Cyber security for your business.
With the Australian Cyber Security Centre (ACSC) reporting an average cybercrime loss of over $39,000 per incident for businesses and over $88,000 for medium businesses*, protecting your business against cybercrime should be a priority. It can be daunting to figure out how to both prevent cyber attacks and prepare your business so you can respond quickly when a cyber attack occurs. Fortunately, there are tips and resources available to help you and your employees keep your business and customers safe online.
Join Westpac cyber security experts for a one-hour webinar on how you can improve the online safety of your business. During the webinar you’ll learn about:
- different types of business cyber security threats and risks
- the key steps and resources to help you manage cyber threats in your business.
*ACSC Annual Cyber Threat Report 2021-22
Hi everyone. On behalf of Westpac, I would like to welcome you to Cybersecurity for Your Business, brought to you by the Davidson Institute. I'm your host Rosa Cortez, from Westpac's Cyber Culture team.
Before we begin, I would first like to acknowledge that this online presentation is on the lands of the Gadigal people of the Eora Nation. I would like to acknowledge the traditional custodians of the various lands on which you are all listening to today. I pay my respects to Elders, past and present, and celebrate the diversity of First Nations peoples, and their ongoing cultures and connections to the lands and waters of Australia.
And also, before we get started, I need to also let you know that the information contained in this presentation is general and has been prepared without taking your objectives, needs, and overall financial situation into account. For this reason, you should consider the appropriateness of the information for your own circumstances, and, if necessary, seek appropriate professional advice.
Thank you for taking the time out to listen to this presentation.
By the end of this hour, you should hopefully walk away knowing more about the different types of cybersecurity threats to your business and feel better armed with key steps and resources to help you manage cybersecurity risks.
Now, presenting for us, today we have Shannon Brown, Forensics Manager from our digital security team, and Simon Brown from Westpac's Information Security Group.
Shannon is part of the team responsible for the robust security measures and real-time risk-based authentication that we provide our customers across the Westpac Group when banking online. Shannon will be presenting on current trends in digital fraud and common scams we see targeting our personal and business customers. Without further ado, I'll now hand over to Shannon.
Hi. Thank you, Rosa. And thank you to those at home for joining us for this webinar.
For the next set of slides, I'm going to be taking you through some real-life examples of fraud and scams that we're seeing targeting our customers. We're going to explore the way that some of these cybercrime types have evolved over the years. We're going to look at the way that they are specifically targeting businesses. And we'll highlight a few things that you can do to prevent and identify these threats yourself.
Now, before we get into the examples, it's important that we differentiate between a fraud and a scam. These terms are often used interchangeably. However, the way that we define them as a bank and as an industry is very, very different.
A fraud occurs when a customer did not authorise a transaction or a method of loss and they are not aware of any activity taking place. Now, an example of this would be, if your credit card is stolen and purchases were made without your knowledge.
A scam, however, is different, as it occurs when the customer has willingly participated in the transaction, but they have been misled regarding the benefit or the purpose. An example of this would be if, you know, you were purchasing an item off an online marketplace or a social media site, and you are asked to transfer money through online banking as a payment.
After you make the payment, the seller then cuts off contact, and you do not receive the advertised item. This is an example of a scam. And it's really important for us to be aware of the difference between a fraud and a scam as we move through the rest of the slides.
Today, we're going to be exploring the three most common types of threats that we're seeing targeting our customers.
Firstly, we'll talk about phishing. Phishing attacks are at the highest level in three years, both in terms of the volume that was seen and the level of sophistication that we're seeing in lures.
We will then look at some examples of malware and how malware is delivered. The majority of malicious software is delivered as a link or attachment in an e-mail. And with more and more of our communication and correspondence moving online, we have an increased risk of receiving malicious software.
And, finally, we'll be discussing business e-mail compromise scams. Now, these can take a number of different formats, and we'll take a look at these in more detail at the end of the presentation.
As mentioned, we are seeing a constantly increasing and evolving number of phishing attempts being reported by our customers. Now, phishing is the practice of requesting personal or sensitive information from the user in a fraudulent way.
