24 November 2023

TRANSCRIPT

Australian Small Business and Family Enterprise Ombudsman Bruce Billson interview with Leon Delaney.

Radio 2CC Canberra

24 November 2023

Leon Delaney

Banks right across the industry have joined forces to launch something called the Scam Safe Accord. Now, the centrepiece of this Scam Safe Accord is name matching to account numbers, something that perhaps should have been done years ago. Nevertheless, never to look a gift horse in the mouth, better late than never. Joining me now, the Australian Small Business and Family Enterprise Ombudsman, Bruce Billson. Good afternoon.

Bruce Billson

Leon, fab to be with you and your listeners. 

Leon Delaney

Thanks for joining us today. This is especially important for small business operators, isn't it? Because obviously one of the big scams that targets small businesses is when communications or invoices are intercepted and the scammers, the crooks, substitute the correct account information with incorrect account information, which means they get the money and everybody else loses. So how is this new initiative from the banking sector going to help? 

Bruce Billson

This is a really positive step. You're right, it's been in place in some jurisdictions overseas. The UK have had something similar for a while. What basically happens is when you put in the account name, the BSB and the account number, it checks against that name and if there's an irregularity then it stops the payment going through.

This is fantastic news. If you and I had a regular relationship with another business or a customer, they may well be expecting the invoice to come through an email. And where this cyber scam kicks in is people then go in and change those banking details silently. You don't know. It all looks legit. It's expected. It's gone to the right customer. The sums are the right amount. You make the payment and then it's whisked away into a bank account and usually within moments probably converted to cryptocurrency. The customer or the supplier loses the money, and the business that's produced the goods or service doesn't get paid either. So, everyone's out of pocket. There's no good outcome and that can be really catastrophic for businesses that are caught up in that. I don’t know about you but some of those big bills that we pay as consumers, who's got the money ready just to replace that payment and settle that account?

Leon Delaney

Well, apparently, according to the data from Scamwatch, small businesses lost almost $14 million last year, and that represented an increase of almost double from the previous year. So obviously, there are crooks out there that have been making plenty of hay while the sun was shining. Maybe now the sun will be a little bit dimmer for them. 

Bruce Billson

Well, I'm hoping so. And the banking industry's announcement - and a credit to those financial institutions for getting involved in this way - it comes off the back of some really useful announcements by the government earlier in the week as part of this cyber strategy. That's tools that let small businesses establish just how strong their cyber protections are. Some practical advice on the actions they can take. And also an announcement of a one-to-one help service in the event that you are the subject of an attack, what you do to recover. 

Now, why is this so important? Well, the average cost of a small business cyber scam is about $46,000, Leon, but it can be more catastrophic than that. The business might lose the capacity to actually function. It might lose the confidence of its customers. And for too many small and family businesses a cyber event can be a business-ending experience. And that's why it's so important to do what we can, to be as protected as we can be, and to know what to do in the event of an incident.

Leon Delaney

What exactly were these two programs that the Federal Government announced earlier this week to help protect businesses? 

Bruce Billson

The first one is a safety health check that looks at just how ready your business is. You know, it's part of a small business cyber resilience service. And you get onto the Australian Cyber Security Centre's website. It’s pretty easy to find, it's www.cyber.gov.au, and in it is this cyber health check program, and that can be really useful just for knowing where you can make stronger improvements in your cyber protection.

But beyond that, the Government's also announced that it will be going out to tender to get businesses to bid for a service that actually provides one-on-one support for a business that does experience an event because that can be really challenging, Leon. There's a whole bunch of reporting obligations that businesses have to meet. But there's also advice, someone getting alongside you. What to do if there's a demand for a ransom? How do you recover your business system so that you can trade again? And also, what do you need to do with your customers and those that are in your business ecosystem to let them know that something's happened and to take appropriate steps?

This is the kind of practical advice and support we've been calling for, and it's pleasing to see some of these services responding to the needs small businesses themselves have identified. 

