In our last blog on cyber security, we looked at some of the results from our ‘Transforming Role of IT in Australian Mid-Market Organisations’ report, which showed alarming levels of unpreparedness for addressing a growing number of more determined crooks and more sophisticated threats.
On the bright side, respondents showed strong levels of awareness, with security coming in first on the list of priorities for IT managers in 2019.
The problem is that finding the time, resources and leadership from management remain major hurdles for many organisations despite mounting evidence that the costs of cyber breaches are increasing.
The risk and regulatory imperative
According to Cisco’s 2018 SMB Cybersecurity Report, 29% of US mid-market companies that reported security breaches in 2018 estimated the experience cost them between US$1m and US$2.5m, more than half incurred financial damages of over US$500k, and Australian estimates are in-line with those figures.
Last year’s introduction of Australia’s Notifiable Data Breach (NDB) laws added a new layer of risk, complexity and potential costs for all Australian organisations turning over more than AU$3m a year.
Failure to meet the data breach notification requirements of the Office of The Australian Information Commissioner (OAIC) can incur severe sanctions including fines of up to AU$2.1m for organisations at the moment – a figure that the Federal Government is looking to increase to AU$10m for repeat offenders. The OAIC also has powers to fine individuals for failures of duty.
Three quarters of all data breaches reported under the NDB last year were the result of ID theft (phished, lost/compromised credentials, or poor password strength/renewal procedures).
That’s a lot of cats for IT managers to herd while at the same time looking ahead at delivering on their primary strategic goals and, as our survey showed, many organisations are simply not prepared.
First thing’s first: establish your current security footing
At Brennan IT, we advocate following the Fun4, or the fundamental 4 actions that you need to complete in order to identify your current security posture and establish and grade the work needed to fill your security gaps:
Step 1: Conduct a vulnerability assessment
This is a review of your systems to define, identify, and then classify the security holes that you have in your computers, network, and communications infrastructure. During it, you should forecast how important they are to fix as well as what would need to be done to do so. The process involves an active analysis of your systems for any potential vulnerabilities that could result from poor or improper system configuration, known and unknown hardware or software flaws, or operational weaknesses.
WHY? Many cyber incidents involve the exploitation of vulnerabilities. Since Australia’s Notifiable Data Breaches Scheme began, there have been an average of 2.6 breaches reported every single day and 139 data breaches were the result of a malicious or criminal attack, and of these, 69% involved cyber incidents.
Step 2: Review your technical security configuration
Review and update your technical security configuration so as to harden your overall resilience and remove common exploits typically used during internal penetration testing. When your next internal penetration test is conducted, the tester will need to find other methods to exploit the network, resulting in increased value from the testing and an improved security posture.
WHY? Your security settings play an essential role in safeguarding your organisation against external threats. Yet many organisations are using dated or inappropriate settings, which can be easily exploited.
Step 3: Conduct a user-access review and password audit
Conduct an account review and password exposure audit against your active directory domain. The audit analyses active directory to look for different failure types which can leave your organisation vulnerable to an attack.
WHY? Unnecessary access rights and obsolete accounts are among the most common causes of security compromise. The issue and risks are amplified when combined with weak and poor password practices. Verizon’s recent Data Breach Report showed the use of stolen credentials (hacking) is the number one threat action in confirmed data breaches.
Step 4: Undertake a security maturity assessment
A fundamental requirement of the Australian Privacy Act is that you’re regularly assessing your organisation’s risk. Assess yourself against the latest security threats, understand your organisation’s overall security posture in multiple areas (including how well informed and trained your staff are), and then evaluate the associated risks that might come from them at any given time. You can use this as a roadmap for mitigating cyber security threats, as a blueprint for future assessments, and basis to develop a step-by-step plan on how you can improve your overall security level.
WHY? As IT environments become increasingly complex and technology changes constantly, it can be difficult to stay on top of your organisation’s security or even know where potential issues exist.
Managed Services Providers: sharing the load
An evolved Managed Service Provider (MSP) can help you to establish your current security footing and develop the right policies and deploy the correct technologies to keep your organisation secure.
Many have been evolving in recent years, building their in-house experience, expertise and solutions to ensure you’re safe from cyber criminals, safe from yourselves and operating within the law. Not only are they offering additional best-in-market security services outside of their traditional support offering, but they’re baking a security-first approach into everything that they do.
This last point is especially critical, as cyber security is often not about technology, but your people and what they do and it’s in this area that many Australian organisations are struggling. More than a third of respondents (37%) to our recent survey admitted that they don’t conduct any security training at all and 41% said it’s something they tend to less than once a year.
Managed Services Providers can do the tail-gunning for the IT team, paying attention to the policies and programmes that are in-place, evolving as and where necessary, monitoring staff and their approach – correcting and training where necessary.
Moving beyond basics, a good Managed Services Provider will be proactive around your security. It’s no longer good enough to address only critical weaknesses; look for a provider that is not only regularly documenting and sharing all weaknesses with you, but who are proactively patching them for you in real-time, so you never have to be concerned.
Don’t ever accept ‘medium-risk’ as a reason for complacency.
Australian organisations have entrusted Brennan IT to build, manage and secure their IT ecosystems for over 20 years. Talk to us today about how we can help create the security and data protection settings you need and must have in today’s complex digital landscape.