Tag Archives: Cyber Security

Cybersecurity, Essential Eight, Strategy, Technology

Why you should implement Application Control within your business

Why you should implement Application Control within your business

In today’s digital world, businesses of all sizes are increasingly reliant on software applications to streamline their operations, enhance productivity and interact with customers. This dependence on so many applications, however, also exposes organisations to various Cyber Security risks.

To help mitigate these risks, a powerful tool to protect businesses from cyber threats is application control. This provides direct control over the applications running on an organisation’s networks.

What is Application Control?

Application Control is only allowing approved applications to run on systems to prevent malicious software from running. Unlike traditional antivirus software which focuses on identifying and blocking malware, application control software takes a proactive approach by explicitly only allowing authorised applications to run. By enforcing strict control policies, this software ensures that only approved applications can be executed, reducing the possibility of attacks and minimising the risk of unauthorised access, data breaches and malware infections.

Essential Eight is a list of eight security strategies that the Australian Cyber Security Centre (ACSC) believes will provide a strong foundation for Cyber Security, and the framework is highly recommended by the government for businesses to implement. The first measure listed in Essential Eight is application control, showing just how effective it can be in protecting your business from cyberattacks. Keep in mind, though, that application control should not be the only Essential Eight strategy your business implements, and along those lines, Essential Eight should not be used in isolation to protect your organisation.

Key Benefits for Businesses

Preventing Unauthorised Software

One of the primary advantages of application control is its ability to prevent unauthorised software from being installed and used. By creating whitelists of approved applications, businesses can restrict employees from running potentially harmful or unverified software. This proactive approach reduced the risk of introducing malware or malicious code into the network, safeguarding sensitive data and intellectual property.

Minimising Vulnerabilities

Cybercriminals often exploit vulnerabilities in outdated or unpatched applications to gain unauthorised access to systems. Application control software can help businesses by monitoring and managing application versions and updates. By ensuring that all applications are up to date, businesses can reduce the likelihood of successful attacks through known vulnerabilities.

Enhancing Compliance

In highly regulated industries, like finance and healthcare, compliance with industry standards and data protection regulation is critical. Application control helps businesses meet these requirements by enforcing security policies and restricting the use of non-compliant applications. By maintaining a secure and compliant software environment, organisations can avoid hefty fines, legal implications and reputational damage.

Streamlining Incident Response

In the event of a security incident or breach, application control plays a vital role in incident response. By controlling the software environment, organisations can quickly identify and isolate compromised applications, limiting the impact of the incident and preventing its movement within the network. The ability to enforce restrictions and block unauthorised applications aids in containing the breach and restoring normal operations promptly.

Challenges of Implementing Application Control

While application control software offers several benefits for enhancing Cyber Security, there are some potential inconveniences associated with its implementation. It is important to consider these factors to ensure that businesses can strike a balance between security and operational efficiency.

Administrative Burden: Implementing application control software requires significant effort and ongoing maintenance. Creating and managing whitelists of approved applications can be time-consuming, especially for large organisations with a wide range of software dependencies. Regular updates and adjustments to application control policies may also require extensive coordination among IT teams and various business departments.

Compatibility and Integration Challenges: The software used for application control must be compatible with the diverse range of applications used within an organisation. Ensuring seamless integration with existing systems and workflows can be complex, particularly when dealing with legacy applications or custom-built software. Compatibility issues may require additional configuration or customisation, leading to delays and potential disruptions.

False Positives and False Negatives: Application control software relies on accurate identification and classification of applications to determine their status (allowed or blocked). However, false positives (legitimate applications mistakenly identified as unauthorised) and false negatives (potentially malicious applications not identified) can occur. False positives can disrupt operations, while false negatives may lead to security breaches. Regular monitoring and fine-tuning of application control policies are necessary to minimise these issues.

User Experience and Productivity Impact: Overly restrictive application control policies can result in reduced user productivity and frustration. If legitimate applications are mistakenly blocked or unauthorised applications are allowed to run, employees may encounter obstacles in performing their tasks efficiently. Striking a balance between security controls and user experience is crucial to maintain productivity while ensuring a secure security posture.

Impact on Innovation and Flexibility: Application control may sometimes get in the way of trialling new or emerging technologies within an organisation. Strict control policies may limit the ability to experiment with new applications or tools, potentially hindering innovation and agility.

Increased Dependency on Updates and Patching: Application control software relies on accurate information about application versions and updates to maintain security. Businesses need to stay vigilant in ensuring that they promptly apply patches and updates to both the application control software itself and the applications it monitors. Not doing this can introduce vulnerabilities or can prevent the control measures from functioning properly.

Sandboxing

One of the biggest concerns with application control is the need to test any updates or new applications through what is called, sandboxing, before it can be installed on the organisation’s systems. This generally takes about 24 to 48 hours, but you might find that some enterprise organisations, like banks, sandbox for up to a month to test for any threats before verifying the application.

Sandboxing each new application and update before using them in a business environment, while inconvenient for both staff and your managed service provider that needs to do this, is a critical practice that offers several benefits in terms of security, stability and risk mitigation.

Security Testing: Sandboxing allows you to test applications and updates in a controlled environment before installing them on your production systems. By isolating the software in a sandbox, you can observe its behaviour for potential security risks without putting your network and sensitive data at immediate risk. This helps identify and mitigate any vulnerabilities, malware or malicious activities associated with the application or update.

Risk Mitigation: Applications and updates can introduce unforeseen issues or conflicts with existing software or configurations. By sandboxing, you can assess the impact of these changes without jeopardising the stability and performance of your systems. Sandboxing enables you to identify and resolve compatibility issues, system conflicts or unexpected behaviour before implementing the software.

Protection against Malware: Malicious software, such as viruses, ransomware or Trojans, can infiltrate your network through compromised applications or updates. By sandboxing, you can run these potentially malicious software packages in an isolated environment, preventing them from infecting your actual systems.

Testing Application Performance: Sandboxing allows you to assess the performance and resource requirements of applications and updates. By monitoring their behaviour in an isolated environment, you can determine the impact on system resources, such as CPU, memory or disk usage. This evaluation helps you understand the application’s performance characteristics and ensure that it meets your business requirements without negatively impacting your production systems.

Compliance and Regulatory Requirements: Many industries have specific compliance and regulatory requirements that require thorough testing and validation of applications and updates. By sandboxing and evaluating software in a controlled environment, you can ensure that it meets the necessary security and compliance standards before introducing it into your production systems. This helps maintain data privacy, protect sensitive information and adhere to industry regulations.

What is ThreatLocker?

At Pronet, a software we implement within our clients’ systems to whitelist applications is ThreatLocker. It offers advanced features and capabilities to help organisations effectively manage and control the applications running on their networks. As a base, it employs a strong application whitelisting approach, allowing businesses to create a list of approved applications.

It also follows a zero-trust security model, meaning that it treats all applications as potentially untrusted until they are explicitly approved. This approach enhances security by ensuring that every application is thoroughly evaluated and authorised before execution, mitigating the risk of introducing malicious or unauthorised software.

