Published: 4 June 2015

Summary: Scams and cybercrime such as identity theft impose significant financial, legal and reputational costs on thousands of small businesses each year. Recording of a free forum hosted by the Australian Competition and Consumer Commission and the Institute of Public Accountants on 19 May 2015.


[DR SCHAPER] Afternoon everyone. My name is Michael Schaper, I’m the Deputy Chair of the Australian Competition and Consumer Commission, and it’s a great pleasure to welcome you all here this afternoon slash this evening.  This is a session as the name suggests about really trying to educate and ultimately empower the small business community about one of those threats that isn’t talked about a lot, but which really can affect all businesses as well as all consumers.  This is part of what the ACCC in conjunction with the Australian Consumer Fraud Task Force runs each year, namely Consumer Awareness, Fraud Awareness Week.  And every year we also have a special focus on small business issues in one forum or another.

Now, the proceedings for tonight are that we’ve got three speakers from a variety of different areas, and I’ll introduce them to you shortly.  We’ll go through each of their sessions, and then at the end of it we’ve left some time for Q and A before perhaps even more important than Q and A the food and refreshments.

A couple of housekeeping issues just for the sake of making sure everyone knows them.  Bathrooms are down out the back and to the left and to the right respectively, should you need them.  As I said, refreshments will be served at the end of the proceedings.  We are recording this as well so that if anyone wants to refer back to any of the information afterwards, you’re more than welcome to do so.  And we also have some information packs which are available from the front counter.

Big numbers.  Big, big numbers, and not big data.  Big data is the opportunity about where marketing might go to, then scams are also about big data.  Ninety thousand phone calls, e-mails and inquiries every year to the ACCC Scamwatch Contact Centre about scams.  Eighty-two million dollars lost, reported lost by Australians, and that’s only the tip of the iceberg.  For small businesses, which are a subset of that, almost a million dollars alone lost in ransomware, that insidious practice of locking up databases and basically asking firms to pay over in order to get access back to your own financial records, your own customer records.

The ACCC’s been running Scamwatch for several years now, and those figures don’t shrink.  Indeed, this is probably the first year where they haven’t grown exponentially.  And we do put that down to basically a bit of a message about you need to be aware, you need to be really cautious about what you’re doing.  But in a business context that’s a little bit harder, because there’s so many other pressures on what you’re doing and what you’re trying to manage, day in, day out.

So tonight we’re trying to put a bit of a focus on some of the practical tips, some of the suggestions that you can use in order to make yourself I guess perhaps not scam impervious, but at least scam aware and make sure that you don’t fall victim to it.  And we’ve got three speakers that I think are going to help us with each of that.

The first one tonight is Doctor Louis Geneste, and Louis’ actually flown over all the way from Perth especially for this event.  Louis is a lecturer in entrepreneurship and strategy at Curtin University Business School, and along with a colleague has been one of the co-authors of a recent research project, the first time to actually look at small business owners specifically.  And he’s going to talk tonight a bit about some of the experiences that he’s found in terms of who’s most susceptible, and what are some of the strategies people are using as well to try and fight back.

Secondly we’ve got Boaz Fischer who is the CEO of his own business, Commnet, and Louis and I were, with a slightly jealous tone, regarding Boaz’s title of his last book, which we thought was a stunningly clever one called How to Protect Your Business from Cyber Attacks in only Ten Minutes a Day.  And I think in terms of book titles it actually tells you what it’s about and why you should buy it.  I think that’s a really self-evident proposition there.

And finally Christine Linden from ANZ Bank, who’s Head of Small Business for both Victoria and Tasmania.  And I think it’s really important, not only because Christine has a variety of experience from both the corporate and the small business world, spread over not just Australia but a variety of other countries, but also because it’s important to get the perspective of the financial institutions, the key partners in the Australian Consumer Fraud Task Force and the work that we do, and it’s important that any financial fraud ultimately will also involve the activities of a bank as well in terms of how do I get around and how do I deal with this.

So we’ll go through the presentations, each of the speakers is going to talk for about twenty minutes, and at the end of it we’ve got a Q and A session before we break open for refreshments as well.  So if you can, if we don’t, we don’t have sufficient time in the allotted segments, hold those questions till the end, because I’m sure, we’ve already got the seats out, we’ve got the cameras on them and we’ve got the microphones ready to make them work.  So without any further ado, I’ll pass you over to Louis.

[DR GENESTE] Thanks Michael, and thanks everyone for the opportunity to share the research that my colleague Paul Webber and I have carried out on scams perpetrated against small businesses.  We wanted to do some research that certainly had real world application, and what we were trying to do is identify some risk factors that put small businesses at a greater susceptibility of being exposed to a business scam.  We wanted to identify if there were specific business risks as well as owner-related risks, and hopefully to come up with some potential interventions, to come up with some change strategies in terms of business processes, to reduce the possibility to being exposed or being impacted upon by scam, but also change strategies in relation to the owner behaviour.

Why did we actually want to do this research?  We wanted to develop an understanding of the prevalence of the different types of small business scam approaches.  We also wanted to see where losses were actually incurred by the small business owners.  We wanted to see the different approaches that were taken in relation to the small business scams and the communication media that were used by the scammers as well, in the hope that we would come up with some strategies and prevention efforts for the small business owner.  We identified some risk factors that we wanted to investigate further with our research.  We identified a range of owner strategies, which I’ll share with you shortly as well, and some surprising responses.

We conducted the research over 2011 and 2013, and we were able to, through the help of the ACCC and their Small Business Advisory Group, to enlist the twenty-five peak industry associations who could then enlist the small business owners to actually be aware of this survey that we actually carried out.  And in two thousand and twelve we carried out the National Small Business Spam Prevalence Survey.  It was actually funded by Curtin University.

The good thing is that we’ve had some findings already, and we’ve disseminated some of the findings through publications in an academic journal, The Journal of Enterprising Culture.  We’re hoping to actually get more publications in academic journals as well.  We also got an increased interest in actual small business scams through the efforts as well of the ACCC, and we actually presented at the Small Business Development Corporation in Perth at an event that was sponsored by the ACCC.  And we actually have our report by the way that’s accessible at the Curtin Business School website, so if you’d like to have a look at the whole report please help yourselves to that particular site.

So what were the key findings of that research?  We found that over seventy percent of small businesses actually wasted time and/or money actually thwarting a scam attempt in two thousand and twelve.  Twelve percent actually experienced a loss, a financial loss.  We found that if the business owner engages in unprotected or unguarded exposure activities, and we’ll talk about the RAT, the Routine Activity Theory with you shortly, as well as gullibility, then the losses are actually likely to be larger.  We also found that businesses were losing up to one hundred hours of productive time actually dealing with the consequences of the scam loss.  And hopefully the message that we’re sending to you here is don’t let that be you.

Unfortunately we also found that the evidence is that the small business owner actually spends money on protecting themselves once they’ve actually experienced a loss.  So eighty percent of the amount that’s actually spent on defending the business is actually spent once the loss was incurred by the small business owner, and only twenty percent is actually spent before that loss occurs.

We also found that the exposure to a loss, or if a small business owner’s actually experienced a loss, that they lose trust of other businesses that they deal with.  We found that fifty percent, they’d lose up to fifty percent of the trust of other businesses as a result of having lost to a scam.  And we found there was a clear association between e-commerce activities and online activities and losing money to a scam.  So maybe there’s a role to play here with marketing strategy advisors and website developers as to what strategies can be used by the small business owner to again avoid the potential loss through a scam.

