consider the possibility that the approach may be a scam.
    • You can contact IDCARE (a national identity and cyber support service) for support if you have concerns about your identity being compromised. Contact them via the online form or phone: 1300 432 273.

    The Scamwatch website has information about scams in Chinese languages.

    Further resources and instances in the news

    • Families have lost millions of dollars in a virtual kidnapping scam targeting Chinese students in Australia

    A 2020 update on the instances of virtual kidnapping scams as they increase in frequency and seriousness.

    • Australian university students preyed on by terrifying kidnapping scam

    An article looking at the impact that virtual kidnapping can have on parents of the victims, concentrating on the history of the scam and its origin in Taiwan. The article goes on to confirm that the advantage for scammers targeting victims in Australia is that the distance between the victim and their family makes it harder to confirm that the victim is actually safe and well, and that no charges have been laid against them by the Chinese Government.

    • Student loses $500,000 in phone scam that’s still active

    A report on one Chinese student in Australia who transferred $500,000 to virtual kidnapping scammers. The victim was eventually found by the Australian Federal Police 10 days after she was first contacted by the scammers.

    • AFP Scam Warning for Virtual Kidnapping


  • Sensitive Data: The true cost of WhatsApp


    With over 1.5 billion users, Facebook-owned WhatsApp is the world’s most popular messaging app. WhatsApp, which uses the internet to instantly transmit text, videos, images and even documents as attachments, is free, easy and convenient. Users can communicate with individuals and groups using any kind of mobile device to chat, set up meetings or appointments, manage orders and deliveries, and transmit product and marketing messages.

    But is WhatsApp an asset or a liability in the workplace? Multi-national companies like Continental, Deutsche Bank and Goldman Sachs are so concerned about the risks, they have actually banned employees from using free messaging systems like WhatsApp and Snapchat.

    End-to-end encryption and the illusion of safety

    WhatsApp’s end-to-end encryption protocol is a key attraction for many users. End-to-end encryption means data and information is converted to code (encrypted) throughout transmission so that only the communicating users can read the messages. Not even telecom and internet providers, or WhatsApp itself, can access the messages.

    ‘This encryption protocol can give users a false sense of security and privacy,’ says Daniel Muchow, RiskLogic’s Head of Cyber Consulting. ‘Even though the encrypted information is deleted at that point from the WhatsApp server, the information or data may remain on the recipient’s device indefinitely.’

    Penetrating the impenetrable

    With so much emphasis on end-to-end encryption, it’s easy to overlook the fact that not all information WhatsApp collects is inaccessible or private. ‘WhatsApp stores contact details and address books which may contain confidential corporate and customer data,’ confirms Mr Muchow. ‘For organisations, this raises serious privacy concerns.’ WhatsApp may also retain data about who has communicated with whom and when this communication took place.

    While the end-to-end encryption process offered by WhatsApp might sound watertight, attackers and scammers can and do intercept and manipulate messages to create and spread misinformation from what appear to be trusted sources. On investigating the app, Check Point Research found several vulnerabilities including the ability for an attacker to use the ‘quote’ feature in a group conversation to change the identity of the sender, even if that person is not a member of the group. They can also alter the text of someone else’s reply, or send a private message to another group participant disguised as a public message for all, so when the targeted individual responds, it’s visible to everyone in the conversation.

    Handing the control of corporate information to employees

    There is another immediate challenge for organisations. Employers have obligations to their clients about storing information and need to be able to monitor, manage and archive transmitted information appropriately. This level of organisational visibility and communication management is not possible with messaging apps like WhatsApp.

    Unlike corporate email, which is transmitted via the employer’s server, there is no way for employers to track communications, or remotely access or delete messages transmitted by WhatsApp. ‘This lack of transparency gives employees enormous control of company information,’ says Mr Muchow. ‘If the device is lost or stolen, business data and content may be gone forever or used in a damaging way.’

    Inappropriately sharing information can also have serious consequences. For example, a former investment managing director at Jefferies bank in the UK was recently fined £40,000 by the Financial Conduct Authority for sharing confidential client information over WhatsApp because he wanted to “impress” the recipients.

    When a free service costs more than it’s worth

    If the communication system is down or there are technical issues, organisations need access to immediate support at any time of day or night. This 24-hour support by dedicated personnel is not available with free messaging apps like WhatsApp but may be critical for an organisation to maintain business continuity.

    While WhatsApp and other free messaging services may be attractive to users, there is a serious hidden potential cost to employers. The lack of control and transparency of these free messaging services not only poses financial risk, but may result in a serious privacy breach and reputational damage.

    For advice on setting up a secure and resilient messaging service in your organisation and increasing your cyber security response preparedness, contact RiskLogic today.

  • 3 ways to fail crisis communications


    Imagine a job where you are given 10 new major projects this morning, with a deadline of this afternoon. The IT system is down, your phone is ringing off the hook and the Executive wants hourly updates.

    Welcome to the world of crisis communications.

    In a major crisis, the workload, pressure and expectation on the communications team goes through the roof, making it very challenging to communicate clearly and effectively.

    The three key reasons businesses fail in this space are:

    1. Their Crisis Communication Plan is poor or non-existent
    2. If they do have a plan, the communications team don’t know how to use it
    3. The critical knowledge is locked inside the head of one or two people

    These factors can cause staff to either freeze, melt down or completely evaporate.

    Teams who thrive in these situations have a robust crisis communication plan, where the majority of the heavy lifting has been done in advance.

    They have checklists, templates, runsheets, phone lists and pre-approved messages at their fingertips.

    They have trained and exercised potential crises regularly, including scenarios where they can’t access their IT systems or offices.

    They can even pull staff in from other business units to help in the first 24-48 hours.

    A failed communications strategy during a crisis can significantly magnify the cost of the crisis, or worse still, it can become part of the story.

    Doing it well requires preparation, training and regular exercising, long before a crisis hits.

    So pull out your Crisis Communication Plan today and put it through its paces.

    If you are feeling a little vulnerable in this space, get in touch today.

    Author: Tim Archer – Head of Communications

  • APRA Prudential Standards CPS 234 Information Security


    New cyber security requirements for financial services industry

    To combat the rising threat of cyber-attacks and ensure entities have measures in place to maintain the integrity and security of sensitive client data, the Australian Prudential Regulation Authority (APRA) has released the new Prudential Standard CPS 234 Information Security. The standard is in place to ensure organisations within the financial services sector develop resilience against cyber security incidents, making certain they can respond swiftly and effectively in the event of an information security breach. Prudential Standard CPS 234 sets out a strict and comprehensive series of requirements that entities must meet to protect themselves against information security threats. It is critical that all APRA-regulated entities familiarise themselves with the requirements of CPS 234 to ensure they are compliant when the standard comes into effect on July 1, 2019.

    Key takeouts

    APRA Prudential Standard CPS 234 is a Board responsibility. It requires information security related roles to be clearly defined, and a policy framework and plans to be in place and regularly tested.

    Entities must notify APRA of breaches to their information security within 3 days. This includes information managed for regulated entities by third parties.

    Entities have until 1 July 2019 to comply with these new standards.

    Who does CPS 234 apply to?

    CPS 234 applies to all APRA-regulated entities. These include:

    • Banks (authorised deposit-taking institutions (ADIs), including foreign ADIs authorised under the Banking Act);
    • General insurers;
    • Life insurers;
    • Health Insurers.

    What are the requirements of CPS 234?

    CPS 234 requires APRA-regulated entities to meet the following:

    Roles and responsibilities

    • The Board is ultimately responsible for the information security of the entity
    • The entity must have clearly defined information-security related roles and responsibilities, covering roles of the Board, senior management, governing bodies and individuals with responsibility for decision-making, approval, oversight, operations and other information security functions.

    Information Security Capability

    • The entity must maintain an information security capability commensurate with the size and extent of potential threats to its information assets.
    • Entities need to ensure third parties managing their assets also have the security capability to manage these threats.
    • The entity must actively manage its information security capability with respect to changes in vulnerabilities and threats resulting from changes to information assets or its business environment.

    Policy framework

    • The entity must have policy frameworks in place.
    • The framework must provide direction on the roles of all parties responsible for maintaining information security.

    Implementation of controls

    • The entity must have information security controls to protect its information assets, including those managed by third parties.
    • Regularly test and exercise these controls (Minimum annual testing).
    • Update controls if deficiencies are identified during testing.

    Incident management

    • The entity must maintain plans to respond to information security incidents.
    • Response plans must include mechanisms for managing all relevant stages of an incident, from detection to post-incident review.
    • Plans must be tested annually and reviewed to ensure they remain fit for purpose.

    APRA Notification

    • The entity must notify APRA of an information security incident no later than 72 hours after becoming aware of the incident.
    • The entity must notify APRA no later than 10 business days after detecting a weakness in its security controls that the entity expects it will not be able to remediate in a timely manner.

    RiskLogic has expanded services to include Cyber Consulting to help entities strengthen their cyber security controls and comply with the new standards by 1 July 2019. For further discussions, book a consultation today.

  • Digital Threat Environment: OAIC Notifiable Data Breaches


    Quarterly Statistics Report – October – December 2018

    The quarterly report released by the Office of the Australian Information Commissioner (OAIC) reports on notifications received by the Federal Government entity under the Notifiable Data Breaches (NDB) scheme. Under this scheme, a notifiable data breach is any breach in which the personal information of an individual that was being held by an organisation is either lost or subjected to unauthorised access or disclosure which results in serious harm to the individual.


    Key Report Takeaways:

    The following key points were outlined in the OAIC Quarterly Statistics Report from October – December 2018:

    • During this period, 262 notifications of breaches were reported to OAIC – the highest number of notifications since the scheme was introduced in February 2018.
    • Of these breaches, 33% were due to human error, 64% were due to malicious or criminal attacks and 3% were due to system faults.
    • 60% of these breaches involved the personal information of 100 individuals or fewer.
    • OAIC reported that the majority of the malicious or criminal attacks were largely the result of exploiting vulnerabilities involving a human factor, such as phishing emails or disclosing passwords.

    How could this impact your organisation?

    Reputational: A data breach of any size would attract strong media coverage and create significant reputational and political damage. A cyber-attack could also damage employees’ confidence in the protection of their personal information and deter future employees from wanting to work there.

    Legal: Legally, your organisation has an obligation under legislation such as Australia’s Notifiable Data Breach and the European Union’s General Data Protection Regulation (GDPR) to report any significant data breaches that have impacted customers and their personal information. Following this reporting and dependent on the scale of the breach and any fault that has been found to lie with the organisation, your business may be subjected to a number of legal ramifications including significant fines.

    Financial: Globally, cyber-attacks are believed to have accounted for the loss of approximately $600 billion USD, with the Asia Pacific region alone losing an estimated $171 billion to cyber-crime in 2018. The Australian Government estimates that the average cyber-attack would cost a business approximately $276,323. As such, a breach of this magnitude would be significant for any organisation. Whilst this estimate encompasses the aspects of the actual cyber-attack, it doesn’t factor in the additional longer-term financial repercussions such as loss of business as a result of reputational damage.

    What can you do to safeguard your organisation against these breach attacks?

    Microsoft has reported that from January to December 2018, email phishing attacks increased by 250%. Considering the immense financial, reputational and legal impacts that these breaches may have on an organisation, it is imperative that the appropriate safeguards are in place to mitigate any breach.

    Recent reports indicate 91% of all cyber-attacks are now conducted via email, confirming that human error is one of the key reasons these attacks succeed. One activity you can undertake to counter potential attacks is to raise employee awareness of cyber attacks, security and the risks that these attacks carry with them. Our article on phishing attacks and how to spot them is a great place for your employees to start building this awareness of cyber security and its impacts.

    By educating staff of the dangers of phishing emails, social engineering and malicious human targeted attacks, you will simultaneously improve the confidence of your staff when dealing with possible cyber-attacks and thereby increase the chances of them spotting something so the relevant staff can be alerted. This will greatly reduce the chance of staff being caught by one of these attacks and suffering the ramifications these attacks can carry.

  • Phishing Scams


    Have you ever received a phishing email?

    Odds are you probably have (and might not even know it). These types of cyber attacks are easy to carry out, are increasingly difficult to spot and are very successful: current statistics list 91% of all cyber attacks as starting with an email. That’s why it is important you and your staff know how to spot a potential phishing attack.

    What is a phishing attack?

    Phishing emails are targeted online scams used by cyber criminals to attack an organisation (via their employees) to gain access to information and sensitive data. These attacks are incredibly common, with 83% of organisations recently reporting that they were the victim of an attempted phishing attack.

    These emails may:

    • Contain malware carried in an attachment such as a PDF or file download.
    • Ask you to click on a link, taking you to a questionable website.
    • Be masquerading as a legitimate organisation requesting confirmation of sensitive data or a password change.

    Phishing attacks come in all shapes and sizes – the most common being a mass-scale phishing attack in which the cyber criminals send out mass, non-specific phishing attacks hoping to trick a number of people into revealing sensitive information or data.


    How could this impact your organisation?

    Cyber attacks such as phishing, and the breaches that follow them, can have extremely detrimental effects on organisations. If you were to suffer one of these attacks, you could expect to face severe reputational, legal and financial effects that impact the organisation both at the time of the attack and for years to come.

    How do you spot one?

    The best thing any organisation can do to prevent a phishing attack from impacting them is to build staff awareness around identifying and stopping phishing emails. Following staff awareness training, nearly 60% of organisations saw an increase in employee’s ability to detect and stop phishing attacks from impacting their company.

    Despite their prevalence, phishing emails can be easy to spot if your staff know what to look for. There are five key red flags that employees should pay attention to when reviewing emails:

    1. Request for personal information – If the email you have received appears to be from a legitimate source but is requesting information that the known organisation wouldn’t typically request, there is a high probability you are being targeted by a phishing attack. For example, your bank requesting that you confirm your account details and PIN via email.
    2. Unknown or questionable senders – If the email you have received is from an unknown sender, or a name you don’t recognise, and they are requesting that you download an attachment, click on a link or submit personal information to them, it could be a phishing attempt. Similarly, if the email is not personalised but instead begins with a phrase such as ‘Dear Customer’, there is a high chance it is a phishing attempt.
    3. Spelling and grammatical errors – If you have received correspondence from a well-known organisation but their email contains a number of spelling and grammatical errors, there is a high chance it is a phishing attack.
    4. Misleading URLs or domain names – When reviewing emails that appear suspicious, one way to confirm if they are a phishing attempt is to check that the URL shown in the text matches the hyperlink behind it. If you hover over a URL without clicking, the embedded hyperlink will appear; if that hyperlink is different from the shown URL, there is a high probability this is a phishing attack.
    5. Demanding or alarming wording – Emails that contain phrases such as ‘Urgent Action Required!’ or ‘Your account has been hacked!’ are phishing attacks designed to elicit an immediate response from the recipient. These attacks capitalise on the recipient’s anxiety upon receiving these messages and the likelihood of them responding and providing personal information.

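
    As an added illustration of red flag 4 (not code from the original post or RiskLogic’s own tooling), the script below parses an HTML email body and flags anchors whose visible text names a different host from the one the href actually points to, including the look-alike trick where the real host merely contains the displayed name. It also lists links whose wording (‘click here’) hides the target entirely, so the reader knows which links to hover over. The sample email body and its example.com / example.net domains are constructed.

```python
"""Flag links in an HTML email whose displayed address does not match the
real link target (red flag 4: misleading URLs or domain names).

Added example for this post, not RiskLogic's code. The sample email body
at the bottom is constructed; example.com / example.net are placeholders.
"""
from __future__ import annotations

from html.parser import HTMLParser
from urllib.parse import urlparse


def registrable_host(url: str) -> str:
    """Lowercase host of a URL. Link text such as 'www.example.com' has no
    scheme, so one is added before parsing so urlparse sees a host."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower().strip(".")


def looks_like_url(text: str) -> bool:
    """Crude test for link text that presents itself as a web address."""
    text = text.strip().lower()
    if text.startswith(("http://", "https://", "www.")):
        return True
    return "." in text and " " not in text and "@" not in text


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self) -> None:
        super().__init__()
        self.anchors: list[tuple[str, str]] = []
        self._href: str | None = None
        self._text: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def find_mismatched_links(html_body: str) -> list[dict]:
    """Return one finding per suspicious anchor.

    severity 'high': the text shows an address but the href goes elsewhere
    (an exact host match is the only safe outcome; a longer host that merely
    contains the shown name is the classic look-alike trick).
    severity 'info': the text is plain words, so the target host is hidden
    and must be checked by hovering."""
    parser = _AnchorCollector()
    parser.feed(html_body)
    findings: list[dict] = []
    for href, text in parser.anchors:
        if not href:
            continue
        real = registrable_host(href)
        if looks_like_url(text):
            shown = registrable_host(text)
            if shown != real:
                findings.append({"severity": "high", "text": text, "href": href,
                                 "shown_host": shown, "real_host": real,
                                 "reason": "displayed address differs from link target"})
        else:
            findings.append({"severity": "info", "text": text, "href": href,
                             "shown_host": None, "real_host": real,
                             "reason": "link text hides the target host; hover before clicking"})
    return findings


# Constructed sample: a fake "confirm your details" email body.
SAMPLE_EMAIL = """
<p>Dear Customer,</p>
<p>Urgent action required! Confirm your details at
<a href="http://www.bank.example.com.account-verify.example.net/login">www.bank.example.com</a>
or <a href="https://secure.example.net/reset">click here</a>.</p>
<p>Read our policy at <a href="https://www.bank.example.com/privacy">www.bank.example.com/privacy</a>.</p>
"""

if __name__ == "__main__":
    for finding in find_mismatched_links(SAMPLE_EMAIL):
        print(f"[{finding['severity']}] {finding['reason']}: "
              f"'{finding['text']}' -> {finding['real_host']}")
```
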
  • Melbourne Factory Fire


    In the early morning of April 5th, the Metropolitan Fire Brigade was called to an industrial fire at a factory in Campbellfield. What they saw was an out-of-control inferno with projectiles shooting into the air like rockets. The factory at the centre of this blaze was Bradbury Industrial Services, the waste business that had its licence suspended this year by the EPA after a failure to clean up its act in March. At the time of the fire, the chemical factory had a stockpile of chemicals almost 3 times the allowable level. Whilst the fire was contained to the premises, it covered Melbourne in a thick blanket of toxic smoke, forcing nearby businesses to evacuate.

    The huge plume of toxic smoke generated by the fire became a health concern for people with breathing problems, particularly those with heart or lung conditions (including asthma), children under 14 years old, pregnant women and people over 65 years old. The EPA went further, advising people to stay indoors and close doors, windows and vents.

    This fire was likened to the toxic West Footscray fire in August 2018 which took almost a day to control.

    Licence to operate suspended in March 2019

    The chemical factory had its licence suspended in March 2019 due to a failure to comply with and rectify issues identified by the EPA. These included:

    • An inspection of the premises found 3 times the amount of material being stored on the premises than it was licensed to store.
    • Storage containers were inadequately labelled.
    • Storage containers were being handled outside appropriate areas.

    The chemical factory was allowed to hold a maximum 150,000 litres of material including solvents, inks, paints and other flammable materials – before being processed. At the time of the fire, the factory was storing more than 400,000 litres of the hazardous material. It was almost 3 times the allowed level.

    For residents and businesses in the area, the impact was immediate. With reduced access to neighbouring sites and lockdown procedures underway, concerns naturally started with the health and wellbeing of people, but quickly moved to the economic fallout for the area. The hidden and less talked about impact is how this now affects every industrial business from Perth to Penrith to Townsville.

    The likely impact on your insurance premiums

    The Campbellfield chemical fire is another critical incident adding to global industrial losses in high hazard areas. The recent Insurance and Business Continuity lifecycle webinar presented by RiskLogic and Aon highlighted the tightening insurance market, with underwriters refusing to insure organisations that fall within this high-risk category. The impact of incidents such as these continues to shrink the appetite of insurance companies to underwrite high hazard industrial exposures. This ongoing drop in appetite for industrial hazard risks is likely to spread further than the recycling industry. Organisations with higher hazard operations, including heavy manufacturing or hazmat exposures, are likely to see premium hikes and greater risk retention at best, and an inability to source insurance terms at worst.

    Immediate considerations to prepare for renewal

    Differentiating your risk is key.

    Traditionally, underwriters and engineers have focused largely on material damage exposures and risk management strategies. As underwriters continue to scrutinise risk, however, you will increasingly have to differentiate your organisation's resilience to business interruption.

    This means getting your business continuity program into the insurer spotlight, providing evidence that:

    1. Your business understands its threat landscape, including the maximum foreseeable loss (MFL) for business interruption.
    2. You have robust contingency plans to mitigate that exposure should a catastrophic scenario unfold (i.e. a well documented Business Continuity Plan).
    3. Your leadership and management have tested the validity of the key contingency strategies for recovering the business after a major loss (business continuity scenario testing and exercising).

    Presenting clear evidence of these three elements demonstrates your organisation's attention to managing risk and gives underwriters comfort that you are further up the risk maturity curve than the industry you operate in, differentiating you as a safe bet.

    “Being able to provide evidence and confidence to the underwriters during their insurance renewal cycle is going to assist organisations in having an optimal insurance outcome and increase premium savings as they move through their insurance renewal cycle,” advises Marcus Vaughan, Director Growth Strategies at RiskLogic.

    Sources:
    news.com.au
    heraldsun.com.au

  • Communicating in a crisis – make the public apology count

    Communicating in a crisis – make the public apology count

    Learning from your mistakes is often painful, especially when it knocks some shine off your reputation.

    Learning from the mistakes of others is a much better option.

    Our Head of Communications Tim Archer analyses a very public apology by international fashion brand Dolce & Gabbana:

    Background
    Late last year D&G ran a social media campaign to promote an upcoming fashion show in China. The marketing videos broadcast in China were widely criticised as lame, culturally insensitive and reinforcing stereotypes.

    In the social media backlash that followed, Stefano Gabbana appears to have entered into a war of words with a member of the public on Instagram. The alleged messages were vile, degrading comments that outraged the Chinese public.

    D&G said their Instagram accounts had been hacked, but that claim was met with widespread scepticism.

    In the face of a major reputational crisis in the world’s biggest marketplace, D&G issued a video apology.

    The script
    The wording of the apology is not the main problem here. As a written statement, it is not terrible. It takes ownership of the issue, expresses genuine remorse and provides a sincere apology.

    However, I would mark it down heavily for the use of the word “if”. This word should be banished from any public apology. Saying “sorry if we made mistakes” totally misses the point.

    It is also a little trite to suggest they understand Chinese culture because they have been to its cities.

    The video
    This is where this apology goes wrong.

    Even before they open their mouths, Domenico and Stefano's body language is terrible. They appear bored and uncomfortable. It looks like their PR people have dragged them to the table against their will.

    The setting also creates a barrier between them and their audience, with the exclusive looking room, gold walls and big table between them and the camera.

    They appear to be reading from a script, which makes the words insincere and hollow. It would have been more genuine if they spoke off the cuff, from the heart, in their own words.

    If a script is unavoidable, then a good quality autocue is critical.

    The final words in the video are in Chinese – “we are sorry”. However they are tacked on the end with a crude edit. If you want to try connecting with an audience in a foreign language, do it in a way that shows you have actually remembered the words, without relying on an editor.

    Finally, it is interesting the video didn’t repeat the claim that their Instagram account had been hacked. Remember, in the absence of information, people will assume the worst, so any apology needs to address the elephant in the room.

    Result:
    As a public apology in a crisis, this video is a failure. It disregards the basic principles of crisis communications – transparency, empathy, credibility, consistency and authenticity.

    Score:
    3/10

    Tip:
    If you need help preparing for or responding to a crisis, get in touch today.

  • Data Security

    Data Security

    The internet as we know it has evolved dramatically since its inception 28 years ago, from basic text-based pages to screens full of images and video that are incorporated into almost every aspect of people's day-to-day lives. With an estimated 56.1% of the world's population now having internet access, it has become an ever-evolving function integrated into our daily lives, altering the way we communicate, shop, conduct business and even find love.

    However, this constantly adapting system has also changed the way people commit crime. Consequently, we need to do everything we can to mitigate cyber-crime on our systems and when we are online.

    Australian regulations and schemes
    In its most recent report on notifiable data breaches, the Office of the Australian Information Commissioner (OAIC) found that malicious or criminal attacks are the most common source of breaches affecting Australians, and that these attacks frequently exploit human error, such as an employee falling for a phishing email. With technology occupying almost every aspect of people's lives, it is imperative that employees know how to use the internet safely and securely. Awareness is critical. Simply clicking a link in an email can open the door to malware, compromising the organisation's network and exposing client data.

    Under the Australian Privacy Act 1988, the Notifiable Data Breaches (NDB) scheme was introduced in February 2018. The scheme obliges organisations to notify individuals whose personal information is involved in an eligible data breach. The notification must include recommendations on the steps the individual can take in response. The Australian Information Commissioner must also be notified of these breaches. Failure to meet these obligations can result in hefty fines being imposed on the organisation.

    Further obligations apply to APRA-regulated entities under APRA Prudential Standard CPS 234 Information Security, which came into effect on 1 July 2019. In addition to notifying APRA of material information security incidents, these entities must have policy frameworks in place, such as Business Continuity, Crisis Management and Incident Management plans, that are commensurate with the size of the organisation and are exercised and reviewed annually.

    How could this impact your organisation
    If exposed to a cyber-attack, your organisation could face serious issues impacting almost every aspect of the business:

    Human – A cyber-attack could result in the loss or exposure of significant confidential data and information, some of it belonging to your employees. A breach could make employees reluctant to provide confidential information or, in severe cases, lead them to leave the organisation.

    Reputational – A cyber-attack on the organisation could affect ongoing relationships with customers and key stakeholders whose confidential data and intellectual property may have been accessed. The prospect of customer information being lost or stolen because of a perceived failure in your organisation's cyber security could leave clients and prospects reluctant to continue engaging with you.

    Operational – In many instances a cyber-attack targets the specific systems and applications an organisation relies on. Taking those systems down interrupts critical business functions and impacts operations.

    Legal and Financial – Under the NDB scheme, an organisation that suspects an eligible data breach has 30 days to assess it, and must notify the OAIC and affected individuals as soon as practicable once it concludes that a breach has occurred. Failure to comply with these obligations could result in a fine of up to $1.8 million. Furthermore, if an investigation finds that your organisation did not take reasonable steps to mitigate the risk of a breach, you may face additional fines and penalties.

    What can you do to mitigate cyber attacks?
    Awareness is critical. These six simple steps help ensure the internet is being accessed safely:

    1. When browsing, check that the web address starts with ‘https’ and that a padlock appears on the left side of the browser address bar. Bear in mind that this only tells you the connection is encrypted; phishing sites use https too, so it is not proof that the site is genuine.
    2. When you follow a link from another webpage or email, check that the address you land on is the one you expected. Hover over the link before clicking to see its real destination, and watch for lookalike domains (a familiar name used as a subdomain of an unfamiliar one, or letters swapped for similar-looking digits).
    3. Only conduct banking, shopping or bill payments on a trusted network, such as at home or over your mobile data. Don't do these things on a public network like in a café or airport.
    4. Don't post highly personal information on public sites, and make sure your social media accounts have appropriate privacy settings. Personal information shared publicly can be used to steal an individual's identity or give unwanted people access to private accounts.
    5. Remain wary of disreputable sites and possible phishing attempts delivered via pop-up advertisements or emails.
    6. Do not click on links in emails from unknown senders.
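
    Steps 1, 2 and 6 are the checks a security team automates when it triages the links in a suspicious message. The script below is an added example, not RiskLogic's code or a tool the article describes: it decides whether a link's destination is https, whether the host really belongs to a domain the reader trusts, and whether the text the reader sees points where the link actually goes. The trusted-domain list, the sample links and the naive "last two labels" registrable-domain rule are assumptions made so the example runs offline; production code would use the public suffix list.

```python
"""Link triage: the practical content of the https, URL and email-link advice as code.

Added example, not RiskLogic's own code. EXPECTED_DOMAINS and the sample
links are constructed for illustration.
"""
import re
from urllib.parse import urlsplit

# Hypothetical allowlist of domains the organisation actually uses (assumption).
EXPECTED_DOMAINS = {"example-bank.com"}

# Digit-for-letter swaps that make a hostname read like a familiar one.
_CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

# Something that looks like a domain or URL inside the link's visible text.
_DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)")


def _registrable(host: str) -> str:
    """Crude registrable domain: the last two labels. Real code should use the
    public suffix list; this simplification keeps the example dependency-free."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def _skeleton(name: str) -> str:
    """Normalise a name for lookalike comparison: drop dots and hyphens, undo
    digit substitutions, fold the classic rn->m and vv->w tricks."""
    flat = name.lower().replace(".", "").replace("-", "").translate(_CONFUSABLES)
    return flat.replace("rn", "m").replace("vv", "w")


def check_link(visible_text: str, href: str, trusted=EXPECTED_DOMAINS) -> list:
    """Return the findings for one link; an empty list means it passed."""
    findings = []
    parts = urlsplit(href.strip())
    host = (parts.hostname or "").lower()

    # Step 1: https. This only says the transport is encrypted; phishing sites
    # have certificates too, so the remaining checks still matter.
    if parts.scheme.lower() != "https":
        findings.append(f"destination scheme is {parts.scheme or 'none'}, not https")
    if not host:
        findings.append("destination has no host")
        return findings

    # https://example-bank.com@evil.example/ : the text before '@' is user
    # info, not the host, but it is what a hurried reader sees first.
    if parts.username is not None:
        findings.append(f"userinfo before '@' disguises the real host {host}")

    # Internationalised labels can render as lookalike Unicode characters.
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append(f"punycode label in host {host}")

    # Step 2: the address the reader sees versus the one the link follows.
    m = _DOMAIN_IN_TEXT.search(visible_text.lower())
    if m and _registrable(m.group(1)) != _registrable(host):
        findings.append(f"link text shows {m.group(1)} but destination is {host}")

    # Lookalikes of a domain the reader trusts.
    reg = _registrable(host)
    for good in trusted:
        good = good.lower()
        if reg == good:
            continue  # the genuine domain or one of its own subdomains
        if good in host:
            findings.append(f"trusted name {good} embedded in untrusted host {host}")
        elif _skeleton(reg) == _skeleton(good):
            findings.append(f"host {host} is a lookalike of {good}")
    return findings


def triage(links) -> dict:
    """Run check_link over (visible_text, href) pairs, keyed by href."""
    return {href: check_link(text, href) for text, href in links}


if __name__ == "__main__":
    # Constructed sample links, as they might appear in a phishing email.
    SAMPLE = [
        ("Log in to your account", "https://secure.example-bank.com/login"),
        ("https://example-bank.com/verify", "http://example-bank.com.verify-login.example/"),
        ("Update your details", "https://examp1e-bank.com/update"),
        ("example-bank.com", "https://example-bank.com@203.0.113.10/"),
    ]
    for href, found in triage(SAMPLE).items():
        print(href, "->", found or "ok")
```

    Only the first sample link passes: it is a genuine subdomain of the trusted domain. The other three each trip a different trick covered by the advice above (wrong scheme with the trusted name buried in a stranger's domain, a digit standing in for a letter, and a fake host placed before an '@'). Feed it the links extracted from a reported email and the findings give the help desk something concrete to tell the reporter.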
  • The very public and never ending Baltimore ransomware attack

    The very public and never ending Baltimore ransomware attack

    In May 2019, the US city of Baltimore fell victim, for the second time in just over a year, to a ransomware attack that paralysed part of its computer network. As at 20 June 2019, those systems were still reportedly disabled. The success of this attack is an important reminder of the need for robust recovery plans and a resilient backup strategy.

    Baltimore is just one of the big US cities to be hit with ransomware. Others include Atlanta, Georgia and San Antonio, Texas. Even smaller cities like Greenville, North Carolina and Allentown, Pennsylvania have been targeted.

    Although Baltimore immediately notified the FBI and took systems offline to keep the ransomware from spreading, the malware had already taken down voicemail, email, a parking fines database, and the system used to pay water bills, property taxes and vehicle citations. The attackers reportedly demanded 3 bitcoins (nearly US$24,000) to unlock each system, or 13 bitcoins (nearly US$102,000) to unlock them all. Despite the cost and the months of work required to reverse the damage, Baltimore Mayor Bernard Young told a news conference “I’m not considering” paying it, and encouraged other cities “not to pay either”. To date, Baltimore has incurred an estimated US$18.2 million in losses as it works to restore services and servers.

    How did Baltimore communicate during the crisis?

    Despite the attack, business had to continue and recovery had to get under way. With government email offline, officials turned to Google as an alternative communication channel and created Gmail accounts in bulk. Unfortunately, creating many accounts within a short period from the same network looked like abuse to Google's automated defences: the new accounts were flagged as possible spam and disabled.

    Tim Archer, Head of Communications at RiskLogic, highlights the importance of setting up alternative communication channels well and truly in advance. “Organisations need to consider an independent cloud-based communications tool” and keep an “offline database available so you can still reach out to people when systems are down”, he advises.

    To add fuel to the fire, the attacker also chose to communicate with the city very publicly via Twitter, adding to the public pressure and damaging the city's reputation. Many Baltimore locals and council members publicly weighed in on the city's lack of “cyber hygiene” and its stance on the ransom demand.

    Should Baltimore have paid the ransom?

    There is no guarantee that the attackers will honour their end of the bargain if the ransom is paid. Even if they hand over a decryption key, victims often find they cannot recover all their data.

    A better response is to be prepared, with contingency plans in place to mitigate the negative impacts of such attacks before they happen.

    How common are ransomware attacks?

    Ransomware attacks are growing significantly and becoming more sophisticated all around the world. In the first half of 2019 alone, security researchers were already tracking more than 1,100 ransomware variants preying on unsuspecting users.

    “Organisations need to shift their mindset to thinking that anything is possible if you’re connected to the internet” says Daniel Muchow – Head of Cyber Consulting at RiskLogic. “A common blind spot is thinking that it can’t or won’t happen to us”, he adds.

    Daniel also states, “The scale and velocity of a cyber crisis cannot be underestimated, and organisations should have cross functional plans that are regularly updated and exercised”. Daniel advises that these plans (i.e. Cyber Incident Response, IT Disaster Recovery, Business Continuity and Communications plans) should be exercised at least twice a year “with your systems offline” and “it is important that exercises and plans consider all possible scenarios, factoring in the potential operational impacts to critical business functions.”

    For advice or to review your cyber hygiene, connect with us today.