ThreatLocker provides granular control over how applications interact with other areas of your IT systems, such as networks, files, folders and registries. This level of control allows businesses to fine-tune their security policies based on specific requirements. It allows organisations to enforce different access permissions and restrictions for different user groups or departments, enhancing security without impacting productivity.

The software also offers comprehensive reporting and auditing capabilities, providing visibility into application usage and security events. It allows businesses to generate detailed reports on application activities, policy violations and security incidents. ThreatLocker can integrate with other security solutions, such as antivirus software, firewalls and intrusion detection systems, to provide a layered defence strategy. This integration enables organisations to leverage multiple security measures and strengthen their overall Cyber Security framework.

Since ThreatLocker is a software Pronet uses, we know just how powerful it is and therefore, can recommend it.

In an era where cyber threats are a constant concern, businesses must prioritise Cyber Security measures to protect their assets, data and reputation. Application control software serves as a critical component in the overall Cyber Security strategy of businesses by allowing direct control over the software applications running on the network. By preventing unauthorised or potentially malicious applications from running, businesses can significantly reduce the risk of cyberattacks, data breaches and operational disruptions.

Cybersecurity, MSP, Technology

What is Malware?

What is Malware?

Malware is an umbrella term for malicious software that is designed to harm, damage or steal information from your computer, mobile device, service or network without your knowledge or consent.

Malware can wreak havoc on your computer or device and can infect your computer like a disease, and just like a disease, it can be difficult to detect and eradicate.

Just think about it: you work hard to keep your device safe and secure, but then some twisted individual creates a piece of code that can infiltrate your system and wreak havoc. Malware can steal your personal information, such as passwords, credit card numbers and banking details, and use it for criminal purposes. It can encrypt your files and demand a ransom to unlock them, leaving you helpless and vulnerable. It can also slow down your computer, crash your system and even render it useless.

Malware comes in many different forms, and it can be disguised as innocent-looking files or programs. You might unknowingly download it from a sketchy website or receive it in an email attachment from a seemingly trustworthy source. Once it’s on your system, it can quietly and quickly spread throughout your files and folders, infecting everything in its path. You can be hit by malware through email attachments, malicious advertising on popular sites — called malvertising, — through fake software installations, infected USB drives, infected apps, text messages and most commonly, phishing emails.

Malware is constantly evolving and becoming more sophisticated. Hackers and cybercriminals are always looking for new ways to exploit vulnerabilities in computer systems and software. Even with antivirus software installed on your computer, you must be vigilant and cautious when downloading files and opening emails and if you deal with sensitive or personal data, antivirus software is not enough.

When did malware start being used?

The history of modern viruses begins in 1982 with a program called Elk Cloner, which started infecting Apple II systems. It was spread by infected floppy disks which spread to all disks attached to a system.

Viruses developed as they began to be specifically written for Microsoft’s Windows Operating System in the 90s, particularly through infectious code written in the micro language of Microsoft Word. The viruses infected documents rather than actual applications.

Worms began to develop and spread across popular instant messaging networks in the early 2000s, such as through MSN Messenger and Yahoo Messenger and they used social engineering along with a link to a malicious download for people to click. These would then infect your system and send the malicious link to everyone on your contact list.

In the late 2000s, adware attacks grew through unwanted pop-ups that could not be closed, sometimes exploiting legitimate software to spread. Around 2008, software publishers began suing adware companies for fraud and shut most of them down. Tech support scams these days employ similar tactics to these old adware attacks. After this, malware scammers began turning to social networking sites like Myspace to send fake advertisements, links to phishing pages and malicious applications. Scammers now do the same with Facebook and Twitter.

Between 2013 and 2014, a form of ransomware called CryptoLocker began targeting Windows computers, forcing victims to pay to regain access to their systems. This gave rise to the current era of ransomware attacks.

Trojans, exploits — malware that takes advantage of bugs and vulnerabilities in systems — and malvertising became popular forms of ransomware with huge outbreaks in 2017, such as the worldwide cyberattack now known as the WannaCry ransomware attack.

Crypojacking, or using someone’s device to mine cryptocurrency with the victim’s resources, became prominent in 2017, with ransomware making a comeback in 2018 when criminals began targeting large businesses.

What are the different types of malware?

There are a lot, but here are some of the most common types:

  • Viruses: Often comes in an attachment through an email or attached to an online download that holds the part of the malware that performs the malicious action. Once the file is opened, the device is infected.
  • Ransomware: Installs itself onto a machine, encrypts files or locks the entire device and then demands a ransom to return the data to the user. This is a particularly nefarious tactic, as it preys on people’s fear of losing their valuable files and data.
  • Scareware: When messages pop up while you’re browsing the web, such as, ‘Warning: your computer is infected with a virus,’ which then scares you into clicking the link or into purchasing a fake application.
  • Worms: Can copy themselves from machine to machine through weak security in software or the operating system.
  • Spyware: A program installed on your device without your knowledge that collects personal information, browsing habits and details of the user. Spyware is used by government agencies, law enforcement and IT security organisations but is also available to consumers to spy on their partners, children and employees.
  • Trojans: These pretend to be harmless or legitimate applications that trick users into downloading and using them which then steal personal data, crash devices, spy on the user or launch attacks.
  • Adware: Unwanted and annoying advertisements that flash on the screen or come through as a new pop-up window.
  • Fileless Malware: These use legitimate programs to infect devices and are difficult to detect and remove as they don’t rely on files and leave no footprint.

There are a range of signs to inform you that your computer has been compromised. Read here to learn what these are.

How to protect yourself from Malware?

Even though there is a magnitude of different types of intricate malware being used by cybercriminals, there are also an array of ways to protect yourself from them.

These can be as simple as protecting your devices by keeping your operating systems and applications updated, never clicking links in pop-ups, limiting the number of apps on devices, being selective about which sites you visit, being wary of emails asking for personal information, not opening email attachments from unknown sources and checking your bank accounts regularly.

Contrary to popular belief, Macs also get malware, although not as often as Windows operating systems. Mac’s built-in protection doesn’t block all adware, spyware, trojans and keyloggers —where malware records all the user’s keystrokes on the keyboard. Mobile devices are also targets for cybercriminals, from adware, Trojans, spyware, worms and ransomware all able to be used, especially as most people don’t protect their phones as diligently as they do their computers. These days, phishing attacks through clicking on links, and scam calls are common phone cyber threats.

For businesses, protection can become a bit more complicated as your entire team is generally using and reliant on technology, so there are many avenues for human error. Protecting yourself at a business level means using strategies like two-factor authentication, application control and performing daily backups as an infiltration can be incredibly detrimental, costing large sums of money, possibly breaching The Privacy Act and losing customer trust.

For this reason, the Australian Government has highly recommended that businesses implement Essential Eight, a Cyber Security framework that businesses can measure their Cyber Security maturity against. Click here to read more about the framework and how your business can implement it.

