Cyber Security

10/06/2021

Have that Cyber Security Conversation now.

The following article was written by one of our HR Today members - Business IT. It is important that you have cyber security measures in place to protect your intellectual property and sensitive information from theft and damage. All too often we see organisations whose sensitive information has been stolen by hackers plastered across media outlets while they are in damage control, trying to recover their data. See the full article below:

"Think back over 20 years to the phenomenon known as Y2K, or more commonly 'the millennium bug', and the chaos that was slated to occur due to the anticipated disruption in our then somewhat antiquated computer systems from a potential issue with the formatting and storage of calendar data for dates after the year 2000. The fear that was created left some with the view that electronic devices would simply stop working. Now the cyber world faces threats that are more malicious in nature and driven by people. These hackers are in it for financial gain and can completely devastate a business to the point of rendering it unable to operate.

Who would have thought 30 years ago that the cyber world would become so important to the functioning of our everyday lives? With that come the security risks associated with the technology and systems we use to perform even the simplest daily digital tasks in both our professional and personal lives.

Covid-19 has fast-tracked the surge in 'remote workforces' and the use of cloud technologies and collaboration tools like Zoom and Microsoft Teams, and has transformed the way in which we work and access the tools we need from wherever we are. How safe our data, privacy and infrastructure are against attacks and breaches depends entirely on the level at which we decide to protect ourselves, and that involves some serious consideration. For many businesses this can be a complete unknown: where do you start? Taking the time now to understand and educate yourself about the risks, threats and vulnerabilities in your system infrastructure could mean avoiding a catastrophic breach in the future and help you build a resilient cyber protection plan.

Typically, small to medium enterprises outsource the management of their cyber security to a proactive IT managed services provider. A good cyber-conscious IT provider will deliver a comprehensive risk management plan to mitigate breaches, along with a disaster recovery plan should an attack infiltrate your systems.

Many companies can be deterred by the additional cost to their already stretched IT budgets, but put in perspective, not doing it can cost thousands per hour in downtime and bring an entire company to its knees. Take the recent cyber attack on the Waikato DHB, where staff were forced to record notes and important information on paper. This not only made information difficult for other health professionals to access, but will also mean a clean-up to input all the data missed during the system downtime, which will take months and most likely cost the DHB a pretty penny or two!

Costing models for a cyber security package have evolved over time, and gone are the days when an up-front price to purchase the security application applied, tapping into your capex budget. Subscription-based security applications allow you to turn services on and off as needed month by month, allowing full scalability as your business grows or changes, which makes this really appealing to most SMEs.

Keeping abreast of changing risks and security best practices is vital, and your managed service provider will monitor these. However, it is important that as a business owner or manager you understand, and educate your own team about, the risks associated with your digital environment, as an alarming statistic is that around 90% of breaches are due to human error. Creating a 'security first' mentality within your own business's digital culture is a great start. A security awareness training programme is a common way to do this. Part of this training involves a simulated phishing or CEO impersonation attack which is generated and emailed to your team. Upon opening or clicking on the malicious email they are taken to a training page that educates them about how to detect future potential dangers, and all of this training is done in a safe environment with full visibility to IT managers, who can identify any patterns of behaviour in their team. Your managed service provider can set up a campaign mimicking the most relevant examples and covertly send it out to your people.

Password strength is another area you can create greater security awareness around. Passwords must be long and strong. Short passwords take only hours for an attacker to guess; long and strong passwords can take thousands or millions of years to crack. Having a unique password that is not used on any of your other accounts is important, so that if you do have a breach, it is contained to that one account. Phrases make perfect passwords: not only are they easy to remember, but they can be unique to you. Ensure that you use four or more random words in your passphrase, or look around and pick four random items, for example sanitiserplantchairphone. Avoid using family names, birth dates or addresses. Keeping your passwords safe is important, and a password manager application is a good way to do this; it is a bit like a digital vault, keeping all your passwords safe and encrypted. Your managed services provider can discuss options for your business to implement this.

A good cyber security package will offer multi-layered protection. This includes:

  1. A reliable antivirus at both an endpoint and DNS level. A reputable antivirus product will actively be uncovering new threats, crawling the internet several times a day to look for them and analysing real data to identify any potential cyber threats.
  2. Your cyber security package should include advanced malware protection, which fights threats that antivirus software isn't advanced enough to stop. Malware, once it has infiltrated your system, has the ability to infect entire organisations and the contacts of an organisation.
  3. Also important is email content security filtering using a trusted detection and email filtering application. This will help block external phishing or fraudulent messages from reaching the intended victim.
  4. Dark web monitoring adds another layer of protection by scanning the dark web in real time to identify any breaches involving compromised employee credentials, and alerting you that it is time to change passwords because those credentials are up for sale on the dark web.
  5. 2-Factor Authentication is an extremely effective tool to verify that your users are who they say they are. Two-factor authentication strengthens access security by requiring two methods to verify your identity. For instance, something you know, like a username and password, plus something you have, like a smartphone to approve authentication requests.
  6. An endpoint remote management application will detect and automatically notify your managed service provider should a cyber breach occur on your system, allowing quick action to be taken to mitigate any further disruption.

All of these cyber security tools can be deployed to almost any infrastructure combination, whether your systems are hosted on-premise, in the cloud or in a hybrid environment.

That covers off how best to reduce the risk of becoming a victim of a cyber attack. But what happens if a nasty virus or malware does infect your system? How do you recover? The best answer to that is having a comprehensive backup that allows for easy spin-up to prevent data loss and minimise the cost of lost productivity while this occurs. A good business continuity and disaster recovery plan will detail the processes and procedures to recover data in the event of a disaster or security breach. Also to consider is the importance of backing up the Microsoft 365 suite. While SaaS (Software as a Service) applications like Microsoft 365 have built-in redundancy that protects against data loss on their cloud servers, this doesn't protect against user error, accidental or malicious deletion, or ransomware attacks. So, for instance, if you have a rogue employee who deletes all their emails and you discover this after a period of time, you have no way of recovering those unless you have a SaaS Microsoft 365 backup to do it with. Microsoft does not take responsibility for restoring data if you lose it, and calls this its 'Shared Responsibility Model' for data protection. That is why it recommends a third-party SaaS backup in its user agreement.

It seems like a no-brainer, right? You'd be surprised how many businesses are completely underprepared and unaware of the intrinsic risks of the digital world. Your first and best step is to have an honest conversation with your managed service provider, identify whether there are any gaps in your cyber security armour, and work out how best to engage your team to embrace a digital safety awareness approach to keep your business safe."
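The passphrase advice in the article (four or more random words, unique to each account) can be checked with a little arithmetic. The following is an added example, not code from the article or from Business IT. The short word list is constructed only so the generator runs offline; the two attacker guess rates are assumptions standing in for a GPU rig against a fast unsalted hash and for a properly tuned slow password hash, and the entropy figures depend only on the size of the pool and the number of picks.

```python
import math
import secrets

# Constructed sample word list so the demo runs offline. A real generator draws
# from a large published list such as the 7,776-word Diceware/EFF long list;
# the entropy maths takes the list size as a parameter for that reason.
SAMPLE_WORDS = [
    "sanitiser", "plant", "chair", "phone", "window", "kettle", "pencil",
    "carpet", "lamp", "stapler", "bottle", "mirror", "clock", "cable",
    "folder", "speaker",
]

DICEWARE_LIST_SIZE = 7776   # standard Diceware / EFF long word list
PRINTABLE_ASCII = 95        # characters available to a random password

# Assumed attacker guess rates (assumptions, not figures from the article):
# a GPU rig against a fast unsalted hash vs. a tuned slow hash such as bcrypt.
FAST_HASH_RATE = 1e10
SLOW_HASH_RATE = 1e4

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def entropy_bits(pool_size: int, length: int) -> float:
    """Entropy of `length` independent uniform picks from a pool of `pool_size`."""
    return length * math.log2(pool_size)


def crack_years(bits: float, guesses_per_second: float) -> float:
    """Expected years to find the secret: on average half the keyspace is searched."""
    return (2.0 ** bits / 2.0) / guesses_per_second / SECONDS_PER_YEAR


def generate_passphrase(words, count: int = 4, sep: str = "") -> str:
    """Pick `count` words with a CSPRNG; `random.choice` is not suitable for secrets."""
    if count < 1:
        raise ValueError("a passphrase needs at least one word")
    return sep.join(secrets.choice(words) for _ in range(count))


def strength_report():
    """Compare the kinds of secret the article discusses under both guess rates.

    Returns {label: (bits, years_against_fast_hash, years_against_slow_hash)}.
    """
    cases = {
        "8 lowercase letters": entropy_bits(26, 8),
        "8 random printable chars": entropy_bits(PRINTABLE_ASCII, 8),
        "4 Diceware words": entropy_bits(DICEWARE_LIST_SIZE, 4),
        "6 Diceware words": entropy_bits(DICEWARE_LIST_SIZE, 6),
    }
    return {
        label: (bits, crack_years(bits, FAST_HASH_RATE), crack_years(bits, SLOW_HASH_RATE))
        for label, bits in cases.items()
    }


if __name__ == "__main__":
    print("example passphrase:", generate_passphrase(SAMPLE_WORDS, 4, "-"))
    for label, (bits, fast, slow) in strength_report().items():
        print(f"{label:26s} {bits:5.1f} bits   fast hash: {fast:10.3g} y   slow hash: {slow:10.3g} y")
```

Under these assumed rates, eight lowercase letters (about 38 bits) fall in seconds to a fast hash and in months to a slow one; four Diceware words (about 52 bits) hold for roughly two days against the fast hash but thousands of years against the slow one; six words (about 78 bits) push even the fast case into the hundreds of thousands of years. The lesson for the conversation with your provider is that "hours versus millions of years" depends as much on how the service stores the password as on how long the passphrase is, and that the random choice must come from a CSPRNG, not from whatever is on your desk.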

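The 2-Factor Authentication item in the article's list ("something you have", such as a phone) is, when the phone shows a six-digit code rather than a push prompt, the TOTP scheme of RFC 6238 that authenticator apps implement. The following added example is not code from the article or from Business IT; it shows both sides of the exchange: enrolling a secret, the phone computing a code, and the server verifying it with a clock-drift window and a replay guard. The account name and issuer in the demo are hypothetical placeholders, and the RFC 4226/6238 test key appears only so the code can be checked against the published test vectors.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from urllib.parse import quote

# Test key from RFC 4226 / RFC 6238 (ASCII "12345678901234567890"), used only
# for self-checking against the RFCs' published vectors. Real deployments
# generate a fresh secret per user with new_secret().
RFC_TEST_KEY = b"12345678901234567890"
RFC_TEST_KEY_B32 = base64.b32encode(RFC_TEST_KEY).decode("ascii")


def hotp(key: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time (what the phone computes)."""
    return hotp(key, at // step, digits)


def new_secret(nbytes: int = 20) -> str:
    """Fresh per-user shared secret, base32-encoded as authenticator apps expect."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii")


def provisioning_uri(secret_b32: str, account: str, issuer: str) -> str:
    """otpauth:// URI that is encoded into the enrolment QR code."""
    return (f"otpauth://totp/{quote(f'{issuer}:{account}')}?secret={secret_b32}"
            f"&issuer={quote(issuer)}&algorithm=SHA1&digits=6&period=30")


def verify_totp(secret_b32, code, at=None, window=1, last_counter=None, step=30, digits=6):
    """Server-side check of a submitted code.

    Accepts codes from `window` steps either side of now (clock drift), compares in
    constant time, and refuses any counter at or below `last_counter`, so a code that
    was already accepted cannot be replayed within its validity window.
    Returns (accepted, counter); the caller stores `counter` as the user's new last_counter.
    """
    key = base64.b32decode(secret_b32, casefold=True)
    at = int(time.time()) if at is None else at
    now_counter = at // step
    for delta in range(-window, window + 1):
        counter = now_counter + delta
        if last_counter is not None and counter <= last_counter:
            continue  # replay guard: this step has already been used
        if hmac.compare_digest(hotp(key, counter, digits), str(code)):
            return True, counter
    return False, None


if __name__ == "__main__":
    # Hypothetical account and issuer for the enrolment step.
    secret = new_secret()
    print(provisioning_uri(secret, "alice@example.com", "ExampleCorp"))
    now = int(time.time())
    code = totp(base64.b32decode(secret), now)          # what the phone would display
    ok, counter = verify_totp(secret, code, at=now)     # first use
    print("first use accepted:", ok)
    print("replay accepted:", verify_totp(secret, code, at=now, last_counter=counter)[0])
```

Two design points matter in practice. The comparison uses `hmac.compare_digest` so a timing difference does not leak how many digits matched, and the server must persist the last accepted counter per user; without that, a code intercepted by phishing can be replayed for up to 90 seconds with the default one-step window. Push-approval apps avoid the code entirely but are vulnerable to prompt fatigue instead, which is the reason to pair either form with the awareness training the article describes.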