Winning the Cyber War

This article appeared in the 2023 March/April issue of InClean Magazine.

High-profile ransomware attacks in Australia are a reminder that cleaning and hygiene companies need a cybersecurity plan to protect their businesses and people.

For cleaning company executives, it would be easy to dismiss the recent ransomware attacks on Medibank and Optus as an irrelevance for them.

After all, why would cyber criminals worry about relatively small businesses when they can go after the big fish?

Such complacency is highly risky, according to Monica Schlesinger, a cybersecurity governance expert and CEO of the Australian Health and Science Institute.

She notes the extensive use of subcontracting in the cleaning sector means smaller players are often called in to assist bigger companies.

“This three-person business is doing the cleaning services for some high-security companies and they’re suddenly the gatekeeper,” she says.

“They open the door to that business, whether they open the door with a physical key, a swipe card, or with a phone that is not secure and can be hacked.”

Such a scenario can leave businesses of all sizes exposed to cybersecurity risks and potential class actions if a ransomware incident occurs.

“Putting your head in the sand doesn’t work anymore,” Schlesinger says. “An attack can affect not only your company but your clients’ networks as well.”

Safeguarding your data and documents

TEAM Software’s Ben Howden provides advice for cleaning companies seeking to protect data related to tender documents, contracts, employee information and payroll technology.

  1. Keep employees’ operating systems and software updated regularly so they are using the most secure version.
  2. Implement regular or automatic data backups of your business’s most important information.
  3. Utilise multi-factor authentication (MFA) for access to key systems. MFA typically requires a combination of something you know (username and password), something you have (physical token, authenticator app) and something you are (a fingerprint or another biometric).
  4. Implement access controls to manage who can access specific data within your business environment. Access controls help by restricting access to files, applications, databases, mailboxes, networks and other sensitive information. Many businesses follow the principle of ‘least privilege’, which gives users the bare minimum permissions they need to perform their job.
  5. Consider using a password manager to enforce minimum password rules and prevent re-use of passwords across multiple systems.

High price to pay

The Australian Cyber Security Centre estimates that cybercrime costs Australia about $42 billion a year, with the government agency receiving more than 76,000 cybercrime reports in 2021-22, an increase of almost 13 per cent from the previous financial year.

The average cost per cybercrime is $39,000 for small businesses, $88,000 for medium businesses, and more than $62,000 for large businesses.

Ben Howden, Asia-Pacific director of growth at workforce management solutions business TEAM Software, says the Medibank and Optus cyber-attacks highlight the critical importance of investment into IT and cybersecurity within the cleaning industry to protect against possible financial and reputational losses.

“Given the profile and scale of these cyberattacks, businesses, employees, and consumers now have a heightened awareness of how their data is being handled by third parties,” he says.

Howden says that, given the notable increase in cyber-attacks in Australia during the past 12 months, cleaning companies should consider taking the following steps to reduce risks:

  • engage a professional cybersecurity provider to conduct a security review of your business
  • ensure staff are trained in IT security to minimise the risk of a security breach
  • consider hiring someone with experience to manage IT security
  • conduct a review of your IT and software providers to ensure they are following security and data best practices
  • ensure your business has a defined disaster recovery plan in the event of a cyber-attack or data breach.

Directors and boards notice

Regardless of the size of the cleaning operation, Schlesinger says directors have a duty of care that includes understanding and acting on cybersecurity risks, while also appreciating that attacks can impact them personally.

“It takes vision, time and knowledge,” she says.

Crucially, Schlesinger says cyber threats are much more than an IT risk and require multiple lines of defence – incorporating staff training; HR policies that protect the business and its data; and robust finance and risk management strategies.

To that end, cybersecurity should be on the agenda at every meeting, with CEOs, directors and IT experts driving the knowledge and education that helps ensure the long-term sustainability of the company.

Although they may not have the IT or management resources of bigger entities, Schlesinger says a good starting point for smaller companies seeking to understand their cyber-risk responsibilities is to access sources such as the ASX Corporate Governance Principles and Recommendations; the Corporations Act – Sections 180-183; the Privacy Act; General Data Protection Regulation (GDPR) in Europe; and the Australian Institute of Company Directors’ Cybersecurity Governance Principles.

Howden says cleaning companies derive the majority of their revenue from supplying labour and, therefore, typically employ large workforces. As a result, they store a large amount of personally identifiable information (PII) employee data across a number of different internal and external systems.

