The terms ‘data breach’ and ‘cybersecurity’ have become commonplace in business conversations in recent times, with Australia experiencing two of the largest data breaches in our nation’s history in 2022.
The wide-scale theft of sensitive customer data from corporate giants Optus and Medibank has impacted millions of Australians, and undermined trust in two of our country’s most recognisable consumer brands.
The question is: could it happen to your business?
The Optus and Medibank incidents, among a multitude of others, have brought into sharp focus the need for all businesses to improve their cybersecurity regimen. If large corporate enterprises can be hacked, then it stands to reason that smaller businesses, with thinner organisational resources and IT capabilities, are also vulnerable to attack.
Cyber attacks are really bad for business, often resulting in serious legal, financial, and reputational consequences — in some cases, cyber attacks can threaten the very existence of the business. Accordingly, it is incumbent on all business owners and operators to mitigate the risks of a cyber attack, and implement appropriate measures to secure their digital and information technology assets.
One of the best frameworks for mitigating cyber threats is called the ‘Essential Eight’ — a set of practical guidelines developed by the Australian Cyber Security Centre. In this article, we’ll introduce you to the ‘Essential Eight’ and provide some advice about the actions you should take in each of the eight focus areas.
Applications are the software programs that you use in your business every day to perform standard functions, tasks and actions — Microsoft Word, MYOB, Adobe Photoshop and Google Chrome are all ‘applications’. Controlling who can access, install, and modify these programs on your computer networks is at the heart of application control. If a staff member can download a potentially-malicious executable file from the internet, and install it on the network without any processes or approvals, then this represents an ‘application control’ issue for your business. It’s important that you have full control of the executable applications that reside on your networks and systems.
Check with your IT team/provider to make sure that appropriate network settings and controls are in place so that activity is restricted to approved applications only.
Create a ‘whitelist’ of approved software applications for the business so that application use is documented and widely-understood.
Educate your staff about the dangers of introducing unauthorised applications to your computer networks
These days, we’re all used to getting app updates on our mobile devices at regular intervals. Software applications on computer networks operate in much the same way with new versions, bug fixes, patches and enhancements released by the software vendor. Often these updates address security vulnerabilities in the software that can be exploited by hackers if they’re not ‘patched’. For that reason, it’s important that new patches are applied in a timely fashion to avoid exploitation. Security holes discovered in internet-facing applications can be exploited by hackers within a matter of hours, so critical software updates should be applied immediately.
Check with your IT team/provider to make sure they’re actively updating applications when patches become available (particularly ‘critical’ updates)
Be cognisant of applications that are operating on older versions and make sure that you are aware of any security vulnerabilities that this may cause.
Users who are granted administrative privileges for software applications and operating systems are typically able to make significant changes to the configuration and usage of the software. Hackers love to get their hands on ‘admin’ accounts because they provide unfettered access to the system, allow them to elevate their own privileges, to hide their existence on the network, to obtain sensitive information, and to resist removal efforts. The bottom line is: the fewer ‘admins’ there are, the fewer exploitation opportunities available to hackers.
Do an audit of users that have ‘admin’ privileges for software on your network. Where possible, limit ‘admin’ privileges to a small number of trusted users only.
Identify and remove any ‘admin’ accounts that have shared access — it’s not good practice to have an ‘admin’ account that can be accessed by multiple users, as it undermines accountability.
Make sure that departing staff members have their accounts disabled when they leave, particularly if they’re an ‘admin’.
This focus area is similar to #2, but pertains specifically to the underlying ‘operating systems’ (or OS) that power our computers and networks. Common operating systems include Microsoft Windows (the OS that powers PCs), MacOS (the OS that powers Apple Mac computers), Linux, Unix, and mobile device operating systems, Android and Apple iOS. Like applications, operating systems may have ‘bugs’ and these can sometimes be exploited by a cyber attack, so make sure that they’re patched regularly.
