Lock it down: Cybersecurity for NDIS business

Australian Cyber Security Centre (ACSC)
cyber.gov.au

Stay Smart Online
staysmartonline.gov.au

Scamwatch
scamwatch.gov.au

Cyber Check. Me
cybercheck.me

Avast Free Antivirus
avast.com

Bitdefender Free Antivirus
bitdefender.com

LastPass
lastpass.com

Let’s Encrypt
letsencrypt.org](https://letsencrypt.org)

Have I Been Pwned?
haveibeenpwned.com

Business.gov.au Cyber Security Information
business.gov.au

Office of the Australian Information Commissioner (OAIC)
oaic.gov.au

Cyber Aware
cyberaware.gov.au

ReportCyber
cyber.gov.au/report

IDCARE
idcare.org

ATO
ato.gov.au
Direct link to report scams involving MyGov, Medicare or Human Services/Centrelink

ASIC
asic.gov.au
To report businesses not operating within regulations of Australian companies, financial markets, banks and professionals who deal in investments, superannuation, insurance, deposit-taking and credit.

Services Australia
servicesaustralia.gov.au
For direct reporting to Service Australia (Centrelink) for scams and identity theft.

Lock it down Cost effective Cyber security hacks to protect your NDIS business-20240703_030100-Meeting Recording 

 
Hi everyone, hope you are warm and toasty where you are today. We'll just give everyone a minute or so to show up and then we will kick off today's session. 

  
I have my blanket and my actually, I don't have a warm cup of tea. That would have been a really good idea. But next time, that's alright. Alright, 

 

Ohm minutes and we will launch in
Alrighty, let's get this show on the road. Hello everyone, welcome to our Kenora webinar. Lock it down cost effective cybersecurity hacks to protect your NDS business to today we are joined by 1 member of the brains trust of my plan manager, Isis Murphy. Thanks for your time today, Isis. We'll get to the webinar shortly after some quick housekeeping. My name is Yvette. I'm part of the team here at Kenora and I'm also joined by 

Erin who will be manning the chat. If you're a Canon, remember there she is, there she is. If you're gonna remember, you might recognise us as coaches within the community. Today's webinar speaks to all indis service providers out there that use technology like email, mobile phones and the Internet in their day-to-day operations. So I would say that's nearly 99.99% of service providers out there. In today's world, if your business is technology enabled or dependent, you're exposed to a risk of cybersecurity threat and data breaches. Even if you think your business is too small to be of any interest to big time hackers or scammers. This might sound concerning, but it doesn't have to be. Cyber security is a serious consideration that all service providers need to dedicate some time to addressing. But in today's webinar, we'll hopefully make the situation clearer with some actionable steps. This webinar is about level setting for Ndas businesses, including sole traders. About what is actual, What is an actual consideration for them in regards to cyber security rather than a scare campaign, it will be a checklist of practical knowledge and cost effective steps to ensure your business success isn't compromised by online sabotage. All right, welcome. Before we get into it, I'm pleased to introduce and speak today with Isis Murphy from my Plan Manager. Isis works within risk and compliance and her job is to be across issues that affect provider compliance within the NDS space. Needless to say, she is a very busy woman. Thank you so much for being here today, Isis, and welcome. 

 
Thank you, Evette, and thank you to everybody out there.
Amazing. Just before we get started, some light housekeeping and a brief background on Kenora. 

If you're already a member, you may be aware that we record today's session to share the replay of the webinar and any resources that we speak about within the community. If you're not a member, don't worry, we'll send the replay and the resources direct to your inbox. 

 
If you'd like to set up closed captions for today's session, click More at the top of your screen, then select Language and Speech, and finally turn on Live Captions. Also, while you're looking at the top of the screen, you can find the chat button. This is where you can introduce yourself into your comments and ask any questions as we go. Erin will be monitoring the chat today and any questions that come up during the session will answer them at the end of the webinar. Any that we don't get to, we'll make sure that we put the answers into the community and follow up with you directly if you can test it out now, let us know in the chat what you'd like to get out of today's session so we can make sure that we tick it off the list. 

 
Just a bit about Kenora if anyone knew to our webinars. Kenora is a safe and supportive online community where you able to get support for your NDIS questions from us coaches and the community of thousands of NDIS participants, their support people and fellow service providers. You can also ask specific Ndas, business questions and network with service providers in the providers only channel. 

Finally, before we get into it, I'd like to make an acknowledgement of country 

 
in the spirit of reconciliation. Kenora acknowledges the Traditional Custodians of country throughout Australia. As I come to you from the land of the Wrenbury people of the cooler nation and wherever you are around Australia and their connections to land, sea and community, we pay our respect to the Elders, past, present and future. We acknowledge the culture, diversity, knowledge and experiences of First Nations people and celebrate their contributions and specifically those living with disability, their families. There is an individuals dedicating themselves to a career in supporting people with disability. 

