Cyber crims get savvy, sophisticated
by Kate Tilley, Resolve Editor
Cyber criminals are sophisticated and savvy at risk management, KPMG Forensic Advisory partner Stan Gallo told the AILA Queensland insurance law intensive.
Cyber crime was becoming so common that KPMG's monthly investigations were triple the volume of 2017. Mr Gallo, once an undercover detective who infiltrated criminal motorcycle gangs, said the incident response team had grown by 50% in the last six months, fuelled by greater awareness of cyber crime and changes to privacy laws, including Australia's notifiable data breaches scheme.
He said cyber criminals operated like bikie gangs. "Organised crime is a business" and its participants examined the risks and the rewards. Bikie gangs created distribution networks for guns and drugs and gangs worked together, "even though they're competitors". The former Howard government's laws on gun control that followed the Port Arthur massacre - a mass shooting in April 1996 in which 35 people were killed and 23 wounded in Port Arthur, Tasmania - had made the gun trade "a lucrative market".
Mr Gallo said bikie gangs saw the internet evolve and knew they could use it because of the ability to be anonymous. They outsourced and recruited globally to get people who could facilitate identity theft. Bikie gangs knew the internet "would outstrip what they could make from guns and drugs and the risk was far lower".
The “baddies” included:
• Hacktivists - people with a strong sense of right and wrong who released sensitive information, like the Panama papers - 11.5 million sensitive documents leaked from a Panamanian law firm in 2015
• Organised crime - people making money from manipulating or stealing data
• Insiders - accidentally or maliciously providing access to systems, sometimes via free wi-fi or USBs
• State-sponsored infiltration, for example, the Russian Government’s involvement in the US elections.
Mr Gallo said organised crime was sophisticated enough to hire "shrinks" to write phishing emails that encourage people to click on links without thinking. The criminals included human interaction to build trust. "The easiest way to get someone's password is to ask them," he said. If someone trusted the person they thought they were talking to, they would reveal information.
Mr Gallo said law firms were a key target because they held lots of sensitive information about their clients.
While there was increasing cyber awareness at board level, there was a "disconnect" in middle management. "Many have considered insurance but not proceeded because of the cost. Businesses are looking for advice on [the range of] policies available."
Mr Gallo said user education was cost effective and a good form of risk management. "We need to get the message through."