Why high profile data breaches matter to SMEs

In 2018, while you wait in the reception of any Australian office, big or small, you are almost assured of seeing one thing: delivery of a crate of express bags and small brown boxes. With the arrival of Amazon Prime’s famed two-day shipping, expect to see more!

We strive to provide employees with a place of balanced productivity, and only the biggest Grinch would tell their people to have their new purchase delivered to the front door at home, right?

In fact, if someone wants to have lunch at their desk whilst they shop for new golf balls, share the morning’s running time with their friends or check their eBay auction, that’s fine, it’s their break.

Often marketing email campaigns are optimised to support this behaviour. You’ve experienced this; an email arrives at 10 am or 11 am, you see it, park it, and revisit it over a sandwich when you get five minutes to yourself. It’s a very convenient, effective marketing strategy and it’s not interrupting your or your staff’s productivity, so it’s no big deal.

It’s not a strategy unique to retail: this week’s update from Adobe or PayPal, tips on networking from LinkedIn, “new for you” on Netflix, a newsletter from your private health insurer or your super fund. All these updates are delivered right to your inbox.

Most of us subscribe using our work e-mail, and managing log-in details and multiple passwords can be challenging. Consequently, the figures are scary: Verizon’s Data Breach Investigations Report 2018 found 59 percent of all respondents said they mostly or always use the same password. Australians fared better, but still 36% say they reuse passwords.

When data breaches hit the news, we have a tendency to think to ourselves:

“They’re a big target, they’re in the US or Europe, cyber criminals have no interest in my business”

The reality is that these large-scale data breaches potentially put access to your network up for sale. Compromised e-mail addresses and passwords from mega-breaches like LinkedIn (2012), Yahoo and Adobe Systems (2013), eBay (2014), Ashley Madison (2015), Uber (2016) or most recently Twitter and Under Armour, inevitably find their way to marketplaces on the Dark Web.

The Australian government said last year 12.5m Australian e-mail addresses have been published online, and that was just on a single identified server!

Recently, the team from Edmund caught up with one of the leading threat intelligence companies in the US. They showed us through some Dark Web monitoring that showed compromised e-mail addresses and passwords available for sale. What we saw was striking. We were quickly able to identify known e-mail domains that had been compromised and were for sale alongside the password in use at the time of compromise.

And therein lies the potential problem for Australian SMEs. If this many Australian e-mail and password records are available to buy and 36% of Australians admit they reuse their passwords, we are much closer to the big global data breaches than we think we are. With an e-mail address and password, or better still an e-mail address and a number of corresponding passwords, cyber criminals may be able to quickly work out how to gain direct access to your business network. At the very least, they are well equipped to launch phishing and/or social engineering campaigns against you or your staff.

From there, they can try:

  1. Launching a fraud scam on your unsuspecting staff so they pay funds into a fraudulent account;
  2. Using ransomware to lock your network down and extort funds from you to regain access; or
  3. Stealing your client data and putting it up for sale on the Dark Web,

to name just a few. Any of the above may result in significant cost to your business.

It’s hard to stop people using their work e-mail for subscriptions, but there are steps SMEs can take to protect themselves.

  1. Practise good password hygiene and make sure your staff do the same.
  2. Check to see if your e-mail has been compromised and, if it has, revisit your login credentials thoroughly! You can check it here.
  3. Visit Edmund today and get a cyber insurance quote for your business. We’ve made it really easy for SMEs in Australia to get cover, which takes about 8 minutes. If you are hacked, threatened or lose data, we’ll cover you for the costs to recover, for any loss of profit and provide you with a 24/7 Emergency Response team when you need them.