If you run a small to medium enterprise or a not-for-profit organisation, you are at risk from cyber threats. We all are, but SMEs in particular are being hit and losing real money as a result of criminal activity that deliberately sets out to cause harm.
With experience pitching cyber security products to banks and government departments, I have learned some valuable lessons at a strategic level that can be applied to the smallest of businesses. The first lesson for me was that technology is only part of the solution, but needs to be behind every aspect of business and security.
First, we must get our strategy right – what is important to protect, who are we protecting it from and how we are going to go about protecting it? Not even the banks and government can buy every security technology they are offered, and they must prioritise their spending to ensure the biggest threats are addressed first.
The biggest threats still come from people inside your business space: insider threats, or the person sitting next to you on a plane reading your emails, your proposal or your pitch deck on the way to a presentation.
The next scale of threat may well be your staff opening something in their email that they should not have, in a moment of distraction or low attention. Not a malicious act, but a simple mistake. As we all deal with too many emails and too many websites and tools with passwords, it is relatively easy to be distracted into giving away access to data. Sure, it is not every email, every time, with every staff member, but it’s the one that gets through that counts.
The next level of threat is the opportunistic attack, where your network is breached by a systematic, automated search for vulnerabilities and some feature of your systems is exploited.
The top-level threat is a targeted attack launched on your business to penetrate your systems and find specific data or manipulate your systems, as in the recent case of Facebook, where 50 million accounts were harvested.
So, how do you combat these threats?
The first step to getting your strategy right is to determine what it is you are protecting and what it is worth. As an SME, you have a legal obligation to protect your clients’ and staff’s personal information and your business’s IP and financial information. If your business uses IT systems to run the business, as most do these days, you also need to ensure continuity and disaster recovery of those systems.
A breach may not be as public an event as Facebook’s, and it definitely will not reduce your share value by $17 billion in a week. It may, however, cause you pain and expense in a number of ways. At worst, it may lead to the end of your business.
Determine where the need to protect is, determine where the need for continuity is, and implement technology to address both. Determine who has access, whether physical or over the network or internet, and ensure suitable restrictions are put in place. Plan a budget to train your staff on suitable use of IT systems. Ensure you have access to the right advice and the right resources.
The success of all businesses is determined by the people involved; unfortunately, so is the failure. If you have people in or around your business, it is wise to train them to be “Cyber Safe”. Recognising a threat in the form of a bad website or email message is a good step to take. Physical security of your servers, by keeping them in a locked room, and restricting access to folders on the network drives are the standard measures to ensure your own people are not stealing your data, sharing it inappropriately or letting it get infected by a virus on their PC.
Today there is so much more to take into consideration, with people around the globe attempting to access your computer. Have you ever considered that one in a million people on the internet is probably trying to get at you one way or another? With four billion connected users, that’s 4,000 threats you need to set up defences against every day. The fact that you are in Australia means you are in one of the wealthier demographics, and as such you and your business are targets.
So, when you are setting up for cyber security, think about how people might want to do wrong by you.
When your strategy is right and your people are considered, you then want to ensure you use the best products to minimise the impact on your business. You cannot afford to use every cyber security technology out there, but you can choose the safer option in every little decision. You need to select and deploy the best antivirus solutions, spam filters, firewalls and web filters. You can also make use of two-factor authentication so that it is harder to access your networks remotely, but not so hard that your staff don’t bother.
Often it is the little differences, not the big decisions, that make the biggest difference. For example, when you select a laptop for business use, you can buy a consumer-grade product, or for a few dollars more you can buy an HP laptop with a limited viewing angle option on its screen, so that when you are in public the view of your screen is restricted and people cannot read off it. It is about buying secure printing devices, like those from HP, which do not cache your files in a way that lets intruders copy them. It is about the little things that stop people accessing your wireless networks, because your patching is managed and up to date.
There are products for everything, but it is about getting the right advice and then using common sense to apply the protection you can to the components you must protect. We do not need to turn it all off and start again, but we do need to take security seriously. We must plan for and invest the time and money needed to stay on top of cyber security in 2018 and beyond.
Want some help? BizProtect is here to help you through this journey by providing technology, support, advice and ongoing management to ensure your safety. Get in touch today.
