"Data is the new gold rush,” said cybersecurity expert Chris Watson, Grant Thornton, warning that cybercriminals are diligently prospecting for valuable information, exploiting vulnerabilities and forging new techniques to seize this digital treasure trove, posing an ever-growing threat to individuals and organisations across Australia, during his session at The Tax Summit 2023.
MELBOURNE 7 September 2023: In a gripping presentation on day two of The Tax Summit 2023, cybersecurity expert Chris Watson, Grant Thornton, sounded the alarm on Australia’s escalating cyber threats. In his session, entitled “Hunted by hackers? Cyber risk and client/supplier created exposures”, Watson delivered a compelling message on the imperative of proactive cybersecurity measures.
Drawing parallels between traditional crime and cybercrime, Watson stated, “Before the internet, thieves would put a stocking over their heads, grab a shotgun and go to rob a bank. The problem with that was, not only was there a high chance of getting caught but also of being shot.”
However, with the advent of the internet and the interconnectedness of the world, cybercriminals have seized upon the opportunity to target individuals and organisations with alarming efficiency. Watson's message was unequivocal: "Cybercrimes are real, they are happening, and they will affect you at some point in your career, if they haven’t already."
One of the central points of Watson's presentation was the fallacy of portraying most cyber attacks as "sophisticated". He challenged this narrative, emphasising that many attacks stem from individuals surrendering passwords or unknowingly downloading malicious software.
Watson went on to explain that hackers go through a certain process to compromise a victim’s systems, which can be broken down into three key areas:
He then shared an analogy, likening cyber hacking to breaking into a home. He said, “I'll draw the classic analogy with the burglar walking down the street. I'm walking down, and I'm looking at houses. I’m checking the houses, [looking] for the ones that appear to be less secure and a bit more inviting than the ones that have padlocks and the CCTV.
“OK, I've found a house that actually left the back door open. And I've stepped in and gained access to the network – that's the first part. The second part is, OK, I'm in there now. I want to see how far I can wander around your house and see if I can get to better parts of the house. I walk in and find an open door that has all the crown jewels. And the third part is, I have gone through the house, and I have found the places where I want to steal stuff from.”
Watson highlighted the increasing importance of data protection, asserting, "Data is the new gold rush. These criminals are coming after the data, and that's the danger to your organisation.
“We’ve found that once they have access to the data, one of two things often happens. One, they steal it or two, they encrypt it to prevent you from having access to it. When this happens, you have to pay the money in order to get access,” Watson explained.
In the modern world, AI plays a crucial role, executing tasks that traditionally demanded human intelligence and resources. The fundamental distinction between humans and machines, however, lies in the swiftness, precision and accuracy – ultimately, the enhanced efficiency – with which specific tasks are accomplished. And cybercriminals are using it to their advantage.
“AI is being used extensively to identify, sniff out and compromise systems. [Hackers] use a variety of tools and techniques to get that back door open. There’s social engineering where you go around and grab discrete pieces of information that when put together, form a picture around what your security looks like, what your password is or how your systems are configured. And they’ll use that information against you,” Watson cautioned.
During his session, Watson also delved into various tactics used by cybercriminals, including phishing/spearphishing and the vulnerabilities posed by third-party providers.
“Phishing and spearphishing are common techniques that criminals use to get into our systems that involve sending emails or calling people to get information. And it was exacerbated by COVID, with so many people working from home. This flexible working created a number of vulnerabilities in an organisation’s network that didn’t exist before,” he explained.
“Third-party risk is one of the biggest risks out there at the moment, happening to companies like Medibank, Optus and Latitude. Third-party providers were the weak links to those organisations. They had the backdoor open and allowed somebody to get in.”
Australia is the 5th most hacked country in the world, by density, with almost 2 million leaked accounts, or 15 leaked accounts per minute – 11 times more than the first quarter. “We’re the most targeted country in the world,” Watson pointed out.
Cyber incidents are estimated to cost as much as $29 billion globally. And over $3.1 billion was lost to scams in Australia in 2022, according to the ACCC. “These are pretty frightening numbers in terms of what it costs Australia’s economy,” he said.