Implementing Cyber Security measures can be costly and, at times, inconvenient, but when the integrity and longevity of your business are at risk, businesses must improve their security measures.

Malware is a serious threat to your computer and personal information. It’s important to take steps to protect yourself against malware by using antivirus software, being cautious when downloading files and opening emails and seeking help if you suspect that your computer has been infected. Don’t let malware destroy your digital life — stay vigilant and take action to keep your computer safe and secure.

Cybersecurity, IT Support, Technology

The difference between scam emails

The difference between scam emails

Have you ever received an email that seemed too good to be true or one that left you feeling confused or concerned? If so, you may have been the target of a scam email. Scammers use a variety of tactics to try to trick you into giving them money, personal information or access to your computer.

Social Engineeringis a term describing how cybercriminals research both your business and employees. Employees not in the IT field often aren’t as aware of cyber threats as those that are, so criminals target these employees through human vulnerabilities or social engineering.

These days there are so many different types of scams that it can be hard to keep track of all of them. This article will try to explain some of the most common ones you might encounter, both personally and as a business.

Spam: spam is an unsolicited email, text or social media message which is fairly easy to spot but can be damaging if you open them or respond. Think of spam like junk mail, it’s about sending unsolicited emails about products and services to bulk lists. Common types of spam include coupons, adult content, donation solicitations and unwanted newsletters. They are usually commercial in nature and not inherently malicious, just a nuisance.

According to Guardian Digital, spam email accounted for 54 per cent of global email traffic in 2020. Even though, on average, spammers only receive one reply for every 12,500,000 emails sent, spam emails are seen as highly profitable due to the sheer number of emails sent per day and the fact that the expense of these emails is borne mainly by recipients.

Phishing: phishing is an email sent from a cybercriminal that is disguised as an email from a legitimate and trustworthy source, like a telco, bank or the ATO. The message is designed to lure you into clicking a link that installs malware onto your computer that then captures any personal information/login-in credentials you input somewhere, or into directly revealing sensitive or confidential information on the site they send you to. Phishing scams are often used to target specific individuals who have access to valuable data, such as HR or finance employees. They use social engineering to create highly convincing emails. Identity theft often results from being a victim of phishing. Similarly, Vishing is a process through voice, like phone calls, and Smishing is this process through SMS chats.  

According to Astra, 92 per cent of Australian organisations suffered a successful phishing attack in 2022, showing a 53 per cent increase from 2021. As phishing is one of the most common types of email scams, there is a range of clues to help you recognise one.

  • Messages requesting your username and/or password
  • Time-sensitive threats like how something will happen if you don’t respond immediately
  • Spelling and grammar mistakes throughout the email
  • Vague or missing information in the ‘from’ field or email signature
  • Vague, impersonal or awkward greetings
  • Any unexpected files within the email or automatically downloading
  • Links that don’t refer to the sender/organisation
  • Emails about accounts you don’t have
  • Emails ‘from’ celebrities
  • Asks you to reply to opt out of a service
  • Highly emotional or charged language
  • If you’re unsure if an email is legitimate, always head to the sender’s website on a webpage, not through a link in the email, or call the sender.

Spear Phishing: this occurs when criminals find information about you from websites or social media and then customise a phishing scheme for you.

Spoofing: when criminals impersonate another individual or organisation with the intent to gather personal or business information.

Pharming: when a malicious website impersonates a legitimate website to gather usernames and passwords. This can happen by creating websites with similar URLs or by covering up QR codes with codes linked to malicious websites.

Other Scams

419 Scam: also known as the Nigerian Prince scam. In this type of email, the sender will claim to be a wealthy individual or a government official who needs your help transferring large sums of money out of their country. They will offer you a percentage of the money in exchange for your assistance, but in reality, they are just trying to trick you into giving them your personal information or money.

Lottery/Prize Scam: these emails will claim that you have won a large sum of money or a prize, but to claim it, you need to pay a fee or provide your personal information. Of course, there is no prize, and the scammers are just trying to trick you into giving them your money or personal information.

PayPal/PayID Scam: this one originates from selling products online, such as through Facebook Marketplace and while not directly related to your business, it might be beneficial to inform your employees of it. Essentially, when you list an item to sell, you will often receive a message from someone wanting to immediately purchase the item without wanting to see it. They often try to garner sympathy, explaining how their family member will pick it up, and then ask for your email connected to your PayPal or PayID account. They then explain how they’ve tried to send the money, but have received an email telling them that they need to send $500 more to expand your transfer limit. When you look at your email, you find you have this email too and they demand your promise that you will send the $500 back if they send it through. The entire operation is a scam, with the email being one that they created and you will never receive any money.

Unknowingly falling for any one of these attacks can cause your business’ data to be stolen, and can cause financial loss, reputational damage, significant business downtime and even permanent business closure.

As a business owner or decision-maker, it is your responsibility to build a culture of Cyber Security awareness in your company and fill in the gaps in your team’s Cyber Security knowledge and understanding. If you need tips on how, contact your MSP for help.

You can mitigate spam and phishing attempts by implementing a layered cloud email security solution with the help of your MSP.

It’s important to be vigilant when it comes to scam emails. By understanding the different types of scams, you can better protect yourself and your personal information. Remember, if an email seems too good to be true or makes you feel uncomfortable, it’s probably a scam. Be sure to never give out your personal information, click on suspicious links or attachments or send money to someone you don’t know. By staying informed and cautious, you can help protect yourself from scam emails.

Cybersecurity, Essential Eight, MSP, Technology

Why you’re never too small to be hit by a cyberattack

Why you’re never too small to be hit by a cyberattack

Hearing about the recent cyberattacks on large companies like Optus, Medibank, Latitude, Crown and Meriton, it’s easy to think that such attacks only happen to large companies or organisations, but the truth is that cybercriminals are targeting small businesses more than ever before. In fact, small businesses are the target of 43 per cent of cyberattacks, and the frequency of these attacks is only increasing.

Unfortunately, many small business owners have the misconception that they are too small to be a target of cyberattacks. They assume that hackers only go after the ‘big fish’ — this is not the case. The truth is that cybercriminals view small businesses as low-hanging fruit because they typically have fewer resources and less sophisticated Cyber Security measures in place.

Another common misconception is that only businesses that handle sensitive information such as credit card details or personal information are at risk of being targeted. While it is true that businesses that handle sensitive information are a prime target, cybercriminals can attack any type of business and can cause significant damage to a company’s reputation, finances and operations. Your business might be just one stage of a supply chain and if yours or another within that chain becomes compromised, the rest are at risk of being affected.

Who could be a threat to your business?

Threats can come from anywhere, not just random internet criminals mass spamming email addresses. Criminals come in all shapes and sizes, such as an individual or even an organisation that looks and runs as a legitimate business. Threats can come from:

  • Cybercriminals: those who are illegally trying to access your hardware, software and data, to disrupt your business or to obtain information or money.
  • Current clients: disgruntled clients could try to compromise your information.
  • Competitors: business competitors could try to gain access to your clients or data to gain an advantage over your business.
  • Current or former employees: this could be through an accidental or intentional compromise of your business’ information.

