THE PRACTITIONER'S COMPANION
Thursday 10 October 2024

How to close the door on pirate and parasites

There is a dark and sinister element circling Australian businesses … and it’s all under the cover of darkness. Criminals are looking to expose any weakness in systems for their own gain. That’s when people like Shameela Gonzales step in.

11 min read
Director – Strategy and Consulting, CyberCX: Cyber criminals are invisible. Photo: Julian Andrews

DIGITAL technology is central to the business of conveyancers and lawyers. The transition from hard-copy searches and transactions to online feels like a natural progression.

Business is better and faster – in the main – but the shift to digital has created an Achilles heel of sorts. Although the openings are small and closing, cyber pirates and parasites are finding their way through the cracks.

Criminals are looking to expose any weakness in systems for their own gain. The victims are often everyday people – mums, dads, and businesses.

As industry matures, so do their defences against fraud.

Vigilance is key.

In this exclusive Q&A, Shameela Gonzalez from cybersecurity firm CyberCX speaks to Australian Conveyancer Magazine about the rise of cybercrime in our industry and what conveyancers can – and should – be doing to keep their clients and their businesses safe in cyberspace. 

Australian Conveyancer: How important is it for conveyancers to protect client data in a digital environment? 

Shameela Gonzalez: Start by understanding that digitisation is the fundamental core of your business. For anyone handling financial services, what you’re really holding onto is a goldmine of data. Once you understand that, you start to realise the complexity of it, not just in terms of capturing it but how long you store it, how you meaningfully store it to perform your function as a conveyancer, but then also storing it for regulatory and legal purposes.

When you realise for any individual client it’s their personal information, their privileged and sensitive information that you’re holding, then you can start to think about how a criminal might want to exploit that – both for financial gain and to make someone vulnerable. You realise the real gravity of what you’re holding on to. It’s generally uncommon for someone to understand how a criminal looks at their business. 

AC: How do criminals look at businesses like conveyancers and real estate agents? 

Gonzalez: In a digital forum, criminals are basically looking for any gateway in. If you have a device, are running on systems or operating a network – any way you can access your information – these are all avenues a criminal would look to exploit. If you run an organisation with a few employees who have to log in to do their job, a criminal could be looking at all of that as a possible gateway in. They are looking for the keys to the kingdom.

Let’s say you’re using a username and password to log into something. Typically, you’re opening a platform and are running a simple process, transacting, and filling in a form. In the eyes of a criminal, all of this is an opportunity to gain access and potentially steal large amounts of data. Typically, they will then either keep it or on-sell it to other criminals.

AC: How will you know if you’re being targeted?

Gonzalez: You are going to see more and more suspicious emails coming towards you. While these requests will seem innocent and straight forward, they will usually ask you to transact in some way or to hand over some vital information. For example, you will have actors mimicking government bodies asking for some kind of information. 

A common indication you are being targeted is a sense of urgency from the criminal. A criminal actor might ask you to do something with some kind of immediacy and threat. It might involve a risk to your license if you don’t respond, or it could be something to do with taxation. That’s how a criminal will look for the keys to your kingdom and the information that is precious to them. 

AC: What is ransomware? 

Gonzalez: If a criminal takes over your systems, hacks into them and takes away your ability to use and access them, then the criminal is effectively holding you to ransom. 

If the criminal can demand a payment for you to regain access to your systems, by taking over access to critical systems, encrypting them and then demanding a ransom payment for access to them again, we call that ransomware. 

AC: Where are these cyber criminals? Where do they live?

Gonzalez: Some of them could be down the road, but the majority are international players. Because we live in an internet age they can physically be located anywhere around the world. It’s groups of criminals who could be living anywhere, but cybercrime can also involve nation states. These might be the states themselves or maybe politically motivated groups supported by certain governments. The important takeaway is that cyber-criminal groups can be anywhere, and they are looking for financial gain most of the time.

AC: Is Australia at risk because of our net high wealth?

