Big-name breaches are making the headlines week after week. Some of the most notable ones include BUPA, Zomato, River City Media, Verizon and HipChat. In addition, more and more Australian companies, including MYOB and Energy Australia, are being impersonated by cyber-criminals in large-scale malware campaigns.
It's important for security specialists to stay on top of the latest threat vectors. They need to be able to identify security weaknesses, vulnerabilities, risks and exposures for organisations of all sizes, from all industries. Despite the differences in their core businesses, one subset of organisations shares a common position, and that is the SMEs.
The myth that SMEs tend to believe is that they aren't a target for cyber-crime, or that the risks that apply to large businesses and enterprises don't apply to them.
Well, the bad news is that cyber-crime doesn't discriminate: all organisations, no matter their size, are exposed to the same threats.
A recent survey conducted by the Australian Cyber Security Centre (ACSC) has revealed that 90% of Australian organisations have faced some sort of cybersecurity compromise. And, as seen with Petya and WannaCry, the same cyber risks and exposures apply to businesses of all sizes, regardless of their industry. In fact, as the larger organisations get better at protecting themselves, SMEs are fast becoming the new target for cyber-crime.
And while the myths are being debunked, don't think that malicious cyber-attacks are only launched by sophisticated cyber-criminal groups. The reality is that with modern hacking tools and YouTube, you don't need to be a specialist to cause severe damage in an unsecured network. A security breach could be initiated by a disgruntled ex-employee, a bored teenager, or someone trying to gain information on one of your clients via your systems. Hacking tools are widely accessible and are designed to breach networks covertly or cause maximum destruction.
If that isn't enough to get you thinking about cyber-security, as of February 2018 new laws will require organisations to notify the Privacy Commissioner and their customers if they have experienced a data breach. Failure to comply can attract fines of up to $360,000 for individuals and $1.8 million for organisations. So start taking action and be in the pool of organisations that don't have anything to report!
In a world where cyber-crime is inevitable, how do you protect yourself?
The team at Kiandra often talk about the layers of security for business: the more layers you have in place, the more security and protection you have, so a multi-layered approach to mitigating security breaches is advised. At a minimum, the base-level preventative measures an organisation has in place should include:
- Staff awareness training and regular testing (do your staff know what common attacks look like? Would they have been fooled by the MYOB or Energy Australia emails? Do they know the latest threats, and are they exercising common sense?)
- Making sure that your IT team puts in place the necessary security controls (intrusion prevention systems, endpoint protection, whitelisting and lockdown, network and email protection, firewalls, etc.)
- Documented and tested incident response policies and procedures for cyber-attacks
- Penetration testing (a trained professional attacks your systems from a malicious hacker's perspective to uncover security vulnerabilities and weaknesses within an environment)
You can't stop a hacker, but you can make it as hard for them as possible. By combining the more traditional security measures (firewalls, intrusion prevention systems, web filtering, email filtering and virus protection) with penetration testing, staff awareness training and appropriate insurance, you can keep a business on stable financial footing should a significant security event occur.
Daniel Weis is the Lead Penetration Tester and Head of Security Services at Kiandra IT. Dan has over 22 years' experience in IT, in a range of different industries, and was one of the first 10 people in the world to become a Certified Ethical Hacker.
Dan heads up Kiandra's team of cyber security experts, proactively assessing company and government networks to increase their security posture so that they do not become the next 'headline'.
Earning the nickname "The General" as a result of his multitude of industry qualifications, Daniel also holds an additional 22 industry certifications.
In his spare time Daniel undertakes research on the cybercrime underground, facilitates training sessions for budding ethical hackers, is a regular on the speaker circuit and is an active participant in a variety of renowned security and industry programs. For more information, visit kiandra.com.au.