The duties that fall on the shoulders of CIOs and their IT organisations – even modestly sized IT organisations, can be very challenging.
They range from:
- keeping pace with the digital innovations of global leaders, delivering the IT-enabled services customers have come to expect
- maintaining corporate environments comprised of legacy on-premise infrastructure and perhaps private cloud and public cloud instances
- supporting a mix of company-owned and employee-owned (BYOD) desktops, laptops, tablets and smartphones
All that, plus reacting to digital predators who could be located anywhere in the world, using data analytics, swarm-bots and AI (Artificial Intelligence); just looking for vulnerabilities such as unprotected endpoints, poor password protocols,
Notifiable Data Breaches legislation
We have started seeing the early results of the new Notifiable Data Breach legislation enacted in our neighbour, Australia. Note that, while these are Australian observations, and no such legislation exists in New Zealand yet, the very troubling results so far in Australia should be seen as likely indicators for similar legislation in NZ.
The first quarterly report of the Notifiable Data Breaches scheme by the Office of the Australian Information Commissioner (OAIC) noted that 8 data breaches were reported in the scheme’s first week – with an additional 55 incidents reported during the month of March 2018 alone.
Human error was the single biggest factor named in the breaches, accounting for 50.7%. Malicious and criminal attacks were a further 44.4%.
Personal contact details were compromised in 78% of incidents.
What are the consequences of data breaches?
- In Australia, the average cost is $139 per compromised record – with 41% of companies which had more than 1000 records impacted
- For publically listed companies, research shows that stock prices drop 5% in the aftermath of a breach disclosure
- Failure to comply with the NDB scheme can attract fines of $2.1million
- Of the $139 cost per compromised records, $60 is the cost of containment and assessment – that means more than half the cost comes from managing customer churn.
- Marketing campaigns, media management and rebuilding customer trust take time and money
Prevention is the best strategy. And cyber criminals don’t discriminate by business size.
Quoting from a recent article in New Zealand’s Reseller News, the Privacy Commissioner John Edwards expects data breach notification to become mandatory in New Zealand as part of changes to the Privacy Act now being drafted by the Ministry of Justice.
In the wake of a huge 2016 hack of Yahoo email accounts, a service then used by Spark locally, Edwards again pushed the case for mandatory reporting & has expressed a warning that the country’s competitive trade advantage overseas is at risk because current privacy laws have fallen behind international standards.
What can we do?
There are some fairly complex tasks that can be performed that can reduce security risk. One is to perform a data classification exercise – defining all instances of data that include personal information about employees and customers. Each instance of these data transactions is a potential attack.
- How secure are these instances?
- Who gains access to these data transactions?
- What devices have access to them?
Another is to identify and map so-called “attack surface.”
Wikipedia describes “attack surface” in the following way.
The attack surface of a software environment is the sum of the different points (the “attack vectors“) where an unauthorised user (the “attacker”) can try to enter data to or extract data from an environment.
Keeping the attack surface as small as possible is a basic security measure.
iT360 has qualified engineers who are experienced in the area of IT security and can perform and provide for you a holistic security audit.
Cyber Security in 2022: Preventing Data Breaches in Your Organisation
Use security software and keep it updated
Device security is critical. Mobility has enabled devices to be anywhere, anytime.
How protected are your devices, including BYOD devices?
iT360 sells & sets-up commercial HP EliteBook laptops that offer security protection against visual hacking with Sure View, against infected PDFs with Sure Click, and against hacking of lost or stolen devices with up to 3-factor authentications, using Intel Authenticate technology.
Whatever devices you use, think about how to provide these levels of protection.
And don’t forget any IoT endpoints you may have at the far corners of your organisation.
Still speaking of devices, what are your policies and processes for keeping devices at the latest levels of operating system and applications?
And what about patching?
Prioritise security patches over bug fixes and new features.
Put regular actions into place to identify which vulnerabilities cyber criminals are currently exploiting and understand how well (or not) your OS levels and how patches deal with them.
Monitor and track which employees have what devices and what level of OS and patching they currently use.
Don’t open suspicious emails or click on links
Ransomware, along with other phishing scams and malware, often comes through emails. Email security, along with continuous training (see below) will greatly reduce your risks.
Train your people – early and often
“People can be the weakest links in your defenses – if people don’t understand how ransomware works, they’re not going to look for them.” —Peter Bailey
“It’s really hard for firewalls to block all these if they come through and someone clicks on a link or an attachment and releases the ransomware on to the system. It then locks up their files and they have to get a key to unlock it, and the hackers charge a ransom for the key,” Bailey said.
If an employee touches a computer, they need cyber security training.
Train employees about how to handle emails, embedded URLs in emails, and phishing scams, whether by email or phone. But remember, 91% of cyber attacks start with an email. Train early and train often.
Back up your data
“Everyone should back their data up off site on a regular basis. Then if you get hacked, you can just get rid of the locked-up files, flush your system then restore it from the backup server, so you don’t have to deal with the ransomware at all.”
Don’t pay ransoms
“We never recommend paying the ransom. You don’t know if you will get the key and the hacker may see you as a good source of cash and target you again. And some of them don’t write very good code so even if you get the key, it is likely it won’t work.”
Guard your personal information
“Hackers are after data they can sell online. Computer records that include dates of birth, addresses, and things like that, these guys grab that stuff and resell it on the Dark Web.”
Standardise a corporate protocol for passwords.
Set a minimum number of characters. Establish what mix of upper case and lower case, numbers and special characters you want. Consider implementing two-factor authentication. Create processes that force employees to update their passwords on a regular schedule. Do not permit recycling of a previous password.
If you want to learn more about how you can protect your passwords, you can enroll in our free email series on passwords.
Security is difficult and highly complex. Device management can easily consume large amounts of your IT bandwidth and resources.
Consider engaging a managed services provider such as iT360 to manage your fleet for you. This can be done with a simple fee per device per month.
For more information, and to find out how iT360 can help you with firewall managed services, security consulting or managed servers, please contact us.