This could be your online banking credentials, your credit card number, or even your e-mail address and password. This information is most often requested through phishing links that are delivered via email or SMSs that are impersonating legitimate organisations and businesses.
If the link is clicked on, it will take the customer to a fake site, which is called a ghost website, and this has been designed to look like a legitimate website. But when the customer enters in their information, it is then captured for fraudulent usage.
There is quite a common misconception that phishing emails are poorly constructed and easy to spot as junk or spam, like the example on the screen. However, there's been increasing education over the years around how to spot phishing e-mails and, therefore, cyber criminals have had to evolve, and this has resulted in more sophisticated lures going out to our customers.
One way in which they're doing this is by adapting genuine messages or communications from organisations for fraudulent usage. Now, the example on the screen is a genuine email that Westpac sends to our customers, when the monthly statement is available for viewing online.
Now, if we take a look at the example, we see that we address the customer by name, and we provide the steps under that 'how to access' part to direct the customer to navigate into this page themselves in online banking.
You'll see that there is no link in the email, as Westpac will never provide you with a link that will take you directly to a login page or any other form that is requesting personal information.
This next email however is an example of a phishing e-mail, whereby the genuine template from the original email has now been used for fraudulent use. In this e-mail, the receiver has not been addressed by name, and they have instead been addressed by the email address. This lack of personalisation is a huge red flag to look out for in emails.
If the email is claiming to be from a bank or a business or another organisation that you already have a pre-existing relationship with, they will always address you by name. So, this lack of personalisation is an indication that something isn't right, or this communication isn't coming from someone that you already know.
Under the 'how to access' menu, there's also now a hyperlink where it says 'Sign in' and 'Login to your banking' and, if clicked, this will take the customer to a fraudulent 'Westpac themed' site to request their information. Now it can be really difficult to assess whether an e-mail is genuine or fraudulent, especially when they look this similar.
However, a handy trick to get in the habit of, is hovering your mouse over a hyperlink, because when you do this, it will show you the web address to where the link will take you. And if we do it now to the 'sign in' prompt, you will see the link is taking me to a web address that is not associated at all with Westpac. So, getting into the habit of doing this can help us to identify fraudulent e-mails and phishing links before we click them and enter in any information.
We're also constantly seeing an increase in SMS phishing, which is also known as 'smishing'. And this is the delivery of links to phishing sites via SMS. The example on the screen is one that we saw in 2020 and is one of many phishing attempts that mentioned COVID-19.
Cyber criminals will often use lures that reference a stressful situation, like COVID or the threat of a fine or a penalty, to elicit an emotional response from the person receiving that SMS. When we have an emotional response to something, including that of fear, our rational thinking is suppressed, and we become more likely to perform actions that we wouldn't normally, like clicking on links or making a payment.
With any e-mail or SMS that is asking you to provide your personal information, consider two things. Consider: am I expecting this, and is there another way that I can verify this request, whether that be through contacting the sender via a trusted method or independently logging into your online account to check, not via the link in a message. And, as with emails, Westpac will never send you an SMS with a link taking you to our online banking login page.
Now, if the receiver had clicked the link, they would be taken to this fake Westpac website, which, when we take a look at it, actually looks quite legitimate. It's got all of our correct branding. They would be asked to first input their online banking credentials. They would then be asked to provide their credit card details.
This next page then asks for even more information, including identity documents, such as a driver's licence or passport, which, if this information is provided, can put customers at risk of identity takeover.
More information is then requested, including home address. And finally, email address, and email account password is requested as part of this phishing site.
Over the last few years, we have seen an increasing amount of phishing kits requesting this information. If we take a moment to consider all of the information we have in our emails, we know why this is so concerning. We have our personal correspondence, photos, other sensitive information. Our emails are often our two-factor authentication for resetting our social media or other account passwords.
And, also, if you're a business, you may have other people's data, and invoices or payment requests, in your emails.
If a criminal has access to your email accounts, they now have access to all of that information, and it can result in further compromise or further attacks. One way in which we see this affecting businesses, is the interception of invoices or requests for payments. If cybercriminals intercept these, they can then update them with fraudulent account details, before sending them on for payment. And we'll talk a little bit more about that a little later on.
