The Definitive Cyber Security Guide for Small to Medium Businesses
Cyber Security in a Nutshell
On the surface, cyber security has a pretty clear definition. It is the practice of building and maintaining protection for your networks, devices and data against cyber attack. Fairly self-explanatory, right? However, one of the problematic factors of cyber security is that the risks and attacks are forever changing. Cyber attacks are evolving at such a rapid rate that the elements of your cyber security also have to evolve to keep pace. So cyber security itself is always changing and growing.
Cyber security means not relying on Windows Defender to catch everything for you. It means controlling physical access to hardware and systems, not just network access. It’s a myriad of elements from understanding the nature of attacks, to rolling out a framework for cyber security management. Cyber security is no longer simply the domain of your sysadmin. It falls on every employee’s shoulders to uphold and maintain the integrity and security of your organisation.
Why Should I Care About Cyber Security?
Cyber security has existed in some form or another as long as computers, networks and the Internet have been around. In this advancing technological age, cyber security has become increasingly critical and relevant. We have smart devices galore, and cloud services holding all of our data. The Internet of Things has our fridges talking to our cars, and our phones talking to our TVs. Without cyber security, we leave ourselves open to attack, whether that means compromising critical information or crashing critical systems.
Many businesses are now conducted entirely in the digital sphere. This means financial transactions, identity management and life-saving data are all subject to attack. Our society has more or less progressed to managing our entire lives online in some form or another. Consequently, the need for high level cyber security is greater than ever.
It Could Happen to You!
You may fall into the trap of dismissing the need for cyber security in your own corner of the cloud. However, cyber security is not merely a tool for the Pentagon to protect national secrets. Cyber crime has grown at an enormously fast rate in the last few years and continues to grow. This is partly due to the difficulty in policing cyber criminals, and the enticing financial gain to be had. The Australian Cyber Security Centre (ACSC) reported in its 2017 Threat Report that it had identified 47,000 cyber incidents over the previous financial year, marking a 15% increase in cyber crime in one year alone.
Most importantly, 56% of all reported cyber incidents in the private sector were due to a compromised system. Make no mistake: everyone is at risk of data breaches, and most data breaches or attacks can be traced back to a flaw in your cyber security system.
Fallout of a Cyber Attack
Falling prey to a cyber attack is a significant blow to any business. Such a blow constitutes not just a real financial cost, but also hits your integrity and reputation. The following days and weeks will be slammed with a loss of continuity and productivity, all while you try to deal with the breach caused by the attack. Let’s break down the different ways in which your business is impacted by a cyber attack.
Business owners find it easy to fall into the trap of ignoring the real financial cost of a virtual data breach. You may not frame the damage in terms of an actual monetary cost, due to its intangible nature. However, there is a very real cost to cyber attacks like these. Consider that in the aftermath of an attack, you have to pay for investigation and security audits. There are PR and legal costs to consider, and managing your public image. You’re paying for staff to write time-consuming correspondence to affected parties, to reinforce your security perimeter, and to address any exploited vulnerabilities.
Furthermore, in Australia, the total average cost of a data breach is approximately $2.51 million! This is a hugely significant number to take into account when considering your cyber security needs.
When your system is breached, you risk breaking your carefully crafted public image. You send that sheepish email notifying your client base that their private data has been stolen. Their private, financial, personally identifying information that is. They trusted you, and now their information is compromised. You may take every step at that point to turn your network into Fort Knox, but the damage has been done. Even more, why should they continue to put trust in your business at this point? You’ll need to pour a significant amount of time and money into this disaster in order to recover your reputation. You should think of your data as a shoebox full of embarrassing photos and love notes from your teenage years. Protect it at all costs, and never let its contents see the light of day.
An obvious impact to take into account with any cyber attack is the loss of productivity. You will experience a significant drop in productivity, due to heavy disruptions in normal business activity. To determine the extent of the breach, you’re looking at halting sales, shipments, and performing ongoing investigations. Because of this time taken away from the business, you now have a significant loss in productivity and momentum. Not to mention lost profits during this time as well. Once you factor in the ramp up back to optimal productivity, you’re looking at a critical impact on your business.
Business continuity is a critical part of minimising the impact of a data breach. Having business continuity management in place is proven to reduce the time taken to identify and contain a breach. A business continuity management plan ensures you have all the framework in place to immediately respond to an attack and contain the breach. This makes the overall fallout to you and your business much less severe and costly than it would otherwise be. You have everything backed up, and are able to retrieve any destroyed data in the case of something like a ransomware attack.
In what ways can your business be vulnerable to cyber attack? It’s important to familiarise yourself with the potential ways in which you could be exposed. A cyber vulnerability exists where three factors intersect: a weakness in the system, an attacker’s access to that weakness, and their ability to exploit it. There are so many ways in which your system could be vulnerable that we could populate an article on that alone. For the sake of being succinct, however, we’ll just look at the five most common weaknesses:
Injection
This type of vulnerability is frequently exploited, despite being relatively simple to detect; finding it is simple, but tedious. An injection vulnerability can occur in any application that passes user input into a query sent to a back-end database. SQL injection is probably the most common example. It essentially allows the attacker to bypass the intended functionality of the application and execute a malicious query, so sensitive data can be accessed and compromised through this ‘injection’. This type of attack is well understood, but analysing the code to find an obscure exploitable input can be difficult: the needle in the proverbial haystack, so to speak. Using the SQL example, the attacker can supply input that alters the course of execution, causing the program to retrieve and dump sensitive data into the unauthorised hands of the attacker.
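As an added illustration (not code from the original guide), here is the same login lookup written the vulnerable way and the parameterised way, using Python’s built-in sqlite3 and a constructed in-memory users table. The crafted username shows how the unsafe version lets input alter the query, while the parameterised version treats the same input as plain data.

```python
import hashlib
import sqlite3
from typing import Optional, Tuple


def hash_password(password: str) -> str:
    # Plain SHA-256 keeps the example short; production code should use a
    # salted, slow password hash (bcrypt, scrypt or Argon2) instead.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def build_demo_db() -> sqlite3.Connection:
    """Constructed sample data: an in-memory database with two users."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT)"
    )
    for name, password in [("admin", "correct horse battery staple"), ("alice", "hunter2")]:
        conn.execute(
            "INSERT INTO users (username, password_hash) VALUES (?, ?)",
            (name, hash_password(password)),
        )
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> Optional[Tuple[int, str]]:
    """The weakness described in the text: user input is pasted straight into the SQL string.

    Whatever the user types becomes part of the query, so quotes and comment
    markers in the username change what the database is asked to do.
    """
    query = (
        "SELECT id, username FROM users "
        f"WHERE username = '{username}' AND password_hash = '{hash_password(password)}'"
    )
    return conn.execute(query).fetchone()


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> Optional[Tuple[int, str]]:
    """The fix: a parameterised query. The driver sends the values separately from
    the SQL text, so the username can never be interpreted as SQL."""
    query = "SELECT id, username FROM users WHERE username = ? AND password_hash = ?"
    return conn.execute(query, (username, hash_password(password))).fetchone()


def demonstrate() -> dict:
    """Run both versions with an honest login and with a crafted username."""
    conn = build_demo_db()
    # A username containing a quote and an SQL comment marker: in the vulnerable
    # query the rest of the WHERE clause (the password check) is commented out.
    crafted = "admin' --"
    return {
        "vulnerable_honest": login_vulnerable(conn, "alice", "hunter2"),
        "vulnerable_crafted": login_vulnerable(conn, crafted, "not the password"),
        "safe_honest": login_safe(conn, "alice", "hunter2"),
        "safe_crafted": login_safe(conn, crafted, "not the password"),
    }


if __name__ == "__main__":
    for case, row in demonstrate().items():
        print(f"{case:20s} -> {row}")
```

The same crafted input that returns the admin row from the vulnerable function returns nothing from the parameterised one, which is the check worth adding to your own test suite for every query that takes user input.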
Buffer Overflow
A buffer overflow vulnerability is a common weakness that exists in many applications, and is frequently present in operating system code, for example. While buffer space and memory layout are generally well-defined, a program that does not check the length of its input can be handed more data than the buffer can hold. This causes the buffer to ‘overflow’ into adjacent memory. It is in this overflow space that an attacker can place malicious executable code and potentially gain access and privileges. In such an attack, the attacker deliberately submits input that is certain to be too large for the buffer, triggering the flaw. Modern operating systems are designed to minimise these buffer overflow attacks, for example by randomising the memory layout and placing additional guard space between buffers.
Sensitive Data Exposure
This one is a little more self-explanatory. Sensitive Data Exposure occurs when an application does not sufficiently protect sensitive information from being disclosed to attackers. The attacker could, for example, intercept the data between a server and a browser, which is creatively known as a Man-In-The-Middle attack. The biggest causes of this weakness are a lack of encryption, weak key generation and weak algorithms. 68% of the top 100 apps in the Google Play store don’t check server certificates, and 77% would ignore SSL errors! You can proactively minimise this type of weakness by enforcing security procedures and encrypting data. A well-known example of this type is the Ashley Madison attack, where millions of adulterous users had their names and information exposed.
Broken Authentication & Session Management
Remember me? That check box you tick when logging in to save you the hassle of remembering every single password you use? This function is affected by this type of vulnerability, along with password management, timeouts, secret questions and logouts. This type of flaw is difficult to eliminate due to the variety and number of authentication methods. Each user can employ different methods, and there are multiple ways an attacker can bypass these mechanisms. They could, for example, use the aforementioned injection attack to retrieve a session identifier, or reuse an old session token. With that, they could access your online banking, because they’ve tricked the server into thinking you never logged out. Yikes.
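An added example, not part of the original guide, of the server-side session handling that closes the gaps described above: random tokens, idle and absolute timeouts, invalidation on logout so an old token cannot be replayed, and rotation after login. The timeout values and the SessionStore API are assumptions chosen for illustration.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

# Assumed policy values for the example; tune them to your own risk appetite.
IDLE_TIMEOUT_SECONDS = 15 * 60      # log out after 15 minutes without activity
MAX_LIFETIME_SECONDS = 8 * 60 * 60  # force a fresh login after 8 hours regardless


@dataclass
class Session:
    user: str
    created_at: float
    last_seen: float


class SessionStore:
    """Server-side session table: the browser only ever holds an opaque random token."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def create(self, user: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        # 32 bytes (256 bits) from the OS CSPRNG: not guessable, not sequential,
        # and carrying no user data, unlike tokens built from user IDs or timestamps.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user=user, created_at=now, last_seen=now)
        return token

    def validate(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Return the user for a live token, or None if it is unknown, logged out or expired."""
        now = time.time() if now is None else now
        session = self._sessions.get(token)
        if session is None:
            return None
        too_old = now - session.created_at > MAX_LIFETIME_SECONDS
        idle = now - session.last_seen > IDLE_TIMEOUT_SECONDS
        if too_old or idle:
            del self._sessions[token]  # expired: drop it so it can never be revived
            return None
        session.last_seen = now
        return session.user

    def logout(self, token: str) -> None:
        # Invalidate on the server, not just by clearing the browser cookie:
        # a token copied or stolen earlier is worthless from this point on.
        self._sessions.pop(token, None)

    def rotate(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Issue a new token for the same user and retire the old one (do this after
        login and after any privilege change, so a pre-login token is never reused)."""
        user = self.validate(token, now)
        if user is None:
            return None
        self.logout(token)
        return self.create(user, now)


def demonstrate() -> Dict[str, Optional[str]]:
    """Walk through the failure modes described in the text with a fixed clock."""
    store = SessionStore()
    t0 = 1_000_000.0
    results: Dict[str, Optional[str]] = {}

    token = store.create("alice", now=t0)
    results["live_token"] = store.validate(token, now=t0 + 60)
    store.logout(token)
    # The "server thinks you never logged out" trick: replaying the old token fails.
    results["reused_after_logout"] = store.validate(token, now=t0 + 120)

    token = store.create("alice", now=t0)
    results["idle_timeout"] = store.validate(token, now=t0 + IDLE_TIMEOUT_SECONDS + 1)

    token = store.create("alice", now=t0)
    results["within_idle_window"] = store.validate(token, now=t0 + IDLE_TIMEOUT_SECONDS - 1)
    results["absolute_lifetime"] = store.validate(token, now=t0 + MAX_LIFETIME_SECONDS + 1)

    old = store.create("alice", now=t0)
    new = store.rotate(old, now=t0 + 1)
    results["old_token_after_rotation"] = store.validate(old, now=t0 + 2)
    results["new_token_after_rotation"] = store.validate(new or "", now=t0 + 2)
    results["unknown_token"] = store.validate("not-a-real-token", now=t0)
    return results


if __name__ == "__main__":
    for case, user in demonstrate().items():
        print(f"{case:26s} -> {user}")
```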
Security Misconfiguration
This type of flaw is possibly the most common and dangerous of all. Some examples include running outdated software, applications running in debug mode, running unnecessary services on the system, not changing factory settings (e.g. default passwords), and incorrect exception handling that allows system information to be disclosed to attackers. Thanks to some ethically dubious products on the market, an attacker can easily identify systems that are not properly configured. Not to mention that with the advent of the Internet of Things, you have appliances establishing connections using default keys. These allow an attacker to establish an unauthorised connection to the device and get in from there.
Now that we’ve covered the common types of cyber vulnerabilities, the next issue is how to identify them. How do you assess whether you are exposed in this way? Luckily, there are software tools created for exactly this purpose (thank you Symantec, Trend Micro, and NetIQ amongst others). But bear in mind that it’s unwise to simply rely on a piece of software to handle all your risk assessment for you. A truly thorough risk assessment should involve a comprehensive protocol alongside specialised software. This software doesn’t just identify vulnerabilities, but also analyses, evaluates and manages them in a structured manner.
When we think of cyber security and data breaches, we think of some basement-dwelling troll hacking into our system, but let’s acknowledge the biggest cause of data breaches, shall we? Human error. Whether it’s a trusted insider, a third-party contractor, or a vendor, there are always additional users with access to your data. These people are not infallible and need to understand the seriousness of following cyber security protocol. It’s not just a matter for the IT department; it’s something that all members of an organisation can contribute to.
8 Step Guide for Assessing Your System
The best thing you can always do for yourself and your business is to be involved, regardless of your current cyber security status. You need to learn about and understand the current state of security. Take part in actively screening potential vendors or third-parties, and be engaged with the whole process of protecting your business. Following that, these steps are a great guide to follow for identifying cyber vulnerabilities and consequently resolving them:
Understand the actual business process
Firstly, where does sensitive information enter into it? Which parts require regulation compliance? Are you managing customer privacy?
What tools are involved?
Once you’ve got a handle on the business process, determine what programs, software or applications are processing these functions. Where is the information being entered or passed through? You can see how this aspect presents a potential vulnerability!
What devices are involved?
Don’t forget to include all mobile devices, laptops, tablets, and desktop PCs that all interact with the system or program that funnels your data. For example, if you’re using a system like Office 365, employees are able to access private information on their device anywhere, anytime.
What hardware is involved?
Dig down a level now, and see what’s happening underneath that. What sort of hardware is supporting these devices and programs? We’re talking stuff like servers and data storage devices.
What does the network look like?
What is the network infrastructure connecting it all? This covers the routers and other network devices used to transmit data between servers and users.
Do you have any existing security controls?
What are the existing security controls in place? What are your cyber security policies? Do you have firewalls? Do you use VPNs? What about encryption? Understand what these all are and in what ways they protect your business.
Run Vulnerability Scans
Once you’ve got a handle on all of the above, it’s time to run vulnerability scans using a specialised cyber security program. At this point you should have a good understanding of your current security status, where your potential weak points are going to be, and what points you want to reinforce. As a result, the vulnerability scanning and security patching will be much more effective. Skipping these previous steps is like asking your doctor to just diagnose why you don’t feel good without providing him the information about what, when, or how it hurts. Your understanding and outline will provide important information to help security specialists identify exactly what needs doing.
Results in Context
Finally, determine whether the scan is highlighting vulnerabilities you have already reinforced, or minor outlying weaknesses that are not terribly urgent. Triage the points highlighted by the scan and determine your priorities. Can you do this yourself, or is it time to bring in someone to review and fix the issues you’ve now highlighted?
Strategies For Resolution
After you’ve identified your cyber vulnerabilities, you need to form a strategic approach to handling the weakness(es) and reinforcing your security perimeter. As mentioned above, you need to review the results of your security scan within the context of your business. Perhaps you identified a vulnerability within a sensitive process, so you’ll want to address it immediately. However, it could identify some vulnerabilities in parts of your system that are not frequently accessed. Perhaps they are already part of a protected infrastructure, so you may push this down the priority ladder.
At this point, you’ll want to hire an external service to review your security, and conduct penetration testing. This type of service will test your security measures and attempt to access the weak points that an attacker would hypothetically exploit. Yes, you’ve predetermined your weaknesses, and areas that need shoring up. Now the penetration tester will really put these assumptions to the test and determine if your existing security measures are enough.
Being part of the security process of your own business is critical, but at this point in the examination process, you are too close to give it the objective eye it needs. Security testers will conduct the evaluation you need to consider all aspects of your security, possible weak points you hadn’t considered, and what parts you would need to focus on in the future.
Types of Cyber Attacks
What type of threats should you anticipate with regards to these weaknesses? Attacks can come in several different forms and this information can be overwhelming. However, as long as you address your vulnerable points, you’ve already done the important part. Another part of taking a proactive role in the security of your business does mean understanding the types of attacks you could be subject to. Arming yourself with this information means you’ll be more likely to recognise phishing scams, or the signs of malware in your system. The following types of cyber attacks are among the most common:
Malware
Malware is somewhat of an umbrella term that includes trojans, worms, spyware, ransomware and viruses. It’s basically defined as malicious code or software with the intent to corrupt or steal something on your system. Malware usually gets introduced to the system through an email attachment or an unsafe download. Sometimes it’s attached to a frequently used and trusted website so you’ll allow the malware through your anti-virus software.
Phishing
Phishing attacks are almost always sent by email. They’ll appear to come from a trusted source that asks you to click a link and enter some personal information. It could be posing as your bank, and asking you to ‘verify’ your password by clicking on a link. These are usually pretty easy to spot, but they have definitely grown more sophisticated in recent years. They can closely resemble official emails from parties like Apple or PayPal. A tried and true method for avoiding these traps is to remember that your bank or any other trusted site will never make such requests via email. If in doubt, log in directly by going to the site yourself in your browser rather than following the emailed link. Furthermore, a great security measure to counter phishing attacks is to use two-factor authentication. This means that a username and password will never be enough to gain access to the system. Checkmate, phisherman.
Distributed Denial of Service (DDoS)
DDoS is an attack that focuses on disrupting service to your network. Attackers send high volumes of traffic through the network until it becomes too congested and can no longer function. Attackers often use multiple computers to send the traffic or data; hence distributed. Users often won’t even realise that their computer has been hijacked to participate in a DDoS attack. These attacks primarily target huge companies, often in protest towards governments or individuals.
Man in the Middle
We briefly mentioned this one earlier when discussing Sensitive Data Exposure. The way this works is by impersonating the endpoints in an online data exchange, from your computer to your online banking website, for example. The ‘man in the middle’ impersonates the bank to communicate with you, while also impersonating you to communicate with the bank. Therefore they receive all the information travelling between the two and gain access to sensitive information. Use an encrypted wireless access point, and always look for an HTTPS connection. Take these simple precautions, and you are less likely to be targeted by this attack.
Rogue Security Software
Rogue software is another type of malware, but has a key difference that is important to note. It disguises itself as critical security software that will keep your system safe. It creates legitimate-looking pop-ups and alerts, often masquerading as updates to existing security software, or terms of service agreements. Through these pop-ups users are tricked into allowing the software to access their system.
Brute Force Attack
Brute force attacks are also called password attacks, and the name is fairly self-explanatory. The previous methods attempt to trick the user into letting malware through, or to find a backdoor into the system. The brute force method instead employs an algorithm or software that literally tries to deduce the password. The algorithm runs through thousands of word and number combinations, sometimes drawing on a dictionary of likely words. Hence it’s so important to create a strong password, including upper- and lower-case letters, numbers and symbols, and to change it on a regular basis.
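Strong passwords are the advice above; the complementary control on the defender’s side is to notice guessing while it is happening. This added example (not from the original guide) runs a simple sliding-window detector over constructed authentication log lines in an assumed format, flagging any source that fails a threshold of logins within a window, and distinguishing one account being hammered from one source cycling through many usernames.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, List, NamedTuple, Optional, Tuple

# Constructed log format for the example (one event per line). Real systems need
# a parser for their own format (syslog, Windows event 4625, web-app logs).
LOG_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) (?P<result>FAILED|OK) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample: one source hammering a single account, one source with two
# failures far apart (normal typos), and one source trying many accounts.
SAMPLE_LOG = """\
2018-03-01T09:00:01 FAILED user=alice src=203.0.113.5
2018-03-01T09:00:04 FAILED user=alice src=203.0.113.5
2018-03-01T09:00:07 FAILED user=alice src=203.0.113.5
2018-03-01T09:00:09 OK user=bob src=198.51.100.7
2018-03-01T09:00:10 FAILED user=alice src=203.0.113.5
2018-03-01T09:00:12 FAILED user=alice src=203.0.113.5
2018-03-01T09:00:15 FAILED user=alice src=203.0.113.5
2018-03-01T09:01:00 FAILED user=carol src=198.51.100.7
2018-03-01T09:05:00 FAILED user=carol src=198.51.100.7
2018-03-01T09:10:00 FAILED user=alice src=192.0.2.9
2018-03-01T09:10:05 FAILED user=bob src=192.0.2.9
2018-03-01T09:10:10 FAILED user=carol src=192.0.2.9
2018-03-01T09:10:15 FAILED user=dave src=192.0.2.9
2018-03-01T09:10:20 FAILED user=erin src=192.0.2.9
"""


class Event(NamedTuple):
    ts: datetime
    result: str
    user: str
    src: str


def parse_line(line: str) -> Optional[Event]:
    match = LOG_LINE.match(line.strip())
    if not match:
        return None  # skip blank or unrecognised lines rather than crashing the detector
    return Event(datetime.fromisoformat(match["ts"]), match["result"], match["user"], match["src"])


def detect_bruteforce(lines, threshold: int = 5, window_seconds: int = 60) -> List[Dict[str, object]]:
    """Flag each source address that fails `threshold` logins inside any `window_seconds` window.

    Lines are assumed to be in time order. A source is reported once, on the
    failure that crosses the threshold, so a long-running attack is not re-alerted
    on every subsequent attempt.
    """
    recent: Dict[str, Deque[Tuple[datetime, str]]] = defaultdict(deque)
    alerted = set()
    alerts: List[Dict[str, object]] = []
    for line in lines:
        event = parse_line(line)
        if event is None or event.result != "FAILED":
            continue
        window = recent[event.src]
        window.append((event.ts, event.user))
        # Drop failures that have aged out of the window.
        while window and (event.ts - window[0][0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= threshold and event.src not in alerted:
            alerted.add(event.src)
            users = sorted({user for _, user in window})
            alerts.append({
                "src": event.src,
                "failures": len(window),
                "users": users,
                # Many accounts from one source is the "spraying" variant, which
                # per-account lockouts alone do not catch.
                "kind": "password spraying" if len(users) > 1 else "brute force",
                "first": window[0][0].isoformat(),
                "last": event.ts.isoformat(),
            })
    return alerts


def detect_from_text(text: str = SAMPLE_LOG, **kwargs) -> List[Dict[str, object]]:
    return detect_bruteforce(text.splitlines(), **kwargs)


if __name__ == "__main__":
    for alert in detect_from_text():
        print(alert)
```

Feeding these alerts into a temporary block or step-up to multi-factor authentication is what turns the detection into a control.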
Watering Hole Attack
This is a strategy for delivering malware in which the victim is a particular group (like an organisation or an industry). Watering hole attacks happen when the attacker targets a website or websites that are frequently used by members of the group, infecting them with malware as a trap. Eventually, a member of the group falls prey to the malware, and from there the attacker gains access to the whole network. Given the large number of users exposed to the infected site, this type of attack is extremely difficult to trace. The name comes from real-world predators, which often lurk by watering holes where large groups of prey congregate, in order to make a successful attack.
Ransomware
This type of malware is self-explanatory. Ransomware is a type of malicious software that effectively holds the victim’s data hostage in exchange for a ransom. Your data becomes encrypted and completely inaccessible without the decryption key. The attacker will usually threaten to completely destroy the data if their ransom demands are not met. Most perpetrators are not prosecuted, since ransoms are almost always paid in cryptocurrency (which is nearly impossible to trace). Ransomware attacks are typically carried out by exploiting a vulnerability with a trojan.
Social Media Threats
Not even our beloved Facebook is safe from cybercrime. Now social media platforms like Facebook, Twitter, or LinkedIn are being used to deliver cyber attacks. They often achieve this by exploiting broken authentication and stealing login credentials, or phishing attacks. Once logged into Facebook, you could receive a download link, or a rogue friend request and you should absolutely be wary. Users must take extra caution due to the fact that Facebook is integrated so thoroughly into all aspects of online life. It’s incredibly common to use your Facebook login for an infinite number of sites and apps, so giving up your social media security could mean so much more than just access to your friends’ list.
Unpatched Applications
Unpatched applications and programs present a real vulnerability that can be exploited for attack. Consider browser add-ons and programs like Adobe Reader or Flash. You frequently use these to make your online experience smoother, without so much as a second thought. These programs often have regular updates, so it’s important to ensure you apply them to reduce your risk of attack.
Cyber Security Best Practice
So far we’ve covered ways to identify key vulnerabilities, and ways in which you may be targeted for attack. However, there are a few key practices you should be employing to proactively minimise your risk of an attack. The Australian Signals Directorate has published a list of strategies to follow that will help mitigate any chance of an incident. They call these the ‘Essential Eight’:
1. Application Whitelisting
By white-listing your approved applications and programs, you automatically prevent the execution of untrustworthy or potentially malicious programs that don’t make the cut.
2. Patching Applications
Keep your applications up to date (e.g. Flash, browsers, Java, MS Office and PDF viewers). If a program is not kept totally up to date, it can present a serious security vulnerability.
3. Configuring Microsoft Office macro settings
You can configure these settings to block macros from being executed from the internet, barring the ones you vet to be safe (usually with a trusted certificate). These macros are able to deliver malware.
4. Application Hardening
Configure your web browsers to block applications like Flash, ads, and Java. You can also disable unnecessary features in MS Office like OLE (embedded links in documents). These applications are popular ways to deliver and execute malicious code.
5. Restricting administration privileges
Control access and privileges based on user duties. Frequently revise and update privileges as roles evolve and change. Don’t use privileged accounts for accessing email or web browsing; keeping them away from the Internet removes the most common routes by which malware reaches them.
6. Patching operating systems
Same concept as patching applications, it is vital to keep your operating systems up to date, including network devices. Many operating system updates are released in order to patch security vulnerabilities, so it’s important to always run the latest version to reduce your exposure.
7. Multi-factor authentication
We covered this briefly in Phishing attacks, but using strong, two (or multi) factor authentication will make it incredibly difficult for any attackers to access sensitive information or accounts. Even if they gain hold of a password, it’s useless without the additional verification. Apply the secure authentication any time a user has to gain access to privileged data, accounts, VPNs and remote access.
8. Daily Backups
By keeping your system frequently and securely backed up, you’re insuring yourself against any cyber attack in which your system or data becomes compromised or destroyed. Your backups should include any new or changed data, software and configuration settings. Store these backups disconnected from your system, and retain them for at least three months. Test them regularly to ensure you are able to successfully restore your systems after an incident.
Cyber Security Framework & Guidelines
Don’t stress if wording gets a bit technical here. We’ll try not to bog you down with too much jargon! There are set frameworks and guidelines in place you can follow to maintain cyber security compliance, like a checklist for hitting all the right steps to secure your network. While doing your research, just bear in mind that many of these frameworks originate in the US but can assist you to develop the right approach for your website.
On this side of the pond however, we have the Australian Cyber Security Centre (ACSC). The ACSC is a fairly new collaborative organisation the Australian Government has pieced together from existing federal agencies with the sole aim of bolstering the security of Australian networks. The ACSC has put out multiple documents outlining important cyber strategies and threats to watch out for, though their Cyber Strategy document refers to the overall Government strategy and action plan for strengthening Australian cyber security in general. At first glance, this appears unhelpful for the individual or business, but it is good news for everyone. It means our government is committed to providing better support and increasing resources to combat cyber attacks.
What is a Cyber Security Framework?
A Cyber Security Framework is a set of documented processes that are used to define policies and procedures around the implementation and ongoing management of information security. Think of it as a template for your organisation’s cyber security. Many organisations publish and maintain different frameworks for general use, though when you first start digging, you’ll mostly find US-based guidelines that aren’t recognised in Australia. Not so helpful, but we’ll steer you in the direction of some more useful framework resources. Here are a few resources and guidelines out there for Australian businesses and individuals to refer to:
Information Security Manual by ASD
This manual is divided into multiple parts, but most of the relevant information for businesses is in Principles and Controls. This set of guidelines describes the compliance standards expected of Australian government agencies, but much of it is non-specific in its approach. Therefore, you can apply these guidelines to your private business or website as well. It’s broken down into manageable sections and is a useful guide for understanding Australian standards of cyber security management. This guide is based on a risk-management approach, which allows for flexibility with regard to different environments and priorities. This means that you apply fundamental risk management principles to your information security, and adopt a proper risk management process.
FIRST (Forum of Incident Response and Security Teams) is a collective organisation of response teams that handle computer security incidents and promote incident prevention programs. They have their own publication of standards, and a Best Practice Guide which details all the steps recommended to best protect your website from any incidents. FIRST contributes to external standards bodies like ISO, which lends a great deal of credibility to their organisation, and they have a clear layout of their own created standards that are easy to find and follow.
NIST (National Institute of Standards and Technology) is a U.S. agency established to provide industry standardisation and measurement solutions. Their cyber security framework also adopts a risk-management approach, comprised of three parts. Between them all, these parts cover industry standards, guidelines, and cyber security activities. While this is a U.S. based framework, there is no reason the steps and guidelines in it cannot be useful to an Australian-based business.
It’s no surprise that RACGP stands for none other than the Royal Australian College of General Practitioners. They have published a set of standards that are applicable to all general practices, and other office-based practices. This is probably not where you expected to find a comprehensive set of cyber security standards, but it makes sense really. Doctors have a duty to protect confidential patient information. This set of standards doesn’t only focus on risk assessment, but also managing availability of information. Furthermore, it covers backup processes, business continuity and recovery planning, and access management.
CPA Australia
Yes, that CPA is also extremely on board with information security, for obvious reasons. They have published an array of articles and webinars focusing on the best ways to secure your information. Their IT Checklist document covers the whole range of topics on IT system management and cyber security. They focus on a similar approach to the ACSC’s ‘Essential Eight’ steps for security management. Probably not as technical as the former frameworks, but this is an excellent starting point for any small business looking to build a solid cyber security foundation.
The International Organization for Standardization (ISO) does seem to be the place to go when looking for cyber security standards. ISO 27001 focuses mainly on information security management systems. It’s an extremely detailed document covering all aspects of information security from establishing a management system, through implementation, maintenance and improvement. This ISO document advocates for the same holistic approach discussed earlier, where cyber security is a duty integrated into all aspects of an organisation.
CERT Australia is the national computer emergency response team. They primarily provide advice and support on cyber threats and vulnerabilities. They also offer guidelines and advice on how to mitigate cyber threats, as well as monitoring cyber incidents. CERT has developed several useful framework documents that can benefit your security:
– Remote access protocol that can be implemented into your cyber security framework.
– A guide to developing an incident response plan
– The top control systems tips that can be cheaply and easily implemented.
Protective Security Policy Framework
This framework is a dedicated set of policies and protocols that provide guidance for protecting assets and information. This covers all types of security protocol, but they do have a dedicated document for information security management. This set of protocols was developed by the Australian government for governmental agencies but again, it can provide tools and guidelines that can be used by a private organisation.
Notifiable Data Breaches Scheme
The Notifiable Data Breaches Scheme is legislation that only recently came into effect, on February 22, 2018. The scheme creates an obligation to notify individuals whose personal information is involved in a data breach that is likely to result in serious harm. The notification must also include recommendations about the steps individuals should take in response to the breach. The Australian Information Commissioner must also be notified of eligible data breaches.
The NDB scheme applies to agencies and organisations that the Privacy Act requires to take steps to secure certain categories of personal information. This includes Australian Government agencies, businesses and not-for-profit organisations with an annual turnover of $3 million or more, credit reporting bodies, health service providers, and TFN recipients, among others. Check here to see whether your organisation falls under this scheme.
The NDB scheme only applies to data breaches involving personal information that are likely to result in serious harm to any individual affected.
So, let’s say the worst comes to pass, and despite all your best efforts to secure your information and networks, some malicious troll compromises your data. Enter: cyber insurance. Cyber insurance can provide your business with an added layer of assurance in the case of a cyber incident. It can’t protect you from a cyber attack, but the insurance can cover many of the associated costs: investigations, customer notification, credit monitoring, public relations, legal costs, compensation, loss of revenue and more.
In order to find a fit for you and your organisation, investigate what risks are covered by the policy. One thing cyber insurance cannot do, though, is recover lost intellectual property or prevent the reputational damage incurred as a result of a data breach. Cyber insurance is still a fairly new type of policy, so coverage and premiums may not be flexible or diverse. Your best bet is still to minimise the risk of any incidents from the inside and hope you never actually need the insurance.
As we know, it’s not just large corporations that need to worry about data breaches. To a hacker, any data is valuable. A smaller business is usually easier to target, whereas a large corporation may go all out on defensive measures, so the small business becomes a far more enticing prospect. According to the Ponemon Institute study on the Cost of Data Breaches, an Australian business will have to foot an average cost of close to $50,000 for a data breach! For a smaller business, this kind of cost can be devastating, so it’s worth researching and considering whether a cyber insurance policy could be right for you.
Case Study: PageUp
PageUp is a medium-sized Australian company that provides cloud-based HR management software and currently serves clients all over the world. Recently they suffered a security breach, and we have been able to watch this play out in almost real time thanks to PageUp’s transparency and responsiveness.
On May 23, PageUp detected unusual, unauthorised activity on their IT infrastructure and immediately launched a forensic investigation. Their initial investigation revealed that malicious code had been executed within PageUp’s systems.
PageUp’s response was to launch an investigation immediately with the assistance of a third-party cyber security organisation, and to advise Australian regulatory bodies in keeping with the Notifiable Data Breaches Scheme. By May 28, they had found indications that client data had been compromised. On June 5, the CEO released an announcement advising of the potential breach and the ensuing investigation. PageUp was very proactive and forthcoming with information to all regulatory bodies, but most importantly, to their clients.
PageUp continued to keep their clients and the public informed with progress updates. On June 12, the CEO posted another update confirming that they had contained the breach and secured their site. The organisation advised that their site had no further threats and was safe to continue using. They also made sure to announce that some types of personal data had been accessed, and listed specifically what information had potentially been compromised.
Aside from launching a forensic investigation, PageUp contacted the Australian Cyber Security Centre (ACSC), the Australian Federal Police, and Australia’s Computer Emergency Response Team (CERT) to advise them of the incident and seek support. On June 17, they posted another update advising that they had liaised with the Office of the Australian Information Commissioner (OAIC). PageUp also offers steps and suggestions on what individuals can do from home to further insulate themselves from cyber risk, namely changing passwords, enabling multi-factor authentication, and so on.
As of July 2018, the investigation is ongoing to determine the extent of the breach and which records were affected. On June 19, they shared another update; the ACSC, the Office of the Australian Information Commissioner and IDCare released a joint statement on the issue.
PageUp is a business with several high profile clients (Telstra, Reserve Bank, ABC and AusPost to name a few). It’s highly likely that PageUp already had a business continuity plan, given how promptly they took action. They opted for a route of transparency, and consistent communication with their clients, as well as the public. This goes a long way to easing concerns of skittish clients and preserving their reputation. Overall, this incident demonstrates the need for a well-established response plan, and the benefit of being open about the incident. Prove that you are committed to protecting your client information through transparency and communication (people love integrity). It shows that you are serious about cyber security and understand the negative impact that a data breach can have.
Cyber Security Essentials Questionnaire
Review the questions below to assess your current cyber security status. This is not an exhaustive list, but it’s an excellent starting point:
- Does your organisation have cyber security policies and procedures in place?
- Does your organisation protect all sensitive information transmissions (i.e. with encryption, SSL)?
- Are all devices protected from the internet by a firewall?
- Does your organisation have designated cyber security personnel and/or a cyber incident response team?
- Does your organisation have a cyber security user education and awareness program?
- Do you perform cyber security audits annually?
- Are all users with access to devices containing or processing sensitive information required to use a unique username and complex password to access these systems?
- Do all devices with access to sensitive information have access control configured? (i.e. users can only access the data they require)
- Do all devices with access to sensitive information get scanned for vulnerabilities on a regular basis?
- Are said vulnerabilities being treated in a risk-based priority? (i.e. more urgent vulnerabilities treated first)
- Are all laptop and mobile devices encrypted and password protected?
- Do all mobile devices with access to sensitive information have mobile device management with the ability to remotely wipe the device?
- Does your organisation require two-factor authentication for remote access?
- Does your organisation have a Business Continuity Plan, and if so, does it include backup and recovery procedures for all virtual systems?
- Are all administrative accounts only permitted to perform administrator activity, with no access to internet or external email?
Cover these steps, and you’ve covered the essentials. Of course, this is not all you need to protect your business. Make time in your schedule to further analyse and audit your systems regularly, and follow the investigative steps we listed earlier to make sure you’ve got all your bases covered.
Other Cyber Security Resources
Australian Cybercrime Online Reporting Network
ACORN is a national policing initiative of the Commonwealth, State and Territory governments. It is a national online system that allows the public to securely report instances of cybercrime.
National Identity & Cyber Support
IDCare is a not-for-profit Australian charity that addresses a critical support gap for individuals confronting identity and cyber security concerns.
Australian Cyber Security Centre
An important Australian Government initiative to ensure that Australian networks are amongst the hardest in the world to compromise.
Australian Signals Directorate
An intelligence agency in the Australian Government Department of Defence with a focus on information security.
Computer Emergency Response Team
CERT is the primary government contact point for major Australian businesses to receive and respond to cyber security incident reports.