It’s a sunny morning and as you sit in traffic enjoying the sunshine on the way to work, you are thinking about your day ahead and the things you will do with it. Out of the blue, your IT department calls you to let you know the systems are down and it looks like you have been hacked.
Suddenly, you are no longer noticing the sun, the traffic has become a blur, and your mind races to figure out what to do next. How will you work out what has happened to your systems? Do you have a secure backup to recover from? Who do you need to tell? What is the process now?
Do you take a deep breath, remind yourself that your business is prepared for this, and instruct the IT manager to follow the plan, contacting key managers to play their role in the clean-up and communication? Or do you sit and wish you knew what the next best step was, in the absence of a plan?
If your business has over $3 million in turnover, you are now subject to mandatory reporting of any data breach that may have exposed personal information. If you are unsure of the nature of a breach and what data has been accessed, you have up to 30 days to determine the impact before reporting it.
On 16 March, ARN reported that there had been 30 breaches reported in just 3 weeks, and I am sure we can expect to hear about a lot more as data is being breached regularly. Often the organisation being breached does not even know it is happening.
What can you do to be ready for a data breach?
For starters, have your data backed up so that any corrupted machines can be wiped clean and restored.
Have control of your security systems so you can lock intruders out quickly.
You should also be ready to follow the four recommended steps as per the OAIC web page:
Step 1: Contain the data breach to prevent further compromise of personal information.
Step 2: Assess the data breach.
Step 3: Notify individuals and the Commissioner if necessary.
Step 4: Review the incident and consider actions to prevent future breaches.
Recently, we saw $17 billion in value wiped off Facebook when its breach notification hit the press. They are still trying to figure out how the breach happened, given the complexity of the mess and the scale of the leak. To say they are bleeding money over it is an understatement.
What is the likely fallout for your business from a reported breach? Do you have the right communications strategy ready to go, just in case? Sure, it won’t be $17 billion you drop, but what if you lost a few of your best clients over it? Would you survive?
If this leaves you cold, ask Combo for advice and assistance to ensure you are ready for a data breach when it inevitably strikes.
As of February 22, 2018, new legislation took effect.
There is now new legislation on mandatory reporting of breaches which impacts all organisations and businesses in Australia. The Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act 1988 (Privacy Act) establishes requirements for entities in responding to data breaches.
Who must comply with the NDB scheme?
The NDB scheme will apply to agencies and organisations that the Privacy Act requires to take steps to secure certain categories of personal information. This includes Australian Government agencies, businesses and not-for-profit organisations with an annual turnover of $3 million or more, credit reporting bodies, health service providers, and TFN recipients, among others.
For the purposes of this mandatory reporting, a breach is defined as follows:
“A data breach is when personal information held by an entity is lost or subjected to unauthorised access, modification, disclosure, or other misuse or interference. Examples of a data breach are when a device containing personal information of clients is lost or stolen, an entity’s database containing personal information is hacked or an entity mistakenly provides personal information to the wrong person.
A ‘data breach’ may also constitute a breach of the Privacy Act, however this will depend on whether the circumstances giving rise to the data breach also constitute a breach of one or more of the APPs, a registered APP code”
What if we are breached?
It used to be that if you were breached, the work was in cleaning up the mess it made. Now there is the added burden of contacting any individual or organisation whose information may have been accessed or leaked. You must inform them of the breach and recommend the action they should take to protect their data. You must also report the nature of the breach to the Australian Information Commissioner. Hence the concern over reputational damage.
A failure to report this may carry a maximum penalty of $360,000 for individuals and $1,800,000 for bodies corporate.
What does this mean for you?
We will begin to hear more about businesses that have been breached, and as a result the scale of the problem will be better understood. However, we will also begin to avoid businesses where breaches are reported. The brand damage and the cost of clean-up are worth avoiding.
What can we do to avoid being breached?
Combo offers BizProtect Cyber, a set of products and services for the SME marketplace. If your business or organisation has 30 to 500 computers, we have services and products to keep your data safe on your network or in the cloud, giving you peace of mind that updates are reliably and regularly applied and that breach points are managed and monitored.
More information and advice is available:
If you have any concerns about the state of your cyber security or the validity of your management processes and staff policies please don’t hesitate to contact us.