Now, here are some tips on how to protect your business from phishing. And while they're all equally important, I'd like to emphasise the need to invest in staff awareness and training. This is absolutely critical.
Now, while software and technology can help to keep us safe online, we can't assume that it will block all fraudulent e-mails, and the human layer, so the person, is a final line of defence to filter out fraud and scam attempts.
To educate your staff and test their resilience, share resources like this webinar, or bring them along, and hold regular internal training sessions on cybersecurity. You can also co-ordinate phishing simulations, to test your employees and you can monitor their ability to pick up fraud.
Our second topic for today is malware, short for malicious software. Now you may have heard of terms such as viruses, trojans, worms, keyloggers. These are all different variations of malicious software. And while you don't need to know how they all work in detail, you do need to know that they can be difficult to detect. And malicious software in general just looks to cause extensive damage through the theft of money and data.
Some malware types can interact directly with an online banking session, changing pay details, while controlling what you continue to see on your screen. And what this means, is that you might think that you're paying a payee, that you have previously paid, with a known account number, but the malware has changed the destination account, to an account controlled by cyber criminals and this isn't visible to you. This is all happening in the backend.
Now, malware is mainly delivered via attachments or links in emails. And I'm going to walk you through an example now.
One really common way that we're seeing malware delivered to businesses is through a fake ASIC renewal email. As you can see on the screen, this is an email that was received by a few of our customers, that told them that their business registration was due for renewal. If they clicked on the renewal letter prompt in the middle of that email, they'd then be downloading and executing malicious software onto their machine.
Now, a lot of businesses don't know when their business name registration is due for renewal. So, a lot of businesses actually clicked that link.
Similar to phishing e-mails, it's important to consider whether an e-mail is expected. Is it from someone you know? And most importantly, can you verify this information somewhere else independently?
One of the most damaging types of malicious software that we see targeting businesses is ransomware. It is damaging in terms of the financial loss, but also in terms of the costs involved with the downtime that is suffered by businesses if they go offline due to a ransomware attack.
Ransomware works by encrypting and locking up files before demanding a ransom in exchange for the decryption key. This ransom will often be demanded in crypto or digital currency.
Now, no matter how big or small your organisation is, you can be a target for ransomware, as cyber criminals will try to make you pay for the information that you already have, that's important to you.
Now, Simon will be talking a little later on about cybersecurity fundamentals, but one thing that is really important in reducing the impact of a ransomware attack, is ensuring that you have a backup of all of your files.
If you're unsure, follow the 3-2-1 rule: keep at least three copies of your files, store them on at least two different types of storage media, and store at least one copy off site.
Now, this is an example of an email that delivered ransomware. The e-mail is impersonating AGL Energy and saying that the customer has a bill to view. Now, again, if we hovered our mouse over the hyperlink, we can see that the web address there is taking us to a website that is not associated with AGL.
However, if the user clicked on the link, they would be presented with this screen, and asked to enter a CAPTCHA. If they completed this action, they would then be shown this next screen that tells them the files are now locked, and they have to pay a ransom to unlock them.
So, how to protect your business from malware. Make sure you keep all of your systems, applications, software and POS (point of sale) systems up to date with the latest upgrades. This is really, really important for patching any vulnerabilities that are known by the company. Back up data in a secondary location and make sure you're encrypting important information.
Restrict your system and data access to only those who need it, and make sure you're deleting and removing all users. And most importantly, implement a cybersecurity policy and incident response plan.
Our final topic for today is business email compromise scams. Now you may have heard these referred to as impersonation scams, or payment redirection scams, and they can take a number of different forms. However, they are all designed to trick people into sending money or sensitive information to scammers.
Now business email compromise scams generally don't use any malicious links or attachments, so they can get past antivirus programs and spam filters. And again, this is why the human element is really, really important and why we need to be investing in staff awareness and training. People need to be aware that they are the final line of defence for any kind of cybercrime attempt.
Now in 2021, the average loss per successful business email compromise attack was $50,673. Now, I personally, have worked on a couple of different cases of losses in millions of dollars. So, I know that this number, while it may seem large, is actually quite small in comparison to some of the successful scams that we've seen.