How can an SME become a target of a cyberattack?

Small and medium-sized businesses can fall victim to various types of cyberattacks. This could be through theft or unauthorised access of your company’s hardware, computers and mobile devices, through infecting devices with malware like viruses, ransomware and spyware, by attacking your tech or website, by attacking third-party systems or companies you do business with or by sending socially engineered phishing emails and texts containing malware. These attacks can lead to data breaches, financial losses, business disruption and damage to a company’s reputation.

While at the outset, your business might not be directly targeted as your data is not seen as valuable as another’s, your business is still going to be hit by indirect cyberattacks. These predominantly come in the form of phishing emails, where scammers send an email masquerading as a legitimate and reputable company with the aim of getting you to click a malware link or insert your personal or login details. According to Astra, 92 per cent of Australian organisations suffered a successful phishing attack in 2022, showing a 53 per cent increase from 2021. If your staff are unaware of what these look like, no matter how personalised they are for your business, your business will get infiltrated and voila, you’ve just been hit by a cyberattack.

According to a study by IBM, the main cause of 95 per cent of Cyber Security breaches is human error. Human error in a security context means unintentional actions, or lack of action, by employees that cause, spread or allow a security breach to occur. This could be something as simple as accidentally clicking a link that downloads and installs malware or failing to use a strong password. With work environments becoming more nuanced, such as working from home, in multiple offices or needing to use a diverse range of applications to complete day-to-day tasks, it can be difficult to keep up with each user’s activities, the number of usernames and passwords needing to be remembered and all the inconvenient security measures that the company puts in place, like two-factor authentication.

While people make mistakes, this presents a simple starting point for businesses to protect themselves from cyberattacks: train employees on IT risks and how to recognise scams and phishing schemes.

The consequences of a cyberattack can be devastating for small businesses. Many small businesses lack the resources to protect their websites, accounts and networks or to recover from a cyberattack, and as a result, many of them go out of business within six months of the attack.

How can I protect my business from cyberattacks?

Small businesses need to take Cyber Security seriously and implement measures to protect themselves against cyberattacks. These measures can include installing firewalls, antivirus software and security patches, implementing strong password policies, providing regular staff training and conducting regular Cyber Security risk assessments.

We have many other posts about how to protect your company such as how to restrict administrative privileges (here) and by conducting a Cyber Security risk assessment (here) but for now, here are some simple ways to protect your company:

  • As mentioned, train employees on IT risks. This creates a Cyber Security culture within your business that encourages discussion around security and allows staff to ask questions if they ever are unsure.
  • Reduce opportunities for human error. Implement privilege control so that employees only have access to the data and software they need to perform their roles.
  • Create a clear policy on technology, such as employees using devices on company networks and having strong passwords, and then ensure these are being followed.
  • Have someone in charge of IT and security. If you’re heavily reliant on technology, it might be best to work with a managed service provider (MSP) to proactively monitor your systems and remove threats as they occur. They also ensure everything is backed up and can help your business by recommending IT systems that suit your unique business as well as grow your systems alongside your company growth.
  • Work with your IT service provider to implement the Essential Eight Cyber Security framework that the Australian Government recommends all businesses adopt. 

How an MSP can help with your IT systems

Managed service providers monitor your IT systems to stop threats in their tracks. By handing the responsibility of your systems off to someone else, it allows you as a business owner or decision-maker within your company to get on with the other daily tasks you need to complete. In business, you wear many hats and are often an expert in your field, so it’s time to hire a business that’s an expert in IT systems.

Even better, try to work with an MSP that is also an expert in Cyber Security. Oftentimes, these are two separate businesses, either you working with both an MSP and a Cyber Security company or the MSP working with the Cyber Security company.

At Pronet Technology, we are both. About six years ago, we began to learn more about and specialise in Cyber Security so that we could adequately protect our clients and their systems, as well as our own because a breach on either end could infect the other.

Did you know, according to IBM, the average time to identify and contain a data breach is 280 days? Working with Cyber Security professionals means that threats and data breaches can be detected, contained and fixed promptly and that your systems are constantly monitored. They will implement a range of strategies to protect your business, like testing new software and updates on isolated machines for any potential holes in security before then installing these on your devices as well as informing your business of any security risks and weaknesses in your defences.

No business is too small to be a target of cyberattacks. Small businesses are particularly vulnerable because they often lack the resources to implement sophisticated Cyber Security measures. Cyber Security should be taken seriously by all businesses, regardless of their size, to protect themselves against potential cyberattacks and minimise the risk of damage to their reputation, finances and operations. Your business, its customers and your suppliers are too important for you to believe that you’re never going to be hit by a cyberattack because you’re ‘too small’. You must be properly protected and prepared for when an attack happens.

Cybersecurity, MSP, Technology

How does my computer get hacked?

How does my computer get hacked?

The thought of our computers being hacked is a scary one. Unfortunately, it’s a very real threat in today’s digital age, so it’s a good idea to learn of some of the common ways that computers get hacked.

Phishing

Phishing attacks are one of the most common ways that computers get hacked. Cybercriminals use emails, text messages or phone calls that contain urgent messages to trick people into giving away their personal and financial information. These emails often look like they come from legitimate sources, such as banks or online retailers, and contain links or attachments that install malware on your computer. Unsuspecting staff can be unprepared for the sophistication of attacks so they should be up-to-date with the latest scam trends.  

Malware and other viruses

Malware is a type of software that is designed to harm your device. It can be installed on your computer through phishing attacks or by downloading and installing software from untrusted sources. Once installed, malware can do a variety of things, such as steal your personal information or take control of your computer. If a phishing attempt works and the link is clicked, your device gets infected and allows hackers access to the device, even to spy on you in the background.

Unsecured Networks

When you connect to an unsecured Wi-Fi network, you’re putting your computer at risk and cybercriminals can intercept your internet traffic and steal your information. It’s important to avoid unsecured networks and to use a virtual private network (VPN) when you need to connect to public Wi-Fi. Cybercriminals can also hack into your personal or work Wi-Fi network through weak passwords, outdated firmware and missed software updates in your router’s settings. Gaining access to your work or personal devices can be as easy as connecting to an unsecured or weak Wi-Fi network.

Weak Passwords

Weak passwords are an easy target for hackers. They use automated programs to guess passwords and gain access to your computer. It’s important to use strong, unique passwords for each of your accounts and to enable Two-Factor Authentication (2FA) for added security. Your passwords could have also been unknowingly stolen and sold on the Dark Web due to a data breach, making all your private accounts up for grabs. Hackers can then demand large amounts of money in exchange for the sensitive personal information they stole.

Software Vulnerabilities

Software vulnerabilities are weaknesses in software that can be exploited by hackers. When software companies become aware of these vulnerabilities, they release updates to patch them. It’s important to keep your software up to date to avoid falling victim to these attacks.

