Why Australia is a hacking magnet

If asked to name one of the most-hacked countries in the world, few people would pick Australia. It may be a huge country geographically, but it has a relatively small population of 24 million. Yet according to recent reports and the experiences of analysts and security experts, Australia is only just behind the US in terms of both prevalence of attacks and susceptibility to them.

The recent Australia Post phishing scams have brought this issue to wider attention, but it's not a new phenomenon. From spear phishing to ransomware, Australians are being targeted more than almost anyone else in the world. Unfortunately, they often fall for the bait.

Here's Charles Lim, senior industry analyst at Frost & Sullivan:

"In recent threat research data, it has been observed that Australians have become the next key target of ransomware, just after the Americans. The Cryptolocker attack, which uses Crypto-algorithms that are irreversible, was effective to force victims to pay up for their files to be unlocked, and an estimated 50-60 per cent of the global generated attacks [using] ransomware were detected in Australia."

Gartner agrees. According to Anne Robins, research director, "Ransomware is getting a lot of interest. That's especially so in the SME market, perhaps more than for larger organisations. Australia is the second most commonly attacked country after the US for ransomware now. In fact [Australia is] catching up with the US. That's kind of unusual, and it may be that Australia is simply viewed as having a well-performing economy. The ultimate goal of most hacking is profit, so it makes sense to go for a strong economy."

Jason Ha is national manager of the security practice at Dimension Data, whose latest threat report can be found here. He concurs.

"We have four big banks that are quite well cashed-up, globally speaking. Any supply chain to those banks is a good target. Any exportable business seems to be a target area, such as mining, agriculture, even education. For spear phishing, we're one of the highest targeted countries. All of this is low-cost, high-profit activity for hackers. A recent speeding infringement scam had about a 95% success rate. Even a fairly well-educated person would have to think for a while to decide whether it was genuine. And the rate for the Australia Post scam was 80%."

Such high success rates are obviously gold for the hackers, who therefore scale up their attacks, in a positive feedback loop. They often target specific employees in organisations, using spear phishing attacks. They want to steal corporate secrets, credit card details, customer lists, IP and more, and they have many different tools available, not just malware.

According to Bryce Boland, APAC CTO of FireEye, "One analogy is a military base, with walls, guns and guard dogs. Then someone finds a parachute inside the compound, the equivalent of malware. You don't just burn the parachute! Instead you need to analyse it, work out where it came from and where the person (or persons) went. Have they poisoned the water supply, planted a bomb, unlocked the front gate? So if you're stuck thinking about malware, you're missing the fact that there's an attacker behind that malware. You have an adversary challenge, not a malware challenge."

To make life more difficult for beleaguered Aussie IT security teams, patch management is another major issue, with a recent report from Verizon showing that a surprisingly common point of access for hackers is systems that have been unpatched for a year or more.

Jason Ha thinks some of Australia's high vulnerability can be traced to elements of the Australian psyche, culture, demographics and way of life.

"We have a growing, ageing population. Generally they are the ones who are more highly susceptible to attack: mum, dad, granddad. They get a call or email saying, 'I want to help with your computer...' and they respond. Aussies tend to be quite trusting in nature. Australia Post is pretty well trusted, which is why that scam did so well. Also there's a level of complacency: we're Australia, who would attack us?"

Phillip Simpson, principal consultant, Dell SecureWorks, sees this behaviour in organisations, not just individuals, and says it manifests in a lack of security awareness in the boardroom.

"It's partially based on [the] misperception that the bad guys are only attacking big American and European businesses. The reality is that the reason it appears this way is both Europe and the US have mandatory reporting laws. Australia experiences giant breaches almost every day but without mandatory reporting laws neither consumers nor boardrooms will ever know."

He continues: "The cybersecurity budget of an Australian hospital is a fraction of a similar sized hospital in the US – primarily driven by the fact that the US holds C-levels accountable for cyber security failures through the HIPAA laws. No such laws protect Australian consumers."

So it's no longer enough to say “She'll be right” and hope for the best. But what can be done at an organisational level? What can organisations in Aus do to train their staff to be, well, less Aussie?

We'll start with what can't be done. FireEye’s Boland says, "It's fascinating that a lot of security professionals believe they can train people to not click on links or attachments. It's just not practical. If you're an HR professional and asking for CVs, or if you're in accounts receivable and you receive an invoice, or if you're in the department of immigration receiving application documents, you're going to open them. Organisations have people whose job it is to open documents. If you tell them not to open them, you break the business."

Here's Dan Miller, country manager for Australia & New Zealand at Splunk:

"I think including security by design in business processes ... to make sure appropriate security controls are built into business processes [is helpful]. There's a responsibility to customers to protect their information. Technology is part of helping solve that problem, but investing in the right people and getting them trained and improving their understanding around event detection and investigation is vital for organisations to invest in. [This] can lead on to other uses for the security data that's gathered, such as improved operational efficiencies and business analytics."

According to Dimension Data’s Ha, "Companies need to understand that these [hacking] businesses are coming after them, so they need a change in mindset. Most of our time is spent trying to educate clients to fundamentally understand how effective their security is: not compliance or best practice, but understanding an organisation's assets and how much protection you need for those assets."

Dell’s Simpson can have the last word: "Innovative business leaders should challenge the security status quo and look at security as a differentiator. The sad truth is that inevitably companies that don't lead their sector, when it comes to cyber-security, will be the next headline and will watch their cost of doing business sky-rocket."


Alex Cruickshank

Alex Cruickshank has been writing about technology and business since 1994. He has lived in various far-flung places around the world and is now based in Berlin.  