If we move on to the next slide, this is quite a basic example that we see targeting businesses at the moment, whereby scammers will contact businesses impersonating an employee and asking to change the account details that are associated with their salaries.
Now, if we have a look at this example. In the first line, they say, "How are you doing today? I'm having technical difficulty with a HRIS page and need your help in updating my account details."
Now, this is really quite a smart line that the cyber criminals and scammers have put into this email. Because, over the last few years, a lot of businesses have moved to online portals where employees manage their own account details. So straight away, the criminals are calling that out there. They're making them aware that they know that that is part of the process, and they're saying we're having issues with that.
So, it's kind of like, they're using it to make themselves seem more trustworthy, or more legitimate as the staff member that they're posing as. Now, they're also asking them to confirm when it's updated and confirm the exact payday.
Now, this is a red flag, as most employees and most people already know their next pay date. So, that in itself is a red flag, and when it comes to these kinds of emails and these types of scam attempts, we are looking for any deviation in normal language or requests that we wouldn't normally see from someone, and this in itself is a change.
The next example is quite similar, but in this example, they are taking advantage of a supplier-to-supplier relationship. This is an example of a letter that one of our customers received a couple of years ago. It came attached to an email and advised them of new account details to pay their next invoice into.
It looked quite legitimate. It had a letterhead on it. It included the previous account details, and it came from an email that looked to be from a contact and a company that they had always dealt with.
For us, we recommend that if customers, or businesses, or individuals receive an email for a change of account details, we ask that you call a trusted source, and you verbally validate this before you make a payment.
Unfortunately, in this particular example, they did not verbally validate and there was a loss of 1.2 million dollars to the customer. So, it's really, really important that we are verbally validating.
The next example is another example whereby an invoice has been intercepted. But in this case, they have put in the fraudulent account details, but also left in the genuine account details.
Now, if we click here, we'll see a little red arrow pop up, and this is pointing to the fraudulent account details at the top. And down the bottom it's actually pointing to the genuine account details.
So cyber criminals, I don't know whether they got a little bit lazy or work was a little bit busy, or if they just missed those, but they didn't take out the genuine account details, and they've just left in the fraudulent ones. In this particular case, unfortunately, the receiver did not pick this up, and it did cost the business $45,000.
But it's just important to note that sometimes cybercriminals do slip up, and it's important to look at everything that we have before we make a payment. And again, if you're unsure, pick up the phone and verbally validate with a trusted source at the business.
Now, some tips on how to protect your business from business email compromise scams.
Now, I've said it a couple of times, but just to reiterate, verbally validate any email requests for sensitive information, urgent payments or change in account details. Make sure you're doing this on a number that you trust, and never use the contact details that are provided in an e-mail or an SMS.
Use multi-factor authentication and dual payment approvals, where available. This will always help to provide an added layer of protection, or an additional set of eyes to look over something before a payment leaves.
Make sure you're empowering your employees to question any request that they are unsure of, or that do not follow standard process.
Now, for these kinds of scams, we do often see them targeting either newer employees or employees that are in reception or admin roles, who are doing a million different things at once and dealing with a lot of different people, and a lot of different requests for payments.
And one of the reasons they do that is because they think that staff will either be so busy that they won't have time to verbally validate, or, if they are newer, they will have somewhat of a 'fear the boss' mentality and will feel too awkward or embarrassed to question a payment that they are unsure of.
So, make sure you're having conversations with your staff and letting them know that it's OK to question a payment, or a request for payment, and let them know who they can contact in the event of that happening.
And we also recommend, if you can, register your ABN for PayID. By doing this, it means you can provide your ABN instead of your bank account number for someone to make a payment to. It means that when they input your ABN, it will show them your business name, and they can have more confidence in who they're paying.
If this is something you're not sure about, contact your Relationship Manager or contact Westpac directly, and we can advise whether your account is eligible for that. Thank you Rosa. And onto reporting.
Please report any suspicious activity immediately. If you, or your business, has been involved in a scam, attempted scam or any other type of cybercrime, please report it. Now, the first place you need to report it is to your bank or credit union. That is so important. Money moves so fast, and for us to have the best chance of recovering your funds, you need to report it as soon as possible.
