October is Cyber Security Awareness Month, an annual reminder for all Australians to stay secure online. This week’s theme is “How do you ‘act now’ to stay secure?”
As large-scale data breaches become more common, customers and consumers are becoming increasingly aware of the fragility of their digital security. On the back of the Optus data breach notification, more people are asking “how secure is my information?” and “what are the organisations that I provide data to doing to protect me?”
Organisations of all sizes, in all sectors, across Australia are under increased pressure to improve the security of their information, technology and people. There are many solutions, activities and products designed to help organisations feel prepared to answer their clients’ questions. Though the possibilities are endless, not all solutions are fit-for-purpose.
Get to know what you do not know
The unknown can be scary, but when it comes to cyber security, we need to lean into learning what we do not know. When it comes to our operations and capabilities as a business, there will always be things we know and things we do not. The things we do not know are opportunities to better understand our operations and our people. Ideally, these opportunities will help to improve your team’s performance. Ask yourselves, your peers, or your Information Technology (IT) team the following questions:
- Do we understand our information security objectives and what we need to do as an organisation to achieve them?
- Do we have these objectives, requirements and processes documented and communicated?
- Do we have an asset register that identifies the information, technology, and applications we use?
- Do we have a plan of what to do and how to recover if there is an information security incident?
- Do we understand our business processes and the information that flows through them?
- Have we identified, and do we understand, our information security risk?
- Does our understanding of our risk inform and support our investments as a business?
If you answered “no” or “I don’t know” to any of these questions, you have an activity that your business can undertake to evolve your cyber security practices, understanding and culture. Collate these opportunities, and those in the following sections, to create a basic cyber security action plan for your organisation.
Secure your technology
Depending on the size and complexity of your organisation, you may have an IT team, a service provider acting as your IT function, or you might be setting up your devices yourself. Whatever structure your organisation has in place, the fundamental protection requirements at a technology layer remain the same. Ask yourselves, your peers, or your IT team the following questions:
- Do we have passphrases, PINs or biometric authentication enabled for all portable devices (including mobile phones, laptops, and tablets)?
- Do we use multiple factors of authentication before allowing access to systems containing sensitive information?
- Do our portable devices automatically lock after inactivity?
- Are our portable devices, and servers if applicable, encrypted?
- Have we configured our devices in line with vendor or industry security hardening guidelines?
- Do we have backups of our information and technology configuration?
- Are software and operating system updates installed within 48 hours of release or as soon as possible following testing?
- Do we have any unsupported software or operating systems in our environment?
- Do we capture logs and monitor them for actions that may indicate our technology systems have been breached?
- Do we conduct regular vulnerability scanning and penetration testing to identify technology weaknesses?
- Is our website secure, and accessible over HTTPS using the latest version of TLS?
If you have questions about how to secure your technology, the best course of action is to ask your vendor or an expert. The Australian Cyber Security Centre has a range of “how to” guides that give individuals and their families, small and medium businesses, and large organisations best-practice guidance on cyber security. This includes specific advice for protecting different types of operating systems, on both mobile phones and laptops, as well as security advice for commonly used applications and services.
If you can’t find what you need online or don’t understand the technicalities, reach out to us for guidance and help in setting your technology security priorities.
Secure your people
The greatest potential exposure point for many organisations is their people. People are fantastic at helping each other. Unfortunately, this desire to be helpful can come at a cost to those people or their organisation. Too often, we hear of people falling for scams and sending nefarious actors their money, or company funds, while thinking they are doing the right thing. Your employees’ desire to help should be celebrated, and part of that means giving your people the right tools to recognise when something looks a bit dodgy. Ask yourselves, your peers, your IT team, or your Human Resources team the following questions:
- Do we provide regular information security training to our employees?
- Would our employees be able to identify a phishing email or text message?
- Do our employees understand what to do with lost, or found, technology equipment (e.g., USB drives)?
- Do our employees understand not to use public Wi-Fi for work purposes?
- Do we conduct background checks on employees handling or processing sensitive/financial information?
- Do we have the right processes in place to reduce the harm of business email compromise?
- Do our employees understand how to report a security concern or incident?
- Have we embedded a culture of no-shame and no-blame when employees report a security concern or mistake?
Your people are usually your first line of defence, and it is critical that you not only arm them in the right way to protect your business but also support them to protect themselves.
Finally, effective cyber security requires that people, processes, and technology fit together in a way that is complementary and supportive of an organisation’s overall strategy and information security objectives. If the first line of defence fails, there must be other layers ready and available to catch an error and protect your organisation.
Now, if you have answered “yes” to every question posed in this article and have the evidence to back it up, congratulations! If not, then it is time to dig a little bit deeper and find out where your blind spots lie. Contact one of our dedicated cyber security advisers today.