Social Engineering

Social engineering is the practice of tricking people into giving away their personal and financial information. Cybercriminals use social engineering tactics, such as pretending to be someone else or creating fake online profiles, to gain your trust and extract information from you.

Tech support scams

Another way for your computer to get hacked is when hackers contact you via email or pop-ups where they claim that your device has been compromised. They pose as reputable security companies and get you to call their tech support number to then ask for access to your computer to fix the ‘problem’, but then take control instead.

How can you tell if your computer has been hacked?

While your IT service provider should be constantly monitoring your systems for signs of hacking, here are some signs to look out for:

  • You receive emails about sign-in attempts that you never made
  • Your device becomes slow, overheated and starts to lag
  • You receive multiple pop-ups with messages claiming your device is infected with a virus
  • Actions happen on your computer on their own, like new tabs opening and apps launching
  • Your log-in attempts to accounts are unsuccessful
  • People around you mention they’ve received strange messages from you
  • You start receiving an influx of spam emails
  • You have suspicious banks account activity
  • Your browser has unfamiliar extensions and ad-ons
  • You keep getting redirected to unwanted websites while on the internet

What can you do now?

Unfortunately, protecting yourself is not enough, especially when everything is so interconnected these days. If your password was leaked in a company-wide breach, hackers can easily access your private accounts, computer or smartphone. Use a free leaked password scanner to scan the internet and check if any of your sensitive information is available to scammers.

If you believe your computer has been hacked, contact your MSP. Otherwise, here are some steps you can take:

  • Disconnect from your Wi-Fi network
  • Use antivirus software to scan for malware
  • Delete any suspicious apps
  • Update all your apps and operating systems
  • Changes all your passwords and start using Two-Factor Authentication
  • Wipe your device
  • Freeze your credit card
  • Check your financial statements
  • Warn those around you about the hack
  • Tighten security settings on your online accounts

As a business that has multiple devices and deals with a magnitude of important data, it might be time to have your IT systems managed by a Managed Service Provider. The IT Security and Cyber Security measures they implement and their constant monitoring of your systems will save you money in the long run and help the longevity of your business, among other great benefits. While you cannot 100 per cent prevent hackers from gaining access to your devices, your aim is to not be an easy target. Unless your business deals with high-value data or has connections to ones that do, if cybercriminals view your business as too difficult to attack, they will stop their pursuit.

As you’ve learned, computers can get hacked in many ways, from phishing attacks and malware to unsecured networks and weak passwords. It’s important to be vigilant and take steps to protect your computer from these threats. By using strong passwords, avoiding unsecured networks, keeping your software up to date and being wary of suspicious emails and messages, you can help keep your computer safe from hackers. So, take the time to implement these simple measures and protect your computer and your personal information from cybercriminals.

Cybersecurity, MSP, Technology

How does encryption work?

How does encryption work?

Did you know that by 2025, globally, the amount of data generated in the cloud or connected servers will reach around 463 exabytes, each day? One exabyte is one billion gigabytes!

This figure from SeedScientific highlights just how much data businesses collect and store and is the reason why data must be kept safe from breaches and other cyberattacks. One of the ways to do this is through encryption which is already used in many of our daily online activities without you thinking about it, like in our online banking, shopping and browsing.

Encryption is the digital equivalent of an unsolvable jigsaw puzzle. It’s a way of scrambling information so that only the intended recipient can understand it. Encryption is an essential part of modern communication and commerce, allowing us to send sensitive, confidential or personal information over the internet without fear of it falling into the wrong hands.

With businesses storing their information in the cloud or on servers with an ongoing connection to the Internet, your data is most likely going to end up on another organisation’s systems, so it’s important to keep this data private.

What is encryption?

At its most basic level, encryption involves taking a message or piece of data and scrambling it using a mathematical algorithm. This algorithm is designed to be extremely difficult to reverse, meaning that anyone who intercepts the message will not be able to read it without the encryption key, which the recipient has, which then unscrambles it back into plain, readable text.

Encryption protects the data you send, receive and store on devices, whether it be text messages, running logs saved on your Apple Watch or banking information sent through your online account.

How does encryption work?

Think of encryption as a secret language between two people, the language being called, cipher text. Imagine you and a friend agree to use a secret code where each letter of the alphabet is represented by a number. You can use this code to send messages back and forth without anyone else being able to read them, as long as they don’t know the code.

In the digital world, encryption works in much the same way. When you send a message or data over the internet, it’s first encrypted using an algorithm that generates a unique key. This key is a long string of random numbers and letters that is used to scramble and unscramble the data in a process called decryption. Without the key, the encrypted data is unreadable.

This key can be generated through a couple of methods. Through Bit Sequence, or key space, where it specifies the units for the number of possible key combinations, with the bigger the key space, the stronger the encryption; as well as through Password-Based Key Derivation Function 2 (PBKDF2) which creates keys from a random string of passwords which then goes through Bit Sequence.

Types of encryption

There are two main types of encryption:

Symmetric encryption: where the same key is used to encrypt and decrypt the data. With symmetric, both the sender and receiver must have access to the same key.

Asymmetric encryption: this uses a pair of keys, one public key and one private key. The public key can be shared with anyone, while the private key is kept secret. When someone wants to send a message to you, they encrypt it using your public key. Only you can decrypt the message using your private key.

Encryption is used in a wide range of applications, from online banking and shopping to secure messaging and file storage. It’s also used by governments and military organisations to protect sensitive information.

There are different types of encryption algorithms, such as the now-obsolete Data Encryption Standard (DES) established by the U.S. government in 1977; Triple DES strengthens the DES through encryption, decryption and another round of encryption; RSA is popular for its key length; Advanced Encryption Standard (AES) was developed as the U.S. government standard in 2002 and is used worldwide; TwoFish is one of the fastest algorithms used both in hardware and software and is free to use.

One of the most common encryption protocols used on the internet by reputable websites is SSL or Secure Sockets Layer. This protocol is used to secure connections between web browsers and servers, allowing you to safely enter sensitive information like credit card numbers and passwords. SSL works by establishing a secure connection between your browser and the server using a combination of symmetric and asymmetric encryption. You can tell a website is using this technology by looking for the padlock icon in the URL bar and the ‘s’ in the ‘https://.’

Ensure you and your staff are only using sites using SSL when you’re storing or sending sensitive data, like purchasing something, filing taxes or doing other business-related tasks. Most email clients also come with an encryption option in the setting menu, so check that this is available so that your emails are being sent over an encrypted connection and that each email is then encrypted.

Encryption and Cybercrime

Encryption can also be used by cybercriminals to attack you, such as in ransomware attacks. Other than ransomware breaches that steal your organisation’s data and demand a ransom to prevent them from releasing that data, another attack involves hackers encrypting computers and servers of businesses and then demanding a ransom to provide the key to decrypt the data.