Gonzalez: We do have a robust and strong economy so that makes us attractive. The ABC interviewed a criminal group as part of an investigation earlier this year in which they asked the group is Australia an attractive target. The response from the criminal was something like Australians have ‘a lot of money and no sense’.

Obviously, we reject this, but it gives you some understanding of the criminal mind. Maybe it does come from a history of being somewhat trusting. We’re urging people to become more distrusting, become more suspicious. For some, that might be the opposite of the culture and nature that we have as Australians because we want to see the good in people. 

AC: It’s actually becoming very worrying for Australian business?

Gonzalez: After the past 18 months to two years, in which we have seen some high-profile attacks, there is a general level of awareness and concern. People need to ask, if I was phished, if I was scammed, what does that mean for me and my business? It is your responsibility to all your customers to ask, what is the bare minimum I should do to keep me, and my customers protected? 

AC: Where can mid and small tier businesses get help to make sure they are complying with basic cybersecurity requirements?

Gonzalez: Bodies like the Australian Cyber Security Centre are there to help with information that is free. The ACSC publishes a range of really helpful and easy to use advice and guidelines. They have something called the Essential Eight framework which goes into the detail of what is considered essential. The ACSC even has a small business guide where they simplify for any small business owner what are the three or four minimum things, they can do to protect their business. Check out cyber.gov.au.

AC: So why do you think some conveyancers are ignoring the warnings?

Gonzalez: No one thinks there’s a live cyber attacker somewhere actively targeting their business. Because cyber criminals are invisible. 

At CyberCX we respond to hundreds of incidents a year. A lot of the time our digital forensic team uncovers that a threat actor has been inside observing an organisation’s systems for months before anyone noticed. The information they gather is very valuable for the day they want to trigger an actual attack.

AC: Do you think cyber criminals see conveyancers as an easy target?

Gonzalez: We talk a lot in our world about high-value targets, and that can be organisations or individuals. So, from a conveyancer point of view, one thing a criminal will consider, in terms of individuals, is, who are the Australians that are financially better off? What do they represent? What postcodes do they live in? What are their mortgages? The properties they’re buying. What do their portfolios look like? That information becomes really lucrative for cyber criminals to then go and exploit an individual or on-sell the information to other cyber-criminal networks. 

AC: How could business email compromise affect a conveyancer’s clients?

Gonzalez: A criminal trying to replicate your business could spoof your email address, making a slight change so it still looks like your email address. They will probably have uncovered an email of yours and they will do their best to replicate it and probably steal your logos and branding. The criminal will put a lot of work into making sure any correspondence looks exactly like it would if it came from you. Then they’ll reach out to your legitimate customers in an email that looks exactly like yours asking for funds to be transferred to a bogus account. 

This can create serious reputational damage. If customers don’t feel like they can trust you anymore, they are not going to come back to you. Obviously that can be detrimental to many businesses and really difficult to recover from. 

AC: And once the money is gone…?

Gonzalez: The money gets funneled through and shuffled in many ways. In the world of fraud and scams there’s something called muling which is basically the transfer of your funds that have been stolen to another possibly innocent individual and then funneling the funds through them. The point is that cyber criminals have ways and techniques of making stolen money disappear quickly.

AC: And it happens in seconds?

Gonzalez: We are in an age of rapid transactions. Payments happen almost instantly. From a financial services perspective, what that basically means is that all the controls, the monitoring, the friction, if you like, that we want to have in terms of checking a transaction before it goes through, have been lost because moved towards ease and convenience. So we live in this constant world of tradeoffs. We want immediacy of payment and transaction because it helps people financially but how do we bolster the right controls to make sure we can monitor and scrutinise everything that might not be as innocent as it seems? 

AC: How can a conveyancer do that? What are the steps they can take?

Gonzalez: In a conveyancing world one of the benefits, they have is it doesn’t have to be a real time transaction. So, they can sit there and scrutinise the transaction. In a lot of ways this is an advantage.

AC: How do they safeguard themselves?

