Australians' casual attitude to security is due to a combination of lax attitudes and a lack of mandatory disclosure laws, says Symantec.
Australians work hard, but don't take themselves, or life, too seriously. It is this very attitude that causes lapses, according to Symantec senior principal systems engineer (security), Nick Savvides.
“Our laid back attitude that has so many benefits in other parts of society, really lets us down when it comes to cybersecurity,” he said.
“I think there is a bit of laziness about it, but I think it has more to do with complacency when it comes to consumers.
“No matter how many times consumers hear about malware incidents, they still have an attitude that it won’t affect them.”
He believes there is a correlation between mandatory disclosure of security breaches by business, and public attitudes toward security.
“It makes people feel artificially secure when they don’t realise what is happening to their data. I definitely think mandatory disclosure laws are important.”
According to the recently released Symantec Internet Security Threat Report (ISTR) 2014, five out of six large organisations globally (organisations with over 2500 employees) have been targeted with an attack specifically crafted for that organisation.
“Australia is a microcosm for the rest of the world,” Savvides said.
“A lot of the targeted industries are very well represented here in Australia. If we look at our top industries such as finance, health, mining, energy and exploration, those are the top five globally.”
The Role of State Sponsored Malware
Highly sophisticated malware campaigns are no longer the exclusive purview of state-sponsored actors, Savvides said. Cyber-criminal gangs are now looking to exploit those same vulnerabilities for financial gain.
These criminal organisations are able to commit a large amount of time and resources to these sorts of attacks and, in some cases, operate in a similar manner to legitimate businesses.
“We profiled one organisation that had an intern program. A bunch of crooks with an intern program...” he said.
“When we look at the targeted campaigns, we can split them up into two broad categories, small business and enterprise.”
“In Australia, small business is over represented, 39 per cent of targeted attacks are directed at small business, that’s companies with 250 employees and under.”
“Enterprise, firms with 2500 or more employees, constitute 35 per cent of all targeted attacks. The rest is split up into chunks of companies with 500, 750 or 1000 employees, those are medium sized businesses.”
“The bulk of these attacks are directed at small business and the large end of town, but the attacks are different. At the small end of town, we are seeing a lot of crypto-malware. This is serious business. From our stats alone, we are looking at hundreds of infections of crypto-malware in Australia per day. Most of these attacks are executed using malware kits. There is a big economy in purchasing those kits.”
Criminal entities have really moved up a level in terms of professionalism, he believes, and wonders how long we can continue to call these attacks 'sophisticated', or 'exclusive' when so many entities are using them as standard.
“We saw a massive increase in crypto-malware on the consumer side. 45 times the number of devices were locked up in 2014 as opposed to 2013,” he said.
Share and infect alike
The other reason crypto-malware has been so successful in Australia is that it is linked to our high use of social media. And it's not all bots.
“Globally we found that 70 per cent of threats shared on social media were manually shared. Someone was tricked into sharing something.”
Australians were 17 per cent more likely to share this type of malware than anywhere else in the world. In total, 87 per cent of threats on social media were shared manually.
Australia ranks seventh worldwide in crypto-malware infections.
“Unfortunately, Australia is always so well-represented in the figures,” Savvides said.
“There are a number of reasons for this. Australia is a sophisticated and wealthy country with a lot of early adopters, and a lot of people that have ubiquitous access to data across smartphones, tablets and laptops.”
“This makes Australians very attractive targets to cybercriminals.”