To protect yourself and your business from ransomware attacks, install and use security software on all your devices and make sure these are up to date. Update your operating system and other software you use as these often patch vulnerabilities found by the vendor. Be incredibly wary about email attachments, never opening any you’re not specifically waiting for. If an email tells you to enable macro settings to open attachments, doing so can cause macro malware to infect your files. Make sure your data is backed up in multiple locations, such as on the cloud, so that you can simply go back to the unencrypted form if in a ransom attack and above all else, don’t pay the ransom. The Australian Government states not to as there is no guarantee the criminal will release your data back to you.  

Why is encryption important?

In our digital age, encryption matters. The internet comes with a magnitude of privacy concerns, both nationally and globally, and encryption is another layer of online privacy you can use to send your personal information securely. Government regulations also require industries to implement security measures that protect customers’ information, such as healthcare providers protecting patients’ sensitive information that is stored online and higher education institutions protecting student records. Any breach can cause an organisation to violate The Privacy Act 1988 and can see businesses facing hefty fines, data loss and loss of trust and reputation.  

Encryption is an essential part of modern communication and commerce. It allows us to send sensitive information over the internet without fear of it falling into the wrong hands. Whether you’re shopping online, sending emails or storing files in the cloud, encryption is there to keep your data safe. So, the next time you use the internet, take a moment to appreciate the technology that’s working behind the scenes to protect your privacy and security.

Cybersecurity, Essential Eight, Strategy

Does my business need to implement every aspect of Essential Eight?

Does my business need to implement every aspect of Essential Eight?

Essential Eight aims to get organisations to achieve a varied Cyber Security framework that spans the eight strategies so that they can improve their maturity of whichever strategy they are lagging. It’s an initiative that helps businesses understand the importance of Cyber Security within their organisation and gives them a framework on how to improve.

As the strategies are varied and quite specific, a business will not reach the maturity level it needs without any dedicated effort. We understand it can be a struggle to navigate the challenges of Cyber Security, especially since the higher the maturity level you reach, the more costs involved and the inconvenience it can be on yourself and your staff. It’s necessary though, as any cyberattack that occurs can be detrimental to your business, including unproductive staff, downtime, data breaches, ransom attacks, lost customer trust and reputation, high expenses plus any legal fees that may occur, and potentially could even see the closure of your company.

Does my business need to implement all eight strategies?

If you’re unsure what the eight strategies are, read this article here to learn.

Originally when Essential Eight was introduced by the Australian Cyber Security Centre (ACSC), now part of the Australian Signals Directorate (ADS), it suggested all organisations should aim to reach Maturity Level three. Businesses had to implement only four of the strategies — application control, patch applications, restrict administrative privileges and configure Microsoft Office macro settings — with the remainder being optional, and they were also able to self-assess their compliance.

With the updated version released in 2023, it aims for businesses to reach the same maturity level across the strategies before moving up to the next. What this means is that each of the eight strategies needs to be improved and lifted to your needed level. If seven of the strategies are at Level Two and one is at Level One, then your organisation’s Maturity Level is One. The newer version also introduces audits to check proper compliance.

For that reason, yes, your business needs to implement every strategy in Essential Eight. It’s the target level that determines how intensely you then implement these strategies.

Your business may not need to reach Level Three. This will be determined in your initial risk audit and assessments that you complete alongside a Cyber Security audit. Business owners and stakeholders must understand the risks that your business faces, as well as the costs associated with these and the consequences if they happen.

Is Essential Eight enough to protect my business?

Other than Essential Eight, your business should also have other Cyber Security practices in effect, including proactive monitoring of your networks and devices for malicious activity and regularly testing data recovery solutions so that when a cyberattack occurs, you can get your business back up and running. Essential Eight also doesn’t approach the task of the initial risk assessment that your business must undergo before implementing any Cyber Security strategy.

Essential Eight is simply a starting point for businesses to protect their digital assets. At current, the framework is about to become compulsory for all non-corporate Commonwealth Entities (NCCEs) so that Australia conducts business securely in the future to protect the country and its citizens. Now that so much of our lives and information is online, action needs to take place to protect this information. The government will be auditing NCCEs for compliance and, as part of their contracts, the NCCEs may require businesses they work with to also comply, meaning businesses may lose opportunities if they do not comply.

The framework is also highly recommended by the Australian Government for all other businesses, but we believe this will change soon to become mandated. Cyber Security attacks are growing, both in number and complexity. Criminals are using social engineering to trick staff into believing they are legitimate actors which then leads to disaster for businesses. Your business needs to aim to decrease as many of these opportunities, plus other complex threats, from reaching your staff, which Essential Eight can help achieve.

The ACSC themselves mention that:

While no single mitigation strategy is guaranteed to prevent Cyber Security incidents, organisations are recommended to implement eight essential mitigation strategies as a baseline. This baseline, known as the essential eight, makes it much harder for adversaries to compromise systems.”

What now?

Implementing Essential Eight is something we, as an MSP specialising in Cyber Security, have been working with our clients to do and is something we do with every new client we take on board. Cyber Security can ruin businesses, so it’s something that must be applied.

The maturity level your business requires depends on your business and circumstances, so during the assessment, make sure to ask questions like ‘What is the risk of an attack’ and ‘What does my business have to lose.’ Once you’ve determined the level, it’s then time to achieve this through implementation, reviewing and monitoring.

If you’re unsure where to go from here, we can help you along the journey. In addition, Pronet Technology can also help with broader and stronger Cyber Security strategies and offer services with advanced threat protection and detection.

Contact Pronet Technology today to learn how prepared your business is for Essential Eight and how we can improve your Cyber Security.

Cybersecurity, Essential Eight, MSP, Technology

Essential Eight and why your business needs to Integrate Cyber Security

Essential Eight and why your business needs to Integrate Cyber Security

In today’s world, IT systems are an essential part of any organisation. They help in improving efficiency, communication and productivity. However, with the increasing use of technology, the risks associated with IT systems have also increased.

You must know what Essential Eight is if you’re an Australian organisation. It’s a cyber self-assessment security maturity tool to help organisations reduce Cyber Security incidents caused by cyber threats

The government currently recommends that organisations implement the eight essential mitigations as a baseline but we believe this will change in the future to be mandated so it is something we advise our clients and prospects to implement.

Developed by the Australian Cyber Security Centre (ACSC) to protect Microsoft Windows-based internet-connected networks, the framework has four maturity levels for each business’ risk category.

  • Level Zero: not aligned with strategic objectives.
  • Level One: partially aligned with the objectives.
  • Level Two: mostly aligned with the mitigation strategy objectives.
  • Level Three: fully aligned with objectives.

The levels depend on your business’ risk status and data sensitivity. Level One businesses, for example, are not commonly targeted specifically, so they just receive the typical mass scam emails. Level Two has the potential to be targeted but criminals will often move on if they find the security systems to be too hard to breach. Level Three are where attackers primarily focus as they have high dollar value data, such as banks and telecommunication companies.

Why should your business measure against Essential Eight?