The characteristics of the respondents to this particular survey are no different to the small business owners here today.  So thirteen years in business, approximately fifty-five hours a week, fifty weeks a year, the average age of the respondents was nearly forty-five years, and approximately four employees working for the business.

We found through our research for instance a range of different scam types and different losses that were incurred by the business owners.  Some examples there include losing a hundred hours through bank account phishing and five thousand dollars, ten thousand dollars through error allowing a hacker access, sometimes through a Facebook site.  Spam free offers, ten thousand dollars lost, eighty hours spent as well.

We had a hundred and ninety-two respondents to the survey, so that gave us enough of a sample size to be able to look at some interesting patterns.  The gender balance was pretty much representative of the national profile, so sixty-five percent males, thirty-five percent females.  And the turnover of the businesses, ten thousand dollars to twenty million dollars a year.

So we had enough responses as we said to actually have a look at some patterns.  So it gave us the opportunity to test a particular theory that had us thinking that put small business owners at a greater risk.  And so we call it the Routine Activity Theory, interestingly enough we call it the RAT, and are trying to prevent people from being exposed to these RATs.

So the Routine Activity Theory, our research actually found a significant relationship existed between the level of the e-commerce activities that are carried out by the small business owner, and also the amount of the losses that were incurred by the business.  We also found that there was a group of hard core risk takers, that despite seeing an offer that’s probably too good to refuse, still evoked the curiosity or provoked the curiosity of the small business owner to actually identify that offer a little bit more.

So what is the Routine Activity Theory?  What is it all about?  And essentially you need these three elements for the Routine Activity Theory to be enacted if you like, for want of a better term.  You need first of all a motivated offender here, the scammer.  You need suitable targets, so the small business and the small business owner.  And thirdly you need an absence of capable guardians, you don’t have regulations and controls in place.  And the other point is the probability of falling victim to a particular scam increases the more time that’s actually spent in harm’s way.

So let’s look at this a little bit more in layman’s terms.  Imagine a person who uses a dark alley to get from point A to point B.  And that dark alley, there’s no police there, there are no security cameras that are in place.  The more often that person uses that dark alley to get from A to B, the more likely that person is to be mugged or attacked by one of these motivated offenders.  So you can imagine the more activities you carry out, imagine that being that dark alley.  And therefore the greater potential you are of being actually exposed and caught out in the scam.

So we found that there was that relationship between business related internet-based activities and losing money to a scam.  Specifically the items that we looked at included, and the items that showed where businesses were at the greatest risk was when they were conducting online purchasing of goods and services, and when they were actually sending e-mails to their staff.  To a lesser extent making sales via the own e-commerce activities as well also increased their exposure to a scam.  We found that there was no significant relationship between the personal online related activities of the business owner and being exposed to a scam, and potentially losing to a scam.  So it almost says that a business scam is a phenomenon in its own right, that the personal activities of the business owners actually didn’t have that relationship with that RAT measure that we looked at.

So here’s an example of one of the respondents who understood the implications of the Routine Activity Theory.  So some of the respondents actually gave us some examples of case studies.  “As an online business with our own payment portal, we’re regularly targeted, more than three times a week.  I’ve taken extensive steps to ensure that our payment gateway is as heavily secured as can be achieved.  This mitigation comes at a cost of about ten thousand dollars to fifteen thousand dollars per year in proactive mitigation”.  So the owner continues to say “If we were not extremely security conscious, I can confidently say we would have had our entire customer credit card databases stolen multiple times since we started business three years ago”.

Unfortunately this is another example in this time of one where the new business owner didn’t understand the implications of the routine activities.  “Here the attacker somehow gained access to my suppliers’ computer or e-mail account, and was able to intercept e-mails coming from me to the supplier and from the supplier to me.  For both my supplier and me, the e-mail address on the intercepted incoming e-mails was correct, but when I hit reply, or my supplier hit reply to send to me, the e-mail address changed very slightly to go to this hacker instead.  So we would then change it and forward on.  Using this technique the attacker was able to intercept an e-mail from my supplier sending me a deposit invoice, change the bank account details and forward onto me, I then made the money transfer to this incorrect account and forwarded my supplier the payment receipt for them to check the details”.

So in the end, as a result of this interception, this business owner actually lost four and a half thousand dollars.  “A huge loss to my brand new business, not yet launched and our banks not very helpful in this situation, as technically they’ve done nothing wrong.  This scam is extremely clever and something more businesses should be aware of if dealing with offshore suppliers”.

We were also interested in having a look at the prevalence of an approach where the scammer is approaching the small business owner directly.  And so the examples here include the job employment business opportunity one.  Sorry.  The numbers are a little bit out of order.  The lottery and sweepstake unexpected prizes, seventy point eight-three percent, seventy-one percent, number one.  Number two was the spam free offers of sixty-three point five-four percent, in other words “You’ve won this prize for free, please click on this link”. And the advance fee one is the typical four-one-nine Nigerian scam, number three for the most often approached, or the approach that was taken most often to the small business owner.

Essentially these are targeting the gullible victims.  It had us thinking about the gullibility of some of these business owners, and is it in fact an issue?  So in order to examine that, oh, I’ll talk to you about that shortly, sorry, I’m getting ahead of myself.  Other scams were actually identified by the respondents, and in red, these red ones only actually apply to businesses.  Contract tender inducements for instance, fake purchases, for no other motive than just being a nuisance.  Business identity theft as per the example we gave you earlier, phishing, aiming to steal the identity.  Safety inspections are unauthorised, and fictitious events with participation fees.

Just going back to what I mentioned before, we were curious to find out is gullibility an issue?  So we actually asked the respondents to click on this, because we wanted them to know that there is a prize by completing this survey.  The prize could either be winning a tablet PC, or the possibility of winning ten million dollars, ten million dollars that would require the business owner to actually pay a fee.  So we wanted to test this out.  And the last one there, “No thanks, I don’t want to enter either prize draw”.

Sixty-five percent went for the PC, twenty-three percent said no thanks.  Twelve percent went for the ten million dollars.  Twelve percent.  And they would have been clicking through to see “Okay, what else do I need to do here?”.  It could just be a curiosity, but it highlighted to us “Wow”.  We were almost thinking “No one’s going to click on this”, so when we got the twelve percent result it was really eye opening for us.

So interestingly twelve percent who chose that large prize also reported having a lower confidence in their ability to actually spot the scam.  So perhaps getting these individuals to rate their own capability to spot a scam is already identifying who might be at greater risk of being caught out with one of these social engineering approaches that are used by scammers.

Is it just coincidence that the twelve percent also matches that figure of twelve percent that actually incurred a monetary loss?  And it begs the question, we often hear that a sucker is born every minute, but actually how does a criminal actually target these business owners?  And this is quite interesting.  We’re just drawing on some research that has been carried out by Herley.  We’re actually saying “You know what, we know the four-one-nine scams, and we know that a lot of these scammers do say that they’re from Nigeria, so why would somebody actually click through and follow on to say ‘Okay, well, what is this offer about?’.  And why would the actual scammer say they’re from Nigeria when it highlights that this is one of these potential Nigerian scams?”.

