We help a lot of Australian businesses out with security incidents, as well as recovering from hacks and breaches. Many of them can be attributed back to human error or poor security hygiene. I thought I would share some of my top tips to help you avoid a costly hack, or brand damaging breach.
Patch Patch Patch
This is an easy one. Operating system vendors don’t just release patches for new features, they’re also patching security vulnerabilities regularly. Keep desktops and laptops up to date and enable automatic updates wherever possible. Apply the same thinking to critical applications such as Microsoft Office (Vulnerabilities in Microsoft Office have risen 121 percent over the last 6 years ), to keep ahead of problems.
Enable Two Factor
Many successful cyber security incidents start with an account being stolen or ‘phished’. One way to help stop these attacks being escalated is to have a second factor of authentication beyond just your username and password. This means that even if an account is stolen, the attacker can have a difficult time accessing the second login which may be a token or application that runs on a users smartphone. Two factor can be enabled selectively such as when a user is outside your corporate network. Some 2fa vendors to consider are Ping Identity https://www.pingidentity.com/ and Azure MFA https://azure.microsoft.com/en-au/services/active-directory/ .
Bake security into your culture and people
Cyber security is not just about technology and processes, it’s also about your people and the way they go about their day to day business. As a successful cyber attack can shut down your business or irrevocably damage your brand, It’s key that management and executive set a good example as this attitude then flows throughout the organisation. Ongoing cyber awareness training to make staff more conscious of potentially malicious behaviour will improve the cyber-hygiene of your business, with more mature organisations now also including cyber security training into staff onboarding.
Accounts that are stolen or included in breaches often end up being sold on the dark web for use in other attacks. There are resources available for you to check if key staff accounts have been included in previous breaches. https://haveibeenpwned.com/ allows you to search for staff email accounts, and any that are discovered should have passwords reset and even enabling two factor authentication on.
Have a plan
There’s a common theme with many of the companies we assist with security incidents; They didn’t plan for one. They often have a health and safety plan, and even a terrorism plan! This doesn’t need to be war and peace, and can be a single pager on roles and responsibilities, as well as who to contact including any cyber security partners you work with to assist in responding to incidents. If you have any regulatory bodies or government agencies you liaise with make sure to include any reporting structures that may need to take place here. The Australian Office of the Information Commissioner has a good guide on data breach plans . Make sure you’re also familiar with the Notifiable Data Breach Scheme .
Engage a security partner
There’s lots of talk about the increasing skills shortage in cyber security. And let’s face it, cyber security is probably not part of your core business so you’re constantly going to be playing catch up with a rapidly changing landscape. By partnering with a cyber security specialist you’re also subscribing to the ongoing skills and herd intelligence to help you plan and protect your business and brand from being the next headline. Just make sure they’re a specialist and not someone who’s also trying to sell you phones systems and printers.
Australia’s emerging enterprises are facing the same security risks and suffering the same incidents the big end of town are, but with much less capability to respond and protect themselves from a rapidly changing space. By baking security into your businesses DNA, and partnering with strategic cyber security specialists, you’re setting yourself up for success.