Essentially, Essential Eight is all about Cyber Security and can be seen as a baseline for businesses to measure their maturity against, but it should be just one part of a wider framework that you should have in place. Cyber threats are constantly evolving, so businesses need to adapt to disruptions caused by Cyber Security incidents so that they can maintain business operations. This includes detecting, managing and recovering from incidents. We have other articles on our blog relating to these, so please read those to understand what your business should be doing to protect itself.

By measuring your business against the framework, your business can increase its knowledge of Cyber Security in business and identify company risks and how to control them. It allows your business to create a roadmap going forward that you can tick off to know that your company is becoming secure, and it gives you something to assess your service provider with to ensure they are integrating the Cyber Security processes within your business.

Limitations of Essential Eight

As mentioned, Essential Eight should not be used in isolation to protect your organisation. It’s not a fully-fledged Cyber Security framework and will not protect you from ever having cyber threats. For example, if you’re at Maturity level Three, this will not stop adversaries with the time, money and effort to compromise your business.

The Essential Eight is currently just a loose framework for your business to get started with implementing Cyber Security strategies to protect your businesses. When data leaks can cause your business to be in breach of laws such as The Privacy Act, you need to ensure that you are adequately covered.

The framework is also primarily designed for Microsoft Windows-based businesses, which represent the majority of public sector organisations’ corporate environments, hence why it was introduced by the government. So, while it’s not specifically designed for other operating systems like Mac, Cloud, Operational Technology (OT) or Linux, you can still use it to support your organisation’s Cyber Security development.

So, what are the Essential Eight strategies?

The Essential Eight strategies are designed to address the most common types of cyberattacks that businesses face. They are practical, actionable and cost-effective. Here’s a brief overview of each of the Essential Eight strategies:

  1. Application control: This strategy involves creating a list of approved applications that can be executed on a system. By doing this, organisations can prevent malicious software from running on their systems.
  2. Patch applications: Regularly patching applications can help businesses fix vulnerabilities in their software. This reduces the likelihood of cyberattacks that exploit these vulnerabilities.
  3. Configure Microsoft Office macro settings: Cybercriminals often use Microsoft Office macros to deliver malware. Configuring the macro settings in Microsoft Office can help SMEs prevent this type of attack.
  4. User application hardening: Blocks or removes common software used to download or run malicious software and prevents malicious software from running on business’ networks.
  5. Restrict administrative privileges: Limiting administrative privileges can help businesses prevent malicious actors from gaining access to critical systems.
  6. Patch operating systems: Similarly, regularly patching operating systems can help organizations fix vulnerabilities in the underlying software. This reduces the likelihood of cyberattacks that exploit these vulnerabilities.
  7. Multi-factor authentication: Using multi-factor authentication can help organisations prevent unauthorised access to their systems. It involves requiring two or more forms of authentication before granting access.
  8. Daily backups: Regularly backing up data can help businesses recover from cyberattacks. In the event of a ransomware attack, for example, businesses can restore their data from a backup rather than paying the ransom.

While you might not understand the technical processes of each of the Essential Eight, your IT service provider should be implementing these strategies to help your organisation protect itself against cyber threats. Talk with your MSP to see how and if they’re implementing these into your business.

Does my business need to implement Essential Eight?

While it is not mandated to do so, the framework is highly recommended by the government for Australian businesses to follow. At Pronet Technology, we recommend your company start integrating the framework as soon as possible. Even though we’re an MSP, over the last five so years, we’ve been doing all we can to learn more about and specialise in Cyber Security as we believe it plays an integral role in the longevity of businesses.

While ACSC recommends all businesses be at maturity level 3, each organisation’s Cyber Security level depends on its business need, size and complexity. As a business, conduct a risk assessment alongside your IT service provider to determine, analyse and prioritise the gaps in your business that can be strengthened and then act on those.

There are always going to be some challenges to improving Cyber Security within your business. It could be that you lack the staff and funding or that you don’t have the knowledge to successfully implement Cyber Security. You could have other organisational priorities or believe ad-hoc security is enough. Some people in the business might not yet be on board or you just don’t know how to improve. Cyber Security runs throughout the business so it’s something that everyone needs to understand and come on board with.

Most companies these days outsource their IT systems to service providers. Make sure you know the cyber maturity of your MSP in relation to Essential Eight so that you can build a strong working relationship with the MSP to ensure your business is protected.

By implementing these strategies, SMEs can significantly reduce their risk of cyberattacks. Essential Eight is not a silver bullet, but it’s a great starting point for any organisation looking to improve its Cyber Security posture. It’s important to note that Cyber Security is an ongoing process, and businesses should continually assess and improve their security measures.

Cybersecurity, Essential Eight, IT Support

Who is a Cyber Security Risk Assessment for?

Who is a Cyber Security Risk Assessment for?

As we move towards a more digitised world, the importance of Cyber Security continues to increase. Cyberattacks have become more frequent, sophisticated and damaging over the years. It’s essential to ensure the safety and security of your organisation’s information and technology assets. One of the best ways to achieve this is by conducting a Cyber Security Risk Assessment.

A Cyber Security Risk Assessment is a process of identifying, analysing and evaluating potential risks and vulnerabilities in an organisation’s digital environment. It involves evaluating the security measures in place and identifying any weaknesses that can lead to data breaches, cyberattacks or other security incidents. The ultimate goal of a Cyber Security Risk Assessment is to develop a comprehensive security plan that minimises risks and protects an organisation’s digital assets.

Why is a Cyber Security Risk Assessment important?

The world is witnessing a surge in cybercrime activities. Hackers and cybercriminals are always looking for ways to infiltrate an organisation’s digital environment and exploit vulnerabilities. A Cyber Security Risk Assessment helps organisations identify potential risks and vulnerabilities in their digital environment, enabling them to take proactive measures to mitigate such risks.

A Risk Assessment also helps organisations to comply with various regulatory requirements such as The Privacy Act 1988. Compliance with such regulations is crucial, as non-compliance can lead to hefty fines, legal liabilities and reputational damage.

Who is a Cyber Security Risk Assessment for?

A Cyber Security Risk Assessment is for everyone, irrespective of the size or nature of the organisation. Any organisation that stores, processes or interacts with information over the internet is at risk of cyberattacks. Therefore, every organisation needs to conduct a Risk Assessment to identify potential risks and vulnerabilities and develop a comprehensive security plan.

Small and Medium-sized businesses (SMBs)

Small and medium-sized businesses (SMBs) often assume that they are not at risk of cyberattacks because they are small or don’t have much valuable information. However, this is not true. Hackers often target SMBs because they have weaker security measures in place, making them easy targets. Another fact that SMBs should be aware of is that most cyberattacks are non-targeted. It is likened to a fisherman casting a wider net to catch as many fish as possible instead of spending the time and resources to catch the ideal fish. Also, some criminals would prefer not to target high-profile companies for fear of being the centre of an investigation by government enforcement agencies like the Australian Federal Police. A Cyber Security Risk Assessment can help SMBs identify potential risks and vulnerabilities and take proactive measures to mitigate such risks.