And the research is essentially arguing that the reason why the scammer takes this approach is that they’re targeting the most gullible of all individuals, and it’s these gullible individuals that they’re targeting through this approach.  Yes, it is a Nigerian scam.  Everybody else will, most people will recognise this as “A Nigerian scam, I’m not going to click through”.  But the gullible ones are the ones that will still go through and have a look.

So there’s only a small proportion of these potential victims where they’re gullible enough to actually fall for this scam.  But I think there are some strategies that can be adopted to make sure that individuals that might fall to these scams should be, should implement some mechanisms, and I’ll talk to you about that shortly as well.

As far as scams are concerned, there’s the social engineering ones, on the far left, if we have a look at when targeting makes sense for an attacker.  The customised attack are the social engineering approaches we were talking about earlier.  The highly scalable ones are the ones where we have the phishing e-mails that are sent to pretty much everybody, hoping to hit a few people to respond to those.

So what are the implications of this particular research as well?  And hopefully we’ll identify some RAT killers in this particular mechanism here, in this particular grid that we’ve come up with.  So as far as social engineering scams, maybe there’s a role here for family and friends to identify, “Hey, hang on, this is a scam that you should be avoiding”.  Perhaps get two people to sign off on any payments that are over five thousand dollars to at least protect the small business owner.  Vanilla scams, business processes you can implement to make sure your employees are aware of potential scams associated with these overpayments or office supply invoices.  And then at a more sophisticated level, the mechanisms that hopefully we have, government and other regulatory authorities that could look at protecting small business owners.

Okay, some tips from owners fighting back.  And I know that Boaz will cover this in a little bit more detail shortly.  So some of the ones that we found from our respondents included checking the supply details, such as a phone number.  Does this phone number actually exist?  Using a separate debit card with a small available balance.  Google the offer.  So if there’s an offer that’s made, Google the offer and include the word ‘scam’ to see if in fact this is a scam.  Use Google Maps to see what is the, does this address actually exist, what is at the address that’s claimed?  Develop a list of websites that list scams.  Have a look at the Scamwatch website from the ACCC.  Ask for references and check them as well.  So these are all available on our report, so to have a look at these more closely I invite you to have a look at our report that’s available through the Curtin Business School website.

So finally, our research finds in the end it’s too little, too late.  Seventy-two percent have experienced some scam or another in the last year alone.  Twelve percent report having lost money.  Eighty percent have decided to pay for defence mechanisms only after having lost through a scam.  And we’ve found that a lot of our business owners actually, or the business owners that have lost to a scam lose trust with their business relationships as a result of having lost to that scam.

So I think on that note I’ll pass you on to Boaz, who can highlight to you what further mechanisms you can use to protect your businesses.  Thank you very much.  I’d like to thank the ACCC and Nigel Ridgeway and the support of Kim Parker who’s no longer with the ACCC for their assistance in the research that we’ve carried out, and thank you Michael again for the opportunity to be here today as well.  Thank you. Boaz.

[MR FISCHER] Thank you.  I really like this picture, I was going to look at the back.  This picture’s very interesting in many ways.  Why’s that?  Because it actually tells us a story.  It tells us the story about how we are all connected.  I mean, imagine, thirty hours of video uploaded every second.  Two hundred and four million e-mails sent every second.  Over two million searches through Google every second.  But it’s a dark sinister area that involves the internet.  And it’s a price that we have to pay.

In the latest internet threat report produced by Verizon and Symantec, they say that small businesses, or even businesses, are doing it tough.  They say that attackers, let’s call them thieves, are producing malicious code faster, craftier, more malicious, yet the defence is lagging.  Just look at the numbers.  Three hundred and seventy pieces, million pieces, should I say, of malware every year.  That basically comes down to about roughly a million per day, or ten pieces per second.

Now, what’s the scariest thing about this, is sixty percent of these attacks are targeting small business.  Why is that?  Because small businesses are easy prey.  They don’t have the budgets, they don’t have the expertise, they don’t have the time like large organisations.  These two pictures behind me just demonstrate from a survey conducted by Symantec, that businesses say that cyber attacks are increasing.  In ninety per cent of incident cases that Verizon has studied, they’ve said that hackers have used bugs, vulnerabilities, since two thousand and two.  And this seems crazy to me, because really what you could do is eliminate it straight away, by just making sure that your system’s up to date.  So why don’t businesses do it?  Is it because they don’t have the time?  Is it because they don’t have the expertise?

So let me define a hacker.  I’ve actually got three sorts of people.  We’ve got the activist, which are what I call people who could be politically inclined, who like to disrupt, so disrupt services as such, or embarrass.  On the right hand side we’ve got the spies, they know exactly what they want and they’re very targeted and they go and try and get information.  They usually are sponsored by countries.  And then there’s the middle part, which are the criminals.  And the criminals could be using either of those two as well, but criminals are looking for financial gain.  They’re looking to get into your business and take as much information as they can.

Now, there’s one element that’s missing here, and it’s called the insider, which is something that I’ve been very keen on lately.  But the insider also has the potential of being a criminal in trying to get, access information, but their benefit is they are already a trusted user.

This picture shows that most of the attacks that are happening are very much financial motivated.  So if you look at the attacks that are happening today, the three hundred and seventy million pieces of malware is because there’s a huge reward in gaining money.

I like this picture, and I’ll tell you why.  I often have discussions with businesses, and they always say to me “I’m never a target.  I’m too small.  I don’t have anything of value.  I don’t have IP.  Why would they attack me?  Obviously there’s a big organisation.  I’m small”.  So here’s a picture that I’ve borrowed from Krebs on Security, who’s a very well known journalist who deals with the underground, and if you want to call it, the black community.  And he basically described the value of a hacked PC.  And this is very important.

If you look at the bottom right hand side, a hacker will be very keen in trying to get your financial information, and even account information, because they can monetise it.  If they’ve got your account details to a bank, they can straight away access your bank and take money out.  But what else can we use your hacked PC for?  We can use it as a means to attack other computers.  We can sell that computer as a [inaudible] activity, and it’s very lucrative.  We can also use it as a phishing expedition.  We can also turn it maybe into a website to invite victims to come down and be infected.  We can also access your social media, and maybe access your Facebook and entice your friends or pseudo-friends to do something for you.  So the value of a hacked PC is great.  And so for a business to say they’re not a target is rather laughable.

Here’s another example of a hacked e-mail account.  And you say “Well, what’s the value of an e-mail account?”.  Well, e-mail has a large trove of information.  What about a way of trying to get a whole, or siphoning all the contact list?  Now I can send to all your contact list a link with an attachment, which so happens to be malicious.  And what’s better?  It comes from you, which you happen to be a trusted friend or user.  But within an e-mail or a mail system you’ve also got a lot of other information that you can start looking for and using, whether it be financial detail, maybe log in details to various application, there’s a huge amount of information to be gained by hacking an e-mail account.

So this is a time scale.  A time scale of data breaches usually takes minutes, maybe hours to compromise a computer.  But it takes months to find out that you’ve been compromised.  And I’ve read roughly it’s about two hundred days.  And it takes maybe weeks to fix it.  So for an organisation to say they’re not a target is quite laughable.

But what’s the key here?  Ten, twenty years ago when an organisation got hacked, the hacker was laughing, it was all about ego.  “Check this out, I’ve hacked your website, am I not good?”. But these days hacking is all underground.  “Why am I going to tell you?”.  The whole purpose of hacking is to maximise the return from your business.  See, if I can extract as much information from your business, the better, because I can sell it.