 

Alrighty, if you're just joining us now, the aim of today's webinar is to demystify the topic of cyber security and to take it out of the realm of Hollywood blockbuster action films and something only big businesses with Russian enemies should worry about. And they go back to ensuring that your and your clients details continue to remain safe and your business interests, however modest, continue on without disruption from online threat. For providers who join us today and those who watch the replay later, we'd really like you to feel supported and nowhere to go for further information on cybersecurity as your situation and your needs change. Again, just a little reminder to let us know in the chat what you'd like to get out of today's session. 

 
Alright, I'm gonna stop sharing now and before we really get into ISIS, was there anything further that you wanted to stay in relation to what you do and what you'd like to see as a result of today's webinar? Sure. Thanks, Yvette. Hi everybody. As she said, I hope you're certainly hope you are keeping warm. 

 
Yeah, as Yvette said, I'm from my plan manager group. I work in the quality and risk team. My focus is actually on fraud and serious non compliance within the NDIS environment. So whilst I'm not an IT or cyber expert, I do spend a lot of time with our IT professionals and sourcing information all over the world from what are our emerging threats and risks. And what we've seen is, as I said, my focus is fraud and serious non compliance in the NDIS. And there always seems to be a cyber component to the activity that we say.
I am somewhat new on my journey as well, but I think that gives me a good place to start with you so that you're not being overwhelmed with some of the technical jargon that can really port you off and sort of go, I'm just going to put my computer away and just hope that nothing happens. 

 
Yeah. And even just starting with the basics is a good place to start for sure. Absolutely. And starting to know how to think about risk and think about cyber. So for us here in the My Plan Manager group quality and risk team, we're all about getting individuals and businesses to recognise and manage their own risk and not to be over reliant on other peoples other peoples advice and solutions. So it's really about getting you to recognise that you have the skills and ability to identify and manage your own risk in this space. 

 
Yeah, amazing empowerment for small business management or big business management and just extending that to today, the cyber security space. That's great. Amazing. All right, So thank you. In terms of, um, what the situation is at the moment. So can you give us a rundown on 

 
I guess the latest stats or the findings in regards to trends and threats in cyber security in small business and I guess more specifically to do with the NDS industry? Yeah, absolutely. So look, I spent a lot of time trying to keep up with the current trends and emerging risk and it can be quite tiring. And I'll ask you to humour me while I prepared you with little animation, just to kind of show you what it is actually like. Bear with me a SEC. 

 We've got the world map. Fantastic. Thank you so much. Now, this is my first time joining a webinar, so and a bit of an amateur, so bear with me. Thank you. Right. So as I said, constantly gathering stats and information and it can get quite overwhelming. So I thought I'd try and illustrate that for you. And it was, it seems as fast as an attack happens, the statistics change as well. So it is quite hard to keep up with. But we're looking at things like, you know, they're quite scary. 37,700 ransomware attacks every hour, 578 per minute. 30 million new malware samples detected in 20237 million global phishing attacks detected in 2023. What are the costs looking like? Well, cyber criminals are making off with some decent money, about 1.1 billion in 2023 alone. The global cost of cybercrime was 8.44 trillion in 2022, the expected forecast. It's a jump to 23.84 trillion by 2027. Cost of data breaches is quite significant. As you can see, the stats are overwhelming.
Mexican businesses were the most likely to fall victim to multiple attacks. Oh dear. Followed by Australia. So what's happening in Australia then? We are, yes, Now the Australian Signals Directorate. They've been around since the First World War. Look and they help, you know, they form our intelligence within Australia and protect our shores. So they work a lot in cyber and they collect the the statistics and post some really good reports. So they saw nearly 94,000 cyber crime reports last year, up to 23%, and they receive a report every six minutes, $29 billion in losses and detection and recovery costs every year. For Australia alone, 53% of those costs are on detection and recovery and some of the things that they're blocking every day, 172,000 attacks up 336%. 

So as you can see, it starts to get actually say that this wasn't going to be a scare campaign. Nice and look. Overwhelming, isn't it? Yeah, it really is. Look, there are some good things though. Australia is seen as the 4th global leader in cyberspace resilience, and that's takes us to where we want to go today. So you're exactly right, Ebet. You focus on these stats and you're probably gonna be too scared to do anything. Where do you even start? So we all know that it's a risk now. So trying to keep up with these stats every day, it's not actually very helpful. We need to look at who is committing these crimes, how, why and where. And that's what we wanna look at today to help you start thinking about risk and thinking about how cyber criminals work, what they're after, and how you can better protect it. 

 
Amazing. Alright, 

So is this where we move on to asking where NDS businesses are the most vulnerable when it comes to security breaches? Sure. So under the NDIS at the moment, we know that, you know people. Sorry. Thank you. So sorry. I'll talk a bit more broadly about cyber crime 1st and then we can actually look at how it plays out in the NDIS. So who's committing these crimes? Unfortunately, most of us live in trustworthy communities, and most of our friends are trustworthy. So it's hard to imagine that people would be motivated to do the wrong thing by others. But unfortunately, they are. A lot of people are motivated to take from others. And we know that it's a growing industry. Like, worth trillions of dollars. So that's right. Can't even comprehend trillions of dollars, can we? Yeah. Yeah. But we see four type 4 main types of threat actors. It's important to know who these are because then as we move into the NDIS environment it'll make a bit more sense. So we have cyber criminals that operate both internationally or are associated with organising opportunistic, opportunistic NDIS crime. We know there are organised networks within the NDIS markets, and you only need one or two within those networks to have the skills and ability to infiltrate systems. And then that data becomes quite a valuable asset that can be sold off. 

