Preparing Your Business for a Merry Holiday Cyber Season


Many businesses are gearing up for one of the busiest seasons of the year.  Unfortunately, so are many cybercriminals, who know that busy, distracted staff and customers make easier targets. According to Anthony Enticknap from TMB Group, ThreatMetrix predicts over 1 million cyber attacks during this time of year.[1]

With cybercrime on the rise in 2018, it would be wise for all businesses to adopt a number of defensive measures to ensure they enjoy a well-deserved holiday season of sales.  This article covers three immediate steps businesses can take to minimise the risk of cyber threats this holiday season, and offers some practical tips on what to do if you believe you have been a victim of cybercrime.

Step #1: Change passwords prior to the holiday season

The first threat to any business is the lack of a password policy.  Currently, any cybercriminal can purchase or download lists of usernames and passwords taken from data breaches.  These lists often hold the passwords in hashed form, and rainbow tables, which are precomputed tables that map hashes back to the passwords that produced them, let an attacker recover the original passwords from those hashes.[2]

Data breaches have been escalating over the years, which is one of the reasons why the GDPR (General Data Protection Regulation) was established in the European Union.  The Facebook data breach in September, which impacted over 50 million users, is just one example of a data breach that happened this year.[3]

Generally, passwords are not stored as typed but as a hash: a fixed-length string of letters and numbers computed from the password by a one-way function.  Hashing is not encryption; there is no key that turns the hash back into the password.  When a person logs in, the system hashes what they typed and compares it with the stored hash.  A wrong password produces a different hash, so the person is denied access.  We designed a little hashing exercise for our readers later in this article.

Businesses that do not have a password policy may be at increased risk these holidays.  According to DarkWeb News, over 1 billion passwords have already been cracked and are ready to be used.[4]  As a result, cybercriminals are waiting for the right time for a ‘Holiday’ attack. It is recommended that all staff change their passwords prior to the holiday season, and that no password known to have appeared in a breach is reused.

Things to AVOID for passwords:

  1. Do not use a date that relates to a birthday, anniversary, etc.
  2. Do not use a name related to a person (yourself or someone you know) or pet.
  3. Do not have fewer than 12 characters in your password.
  4. Do not share the number of characters in your password with ANYONE.

For more password ideas, please read Online Vulnerabilities Facing Small Business Today.

Step #2: Adopt an email policy

According to Josh Fruhlinger, 97% of malware is still delivered by email.[5] One of the biggest email threats is the Trojan: malware disguised as a legitimate file or program, usually delivered by an email that appears to come from a valid source. According to Proofpoint, the ‘DanaBot’ banking Trojan is a recent threat to the financial sector. It lures victims with emails that appear to come from accounting software, a mail server, or any other application a victim may use.[6]

In order to reduce the risk of downloading a Trojan on any business device, it is recommended that a business should adopt an email policy.  This email policy should include:

  1. A list of stakeholders that businesses are expecting to work with over the holiday season.
  2. How to report suspicious emails.
  3. Instructions not to open attachments (unless it is from a verified and trusted source).
  4. Instructions not to click on links (unless it is from a verified and trusted source).
  5. Advice on how to scan emails, especially attachments, with an updated antivirus application.

Step #3: External storage devices to be scanned for malware before use

The USB drop is one of the easiest ways to deliver malicious code to a computer or device.  Simply put, cybercriminals plant USB storage devices loaded with malware in different locations and wait for someone to plug one in.  According to Graham Cluley, 98% of the drives in one USB drop exercise were picked up.  More importantly, 48% of those USBs were plugged into a device and the files on them were opened.[7]

Businesses should make it policy that no external storage device is used on a company computer unless it has first been scanned for malware.  Ideally, businesses should issue storage devices to their employees, so that an unknown drive found lying around is never plugged in.

A Little Hash Exercise

As promised above, the following is a quick exercise to help readers understand a little more about hashing:

  1. Visit: md5hashing.net
  2. Choose MD5 in the green box on the right
  3. Type in, or copy and paste, this hash: 65d56e6dc85b7a372c5e557a75e794d9
  4. The message should read: ‘Have a Cyber Safe Holiday’ (please note it might take a few seconds).  The site is not decrypting the hash; a hash cannot be reversed by calculation.  It is looking the value up in a large database of hashes it has already computed.  That is exactly why a common password offers little protection once its hash leaks, and why a long, unusual password is not found by such a lookup.
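
The exercise above, together with the explanation of hashing in Step #1, as an added worked example in Python (this is not code from the original article, nor the code behind md5hashing.net). It hashes the exercise phrase so you can compare the result with the hash in step 3, shows that one changed letter produces an unrelated hash, builds a small precomputed lookup table from a constructed wordlist to show how a reverse-lookup service ‘reverses’ a hash, and then shows how a business system should store passwords instead: with a random salt and a slow key-derivation function (PBKDF2-HMAC-SHA256 here) so that precomputed tables are useless. The wordlist, the sample passwords and the storage record format are assumptions made for the demo.

```python
"""Hashing, reverse lookup and salted password storage.

Added example, not from the original article or from md5hashing.net.
The wordlist and passwords below are constructed for illustration.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed stand-in for a leaked password dump or cracking wordlist.
WORDLIST = ["password", "123456", "qwerty", "letmein", "Have a Cyber Safe Holiday"]


def md5_hex(text: str) -> str:
    """Unsalted MD5 as used by the exercise above. Fine for a demo, unfit for passwords."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def differing_positions(hex_a: str, hex_b: str) -> int:
    """Count how many of the 32 hex digits differ: one changed character in the
    input changes the hash throughout, not in just one place."""
    return sum(1 for a, b in zip(hex_a, hex_b) if a != b)


def build_lookup_table(words) -> Dict[str, str]:
    """Precompute hash -> plaintext once. This is what a reverse-lookup service does
    (a rainbow table is the same idea compressed into hash chains): the attacker pays
    the hashing cost up front, then 'reverses' any matching hash with a dictionary lookup."""
    return {md5_hex(w): w for w in words}


def reverse_md5(digest: str, table: Dict[str, str]) -> Optional[str]:
    """Return the plaintext if its hash was precomputed, otherwise None."""
    return table.get(digest.strip().lower())


def hash_password(password: str, salt: Optional[bytes] = None, iterations: int = 200_000) -> str:
    """How a system should store passwords: a random per-user salt plus a slow
    key-derivation function (PBKDF2-HMAC-SHA256 here; bcrypt, scrypt or Argon2 also work).
    The salt makes precomputed tables useless; the iteration count makes each guess slow.
    The '$'-separated record format is an assumption for this demo."""
    if salt is None:
        salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    _algo, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    # 1. Hash the exercise phrase; compare the output with the hash quoted in step 3 above.
    print("MD5('Have a Cyber Safe Holiday') =", md5_hex("Have a Cyber Safe Holiday"))

    # 2. A wrong password gives a completely different hash.
    good = md5_hex("Have a Cyber Safe Holiday")
    bad = md5_hex("have a Cyber Safe Holiday")
    print(f"one changed letter alters {differing_positions(good, bad)} of 32 hex digits")

    # 3. Precomputed lookup: anything in the wordlist is 'reversed' instantly.
    table = build_lookup_table(WORDLIST)
    print("lookup of MD5('qwerty') ->", reverse_md5(md5_hex("qwerty"), table))
    print("lookup of an unlisted password ->", reverse_md5(md5_hex("c0rrect-h0rse-b4ttery"), table))

    # 4. Salted, slow hashing: the same password stored twice looks nothing alike,
    #    so no single precomputed table covers every user.
    rec_a, rec_b = hash_password("qwerty"), hash_password("qwerty")
    print("same password, two records, identical?", rec_a == rec_b)
    print("verify right password:", verify_password("qwerty", rec_a),
          "| wrong password:", verify_password("qwertz", rec_a))
```

Run it with python3; it uses only the standard library. The lesson for Step #1 is that any password appearing in a breach list or wordlist is recovered in microseconds from an unsalted hash, which is why length and unpredictability matter more than clever substitutions, and why a system that still stores unsalted MD5 needs fixing regardless of what its users choose.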

What should I do if I fall victim to a cybercrime?

Despite one’s best efforts, regrettably people will still fall victim to some form of cybercrime, whether that be online identity theft, hacking, email spoofing or malware, to name a few.

These occurrences can be stressful and can cause irreparable damage to one’s business. For that reason, whilst it is critical to understand what you can do to minimise the risk of cybercrime, it is equally important to know what you can do if you think you have become a victim. In fact, the first 24 hours after discovering a data breach are often crucial to the success of any response, with a quick response substantially decreasing the impact on affected individuals.[8]

Below are 4 brief tips to help you react to a cyber intrusion.

  1. Have a data breach plan in place. It is important to have the contact details of an expert at your fingertips. Following the occurrence of a cybercrime, time is of the essence, so it is critical to have already identified a party to contact who is capable of assessing the extent, if any, of a cyber breach.
  2. Be aware of your Notifiable Data Breach obligations. For certain businesses, if you form the view that serious harm is likely, then you must notify all parties affected that their information has been compromised as well as the Office of the Australian Information Commissioner.  If you are unsure of your mandatory reporting obligations, seek legal advice.
  3. Lodge a report with ACORN. The Australian Cybercrime Online Reporting Network is an online reporting and referral service for online crimes. This network can be used to direct complaints to the appropriate law enforcement agencies. Again, time is of the essence, so to give investigators the best chance of catching the culprits, reports should be made as soon as possible.
  4. Get legal advice. If you are the victim of cybercrime, it isn’t just the criminals that need to be dealt with. Often a cyber breach has two victims, for example a supplier whose invoice was altered and a customer who paid the wrong account, and the loss may inadvertently pit two innocent parties against each other. In those circumstances, it is important to know who to call to assess liability.

The sad reality is that whilst the holidays are meant to be a joyous occasion, there is a band of increasingly sophisticated cybercriminals looking to prey on businesses. By employing sensible practices to prevent and respond to any potential cyber threat, you are putting yourself and your business in the best possible position to get through the holiday period without any tears.

About the Authors 

Brenda van Rensburg has an extensive background in computers and technology.  Over the past four years, she has educated over 6000 Western Australian children with computer literacy skills through one of her businesses, namely TechCamps4Kids.  Notably, this business was also nominated as a finalist for 2017 Telstra Business Awards.

Brenda was accepted into Murdoch Law School at the beginning of 2018.  She is concurrently formalising her cyber security certification through South Metropolitan TAFE.  Notably, her goal is to combine her passion for computers with law and specialize in Cyber Law in the near future.

Kott Gunning thanks Brenda for the opportunity to collaborate on this article.

Tim Kennedy has extensive experience with cyber fraud related matters. This has included obtaining compensation for all three victims of the infamous property fraud cases which saw properties in Western Australia and the ACT sold by scammers who had assumed the identity of the owners. Read Astell v Australian Capital Territory

Tim has also advised service providers and consumers in relation to “man-in-the-middle” scams which sees hackers alter the bank details of invoices so customers pay the hacker instead of the providers.

The information published in this paper is of a general nature and should not be construed as legal advice. Whilst we aim to provide timely, relevant and accurate information, the law may change and circumstances may differ. You should not therefore act in reliance on it without first obtaining specific legal advice.

[1] Anthony Enticknap, ‘How Important Is Cyber Security At Christmas?’

[2] Techopedia, ‘Rainbow Table Attack’

[3] Kate O’Flaherty, ‘Facebook Data Breach — What to Do Next’

[4] C.M,  ‘Leaked Database Reveals Decrypted Passwords of over 1 Billion Accounts‘

[5] Josh Fruhlinger, ‘Top cybersecurity facts, figures and statistics for 2018’

[6] Proofpoint, ‘Danabot – A new banking trojan surfaces downunder’

[7] Graham Cluley, ‘Does dropping malicious USB sticks really work? Yes, worryingly well…’

[8] ‘Data breach response plan essential for all Australian businesses 2018’