So let’s get into a little bit more the meet and greet. Ransomware, which I usually call cyber kidnapping.  So ransomware has really picked up in the last three years, and I’ll explain why shortly. But ransomware works.  Why does it work?  Because it attacks people’s emotions.  And when it attacks people’s emotions, people then react. Why do they react? Because it attacks their personal information. So I just want to relate about maybe three areas.

One is scare-ware. I don’t know how many of you may have received an e-mail pretending to be from Microsoft saying that you have illegal software on your computer. Click here to pay a fine. That’s a good way of downloading some malicious codes.

Another one is a great one, it’s police ransomware, where you might get also a very similar message but coming from the Australian Federal Police, saying that you have violated or you have stolen or you’ve done something illegal. Please pay here. But typically what ransomware does, it likes to disrupt your system.  It likes to stop your system, make it change your data, maybe delete the data, or as a last one, crypto-ransomware wants to encrypt your data.  And what this malware does, it looks for all your data that you may have on your machine, whether it be Word files, spreadsheets, et cetera.  And what it does, it encrypts it, and then sends you a message and says “By the way, we’ve encrypted your machine, or all your data, please pay X amount of dollars in bitcoins to me”.  And over the last three years, crypto-ransomware has increased by five hundred percent.

So here’s an example. I’m not sure how many of you have heard of it. It’s called the Gold Coast Medical Centre. They got hit by ransomware called CryptoLocker. It encrypted their server. This organisation thought that their system was all fine. They had all the antivirus, they had all the firewall.  And yet, they still managed to get through.  What was the down side by the organisation is the backup.  They were able to restore the backup until the last 12 months.  So they had a choice, either pay or live without.  So they paid four thousand dollars.

To give you some more examples.  This is a Sheriff, a County Sheriff in the States, Tennessee, Detroit, where they also got encrypted, and they paid for it as well.  So it just shows that even sophisticated businesses, organisations, irrespective of where they are, it does work.

Another one is Greenland Town.  They had all their computers encrypted.  Now, the sad story about this one is by the time they realised that their systems were encrypted, they couldn’t do anything about it, because the time to pay had passed, so they lost all the data for the last past eight years.

Now, this one is actually taking place right now.  It’s called TorrentBlocker.  And it’s basically infected I think about thirty-nine thousand computers around the world.  For some reason Australia is second.  It’s generated close to six hundred thousand dollars in the last few months.  This is an e-mail.  I actually got it.  It usually comes with a logo from Australia Post, it makes it look real.  Now, the interesting thing is, it asks you if you don’t do anything about it we’re going to charge you five dollars eighty-one per day.  So the emotion is there, “Well, I don’t want to be charged, I want to do something about it.  What I’m going to do is click this link”.  And that’s how you get infected, okay?

So I want to talk about the next seven slides, because these are critical slides.  This is how you know that you might be a target.  So number one.  As I said before, small businesses have a tendency of not doing much.  They don’t update their systems.  And most of the bugs that hackers use are like ten years of age, and they still work.  So why not update your systems?  It’s like saying “I’m going to drive my car, but I’ll never check my tyres, I’ll never check my oil, I’ll never check anything.  I assume the car will drive for ten years”.  How well would a car drive?  So it’s of key importance to make sure that systems are updated.

Interestingly, the Verizon Data Breach Report a few years ago said seventy-five percent of data breaches were based on an opportunity, which means like you left the door open to your house, invited someone in, didn’t close the doors.  It’s really basic.

Passwords.  Passwords are [inaudible], there’s so many passwords to remember.  How many applications do you use?  Twenty?  Thirty?  Banks, applications, Facebook, your business.  It’s very hard.  And they keep on telling you, make sure it’s long, make sure it’s different.  Well, it needs to be different, because there’s some really scary stories whereby a user basically got hacked; they managed to get his user identification and his password, and he had used that same password authentication for all his applications.  So you have to create something different.  So I get a complaint, “Well, I can’t remember that many passwords”.  There are applications, free applications, that you can use called password managers that will make that job really easy.

Clicking on links, like the one I showed you.  You’ll probably get a lot of e-mails asking you to do something, specifically to click a link.  This one was malicious.  I get probably ten or twenty such e-mails a week. Opening attachments also.  I mean, have a look at it.  Six thousand, eight hundred and forty-one dollars.  “Really, did I do that shopping?  Really?”.  But it doesn’t look correct.  So you have to have your eyes open, you have to sort of realise that something is not right.  But why even bother?  Don’t open it.  And the reason why it’s a dot zip is because it’s trying to get through your firewall.

Installing applications you didn’t ask for.  This is great.  Fake antivirus programs.  You go somewhere and something’s saying “Your system is not protected.  We found problems on your machine.  Please download this application”.  Did you ask for it?  No, so don’t download it.  Don’t install applications you didn’t ask for.

Divulging information.  People like to divulge information.  “Guess what, I was born on this date, this is where I live, here’s my personal information”.  You’re just making it easier for someone to understand who you are, piece the story.  And guess what, we can do maybe some identity theft, we can pretend to be you.

Another one.  Responding to requests.  “Look, we want to know that you are alive, please tell us”.  Why tell them that you are actually a real user?  You’ve just given them an e-mail address that they can do something with.  So the whole point is not to tell them anything.

So it comes down to what I call User One Point Zero.  Because we haven’t changed.  We’re still making the same basic mistakes.  Now, in this diagram, Verizon basically sorted all the attacks it has seen over the last ten years into what I call about ten different patterns.  Probably a huge amount of threats, but if you sort of condense them, they usually come down to these patterns.  What is not clear at first sight is that if you look at the top four, they account for ninety percent of incidents, which is us, people.  We either goof things up, we either get infected, we either do the wrong thing, or we lose something.  Like we leave a mobile in a taxi or a bus.  So what I usually say is put your hand up, point to yourself and say “I am the problem”.

So how do we go to User Two Dot Zero?  So this is really simple.  It’s not rocket science.  You don’t need to go and spend a huge amount of money on sophisticated security.  Any business could do this.  Make sure your system’s up to date.  All your systems, okay, including your routers and firewalls, things you don’t think of.  Make sure you use a strong password.  Use a sophisticated password manager, and you won’t have to worry.  Don’t tell people your passwords.  Don’t write it down somewhere.  Don’t respond to requests, which means attachments, don’t click on links, and don’t respond to people asking for information.  If you want to, give them a phone call and say “Are you the person who just sent me this e-mail?”.  Verify.

Now, the key thing here, number four, is backup.  What I tell businesses, you do the three, two, one method.  Three backups on two different media, and one offsite.  Now, for the more security conscious organisation I do add two more.  Remove the administration rights from your computer.  Why?  Because without admin rights, very hard for malware to install itself.  And six, make sure you control what applications you’re running on your system.

I want to finish by one last thing.  The Australian Signals Directorate has said if you did one, five and six consistently, then eighty-five percent of your intrusions would have been protected.  Thank you very much.

[MS LINDEN] So thank you.  It’s great to be here supporting the National Consumer Fraud Week.  We appreciate you joining us today.  What’s interesting is the government’s very focused on helping small businesses make money, so it’s really great to see the ACCC and the IPA actually running a forum about making sure they don’t lose it as well, which I think’s a really important point.  With over two million small businesses in Australia I think lifting the awareness, improving education and fundamentally taking some real action is as fundamental for small businesses as it is for big business.