Check with your IT team/provider to make sure they’re actively updating operating systems when patches become available.
Ensure that operating system updates are centrally deployed across the network, rather than relying on individuals to manually update their own computers.
This is a seemingly obscure focus area, but one which is very important if you use Microsoft Office in your business. A macro is a sequential batch of commands that can be set up within Microsoft Office files — eg. Word, Excel, Powerpoint — to automate repetitive tasks. A macro can be ‘recorded’ and then ‘played’ over and over to complete a series of actions in sequence — it’s much easier than doing these actions manually with individual mouse clicks. Macros can be really powerful productivity tools and they’re quite easy for novice users to create. The problem is that an adversary can create malicious macros to gain unauthorised access to information and systems.
Check with your IT team/provider to see how macros are handled on your network.
If you’re not using macros in your business, then disable them completely. Simple!
If you are using macros, the aim is to disable untrusted macros and to selectively trust those macros that are useful.
For your trusted macros, ask your IT team/provider to have them ‘digitally signed’ for authentication.
There are a multitude of things that you can do to ‘harden’ (the equivalent of putting a suit of armour on) your applications so that they cannot be exploited by hackers. Eliminate default usernames and passwords, enforce password complexity (nobody should have ‘password1’ as their password), remove anonymous access to applications, eliminate shared accounts, uninstall unused components, modules and plug-ins, and lock down unused network ports, among other things.
Check with your IT team/provider to ensure that password policies are strong and cannot be exploited.
Make sure your organisational firewall is configured correctly. Firewalls are critical to secure your network perimeter and block unauthorised access.
Make sure you have appropriate anti-virus software in place. This software is essential to protect against malware and viruses that can compromise the security of your systems.
Remove any old user accounts from your software applications — particularly those people who may no longer be at your organisation!
Consider a commercially-available vulnerability scanning tool to identify potential security holes.
Multi-factor authentication is commonplace today and we’ve all used it with our Google, Apple and Facebook accounts. It’s when you are sent a code via SMS or email to authenticate your identity when logging in to a system: your username/password is the first ‘factor’, and the SMS/email code is the second ‘factor’. The multiple layers of authentication (think of it like a bank’s 100-point identity check) greatly reduces the prospect of somebody getting unauthorised access to your accounts. Most modern, internet-facing software applications have multi-factor authentication as standard. Sometimes it is ‘optional’ and needs to be turned on by an administrator. Multi-factor authentication now also routinely incorporates biometric checks — fingerprints, retina scans and facial recognition.
Turn on multi-factor authentication as standard for ALL internet-facing applications
If you use applications that are connected to the internet, but they do not have a multi-factor authentication capability, consider the security ramifications if a username/password is compromised.
This is not a new thing. Backing up your data is paramount, because there will invariably come a time when you need to rely on that backed-up data — servers crash, hard disks fail, laptops get lost, and humans make errors. Backups are also extremely important should your business fall victim to a ‘ransomware’ attack — this is when a cyber attacker steals your data and requires the payment of a ransom to give it back. Whether it’s a cyber attack by a nefarious actor, or the accidental mass deletion of files by a staff member, the fact remains that you MUST have a backup copy of your important data. There are no excuses.
Speak to your IT team/provider about your data backup regimen. Make sure that all important data is backed up regularly in an appropriate location (eg. an offsite data centre is better than on a ZIP drive in your top drawer)
Document your backup/recovery plan including the processes required to get your business back up and running should data be lost.
Consider encryption for sensitive data that is held in the cloud.
In 2023, all businesses — irrespective of size — need to mitigate the risks associated with a cyber attack, and implement measures to secure their digital and information technology assets.
The ‘Essential Eight’ provides a practical framework that business owners can follow to protect their systems and data. By following these guidelines, businesses can reduce their risk of cyber attacks and protect their sensitive data from falling into the wrong hands.
Don’t be like Optus and Medibank.