Leon Delaney

Yeah, this matter of paying ransoms to get your own data back again, there were reports that the Federal Government was considering making it actually illegal to pay a ransom, but the government in the end decided not to go that far. Was that the right decision? 

Bruce Billson

Look, I think so. It's difficult. If you and I or your listeners and I were running a business and some critical information was being held and we were told that if we paid a fee, we'd get it back. Sadly, that's the business model that the scammers operate under, and it's not always certain that you'll get that information back or that what they've gleaned through a cyber attack still won't end up on the dark web.

So, there's no guarantees. But what happens when those ransoms are paid is you're actually feeding the business model of the scammers, and therefore they'd be encouraged and resourced to keep going. Where the government's landed is to look to businesses to notify them that there's been a ransomware incident and what's happened. No penalties arising from the actions you take. But just a real hope that you share that experience, share the intelligence that can be gleaned from it, and then through the experts that are part of government steps can be taken to guard against further episodes. 

Leon Delaney

Yeah, as you indicated, I'd be hesitant to pay any kind of ransom in the first place because I would not be convinced I would actually get my data back anyway. I would assume that they're just going to take the money and burn me anyway. But apparently, from what I've been able to read, there have been instances where businesses felt that they had no other option but to pay the ransom. And they have indeed got their data back, which I guess is a good outcome for them. But it was a hell of a gamble, wasn’t it? 

Bruce Billson

I ache for the small and family businesses that are in that situation. You can imagine you put 20 years of your life into building that business. Some joker's jumped in through a cyber attack and has taken control of your accounting system or systems and technologies that are really critical to your business operations. You're sitting there wondering do I give up all of that lifetime of work or do I effectively gamble on criminals being decent? That’s a horrible call to have to make, which in my eyes, and I hope my encouragement to listeners, Leon, is to take those steps that can be taken.

The banks are doing what they can do in the payment systems. The telcos are implementing what they call a clean pipes measure where they cut off a lot of traffic that's run over the telecommunications system. But I'm urging small and family businesses to take the steps that are within their means. I mean, no one would leave their shop open with the light on and the door wide open in the middle of the night. It's taking appropriate steps in the cyber world like you would take in the real world. And it's good that there's help and support available with that.

Leon Delaney

Absolutely. And just back to this announcement from the Australian Banking Association and the Customer Owned Banking Association involving the entire gamut of the banking sector: banks, credit unions, building societies, they're all part of this. It's called the Scam Safe Accord.

The thing that I can't help but question is that for all these years, whenever we make an electronic payment, we have to put in the BSB number, the account number and the name of the account holder. Why did we ever have to put in the name of the account holder if the banks weren't checking the name until now? 

Bruce Billson

You're probably better off asking a banker about that, Leon. I suspect it's got things to do with record keeping and the like.

Leon Delaney

They always used to tell us, though. Make sure you've got the numbers right because the name doesn't matter. Well, if the name doesn't matter, why did we have to put it in? 

Bruce Billson

Well, it matters plenty these days. And maybe it's fortuitous, but now that information's being correlated. Where it can’t be confirmed that the payee is who you've got in mind, there’ll be blocks to that.

There's some other things too about biometrics checks and people opening a new account just in case they're trying to mimic you or have got some personal information. Even some warnings and notifications and delays. You know, I think the banking industry have said if there’s a pretty juicy big payment that might be suspicious, they might just slow the whole show down and maybe send some warnings and just check that this is what you intended to do. And make sure someone's not on the receiving end of a cyber criminal threatening them to do certain things unless big sums of money are transferred.

So, I think these are all good steps. You're probably right with a little bit of scepticism around timing, but it's a step in the right direction and that's why I'm welcoming it.

Leon Delaney

It is indeed a step in the right direction. Bruce, thanks very much for your time again today.

Bruce Billson

Good to be with you, Leon, and your listeners.