Tonight I’m going to cover off a couple of things which draw on my experience.  Firstly some real life scenarios that have actually happened, which are focused on different types of small business theft.  And also, as the two previous speakers have covered off, some really practical and some helpful hints: what can small businesses actually do to reduce the risk?

So I thought I’d kick off first, I wanted to actually imagine a scenario with you.  You run a successful construction business.  Your business has grown.  You’ve contracted a bookkeeper to assist, and they seem to be working out really well.  They’re actually enabling you to spend more time on your business rather than just in your business.  You’ve not been really checking in very often with the bookkeeper, you figured they were pretty efficient, they knew what they were doing.  But your bank balance isn’t really where it needs to be.  It’s actually a bit short of where you thought it would be.

So you start to ask some questions.  You’re told a simple answer around “Well, a customer hasn’t actually been paying in the usual payment terms that they have been historically”, which on the face of it could make sense, that happens.  But you actually decide to take the next step, and you call the customer.  You actually want to work out what’s going on.  This is your small business and you’re interested.

The customer actually says to you “I don’t know what you’re talking about.  I’ve actually been paying your invoices, I’ve been forwarding them to the bank, you forwarded them to me, I forwarded them to the bank, the bank’s been making the payments, I’ve got evidence on my bank statements”.  So you take a look, you actually go another step, you have a look at the invoices.  And actually the reality is they’ve been paying their bills as they told you, but they haven’t been paying you.  So your bank account details on the invoices have actually been amended by the bookkeeper, and your customer is actually paying someone else’s bank account.  And worst of all, the money can’t be tracked.  So that’s six months of construction invoices completely down the pipe.  And actually the bank tells you they can’t assist, because their customer had been giving them the right instructions, according to the bank, they were paying an invoice that the customer had instructed.

So it’s an interesting scenario, unfortunately too common a scenario, as you can see from some of the press up on the screen.  Some learnings from this scenario.  The business was trusting, but not verifying.  So the bookkeeper was going along for a long time without anyone actually looking at what they were doing.  And it’s absolutely okay to trust, but for small business owners it’s your business, so it’s important to trust and verify.

The internal controls in the business were obviously pretty weak, and this includes also onboarding staff.  So when we look back over this example, there were no upfront reference checks, there were no national police checks, and importantly the small business owner didn’t actually ask anyone or do any internet searches about this bookkeeper.

So this type of fraud, as I mentioned earlier, is prevalent, and actually the learnings for this type of fraud are really no different in the offline world than they are in the online world.  And so this is really about trying to make it harder for it to occur in the first place, and trying to make it harder for the thief to actually get control of invoices in this example.

So I’m going to move on to another real life example, and this is e-mail hijacking.  And I know Louis you highlighted an example before from an invoice perspective.  But if I think of the scenarios that we see at the bank, and this is where e-mail hijacking has occurred, the first one, and I’ll read it out, because I’m not sure how clear that is on the screen.  This is a purported customer asking to withdraw twenty-five thousand, “I’ve lost my nephew yesterday night.  I’m in the middle of a family funeral.  I’m requesting for an outgoing wire transfer of funds to be issued on the basis of an exception, the funeral’s occurring”.  A sad e-mail, as a recipient.  I’m going to move on to another one.

The next example is from a hijacker who found the business owner’s son’s e-mail address in a mail box.  They set up an e-mail account with a small variation to the name, and proceeded then to interact with the bank.  So it says, and there’s bigger amounts here, transfer for two hundred and twenty thousand.  “I’m asking the bank to let me know the balance of my account, and please go ahead and make a telegraphic transfer from it.  I’m out of town, I’ve lost my sister, I’m at the funeral, and you can call me on the mobile number if you need clarification”.  Again, on the face of it, another potentially really sad story.

And finally, in terms of e-mail hijacking, “I’m looking for US sixty-five thousand.  I intend to transfer to my client account in Malaysia on an urgent basis, but I’m not sure where this should come from.  What’s your advice?  Wonder what the indicative respective exchange rates and the total charges by ANZ to do the remittance.  And for the sake of good order, the original telegraphic transfer instruction will be sent by courier upon my return to town”.

I’m sure that you can see there are common themes here.  These are all real life examples again.  There’s a common theme around a sense of urgency being created.  There’s excuses that are used to bypass controls, for example, “Don’t worry, I’ll courier the documents to you at a later point”.  They absolutely play on emotions, so in these examples, terrible deaths and funerals.  And they absolutely dictate terms on how they actually want to interact with the bank by providing contact details.

So one important piece of advice here is to make sure you’ve set up and really understand the rules of how you as a business owner are engaging with your bank, whether that be ANZ or any bank, to actually carry out transactions.  For example, who can interact on your accounts, what method of communication is acceptable, and then the bank will actually act on your instructions.  So in some of these cases where we’d set up e-mail authorisation from the customer, on the face of it these examples could have turned into real loss.

The next scenario is on phishing, and I know we’ve again highlighted a few examples earlier, but just from a bank perspective, and I know we’ve talked about dropping in and clicking on links in e-mails, these are some of the things that we see that our customers receive.  And in the digital age this is absolutely becoming more complex and also particularly more difficult to identify.  Customers from a number of, and across all of the Australian banks have been targeted with hoax e-mails and also phishing.  And like the examples on the screen, at first glance these screens look to be genuine ANZ Bank screens.  They use our logo, they have the exact same set up as an internet banking screen that we have at ANZ.

So a business owner, or their staff, receive an e-mail that’s purporting to be from the bank, and it requests that a link be clicked on, maybe to return a payment that has been made by the bank by mistake, or to update their security details and passwords on an authentic looking but very fake website.  And the fraudster is absolutely impersonating the bank, but the purpose isn’t the impersonation of the bank, the purpose is absolutely to get you to log on and put in your account details, and to make sure there’s enough personal details that they can collect to commit identity theft.

And an important message here is then what the fraudsters actually do with that information, because it’s enough to just collate it, but unauthorised purchases on accounts are quite common when this happens, on credit cards as well.  They’re used to open other accounts.  So you start one day with one account, and then a few months later you realise there’s three or four accounts that are actually opened up in your name.

They absolutely can create fake businesses.  They lodge fraudulent GST claims and then become the recipient of those GST claims.  They take out loans.  And some of these examples turn into extremely bad credit ratings also, which become under the business name.

So these are absolutely immediate consequences for a business and they’re devastating, but it’s actually even more than the immediate consequence.  It’s the cost and time that it actually takes to rectify the accounts, to reset your identity, and the risk it carries both for personal and absolutely for business reputation.  And effectively, and this is the tough bit, the onus is on you as the business owner to prove that you weren’t involved, sometimes.

If I take ANZ as an example, we commit not to send an e-mail and ask you for your account details.  We don’t ask you for financial details, we don’t ask you for log in details.  So it’s really important for small business owners to check the standard that applies for other business partners as well, and being just aware of what the standard operating procedures are.

So what can small businesses do?  And there’s been great helpful hints and tips, and I just wanted to cover off a few of these.  Firstly if I think about securing documents, seriously, mail boxes should have locks on them.  It sounds old school, but it’s absolutely relevant.  And making sure that documents are locked away is a really simple example.

In terms of overseeing staff, I suppose my best hint here is don’t be an absent small business owner, because you trust your staff totally.  The concept is trust, but verify.  If I think of the invoice duplication scenario mentioned first off, regularly reviewing invoices would have absolutely helped to reduce the extent of that crime.  And I think it’s important that small businesses really think like big business.  So do you have policies in place around how your employees are going to interact with internet security or use social media during office hours?  Are you sure there’s segregation of duties within your business?  So are you sure that invoices can’t be raised and paid by the same staff member?

