How to keep your business safe from cyber crime

In IBM’s 2017 Cost of Data Breach Study, it was revealed that the average cost of a data breach for Aussie businesses is declining. While that is good news, businesses that are affected by cyber crime are still looking at an average cost of around $2.51 million per incident. When you consider the costs involved in investigating the incident, notifying the victims, the loss of customers and the loss of the data itself, it’s easy to see how that would add up to millions.

So what exactly is cyber crime and what can businesses do to protect themselves against it? Security Specialist Nikolai Hampton from Impression Research and Engineering Manager Marc Dergacz from RedEye are here to answer all of our cyber security questions.

Marc (left) and Nikolai (right)

What is cyber crime?

Cyber crime is when a person or group accesses a device or an online account illegally for profit or for other malicious reasons. It includes holding data for ransom, stealing funds from bank accounts, corporate or personal identity theft or selling stolen information. Cyber crime can be highly lucrative and is fairly easy for criminals who target businesses with little or no cyber security measures in place. Some common types of cyber crime include:

Malware

Short for “malicious software”, a general term for software installed on a device that intentionally causes damage to it, including spyware, viruses, trojan horses, and more.

Adware

Software that is installed on a device without the user knowing, that presents pop-up ads to the user within programs they are using.

Phishing

Emails or websites that appear genuine but are designed to obtain information including personal details and bank accounts.

Scam

Cleverly worded content in the form of an email or website designed to trick users into downloading malware or giving out personal information.

Ransomware

Software that blocks or encrypts data on a device until the user pays a fee. This is extortion and paying the fee almost never solves the problem.

Spyware

Software installed on a device without the user knowing in order to steal information.

Trojan Horse

Software that is disguised as a genuine and useful file but contains hidden malicious code that runs when the fake “trojan horse” file is opened or installed.

Virus

Software installed without a user’s consent that corrupts and duplicates itself across multiple programs within a device, much like a contagious biological virus.

Cyber crime in Australia

Cyber crime is out there and can have a real impact on your business. Let’s look at some quick stats for Aussie businesses from StaySmartOnline:

  • 43% of cyber crime is aimed at small businesses
  • 80% of malicious data breaches involve stolen or weak passwords
  • 59% of Australian organisations experience some level of cyber crime each month

Businesses open themselves up to cyber crime by using weak passwords, having poorly maintained servers and limited cyber security processes.

The average time taken to resolve a cyber attack is 23 days – can you afford the business disruption, lost revenue and information/productivity loss?

How to reduce the risk of cyber crime

There are simple steps you can take to protect your business and your customers. It only takes a day or two to plan, an hour each week to manage and maintain and a few hours each quarter to review.

Step 1: Don’t panic! Form a working group to make a plan for cyber security

It’s important that you have senior management approval driven by a desire to make things better. The working group should represent a cross section of your business activities – people from HR, finance, customer support, sales, IT, security etc. Security doesn’t exist in a vacuum. It needs to support the objectives and functions of the business. This team might also form the basis of your very own SIRT (Security Incident Response Team), who can spring into action to respond effectively to security events.

Step 2: Make sure your plan is policy-driven

You’re going to need a security policy whether you do it proactively or reactively (after a threat has occurred) so the sooner the better! The policy might include a description, goals, controls, remedies, responsibilities, document ownership and a review date.

Building a policy generally starts with understanding your business assets, from computers and network equipment, to your bank accounts, customer data and staff. The policies you develop will implement controls that reduce risks to these assets. For example, if your asset is a customer email list, your controls might include things like:

  • Emails to the customer list must always be sent BCC
  • The correct use of the BCC field should be cross-checked by another member of the comms team
  • Only Barry and Susan are permitted to send bulk emails
  • The mailing list should only be accessible from authorised comms team computers

The actual assets, risks and controls you choose to focus on will depend entirely on how your business operates.

For most organisations, identifying and assessing risk to assets is the most complicated part of the process. It takes some technical understanding of current security threats and likelihood in order to make informed risk decisions. You should be able to identify many risks and threats yourself, and then engage with security experts to review your work and further identify risk management concerns.

Step 3: Implement the plan

Many parts of the plan can be implemented without any security expertise. For example, your security policy may require that staff don’t reuse passwords between work and social sites. Implementing the policy would involve communicating the new password policy, its reasons and what staff are expected to do.

Other policies will require input from technical, IT, or even finance resources. Maybe the plan needs someone to ensure the VPN software is running the latest version, configure network firewall rules, or perhaps the finance team is responsible for regular changes to the online banking password.

Step 4: Make cyber security a team activity

Your policies also need continual monitoring (or assurance) – the policies aren’t worth anything if people ignore them. Make sure your teams all understand what is happening and why. You can also involve your SIRT (from Step 1).

Step 5: Maintenance and review

Because your business needs change and security threats always evolve, it is important that you regularly review your security policies. You should schedule a regular meeting to at least ‘glance’ over your existing policies and identify what sections are still appropriate, what sections need review, and any new threats that have been identified. The security incident response team should also review and adjust security policies following a security breach, or a newly discovered threat.

Tips

Legislation

Australia has a Notifiable Data Breaches (NDB) scheme, which means businesses must notify individuals whose personal information is involved in a data breach which is likely to result in serious harm. Government and organisations with a $3m+ annual turnover, private sector health service providers and other businesses must be across the scheme.

About Nikolai and Marc

Marc is RedEye’s Engineering Manager and has almost twenty years’ experience in software development, infrastructure and information security. Marc is an information security expert and ensures RedEye clients are covered for information security and privacy. He is dog-Dad to Casper who is also a RedEye security expert and office dog.

Nikolai is a trusted security policy and technical specialist with more than twenty years’ experience in security systems analysis, policy development, DFIR, security project management and implementation. Nikolai holds a Master’s degree in cyber security and has co-authored several peer-reviewed academic and industry research papers. He has presented at Australian and international security conferences and covers a wide range of security topics including policy, digital forensics and reverse engineering.

Marc, Casper and Nikolai (left to right)