 
So why are they doing it? Well, previously, you know, people would try and redirect monies. Now information is actually more valuable. And by accessing information, you can commit multiple attacks and get multiple financial benefits from those and all the different things. Yeah, yeah. And of course this can happen anywhere at any time. It's not like traditional theft where it might only happen after hours or criminals don't tend to, you know, be fussed about working overtime and they're rather autonomous in their roles. So they'll hit you, you know, outside whenever they want. And. And then also. So. Yeah, breakfast movie. Yeah. And they can just. Yeah, sure. Sorry. Back when we were talking about The Who. So obviously international cybercrime conglomerates, whatever, that's the thing. But then it's known that there are specific NCIS, specific groups that are targeting the particular industry.Like is that that's definitely a known thing? Absolutely. Yep. So we know for a fact that there was a significant data breach and that was internal to the agency and a significant large amounts of Bendis participant data were accessed without authorization, like access without authorization inappropriately. And they've been sold off to organised crime networks who would then target those participants for their their funding. Yeah, right. OK, cool. So it's definitely a real thing within the industry that absolutely. And government programmes have always been targeted. And internationally, activists and cyber criminals know that Australia is a good target and the NDIS is quite lucrative. So I can say for a fact that we know that international cyber criminals recognise the NDIS as a lucrative target. 

 
Interesting they go. Not necessarily what we want Australia to be known for, but yay. 

 Anyway. Sorry, moving on. No, we've got and the what? Yeah, and the why is obviously for information. What have we got next? We've got where? So where are they doing it from? We can operate remotely. People are operating from the other side of the world, but they can also be operating from within your systems and physical locations, in your offices nearby and in participants homes. We're seeing people providers go into participants home accessing their personal devices, setting up communication channels for them as a like to operate on their behalf as opposed to working alongside them and assisting them to manage their own information. So yeah, it's not not like traditional crime where you know, it might happen in, you know, in your banks, in the shops and things like that. It's it's anywhere and everywhere. 

Hmm. 

Again, the why? It's seen as easy money. It's seen as highly available and easily accessible with a low risk of or fear of detection and penalties. 

So it's saying it's like there's not much chance of punishment. Um, people may commit cyber crimes because of economic pressure or want to feed a lifestyle. You know, it's a much nicer to cry in a Lamborghini than it is, you know, in your old Corolla that's needs new tyres. So, you know, people are motivated by all sorts of things. It's important to remember as well that people develop motivation over time, particularly when you're talking about internal threats from your own staff accessing information they shouldn't. You know, it's important to focus on workplace culture and look at the environment that we're all living in. 

Are you, are your staff under stress? Are they under economic pressure? And they may start to, you know, they might take advantage of easily accessible information or they might decide to start, you know, committing fraud because the opportunity is there and because your controls are relaxed. 

 
Hmm. So opportunity, um, internally is definitely a thing to consider. Absolutely. Yeah. Yeah. But then obviously with stringent internal processes and all of the safeguards in place, then that makes it much less likely for those sorts of circumstances, which I'm sure we will get into down the track as well. Yeah. So can we are we able to we want to actually move on to how where the businesses India in the NCIS most vulnerable to breaches? Absolutely sure. Cool. 

 
So there's a couple of things that before I go into like how how these attacks might present and little practical tips are really want to sort of get across the idea of the way you're thinking about risk is really important. So there's no point looking for some quick fix tech solutions if you're not really clear about what problem you're trying to solve. 

We find that providers are most vulnerable where they have the least information, knowledge and attention. Totally. Because I don't know what they're looking for or what they're starting from, what you're protecting. Yeah. So your information? 

Is your most valuable asset and it's really important to know what data you hold and where you're storing it. I've got a bit of a something I'd like to walk through with you if that's OK. Yes, bit of an example because I find that trying to think about crime and cyber attacks in that your environment can be quite overwhelming. You know, it's not. So do you want to get inside the mind of the criminal? Yeah. So I thought I would, 

I liked it. So in the quality and risk team, we do a lot of scenario based thinking, so a lot of whiteboarding. And so and that really helps us to think creatively about how fraud or cybercrime might occur, when and where and what we need to have in place to potentially stop it and helps us be more prepared for real life examples. So I'm just going to talk through this and then we're going to think about how this might apply in the Ndas environment. So Lucy is 22 years old and moves to a new neighbourhood and EIS she's on her own for the first time. 

