The Definitive Cyber Security Guide for Small to Medium Businesses
On the surface, cyber security has a pretty obvious definition: the practice of building, maintaining and ensuring the protection of your network, devices, software or data (or all of the above) from cyber attack. Fairly self-explanatory, right? However, one of the problematic factors of cyber security is that the risks and attacks are forever evolving, and at such a rapid rate that the fundamental elements of your cyber security also have to evolve, update and keep pace with the potential attacks. So cyber security itself is always changing and growing. Cyber security means not relying on Windows Defender to catch everything for you; it means controlling physical access to hardware and systems, not just network access. It’s a whole myriad of elements, from personally understanding the nature of cyber attacks, to identifying your specific vulnerabilities, to rolling out a framework for cyber security management. Cyber security is no longer simply the domain of your sysadmin; it falls on every employee’s shoulders to uphold and maintain the integrity and security of your organisation.
Why Does It Matter?
As long as computers, networks and the Internet have been around, cyber security has existed to some degree. However, in this advancing technological age, with iPhones galore, cloud services holding all of our data and the fast-growing Internet of Things (IoT) that has our fridges talking to our cars, cyber security has become more critical and increasingly relevant. Without cyber security, we subject ourselves to attacks that compromise critical information or crash critical systems. Business is now conducted entirely in the digital sphere: financial transactions, identity registration, and any kind of sensitive, world-changing, life-saving data you can imagine is all subject to attack. Our society has more or less progressed to managing our entire lives online in some form or another, meaning that the need for high-level cyber security is greater than ever.
You may fall into the trap of dismissing the need for cyber security in your own corner of the cloud, but cyber security is not merely a tool for the Pentagon to protect national secrets. Given the difficulty in policing cyber criminals, and the enticing financial gain to be had (hint: attackers aren’t doing this for a little bit of pocket money), cybercrime has grown at an enormously fast rate in the last few years and continues to grow. The Australian Cyber Security Centre (ACSC) released its 2017 Threat Report, stating that it had identified 47,000 cyber incidents over the previous financial year, marking a 15% increase in cyber crime in one year alone.
More to the point, 56% of all reported cyber incidents in the private sector were due to a compromised system. This is all to hammer it in: everyone is at risk, a cyber attack will eventually come, and when it does, it is most often due to a flaw in one’s cyber security system.
Fallout of a Cyber Attack
Falling prey to a cyber attack is a significant blow to any business, a blow that constitutes not just a real financial cost, but also a hit to your integrity and reputation. The following days and weeks will be slammed with a loss of continuity and productivity in the business, as you deal with the breach caused by the attack. Let’s break down the different ways in which your business is impacted by a cyber attack.
Financial Loss: Due to the nature of something like a virtual data breach, it’s easy to fall into the trap of not framing the cost in real financial terms. However, there is a very tangible cost to cyber attacks like these when you consider that, in the aftermath of an attack, you are paying for investigation and security audits, and possibly for PR and legal costs to manage your customer base, issue statements and manage your public image. You’re paying for staff to write time-consuming correspondence to all affected parties, and to reinforce your security perimeter, addressing any exploited vulnerabilities.
All said, in Australia, the total average cost of a data breach is approximately $2.51 million! This is a hugely significant number to take into account when considering your cyber security needs.
Reputation Damage: When your system is breached, and you send that sheepish email notifying your client base that their private data has been stolen (their private, financial, personally identifying information that is), your carefully crafted image is broken. Your integrity is shot, and you know it doesn’t matter that it wasn’t your fault. They trusted you, and now their information is compromised. You may take every possible step at that point to bolster your security like Fort Knox, but the damage has been done. Why should they continue to put trust in your business at this point? The answer is that they simply may no longer choose to do so. To recover your reputation at this point is going to cost you a significant amount of time and money. Best to think of your business as a shoebox full of incredibly embarrassing photos and love notes from your teenage years; protect it at all costs, and never let its contents see the light of day.
Productivity: An obvious impact to take into account with any cyber attack is the loss of productivity. With heavy disruptions to normal business activity, your business would see a significant drop in productivity. Halting sales and shipments, and performing ongoing investigations to determine the extent of the breach and how to lock down the security perimeter, all take time and money away from the business, creating a significant loss in productivity and momentum. Consider what profit margins would have been in the time that is now spent managing the fallout, plus the general ramp-up back to optimal productivity, and you’re looking at another critical impact on your business.
Business Continuity: Business continuity is a critical part of minimising the impact of a data breach. Having real business continuity management in place is proven to reduce the time taken to identify and contain a breach and therefore reduce the overall cost to the business. A business continuity management plan ensures you have all the framework in place to immediately respond to an attack and contain the breach, making the overall fallout to you and your business much less severe and costly than it would otherwise be. You have everything backed up, and are able to retrieve any destroyed data in the case of something like a ransomware attack.
In what ways can your business be vulnerable to cyber attack? It’s important to familiarise yourself with the potential ways in which you could be exposed. A cyber vulnerability is the intersection of three factors: a weakness in the system, an attacker’s access to said weakness, and their ability to exploit it. There are so many ways in which your system could be vulnerable, but for the sake of succinctness, we’ll stick with the five most common weaknesses:
Injection
This type of weakness has a very high success rate of exploitation despite the relative simplicity of detecting it. An injection vulnerability can occur in any application that allows the user to input a query that communicates with a back-end database, SQL being the most common. This essentially allows the attacker to bypass the intended functionality of the application and execute a malicious query to access sensitive information. This type of weakness/attack is well known and understood, but analysing the code to find an obscure exploitable command can be difficult; the needle in the proverbial haystack, so to speak. In the example of an SQL injection, the attacker can input a malicious command or query that alters the course of execution and could cause the program to retrieve and dump sensitive data into the unauthorised hands of the attacker.
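The mechanism described above, shown side by side with its fix, as an added example that is not part of the original guide: a lookup that pastes user input into the SQL text versus the same lookup using a bound parameter. The table and rows are constructed sample data, and the query runs against an in-memory SQLite database so it can be tried offline.

```python
import sqlite3

# Constructed sample data: a tiny customer table (not real records).
SAMPLE_ROWS = [
    (1, "alice@example.com", "Alice"),
    (2, "bob@example.com", "Bob"),
    (3, "carol@example.com", "Carol"),
]


def make_db() -> sqlite3.Connection:
    """Build the in-memory database that both lookups below run against."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, email TEXT, name TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    """The flaw: user input is spliced straight into the SQL string, so the
    input can change the *structure* of the query rather than just its data."""
    sql = "SELECT id, email, name FROM customers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn: sqlite3.Connection, email: str) -> list:
    """The fix: the query shape is fixed and the driver binds the value
    separately, so whatever the user typed is compared as a plain string."""
    sql = "SELECT id, email, name FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


def demo() -> dict:
    """Run both lookups with a normal value and with the classic tautology
    that closes the quote and appends an always-true condition."""
    conn = make_db()
    normal = "bob@example.com"
    hostile = "x' OR '1'='1"
    return {
        "vuln_normal": len(lookup_vulnerable(conn, normal)),        # 1 row
        "vuln_hostile": len(lookup_vulnerable(conn, hostile)),      # whole table dumped
        "safe_normal": len(lookup_parameterised(conn, normal)),     # 1 row
        "safe_hostile": len(lookup_parameterised(conn, hostile)),   # no such email: 0 rows
    }


if __name__ == "__main__":
    print(demo())
```

The "vuln_hostile" count equal to the table size is exactly the data dump the paragraph warns about; the parameterised version treats the same input as an email address that simply does not exist.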
Buffer Overflow
A buffer overflow vulnerability is a common weakness that exists in many applications; it is frequently present in operating system code, for example. While buffer space and memory layout are generally well-defined, sometimes anomalies occur where too much data is input into the buffer space, causing the ‘overflow’. It is in this overflow space that an attacker has an opportunity to enter malicious executable code and potentially gain access and privileges to the computer’s resources. In the case of an attack, the attacker will deliberately submit input to a program that is far too large for the buffer space, triggering the overflow flaw. Modern operating systems now have techniques to minimise these buffer overflow attacks, notably by randomising the memory layout and creating additional space between buffers.
Sensitive Data Exposure
This one is a little more self-explanatory. Sensitive Data Exposure occurs when an application does not sufficiently protect sensitive information from being disclosed to attackers. The attacker could, for example, intercept the data between a server and a browser with what is creatively known as a Man-In-The-Middle attack. The biggest flaws that create this susceptibility are the lack of encryption, as well as weak key generation and algorithms. 68% of the top 100 apps in the Google Play store don’t check server certificates and 77% would ignore SSL errors (https://www.kb.cert.org/vuls/id/1680209). This is a vulnerability that can be proactively minimised by locking down security procedures and encrypting data. A well-known example of this type is the Ashley Madison attack, where millions of adulterous users had their names and information exposed.
Broken Authentication & Session Management
Remember me? That little check box you tick when logging in, to save you the hassle of trying to remember the password for each site you use? This function is affected by this type of vulnerability, along with password management, timeouts, secret questions and logouts. This type of flaw is difficult to eliminate due to the variety and number of authentication methods employed by each user and the multiple ways an attacker can bypass authentication mechanisms. They could, for example, use the aforementioned injection attack to retrieve a session identifier, or reuse an already-used session token and then, say, access your online banking, because they’ve tricked the server into thinking you never logged out. Yikes.
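The server-side controls that close the gap just described (a token that keeps working after logout, or that never times out), as an added example rather than anything from the original guide. Tokens come from the OS random source, die after an idle period, are destroyed on logout, and are rotated on re-authentication; the 15-minute idle timeout and the injectable clock are assumptions made for the demonstration.

```python
import secrets
import time
from typing import Callable, Dict, Optional

IDLE_TIMEOUT = 15 * 60  # seconds of inactivity before a session dies (assumed policy)


class SessionStore:
    """Server-side session table. A token is only as good as the server's
    record of it: once removed here, a captured or replayed copy is useless."""

    def __init__(self, clock: Callable[[], float] = time.time,
                 idle_timeout: int = IDLE_TIMEOUT) -> None:
        self._clock = clock            # injectable so expiry can be tested offline
        self._idle_timeout = idle_timeout
        self._sessions: Dict[str, dict] = {}  # token -> {"user": str, "last_seen": float}

    def login(self, user: str) -> str:
        # 256-bit token from the OS CSPRNG; never derived from the username or time.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"user": user, "last_seen": self._clock()}
        return token

    def user_for(self, token: str) -> Optional[str]:
        """Return the user bound to a live token, or None if the token is
        unknown, has been logged out, or sat idle past the timeout."""
        entry = self._sessions.get(token)
        if entry is None:
            return None
        now = self._clock()
        if now - entry["last_seen"] > self._idle_timeout:
            del self._sessions[token]  # expire it; do not leave dead tokens lying around
            return None
        entry["last_seen"] = now       # sliding window: activity extends the session
        return entry["user"]

    def logout(self, token: str) -> None:
        """Destroy the server-side record, so 'remember me' or a stolen copy
        cannot resurrect the session."""
        self._sessions.pop(token, None)

    def reauthenticate(self, token: str) -> Optional[str]:
        """Issue a fresh identifier after a privilege change (e.g. re-login) and
        retire the old one, so a token obtained earlier cannot be carried into
        the new, more privileged session."""
        user = self.user_for(token)
        if user is None:
            return None
        self.logout(token)
        return self.login(user)


def demo() -> dict:
    """Walk through the lifecycle with a fake clock so the timeout is observable."""
    clock = [1_000_000.0]
    store = SessionStore(clock=lambda: clock[0], idle_timeout=60)

    tok = store.login("alice")
    results = {"live": store.user_for(tok)}
    store.logout(tok)
    results["reused_after_logout"] = store.user_for(tok)  # the replay the text warns about

    tok2 = store.login("alice")
    clock[0] += 61                                        # sit idle past the timeout
    results["after_idle"] = store.user_for(tok2)

    tok3 = store.login("alice")
    tok4 = store.reauthenticate(tok3)
    results["old_after_rotate"] = store.user_for(tok3)
    results["new_after_rotate"] = store.user_for(tok4)
    return results


if __name__ == "__main__":
    print(demo())
```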
Security Misconfiguration
This type of flaw is possibly the most common and dangerous of all. Some examples of security misconfiguration flaws include: running outdated software, applications running in debug mode, running unnecessary services on the system, not changing factory settings (e.g. default passwords), and incorrect exception handling that allows system information to be disclosed to attackers. An attacker is easily able to identify systems that are not running properly configured or updated software, thanks to some ethically dubious products available on the market. Now, with the advent of the Internet of Things, you also have appliances that accept connections using default keys, allowing an attacker to establish an unauthorised connection to the device and go from there.
Now that we’ve covered the common types of cyber vulnerabilities, the next issue is: how do you identify them? How do you assess whether you are exposed in this way? Luckily, there are software tools created for exactly this purpose (thank you Symantec, Trend Micro, and NetIQ, amongst others). But bear in mind that it’s unwise to simply rely on a piece of software to handle all your risk assessment for you. A truly thorough risk assessment should involve a comprehensive protocol alongside the specialised software, one that doesn’t just identify, but also analyses, evaluates and manages all vulnerabilities in a structured manner.
When we think of cyber security and data breaches, we think of some basement-dwelling troll hacking into our system using some kind of worm injection attack, but it’s critical to acknowledge possibly the biggest cause of a data breach or compromised system: human error. Whether it’s a trusted insider, a third-party contractor, vendor, or temporary worker, you’ve always got plenty of privileged users with access to your data, who are not infallible and who need to understand the seriousness of locking down the cyber security perimeter. It’s not just a matter for the IT department; it’s something that all members of an organisation can contribute to. Research shows that many senior-ranking members of organisations (board members and senior executives) are almost completely unaware of security necessities and lack a fundamental understanding of the importance of securing data. For all the technical risks and threat assessments, it’s all for naught if your Senior VP doesn’t bother to secure any sensitive information, right?
Regardless of your current cyber security status, the best thing you can always do for yourself and your business is to be involved. Learn about and understand the current state of security, actively screen potential vendors or third-parties, be engaged with the whole process of protecting your business. Following that, these steps are a great guide to follow for identifying cyber vulnerabilities and consequently resolving them:
- Understand the actual business process. Where does sensitive information enter into it? Which parts require regulation compliance? Are you managing customer privacy?
- Once you’ve got a handle on the business process, determine what programs, software or applications are processing these functions. Where is the information being entered or passed through? You can see how this aspect presents a potential vulnerability!
- Don’t forget to include all mobile devices, laptops, tablets, and desktop PCs that all interact with the system or program that funnels your data. For example, if you’re using a system like Office 365, employees are able to access private information on their device anywhere, anytime.
- Dig down a level now, and see what’s happening underneath that. What sort of hardware is supporting these devices and programs? We’re talking stuff like servers and data storage devices.
- What is the network infrastructure connecting it all? What sort of routers and network devices are being used to transmit this data between servers and users?
- What are the existing security controls in place? What are your cyber security policies, do you have firewalls, do you use VPNs, what about encryption? Understand what these all are and in what ways they protect your business.
- Once you’ve got a handle on all of the above, it’s time to run vulnerability scans using a specialised cyber security program. At this point you should have a good understanding of your current security status, where your potential weak points are going to be, and what points you want to reinforce. This allows the vulnerability scanning and security patching to be much more effective. Skipping these previous steps is like asking your doctor to just diagnose why you don’t feel good without providing him the information about what, when, or how it hurts. Your understanding and outline will provide important information to help security specialists identify exactly what needs doing.
- Put the results in context. Is the scan highlighting vulnerabilities you have already reinforced? Or is it a minor outlying weakness that is not terribly urgent? Triage the points highlighted by the scan and determine your priorities. Can you do this yourself, or is it time to bring in someone to review and fix the issues you’ve now highlighted?
Strategies For Resolution
After you’ve identified your cyber vulnerabilities, or are at risk of a data breach, it’s important to have a strategic approach to handling the weakness(es) and locking down your security perimeter to avoid any incidents. As mentioned above, you need to review the results of your security scan within the context of your business. Your scanner may identify a vulnerability within some fairly critical and sensitive processes, which indicates you need to address it immediately. However, if it identifies vulnerabilities in parts of your system that are not frequently accessed, or that are already part of a protected infrastructure, you may push these down the priority ladder.
This is the point at which it is recommended to hire an external service to review your security and conduct penetration testing. This type of service will test your security measures and attempt to access the weak points that an attacker would hypothetically exploit. While you’ve already predetermined your weaknesses and the areas that need shoring up, the penetration tester will really put these assumptions to the test and determine whether your existing security measures are enough.
Being part of the security process of your own business is critical, but at this point in the examination process, you are too close to give it the objective eye it needs. Security testers will conduct the evaluation you need to consider all aspects of your security, possible weak points you hadn’t considered, and what parts you would need to focus on in the future.
Types of Cyber Attacks
What type of threats should you anticipate with regards to these weaknesses? Attacks can come in several different forms and while this information can be overwhelming, as long as your vulnerable points are addressed, you’ve already done the important part. Part of taking a proactive role in the security of your business does mean being somewhat knowledgeable about the types of attacks you could be subject to, however. Arming yourself with this information means you’ll be more likely to recognise phishing scams, or the signs of malware in your system. The following types of cyber attacks are among the most common:
- Malware: Malware is somewhat of an umbrella term that includes trojans, worms, spyware, ransomware and viruses. It can basically be defined as a malicious code or software with the intent to corrupt or steal something on your system. It is often introduced to the system through an email attachment or an unsafe download, sometimes attached to a frequently used and trusted website to get you to allow the malware through your anti-virus software.
- Phishing: Phishing attacks are often sent by email, appearing to come from a trusted source, and will usually get you to click a link and then enter or “confirm” some personal information. It could be posing as your bank, asking you to ‘verify’ your password by clicking on a link. These are usually pretty easy to spot, but they have definitely grown more sophisticated in recent years and closely resemble official emails from parties like Apple or PayPal. A tried and true method for avoiding these traps is to remember that your bank or any other trusted site will never make such requests via email, and to never click the link. If in doubt, go directly to the website in your browser and log in from the trusted site address. A great security measure to counter phishing attacks is to ensure your system has two-factor authentication for logons, meaning that a username and password will never be enough to gain access to the system. Checkmate, phisherman.
- Distributed Denial of Service (DDoS): This attack is focused on disrupting service to your network. Attackers send high volumes of data or traffic through the network until the network becomes too congested and can no longer function. Attackers will usually use multiple computers to send the traffic or data (hence distributed) and in many cases, a user may not even realise that their computer has been hijacked to participate in a DDoS attack. These attacks primarily target huge companies, often in protest towards governments or individuals.
- Man in the Middle: We briefly mentioned this one earlier when discussing Sensitive Data Exposure. The way this works is by impersonating the endpoints in an online data exchange, for example between your computer and your online banking website. The ‘man in the middle’ impersonates the bank to communicate with you, and impersonates you to communicate with the bank, and therefore receives all the information travelling between the two, gaining access to sensitive information. If you’re using an encrypted wireless access point, and ensuring the websites you connect to use an HTTPS connection, you’re far less likely to be targeted by this attack.
- Rogue Software: Rogue software is another type of malware, but has a key difference that is important to note. Rogue Software will disguise itself as critical security software that will keep your system safe. By creating legitimate looking pop-ups and alerts, often masquerading as updates to existing security software, or terms of service agreements, users are tricked into allowing the software to download and gain access to their system.
- Brute Force Attack: This could also be classed as a password attack. The brute force attack is fairly self-explanatory in nature. Instead of attempting to trick the user into allowing malware through, or finding a backdoor into the system, the brute force method employs an algorithm or software that will literally try to guess the password. The algorithm will run through hundreds of thousands of different word and number combinations, sometimes even comparing against a dictionary of likely words. This is why it’s so important to create a strong password, including upper and lower-case letters, numbers, and symbols, as well as to change it on a regular basis.
- Watering Hole Attack: This is a strategy for delivering malware in which the victim is a particular group (like an organisation or an industry). In this type of attack, the attacker will predict or deduce a website or websites that are frequently used by members of the group and infect them with malware. Eventually, a member of the group will fall prey to the malware, and from there the attacker gains access to the whole network. The nature of this type of attack makes it extremely difficult to trace, given the large number of users who were exposed to the infected site. The name is derived from real-world predators, which often lurk by watering holes where large groups of prey tend to congregate in order to make a successful attack.
- Ransomware: This type of malware is self-explanatory. Ransomware is a type of malicious software that will effectively hold the victim’s data hostage in exchange for a ransom. The data is encrypted and completely inaccessible without the decryption key, and the attacker may threaten to completely destroy the data if their ransom demands are not met. Ransoms are paid in cryptocurrency, which is incredibly difficult to trace, meaning most perpetrators are not prosecuted. Ransomware attacks are often carried out using a trojan, exploiting a cyber vulnerability, proving yet again that ensuring your cyber security is critical for your business.
- Social Media Threats: Not even our beloved Facebook is safe from cybercrime. Social media platforms like Facebook, Twitter, or LinkedIn are being used to deliver cyber attacks, often by exploiting broken authentication and stealing login credentials, or through phishing attacks. Once logged into Facebook, you could be offered an application download, or a rogue friend request, and you should absolutely be wary of them. Facebook is integrated so thoroughly into all aspects of our online life; it’s incredibly common to use your Facebook login for countless sites and apps, so giving up your social media security could mean so much more than just access to your friends list.
- Unpatched Software: Unpatched applications and programs present a real vulnerability that can be exploited for attack. Consider browser add-ons and programs like Adobe Reader or Flash, which you frequently use without thinking, to make your online experience smoother. These programs often have regular updates; it’s important to ensure you apply them to reduce your risk of attack.
Cyber Security Best Practice
While we’ve covered ways to identify key vulnerabilities, and ways in which you could be targeted for an attack, there are a few key practices you should be employing to proactively minimise your risk of an attack. The Australian Signals Directorate has published a list of strategies to follow that will help mitigate any chance of an incident. They call these the ‘Essential Eight’:
- Application Whitelisting: By white-listing your approved applications and programs, you automatically prevent the execution of untrustworthy or potentially malicious programs that don’t make the cut.
- Patching Applications: Keep your applications up to date (e.g. Flash, browsers, Java, MS Office and PDF viewers). Programs that are not kept totally up to date present a security vulnerability that can be exploited for attack.
- Configuring Microsoft Office macro settings: Configure these settings to block macros from being executed from the internet, barring the ones you have vetted to be safe (usually with a trusted certificate). These macros are able to deliver malware.
- Application Hardening: Configure your web browsers to block applications like Flash, ads, and Java. You can also disable unnecessary features in MS Office like OLE (embedded links in documents). These applications are popular ways to deliver and execute malicious code.
- Restricting administration privileges: Control access and privileges based on user duties. Frequently revise and update privileges as roles evolve and change. Don’t use privileged accounts for accessing email or web browsing. If an attacker manages to infiltrate a system via the user’s browser (e.g. through Flash), no privileged account will be compromised, as such accounts are kept away from browser activity.
- Patching operating systems: Same concept as patching applications; it is vital to keep your operating systems up to date, including those on network devices. Always use the latest operating system version, as many updates are made to patch security vulnerabilities that you don’t want to be exposed to.
- Multi-factor authentication: We covered this briefly under phishing attacks, but using strong two- (or multi-) factor authentication will make it incredibly difficult for any attacker to access sensitive information or accounts. Even if they get hold of a password, it’s useless without the additional verification. Apply this stronger authentication any time a user has to gain access to privileged data, accounts, VPNs or remote access.
- Daily Backups: By keeping your system frequently and securely backed up, you’re insuring yourself against any cyber attack in which your system or data becomes compromised or destroyed. Backups should include any new or changed data, software and configuration settings; they should be stored disconnected from your system, and retained for at least three months. Test them regularly to ensure you are able to successfully restore system information after an incident.
Cyber Security Framework & Guidelines
Things get a bit technical here but we’ll try not to get too bogged down in the jargon. There are set frameworks and guidelines in place you can follow to maintain cyber security compliance, like a checklist for hitting all the right steps to secure your network. Bear in mind that many of these frameworks are developed and used in the US but can assist you to develop the right approach for your website. On this side of the pond however, we have the Australian Cyber Security Centre (ACSC). The ACSC is a fairly new collaborative organisation the Australian Government has pieced together from existing federal agencies with the sole aim of bolstering the security of Australian networks. The ACSC has put out multiple documents outlining important cyber strategies and threats to watch out for, though their Cyber Strategy document refers to the overall Government strategy and action plan for strengthening Australian cyber security in general. Not super helpful for the individual or business, but overall it’s good news for everyone as it means our government is committed to providing better support and increasing resources to combat cyber attacks.
What is a Cyber Security Framework?
Frameworks are simply a set of documented processes used to define policies and procedures around the implementation and ongoing management of information security. Think of it as a template for your organisation’s cyber security. There are multiple organisations that publish and maintain different frameworks as well, though when you first start digging, you’ll mostly find US-based guidelines that aren’t recognised in Australia. Not so helpful, but we’ll steer you in the direction of some more useful framework resources. Here are a few resources and guidelines out there for Australian businesses and individuals to refer to:
Information Security Manual by ASD
This manual is divided into multiple parts, but you can mostly benefit from referring to Principles and Controls. This set of guidelines describes the compliance standards expected of Australian government agencies, but much of it is non-specific in its approach, meaning it can be applied to private business and websites as well. It’s broken down into manageable sections and is a useful guide for understanding Australian expected standards of cyber security management. This guide is based on a risk-management approach, which allows for flexibility with regard to different environments and priorities. Overall, this means that you apply fundamental risk management principles to your information security, and adopt a proper risk management process.
FIRST
FIRST (Forum of Incident Response and Security Teams) is a collective organisation of response teams that handle computer security incidents and promote incident prevention programs. They have their own publication of standards, and a Best Practice Guide which details all the steps recommended to best protect your website from incidents. FIRST contributes to external standards bodies like ISO, which lends a great deal of credibility to the organisation, and they have a clear layout of their own standards that is easy to find and follow.
NIST
NIST (National Institute of Standards and Technology) is a U.S. agency established to provide industry standardisation and measurement solutions. Their cyber security framework also adopts a risk-management approach, and is composed of three parts. Between them, these parts cover industry standards, guidelines, cyber security activities and the greater context for how an organisation should view cyber security risks. Remember, this is a U.S.-based framework, but there is no reason the steps and guidelines in it cannot be useful to an Australian-based business.
RACGP
RACGP, you may be surprised to discover, stands for none other than the Royal Australian College of General Practitioners. They have published a set of standards that are applicable to all general practices, and other office-based practices. This is probably not where you expected to find a comprehensive set of cyber security standards, but it makes sense really. Doctors have to protect patient information, especially in this era of electronic practice management, where patient files are no longer stored in an ancient metallic filing cabinet, but everything is done on the computer. This set of standards doesn’t only focus on risk assessment, but also managing availability of information, with backup processes, business continuity and recovery planning, and access management.
Yes, that CPA, is also extremely on board with information security for obvious reasons. They have published an array of articles and even webinars focusing on the best ways to secure and protect your information. Their document IT Checklist covers the whole range of topics on IT system management and cyber security, focusing on a similar approach to the ACSC’s ‘Essential Eight’ steps for security management. Not as technical as the former frameworks perhaps, but this is an excellent starting point for any small business looking into making a solid cyber security foundation.
The International Organization for Standardization (ISO) does seem to be the place to go when looking for a set of cyber security standards for your business. ISO 27001 focuses on information security management systems, and is an extremely detailed document covering all aspects of information security, from establishing a management system through implementation, maintenance and improvement. This ISO document advocates the same holistic approach we discussed earlier, where cyber security is a duty integrated into all aspects of an organisation, not just the IT department.
CERT Australia is the national computer emergency response team. They primarily provide advice and support on cyber threats and vulnerabilities, offering guidelines and advice on how to mitigate cyber threats, as well as monitoring cyber incidents. They have developed a remote access protocol that can be implemented into your cyber security framework, a guide to developing an incident response plan and a document on the top control systems tips that can be cheaply and easily implemented.
The Protective Security Policy Framework is a dedicated set of policies and protocols providing guidance to protect assets and information. It covers all types of security protocol, but it does include a dedicated document for information security management. This set of protocols was developed by the Australian government for government agencies but, again, it can provide tools and guidelines that a private organisation can use.
Notifiable Data Breaches Scheme
The Notifiable Data Breaches Scheme is legislation that only recently came into effect, on February 22, 2018. The NDB Scheme introduced an obligation to notify individuals whose personal information is involved in a data breach that is likely to result in serious harm. This notification must also include recommendations about the steps individuals should take in response to the breach. The Australian Information Commissioner must also be notified of eligible data breaches.
The NDB scheme applies to agencies and organisations that the Privacy Act requires to take steps to secure certain categories of personal information. This includes Australian Government agencies, businesses and not-for-profit organisations with an annual turnover of $3 million or more, credit reporting bodies, health service providers, and TFN recipients, among others. Check with the Office of the Australian Information Commissioner whether your organisation falls under this scheme.
The NDB scheme only applies to data breaches involving personal information that are likely to result in serious harm to any individual affected. The Office of the Australian Information Commissioner publishes guidance on which breaches are considered eligible under this act.
Let’s say the worst comes to pass, and despite all your best efforts to secure your information and networks, some malicious troll gains access and compromises the security of your data. Enter: Cyber insurance. Cyber insurance can provide your business with an added layer of assurance in the case of a cyber incident. It can’t protect you from a cyber attack, but the insurance can cover the costs of investigations, customer notification, credit monitoring, public relations, legal costs, compensation, loss of revenue and more. It’s best to investigate the type of risks that are covered, and determine what risks apply to your organisation to find a fit for you. Realise also that while insurance is great to help manage the financial cost of an attack, it cannot recover the loss of intellectual property or prevent any reputation damage incurred as a result of a data breach. Cyber insurance is still a new type of coverage offered by third-party insurers, so coverage and premiums are not exactly flexible. Your best bet is still to minimise the risk of any incidents from the inside and hope you never actually need the insurance.
It’s not just large corporations that are affected by cybercrime, though it’s natural to feel that they are the main targets of attacks. To a hacker, any data is valuable, and a smaller business may be easier to compromise, making smaller organisations just as much of a target for cyber attack. According to the Ponemon Institute study on the Cost of Data Breaches, an Australian business will have to foot an average cost of close to $50,000 for a data breach! For a smaller business, this kind of cost can be devastating, so it’s worth researching and considering whether a cyber insurance policy could be right for you.
Case Study: PageUp
PageUp is a medium-sized Australian company that provides cloud-based HR management software, and currently serves clients all over the world. Recently they suffered a security breach, and we have been able to watch this play out in almost real time thanks to PageUp’s transparency and responsiveness.
What Happened: On May 23, PageUp detected unusual, unauthorised activity on their IT infrastructure, and immediately took the initiative to launch a forensic investigation. It appeared that malicious code had been executed within PageUp’s systems.
First Response: PageUp’s response was to launch an investigation immediately with the assistance of a third-party cyber security organisation, and to advise Australian regulatory bodies in keeping with the Notifiable Data Breaches Scheme. By May 28, they had found indications that client data had been compromised. On June 5, the CEO released an announcement advising of the potential breach and the ensuing investigation. PageUp was very proactive and forthcoming with information to all regulatory bodies, but most importantly, to their clients.
Ongoing Communication: PageUp continued to keep their clients and the public informed with progress updates. On June 12, the CEO posted another update confirming that they had contained the breach and secured their site. They advised that their site had no further threats and was safe to continue using, but that they had identified that some types of personal data had been accessed, and they listed specifically what information had potentially been compromised.
Further Action: Aside from launching a forensic investigation, PageUp contacted the Australian Cyber Security Centre (ACSC), the Australian Federal Police, and Australia’s Computer Emergency Response Team (CERT) to advise them of the incident and seek support. On June 17, they posted another update advising that they had liaised with the Office of the Australian Information Commissioner (OAIC). PageUp also offers steps and suggestions on what individuals can do from home to further insulate themselves from cyber risk, namely changing passwords, enabling multi-factor authentication, and so on.
Resolution: Due to this incident being so recent, PageUp are still conducting their ongoing investigation to determine the extent of the breach and which records were affected. On June 19, they shared another update; the ACSC, the Office of the Australian Information Commissioner and IDCare released a joint statement on the issue.
Conclusion: PageUp is a business with several high-profile clients (Telstra, Reserve Bank of Australia, Coles, ABC and Australia Post, to name a few), so it’s highly likely they already had a business continuity plan in place, given how quickly they responded to the suspicious activity. They opted for a route of transparency, openness and consistent communication with all their clients, as well as the public, which goes a long way to easing the concerns of skittish clients and preserving their reputation. The incident with PageUp demonstrates the need for a well-established response plan, and the benefit of being open about an incident rather than sweeping it under the rug. This transparency and regular communication shows your clients that you have integrity and are committed to securing the information they’ve trusted you with. It shows that you are serious about cyber security and understand the negative impact that a data breach can have.
Cyber Security Essentials Questionnaire
Read the following questions in order to assess your current cyber security status at a glance, and determine if you have covered the following essential steps to protect your business.
- Does your organisation have cyber security policies and procedures in place?
- Does your organisation protect all sensitive information in transit (i.e. with encryption, such as SSL/TLS)?
- Are all devices protected from the internet by a firewall?
- Does your organisation have designated cyber security personnel and/or a cyber incident response team?
- Does your organisation have a cyber security user education and awareness program?
- Does your organisation perform cyber security audits annually?
- Are all users with access to devices containing or processing sensitive information required to use a unique username and complex password to access these systems?
- Do all devices with access to sensitive information have access control configured? (i.e. users are granted access only to the data they require)
- Do all devices with access to sensitive information get scanned for vulnerabilities on a regular basis?
- Are those vulnerabilities being treated in risk-based priority order? (i.e. the most urgent vulnerabilities are treated first)
- Are all laptop and mobile devices encrypted and password protected?
- Do all mobile devices with access to sensitive information have mobile device management with the ability to remotely wipe the device?
- Does your organisation require two-factor authentication for remote access?
- Does your organisation have a Business Continuity Plan, and if so, does it include backup and recovery procedures for all virtual systems?
- Are all administrative accounts only permitted to perform administrator activity, with no access to internet or external email?
If you can confirm your organisation has these fifteen steps covered, then you’ve definitely covered the basic essentials. Of course, this is not all you need to protect your business, but it’s a good foundation. Continue to analyse and audit your systems regularly, and follow the investigative steps we listed earlier to make sure you’ve got all your bases covered.
Other Cyber Security Resources
Australian Cybercrime Online Reporting Network
ACORN is a national policing initiative of the Commonwealth, State and Territory governments. It is a national online system that allows the public to securely report instances of cybercrime.
National Identity & Cyber Support
A not-for-profit Australian charity that was formed to address a critical support gap for individuals confronting identity and cyber security concerns.
Australian Cyber Security Centre
An important Australian Government initiative to ensure that Australian networks are amongst the hardest in the world to compromise.
Australian Signals Directorate
An intelligence agency in the Australian Government Department of Defence with a focus on information security.
Computer Emergency Response Team
CERT is the primary government contact point for major Australian businesses to receive and respond to cyber security incident reports.