Cyber-proof your business: 8 steps to better internet security
Businesses can’t operate without the use of email. But their reliance on the internet is putting them on the radar of malicious online scammers. Matthew Warren, professor at Deakin University, shares a number of handy tips to help businesses cyber-proof.
Businesses are increasingly dependent on IT. How has their vulnerability to cyber attacks increased?
As organisations use more IT systems, they become more dependent; this means that their dependency becomes a vulnerability. The reason for this is that organisations have no alternative manual systems to use; we have seen examples of airline checking systems and bank failures that cause major impact to customers. The vulnerability increases as the complexity and reliance on systems increases.
Many organisations are now looking at the concept of cyber resilience. This is the ability of an organisation to deliver the intended online services despite adverse cyber events. Cyber resilience is an evolving perspective that is rapidly gaining recognition and is directly linked to cyber security.
We have witnessed a rise in email scams that are becoming very difficult to distinguish from genuine emails. What should businesses look out for?
The issue is around awareness.
Be aware of the following:
- Generic greetings, such as “Dear customer”;
- A sense of urgency: “Ensure your invoice is paid by the due date to avoid unnecessary fees”;
- Bad grammar or misuse of punctuation and poor-quality or distorted graphics;
- An instruction to click a link to perform an action;
- Obscure sending addresses that don’t match the real company’s domain URL.
If in doubt, type the web address (URL) directly into your browser rather than clicking the link, or better still, phone the company.
Can cyber security issues destroy a business?
Yes, cyber security can seriously impact organisations. Organisations can lose customers, market share, etc. Larger companies are more resilient in recovering from an attack. For SMEs the impact can be dramatic, e.g. they have a smaller customer base, so any decrease in their customer base will have a dramatic impact, from which they cannot recover.
A key issue that I mentioned before was cyber resilience; an organisation that has good cyber resilience should be able to quickly recover from a cyber incident and minimise the impact that it will have on customers.
What should businesses do to protect themselves?
The Australian Cyber Security Centre proposed that while no single mitigation strategy is guaranteed to prevent cyber security incidents, organisations are recommended to implement eight essential mitigation strategies as a baseline.
This baseline, known as the Essential Eight, makes it much harder for adversaries to compromise systems.
The eight steps are:
1. Application whitelisting
Application whitelisting of approved/trusted programs to prevent execution of unapproved/malicious programs including .exe, DLL, scripts (e.g. Windows Script Host, PowerShell and HTA) and installers.
Why: All non-approved applications (including malicious code) are prevented from executing.
2. Patch applications
Patch applications e.g. Flash, web browsers, Microsoft Office, Java and PDF viewers. Patch/mitigate computers with ‘extreme risk’ vulnerabilities within 48 hours. Use the latest version of applications.
Why: Security vulnerabilities in applications can be used to execute malicious code.
3. Configure Microsoft Office macro settings to block macros
Configure Microsoft Office macro settings to block macros from the internet, and only allow vetted macros either in ‘trusted locations’ with limited write access or digitally signed with a trusted certificate.
Why: Microsoft Office macros can be used to deliver and execute malicious code on systems.
4. User application hardening
Configure web browsers to block Flash (ideally uninstall it), ads and Java on the internet. Disable unneeded features in Microsoft Office (e.g. OLE), web browsers and PDF viewers.
Why: Flash, ads and Java are popular ways to deliver and execute malicious code on systems.
5. Restrict administrative privileges to operating systems and applications
Restrict administrative privileges to operating systems and applications based on user duties. Regularly revalidate the need for privileges. Don’t use privileged accounts for reading email and web browsing.
Why: Admin accounts are the ‘keys to the kingdom’. Adversaries use these accounts to gain full access to information and systems.
6. Patch up operating systems
Patch/mitigate computers (including network devices) with ‘extreme risk’ vulnerabilities within 48 hours. Use the latest operating system version. Don’t use unsupported versions.
Why: Security vulnerabilities in operating systems can be used to further compromise systems.
7. Multi-factor authentication
Multi-factor authentication, including for VPNs, RDP, SSH and other remote access, and for all users when they perform a privileged action or access an important (sensitive/high-availability) data repository.
Why: Stronger user authentication makes it harder for adversaries to access sensitive information and systems.
8. Daily backup
Daily backups of important new/changed data, software and configuration settings, stored disconnected, retained for at least three months. Test restoration initially, annually and when IT infrastructure changes.
Why: To ensure information can be accessed again following a cyber security incident (e.g. a ransomware incident).
Is cyber proofing costly for businesses?
Yes - the issue is that there is no return on investment, e.g. investing in cyber does not increase profit or lower operating costs. Cyber proofing protects an organisation so that they can operate, so it could be considered as insurance.
In large organisations, cyber security is now considered a board issue and often discussed at the board level, but with SMEs it is harder for those discussions to occur.
Late last year, the government announced a $10 million cyber security initiative. How important is it for the government to get involved in helping SMEs navigate this issue?
Federal and state governments have a key role to play in protecting SMEs. For SMEs, the issue relates to awareness and access to resources that can help them to improve their security.
It has been recognised that SMEs are the weakest link in the Australian cyber security chain, so more has to be done to help and support SMEs.