Gonzalez: First and foremost, train yourself. Educate yourself about what a cyber-attack looks like. Understanding the risks and potential vulnerabilities within your business is a critical step. Essentially if you understand your risks, you’re more likely to build in contingency and understand how to react if those risks are realized. 

Another advisable step is to invest in simple things like an antivirus on your computer. Those basic security tools that are not too complicated to use. 

AC: What would be the ballpark costs to a medium size conveyancer to ensure they’re cyber safe? 

Gonzalez:  It varies depending on the size of a business. Best practice, especially for a conveyancer who might be particularly worried about high value targets, 20-30% of your annual technology spending should be allocated to security.

If you understand what the cost could be to your business by not investing in it, you will find that it is a reasonable investment to be making. We strongly recommend to a lot of organisations, if they’re struggling implementing security that’s where we at CyberCX are here to help. You shouldn’t have to try to decipher it all on your own when you’re not a cybersecurity expert. 

AC: What is the cost of not doing anything? 

Gonzalez: It’s reputational. It’s loss of licence. It’s the inability to even operate.

We don’t say these things because we’re trying to dramatise the implications of a cyber-attack, we’re not. We want to see an industry that can withstand a cyber-attack, recover and be resilient as quickly as possible.

AC: What are your top three tips to keep safer online?

Gonzalez:

  1. Look at your online personal footprint. What information is out there that could give criminals a lens on your life? What innocent things have you shared with friends and family that someone could stitch together if they were going to guess your password to manipulate you or your clients?
  2. Use strong passwords that cyber criminals would find hard to guess even if they have hacked your online presence. 
  3. Use multi factor identification on any services you use. Wherever your customer’s personal information is being handled, always opt in for two factor authentication. It will bolster your defences. 

AC: ASIC has put companies on notice that they will come after them if they don’t protect their business. But what does that effectively mean? 

Gonzalez: In the most severe cases ASIC can threaten licenses and your ability to operate. They can issue significant fines that could put you out of business. 

You should be able to demonstrate to the ACSC that you have been looking at guard rails like the Essential Eight. In other words, that you comply with ACSCs published minimum standards. If you are struggling to do that as an independent task, seeking the help of a third-party professional to do that for you could be a great demonstrable asset to show ASIC that, yes, I have been compromised by a cyber-attack but here’s evidence of where I went to understand what my cyber risk is. Here’s how I got a third-party firm to come in and validate that for me. 

AC: Tell us about incidence response planning?

Gonzalez: It’s not just the preventative side of things but the reactive side of cyberattacks. What kind of planning and preparation do you have in place should you get hit? Can you put some proactive steps in place to think about how your recovery process will look? A simple example is, do you back up? If so, how often? Once an incident or attack has closed off, do you have systems in place to restore your services?

AC: So it’s not a matter of if it will happen but when?

Gonzalez: If you don’t think of a cyber-attack as something that is likely you are therefore unlikely to consider it as a legitimate risk. You probably won’t make the effort of quantifying it. 

AC: Do you think conveyancers are generally prepared for scammers?

Gonzalez: They are generally aware but probably not generally prepared. That’s largely an observation on the whole financial services sector. And that’s because the definition of prepared keeps changing. The nature of the threat is constantly evolving – what could be defined as ‘prepared’ last year, may not meet the definition next year, and certainly not the following year. Preparation is an exercise to constantly revisit. 

Unfortunately, the sophistication of attackers means they will always try and be one step ahead. And, at CyberCX we will do whatever we can to prevent that from happening. But investing in being resilient is the best mode to adopt. Accepting that it may happen and then focusing on how quickly you can recover from it may be the best success for your business to make sure you withstand it, survive it and learn from it. 

AC: Is there a role that the Government can play?

Gonzalez: The role of government is critical, but it’s not necessarily something the government can solve on its own. Working cooperatively with industry is really important.

I think it has been broadly acknowledged by both industry and government that there is so much more to do to get things to a level where it is much faster and more rapid for all tiers of industry to take hostile actors down. 

Other People