Getting cyber smart


To be competitive dental businesses are required to be part of an internet-based economy. But what can you do to ensure your sensitive commercial information remains uncompromised? Tracey Porter reports on cyber security.

At first glance American group Advantage Dental, Australian users of trade site Gumtree and an embattled former Prime Minister of Iceland would appear to have little in common.

Yet in recent months all three have suffered high-profile losses financially, emotionally or professionally after falling prey to cybercriminals whose sole agenda was to manipulate their victims’ confidential information, stored online, for their own means.

According to the latest Australian Cyber Security Centre Threat Report, the first of its kind to be declassified, the Government’s Computer Emergency Response Team dealt with 11,073 cyber security incidents affecting Australian businesses in 2015.

The report noted that during one four-month period a programme that provides participants with daily notifications of IP addresses vulnerable to malicious exploits or infected by malware reported over 15,000 malware compromises daily to Australian Internet Service Providers. 

The estimated cost of cyber crime to all Australians is around $1 billion per annum with the perpetrators ranging from teenagers learning the trade on freely available (but still extremely powerful) software to internationally organised syndicates with a web of servers and skilled hackers across the globe.

Facing the growing threat

In fact so concerned are the country’s leaders about the threat posed by online criminals that two months ago Prime Minister Malcolm Turnbull launched the Government’s new Cyber Security Strategy, a set of 33 initiatives backed by $230 million in funding to help anticipate and respond to cyber security threats.

Technology firm Symantec, in its 2016 Internet Security Threat Report, says its research shows attacks are “increasing in number and sophistication”, with the types of actions ranging from ransomware and spear-phishing (where an email that appears to be from an individual or business that you know is used to access your credit card and bank account numbers, passwords and other financial information) to fake technical support scams.

Australian Federal Police cybercrime operations team leader Scott Mellis says cybercriminals have become smarter, engaging in reconnaissance missions to ensure maximum gain from compromising online payment systems, rather than performing smash and grabs.

The threat to your practice

But what does all this mean for Australia’s small and unassuming dental community? Well, in short it means you may have cause for concern if you have failed to update your anti-virus software.

In the case of Advantage Dental, the company was forced to send out notices to its 151,000-strong customer list after an online security breach led to concerns valuable patient data may have been leaked. It is understood the company’s internal membership database was compromised for three days during a 2015 incident that occurred after malware was loaded on an employee’s computer and then used to access the group’s membership database. The data accessed by the hackers included patient names, dates of birth, phone numbers and home addresses. This sort of situation is why businesses need to have a robust cloud security platform, or some other form of solid security, in place.

“Small businesses are rarely targeted for their data. It’s usually for the server power.” – Chris Garrett, Hack Rescue

Cyber crime experts agree Australian businesses need to change their mindset from assuming they’re safe from attacks to realising they are probably going to be compromised at some point.

Software developer Chris Garrett, who runs Hack Rescue, a digital data restoration service, says in order to be effective, hacking requires processing power: the more power, the quicker “they can get in.”

“If, for example, a hacker hijacked 1000 small business servers without the knowledge of the owner and used them as a single and very powerful machine, they could then go after more valuable targets. Small businesses are rarely targeted for their data. It’s usually for the server power.”

Garrett says the most common way to hack a website is to guess the password. Free software is available that runs on an ordinary desktop PC that can check over 100 million combinations per second. A complex eight-digit password using mixed cases, numbers and symbols can be cracked in less than 17 minutes.

Keeping patched up

Garrett says cyber crime has been allowed to escalate because many web administrators are struggling to stay current on patches.

Such was the case of Iceland’s ex-Prime Minister who was forced to resign after being caught up in the Panama Papers. Allegations his family attempted to hide millions in offshore accounts were leaked following an alleged hack of law firm Mossack Fonseca. It was later found the information was able to be hacked simply because the law firm had not been encrypting its emails, he says.

“The firm’s Outlook Web Access software had not been updated since 2009 while it was also running an outdated version of WordPress. In addition its content management system was using an outdated version of software that had 25 known vulnerabilities.”

Garrett says larger businesses tend to have a better understanding of the importance of cyber security and allocate appropriate budgets.

The real gap, he says, is in small business. “It’s a cost that is rarely prioritised. Many of them think that they have nothing worth hacking, but they do. Everyone does. Often you won’t know that your site has been hacked. The hackers will be using your server for their own purposes. They may be relaying spam emails or building pages with malicious code or SEO spamming. If Google or other indexes detect anything suspicious, your URL will end up on a blacklist and they will not direct users to your site. These lists are difficult to get off.”

If the hackers are given enough time, they may gain further access, taking control of internal systems and devices.

Nothing is certain

Currently there is no product on the market able to offer 100 per cent cyber security protection.

“There is no such thing as 100 per cent security, but there is a lot you can do to deter hackers long enough for them to move to easier targets,” says Garrett.

To ensure their online IP is protected, Garrett says all SMEs, including those operated by dental practitioners, should budget a minimum of about $1000 per year to have their web developers update all software.

He suggests thinking of your business website as you would your real world security by identifying your weak spots, then finding ways to defend them by installing anti-malware, anti-spam and firewall software. There are loads of companies out there that would be willing to help you with this sort of thing as well. 

Garrett says there are a number of ways dental websites or other vulnerable sites that perform financial transactions or store confidential data can protect themselves. These include:

  • Employing passwords that have 12 characters with a mix of upper and lower case, numbers and characters;
  • Having an SSL (Secure Sockets Layer) Certificate that encrypts data in and out of the site. Email is not secure unless it is sent via SSL;
  • Making sure the system you use encrypts the data in storage;
  • Limiting the number of people with access. If the data doesn’t need to be accessed by anyone outside the office, set up a VPN Tunnel (Virtual Private Network);
  • Blocking all IPs but your own on a software or server level;
  • Installing a firewall such as Cloudflare or Sucuri, which are efficient and relatively inexpensive.

He also advises practices consider undertaking a digital audit each year, which investigates online security across all websites and email and includes an assessment of the software in use and how it has been set up and hosted.
