The threats to Australia’s businesses are on the rise. The Australian Government has identified that businesses that cannot afford dedicated IT support are most at risk of being exploited or held to ransom.
But there are some straightforward things businesses and individuals can do (or not do) to protect themselves.
Here are five bad cyber habits businesses should break right now to help secure their digital world.
1. Not having an incident response policy in place
A strong cyber security strategy is essential to protecting your business, and the building blocks for this is planning ahead and have a response policy in place should the worst happen.
The first step in making any business cyber resilient is to understand your risks and have an incident response plan and process in place. This will ensure you know how to quickly and effectively respond to a breach by having some processes in place. This does not need to be an expensive or an onerous exercise. It can be as simple as having policies and processes in place for when something happens.
This would include knowing who your advisors are in the event of a breach and their contact details, and having a process in place to communicate to your customers.
Australia has notifiable data breach legislation for when a data breach is likely to result in serious harm to an individual whose personal information is involved. Understanding your obligations for reporting both to regulators, law enforcement and your customers is important, as well as having a process in place before anything happens.
2. Skipping staff awareness and training
We all know the proverb ‘a chain is only as strong as its weakest link’. Never is this truer than in cyber security, particularly with pandemic and lockdowns seeing people increasingly work from home full time.
Staff should undertake awareness training, which includes sending them sample ‘phishing emails’ every month to keep them aware of the issue and on the lookout for those indicators.
Training should be regular, practical, and baked into daily systems and processes. By integrating cyber security awareness into your staff’s day-to-day, you’re enabling up your business’ frontline defences. This is an effective (and cost effective) way to reduce your ’ overall risk profile, and to keep staff educated and alert to cybersecurity threats.
3. Overlooking Endpoint Protection on all computers and mobile devices
With the trend and need to work from home, businesses need to consider what they doing to safeguard their data and customers data.
With data being accessed from anywhere at any time, via the cloud, the whole concept of a protected corporate network with a known perimeter has changed – as have the security methods. Because of this, it’s important to ask: have I fully secured my business endpoints – PCs, laptops and mobile devices staff are using? Endpoints need to be secured as they can provide access to your network and confidential data at any time. This includes any BYO technology that people are using in the workplace or increasingly their own equipment when working from home.
Network security policies for endpoint devices should be in place before they are granted access to network or cloud resources, which might also include restrictions for certain devices and users.
This can be as simple as making sure multi-factor authentication is enabled for users outside of the corporate network to having anti-virus, encryption and VPNs and ensuring your staff are undertaking awareness training every month
4. Not doing your due diligence on your IT provider
Most businesses rely on an IT service provider for everything from setting up emails and maintaining their website to network security and troubleshooting when anything goes wrong.
On the security front this includes things like backups, endpoint protection, cloud security, network security, and detection and response. What options does your IT provider have to provide a comprehensive security monitoring solution? Would they even know if you were hacked?
All businesses should ask their IT providers what options they have to further protect their data. What systems are they have to put in place? What’s their security experience and do they have the skills to deal with the situation if your business were to be hacked tomorrow? Can your IT provider help you if the worst happens? Or will you have to go somewhere else?
5. Inadequate Cyber Insurance Coverage
All businesses should have cyber insurance coverage in place.
Once cover is in place, businesses should also assess if the amount of cover is suitable. Quantifying risk and understanding the implications of a data breach will help determine the amount of coverage you need. If needs be, seek legal advice or an experienced cyber security specialist to determine whether your policy is sufficient.
Hacks happen, and when they do, cyber insurance provides businesses with access to expensive industry professionals, cost-free as part of their coverage, to put in place a plan of attack and recover the situation.
When recovering from a security breach, it is also important to close those vulnerability loops moving forward, by identifying specific security controls required and optimising against known attack methods
When it comes to cyber security, businesses need to remain eternally vigilant to detect and prevent threats, reduce vulnerabilities and maintain visibility and control of their operational environment and data.
Identifying risk and vulnerabilities and putting in place the necessary tools you need to control potential threats is an invaluable investment in your business. Reducing your risk profile and having a plan for when things go wrong provides peace of mind and the ability to bounce back from disruptions and retain customer confidence.
Where to from here?
If the above has raised any concerns about the security of your business, learn more about Nexon’s unique approach to managed cyber security