Everyone knows that cyber crime is a serious and growing problem. We hear of incidents regularly in the news, in which data and systems have been irretrievably damaged or private information stolen. The theft and sale or ransom of information, the opening of security loopholes and installation of destructive malware etc. all result in enormous financial losses, disruption and reputational damage for organisations across the globe, not to mention personal impacts on both workers and private individuals. However, an attitude of “it won’t happen to me” tends to prevail, especially in small to medium enterprises.
This is partly due to the fact that organisations falling victim to cyber crime tend not to be willing to own up to the incident, especially if the attack was potentially the result of their own inadequate IT security practices.
Rather than hoping for the best, all organisations (and individuals) should manage their cyber crime risks and put in place protections against the worst, by adopting a handful of relatively straightforward controls:
- Data back ups – use multiple back-up methods to keep copies of all data, including websites and email, so that you can restore anything that’s lost or damaged during an attack. Using multiple methods means all is not lost when one fails. Make a regular copy to an external drive or portable device which is not connected to the organisation’s network or the internet.
- Device security – install security software including anti-virus, anti-spy ware and anti-spam filters on all servers, computers, portable devices (mobile phones and tablets etc.) and make sure these are set to update automatically.
- Device protection – ensure devices are physically secure as well (locked away, with passwords installed) and that employees are aware of security protocols for portable devices such as not connecting to free public wi-fi with a device that contains sensitive data or log in credentials.
- Protect critical data – add encryption to sensitive data, especially when stored or sent online. Limit employee access to sensitive files on a need-to-know basis. Encrypt storage devices that are taken out of secure areas.
- Control admin passwords – ensure passwords for administrator level accounts are unique, strong, and regularly changed.
- Strengthen passwords – use long passwords (at minimum 10 characters) that include a mix of upper and lower case, numerals and symbols and update them regularly. Don’t use the same password in more than one place. This seems daunting to many, but a long and complex password need not be difficult to remember:
- Choose a string of words that mean something to you, begin each one with an upper case letter, and add some nonsense to the end. For example, EasyToRemember123xyz% or My$Bank$Account456abc&
- Choose a song title or lyric and replace some letters with similar looking characters, e.g. 1$tillCallAu$traliaHom3
- Introduce spam filters – clicking on links in emails or responding to apparently legitimate but actually bogus emails are the most common ways for criminals to get information or damage your systems. Use spam filters to reduce the numbers of spam and phishing emails that can get through.
- Systems and procedures – adopt policies and processes around cyber security so that employees understand what is expected.
- Training – cyber security is only as strong as the weakest human link. Ensure employees (and managers!) are educated about the risks and about company policies/controls, and regularly reminded about passwords, browser and software updates, freeware risks, social media risks, online shopping risks, suspicious emails and links etc.
- Information Security Management – To ensure there is a system to manage all these requirements (and more) implement, even if only in part, the requirements of ISO/IEC 27001:2013 Information technology – Security techniques – Information security management systems – Requirements.
In additional to the above good cyber security housekeeping, a collective effort is required from all organisations not to maintain a silence that effectively colludes with the criminals. Sharing information about incidents can help to prevent the spread of attacks and destroys the criminals’ business model.
Organisations can report to ACORN (Australian Cybercrime Online Reporting Network).
Another useful resource is the government website Stay Smart Online which provides advice and a subscription to an Alert Service.
Please contact QRMC for more information.