We also recommend that you then report it to the Australian Cyber Security Centre, and also to Scamwatch, and all of that information is available on our website at westpac.com.au/security.
Thank you, Shannon. Our next speaker is Simon Brown, Head of Cyber Strategy and Advice for the Westpac Group. In this role, Simon is accountable for the cyber security strategy for the Westpac Group, its operating model for cyber security and embedding cyber security across the broader group.
Simon has more than 20 years' experience in cyber security, across a broad range of sub-fields, including security engineering, operations, architecture, red teaming, and research, as well as technology strategy.
Simon holds an MBA from MGSM, and a Bachelor of Science with Honours from the University of New South Wales. Simon, thank you for joining us, over to you.
Thanks Rosa. Hello, everyone. And thanks for taking the time to join this webinar. Shannon shared a really comprehensive look at the way fraud and scams can affect businesses, and that can be really confronting. In saying that, what I'd like to do now is take a look at some of the ways you can try and prevent these things from happening in the first place.
I don't want to continue on a negative note, but 2022 has seen quite a few data breaches announced publicly in Australia. Indeed, I'm sure you've seen the headlines and you may even have been affected. It's safe to say that that's made all of us much more aware of the environment that we're operating in here, and certainly those escalating cyber challenges.
So, now, more than ever, it's important to really think about how you can protect your business from cybercrime, and to continue having that conversation.
Preparation is absolutely the best strategy to have when it comes to facing these threats. And what we're all doing today is really helpful in talking about these things so we can understand them better and share these messages with colleagues and fellow business owners.
So, today, I'm going to now talk about some of the things you can do to feel more confident in your business's cyber security preparations.
So, to set the scene with a little more detail, we're going to jump into a view of the Australian Cyber Security Centre's Threat Landscape Report. The ACSC are a government body who lead the Australian Government's efforts to improve cyber security, and they see their role as helping to make Australia the most secure place to connect online.
To support that, they monitor cyber threats continuously, they alert Australians early on about what's going on, and they provide advice to businesses of all sizes, including small businesses. One of the things they do is then synthesise a series of that advice into a view of how the threat is evolving every year, and what they're seeing in those cybercrime reports that Shannon mentioned earlier.
You can see some of the key findings on the right here.
So, certainly, it continued to increase. To give you a sense, last year they were confirming that they received a report of a cybercrime every eight minutes. It's now every seven minutes. So, that's about, as it says on the next row, about a 13% increase in the number of incidents reported to them.
They've also reported a rise in the average cost per cybercrime report and for a small business that's now typically averaging about $39,000 per event. For larger businesses, it can be as much as $60,000 or even $90,000. Again, growing at about 13-14% a year, in terms of that average impact, they're describing.
You'll see some common types of cybercrime that they see reported here. But I think the most important thing to remember is that every sector of the Australian economy, has seen at least some impact from those ransomware incidents.
So those incidents are essentially indiscriminate. The criminals are going after any organisation that they can find that is vulnerable. So, it's really important to reduce the vulnerability of your organisation.
So, quite often, you see a lot of these threats bundled together. It's helpful to separate them out a little bit, to give you a sense for what are the kind of key categories of threat that an organisation might face, and what are the key things you can do to face into that?
The first on our list here is ransomware, as Shannon talked about. And so we're gonna go a little more into detail here, but essentially it will echo what Shannon said. So, ransomware is a type of malicious software that infects a computer or device. It encrypts the files and renders them unreadable and unusable until a fee is paid.
Some ransomware actors, in addition to blocking that data and sending ransom notes will increasingly threaten to attack in other ways as well, like, for example, publishing that stolen data publicly in order to embarrass the affected organisation.
The key thing you can do to limit the effect of a ransomware attack on your business is to have those regular backups. And Shannon talked about the three-step process of ensuring that you have those copies, and that they're in multiple physical places and offline.
And the more quality you have in your backups, the more frequently they're collected, and the better they're protected, the more options you have if you do experience a ransomware incident.
It's really important to, as we'll talk about in subsequent slides, to make sure that your systems are not vulnerable to the extent you can, so that includes things like patching but, absolutely, those regular backups are your most powerful defence against a ransomware event really affecting your business.
