Our staff security awareness articles provide insights and advice on how to successfully implement security awareness initiatives in your organisation.

Now, more than ever, securing your data is about improving the awareness and astuteness of your staff regarding phishing and other similar scams. This can be a challenge because, let’s face it, behavioural change and human factors are not usually the IT department’s greatest strength.

Phishing attacks cost time, reputation and money – and the opportunities to penetrate your organisation increase with size.

FAQ: Consumer Data Rights (CDR)

With regular reports of data breaches, information security and privacy protection are increasingly important concerns for many Australian consumers.

Implementing rigorous data protection measures can be a good corporate differentiator – setting your business apart from the competition by giving your customers the confidence their confidential personal and financial information is secure.

Another important driver incentivising Australian businesses to implement stricter information security controls is the new Consumer Data Rights initiative.

Over coming years, the Government will roll out Consumer Data Rights across a number of Australian industries. Whilst this offers businesses exciting new opportunities to attract more customers, it also comes with additional obligations regarding data protection and privacy.

In order to make the most of Consumer Data Rights, it’s important to understand how this new initiative can affect your business and what steps you can begin taking to prepare for its implementation.


1. What are Consumer Data Rights?

‘Data is the new oil’.

That was the catchphrase first coined by UK mathematician Clive Humby in 2006. Like oil, data needs to be mined and refined so it can be useful to us. However, the analogy has its limits. Unlike oil, data is not a finite resource. The same data can be used in many different ways, revealing many different insights. Arguably, the more data is used, the more valuable it becomes.

Consumers are increasingly aware of data’s value. Seemingly endless reams of information are collected every day about consumers and their behaviour patterns. Many consumers now believe they should have some rights over the data collected on them.

Until now, consumers faced an uphill struggle finding out specifically what information is being collected, let alone gaining access to it or controlling its use.

That’s all about to change with a new government initiative: Consumer Data Rights, or CDR. 

Under CDR, consumers will have the right to access certain types of information businesses collect on them. They will be able to direct a business to transfer that data to an accredited, trusted third party of their choice.

If, upon receiving the data, the third party is able to offer the consumer a superior product or service, the consumer will be able to switch brands quickly and easily.

So, not only will CDR empower consumers by giving them greater control over their data, it will also encourage greater competition in a range of industries.


2. What industries are affected?

CDR will start off in the financial sector.

Banking customers are notoriously ‘sticky’ and tend not to switch financial institutions regularly. That inertia hampers competition in the sector. The government is committed to an initiative called ‘Open Banking’ which has CDR at its heart. The aim is to make it easier for consumers to ‘shop-around’ for the best financial products such as mortgage or credit card rates.

Once CDR is implemented within the financial sector, the government plans to extend it to other industries, starting with energy and telecommunications.

Further sectors will follow over time.


3. What are the principles underpinning CDR?

CDR will be implemented according to four key principles:

Principle 1

CDR should be consumer focussed. It should be for the consumer, be about the consumer, and be seen from the consumer’s perspective.

Principle 2

CDR should encourage competition. It should seek to increase competition for products and services available to consumers so that consumers can make better choices.

Principle 3

CDR should create opportunities. It should provide a framework from which new ideas and business can emerge and grow, establishing a vibrant and creative data sector that supports better services enhanced by personalised data.

Principle 4

CDR should be efficient and fair. It should be implemented with security and privacy in mind without being more complex or costly than needed.


4. What are some of the considerations informing the implementation of CDR?

Information security and privacy considerations are core features of the CDR initiative.

With consumer data being transferred to multiple parties via API, it is essential controls are in place to prevent breaches, leakage or unauthorised use of the data.

Among the data protection considerations are:

  • Measures to ensure businesses only transfer data to accredited third parties at the direction of the consumer;
  • Measures to ensure consumers control how their information is used by those third parties;
  • Obligations surrounding the deletion or de-identification of data by third parties once the data has been used in accordance with the consumer’s wishes;
  • Rigorous data transfer and storage standards;
  • Extension of provisions within the Privacy Act 1988 to other organisations currently not covered, such as organisations with less than $3 million revenue per annum;
  • Avenues for consumers to seek meaningful remedies for breaches, including external dispute resolution and direct rights of action.


5. How can businesses participate in CDR?

There are a range of security implications when transferring sensitive and potentially highly valuable consumer data between organisations via API. That’s why businesses will be required to meet a rigorous set of information security and privacy standards in order to participate in the CDR initiative. These are necessary to ensure consumer data is not compromised.

The Australian Competition and Consumer Commission (ACCC) has responsibility for overseeing the initiative and accrediting those organisations that meet the cybersecurity standards. Accreditation is necessary in order to participate in the initiative.

CDR will also impose obligations on businesses to provide access to data on the goods and services they have on offer. This will enable comparison websites to gain up-to-date information so consumers can make more informed choices.

In some cases, achieving ACCC accreditation will be possible if the organisation already meets other similar information security and privacy standards. For example, an Authorised Deposit-Taking Institution (ADI) will already meet many standards that align with the ACCC rules, so accreditation to CDR shouldn’t encounter any hurdles.

However, if any breaches of the ACCC rules occur, an organisation’s accreditation may be suspended and they will not be able to access any further consumer data.


6. What are the technical requirements for CDR participation?

Many businesses stand to benefit significantly from the adoption of CDR.

However, it comes with onerous requirements that must be adhered to.

At a minimum, you need to ensure your organisation meets the necessary technical standards. These have been formulated through four work streams:

  1. API standards enable consistent transfer methods that meet acceptable levels of safety, convenience and efficiency and include specifications for data description and recording.
  2. Information security standards consist of techniques to protect users of the system, networks, devices, software, processes, information in storage, applications, services and systems.
  3. Consumer experience standards provide best practice language and user experience (UX) design patterns to request consumer consent and guide authentication and authorisation flows.
  4. Engineering standards focus on demonstrating the API Standards through the delivery of usable software artefacts that assist ecosystem participants demonstrate conformance with the standards and rules for CDR.

In cases where data holders or data recipients breach the CDR rules, there is a range of possible penalties, including infringement notices, civil penalties, compensation orders, enforceable undertakings and potentially de-accreditation.


7. When will CDR start?

Whilst the CDR start-date has been pushed back pending resolution of some details, the Government is now committed to begin launching the initiative for the finance sector by July 2020.

Initially, the Big Four Banks will begin complying with the initiative, with other financial institutions to follow 12 months later.

CDR rules for the energy and telecommunications sectors are still under development.


8. What’s the first step to get ready for CDR?

Whilst the rules surrounding CDR are yet to be fully finalised, it’s clear that privacy protection is going to be a central feature.

The Privacy Act 1988 established a range of privacy standards for organisations with revenues in excess of $3 million per annum. However, under CDR, we know that aspects of the Privacy Act will also be extended to financial organisations with lower revenues. The same may also be true for smaller organisations in other sectors.

The Australian Privacy Principles (APPs) form part of the Privacy Act. These apply to organisations holding consumer data and are designed to ensure that Personally Identifiable Information (PII) and other sensitive data assets are handled responsibly.

The APPs require organisations to maintain sufficiently robust controls to prevent unauthorised access, disclosure or use of information.

In addition to the APPs, CDR will also see the creation of Privacy Safeguards. The Privacy Safeguards are likely to be more onerous than the APPs as they apply to both individual data and organisational data, which is harder to de-identify.

The Privacy Safeguards will come into effect once a consumer makes a data transfer request. They will outline how transfers via API are to be conducted and how the third party receiving the data needs to handle it.

Making sure your organisation is compliant with the Australian Privacy Principles is a good first step to preparing for CDR so you’ll be able to take advantage of the benefits it offers once it is rolled out across different sectors of the economy.


How Shearwater can help you?

For further information about complying with the Australian Privacy Principles, contact Shearwater. We have extensive experience assisting organisations of all sizes to ensure they have the systems and policies in place to protect their information assets.

Know Everything About Password Security? It’s Time for a Rethink

As organisations continue to struggle with the issue of password security, many of the old assumptions are being re-examined.

If you make one cybersecurity-related resolution this New Year, commit to re-thinking your organisation’s password controls by considering some of the latest advice.

Passwords are the front line in your battle against cyber-attacks. Hackers rely on a variety of tactics to dupe people into revealing their passwords. So, it’s critical you have the right systems and policies in place.

Here are 6 TIPS to ensure your organisation’s passwords remain secure:


1. The Longer the Better

As a general rule, the longer the password, the more secure it is.

Therefore, it is best to advise your staff to opt for a passphrase rather than simply a password.

According to Australian Government guidelines, passphrases should be made up of at least four words and be longer than 13 characters. Making the passphrase meaningful will make it easier to remember. It’s important passphrases are memorable so people avoid being forced to write them down or store them in other locations.

Furthermore, different passphrases should be used when accessing different systems or applications. Using the same passphrase for multiple purposes makes people vulnerable: if the passphrase is compromised once, attackers may gain access to other systems or applications.

2. Complexity Isn’t Always Better

Many organisations require passphrases contain a combination of upper-case letters, lower-case letters, numbers and other symbols. The thinking behind these requirements is that the more complex a passphrase is, the harder it is to hack.

However, according to the most recent advice from NIST (America’s National Institute of Standards and Technology), overly complex passphrases are not always better for password security. 

NIST argues there is limited benefit in requiring overly complex passphrases. It has analysed breached password lists and found many examples containing complex combinations of characters. Mandating overly complex passphrases may be counterproductive by encouraging risky behaviour, such as writing down passphrases on a post-it note and sticking it on the computer monitor.

3. Don’t Change too Regularly

The latest advice from both the Australian Government and NIST is to avoid rules that require password changes every 30, 60 or 90 days.

This requirement may lead people to come up with insecure passphrases as they struggle to think of new ones so regularly. Rather, NIST’s current advice is to come up with a strong passphrase that can be easily committed to memory and kept in use for longer periods of time. NIST recommends passphrases should be changed if there is any suggestion of compromise.



4. Implement Multi-Factor Authentication

Wherever possible, require multi-factor authentication (MFA).

By requiring users to input something they know (such as a passphrase), alongside something they have (such as a one-time password or OTP), you’ll ensure unauthenticated access becomes much harder.

NIST advises that SMS messages are not used in MFA. This is to help prevent social engineering attacks in which a hacker may have convinced a mobile phone operator to redirect the victim’s mobile phone messages to the attacker.

It is preferable to use time restricted OTPs from an MFA app such as Google Authenticator.

5. Use a Password Manager

Installing a ‘password manager’ on your computer or mobile device can be a useful way to generate large numbers of passwords for use on multiple systems and applications, without having to memorise them all.

Just be aware that there have been cases in the past when ‘password managers’ have been compromised.

It is not recommended to store your most important passphrases, such as your email or online banking passphrases, in a ‘password manager’.

6. Implement Password Training for Staff

The Australian Government offers the following advice when it comes to password security: 

  • Don’t share your passwords with anyone;
  • Don’t provide your password in response to a phone call or email, regardless of how legitimate it might seem;
  • Don’t provide your password to a website you have accessed by following a link in an email—it may be a phishing trap;
  • Be cautious about using password-protected services on a public computer or over a public Wi-Fi hotspot;
  • If you think your password may have been compromised, change it immediately and check for any unauthorised activity. If the same compromised password has been used on another site, create a new password there as well.


Ensuring your staff are trained in password security best-practice needs to be an ongoing priority.

With Shearwater’s Phriendly Phishing and Keep Secure modules, your staff will receive ongoing training in how to identify phishing emails and the strategies they need to stay safe online.


Gamification: Making cybersecurity awareness and professional development engaging

The cybersecurity threat landscape is constantly evolving. New attack vectors emerge weekly. This necessitates the adoption of strategies to engage and upskill teams on an ongoing basis.

Whether it’s raising general awareness about cybersecurity among your staff, or specific professional development training for your IT and development teams, there are many ways you can incorporate gamification to enhance your organisation’s cybersecurity posture.


Gamification to Raise General Awareness

It’s easy for staff to slump into a rut of boredom and complacency.

Getting your staff motivated to regularly learn new skills is a significant challenge in many organisations. This is particularly true when it comes to cybersecurity awareness training.

All too often non-technical staff see cybersecurity as ‘someone else’s problem’. There is an assumption the IT department will handle the issue.

Such attitudes are not only wrong, they can be dangerous for your organisation. With human error now one of the leading causes of cyber breaches, getting everyone on board when it comes to your organisation’s cybersecurity posture is essential.

A concerted effort is required to drive awareness among staff across the entire organisation. Building a security awareness culture, with specific emphasis on stopping phishing emails, is now a major priority for many organisations.

As a leading cybersecurity service provider, Shearwater is committed to helping organisations achieve a cyber-aware culture. Our recent webinar outlined the 3 Pillars that form the basis of cultural change within an organisation. If you haven’t yet had the opportunity to watch it, you should. It is filled with important strategies you can implement within your organisation.

One of the core pillars highlights the importance of engaging staff by winning hearts and minds.

Gamification can be a powerful tool to achieve this.

By incorporating game mechanics and game thinking as a component of training, gamification seeks to engage learners in interesting and fun ways. It encourages problem solving and motivates staff by introducing elements of competition and reward.



Shearwater’s Phriendly Phishing is a leading Australian training program that uses gamification elements to help organisations teach staff about email security.

Phishing email awareness is critically important. Attackers increasingly seek to exploit human error in order to infect your organisation’s IT infrastructure with malware, or to carry out Business Email Compromise (BEC) attacks.

Phriendly Phishing succeeds in educating staff because it injects fun and excitement into its training modules.

The training begins by imparting basic phishing knowledge. Then, through a series of fun learning modules that combine interactive elements of gamification, staff analyse a variety of phishing emails. This highly interactive course is scenario-based and aims to enhance the phishing detection skill of learners.

According to Damian Grace, founder of Phriendly Phishing, “Gamification is an important training methodology because it significantly boosts learner engagement. By implementing gamification, we can ensure learners achieve ‘wins’. This increases the effectiveness of the learning processes as studies show learners are motivated when they have a sense of achievement. By incorporating innovative and interactive gaming elements, learners acquire new skills and retain that knowledge for the long term.”


Gamification in Professional Development

Gamification is also a useful tool in professional development strategies.

With your IT and application development teams requiring ongoing training opportunities, gamification can be an ideal way to enable them to up-skill.



Application developers focus on developing great applications. However, all too often they either don’t take into consideration security issues, or they try to bolt-on security measures at the end of the development pipeline, just before going live.

It’s essential to find ways to up-skill developers, so they have the necessary cybersecurity awareness to adopt a ‘shift-left’ approach and begin implementing security measures from the beginning of the development lifecycle.

That’s one of the main reasons we host the annual Shearwater Hackathon.
Hackathons are a great example of gamification, because they allow developers to participate in a fun and engaging competition whilst honing their security awareness skills. Also known as Capture-the-Flag challenges, a hackathon typically involves uncovering and exploiting vulnerabilities in a simulated web application.

The recent Shearwater Hackathon attracted over 150 participants, many from leading Australian companies. Participating in a winnable competition, in which staff can earn recognition and prizes, is a great professional development strategy.

According to Shearwater’s Chief Strategy Officer, Shannon Lane, the best type of education is ‘learning by doing’. Hackathons encourage participants to “look at applications as an adversary would – underlining the significance good security controls have in the launch of products and services” said Mr Lane.



Training application developers about the importance of writing secure code is now on the radar for many organisations. It’s increasingly understood the first step to developing a secure application is writing high quality code. Shearwater is often called on to provide Secure Development Training as part of an organisation’s professional development initiatives for its application developers.

A useful benchmark when developing any web or mobile application is the OWASP list of common vulnerabilities. These outline some of the most regularly seen attack vectors used by hackers.

So, OWASP’s decision to begin incorporating gamification as a strategy to raise awareness among developers about security is welcome news.

The new poker-like card game is designed to be an easy to learn introduction to the risk concepts of the OWASP Top Ten. It is designed to teach developers best practice security measures in an environment that reflects a sense of realism and excitement.

It pits black hats against white hats to see who can be the first to hack their opponent’s website.

Whilst this new game is still in development by OWASP, it’s further evidence that gamification is beginning to be incorporated into a wide range of cybersecurity professional development programs.



Even when a nation isn’t at war, the armed forces don’t stop training. Ongoing drills and exercises during peace time are essential to ensure the military is combat-ready whenever an attack occurs.

The same should be the case when it comes to your IT and SOC teams.

Through cyber-attack simulation games, you can ensure your organisation is ready to handle a wide range of real-life attack vectors.

Like hackathons, attack simulations are a form of gamification. They pit teams against each other in a competition to develop an incident response plan for a realistic cyber-attack.

Reports indicate that as many as 76% of Australian organisations do not have a formal cybersecurity incident response plan. Addressing this requires IT and SOC departments to have professional development training so they understand what elements comprise an incident response plan. This is where attack simulation games can be extremely useful for your organisation. They identify gaps within your organisational capacity to handle a cybersecurity breach.

Shearwater scholarship recipient, Margueritte Saboungi, recently participated in her first cyber-attack simulation game. Known as CyBCA, the exercise recreated a real-world incident in which an attacker had disabled all connections to a bank’s ATM network. Armed with some basic facts, such as the network configuration layout which detailed how the ATMs linked back to the bank’s servers, Saboungi and her team had just a few hours to develop a comprehensive incident response plan.

Incorporating gamification in the professional development of your IT and SOC teams will enhance your organisation’s security posture, test your ability to prevent attacks, and teach ways to handle breaches when they occur.


How Shearwater can help you?

In a variety of different ways, gamification is increasingly prevalent in strategies to motivate staff to become more cyber aware and in efforts to enhance cybersecurity skills through professional development.

Shearwater specialises in a wide range of cybersecurity training services. Some, like our phishing awareness modules, already combine elements of gamification. Others, like our secure development training, can be combined with novel gamification elements to have a big impact on your staff.

Speak with Shearwater today to learn about training options for your organisation. 

What is security documentation?

So, you have been told by an auditor that your security policies and other security documentation are out of date or non-existent.

“Okay, so let’s draft a two-page policy and tick that box”.

Such glib responses are all too common. This is definitely not an appropriate way to address your organisation’s risk-profile and enhance your security posture.

At the other extreme, some organisations become mired in the process. I’ve witnessed organisations take over 12 months, with multiple iterations, trying to develop security policies. There is a fear that comprehensive security policies will be too restrictive and crippling, even when taking into account the organisation’s specific requirements.

So, what exactly does security documentation consist of and what value does it add?

Some obvious documents include Agency Security Policies and Acceptable Use Policies. However, the spectrum of security documentation is far broader and can include standards, plans, policies, operational documentation and registers, and system specific documentation and registers.

Security documentation should be more than just rule-setting. Whilst it does help define the expectations of how people work, importantly it should also provide direction on how to get things done in a secure, consistent, and efficient manner.

The entire IT landscape, in particular the connected cyber world in which we all live, is changing rapidly. Developing, maintaining and actively using updated security documentation helps ensure staff are working securely. The right documentation is also a necessary precursor to ensure systems and information are appropriately secured. Documentation also keeps staff up to date with changes, itself a form of on the job training.

In today’s complex world, it is almost impossible to write concise, user-friendly policies and standards that meet every business need. It is therefore important that security documentation is drafted to meet most users’ needs for most of their daily activities. Exception handling processes should be available to ensure special circumstances are considered in a controlled and risk-based manner. Staff are more satisfied when most of their work can be undertaken seamlessly, so that whenever they have special requirements, those can be considered rather than just being told “no”.

Some documentation, such as incident response plans and in-depth procedures, may not be used frequently but is equally important. When key subject matter experts are unavailable, or when things go wrong, there is usually still a focus on getting the job done quickly. Without the guidance of well thought out documentation, things can and do go wrong. In the rush to get things done, for example when restoring system availability after a cyber incident, it can be easy to lose forensic evidence, thereby hindering the ability to understand how the system was compromised. This means protective measures to stop future incidents cannot be put in place and it may be difficult to determine the full impact, such as knowing if sensitive information was stolen.


How Shearwater can help you?

When it comes to developing comprehensive security policies and documentation for your organisation, you need to get the balance right.

You need to ensure your policies have sufficient breadth and depth so they make a positive contribution to enhancing your organisation’s security. At the same time, they shouldn’t be so cumbersome that they hinder your operational performance.

With Shearwater’s security consultants, your organisation can be confident of getting the balance right. Our team of experts will analyse your business practices and assess your circumstances using a risk-based approach. We will work with you to ensure the security policies and documentation are appropriate and achieve the right outcomes for your organisation.

Contact us today on 1800 283 613 to discuss your needs with one of our consultants.


Business Email Compromise – Advisory

Business Email Compromise (BEC) attacks are increasingly prevalent. While there are several varieties of BEC attacks, the majority manifest themselves as follows:

A phishing email is sent to an intended target. The target is prompted to enter their credentials on a website, after which the attacker gains access to their mailbox. 

Typically, a forwarding rule is created to send emails to an external mailbox, RSS feed, or a different subfolder.

This flow of emails is monitored. When an invoice email is seen, the attacker may attempt to hijack the conversation. Precisely how this is done depends on the account they have compromised and whether the organisation is receiving a payment or needs to make a payment.  Often there will be a request to change payment details, resulting in money being paid into the attacker’s account. 


What can your organisation do to prevent a BEC attack?

  1. Have a good process for changing any payment details that does not involve emails, or information contained in an email.
  2. Enable Multi Factor Authentication (MFA) when using o365. Should credentials be compromised, the user will be prompted to supply their MFA at a time when they are not expecting this. The attacker will be denied access to the account unless permission is provided.

Recently, it was discovered that accessing a mailbox was possible in some instances, despite MFA being enabled. Following an investigation and subsequent testing, it was found that o365 mailboxes could be accessed using protocols other than the standard protocol used by your Outlook client.

This was the case when IMAP and POP3 protocols were being used to access o365 mailboxes.

When either of these protocols is used, only the standard UserID and password are required to access the mailbox. There is no prompting for MFA.

Whilst a UserID and password help limit attackers, accessing email through IMAP and POP3 circumvents the MFA that’s enabled on o365 accounts.

Whilst Microsoft does encourage tenants to disable legacy authentication methods and protocols when enabling MFA, it’s currently not the default. Many organisations still have these protocols available for use on all mailboxes.

So, in addition to switching on logging, enabling MFA and having good processes when dealing with payment changes, it is also preferable to switch off IMAP and POP3 on all user accounts in o365.(1)

However, before doing so, there are a few things you need to keep in mind:

  • You may have service accounts that access particular mailboxes using IMAP or POP3 as part of a business process. You may need to make an exception for these mailboxes.
  • Older Android phones may access o365 using IMAP or POP3.
  • Mail applications on iOS (excluding Apple Mail and Outlook) may use IMAP or POP3.
  • Integration between different cloud services that use email, may use one of these two protocols to access the mailbox.

In other words, take care when disabling IMAP or POP3. However, doing so will help protect your organisation from a BEC attack that uses this particular approach. 


(1) You can do this using the Exchange portal under office.com.
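The same change can be scripted with Exchange Online PowerShell, which makes it easier to audit first and to honour the exceptions listed above. This is an added example, not code from the original article; the exception addresses and the -Apply switch are assumptions chosen for illustration.

```powershell
# Added example: audit and disable IMAP/POP3 on Exchange Online mailboxes.
# Requires the ExchangeOnlineManagement module and an Exchange admin role.

param(
    # Mailboxes that must keep IMAP/POP3 for a business process.
    # These addresses are constructed placeholders; replace with your own.
    [string[]]$Exceptions = @('svc-invoices@example.com', 'svc-scanner@example.com'),

    # Without -Apply the script only reports what it would change (dry run).
    [switch]$Apply
)

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

# 1. Find every mailbox where either legacy protocol is still switched on.
$exposed = Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.ImapEnabled -or $_.PopEnabled } |
    Select-Object DisplayName, PrimarySmtpAddress, ImapEnabled, PopEnabled

# 2. Separate the documented exceptions from the mailboxes to change.
#    -contains compares strings case-insensitively.
$keep   = @($exposed | Where-Object { $Exceptions -contains [string]$_.PrimarySmtpAddress })
$change = @($exposed | Where-Object { $Exceptions -notcontains [string]$_.PrimarySmtpAddress })

# 3. Disable both protocols on everything that is not an exception.
#    -WhatIf is active unless -Apply was passed.
foreach ($mbx in $change) {
    Set-CASMailbox -Identity ([string]$mbx.PrimarySmtpAddress) `
        -ImapEnabled $false -PopEnabled $false -WhatIf:(-not $Apply)
}

# 4. New mailboxes take their protocol settings from the mailbox plan,
#    so switch the protocols off there too or the exposure returns.
Get-CASMailboxPlan |
    Set-CASMailboxPlan -ImapEnabled $false -PopEnabled $false -WhatIf:(-not $Apply)

# 5. Summary and the exception list, for the change record.
[pscustomobject]@{
    ExposedMailboxes = $exposed.Count
    KeptAsException  = $keep.Count
    Disabled         = $change.Count
    DryRun           = -not $Apply
}
$keep | Format-Table DisplayName, PrimarySmtpAddress, ImapEnabled, PopEnabled

Disconnect-ExchangeOnline -Confirm:$false
```

Run it once without -Apply and check the dry-run list against the service accounts, older phones and integrations mentioned above. Mailboxes kept as exceptions still accept only a UserID and password over IMAP and POP3.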


Phishing Awareness Training & Simulation Program 

Phishing awareness training is a scaleable, cloud-based phishing awareness and simulation program developed by certified cybersecurity professionals at specialist information security services provider Shearwater Solutions. Phriendly Phishing benchmarks employees’ existing phishing knowledge (before deploying educational modules), tests improvements and supports re-education. This journey-based approach encourages users to reach milestones and includes an option to gain practical experience with simulated phishing campaigns. It is these features that make Phriendly Phishing both engaging and extremely effective, and through ongoing research and practical experience in the field, Phriendly Phishing developers ensure that training remains current with real-world phishing threats and techniques.

Gone Phishing

Shearwater spearheads innovation to improve email security

It’s the bane of every IT department’s existence:
How to weed out dangerous emails without also blocking legitimate ones.


False Positive: An email that’s been wrongly identified as dangerous, when in fact it is safe.
False Negative: An email that’s been wrongly identified as safe, when in fact it is dangerous.

IT teams face a near impossible balancing act. They need to keep the organisation’s infrastructure and systems safe. But at the same time, they also need to ensure operations are not impeded by over-zealous security measures.


Staking your security on reputation alone is risky business.

Typically, an organisation’s IT department relies on reputation-based intelligence to determine if an email should be considered high-risk. This approach draws on dynamic databases of IP addresses known to have sent phishing emails in the past. Any emails originating from these sources will be flagged and weeded out.

Certainly, this strategy is preferable to no strategy. However, it is far from foolproof.

IP addresses sending phishing email that have yet to be identified won’t be blocked. Likewise, if a trusted IP address is compromised by hackers who send out phishing emails, these could be let through your security filters with potentially devastating consequences.

That’s where staff training steps in. It’s the people within an organisation that represent the last line of defence. Organisations rely on people having the skills to identify potentially dangerous email, and to notify their IT department about it.

Naturally, errors occur. People often mistake phishing emails for legitimate correspondence. Once a dangerous link or attachment has been clicked, the damage has been done.


Shearwater’s commitment to email security is long-standing.

Shearwater’s Phriendly Phishing awareness product leads the way in giving people the skills they need to identify and report malicious email. With ongoing training modules that get progressively more advanced, people within an organisation become significantly more adept at stopping phishing emails in their tracks.

However, with hackers adopting increasingly sophisticated tactics, those of us developing defensive strategies are also constantly striving for improvement.


Using data to drive new insights.

Working with organisations across multiple industries, both in Australia and globally, Shearwater has accumulated extensive datasets. With this data identifying the origins of dangerous emails, as well as the destinations of any links they contain, it is a treasure-trove of potentially useful information that can be used in the fight against phishing.

When Lachlan Gabb, a Shearwater security analyst and Bachelor of IT (Network Security) student at TAFE NSW, suggested an innovative approach, his initiative was encouraged as potentially offering organisations a new defensive weapon.


Mapping the world of email phishing.

As part of his final-year capstone project, Lachlan wanted to deep-dive into Shearwater’s datasets, with the intention of identifying patterns of behaviour used by those sending phishing emails.

The first step was anonymising the data. Due to the confidential nature of many of the emails, only data specifically relevant to Lachlan’s project was extracted and internally processed on dedicated, secure systems.

Using data visualisation methods, Lachlan successfully mapped many thousands of phishing emails, showing clear trends in terms of origin and destination. He was able to generate interactive animations showing both sender and receiver locations, as well as any link locations contained in the emails.


Interestingly, Lachlan was able to visually demonstrate that source countries for phishing emails are not usually the same as link destination countries. While email source countries are often those with less robust cybersecurity governance and controls, the links contained in those emails often direct to countries not known for malicious activities and with reputations for more sophisticated law-enforcement.


The ongoing fight to stop phishing.

Work continues to implement the findings of Lachlan’s data analysis into Shearwater’s email security platforms, so organisations can benefit from its insights. With the focus of Lachlan’s research thus far mainly centred on English-speaking countries, the next stage is to expand the analysis to include other countries, providing an even more comprehensive understanding into the patterns of behaviour used by those engaging in email phishing.



How can Shearwater help you?

If your organisation isn’t yet taking the threat posed by phishing email seriously, it’s time you started.

The costs associated with ransomware and malware can be crippling.

Yet there are steps you can take to help safeguard your organisation.

With Shearwater actively engaged in research to continuously drive improvements in email security, SPEAK TO US TODAY to learn how you can benefit from our research and expertise.

PhriendlyPhishing by Shearwater Solutions




Machine Learning Boosts Cybersecurity

Robots are taking over the world!

That’s the dystopian vision conjured in the minds of many when talking about Machine Learning.

But don’t be swayed by the hysteria. Machine Learning offers enormous potential. The key is to find ways to leverage it so it opens up new insights into patterns that we humans simply can’t detect without a bit of computer assistance. 

At Shearwater, our commitment is to your security. We are constantly on the hunt for new and innovative ways to defend organisations from a broad range of cyber threats.

We believe Machine Learning can play a significant role in the quest to achieve stronger levels of cybersecurity.

The challenge of identifying threats

Network security monitoring requires a broad range of technologies and tools. To achieve a comprehensive security posture, each of them needs to work together harmoniously.

However, getting them to communicate with each other can be a major challenge.

When the plethora of tools don’t communicate with each other, there’s a risk you’ll only gain visibility into a small fraction of network access requests.

And even if you do achieve a high level of visibility, deciphering all the data requires specialist skills.

Security Information and Event Management (SIEM) provides a solution by collecting information, aggregating it and turning it into insightful, meaningful knowledge.

In theory all your network activity will be logged and you’ll have the required visibility.

Perfect!  The end.

Not quite…visibility is only half the battle.

Attackers are operating under a cloak of anonymity, often disguised as day-to-day users. Significantly, the most serious threats are the ones you can’t see. Attempting to identify their activity among the troves of logs can be difficult and cumbersome.

Just imagine the vast depth of data your network security tools record each day:

  • Application logs
  • System logs
  • Security logs

And that’s just the beginning. Consider every failed password attempt – it would also generate a log. There can be literally thousands of these logs each day. And this represents a tiny fraction of the activity being recorded.

What is Machine Learning and how can it enhance your security posture?

It’s clear the traditional approach for logging and flagging security threats in organisations is far from efficient.

However, Machine Learning can assist us in this task by providing some degree of automation.

By tapping into the potential of Machine Learning, there exists the possibility of mapping datasets, from which the computer can learn to identify and flag potential threats. Over time, the computer will learn from both its successes and failures to enhance performance automatically without the need to be explicitly programmed.

Harnessing this technology can quickly and automatically produce models that can be used to analyse even larger, more complex datasets. This in turn delivers more accurate results, more efficiently.

Enter Ken Liu, Shearwater’s latest security protégé.


Ken, a Shearwater Security Analyst and recent graduate from the Bachelor of IT (Network Security) degree at TAFE NSW, is a keen Machine Learning student.

As part of his studies, Ken’s research focused on training a computer to monitor logs of server “traffic.” By analysing extensive database logs, Ken enabled the computer to identify what appeared to be “normal” events that weren’t in fact actually “normal” at all – they were hackers in disguise!

With this level of insight, Ken was then able to factor in other known issues and feed them back into the system. For example, as the machine learnt to successfully identify and flag significant events, it remembered how to detect them in the future.

This saved Ken hours of data trawling and created a virtuous learning cycle.

Achieving accuracy was challenging due to several false positives, in which events were flagged as potential threats that were not in fact threats.

Yet, with ongoing support and assistance from the Shearwater team, Ken was able to overcome this challenge and achieve a much higher level of probability that only genuine threats were being highlighted.

This offers an instructive lesson: for Machine Learning to succeed in providing value, it requires an element of human experience and intuition. By combining the strengths of a computer’s analytical and pattern-matching capabilities, together with human experience and intuition, Ken was able to achieve an optimal outcome.

Humans provide the thinking.
Computers provide the horsepower.

Through his research, Ken also found that different approaches were required for analysing different database logs using Machine Learning. A one-size-fits-all strategy will not work. Every organisation requires a unique approach, as each differs vastly in terms of size, industry and their own internal IT environments.

So, what’s next?

Ken is planning additional Machine Learning research with a view to integrating his work with the advanced security monitoring systems Shearwater already uses.

By integrating the insights gained from his work, Ken believes Shearwater will be able to improve the quality and efficiency of the security services it offers clients.


How can Shearwater help you?

Do you need to get a handle on your logs? Does your organisation have a plethora of security systems that are not communicating with each other effectively?

If you’re in need of an integrated SIEM strategy and want to take advantage of Shearwater’s commitment to innovation in the security space, speak with our Managed Security Services team today.

By tapping into our expertise and innovations, you’ll enhance your organisation’s security capabilities to protect yourself from the growing range of threats.




Innovating with Data

Shearwater champions new insights in battle against BEC

The data is in and the picture it paints isn’t good.

For thousands of recent Australian victims, the fact that Business Email Compromise (BEC) attacks are on the rise comes as no surprise.

BEC continues to be a highly profitable attack vector for cybercriminals.

Using highly sophisticated methods, attackers are targeting businesses across the world, and we are particularly vulnerable.

According to the Australian Competition and Consumer Commission (ACCC), BEC losses exceeded $3.8 million in 2018, representing a 53 percent increase from the previous year.

Combine these losses with those reported to the Australian Cybercrime Online Reporting Network, and email scams have cost Australian businesses in excess of $60 million!

Clearly new strategies are needed to fight this growing threat.


Using data to drive new insights

When it comes to the battle for email security, data offers us potential new strategies by yielding fresh insights. 

During her final year as a student in the Bachelor of IT (Network Security) program at TAFE NSW, Fariha Uddin undertook her capstone project in conjunction with Shearwater.

Together, we sourced vast sets of email metadata that had been used by Enron, the defunct US energy giant.

Why Enron? As a large organisation that no longer exists, we could access many years’ worth of publicly available historical metadata, without breaching any privacy requirements.

By doing a deep dive into their metadata, Fariha was able to identify important patterns of behavior. Using heat-mapping data visualization techniques, Fariha explored the vast volumes of email traffic, and the times of day they were transmitted.

The key questions Fariha was seeking to answer included:

  • When were emails sent and received?
  • Who sent or received them?
  • At what times of the day?
  • Were they from internal or external sources?

This data offers the potential of yielding valuable insights to help predict where and when a BEC attack is likely to occur.


What are BEC attacks?

BEC attacks prey on people’s innate desire to be helpful by quickly responding to “urgent” or “important” email requests from superiors or suppliers.

Attack emails are sent from a compromised or spoofed email account with a forged sender address.  The emails are cunningly crafted to persuade employees to transfer funds into a ‘new’ bank account.

For example, a CFO may regularly send requests to a member of their accounts team with instructions to pay for certain goods or services. A BEC email would exactly replicate the nature of such email requests, including the day and time when they are usually sent. The only difference would be that the fake CFO email would contain bank account details belonging to the attacker. The unsuspecting member of the accounts team would make the payment in line with the instructions in the fake CFO email. By the time the error is discovered, the attacker will have received the funds.

The high quality of the emails, and the practice of sending them at times when the employee is known to be under stress or particularly busy, make BEC email attacks extremely effective.

BEC attacks often occur after a prior phishing attack. A successful phishing attack can disclose valuable information to the attacker, such as the Chief Financial Officer’s correspondence, schedules, calendars, and much more. This detailed information enables the attacker to know the types of requests the CFO usually makes of their staff and the times they usually make them, and even to impersonate their writing style.

Armed with so much valuable information, the attacker is able to ensure the requests to transfer funds seem like business as usual to staff in the organisation.

Knowing the tactics that are being used, Shearwater is keen to explore new avenues that can help us get one step ahead of the cybercriminals.


What have we learnt?

Thanks to Fariha’s analysis of the Enron email trove, new perspectives were ascertained to answer the critical question:

Who, in an organisation, is most likely to be susceptible to a BEC attack?

From her data analysis, we were able to visualise “normal” email behaviour patterns. Anything that did not conform to “normal” behaviour was flagged as a sign of a possible attack.

If we can learn who the attackers are likely to target, extra training can be provided to these individuals. Furthermore, care may need to be taken to ensure they are not deluged with email, so they have the capacity to adequately verify the veracity of items landing in their inboxes.

The collaboration between Fariha and Shearwater was so successful that this project will continue to Phase 2 and will be passed onto another student for further development.


How can Shearwater help you?

Shearwater’s commitment to innovation in the email security space is uncovering important insights that may ultimately prove invaluable in the battle to improve email security.

With rapidly escalating costs associated with BEC email attacks, such innovation is timely.

By developing the talents of the next generation of cybersecurity professionals with real-world problems to solve, Shearwater is looking to the long-term to provide a safer connected world.

If you want to have the latest email security in your organisation, speak to Shearwater.
Our commitment to innovation will give you the best chance to stay safe.




3 Pillars for Security Awareness Success

“Are your staff going to be your greatest risk, or your greatest assets?”

That was the question posed by Damian Grace, General Manager of Phriendly Phishing – the comprehensive email security awareness program developed by Shearwater Solutions.

The modus operandi of those intent on harming your organisation has changed.

With the focus shifting away from hacking into network or web applications, principally due to significant advances in cybersecurity over recent years, human error is now the soft underbelly of many organisations.

Recently we’ve witnessed a marked uptick in email phishing, ransomware and malware, all designed to trick your staff into opening the wrong attachment or clicking the wrong link. Never have people been so under attack as they are now, with cyber-attacks ramping up across the board.

All it takes is one mistake and hackers, with the intent of stealing your confidential data assets, will have compromised your computer systems.

The impact on any organisation can be devastating – which is why every organisation requires a security awareness culture.

Only by inculcating your staff with a deep understanding of the threat profiles your organisation faces, and crucially, the role they need to play in mitigating those threats, will you begin to ensure your protection.

Change starts from the TOP

As an IT Manager, CTO or CISO, it’s imperative you persuade upper management to embrace a change in corporate culture. To achieve that, you need to understand what it takes to become an influencer within your organisation.

We know change is never easy. Especially the sort of long-lasting change that’s required to cultivate a security awareness culture. Grace likens it to pushing a big rock. At first the challenge seems insurmountable. But once you begin pushing and momentum builds, the task becomes easier.

While many stakeholders may initially be reluctant to embrace the sort of behavioural adjustment required to achieve a more robust cybersecurity posture, the task will be made easier if everyone involved understands the context.

Your entire staff, from top to bottom, needs to understand the reasoning behind the changes you’re seeking to implement and why it’s of critical importance to the organisation.

That’s why your most important initial task is to get upper management embracing your initiatives and leading the way.

Assess your current Learning Culture

Begin with a frank assessment of the learning culture currently existing in your organisation.

Even before commencing, you can determine how successful your attempts at cultural change will be based on existing attitudes. Our experience with Phriendly Phishing shows that non-mandatory training completion rates vary dramatically based on the learning culture that exists within an organisation.


Learning Culture   | Completion Rate
Low or No Interest | 40%
Indifferent        | 55-70%
Highly Engaged     | 80% +

If there is little to no interest in learning and acquiring new skills, unfortunately your task will be challenging. Luckily, among respondents to our poll, only 4% reported having a “no interest” culture.

By contrast, if your staff tends to be highly engaged and eager to expand their knowledge and embrace new strategies, your task will be much easier. With 27% of our poll respondents reporting a highly engaged workforce, that’s definitely good news.

However, by far the largest cohort of our poll respondents, in excess of two thirds, report an indifferent culture when it comes to change. This indicates the workforce will embrace change if required, but don’t seek it out otherwise. Whilst you will experience challenges changing the culture in such an organisation, you shouldn’t expect to receive too much intransigence or resistance. With a bit of effort, you should be able to achieve the results you want.


Whether your workplace shows no interest, is highly engaged or indifferent to learning, none of this is set in stone. With the right leadership, spearheaded by senior management, everything can change for the better.

Three Pillars to Create Strong Foundational Change

When considering how you can best enhance cybersecurity awareness in your organisation, it helps to focus on the following three pillars to ensure the new culture you’re cultivating is built on strong foundations:

Pillar 1: LEAD
Be a route or means of access to a particular place, or in a particular direction.

Real change starts from the top.

While you understand the importance of cultural change in reducing the organisation’s exposure to risk, upper management may not be sufficiently technologically literate to grasp the significance of what you’re proposing. However, it is vital to get their full support if your initiative is to succeed. This is to ensure your initiatives aren’t stymied by those within the organisation who may be resistant to change.

Following these 4 steps, you’ll stand a good chance of successfully persuading upper management of the necessity of your initiatives:

  1. Drive awareness by providing evidence to senior executives of the impact an organisation’s culture has on its bottom line.
  2. Demonstrate the impact your changes will have on the organisation by focusing on outcomes. By learning to translate “IT-speak” into “business-speak”, you’ll be able to align your initiatives with business metrics in a way that will be highly persuasive to upper management.
    Emphasise the costs of inaction. Ransomware attacks have the capacity to shut down business for multiple days, costing millions in lost data.
  3. Push to get agreement on moving forward with your change agenda.
  4. It’s vital to get firm commitments, preferably in writing.

While this process of persuasion won’t necessarily be easy, it is absolutely vital you lead the internal conversations within your organisation to get the commitment and support from upper management to succeed.

Pillar 2: ENGAGE

Engage by winning hearts and minds.

Traditional training methods are notoriously ineffective. Periodically pushing out highly technical information is not the way to engage people. That’s why it’s crucial you develop an effective plan that encourages people to embrace the project.

The training modules you use need to interest learners and be enjoyable. Importantly, you want to make sure people feel like winners.

Don’t make training too complex. Remember, every person has a unique comfort zone. Your goal should be to nudge them slightly beyond their comfort zone for long enough to enable them to absorb a new concept. This concept will then become part of their new, expanded comfort zone.

Through gradual, incremental training, you’ll achieve long-term cultural change.

This is what we’ve achieved with Phriendly Phishing. While we use challenging emails for our initial risk assessments, when it comes to raising awareness and achieving behavioural change, we use phishing emails that are more easily identifiable. This encourages people to learn, grow and build confidence. It makes them feel like winners.

We’ve also found that when testing behaviour, it’s best to send test emails randomly. There’s little point sending out test emails according to a pre-determined cadence, when the individual knows they’re being tested. By randomising your testing, you’ll gain a clearer insight into the effectiveness of your training.

Some other factors to consider when fostering engagement:

  • Whenever possible, focus on the personal benefits they will experience from the training. When it comes to email security, the awareness they develop through the training will help them and their families stay safe online.
  • Ensure you map out training modules to align with your goals and communicate your timelines with participants. Long-lasting change may require a learning path over multiple years.



Pillar 3: CHANGE
An act or process through which something becomes different.

Long-lasting change requires ongoing training.

Don’t try to effect substantial cultural change overnight. It will take time. Start with small, bite-sized chunks, then progressively educate your staff about what changes they should make.

Crucially, staff need to understand the reasons behind the push for change.

This is why context is critical. When staff understand why they are being asked to change, and why it’s important for the organisation, you’ll generally achieve greater success.

Without this context and understanding, staff will be more likely to demonstrate resistance and your attempts to achieve cultural change are unlikely to succeed.

We recommend focusing on the three R’s:

  • Repeat – Maintain ongoing, consistent and gradual approaches to achieving change.
  • Repair – Always seek to identify areas of weakness, where change hasn’t been achieved, and focus on those areas for improvement.
  • Report – Constantly monitor your progress and report back to stakeholders regularly.

In our experience, ongoing computer-based training (CBT) is the best model to follow. In the poll we conducted, almost half of respondents stated their organisations implement CBT strategies. A further 32% implement ad hoc training initiatives. While certainly this is a great start, it’s important to bear in mind that not all CBT is created equal. To be successful, CBT strategies need to be engaging and tailored to the individual requirements of different staff members.



Follow the Phriendly Phishing Model to Achieve Cultural Change

By implementing these three pillars, Phriendly Phishing is successfully changing the culture in many organisations surrounding email security awareness.

Phriendly Phishing’s engaging and interactive modules gradually progress learners through various pathways tailored to their individual levels of awareness. With incremental learning delivered this way, staff gradually build up their understanding of the threats posed by email phishing, and how they can play a crucial role in identifying such threats.

Importantly, staff are also made aware of the ways in which email security awareness can benefit them personally. The lessons learned are equally relevant for personal email. In this way, cultural change is more successful because it can personally benefit each staff member, as well as their families.

Ready to begin implementing cultural change in your organisation?
CLICK HERE to watch our webinar for more tips on how you can succeed.

Your staff is the front-line in your security strategy

“Every organisation is a custodian”.

That was the message delivered by Shannon Lane, Director of Shearwater Solutions when he addressed the team at ARC Student Life at the University of New South Wales.

We’re all entrusted to hold confidential information on behalf of our customers, staff and stakeholders. That’s just as true for a private business as it is for a university.

It’s a significant responsibility.

With others so reliant on us to safeguard their data, it’s incumbent upon each of us to do everything possible to maintain the highest levels of cyber security.

Large organisations, such as UNSW, maintain databases containing a vast array of private information. From financial reports to student records and confidential staff information, any compromise could be extremely costly for both the university and the individuals affected.

Data breaches can also be detrimental to an organisation’s reputation, undermining trust in its capacity to fulfil its role as a reliable custodian of other people’s records.

While most organisations understand the need to invest in data-protection technology to prevent hacking, malware or ransomware, those who are motivated to breach these defences are constantly on the lookout for new ways to circumvent security systems.

Unfortunately, human error by those within an organisation can be a weak link. By clicking on the wrong link in an email, or opening the wrong attachment, staff can inadvertently open the back door to hackers, enabling them to gain access to an organisation’s IT systems and steal confidential data.

That’s why it’s imperative for all organisations to provide staff with ongoing training in identifying potential risks.

In line with ARC Student Life’s strong commitment to data protection, it adopts a proactive approach to maintaining stringent cyber security measures, including staff-awareness campaigns.

Give your team the tools & skills they need to block phishing emails

Shearwater has developed Phriendly Phishing, a proprietary software system with training modules that makes it easy for any organisation to enhance its online security.

Phriendly Phishing Awareness Training

A key component of Shearwater’s approach is ongoing staff awareness and training.

The Phriendly Phishing S.C.A.M. framework makes it easy to educate staff in identifying and blocking phishing emails:

  • S – Sender: Who is really sending the email?
  • C – Content: What’s the email’s content?
  • A – Action: What action does the attacker want me to take?
  • M – Manage: What do I do with the scam email?

With this 4-step approach to email security, Lane helped arm the ARC Student Life team with the awareness they need to enhance their security posture.

How can Shearwater help you?

Visit us for further information about Shearwater’s Phriendly Phishing software, so your organisation will be best placed to prevent email being used as a tool to compromise the confidential data you’re entrusted to protect.