 
So I'll try to perhaps. Having grown up with her mum and dad and two older brothers, Lucy is unaware that the neighbourhood she has moved into is facing increasing crime, particularly breakings and theft. So the NDIS, we sort of thought it would be a safe place to operate business. Turns out there's some there's some threat that we there is that we didn't say. So Lucy secures her property at night and keep some jewellery in a locked drawer. She knows the totally raised valuable and so she locks it away. She has however inherited a large coin collection and various ornaments from her grandparents but doesn't recognise their value and she just kinda keeps them lying around the house. One day she's entertaining friends out at the back and leaves her front door open. Someone sees this opportunity and enters the house, stealing everything and anything they can find. When Lucy and realises she has been robbed, she's unable to determine exactly what has been stolen or from where. 

 
She didn't know where she was keeping it. Yeah. As a result she under reports her losses because she didn't recognise the true value of all her belongings. Not to mention her parents are pretty upset when they realised that their family valuables have been lost. 

So what does this look like in terms of information security and the NCIS? What is your? 

 
What is your open door? Is it your archive database, so your backup information? Is it your devices such as mobile phones? Is it your staff awareness? Is it your system and user permissions? 

Sorry, I guess I'm trying to let you know that I'm trying to compare it to traditional crimes that we can easily understand and think about and put measures in place. So if you can apply that same thinking to cyber, you're better prepared to identify the risk before it happens, put preventative measures in place, and respond quickly when it does occur. 

 
Hmm. So in that scenario, say, um, for a service provider, the things that the things that are in the vault are say your client data and information, because you know that that's important. So that's under lock and key. But then say the coin collection and the various other jewellery and whatever is say, your mobile phone or your laptop or anything else that potentially has access to those things. Or 

I mean, what else are the things that we don't necessarily regard as super important when it comes to security, like access to information within an organisation with our staff and that sort of thing. So I guess the point is, I'm trying to get you to recognise that you need to know what it is that you hold that is of value. So you need to know what information. So criminals know the value of your data and the combinations of that data. So the first step is to recognise what information you hold, where you store it and what value it has to criminals. Because like Lucy with the coin collection, she saw the value in the jewellery, which might be NDIS participant in, you know, and participant NDIS numbers, banking information, employee details. Yeah. Coin collection is things like your artefacts, your health information, Somebody might send an OT report to you, a service agreement, things like that. Consent to share information. There's still, yeah, there's value and those pieces of information you need to know where they are and and the value to keep them well, where to put them and where to put them exactly. So even having dispose of them properly as well, that's right. You don't actually need them. Yeah, yeah, yeah, for sure. 

 
OK. So in that scenario, everything's locked down. 

How can businesses and sole traders actually identify that they're at risk or have been compromised? 

I guess that's one, you know the importance, sorry, say that again, how you've been compromised. How do they know? How do they know or or how do they find out where they're at risk before they're actually attacked or that have been have had their data accessed? Sure. So again, really work to identify what your business does, what processes and activities exactly, what prices and activities you have, what high risk activities there are and what information you're holding and where it is stored. 

 
Then you can start to develop better incident response and business recovery plans. Yep. And then you can start to also better understand how some of the ways which cyber criminals operate, which we can go into shortly. Umm, now that that threatens your your information for sure. Amazing. Alright, so with that in mind, we've identified what's valuable, where we store it, what we do with it, everything's locked down. What would be your minimum recommendations for small businesses and the NDS space to make sure that everything is secure? Like what do they need to kind of check off? 

 Yeah, sorry. 

Again, information, get yourself well informed. Start thinking in terms of risk, start doing scenarios of if I have this information and it is stored here, how could people try and access it? Where are our weaknesses? Get them well mapped out and ensure that you understand exactly where those open doors are and what people might try and take and when and where and how. So that would be so your internal policies and protocols in terms of, um, data management and storage, you risk assessments in terms of of data access and then the process that you would take if that happens and who you would contact and how you would go about informing people and reporting it and that sort of thing. So making sure you've got that ready to go in your absolutely file facts of your business information for sure. Yes. So we really focus here on prevention, detection and response. So, and hence my focus is on the prevention, the really informing yourself. Don't even try and take those next steps until you're quite clear about what it is your business does, what processes they have, what the high risk activities are, what information you obtain and how and where you store it. Then you can start to actually think about what other solutions you need in place to protect yourself. You don't want to go and invest in a heap of tech solutions if you don't even understand the risk that you're trying to mitigate. So you need to as a starting base really be sure of what it is you 

 
OK within your operating environment, where those risks are and how you can and how you can best mitigate them. Then you can start to look at those tech solutions. But a lot of it starts with you and your ability and how you're thinking about risk and how you're then let's say he managed from there. Yeah, yeah, so certainly, sorry, risk, risk management policies and procedures, insecure information security management policies and procedures. Identify those high risk activities and make sure that there is some very robust policy and procedure. Internal staff may you know data breach is going to occur through negligence or just gaps in policy and procedures. Really focus on your workplace culture, ensuring that staff appreciate information security and understand cyber risk and know what to do and who to notify if they have concerns and how to identify suspicious activity. 