Second, on business email compromise, fraudsters are going to try to break into the email accounts that you have and the email accounts of your suppliers and customers, and then either, if they can get into your email, convince your customers and suppliers to send funds to other places.
Alternatively, if they're broken into someone else's e-mail, they're going to try and convince your people to do the wrong thing.
So, there's a lot of value here in really teaching your employees to be suspicious about those e-mails, that don't quite make sense, that unexpectedly tell you that someone's banking account is changing. That's a good sign of an inbound business e-mail compromise.
Or, alternatively, being aware of those conversations with customers or suppliers, where they ask you why your bank account has changed. And it's really important to kind of catch those early warning signs quickly.
In terms of then, phishing attacks, scammers are sending bogus e-mails pretending to be legitimate businesses to try and steal financial and personal data. Usernames and passwords are a big target here, and these scam emails can pretend to be essentially anyone, whether that's a law enforcement brand, or something like a package tracking system.
So, in addition to the employee awareness piece that we talked about in business email compromise above, the other element that's really important here is using that strong, multi-factor authentication wherever possible. What that means is, if an employee gives up their username and password, or, you know, a piece of malware takes a copy of that username and password, the username and password is not enough to gain access to your accounts.
You need that additional step, whether it's an SMS one-time password, or a confirmation on a second device, or even one of those hardware tokens. So, building your systems in such a way that an attacker can't get access to your system if they've just gotten a username and password, then that additional step protects you as well. And that's particularly important for your email systems.
Last on our list here is malware. Everything we've said above applies; certainly, being suspicious about links and attachments will do a lot to help protect your organisation. The additional specific step that you can take here is making sure that you've got that antivirus software installed on your devices. That you're getting the software updates done quickly, as soon as they're available. And, again, encouraging your employees not to download suspected or slightly dicey files and documents.
So, more broadly than that, what can you do to protect your organisation? Again, while reflecting the disclaimer at the start, that this is general advice and doesn't take your circumstances into account, here are some things that we'd encourage you to think about in helping make your organisation a harder target and a more resilient organisation, from a cybersecurity perspective.
The first one won't surprise you at all. It's really to have that plan in place. So, we’ll talk about a thing called the cyber response playbook next, and this is a piece of content we've produced with ACSC (Australian Cyber Security Centre) to help you structure your plan to both prepare for and reduce the incidence of cyber attacks.
But fundamentally, having sat down and spent some dedicated time, looking at your business and understanding the cyber security profile of your business, and what your assets are, and how you protect them; having sat down and done that work will already put you in a much stronger place than many organisations across the economy.
So, once you've got that plan, the most important thing to do straightaway, is to really take a hard look at those backups and the monitoring that you've got in place for your systems and applications.
It's really important to back up your systems and critical data regularly. So that anything you need to run your business, you've got a copy of it. And, that you've got a copy of it that's separate from where you keep your day-to-day business data.
So that backup, that digital copy of the most important information, like customer details, financial records, is critical in order to enable you to have options, if you experience a ransomware attack, but also, if you experience a system failure, or if a service provider suddenly can't help you because they've got their own issues. Having independent copies of that data really makes a difference in terms of protecting the ongoing continuity of your business.
Ideally, those backups are automatic. They're default, kind of set and forget, but it can be helpful to have an element of human processing there as well. Particularly, you know, safely disconnecting and removing, occasionally, a copy of that data to make sure that it remains completely offline.
Third, managing employee access is really important, and I know this is tough in a small business where you don't have lots of people, so segregation of duties is really difficult.
But managing who can access what within your business's computing environment, within your online accounts, and even your social media, is really important. Now, that's not about whether or not you trust your employees. Clearly, you trust your employees, but it's worth remembering that those attackers that we're trying to defend against are trying to compromise those employee usernames and passwords.
So, by limiting which of your people can access which systems, by making sure that you've got segregation of duties or two-to-sign, particularly for financial transactions.
You might trust your employees entirely and that's appropriate. We're also trying to make sure that if an attacker gets control of their accounts, the attacker can't do too much damage. That's particularly important for employees that have administration access to systems, or who work across different areas in your business.
And it's probably appropriate, even at relatively small scale, to have them use different accounts for their day-to-day low sensitivity operations, versus those accounts that have lots of significant control over the systems.
