If you missed the debut of our podcast, “The Tech Factor”, don’t worry—here’s everything you need to know about cyber security, including our top five measures to protect your company against cyber criminals:
A recent news story revealed that Austal, the ASX-listed shipbuilder and defence contractor for the Australian government, was compromised in late 2018 by an attacker who used login credentials purchased from the dark web. It was eventually discovered that 40 different versions of “Password123” and “Austal123” were used throughout the Austal business, some of them even after the break-in.
Moral of the story: the weak link in any system, no matter how secure it may otherwise be, is often its users. That’s why it doesn’t matter how big your business or its budget is. If there’s one thing you can immediately implement for the sake of your cybersecurity, it’s the use of complex passwords.
Cybercriminals aren’t kids guessing passwords in their bedroom; on the contrary, they know what they’re doing. This can even include utilizing algorithms that input company names and generate basic combinations of common password elements.
Even having a password methodology is a risk, because if it’s too formulaic, then just one breach can mean your whole system becoming vulnerable to attack. If you must adhere to an internal methodology when choosing your passwords, keep that methodology internal. Never share your company’s password requirements!
When it comes to password security, the trick is to make it easy for you to remember and hard for others to guess. If you can’t memorize a random series of letters and numbers without risking writing it down, then use keywords that have nothing to do with your industry coupled with numbers that have no significance to you. The more nonsensical, the better. For example, if you work in IT, choose a password like, “Dolphin234!” It’s got numbers, special characters, and a mix of upper and lowercase letters. More importantly, it’s both easy to remember and impossible to guess. Without a decent password, it’s not a matter of whether you’ll be compromised—it’s just a matter of when.
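One way to enforce this when a password is set or changed, as an added example that is not from the original article: a check that rejects passwords built from the organisation name or a common base word, even when padded with digits, written with look-alike characters or reversed. The word list, the substitution table and the function names are assumptions chosen for illustration.

```python
"""Reject passwords derived from the organisation name or a common base word."""
import re

# Constructed sample list (assumption); production deny-lists are far larger.
COMMON_BASES = {"password", "welcome", "letmein", "qwerty", "admin"}

# Small, assumed table of look-alike substitutions to undo before matching.
SUBSTITUTIONS = str.maketrans(
    {"0": "o", "1": "i", "!": "i", "3": "e", "4": "a", "@": "a",
     "5": "s", "$": "s", "7": "t"}
)


def org_terms(org_name):
    """Words of the organisation name (4+ letters) plus the joined name."""
    words = re.findall(r"[a-z]+", org_name.lower())
    return {t for t in words + ["".join(words)] if len(t) >= 4}


def check_password(password, org_name):
    """Return the reasons a password is predictable; empty list if none found."""
    # Lower-case and undo substitutions so "P@ssw0rd" and "Password" match.
    normalised = password.lower().translate(SUBSTITUTIONS)
    haystacks = (normalised, normalised[::-1])  # also catch the word reversed
    reasons = []
    for term in sorted(org_terms(org_name)):
        if any(term in h for h in haystacks):
            reasons.append(f"contains organisation name '{term}'")
    for base in sorted(COMMON_BASES):
        if any(base in h for h in haystacks):
            reasons.append(f"contains common base word '{base}'")
    return reasons


if __name__ == "__main__":
    # Constructed candidates, checked against the organisation name "Austal".
    for candidate in ["Austal123", "Password123", "P@ssw0rd2018!", "latsuA#77"]:
        print(candidate, "->", check_password(candidate, "Austal") or "no match")
```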
When you log into a system that uses a two-factor mechanism, it’ll send you a numerical code via text message or email, which you must then type into the application before you can proceed. Its purpose is to verify your identity quickly and securely.
Two-factor authentication is a staple of cyber security, and there’s no real reason not to use it. In fact, Google statistics from May 2019 showed that an SMS code sent to a recovery phone number helped block 100% of automated bot attacks, 96% of bulk phishing attacks, and 76% of targeted attacks. Adding simple measures like this to your security strategy can truly make all the difference in the world.
Further food for thought: the cloud can be as dangerous as it is beneficial. You can access it from anywhere—so can a cyber criminal. Therefore, at the bare minimum, anything accessed in the cloud needs to have two-factor authentication in place. Even though some platforms, such as Office 365, don’t require it at set-up, you should always enable this feature. Do everything in your power to keep your data safe.
Aside from accounting software and the usual, your personal life can benefit from two-factor authentication as well. When you can strengthen your weakest link and augment your security level with such a simple, single solution like this one, there’s just no excuse not to use it.
Cyber security culture in the workplace means the promotion and encouragement of safe practices as the logical and right thing to do—not only for the individual, but for the good of the group. It’s about making employees cognizant of potential threats so that they’ll amend their own behaviors in order to mitigate those risks. Therefore, in your interactions within your organization, keep in mind the following goals:
As long as you show that you take company security seriously, your employees are likely to follow. For the few who may be more apathetic, you’ll want to tackle the problem as early in the hiring process as possible. Introduce cyber security as a core value of your company from the outset, if possible. In a moment, we’ll discuss exactly how to embed it into the very culture of your organization.
Through training, we distill culture. If you want to really tighten your step number three, remember that it’s tied together with step four (and vice-versa). Culture and training go hand-in-hand.
There is a surprising variety of different forms of cyber security training. It can even be hands-on, audience-involved, and take place interactively in front of a group of people.
It’s also important to know that one-off training isn’t sufficient. Regular training sessions can seriously help, especially where employee turnover is concerned. It’s great to reinforce this subject at least once a year, but hitting it every six months or so is going to be even better for your safety in the long run.
Most people have heard of the dark web, but don’t quite have a picture of what it is or what it means for cyber security.
The visible internet is the tip of an iceberg—only a small fraction of what’s present online. The dark web is what you can’t access just by typing a URL or even by using search engines. Beneath the surface of the water, however, is a deep layer of computers, devices, and servers that all communicate with each other, and most of its activities are inherently illicit. Here, cyber criminals often collaborate to steal people’s data in mass-scale attacks. Some of them are wholesalers who will sell your information, along with other people’s, in bulk to other criminals.
If you weren’t fully aware of this situation before, don’t panic. Nowadays, you can use different tools to scan the dark web and see what, if any, of your sensitive information can be purchased. These tools then notify you or your company of exactly what data is available on the dark web.
Travelex is the largest multinational foreign exchange company. On the first day of December, 2019, the company’s entire system went offline when a ransomware gang gained access to its network and downloaded 5 GB of customer data, including birthdays, credit card information, and national insurance numbers. The hackers threatened to sell this data unless Travelex paid them $2.3 million in bitcoin.
Travelex did pay the ransom—but there’s no guarantee that that data won’t be sold, if it hasn’t been already.
At the end of the day, we are dealing with very large, sophisticated cybercriminal networks that require money to join, because of course, there is money to be made with them—at your expense. The bottom line: they will eventually find a way in, and they’ll try to do whatever they can to ruthlessly extract funds from your organization.
Make use of the options at your disposal. Tools like Dark Web ID allow you to monitor whether any of your clients’ credentials are exposed on the dark web, and in this example, it’s actually pretty affordable. Everyone’s cyber security has been compromised on some level at some point in time, but the proper preparation can help you attack the problem at its roots before it has a chance to grow.