Cool. So like an extension of policies and protocols internally would also be staff training and awareness of what those policies are. Obviously letting people responsible, excuse me, letting people who are responsible for that response and communication so they know where to go to find. Because you would hope it's not an everyday occurrence for your staff to be able to deal with a circumstance like this. So just making sure that they're aware of where to find these processes to follow if and when it actually happens, correct? I want to make a point in terms of like data management of say client information and staff information as well. A lot of businesses use say cloud based software or programmes to obviously facilitate easier business operations. Is it worth having an understanding of what these individual apps and business tools, what their cybersecurity capacity is like? Is that something that you would recommend these businesses to to look into themselves? Absolutely. And sorry, my nerves have probably got the better of me. OK. It's, you know, there's so much information and so much knowledge to take in and pointing you in the right direction is very important. 

 
Sorry, sorry, what was the story? So one of the ones, I mean, when I was just at the NSA conference early in the year, shift care was one of the ones that came up there. So they're obviously it's scheduling for support workers, that sort of thing. And so it's got employee data, it's got client data, it's potentially got addresses, it's got times when people are at certain places. So that sort of information is, well, it's got like primary information in terms of client details, but then it's also got, as you said, the less important but can also contribute to piercing together that situation like so scheduling like rosters and that sort of thing. Yeah. So being aware of what these programmes and tools and apps and absolutely something, yeah, yeah. So spending some time on that discovery, again, what information do we come across and is there stuff that we don't ask for but that we get anyway? So we, like I said, the OT report, somebody sending you an email about a participant when there's way too much information in it. You support coordinators would see that quite a bit. Now you get some of these whole life story that's putting you at risk. You don't need to hand be holding that information. So it's really about discovery. Find out what information comes across your business, where you store it. As you said, you've got some informations in the cloud, some is in physical assets. You need to be able to identify and list and describe the data and the assets in which they contained and the level of risk associated. Your employee ID documents are obviously high risk. You NDIS participant information is high risk. In developing code is high risk. So identify again the information where you're storing it and whereby the solutions are outside of your area of expertise. That's where you go and get your IT support and expert assistance. The best place to start for that sort of objective information is this, the Australian Cybersecurity Centre, you know, they're not trying to sell you any products, they're very well informed, they're objective. Go there, they have some great resources which will send you at the end and they'll take you through step by step. Firstly, how to assess your business functions and how you operate and then what solutions might be best for your business. And then you can find out essentially got like pre audit, like templates or suggestions to how to go through and find, yeah, they've got great potential for resilience. Yeah, See where you're at within your business and what would be the best tech solutions for you. 

 
I don't wanna be to the idea of oh, sorry, you don't wanna be what? No, I was gonna say you can over invest. You know, if you get somebody who's just trying to sell your product, you'll over invest in potentially in the wrong area. So you need to know what area is your risk and then address that. But do discovery first.
So kind of in that in that frame of mind. So with discovery and then doing stock take of all of your potential like information assets and what it is and and where it is. How would you do that? How would you suggest like is that something as simple as like a note on your phone or is that an Excel spreadsheet or would do you invest in like like I'm your you're in risk and compliance. I mean, I'm not I'm not I'm looking how you actually collect information resources. Yeah, it really depends on where you're at. If you're fortunate enough to have an exec team, get your exact team together and do some whiteboarding. If it's just you know, there's nothing stopping you from on the weekend over a glass of wine, getting out a piece of paper and scribbling down from my listening of what everything is. That's right. Just continuously thinking, known as I think, yeah, no, just get thinking. Just start to. I think the best step is to not be looking for quick wins, not be looking for all the answers. It's to just start removing some of the beer. Yeah. And thinking logically how you would go about it. You could manage your home security. You can manage this. It's just about getting thinking about it correctly. So yeah, do it on a piece of paper. 

You can do it at anytime. I often do some thinking and scenarios on the weekend because that's when I'm more creative. And when you come back to document it, though, you're absolutely right. Start moving it into a spreadsheet. Create yourself a register, get some coding. You know, there's so many capitalist society, there's so many resources out there, you know there's plenty. Get good with your Google searches. You can find so much on your own, Yeah. So just start looking. What would you? What would you be Googling? 

 
What would I be Googling? How to determine data value? 

 OK, cool. Great. Yeah, just start thinking, Yeah. 

 Then along along the lines of so being aware of your assets and being aware of waste all them and what's valuable in the same sort of breath of being an NDS service provider and compliance to being a registered provider. Are there any specific requirements when it comes to cybersecurity and and internal policies or security in any measure? I guess is there something specific that's outlined as part of registration? 

Look, there are requirements, there are some significant technical requirements, particularly for plan managers and the APIs and things like that. There is a requirements for ISO 27,000 and one to meet certain information security management standards. For the most part though, non registered or registered, we're bound by the Privacy Act, we're bound by the code of conduct. You know, we all have an obligation and responsibility to make sure that we collect, handle and store information, you know, in a transparent and fair way. So yeah, nothing. Yeah, nothing specific. There's no, but unless you're dealing with huge amounts of data and then that's very much part of your internal, that's part of your day. You have people that yeah, that absolutely. Yes, Yeah. Alright, so since you love scenarios so much, in a worst case scenario like of a data breach, how would you suggest a business goes around managing the situation and communicating to their stakeholders what's happening? 