“PII data is particularly sensitive as it can be used on its own, or with other information to identify, contact or locate a single person, or to identify an individual in context,” Howden says.

“This type of data is attractive to cyber criminals as they can use it to hold businesses to ransom, or drive income from selling the data, or attacking individuals.”

He says the nature and volume of this data puts cleaning companies in a position of increased risk, noting that it was only recently that employees at both public and private sector organisations had their data compromised during a ransomware attack on a popular timekeeping and payroll solution that is used by several large facilities management and cleaning companies.

Get appropriate insurance

The primary lesson to be learned from the recent spike in cyber-attacks is that education is the key, regardless of the size of the business, according to Jane Mason, head of product, channels and risk at insurance service provider BizCover.

She notes that both the Optus and Medibank attacks largely came down to human error. Optus left an application programming interface (API) – which is essentially a gateway to information – open online, allowing hackers to access sensitive customer data. The Medibank attack, which released the sensitive medical records of thousands of people, occurred simply because one single desk support worker did not have multi-factor identification.

In addition to ensuring that qualified IT professionals install and manage best-practice cybersecurity systems such as encryption, firewall and antivirus software, Mason says businesses should take out a cyber insurance policy to protect against the financial consequences of an attack.

For any risk, Mason says business owners in the cleaning industry need to ask themselves, ‘could I stay afloat by myself if this risk were to happen?’

“If the answer is ‘no’, then you might want to consider if there is an insurance product that can protect you from that risk.”

She adds that a business is at risk of cybercrime if it uses PoS devices, emails or has online systems (it does not need to be a website) to manage business, or if it handles important data that could be compromised (that could either be personal data related to your customers, or even your IP).

“Many small businesses are also at risk of phishing, where a fraudulent request is sent via email to charge a bank account. This is a very real scenario that can happen to nearly any business owner, regardless of the industry.”

Mason says a cyber liability policy can protect a business from the financial consequences of an attack.

“Not only might businesses need to deal with the cost of recovering the data and investigating the attack, but they may need to account for business-interruption costs and the expense of bolstering cyber defences. Then there might be the cost of dealing with the reputational damage cybercrime can cause, as well as the potential fines and legal costs associated with the attack. If you don’t think your cleaning business can handle these situations, then you may want to consider getting cyber liability insurance on top of your current insurance.”

Mason says there are two typical errors that small business owners make when taking out cyber insurance. First, some may think that they do not need to worry about cybersecurity as much because they are covered by cyber insurance.

“But cybersecurity and cyber insurance are both critical parts of a cyber risk plan that serve different functions.

“Cybersecurity helps prevent cybercrime from occurring and reduces the likelihood and impact of an attack. Cyber insurance protects your business from the consequences if an attack occurs.”

Second, some small businesses may think they can just set-and-forget cyber insurance, but if their risk changes their insurance may not cover the situation.

“If the business is operating with new online systems or equipment since the last time they renewed their policy, it may need a review to cover the new risks.”

Tips to thwart the hacker

Building Service Contractors Association of Australia CEO Kim Puxty offers cybersecurity tips for facilities, cleaning companies and employees:

  1. Back up your data – and make sure you can restore it when needed.
  2. Train your employees – they need to know:
    • Why cybersecurity is essential
    • What they can and must not do (from a cybersecurity perspective)
    • What they are allowed to share outside of your business
    • What the ramifications are of doing the wrong thing
    • How to identify and prevent phishing scams and malware
    • What is the acceptable use of your work devices.
  3. Use strong passwords – include a mix of letters, numbers and special characters, and use different passwords for different accounts.
  4. Use multi-factor authentication – this dramatically reduces the damage a stolen password may inflict.
  5. Install the necessary cybersecurity software – if you are not sure what’s needed, get professional help.
  6. Keep your wifi secure – only share your details with existing staff.
  7. Never use public wifi – it’s too easy to steal your information, so use your mobile data.

Puxty adds that cleaning companies’ IT security strategies should provide details on how to protect data and resources and outline what should be done if things go wrong.

“Having a response strategy keeps you a few steps ahead,” she says. “This IT security strategy should also include a sound data destruction policy, which includes mobile phones, tablets, flash drives and computers. Just deleting files doesn’t mean they’re gone.”