Thirdly, and I suppose the third box on the slide is know who you’re dealing with.  It sounds so obvious, but who are you getting into business with?  Whether that be customers and suppliers, whether that be service providers, whether that be your bank, and importantly whether that be employees or contractors as well.

So I suppose a rhetorical question for small business owners is if you received an invoice that looked the same as the one it did the previous month, but all that had been changed is the account number, would this have been picked up in your business?  We see examples every day where simple details are missed.  An unusual fax number.  A request that’s come from an e-mail address but it’s changed e-mail address from previous correspondence.  The question is how do you know that the simple things are being picked up in your business?

If I think about bank security and software, I’m really always surprised to hear from customers that don’t have simple banking security in place, and that they haven’t checked with their bank as to actually what’s available.  And I know small businesses are time poor, I completely understand that.  But I’d really encourage all small businesses to think about their banking security actually no different than they think about their computer software security or they think about their documents.

If I use ANZ as a specific example, we have a product called ANZ Shield, which is when you’re utilising internet banking, and it has a two factor authentication system that sort of works on the basis that you identify yourself first with something that you know, and then you identify yourself with something that you have, so that means you get a text to a mobile phone that you’ve nominated, and use that text to actually complete the transaction online.  And we also have something which is called Challenge Questions, which are a security feature that means you’ll get questions that you set up originally, and then they’ll ask you to verify your identity as you go through internet banking.  And all the major banks have some form of security software for their banking, but it’s important that small businesses understand to check that out and know what they’re actually engaging with from a bank perspective.

So in closing, as I said at the start, identity theft, cyber crime theft, and whatever name you characterise it, is just as relevant, important and impactful for small businesses as it is for big businesses.  The aim of the hints and tips that I’ve set out is to make sure your business is not the most attractive target.  And it’s sort of like if you think of a row of houses on the street, the ones with security doors, the ones with alarms, the ones with dogs, they’re less attractive to the homes with the keys left in the front door.  Remember it’s important to trust, but verify, and know your customers, know your staff, the other businesses you rely on, and ask lots of questions if you’re not sure. Thank you.

[DR SCHAPER] Christine, thanks for that.  Boaz and Louis as well.  Sitting here of course it’s always quite easy to feel just a little, I was going to say a faint tinge of concern, but I think sometimes at the end of these sessions far more, much more than just a faint twinge, but rather a “Oh my goodness me, where am I at and what have I done?”.

Look, the emphasis here is very clearly about what do you do in terms of making yourself, make sure that you don’t become susceptible.  And now is a chance to, we’ve got a Q and A session for about 15 minutes, so now is a chance to ask a few of those questions, so you may have some.  But I’ve got one first of all for the audience, and then I’ve got one for our assembled experts.  For the audience, I’d like to see what sort of scams if any people here have reported being approached on recently, and then secondly I’d like to see whether or not from our respective guests whether or not any of those are ones that they’ve come across recently, first of all.  So what are people’s experiences here in the room about scams or rather approaches, rather than hopefully ones you’ve fallen into?  Yes.

[AUDIENCE MEMBER] I received a phone call where they say it was the court case against the banks, that the monies that they overcharged me were available, that the government is finding people to pay those monies back, and they asked me for my bank details to pay those monies back.

[DR SCHAPER] Other experiences?  Yes, Pam.

[AUDIENCE MEMBER] I was e-mailed about the Australian Federal Police, and I thought “Mm, this is a bit weird”, and then I looked at the amount of money I had to pay, and it was a very unusual sum, and I reported it to Scamwatch.  It would be really easy if we could just forward the e-mails to Scamwatch, rather than having to fill in all the information.

[DR SCHAPER] Good, we like it when you do too, yes.  Other experiences?  Anyone else?  Yes.

[AUDIENCE MEMBER] [inaudible] Recently I received an e-mail from the ATO saying that “We’ve got a voice activation authentication system, can you call and go through the procedure to authenticate yourself”.  Now, I know this is legitimate, but what the hell, I said “I’m not going to do it”.  If the ATO wants me to call up and authenticate myself through their voice activation system so they don’t go through that checklist of your name, birthday, what your tax number is, they can write me a letter.  So I guess this is more the opposite, is that you kind of look at these e-mails, and you know that they’re legitimate or they’re probably legitimate, but you discard them anyway, saying that “I’m sure this is legitimate, it looks legitimate”.  And I know in fact it’s legitimate, but I discarded it and thought “Well, the ATO shouldn’t be using this medium to contact me, use snail mail”.  So I guess what my point is that once you lose trust on the internet, it has a real, I believe, an impact on the small business owner, because they stop using some of the services that could make life so much simpler for them, so much easier, so much, they could be much more beneficial as well, so we don’t kind of look at that side.  We should.

[DR SCHAPER] Well, let’s get some comments on that from each of the three.  I think it touches both not only different types of scams, but also that issue about trust.  Louis, did you want to start off?

[DR GENESTE] Just in relation to that trust issue that you were talking about, when we did our research we identified individuals that, well, we looked at gullibility as being an issue, and looked at the percentage of people that actually clicked through to that gullibility question.  But it was interesting that there was a person that actually won a mini iPad.  It took us three months to convince him that he actually had won the mini iPad, and it wasn’t until he checked out our credentials on Google to actually say “Well, these guys are for real, I’ll send them an e-mail and find out.  I keep getting this e-mail that says I’ve won a prize.  Have I definitely won a prize?”.  And we thought “Well done, well done for actually doing the checks to confirm that we are bona fide researchers, and yes, you’ve won the prize, congratulations”, and we finally sent him the mini iPad.  But it was interesting that it may well have been because he had been caught out before that he was distrusting of the e-mails that we were sending him.

[DR SCHAPER] Christine?

[MS LINDEN] Yeah, I don’t disagree with you on the issue of trust, I think that’s really relevant, and that will continue, is my view.  I think though I would encourage you to think, and for any business owners in the room, to think about going through that ATO process, which is likely to save you a hell of a lot of time down the track, and I’m sure that’s not what you’re suggesting, but, yeah, I think [inaudible]

[AUDIENCE MEMBER] [inaudible]

[MS LINDEN] And the ATO voice verification’s a really great security layer to have in place, because we think of banks and the e-mail hijacking, but the ATO’s exactly the same in terms of the extent of impersonation that goes on, and once your tax file, your business details are known, the ability for that to be replicated is very prevalent.

[DR SCHAPER] And Boaz?

[MR FISCHER] Well, here’s a challenge.  How many e-mails do you receive every day?  Fifty?  A hundred?  As a business operator, do you have time to really judge and really understand whether it is real or not?  So pretty much as a business operator you don’t have time, so you click, or you delete.  Very hard to say whether an e-mail is real or not.  These days hackers are doing a really good job.  As Christine showed with some of their ANZ banking phishing, they look identical, they have the same look, the same logos, how do you know that ANZ Bank or Westpac or whomever doesn’t send e-mails directly to clients?  You don’t know.

[DR SCHAPER] We have a comment here sir.

[AUDIENCE MEMBER] Mine was more a comment rather than a question.  A lot of the e-mails, you can usually tell whether they’re dodgy because there’s generally spelling mistakes or grammatical errors or punctuation errors, so a lot of the time I guess that’s just one thing to look out for I guess.