 Yeah, again, I can't stress enough that the discovery is really important because how do you know what's occurred and what you've lost unless you really understand the possible threats? So the first part of if a breach has occurred is determining what exactly happened, what have you lost, what was impacted, who was impacted and how significant was it. We find because I do do a fair bit of incident response here at my plan manager and the first thing I need to do is identify what type of attack it was because each attack type requires a different response. 

If I, if we have, you know, in some instances we will need to support the affected person. Yeah, 

they may appear, you know, and at some stage demand, you know, and, and at some stage there's uncertain, It's unclear whether a provider has been hacked or don't know why that happened. You're in demand and you're in the dark. Goodness, yeah. So we need to work out the type of threat first before we can determine how to respond. So again, going back to the discovery is really important. 

You had some examples of potential forms of attacks. Did you want to show those ones? No. Yes, that's all great. Let's show those. Yes. So this is definitely help to establish what the attack was. Yeah. And then towards what's been compromised, Here we go. You can say that. Yeah, yes, we can. 

 
So for the most part, look, and you'll hear so many technical terms, but for the most part, cyber criminals are just trying to trick you. They're trying to trick you into providing information or taking action or giving them access to things. So, you know, all these types of attacks are essentially trying to do the same thing. They're trying to trick you and this type of if you, if you can start to learn and get information about what these attacks look like and how they present can recognise them in real life. Yeah. And your staff can recognise them too. So typically all are gonna be fishing. So fishing is the term for trying to get, you know, trying to get your attention or get you to do something. And they typically look like this. And you'd be so surprised. People do they'll you've got free pizza, free parking, free anything. People will click on it, even our IT experts. So email phishing typically looks like this. You know, it's all bells and whistles, exciting, quick, quick. You don't want to miss out. So that's what a phishing one will look like. And that's typically how most significant attacks will occur. They start off like this. You press a link or you download an attachment and then your systems become infected and then some monitoring occurs and then they'll determine that's from there what happens if that thing is downloaded or so there's so many different types of malware out there and ransomware is one of them. You probably heard of ransomware. So basically they've it infects your system, takes it over, and then they'll say, hey, you can't access your systems unless you pay us some money. 

 
You know, that's France somewhere. Other infections will allow for cybercriminals to sit and monitor your incoming and outgoing communications for some time. And that's where we find small businesses are particularly at risk because they're not necessarily the intended victim, but they are the host. And then bigger players like ourselves or the agency will actually be the intended victim. Yeah, so they might. So they'll come in to a small business account via these phishing links and then they'll sit in there and then they'll attempt some of these other methods of getting action. So one thing we do see is they'll sit in the inbox and then locate somebody that they can impersonate, and then I'll attempt another attack. So it might be an internal staffer they'll impersonate, or it might be another supplier. And as you can see, it's an impersonation, impersonation emails. And you can train your staff to detect them because they'll be subtle differences in in email header. As you can see our plane manager.com dot AU. And they typically say things like, hey, look, it's me. Can you quickly do this? Oh, it's me. I know I just sent you an invoice, but can you update my bank details? 

Yeah, there's example, that example there. You might think, oh look, my stuff wouldn't be silly. People wouldn't do that. 

 People are actually more scared of the embarrassment of looking alarmist and paranoid than they are of making a notification. So it's really important to drive that staff awareness and that culture of you see something, you call it out currently. And the most dangerous to all of us, particularly because your cyber insurance policies may not be covered if your policies and procedures aren't in place. It's spoofing an account takeover. So this is a tech. Spoofing is a technical process where from outside of systems, a cybercriminal can make their email header appear the same as annoying as a known sender, right Check. There are tech solutions that can detect that, but they're not 100% foolproof. So the staff awareness training is really important again to sort of pick up that the tone and the and the timing and that's right is expected and that's right just out of the blue. Yeah, yeah. And then the account takeover. So again, that starts up the top. They've come in through phishing. They sit in the account, they monitor, they find a good target like us that my plan manager or the OR the NDIS, and then they operate as the host X Solutions will not detect that whatsoever because of that cyber insurance and will not be provided if you do not have robust policy and procedure in place because tech solutions will not detect that. So that's things like callback procedures. So if somebody asks you via email to change their bank accounts, you're expected to give them a phone call. So in terms of those internal oops in terms of those, yeah. I mean, I guess specifically for today's cybersecurity pros, protocols and whatnot, are there, are there like templates or are there places to go for that sort of information, especially for say like sole traders who don't necessarily have vast teams of IT or risk and compliance people or even even smaller just small businesses that they may have a few people, but not necessarily that sort of level of technical knowledge. Like would those sorts of templates or protocols exist in some form that they can adapt for their own use? The Australian Cybersecurity Centre has the best tools available. They're really fantastic and they have an information security manual and the Essential 8, so some basic mitigation strategies that people can put in place. A lot of these are aimed at small businesses too. So they have some some screening it's that you can use and some guides and some templates. Again, they also stress you need to understand each threat type and your risk position before you should even bother trying to put things in place. So it's really about that discovery, trusting that you have the skills, the ability. You know, we're a relaxed country, but we're not a stupid country either. You know, we have the ability to seek information, network with others and really build our knowledge and. And I guess that's wrong. Yeah, totally. So along the same sort of lines, where can 

 
I guess small service providers to big service provider providers go for further information and to what would be, I mean, we've got the Australian cybersecurity, no cybercrime, Yep, Australian Cyber Cyber Security Centre run by the Australian Centres Directorate. Yep. And so that's at cyber.gov dot AU. 