“Cybercrime is affecting businesses up and down the country. But not every organisation can survive the cost, the financial losses if they’ve had to pay a ransom and the cost of what’s being called cyber resilience, which is the time it takes to get back up. You have to pay lawyers and PR expenses — the cost to an organisation is significant,” he explained.
Watson also dispelled any romantic notions about hackers and implored organisations to adopt stringent cybersecurity measures. “We have a romantic notion around who hackers are,” Watson said. “Particularly, when we talk about ‘hacktivists’ who are hacking because they feel passionate about a particular issue in environmentalism or animal welfare, for example.
“This notion of there being honour amongst thieves is ridiculous, especially within the cybercriminal fraternity. There’s no such thing.”
“They have markets on the dark web where anyone can go and hire a hacker. You can say I want XYZ to be hacked. How much [can you do it for]? Basically, anyone can download a shrink-wrapped hacker package off the dark web for a certain amount, aim it at an organisation and not really understand the damage they’re about to cause,” Watson shared.
He added, “If you are subject to any cyber attack, you must have a thorough and robust plan in place to cleanse the systems and get yourself back up effectively with a clean system. That can be in the form of backups or other sources.”
Today, passwords remain an issue. “The most common password is still ‘password,’” Watson confirmed. “The second most popular password is ‘password1234’. We still haven’t gotten around to improving our password hygiene.”
Watson said: “I urge you to go out there and educate yourselves around passwords, whether you use password managers, passphrases, whatever. Just improve. Don’t use your favourite football team. Don’t use ‘password’.
“The basic exercise of improving passwords will go far in improving cybersecurity both as individuals when we’re working from home or when we’re in the workplace.”
“The other thing I want to challenge is to get over the notion that you don’t have anything that someone would want to steal because you do. Every organisation in this world has what these criminals are after – data. That’s the names, addresses, telephone numbers, credit card numbers and bank details,” he said.
“We’re talking hundreds of thousands, if not millions, of identities, profiles and credit cards are being compromised in a single attack. Cybercriminals are organised and they’re hacking, ultimately, for money. The best way to get that money is to breach into the organisation and take the data out,” Watson said.
“The rule of cyber is don’t trust, verify. You need to take the stance that you don’t trust anybody inside or outside of your network. There have to be constant gateways and checks, whether that’s through multi-factor authentication or through multiple passwords for different parts of the business,” he said.
With the theme ‘Spark Change’, The Tax Summit 2023 has an inspiring line-up of the nation's most forward-thinking minds, including Karen Payne, CTA, Inspector-General of Taxation and Taxation Ombudsman; David Thodey, AO, Chair of Xero, Director and Chair in waiting at Ramsay; Australian Sporting Legend Kevin Sheedy; and many more. Held at the Melbourne Convention and Exhibition Centre (MCEC), The Tax Summit 2023 brings together taxation specialists, lawyers, accountants, newcomer tax professionals and business leaders as well as anyone with an interest in the latest issues impacting businesses on a local and global scale.
The Tax Institute is the leading forum for the tax community in Australia. It is committed to furthering tax education, representing its members and continuously improving the tax system for the benefit of all. For more information on The Tax Summit and its line-up of more than 70 expert speakers, covering topics including economics, property, business, global tax developments and technology, please see the full program.
Chris is a Partner within Grant Thornton’s Consulting Team and has over 25 years’ experience in cyber security and risk management. Chris spent 12 years in the City of London Police as a Detective in the Crime Scene Investigation Unit, and was responsible for building the Computer Crime Unit.
Since moving to Australia, Chris has worked for Big 4 and mid-tier forensic practices as well as acting in a risk and compliance role in the oil and gas sector. During this time, he conducted investigations into numerous matters including the theft of intellectual property, fraud, employee misconduct, bribery and corruption, and Sarbanes-Oxley reviews.
Chris has led a number of engagements in the Financial Services sector encompassing banking, superannuation and cryptocurrency which have included the investigation of financial crimes, and facilitating workshops in relation to internal controls, fraud, AML, and regulatory risk.