Cyber Security | Enterprise |

Getting the basics of cyber security right

By Telstra News March 30, 2021

Artificial intelligence. Blockchain. Zero-day detection. The cyber security marketplace contains a litany of confusing buzzwords that can make an already complex subject sometimes even more confusing. But like so many other fields, before you can make any progress in cyber security you first need to get the fundamentals right.

The fundamentals are often called the ‘basics’, but this doesn’t mean they’re easy. In fact, even some of the world’s big technology companies struggle with what can be thought of as cyber security 101.

The Australian Government has created a straightforward guide to the cyber security essentials, and how to implement them, to help you protect your business against online threats.

What is the Essential Eight?

The government’s cyber security experts have identified eight essential mitigation strategies designed to help limit your organisation’s exposure to the vast majority of cyber threats.

These eight strategies are a subset of the Australian Cyber Security Centre’s 37 Strategies to Mitigate Cyber Security Incidents and form a strong baseline of protection.

The Essential Eight is broadly aimed at:

  • Helping prevent attacks
  • Limiting the extent of cyber attacks, and
  • Recovering data and systems availability.

Helping prevent attacks

The first step to protecting against an attack is to prevent it from occurring in the first place. The vulnerability of your systems and users can be reduced by implementing the first four steps in the Essential Eight:

  1. Application control. This is one of the most effective steps in helping to ensure the security of systems. While application control is primarily designed to prevent the execution and spread of malicious code, it can also help prevent the installation or use of unapproved applications, which can bring harm to the security of your systems and data.
  2. Patching applications, or applying updates, is a critical process to help ensure the security of all your IT equipment. Patches often fix known vulnerabilities or flaws which might provide an entry point for anticipated threats to be released into systems and software. You should aim to always use the latest version of applications where possible, and to patch applications with “extreme risk” vulnerabilities within 48 hours.
  3. Configure Microsoft Office Macro settings. Macros, a staple in IT systems, automate regular tasks to save time. However, some macros can pose a security risk. A person with malicious intent can introduce a destructive macro in a file to spread a virus on your computer or into your network. You should block macros from the internet, and only allow vetted macros either in ‘trusted locations’ with limited write access or digitally signed with a trusted certificate.
  4. User application hardening. With the rapidly shifting technology landscape, a regular clean out of old tools or applications is important to ensure your security posture isn’t being weakened by vulnerabilities in systems (like unpatched software) or processes (like default, weak, or reused passwords). You should especially consider configuring web browsers to block Flash as well as ads and Java, and disabling unneeded features in Office, web browsers, and PDF viewers; these are popular ways for hackers to push malicious code onto your systems.
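
One way to check the macro settings from step 3 on a Windows workstation, shown as an added example that is not part of the original article: a read-only PowerShell audit of the per-user Office policy values. It assumes Office 2016 or later (registry version key 16.0) with settings delivered by Group Policy under HKCU; the function names are illustrative.

```powershell
# Added example: read-only audit of Office macro policy for the current user.
# Assumptions: Office 2016/2019/Microsoft 365 Apps (registry version key 16.0)
# and policy settings delivered under HKCU:\Software\Policies.
$OfficeVersion = '16.0'
$Apps = 'Word', 'Excel', 'PowerPoint'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # $null means the key or value is absent, i.e. the policy is not configured.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

function Get-TrustedLocationPath {
    param([string]$App)
    # Trusted locations can be set by policy or by the user; list both.
    $roots = @(
        "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$App\Security\Trusted Locations",
        "HKCU:\Software\Microsoft\Office\$OfficeVersion\$App\Security\Trusted Locations"
    )
    foreach ($root in $roots) {
        if (Test-Path $root) {
            Get-ChildItem -Path $root |
                ForEach-Object { Get-RegValue -Path $_.PSPath -Name 'Path' } |
                Where-Object { $_ } |
                ForEach-Object { [Environment]::ExpandEnvironmentVariables($_) }
        }
    }
}

$report = foreach ($app in $Apps) {
    $sec = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
    $blockInternet = Get-RegValue $sec 'blockcontentexecutionfrominternet'
    $vbaWarnings   = Get-RegValue $sec 'vbawarnings'
    $netLocations  = Get-RegValue "$sec\Trusted Locations" 'allownetworklocations'

    $findings = @()
    # 1 = macros in files that came from the internet are blocked.
    if ($blockInternet -ne 1) {
        $findings += 'macros in files from the internet are not blocked'
    }
    # 3 = only digitally signed macros run, 4 = all macros disabled.
    # Anything else (including not configured) lets a user enable unsigned macros.
    if ($vbaWarnings -notin 3, 4) {
        $findings += 'unsigned macros can be enabled'
    }
    # 1 = trusted locations on network shares are allowed.
    if ($netLocations -eq 1) {
        $findings += 'network trusted locations are allowed'
    }
    # Trusted locations inside the user profile are writable by that user,
    # so anything saved there runs macros without a prompt.
    foreach ($path in Get-TrustedLocationPath -App $app) {
        if ($path -like "$env:USERPROFILE*") {
            $findings += "user-writable trusted location: $path"
        }
    }

    [pscustomobject]@{
        Application = $app
        Compliant   = ($findings.Count -eq 0)
        Findings    = $findings -join '; '
    }
}

$report | Format-List
```

The script only reads the registry; the settings themselves are normally changed through Group Policy rather than by editing these keys by hand.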

Limiting the extent of cyber attacks

Breaches are inevitable but they need not be destructive. The next three steps in the Essential Eight will help limit the damage:

  1. Restrict admin privileges. Hackers actively seek admin accounts to give them greater access to data and systems, which means the fewer admin accounts you have the better. Don’t let anyone be the administrator of their machine unless they have a legitimate business need. Set privileges in accordance with the user’s duties and role; someone who mainly works in email and the web doesn’t need to be an admin. Regularly revalidate the need for these privileges.
  2. Use multi-factor authentication. Multi-factor authentication is a powerful tool in your cyber arsenal. This defense makes it much harder for a hacker to break into your network, and limits their ability to move around should they be able to gain initial access. Aim to have multi-factor authentication on as many systems as possible, especially for VPNs and other remote access tools.
  3. Patch operating systems. Patching appears twice in the Essential Eight because vulnerabilities in systems and software are regularly used to hack into organisations. Again, you should always aim to use the latest version of operating systems – specifically avoid using unsupported versions – and patch “extreme risk” vulnerabilities in computers and network devices within 48 hours.

Recovering data and systems availability

Have you ever lost a camera or a phone and therefore the photos that were stored only on that device? The same pain is felt when ransomware attacks encrypt a business’ critical data, rendering it inaccessible.

It is often only when something goes wrong that business owners think about their backups. Backing up important data should be an ongoing exercise.

  1. Daily backups: To ensure information can be accessed following a cyber security incident or outage, back up new or changed data, software and configuration settings daily, and retain it for at least three months. Aim to follow the 3-2-1 backup rule: store your production data and two backup copies on two different mediums (like a cloud service and an offline disk drive), with one of these copies stored offsite (not connected to your network) to ensure you can recover in the event your network is taken offline.

Where and how to start with the Essential Eight

It’s easy to get a little overwhelmed with all the tools and services promising to protect you online.

Master the fundamentals with a trusted security partner. Telstra’s security experts can help assess the maturity of your systems, and help you implement the Essential Eight in the most relevant way for you.

Telstra strongly encourages all businesses to read and consider how the Essential Eight could be implemented within their organisation. More details can be found at the Australian Cyber Security Centre website.

Consumer | Cyber Security |

We’re now blocking around 1.5 million scam calls a week

By Andrew Penn February 16, 2021

Growth and the overall success of the digital economy is inextricably linked to connectivity. Equally important is having a secure network that keeps those connections safe.

Cyber criminals and scammers have not failed to notice that millions of Australians are now much more dependent on being able to live, work and learn online because of COVID-19, and cyber-crime is on the rise again. Scam calls are not only annoying, they also have a real financial impact on Australians and are estimated to have cost ordinary Australians nearly $48 million last year.

This is why we’re announcing today that we are doubling down on efforts to address scam calls and are now blocking around 6.5 million suspected scam calls a month on average from reaching end customers. Scam volumes fluctuate day-to-day but on an active day for scammers, we’re sometimes blocking up to 500,000 calls a day before they can potentially defraud our customers, which is a huge increase from the 1 million plus scam calls we were blocking on average per month previously.


We are doing this to protect our customers and their livelihoods because we know that we can have a significant impact by taking proactive action at a network level.

This activity is part of our Cleaner Pipes initiative, where we are working to reduce the harm of phishing, malware, ransomware and other scams across our networks both online and through voice and SMS. We recently introduced a new pilot program to make SMS safer too, with the first impact being to block illegitimate messages pretending to be from Services Australia from reaching Telstra customers’ phones.

A lot goes into operating national and global telecommunications networks, from the physical assets of the fibre, exchanges and data centres humming away in the background of our cities and towns, to the operations that happen in the digital layer that keep this infrastructure and the people that use it safe.

Blocking scam calls is no mean feat. Our Networks team has built a smart platform that enables us to monitor inbound calls on our network that have suspicious characteristics, and block them before they can ever reach our customers.

We were already blocking around 1 million calls per month using a manual process, so the automation is a huge boon to our capabilities. Scammers use a range of methods and some of the more popular types at the moment include ‘wangiri’ or one-ring scams, and spoofed number calls either pretending to be a legitimate service (like the ATO) or a random number entirely.

We built this technology in-house and we are proud of the scale and expertise of our cyber security and networks teams as leading Australia’s telecommunications industry, but we also know that this is a team sport. The Reducing Scam Calls Code, recently introduced by the telecommunications industry and the Australian Communications and Media Authority (ACMA), is an important step towards a collaborative industry approach, creating the framework to work together on protecting Australians from scam calls.

Our efforts will always need to evolve to target new, creative tactics that scammers will use so no technology platform will ever stop scam calls entirely. Customers should always remain vigilant.

If you think you are receiving a scam call, our simple advice is: hang up. Scammers operate on confidence and often victims are influenced to act quickly; if you buy yourself some time to think critically then your chances of avoiding a scam are far better. As a reminder, if Telstra is legitimately calling you, we will only call between 9am–8pm Monday to Friday, and 10am–3pm Saturday wherever you are based, and not on a Sunday. The exception to this is if you have an unpaid account or a customer-initiated inquiry with respect to an order, fault or complaint, someone from Telstra may call you outside of these hours. We’ll respect your wishes and terminate the call if you say no thanks and we won’t call repeatedly if you don’t answer – these are all hallmarks of scam calls. If you think you have been scammed, contact us.

The security of our activities online and on our smartphones is more important than ever, and it is critical that we take action to help our customers trust in the connectivity we provide. We see a future where scam calls of this type are effectively ring-fenced and eliminated from our network. It will take more investment and innovation, and continued support from Government but we have an ambition to make these kinds of changes to continue to improve the level of trust that Australians have in their phones, their emails and the websites they visit, and to encourage the rapid expansion of our country’s digital economy however we can.

For tips and advice on how to spot a scam phone call, visit our website.

Cyber Security | Tech and Innovation | Telstra News |

Cyber security won’t win your Valentine

By Darren Pauli February 12, 2021

This year you did Valentine’s Day right. You booked that exclusive restaurant months in advance. The babysitter is sorted. And that present, nestled in a box and finished with a bow, lies ready to light up her face.

And so it is with despondent confusion that, hours later over raspberry mascarpone and Veuve Clicquot, you stare at her as she roars in laughter, doubling over and swinging your gift around.

It wasn’t meant to end like this. Do you laugh along? You have seconds to decide as you drift between wrenching pain and confusion.

Too late. Her eyes open and she sees your deadpan face. “Wait, wait, you’re serious?” she asks incredulous, still laughing. “After all this you give me…” she trails off, screwing her face up at the little black rectangle, unsure of what it is.

“A multifactor authentication USB key,” you finish. “It’s the best thing you can use to secure your accounts.”

A hard sell

Cyber security experts care a lot about security. Every day we see the at times devastating real-life consequences on ordinary people who get it wrong.

My colleagues in Telstra’s cyber security team report to authorities thousands, sometimes tens of thousands, of usernames and passwords stolen from Australians and organisations across the country every week.

Any one of these people may have endured some of the consequences of having their passwords stolen.

Fear and anguish as their hacked work email account spreads malware to their peers. Tens of thousands of dollars lost as thieves doctor invoices in their work inboxes. Countless hours of uncertainty and stress while recovering from identity theft. Or the simple embarrassment of having their friends and work colleagues see their hacked social media posting scams.

However, much of this potential pain and fear can be all but eradicated with free and simple security apps.

So, you could therefore be forgiven for thinking my job promoting cyber security awareness is easy.

It isn’t. Better professionals than I have tried for decades to develop and promote these technologies yet seen little uptake. Google promoted hard for years the benefits of multifactor authentication but only 10 percent of users listened and took it up, according to its most recent figures.

I pay myself enough credit to say I wouldn’t hand my partner a multifactor authentication key this Valentine’s Day. She too, would laugh.

But I do try, slowly, to get her to adopt it. I argue no security technology is more important. It is absolutely essential for your important accounts.

Multifactor authentication works with a code generated in an app or sent over platforms like SMS. You enter that code in after your password, and generally only once for each new device you use to log in, such as when you get a new phone.

Only a few security die-hards, and those with access to very important data, use the multifactor authentication USB key wrapped in that Valentine’s gift box.

But while most hackers need to work extremely hard to get that extra multifactor code and therefore give up (Google says use of the code eliminates common phishing) it is not impossible.

Criminals who can win your heart can win your wallet. Multifactor authentication won’t stop them if they have your trust. It’s one of the reasons romance scams are so dangerous and effective.

The love factor

Many of us consider online dating in the run up to Valentine’s Day. And that raises the chances we will be exposed to romance scams.

These scams are a staple of online cybercrime because they are so effective at separating victims from their money and property often under the guise of the scammer requiring flights, payments for debts, and funds for medical procedures.

Their damage goes beyond bank accounts; the months of deception can inflict deep emotional pain on victims. They can also be dangerous with some luring the victims overseas where they are exposed to international criminal networks.

Don’t think the scams are something for lovestruck fools; the average victim is a middle-aged and well-educated woman. Other characteristics include a propensity for urgency and sensation-seeking, trustworthiness, and an addictive disposition.

They are common, too. The Australian Competition and Consumer Commission received 3,680 romance scam reports last year of which a third resulted in financial losses. All told Australians lost more than $37 million to the scams last year.

The scams work, as we have written in previous years, by constructing a ‘hyper-personal’ relationship that is overly intense. They slowly capture and isolate victims increasing the victim’s dependence and decreasing the likelihood outside intervention will disrupt the relationship.

Much of this takes place on social media but prominent dating services are not immune so consider the scammers a risk in all online dating scenarios.

Stay safe

Experts agree that your best bet is to recruit a friend or family member as your confidant from the start of the online relationship. Their job is to be the objective voice of reason who can see relationship red flags before you will. Listen to them.

Requests for money by someone you met online are the biggest red flag of romance scams. However, if you are intent on wiring money, you must use Australian financial networks like those offered by your bank. There remains a chance of repatriating stolen money if these are used. Funds are much harder to claw back when international transfer services such as Western Union or cryptocurrency are used.

The Federal Government offers a range of services where victims of romance scams can seek assistance.

Finally, if you are not online dating but know someone who is, offer to be their confidant. By lending a trusting ear you will be giving them the best protection possible while enabling them to date safe.

Shop smart

Scammers abound elsewhere. Many of us who participate in Valentine’s Day will open our wallets at some point.

It is essentially impossible to determine if a website has been hacked and difficult to reliably spot scam sites. Defend yourself by shopping online with a card that reimburses fraudulent purchases.

Read your card’s terms and conditions. The short of it is that banks will often reimburse fraudulent purchases made against major credit cards provided they are reported within a certain period.

The website Finder has a good article on this. But, in general, it states, most big banks require credit card fraud to be reported within 30 to 60 days of it occurring for reimbursement to be considered. Check your statements to ensure a smooth and fast reimbursement.

PayPal also reimburses fraudulent payment in the same way as participating banks.

Fraud occurring when money is wired into accounts using direct transfers (BSB and account number for instance) is rarely covered so be careful when using these for online purchases.

There are a lot of complex and dynamic parts to cyber security. Passwords, phishing, malware, and fraud. It’s at times technical and tough. But start small by setting up multifactor authentication and a password manager. Head over to the Government’s consumer cyber security site to learn how.

In time, you’ll master it. Perhaps you’ll become so enamoured you’ll want to help others become more cyber secure. Just spare the Valentine’s gift.

Crisis support services exist. Contact Lifeline on 13 11 14 or visit www.lifeline.org.au. For information about depression or anxiety, contact beyondblue on 1300 22 4636 or visit www.beyondblue.org.au

Consumer | Cyber Security |

Getting cyber smart heading into 2021

By Matthew O'Brien February 8, 2021

Tomorrow is Safer Internet Day, a day when the world comes together to #startthechat about how we can make online experiences better for everyone. With more devices connected to the internet than ever, it’s important to make sure you and your family are safe online.

To help with this, we’ve launched Telstra Cyber Security Device Protect with cyber security leaders Trend Micro to make it easier than ever to protect your household devices online. Whether it’s managing your kids’ screen time or helping to keep your devices safe against hackers or protecting your ID, we’ll have you covered.

To go with this, we’ve put together a few tips on how to stay safe online, as well as a few of the ways you can use Device Protect to manage it all in your sleep.

Managing the content your kids can access

They’ve just got back to school after a big break, and tests are already starting to come up that your kids need to study for, but all they want to do is chat to their friends online. Rather than stay on your kids’ backs the entire time, it can be much easier just to control what content they can access online and when they can access it.

With the Parental Controls feature in Device Protect, you can prevent specific categories of websites from being opened, and even set different rules for different computer accounts. You can also limit internet usage through time control on a shared PC at home, so your kids won’t be able to get online until they’re done with their study or homework.

Your Wi-Fi router may have settings that you can log in and set up, but Device Protect takes the concept further than just your Wi-Fi and helps keep your family’s devices safe individually wherever they are. Our Mobile Security for Android devices includes an App Lock for restricting app usage for even more in-depth control.

Did you know only 46% of Australian parents feel confident about dealing with the online risks their children face and 95% want more information about online safety? To mark Safer Internet Day eSafety is hosting a series of webinars for parents and carers this week on Cyberbullying and online drama. They also have a suite of resources available to help you start the chat about being safer online.

Protecting yourself on public WiFi

Free public WiFi can be a saving grace when you don’t have any mobile reception or want to pull out your laptop for some quick work, but you also need to make sure you’re careful around what things you do online. When you connect to a public network, you can never be too sure who runs it, or if anyone else on the network has managed to get in and snoop on other devices.

Because of this, a general rule of thumb is to never use a public WiFi network for any sensitive data – think online banking, making purchases online with your credit card or even signing up to things that reveal a lot of personal information. Try to always do these things on a private network, either on your mobile or on a WiFi network at home or at the place of someone you trust.

However, if you really need to make an emergency bank transfer or want to regularly pop down at your local cafe to work, having a Virtual Private Network (VPN) installed can help mitigate those risks by hiding from the network what you’re doing over the internet.

With Device Protect installed, your VPN will automatically turn on and encrypt your data communication when it detects you’re connected to an unsecured public network, giving you peace of mind without having to fuss around with securing your connection.

Keep safe against cyber threats

As we become more reliant on our devices for shopping, banking and connecting to others, it opens us up to more risks against cyber criminals.

It might be someone pretending to be from your bank or from a social network claiming you need to reset a password or have received a special message you need to log in to see, where they then try to take you to a fake page to steal your information. They could also make attempts to access your devices and information by sending you dodgy links that infect your device with a virus giving them access. Or they could try something even more advanced and sneaky!

But as long as you keep your eyes open and be vigilant with your device protection you should be able to keep yourself safe. Make sure to always pay attention to the URLs of links you click, and that they match the same place you’d usually login. Likewise, check the email address of who’s emailing you to make sure it’s correct and that they’re not using a fake name.

Or let Device Protect do the checking for you, such as automatically monitoring anything you download so you can have confidence there are no viruses hiding in the file, alerting you when a website you enter is known to be a bit fishy, or even adding an extra layer of protection when you enter your credit card or bank details.

Keeping your passwords and identity safe

Most of us are guilty of recycling passwords across most of our accounts online, but doing this is really risky – it means that a cyber-criminal only needs to get access to one of your accounts to get into all of them that share the same password. But on the flip side, it can also be quite hard to remember dozens of different passwords across all your accounts to be extra safe – which is the reason most of us don’t bother!

To make this easier, you can use a password manager like the one included in Device Protect to not only store all your passwords, but automatically generate super secure new passwords for you. You can then log into all of your accounts with one tap, so you’ll never need to think about passwords again!

While keeping your passwords protected is important to keep your data secure, it’s also important to make sure you haven’t already been hacked or had your personal information stolen.

Device Protect will also monitor sites on the internet and on the dark web for you to see if your personal information is posted or is for sale anywhere, then alert you if it’s found. That way you can contact the police, cancel your credit cards before anything is spent on them and get new ID documents to minimize the damage done.

Keeping your devices and identity protected online can be a bit scary, but there are simple things you can do as mentioned here to ease your mind and help protect yourself and your family. If you’re looking for a solution to help protect your family’s devices for you, Device Protect will help keep your digital world safe and secure.

Consumer | Cyber Security |

How to stay safe shopping online this festive season

By Jen Stockwell December 17, 2020

This year, we’ve been stuck inside – and on our phones and computers – more than ever. More than a million Aussie households shopped online between March and September this year for the first time ever. If that’s you, we have some advice to help keep you safe.

Australia Post predicts this trend is here to stay too, and it’s easy to see why. Shopping online lets you browse and choose what you need from the comfort of your lounge, and in the past few years Black Friday and Cyber Monday have become record-breaking online shopping events in Australia.

There’s another side to this, though: scams. According to Scamwatch, Australians have lost over $7 million to online shopping scams so far this year – up by 42 percent this year. Scamwatch also says that scammers are typically out in force over Christmas, as families rush to get through their festive season shopping and bargain hunters trawl through all the digital Boxing Day sales.

Last year it was shoes, smartphones and tickets to concerts and events that were most likely to be listed online by scammers looking to make an illegitimate buck. This year, concert tickets aren’t likely to be as popular, but you should be more cautious than ever about making sure your online purchases are legitimate. As is usual on the internet, a little bit of caution can save you a lot of heartache.

One of the most popular methods of scamming you out of your hard-earned dollars while you’re online shopping is for a scammer to set up fake online stores. Scammers often set up fake websites that look convincingly real, or use social media platforms to host storefronts that may look like a genuine retailer’s. Often they have popular items at prices that may seem too good to be true. The big difference is that when you pay, you won’t see anything arrive in the post like you were expecting.

Another popular scam to watch out for is on classifieds websites, where scammers create fake seller profiles and list popular items at attractive prices. If you’re shopping for items on a classifieds site, a seller might suggest they’re travelling and a friend or agent will complete the sale for you once you’ve paid. There’s a reason that ‘buyer beware’ is a popular saying…

Here are some common-sense tips to help you stay a bit safer while shopping online:

  • If you’re shopping at an online store with its own website, do some research before you click ‘buy’ to check if it’s reputable. Look for independent reviews of the retailer. Are there clear contact details? Make sure you have trust in who you’re buying from, and where possible try to stick to reputable platforms (like eBay and Amazon) that will guarantee your purchase.
  • Shop with a credit card or VISA debit card from a reputable bank, or use a payment processor like PayPal, and check your statements regularly for any fraudulent or unexpected payments outside of your shopping. Always shop with a payment method that allows for disputes to be raised if necessary. And keep track of your purchases!
  • Be alert to phishing attacks: scammers are highly active this time of year. Treat every email or message with caution, especially if it’s asking you to do something or if the offer sounds too good to be true.

And if you’re browsing the classifieds for a second-hand bargain:

  • If possible, picking up the item that you’re buying in person is always preferable. It means you can inspect what you’re buying to ensure it is real and in the condition you expect, and you can agree with the seller to pay in cash or with an instant transfer. You want to avoid paying for the item before you have access to it.
  • When you’re communicating with a potential seller, ask for some proof that they have the item you’re looking to buy – like a new photo of the item. One of our favourites is taking a photo of the item on a recent newspaper with the day’s date. Digital timestamps on photos are also useful for this, especially if there’s no newspaper handy.
  • Carefully consider how much personal information you share when you shop online. Only complete the bare minimum mandatory fields needed to complete your order as any information you enter during sign up could be exposed if that website gets hacked.
  • And, of course, there’s one other piece of advice we’ll never shut up about: always use a strong and unique password, and turn on multi-factor authentication wherever you can. That way, if someone manages to guess your password, they won’t be able to get into your account.

Happy shopping!