Also, I have a scam watch. They're very good. They show the most recent scams and provide you tips on how to report and notify. The office of the Australian Information Information Commissioner also has really good tips on how to identify and report, as well as the Australian Federal Police. They're really good. They're worth following as well. And I noticed recently within SA, a local community police station at Murray Bridge, they're actually holding something similar, a community event focused on E crime and cyber security for small businesses. So, you know, be proactive, get out there and ask councils, ask your police, you know, try not try to stay away from, people who, you know, commercial selling a product. Yeah, totally. Yeah. Until you know what it is you're looking for and the solution you're trying to provide, then maybe stay away from people who have trying to sell a product that have an agenda. Yeah, yeah, yeah. But the Australian Cyber Security Centre and new police, they're the ones free to access and want everyone to be safe. And so. Exactly. Yeah, yeah, yeah. You know, they're gentle. There is going to be similar to yours, yes. Amazing. Alright, So is there anything further that you wanted to touch on ISIS or can we throw to some questions from the chat 

You have probably running out of time so quickly through the chat. Thank you to the chat. Aaron, have we got any questions that came up? Yeah, we did something that you have any questions in the chat here today? We did have a couple come through via email of members that couldn't be here Live Today, but you have kind of actually answered them already. ISIS, there was a question about your obligations under the NDR, yes, specifically for providers as far as their privacy policies and stuff like that go. But you went through that. The other one was about conducting a risk assessment for your organisation. How do you go about that? I presume that would just be going to that Cyber Security Centre website, reading through all of their templates and things like that and adapting it for your own business. Would that be the best, best step in that case, do you think? Solutely, yeah. Yeah. Without knowing about everybody's individual business and what activities they do, I don't particularly want to give advice to anyone. I think it's best to yeah, yeah, yeah, absolutely. I can see there's a couple of people writing questions now, so we'll just wait for those to pop up. But in the meantime, I thought a question that I had, you've kind of talked about it already, just, I guess everyone knows how important cybersecurity and all this stuff is, but what would be the worst case scenario if someone did get breached? Like 

what could happen to that business? Really? Like, have you seen, I know you don't want to mention business names or anything like that, but what could be your worst case scenario if someone didn't go through all of these steps and get their policies, procedures in place and things like that? 

 What do you think would be a, yeah, bad outcome from that? Look, the average cost is saying to be about $46,000 for small businesses alone for each breach. And there's reputation damage. Some some do not recover there's some won't be able to continue business. The reputational damage is can be devastating. Yeah. And look, the even just know whereby a loss hasn't occurred, just that uncertainty can disrupt your business for, you know, up to, you know, 5 to 10 to 15 days. So, and particularly, you know, if you're the best thing to do, of course, if you suspect a breach is to lock down accounts. 

 
So locking banking, locking communication. So when that occurs, there's going to be delays. I mean, I know, you know, we, we make sure that we communicate regularly when it occurs here at my plan manager. Thankfully, it doesn't happen too often, but on the occasions that it has, you know, we're both trying. We're trying to identify, We're trying to contain. We're trying to communicate. We're trying to report. We're trying to inform ourselves. It's a lot happening at one time. Yeah. And during that time even, like I said, even if something losses haven't occurred, those sole traders, those small businesses are going through up to two weeks of fear and uncertainty and two weeks of not being able to do what you're actually doing in your business. Yeah, and they've got to jump through hoops. 

We won't allow. You know, we've got, we'll have to follow certain security measures if you let us know that there's a breach. So that's going to mean I'm not gonna, we're not gonna transfer payments to you for a little while until we know that your accounts are secure. 

And again, if you, you know, that's why the discovery is so important, because you need to know what you're looking for. You need to know how to identify how to contain containment measures are different for each type of attack. Don't be overwhelmed, though, there's only a couple. Once you start to get your head around it, you'll recognise that there's sort of just different versions of the same types of attack. And you can start to refine your policies and procedures from that. Yeah. OK, Now one of the questions that just got put up. You kind of answered there already, but it was what would be the first steps to address something like this if they suspect a cyber crime has occurred within their business? Thinking of those different types of cybercrimes, would you take the same steps no matter what? Just shut everything down, It'll be different. Yep, that's exactly right. So hence again, why I'm really stressing and I'm sorry. It's probably not what people are looking for. You know, they probably won't. Give me 3 quick reality you can install tomorrow about how you'll be back in six months asking for the new ones. 