So, for example, if you're an accounting business, you might have a day-to-day user account that you use to access your accounting platform in order to do user transactions, but when you need to make those really significant changes, like adding and deleting accounts, or changing banking details, you probably want a separate account for that kind of access.
And, again, you've got to make sure that you've turned on that two factor authentication wherever it's offered.
That brings us nicely to the fourth one, which is that two factor authentication. So, anywhere that you can turn on that multi factor authentication, the two steps to sign in, that really significantly makes it harder for an attacker to get into that bank account.
So, multi factor here, the factors are often described as: something you know is one factor, like a PIN, or a password, or a passphrase. The second kind of factor is something that you have, like a smartcard, a physical token, or a mobile phone. And the third thing is something that you have, a biometric or facial recognition.
And multi factor authentication just means you have to prove two of those things in order to login.
It's really critical to have that in place around your email accounts, your bank accounts, and any other critical systems that are used to run your business. Think perhaps, your accounting system, your customer records, and your intellectual property.
Multi factor authentication is one of the most effective things you can do to protect against unauthorised access to your information and your accounts. And it does make it significantly more difficult for criminals to attack your business.
Fifth, keep software up to date and have a patching habit.
All of us have got one of those devices with the little red icon in the top right that's, you know, been hanging around for 2 or 3 weeks reminding you to do a software update. I'm here to tell you that, a little like eating your vegetables, you know, getting the software updates done is really important.
Pretty much every software update is fixing a security hole. The longer you leave it before doing that system update, the longer that known vulnerability is in place. To give you a sense of best practice, the ACSC recommends patching these kinds of vulnerabilities within 48 hours.
So, it really is an urgent task to just, kind of, get it done, and get that patching done.
Finally, people are a critical component of the security of your organisation. They can be potentially an opportunity for the bad guys to get in, but they're also your best sensor network. They're your first line of defence. So, helping your employees understand the importance of cyber security, what it looks like, what a danger looks like, and particularly the things that they can do on this page, to help improve the security of your organisation, your people really are one of your best assets.
As Shannon outlined earlier, phishing and any business e-mail compromise scams are really common and if your people are great at spotting and resisting those, that again, buys you a really big chunk of cyber security improvement quite easily.
So, I mentioned a minute ago the Incident Response Playbook. This is something that we've developed with the Australian Cyber Security Centre.
It's published on our website, with their support, and it essentially sets out a series of steps that you, as a small business, can go through, to really both strengthen the security of your organisation today, and to reduce the likelihood that you will experience a successful cybersecurity attack.
But, more than that, it also helps you prepare for what to do if an incident occurs.
So, if you do experience a cyber security incident, you don't want to be coming up with the plan in the moment. The more thinking that you can do in advance, to then more swiftly execute your plan, that'll help.
So, the playbook works through both some things you can do to protect your business today, but also an outline for how to think about building a plan that you can use if your organisation does experience a cyber security incident. To again, help you move a bit more swiftly through the process of understanding the incident, containing it, and then responding to it and helping protect your organisation.
So, finally, we'll leave you with this slide here. This is a series of links for places to go for additional help and support. You'll see here at the top there are some Westpac resources, which we'd love for you to check out. They contain a lot of the insight and advice which was produced earlier in this conversation.
The second are some key Australian government sites. So cyber.gov.au is the Australian Cyber Security Centre. Scamwatch is part of ASIC, and so on. These are great ways of building a better understanding of the kinds of challenges facing organisations across the economy.
And at the bottom, there are some particular alert services. So, free services where you can subscribe to additional information about the kinds of attacks and challenges that organisations and the government are seeing across the economy.
Again, in the spirit of helping you understand what's going on, and therefore, better prepare, to resist those challenges, and to protect your organisation, and to protect your customers as well.
So, thanks. That's a bit of a fast tour through some of the key things you can do to help protect your organisation. Rosa, with that, I'll pass back to you.
Thank you so much, Simon, and thank you, Shannon. That concludes our webinar on Cyber Security for your Business. On behalf of Westpac and the Davidson Institute, thank you for listening. We hope you found it valuable.