In this short two-part series on Cyber-Security, I will be identifying 12 insights every business needs to consider to ensure cyber-security. Part 1 will target myths and threats and later in part 2 I will identify methods of defence.
12 INSIGHTS EVERY BUSINESS NEEDS TO CONSIDER TO ENSURE CYBER-SECURITY.
Any executive or business owner who does not appreciate their cyber-security threats is living in la-la land. For the 12 months prior to June 2020, the Australian Cyber-Security Centre received 59,806 cyber-crime reports at an average of 164 cyber-crime reports per day, or one report every 10 minutes. Further, the growth rate in cyber-crime has been exponential since the COVID-19 crisis began. In the same period, cyber-scams alone cost the Australian economy $634 million.
Every enterprise in Australia in 2021 will need to address cyber-security if they are to avoid the significant threat it poses to their productivity and ultimately, profitability. Indeed, for many businesses failing to address cyber-security adequately will threaten the very survival of their business. It is almost inevitable that businesses attacked with ransomware, for example, will go broke in 2021. The data suggests that more than one reader of this article will face a cyber-security threat this year. The real questions are – will it be you, and what will be the cost?
TWO DANGEROUS MYTHS ABOUT CYBER-SECURITY
There are many myths about cyber-security, but two are especially troubling. The first relates to the focus on the dark-web and the second relates to external threats.
1. NO – THE DARK-WEB IS NOT THE BIGGEST THREAT TO YOUR CYBER-SECURITY.
Often without understanding the ‘dark-web’, many executives and an alarming number of IT consultants view it as the biggest threat to their cyber-security.
The fact is, while an important consideration, the ‘dark web’ is no more or less a threat to a business than the ‘social-web’ that we all use every day. Indeed, many business risks are far more likely to involve the ‘social-web’ than the ‘dark web’. A hacker needs no association with the ‘dark-web’ to break into your system to install ransomware or malware.
The ‘DARK-WEB’ sounds scary – but the ‘dark web’ per se is unlikely to be the primary threat to your business.
Just as the focus on the ‘dark-web’ is a trap for inexperienced players, the focus on external threats is a trap for naive players – including naïve IT consultants.
2. NO – OUTSIDERS ARE NOT THE ONLY THREAT TO YOUR CYBER-SECURITY.
The fact is, while there is a litany of external threats to a business’s cyber-security, there are many accidental and deliberate internal threats, some of which are all too often ignored by IT consultants. Research undertaken by IBM in 2019 suggested that 24% of cyber-security breaches and 36% of employees lacked the training needed to protect against threats adequately.
Most IT consultants focus on the EXTERNAL THREATS to cyber-security, but INTERNAL THREATS are equally concerning in 2021.
FIVE COMMON CYBER-SECURITY THREATS
The threats to the cyber-security of a business are too numerous to list here. There are, however, five categories of threat that will be most concerning for businesses in Australia, in 2021.
1. RANSOMWARE
We have all heard news reports about ransomware – where businesses have been locked out of their systems until they pay a ransom – a form of extortion costing businesses billions.
What would it cost you, in lost productivity, if you and your people could not access your systems? This is now an even more important question in Australia given that paying a ransom is a crime under federal law. And even if you did pay a ransom – what certainty would you have that your data is intact when you can access it again?
There is of course a simple solution to ransomware threats – ensure that your systems are adequately backed up. In most cases, if your systems are adequately backed up, you can restart your systems with limited impact on productivity and without paying a ransom. Are your systems backed up well enough to avoid paying a ransom?
What is your strategy to ensure you are not one of the thousands of businesses held to RANSOM by cyber-criminals in 2021?
2. PHISHING
Phishing is a type of cyber-attack often used to steal data, including login credentials and credit card numbers. It involves an attacker enticing a victim to open an email, instant message, or text message.
Phishing is very prevalent. We have all seen bogus emails in our inbox. Unfortunately, all too many of these bogus emails are opened, giving criminals access to your system and therefore the capacity to steal data or create mayhem. This is all too easy to do.
There are several strategies that can be put in place to limit this threat, including those involving email filters. Perhaps the most important strategy involves having in place clear protocols and security awareness training. The best strategy almost certainly involves a combination of filters, protocols and training addressing both email and your websites.
Do you have the filters, protocols, and training to limit it, or will your business be one of the thousands hit by PHISHING in 2021?
3. HACKING
Hacking is so prevalent it has been the subject of movies. At the same time, systems – private and public, government and commercial – are hacked so often in 2021 that it is barely newsworthy.
Hacking involves unauthorized access to, or control over, computer network security systems, enabling those entering to destroy, steal or even prevent authorized users from accessing the system. This can, but need not, involve malware or ransomware. It can be malicious or done for ‘sport’.
There are several strategies that businesses need to implement to prevent hacking, including those relevant to protecting against malware and ransomware. Among the more effective methods being used in 2021 are ‘multi-factor authentication’, ‘secure single sign-on’, refining the ‘password construction policy’, using a ‘random passphrase generator’ and changing passwords regularly.
Most businesses will be subject to a HACKING attempt in 2021. What policies do you have in place to protect your systems?
4. NETWORK VULNERABILITIES
Any system connected to the internet, including any system with an IP address or hostname resolving publicly in DNS, is exposed to vulnerabilities.
Remote workers using a virtual private network (VPN) or remote desktop protocol (RDP) are at risk as businesses expand their internet presence through increased use of interconnected, internet-accessible systems. In 2021, criminals will increasingly focus on compromising internet-facing infrastructure, exploiting vulnerabilities in unpatched servers and exploiting the trend to work from home.
Many businesses don’t have a vulnerability management program in place. They should ensure regular vulnerability scanning, strict password controls and multi-factor authentication, while enabling network-level authentication and disabling Server Message Block (SMB).
Working from home may have exposed your NETWORK. What strategies do you have in place to secure your network in 2021?
5. BRUTE FORCE ATTACK
Many executives and business owners may not have heard of a ‘brute force attack’. Yes, it is more of that IT jargon we love to hate. In 2021 it is also a real and present danger.
A brute-force attack involves submitting many passwords or passphrases in the hope of eventually guessing a combination correctly. These attacks may use a hybrid, dictionary, rainbow-table or similar strategy to take advantage of weaknesses in an encryption system, putting data at risk of unauthorized access.
Strategies for preventing a ‘brute force attack’ include restricting access to authentication URLs, limiting login attempts, updating administration account security, enabling CAPTCHA, activating security scanning, and utilizing multi-factor authentication.
In 2021, a ‘BRUTE FORCE ATTACK’ on your business is increasingly likely. Are you prepared to repel such an attack?
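Two of the controls listed above, limiting login attempts and spotting an attack in progress, can be illustrated with a small added example (not code from the original article). It assumes a constructed authentication log format (timestamp, result, account, source IP); the sample log lines, the `detect_brute_force` threshold and the `LoginThrottle` lockout values are illustrative choices.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
# Constructed sample authentication log (not real data): timestamp, result, account, source.
SAMPLE_LOG = """\
2021-03-01T09:00:01 FAIL user=alice src=203.0.113.5
2021-03-01T09:00:02 FAIL user=alice src=203.0.113.5
2021-03-01T09:00:03 FAIL user=alice src=203.0.113.5
2021-03-01T09:00:04 FAIL user=alice src=203.0.113.5
2021-03-01T09:00:05 FAIL user=alice src=203.0.113.5
2021-03-01T09:00:06 OK user=alice src=203.0.113.5
2021-03-01T09:05:00 FAIL user=bob src=198.51.100.7
"""

def parse_auth_log(text):
    """Yield (timestamp, success, user, source) tuples from the constructed log format."""
    for line in text.splitlines():
        ts, result, user, src = line.split()
        yield datetime.fromisoformat(ts), result == "OK", user.split("=")[1], src.split("=")[1]
def detect_brute_force(events, max_failures=5, window=timedelta(minutes=1)):
    """Return sources with at least max_failures failed logins inside a sliding time window."""
    recent, flagged = defaultdict(deque), set()
    for ts, ok, _user, src in events:
        if ok:
            continue
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:  # drop failures that fell out of the window
            q.popleft()
        if len(q) >= max_failures:
            flagged.add(src)
    return flagged

class LoginThrottle:
    """Limit login attempts: lock an account for `lockout` after `max_failures` failures."""
    def __init__(self, max_failures=5, lockout=timedelta(minutes=15)):
        self.max_failures, self.lockout = max_failures, lockout
        self.failures, self.locked_until = defaultdict(int), {}

    def attempt(self, user, password_ok, now):
        """Return 'locked', 'ok' or 'fail'; even a correct password is refused while locked."""
        if now < self.locked_until.get(user, now):
            return "locked"
        if password_ok:
            self.failures[user] = 0
            return "ok"
        self.failures[user] += 1
        if self.failures[user] >= self.max_failures:
            self.locked_until[user] = now + self.lockout
            self.failures[user] = 0  # start fresh once the lockout expires
        return "fail"
```

On the sample log the detector flags only 203.0.113.5, whose five failures fall inside one minute, and the throttle refuses even the correct password for the account until the lockout has elapsed.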
This post addresses two of the myths about, and five of the biggest threats to, businesses’ cyber-security. It’s one thing to know about the threats but it’s another to defend yourself appropriately against them. In part 2 of this series, I will address just five of the strategies that need to be implemented to ensure your business is as secure as it can be and that you are protected in the event of a breach. Fortunately, these strategies need not be expensive, and the right IT Consultant can work with you to put in place a cost-effective programme to ensure your systems are secure.
In closing, it is important to highlight again, that your business will almost certainly be targeted in some way by cyber-criminals at some stage. Protection against breaches of your cyber-security is nothing more or less than prudent risk management.
Please look out for Part 2 of this mini-series next week.
If you want to know more, please give me a call or email me.
1 300 958 923