January 29, 2019 | Jonathan Horne - Cyber Aware
Moving into 2019, now is a critical time to address cyber security. Australia saw reported losses of over $100m in 2018 alone, and that’s only accounting for scams that were noticed and reported by victims. At CyberAware.com we’ve developed a four-point program to help kick off your security efforts in the new year.
If you aren’t sure of where to begin in protecting yourself and your business, our STOP policy is a fantastic place to start:
Open with caution
In this article, I’ll detail how you can use the four points of the STOP policy to tackle your cyber security in a holistic and accessible way. A common struggle of leaders who have decided to protect their business is finding an entry point or firm ground on which they can initiate cyber security efforts. With this in mind, we’ve developed this first step:
An important step in protecting your business is acknowledging your limits. As a business, you are only able to invest so much into your cyber security. Your time and resources can be limited, and protecting your business can seem an impossible and overwhelming task when you don’t know where to begin.
When you consider that over 60% of cyber attack victims go out of business within 6 months, you can see why this issue is critical for you to get on top of. Whilst these failed businesses may collapse due to financial losses, it’s also very often due to the reputational damages in the aftermath of the breach that a business is unable to recover from.
Imagine having to go to all of your customers, suppliers, and/or stakeholders with the news that their personal information has been stolen from your systems, and is now in the hands of criminals. Regaining their trust can be an impossible task.
To prevent this, you don’t need to shield every little aspect of your business. Your cyber security primarily needs to cover a small portion of your key assets and can be efficiently developed around them without feeling like you’re being worn thin.
With this in mind, ask yourself this question: What are your most valuable digital assets?
Generally speaking, it is much easier to protect your most valuable items. Recognise that having full protection of every asset in your business may not be realistic for you, but you can focus on protecting what matters most.
For example, you have physical valuables at home such as your T.V. or furniture. In the event of a burglary it’d be awful to lose these, but you aren’t going to bolt them to the floor and rig them with alarm systems to prevent this. It’s unrealistic to think you can triple-down the security on every little thing in your house. But let’s say you’ve got some priceless jewellery, or a unique family recipe that you simply cannot afford to lose. For these items you’d take the extra step and get a safe installed.
The same approach to home security can be applied to your business. Think of the digital assets in your business that deserve an extra level of protection, and in the same vein that you’d store your Crown Jewels in a physical safe, we want to build a “Digital Safe” to protect these.
Using the following steps, you can build your own Digital Safe for 2019 right now:
With these three steps and your digital safe, you’re entering 2019 with an awareness of your key assets and a baseline security plan to help keep them safe.
Businesses fall victim when they don’t know what needs to be protected. You don’t need to cover every facet of your business in steel barricades and tripwires.
The best thing that you can do for your cyber safety in 2019 is just take the time to work out the critical items that need protecting above all else. Sort these out and put them in your Digital Safe, and you’ll gain a better understanding of how to protect your business in line with the remaining STOP policy.
Having identified the crown jewels of your organisation, the next step is to apply some practical measures to protect them.
Most of your crown jewels are locked behind a login area of some kind, so it makes sense as your first step to fortify your login procedures.
However, no matter how strong the password(s) you are using to protect your accounts are, any password is inevitably crackable if given enough time. Hacked passwords cause 81% of data breaches alone, and are no longer adequate security measures on their own.
Using only a password to protect your login is the same as using only a locked screen-door to protect your home. Sure, you can’t get in unless you have the key, but in the event of an actual robbery that screen-door quickly becomes nothing more than a courtesy measure.
It is widely accepted that enabling two-factor authentication on your systems is the most effective way to prevent a breach. Two-factor works as a second line of defense in the event that your password fails you, and if we’re going by the statistics, it eventually will fail you!
Have you ever logged in to your Gmail account from a new device or asked for a password reset on an account, and were then sent a verification code via email or SMS?
That’s a common example of two-factor authentication. When you log in, the two-factor system will prompt you for a unique and randomly generated code that is only accessible via SMS or Email. Without this code, it is impossible to log in.
When two-factor is enabled, an attacker would not only need to access your password and login, but also need the uniquely generated code that is only accessible via your phone or email account.
The setup for two-factor is uncomplicated and inexpensive. Look at programs like Authy or even Google Authenticator for some easy-to-use and quick set-up two-factor solutions. If you have an I.T. team in your business and you aren’t already using two-factor, it should become their absolute priority to enable it.
This small addition alone is enough to prevent countless data breaches, and can easily be the deciding factor in your business becoming the victim of a cyber attack.
Malicious attachments and fake links are two of the oldest and most successful cyber attacks in the book. They’re also two of the most preventable.
Let’s say your doorbell rings, and you answer to find an unexpected parcel on your doorstep. It’s addressed to you from someone that you’ve never heard of and you weren’t expecting anything in the mail. For your own safety, the sensible thing to do would be to treat the parcel with a level of caution and find out where it came from before opening it.
That same level of caution applies whenever you receive an unanticipated attachment in an email or open a link.
The problem with links & attachments is that while they’re convenient, they’re also very exploitable. They can contain an array of different threatening contents, some of the most common being:
Before you open any email attachment or link, there are a few things that you need to verify:
To verify if an email attachment is legitimate, simply call the person that sent it you and ask them whether it was intentional.
To determine if a link is unsafe, simply hover the mouse over it and have a look at the URL. If it doesn’t begin with https, or if it leads to somewhere other than advertised, do not open it. Even one small typo in a URL indicates a big difference in where you’ll end up by clicking it.
Here’s an example of an email with a link posing as a Google Doc. We hovered our mouse over the URL to see where this attacker was really trying to send us…
I tore apart the benefits of password security pretty harshly earlier in this article, but by no means do I mean to belittle their importance.
While I’d still equate a business without two-factor authentication to having the same level of security as a house with only a screen door, a weak password is still like having a house with a massive hole in the wall.
If you’re password isn’t up to scratch, you’re wide open.
Again, hacked passwords cause 81% of all data breaches, and can be compromised by brute force, hacks, phishing and general weakness. What it takes to keep your password safe is a general awareness of where you keep your password, how frequently you change your password, and how strong your password is.
Going in to 2019, the standard “One Upper Case Letter, One Number, One Symbol” trick just isn’t going to cut it. We recommend instead moving into something like passphrases.
Take a phrase that you’re likely to remember, and use the first letter of each word to create a new password, alternating between upper and lower close.
For example: “Collingwood followers Are sophisticated People” would make CfAsP
Add a few numbers to the end, and you’ve got a strong and memorable password! So you could add the year of their last premiership, to end up with CfAsP2010.
If you then change this password every 6 months, you’ll be far less likely to experience a breach on account of poor password etiquette.
It’s these small steps, like being conscious of the password that you use every day, or cautious of the attachments and links that you click on, that prevent your becoming a cyber incident statistic.
Going into 2019, use the four STOP principles to both identify your crown jewels and protect them.
For more information about STOP and Cyber Aware, visit sme.cyberaware.com
Jonathan Horne has been building, running and selling online businesses since he walked out of the school gate. Over the last 15 years he has built some of Australia’s most trusted brands, servicing small local businesses, right through to some of the biggest brands in the world. Seeing a multi-million dollar competitor go out of business due to a cyber incident gave him a sharp focus on making his business more secure and making cyber security easy for other businesses. From this experience grew CyberAware.com, which removes the technical jargon and complexity from cyber security and helps businesses navigate the daunting task of securing their business and educating staff.