 Yeah, yeah. Stop thinking and ultimately discovering and learning and risk. Yeah, yeah, yeah. OK. There's one more question from Conley Counselling. Is there a secure email for reports? Now? I'm not sure if that's to report when a cybercrime has occurred. That might be the case, maybe reports or for clients And yeah, how do you send reports via email securely? Yeah, maybe let's answer those because they're both kind of important questions there. Yeah, 

\
And I imagine that you're talking about sending reports because we touched on OT reports and sensitive information and there is the ability, depending on what email system you are using, there is ability to encrypt emails. Most Outlook would have that and that's a nice easy option. So I think I'm just going to guess if you're able to find it quickly, basically under file, there's an option for encryption and then the person whose email address you put in, only they can unencrypt that deep. Alright, I didn't know that was on TV either. Yeah, yeah, simple. Yeah. But there are other things you can do depending on the size of your business. If you're looking to be a large business, you can probably look at like the government do, where they have data classification labelling and sensitivity labelling. But encryption C, easiest and probably easy PDF, any reports you're sending as well, But you probably already know that doing it. So yeah, yeah. And as far as in case you weren't, that wasn't what you're talking about reporting to the OIC in Australian cybersecurity. If they're not encrypted, well, I think we'd better let them know if they're vulnerabilities. So I think those are pretty secure. They should be yes. What about watching vulnerabilities? Yes, that's a yeah. Is there so just those places again, they have based on the website, you can go report exactly what happened. Even if there was no monetary loss or anything. You can give them the details and they can look into it further. Even if there is losses. I mean, obviously it's get speak to your bank if you've lost credit card information or any financial loss. Speak to your bank if you've lost monies, redirected monies. 

 
If you report to the Australian Cyber Security Centre that will immediately lodge a notification report with the police within that your area. So you will be notified by a police officer with it, with the cyber security back, like you know, cyber security investigations background who will manage that whole case. But it's important to lock up with the Australians Cyber Security Centre first. So there they immediate, they're the first point for reporting. OK. And if participants details have been breached somehow, would you recommend telling the participants straight away or waiting until you have all the information about where it's gone, what's happened, and then letting them know the kids? 

 
I'd be doing it case by case. Yeah, because you've really got to consider the participant circumstances at times. I mean, obviously we all want to know and we have the right to know if our information has been breached or misused. So that does need to occur. When and where you would do it would depend on the participant circumstances. Don't go calling a participant on a Friday at 5:00 PM when you're going to be unavailable and they're already distressed. Yeah. So really think about if there's no media threat to them. Yeah, yeah. And in some cases it may be better off notifying the Office of Australian Information Commissioner or the NDA and they can manage that depending on what it is. I mean, we have, you know, some low level information breaches where somebody might accidentally upload the wrong invoice or something like that. We would notify a participant straight away. 

Hmm, yeah. And let him know, you know, what we've done to remedy it. Yeah. And what, you know, increased the measures will take moving forward and that there has not been any impact. There's no foreseeing impact. If there's a foreseen impact, again, that's when you should really consider what are those, what are the circumstances for that participant? And you can actually offer them support resources as well, direct them to, you know, those, those reporting tools and those resources that you already know of. There's also, and I'm sorry I should have remembered this, ID Care. 

 
So they are fantastic. They are worth partnering with. You might not want to partner with them ongoing, but certainly at the time if a breach occurs, partner with ID Care. They can also support your customers if they are impacted and they'll really talk you through and they're very good at managing the emotions that come because when. Yeah. So they're great. Yeah. I feel like I dealt with them when the Optus situation enhance. Yeah, yeah, yeah, yeah. And I partner with IDK care. That's good to know. Yeah. And I guess helping your participants through it, if it does happen, sort of helps with that. Reputational. 

 
Yeah, We trust rebuilding trust. Yeah, yeah, yeah. And I think we're all in the business for the right reason. And that's for protecting vulnerable people and helping them recognise and and manage their own risk. And the last thing we want to do is make them feel more vulnerable or more scared so quickly. Yeah. Taking our responsibilities seriously extending to online presence and data protection for sure. 

Amazing. Alright, well, I think unless we've got any others, Erin, no, that's all the question. We're, we're sizes amazing. No worries. I think we've made it to the end of the webinar now. 

Have you got anything else that you wanted to add, Isis? If, if we find, if we come across any Nuggets after we've finished up, we can add it into the conversation and into the email that we'll send everyone of the recording of today's conversation. 

 Been here today. The conversation doesn't have to end here. 

We'll see you in Kenora. We'll also be sending you the replay direct to your inbox with all of the links that ISIS has been talking about, with all of the templates and audit resources that you can adapt to your own business needs. 

 
Thank you for being here today, my sis. It's been an absolute pleasure having you for your first webinar experience. You please stress that it was my first. I do apologise. 

It was amazing. So good. Yes, thank you. Yeah, exactly. Said your name. Your, your presence is appreciated. All right, 

Yeah, we've reached the end of the webinar. Everyone that's registered, you'll get the email, post the video into resources. I'm Yvette. That was Aaron before. Thank you for your contributions, Aaron. We've been joined by Isis Murphy from my plan manager. We hope to see you in Kenora soon. Have a great day. Thank you. Bye. Good luck.
Thanks. Bye.