[MS LINDEN] They’re getting better though.  But I don’t disagree with you, some of the grammar’s interesting, yeah.

[DR SCHAPER] Look, we’ve got a couple of comments there, and then at the back and then at the front, please.

[AUDIENCE MEMBER] I know mine’s not kind of really small business as much as educating my child, because he’s a fifteen year old who gets e-mails from his school and friends, which aren’t, excuse me, which aren’t personalised, so it might be a group e-mail.  I think it applies to the same in business, that people think you can send a group e-mail, no personalisation, and you trust that one, and yet they’re actually often the ones that are the most suspicious, because they don’t have “Hi Caroline, hope you had a nice weekend”, something or other that might actually help you connect it with not a generic fake e-mail.  But kids are really great at that one, they just leave off all the personalisation and click on links to think that they’re going to some YouTube site or something like that which they think is safe, and yeah, it’s hard to convince people, “Can you make sure you personalise your messages you send to me, otherwise I’m not going to respond to them”.

[DR SCHAPER] Any comment?  No?  Furious agreement.

[MS LINDEN] Complete agreement.

[DR SCHAPER] Furious agreement.  Madam.

[AUDIENCE MEMBER] I have a comment also on this question of trust, because although I think in the past it was often possible to detect a hoax e-mail because of the poor spelling, I’ve found a lot of e-mails recently, the Australia Post one is a good example, and phone calls from call centres overseas where the person says “I’m calling from Microsoft, we can see you have a problem with your computer”, well, who doesn’t have a problem with their computer at some stage or another, if not a little bit of a problem every day.  And so the thing, the question of trust is quite significant, because the scammers are now using the names of big organisations who are trusted, and you do have dealings with them.  So the Australia Post one, my business partner asked me, or commented to me that she, I think she possibly did click through, but she knew that she had a parcel that was coming from Australia Post, and so therefore, and you do get tracking notices from Australia Post if you have a parcel.  So it is very difficult to work out exactly.  I don’t think you could really avoid every trap.

[DR SCHAPER] Does that mean we all have to be a little less trustful of each other in the future?

[MS LINDEN] I don’t know about of each other, but I think it’s healthy, I think it’s really healthy to have a high level of inquisitiveness, and certainly if it’s phone calls, I am definitely in the practice of suggesting I’ll call the person back, I’ll get a phone number, I’ll go onto the web and I’ll check it, and yes, that absolutely takes time, but goodness me, that’s a much bigger time saving than if I actually go through with what’s being requested.  So I think it’s important to think about, whilst I’m time poor, you’re going to be even more time poor and potentially put your entire business at risk, and reputation, if you don’t just do that extra little bit.

[MR FISCHER] I was going to add something.  I think it’s important in today’s climate where you’re continuously bombarded with some form of attack, is just to err on the no side, which basically means actually don’t respond, okay?  One of the e-mails or one of the slides I showed actually said “Look, if you don’t pay”, like the one that came from Australia Post, “If you don’t do something we’re going to charge you five dollars eighty-one per day”.  So they’re trying to get you emotionally charged and to do something.  This is the time when you need to realise “Hold on, why are they charging me, why are they asking me for money?”.  And as Christine says, it’s probably not a bad idea, if you think it’s coming from Australia Post, give Australia Post a call.  Not what it says on that e-mail, because they might have their own number.  But actually you look in the White Pages or Yellow Pages and find Australia Post and give them a call and say “Did you send this e-mail?”.

[DR GENESTE] The other thing is that through our research we’ve found that these business owners have an average of about four employees.  So some of the actions that are taken on behalf of the business are taken by the employee.  So you can imagine an employee getting an e-mail that says “You have to pay Australia Post”.  And the employee might be thinking “Well, I don’t want my small business owner to be in trouble here, I’m going to go through and actually make this payment”.  So it’s a good idea to also make sure your employees are aware of the risks that are there, and let them know of the different activities that are carried out by the business that could also put the business at risk.  And so it’s not just incumbent on the business owner, but also on the employees to be aware of the potential risks as well.

[DR SCHAPER] And a comment at the front there, a question.

[AUDIENCE MEMBER] This is a real story.

[DR SCHAPER] Oh good, we like those.

[AUDIENCE MEMBER] I’ve been an agent in licensing and franchising for ten years with a particular company, started in nineteen twenty-three.  And for the last couple of years I’ve used my own trading name, because it was a foreign name, so I said “Well, I’ll change it”.  Anyway one day I read up news, they’ve used my trading name for, they changed the company name, they used my trading name.  So it means the whole company, and I’m talking a multi-million dollar operation, so it is incredible.  And the particular CEO is a barrister.  So I’ll let you rest on that.

[DR SCHAPER] Audacious is the other word that comes to mind there too.  Michael, just another comment back, just on the other side there.  And I don’t know if anybody else has got any or seen any one of that sort of order of magnitude, although there have been a couple of houses sold underneath people in Perth on a similar sort of basis, yeah.  Boaz?

[MR FISCHER] I was going to add a comment.  Every organisation has got what we call a domain name, which basically means this is how you identify yourself on the internet.  It would be www dot whatever it is.  You manage the domain name.  Every two years you probably have to renew the domain name.  Now, one of the critical situations is that domain name can be hijacked.  How do they hijack?  They might get the username and password.  And then they can squat and ransom you for the domain name.  So it’s very important to understand your branding, and very important that you start protecting your branding, and domain name hijacking is quite strong.

[DR SCHAPER] We’ve got another comment over there, and then I’ll check and see over this side, because this side of the room’s been quite quiet, we have a very vocal group over here and a much quieter one here.

[AUDIENCE MEMBER] Yeah, we’ve got the winning team here.  These types of sessions are really good.  I was just looking forward now.  I know that we have, the government in association with other institutions have Cyber Security Awareness Week, they have Privacy Week.  I noticed, I’m not quite sure if it was for the first time that there was a Fraud Awareness Week, last week, May 12th.  I know they had it in the States, but I didn’t know they had it in Australia.  So we have all these programs happening, but they’re obviously not reaching the targets, the people that should, the small business owners for example.  There’s lots of money being thrown, there is Scamwatch and I know there is Cyber Stay Smart Online for example.  Sorry, I’m in the security industry, so that’s why I know.  So how are we going to reach out to those masses of people that are out there that are not getting this message?

Should we for example, you know, we have all this thing that happens but still people are being, so could we brainstorm and say “Well, maybe we need to advertise rather than just on the internet, use the television which reaches a larger audience maybe?”.  I don’t know, do we go, whoever does the ABN says “Well, before you get an ABN you have to sit through this online module to kind of increase your security awareness, and maybe apply that retrospectively to small business owners”.  I mean, there’s lots of things that are being done, but they’re not really reaching the people.  I’m sure by the time this generation is up, I have two sons, and nephews in primary school, I know they will be a lot more sophisticated and a lot more knowledgeable about how to use the internet in the most effective and whatnot way, but still we have a whole heap of a generation that needs to be educated right now, and trained.  So what do you suggest?

