Australia’s finance sector often tops the list of most-breached verticals for cyberattacks. “Follow the money” seems to hold true for cybercriminals as much as anyone else.
Most businesses use Microsoft Office on some level. Whilst Office is relatively secure, financial firms in particular are slightly more exposed to its security vulnerabilities due to their frequent use of macros.
The risks of macros are such that even the Australian Cyber Security Centre lists configuring your Office macro settings as a key component of its Essential Eight Cybersecurity framework. We’ve even done a guide on that, which you can read here.
There are numerous methods cybercriminals use to exploit macros. A common method is attaching an Office document to an email, from which they can initiate the attack.
Firstly, most professional organisations (including the government) generally don’t send emails with documents to people out of the blue (if at all). So that’s already a red flag and you should be checking with your IT team to confirm.
Even if you were to open the attached document, there’s another red flag inside. The booby-trapped Word document asks recipients to enable macros.
Word doesn’t let you do that by default, and with good reason. Asking you to enable macros is a common ploy in ransomware attacks because macros allow hackers to leverage legitimate Windows components to deliver the rest of their malicious payloads.
What You Should Do About It
At the very least, we recommend upgrading your Microsoft Office subscription to Business Premium.
This one upgrade provides you with more advanced security capabilities not available in lower-tier subscriptions.
Furthermore, after being configured to your needs, many of these additional capabilities operate passively, requiring no additional work to reduce your cybersecurity risks.
As an additional no-cost extra, we also recommend you follow our guide to configuring macros here.
This isn’t a total solution, but it’s a good start and very easy to do, and we’re here if you need more in-depth help. We are always happy to provide a complimentary consultation for the finance sector because money is hard enough to make; let’s not lose the money we have to some dickhead hackers.