Internet security is a rising concern in an increasingly digital world. How should minerals consultants deal with this risk?
If you are a minerals consultant, there is no doubt that the issue of internet security will have affected you in some way. The topic was raised at a recent Consultant’s Society Committee meeting and it was agreed to prepare a note on this topic, sharing current observations, in the hope that it might promote further discussion.
This is not an advice note – after all we are not IT professionals – but we are hoping that as the AusIMM’s digital transformation takes shape, it will touch on this risk area in ways that might help all of us to manage our internet use safely.
Where do internet security threats originate?
It is clear that security threats originate wherever and whenever one is online. This means that threats exist as follows:
- when using the consulting company internet access
- when using one’s home computing internet access
- when using public access internet (such as in airport lounges).
What is the scope of the potential security threat?
The risk of a security breach is not a problem confined to the working consultant. We also have a responsibility for our clients’ data while it is in our possession. This often extends to contractual obligations, particularly for sensitive projects. But it does not end there, as the security risk may be further expanded through social media and any kind of electronic messaging as well.
How do the threats manifest?
It seems well established that internet security threats manifest in different ways. Here are a few common ‘entry points’:
- virus attack (via email or browsing)
- other email interference
- ransomware
- harvesting of personal details
- financial-related scams
- cloud-related access.
What sort of threats are common?
We have tried here to list some known, common threats. In most cases, the threat is either malicious, financially related, or aimed at stealing personal data. The responses in each case are different. For example, if we look at each of these threats, the usual defence responses are easy to list:
- Virus attack – keep anti-virus software current. Telstra recommend Malwarebytes, but software choice is an area where advice is needed and it is constantly changing. Running more than one anti-virus product at the same time can cause interference.
- Email interference – it is possible for your own emails (or those from clients) to be intercepted and altered. This occurs mainly where banking or credit card details are exchanged.
- Ransomware freezes your computer until a ransom is paid. Usually the unlocking fee (and associated code) are not expensive and most people just pay up to save time.
- Harvesting of personal details occurs either through misuse of social media (incorrect personal settings or provider vulnerabilities) or through emails purporting to come from a provider and seeking some sort of ‘update to our records.’ Retailers also offer ‘prizes’ for participation in ‘surveys’.
- Financial scams abound – credit card ‘skimming’ at ATMs, keystroke monitoring (to get passwords or logins), invoice payment manipulation, inducements by phone to have your computer vulnerabilities ‘fixed’ and so on. Can you add to this list?
We’d be interested to hear of any security breaches you may have encountered. Below we describe some examples.
Case 1: A major minerals consulting firm became aware that email accounts within its business had been fraudulently accessed. The data loss was confined to subcontractor data and related to passport details for overseas visa applications. The firm contacted all its clients and alerted the officials at the Notifiable Data Breach (NDB) office, set up under the related NDB Act.
Case 2: An email containing bank details for invoice payment was intercepted and the scammer’s bank details inserted, replacing the payee’s details. The payment was made to the scammer’s account.
Case 3: Similar to case 2, but in this situation the bank considered the overseas bank details suspicious and contacted the payer for verification. The payment of over $600 000 to the wrong account was averted.
Case 4: Suspicious credit card payments – these are now monitored by most banks, and routine payments are often queried by text message from the bank to the payer. Often this results in card cancellation and the nuisance of a re-issue delay.
Case 5: An anonymous phone caller advises that you have a computer problem. The caller offers to remedy it if you hand over control of your computer to a ‘technical team’, who then require credit card details to provide their ‘service.’ They keep calling back at all hours of the day and night.
Case 6: Automatic subscription renewals that are impossible to cancel. These require that the credit card used for that subscription be cancelled and re-issued.
Who is the gatekeeper?
The Notifiable Data Breaches Scheme
The Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act 1988 (Privacy Act) established requirements for entities in responding to data breaches. Entities have data breach notification obligations when a data breach is likely to result in serious harm to any individuals whose personal information is involved in the breach.
The NDB website provides information to help entities comply with the NDB scheme. Its guide, ‘Data breach preparation and response’, provides a comprehensive overview of the NDB scheme, as well as a general framework to help to prepare for, and respond to, data breaches. An overview of the scheme, including a summary diagram, is included, along with links to additional resources that may be helpful for entities regulated by the Privacy Act.
ACORN – the Australian Federal Police group
Online fraud is the jurisdiction of the state or territory police if the victim is not a Commonwealth Government department or a Commonwealth Authority. The Australian Federal Police investigates fraud committed against a Commonwealth Government department or a Commonwealth Authority.
In general, state or territory police jurisdiction exists in the state or territory where the offender has committed the crime, and in the state or territory where the victim has been defrauded – this includes situations where the offender is located overseas.
If you are the victim of online fraud or a scam, you should report the incident to the Australian Cybercrime Online Reporting Network (ACORN). Reports made to ACORN may be referred to police for consideration and possible investigation.
Additional defensive measures
So far as we are aware, email monitoring is only available through anti-virus software or in-house email filtering. Personal or business websites can be monitored by specialist providers for an annual fee. An example is Sucuri, which provides a weekly report for an annual fee of about $300. This might be useful protection for sole traders. Any company should have IT and data security addressed under a robust IT policy that provides guidelines for the use of IT in the workplace (on or off site), including the management of sensitive data.
The security landscape is set to change constantly. Be vigilant, and consider backing up your data to your own external storage device in addition to in-house or cloud options.
See also the Australian Government’s Small Business Guide, ‘Stay Smart Online’.
We’d like your comments
If you can add to any of these observations, get in touch with the ConSoc Secretariat Stephanie Ashworth, via: firstname.lastname@example.org. We’ll keep this topic live in our newsletter.