[DR SCHAPER] Well, I’ll make a comment in a minute, but I’ll just ask if anyone in the panel has anything they want to-----?  Look, it’s a perennial problem for all regulators and all government agencies, there’s your fifteen minutes up obviously.  There you go, well and truly, I’d better keep it short.  It’s a perennial problem in terms of how you educate people, and the issue about do you force them is not necessarily always one that works in the way that you might think.  Look, it’s a crowded world.  This is just one of many things.  And indeed I know that talking to some of the people in the room today, there are people here who are thinking about starting a business as well as those that are already operating a business.  And it doesn’t matter whether you are thinking or whether you’re already doing, all the things you have to think about, your own particular field in terms of what you actually do for a day to day living, accounting, human resource management, all of the issues, this is just one more thing, another brick in the wall.  So to say to people “Well, I want you to spend a lot of time on this issue”, it’s like “Yeah, well, what else am I going to take time away from?”.

And interestingly enough, some of the laws that we administer require for some particular industries for people to actually, basically to go and get independent professional advice saying that they have been effectively counselled about what they’re signing up to, and in particular industry model and what they’re going to do, and it’s fine, they all sign it.  You go back and survey them and you actually find about half of them, if you actually ask them honestly, will say “Well, I signed the form of course, because I just wanted to get on with the job.  But you know, did I do it?  Of course not”.  You can lead a horse to water, but unfortunately you can’t educate them.  And that’s I guess what ultimately scamming thrives on.  Now, are there any questions on this side of the room, please?  Thank you.

[AUDIENCE MEMBER] Larger corporations have been using encrypted e-mail and VPN for quite a while.  Is that something that small businesses should be moving towards?


[MR FISCHER] Yes, if it’s sensitive.  If they’ve got sensitive information, why not?  And it’s pretty easy.  There are applications out there that provide you the ability to send sensitive communications, irrespective of what size they are.  So I totally agree.

[MS LINDEN] And I think no, you should be thinking no different, as if you were a big business, and so absolutely agree, you should be in.  Look, also we talk a lot about your own personal information that you need to protect, but you need to also be thinking about your customer data itself that needs to be protected as well, and a burglar comes in, grabs your computer, something’s encrypted, there’s very little chance that that can go any further.  And I think that’s as important as just thinking about your own personal security and documents.

[DR SCHAPER] And has that been an issue, just out of the way, that loss of customer data?

[MS LINDEN] Yeah, and I think if you think about the US story of Target as an example, that is absolutely in the media and absolutely simple examples where businesses protect everything else other than their customer list, because there’s a sense that “Maybe it’s not my customer, that’s their business and that’s their information”, and that’s absolutely a great way, as one of the slides earlier mentioned, of finding and actually going further along the line of identity theft, so yep.

[DR SCHAPER] We’ve got time probably for two last comments, so sir.

[AUDIENCE MEMBER] With people in general operating more in the cloud, is there something we need to be, well, concerned about in terms of having data and applications like Dropbox and OneDrive and all that sort of thing?  I mean, I’ve heard that some of that data may not be very secure.  What should we be doing to make them more secure?  I mean, is something like Office 365 more secure than say Dropbox or something like that?  Do you know?

[MS LINDEN] I’m not an expert on what is more secure, absolutely not, if one of you-----

[DR GENESTE] Nor am I, so I’ll just pass you on to Boaz.

[MR FISCHER] That leaves me.  Look, if you want to use Dropbox, that’s fine.  There are lots of other cloud applications which provide you with cloud storage, that will give you good security, that is not expensive.  So it’s just a question of just looking around and what’s out there, and one of them will be for example Sharefile.  Great technology, from Citrix, it costs maybe thirty dollars a month I think, great.  Having said that, if an organisation’s thinking about going to the cloud, which means basically taking the business to the cloud, not just some data, that’s a different story.  Why do I say that?  Because there have been some examples where the cloud provider has gone out of business.  So if your whole business is sitting on a cloud, then you’ve lost your business.  So what I usually tell organisations is “What’s your exit strategy?  Can you move your business to another cloud provider?”.  That’s one of the things that I would tell you right from the start.

[MS LINDEN] And I think once, you know, technology’s going to continue to get more prevalent and complex, and as we continue to digitise everything possible, nearly including ourselves up on stage at some point, I think what’s really important also is know what your strengths are and know when to ask for help.  And so technical experts that can talk to you about what cloud, what not cloud, what else could you do.  You know, I certainly find businesses that are more focused on what’s their marketing strategy to go online, use cloud, do whatever they’re doing, versus actually getting the right backend support information about “Is what I’m doing going to lead me down the right path or not?”.  So you’re asking the right question.

[DR SCHAPER] And a final question slash comment.

[AUDIENCE MEMBER] Just further to that, thank you, in the business of giving business advice, and I’m finding that as an accountant we are being forced and forced by the software developers further to advise clients, and especially start-ups that a quick and easy horrible method is to chuck them on the cloud, on a nice easy slap and bang program. Now, you’ve got two bank feeds that come in, one is Yodlee, and the other is BankLink that happen in Australia. Now, Yodlee is known to have absolute gaping holes in it. Where does the liability lie?  Does it lie with the bank, does it lie with the software provider, does it lie with the customer who actually has no usability or security system at their end, but they’re being signed up, they’re being forced into this small little appropriation of data, and it’s not, I would think, it’s not actually insignificant data, it’s their bank transactions, it’s potentially their banking details, and from a bank’s perspective where do you draw the line there?

[MS LINDEN] Yeah, I think you’re right, I think as we continue to have more things like that arrive on our shores, the real challenge is for every customer or business that uses it is to be very, very clear about where this is going and how much information I have to put on.  And I think the challenge is that a lot of this is up to the individual to decide, is that an acceptable risk for my business or not?  And in lots of cases, there’s not enough due diligence done to identify the gaps that you’re talking about, and you’re in a relatively privileged position as an advisor, because you see lots of situations.  So I think there’s no clear line.

[DR SCHAPER] Any other comments from Boaz or Louis?  Look, that issue about accountants though I think is a really important one, and not least because I’m standing behind an IPA banner.  But I do think it’s important to put on the record the support that the profession and in this case especially the IPA, the IPA has been a very active partner with us in this, and in fact those of you involved with the Institute will also know that last year for example they were putting up a whole series of very convenient little sticky labels that you could actually put on your bills, and it says “Have you done these six things before you pay the bill to make sure you don’t get scammed, and here’s the Scamwatch link”.  That sort of stuff is really useful.  And we’ve got Michael Link here for the Institute and a couple of other members from the Institute floating around as well.  I’d like to put on the record our thanks to them for their support, not only in this, but on ongoing measures.  So that is an important one for those of you clearly who are advisors here.

Look, before we conclude, I think there’s a couple of points.  I was going to say takeaways, but we’ve got food in the background, so that may not be the right word to use.  But look, be cautious, but don’t necessarily be scared.  I think use a measure of common sense.  There are a couple of important points that have come out of here, not only the simple ones about making sure that passwords and your technology, protection technology, your firewalls and so forth are up to date, but also it’s not just the machinery, although the machineries are the deliveries of these, but it’s also the attitudes.  Don’t be rushed, take your time to think a little bit about who’s putting a proposition to you, and ask yourself the question “Should I do it?”.

Thank you everyone for attending.  We have food and refreshments available.  For our speakers tonight, I’d like to thank them, and I’d ask you to join me in doing so.  We have a small gift of thanks which I’ll pass out to them in a minute, and everyone, we’ve got food and refreshments at the back, so please, thank you for your time and your questions, please, enjoy yourself and have a chance to meet and talk to others as well.  Thank you very much everyone.