Enterprises

Enterprises often have a complex digital environment, making it challenging to identify potential risks and vulnerabilities. A Cyber Security Risk Assessment can help enterprises assess their security posture and identify potential risks and vulnerabilities across their entire digital environment.

Government Agencies

Government agencies often store sensitive information such as citizens’ personal information, national security secrets and confidential data. A Cyber Security Risk Assessment can help identify potential risks and vulnerabilities in government agencies’ digital environment, enabling them to take proactive measures to protect sensitive information.

Healthcare Industry

The healthcare industry is one of the most targeted industries by cybercriminals. Electronic Health Records (EHR) and other digital healthcare information are extremely valuable to hackers. A Cyber Security Risk Assessment can help healthcare organisations identify potential risks and vulnerabilities and take proactive measures to secure their digital environment.

How is a Cyber Security Risk Assessment conducted?

A Cyber Security Risk Assessment typically involves the following steps:

  1. Scope Definition: Defining the scope of the assessment, including the digital assets to be evaluated, the assessment methodology and the expected outcomes.
  2. Asset Identification: Identifying all the digital assets within the scope of the assessment.
  3. Threat Identification: Identifying all potential threats and vulnerabilities to digital assets.
  4. Risk Analysis: Analysing the likelihood and impact of potential risks and vulnerabilities.
  5. Risk Evaluation: Evaluate the risks and vulnerabilities to determine the most critical ones.
  6. Risk Treatment: Developing and implementing a plan to mitigate identified risks and vulnerabilities.
  7. Risk Monitoring: Continuously monitoring the digital environment to identify any new potential risks and vulnerabilities.

It’s important to note that conducting a Cyber Security Risk Assessment is not a one-time process. The digital environment is continually changing and new threats and vulnerabilities can emerge at any time. Therefore, it’s essential to conduct regular assessments to ensure the digital environment remains secure.

A Cyber Security Risk Assessment is a critical process that every organisation must undertake to protect its digital assets. It helps identify potential risks and vulnerabilities, enabling organisations to take proactive measures to mitigate such risks. It also helps organisations comply with regulatory requirements, minimise legal liabilities and protect their reputation.

No organisation is immune to cyberattacks and the consequences can be devastating. Therefore, it’s essential to conduct regular Cyber Security Risk Assessments to ensure the digital environment remains secure. Don’t wait until it’s too late; conduct a Cyber Security Risk Assessment today and protect your organisation’s digital assets.

FAQs

  • What are the benefits of conducting a Cyber Security Risk Assessment?

Conducting a Cyber Security Risk Assessment helps organisations identify potential risks and vulnerabilities, enabling them to take proactive measures to mitigate such risks. It also helps organisations comply with regulatory requirements, minimise legal liabilities and protect their reputation.

  • What happens if an organisation doesn’t conduct a Cyber Security Risk Assessment?

An organisation that doesn’t conduct a Cyber Security Risk Assessment is at risk of cyberattacks, data breaches, legal liabilities and reputational damage. It can also face hefty fines for non-compliance with regulatory requirements.

  • Can small businesses benefit from conducting a Cyber Security Risk Assessment?

Yes, small businesses can benefit significantly from conducting a Cyber Security Risk Assessment. Hackers often target small businesses because they have weaker security measures in place, making them easy targets. Conducting a Cyber Security Risk Assessment can help small businesses identify potential risks and vulnerabilities and take proactive measures to mitigate such risks.

  • How often should an organisation conduct a Cyber Security Risk Assessment?

An organisation should conduct a Cyber Security Risk Assessment at least once a year or whenever there is a significant change in the digital environment.

  • What are the steps involved in conducting a Cyber Security Risk Assessment?

The steps involved in conducting a Cyber Security Risk Assessment include scope definition, asset identification, threat identification, risk analysis, risk evaluation, risk treatment and risk monitoring.

  • How long does a Cyber Security Risk Assessment take?

The duration of a Cyber Security Risk Assessment depends on the size and complexity of the digital environment being assessed. However, it typically takes anywhere from a few weeks to several months to complete.

Cybersecurity, Essential Eight, MSP, Technology

Using Two-Factor Authentication in your business

Using Two-Factor Authentication in your business

Multi or Two-Factor Authentication (2FA) is an incredibly effective way to prevent cybercriminals from accessing your business’ systems, services or applications. We’re all accustomed to the standard username and password model, but 2FA requires users to present two or more different pieces of evidence when logging into their accounts.

These can be things like a username and password (something you know), authorisation through a multi-factor authentication application (something you have) or a fingerprint (something you are). In an everyday scenario, while PayPass has made it obsolete, except for withdrawing money, when making a purchase, you used to need a bank card (something you have) and a pin (something you know).

While there is some highly advanced new tech that can overcome 2FA, by requiring two factors for authentication, 2FA makes it much more difficult for cybercriminals to gain unauthorised access to sensitive data and systems, even if they have obtained the user’s password through a phishing attack or other means.

Other than 2FA software that your business can use on your network, like Windows Hello, oftentimes, third-party vendors also have an option for this service to be used. Make sure to go into settings to set this up or contact the vendor to ask how.

When should Multi-Factor Authentication be implemented?

As an SME, you may not think that you have valuable data or assets that are worth protecting. However, any business that collects customer data, such as names, addresses and credit card information, is at risk of a data breach. In addition, if your business has any proprietary information or trade secrets, such as manufacturing processes or customer lists, you could be at risk of industrial espionage. Even if you don’t believe your data is worth protecting, the mere risk of a cyberattack interrupting your business operations is worth considering.

Some older, legacy systems may not support multi-factor authentication and even though it adds another step for employees and therefore, an added inconvenience, 2FA must be added to your business’ operations, even more so since it’s one of the Essential Eight Cyber Security strategies. It becomes important when performing work-related activities like remote access solutions, users performing privileged actions and when staff access important data. As mentioned, it provides a way to securely authenticate the user. If the first form of defence is breached, like a PIN (personal identification number), password or passphrase, then the attacker is unable to progress further as they don’t have the second.

Depending on what maturity level of Essential Eight your business is aiming for, how you implement two-factor authentication can differ.

At Maturity Level One, the authentication methods used must not be of the same class — something staff know, something they have or something they are — and one doesn’t have to be a memorised secret. If you’re only now implementing multi-factor authentication and need to be at a higher maturity level, it might be easier to simply use a higher form of 2FA as mentioned below.

At Maturity Level Two, the authentication methods that can be used, and in what combination, are restricted. Some acceptable multi-factor authentication implementations can include something users have (like a single-factor one-time PIN device or a single-factor cryptographic (a way of protecting information and communications through codes) software/device) or something staff have that is unlocked by something they know or are (multi-factor OTP device or multi-factor cryptographic software/device). Biometrics, like fingerprint or retina scanning, are not acceptable at this level. At this level, event logs for multi-factor authentication should also be collected and stored to help with incident response.

At Maturity Level Three, all staff accessing important data must be using multi-factor authentication. The types and combinations of 2FA are restricted, such as through cryptographically verifying what they are authenticating. Cybercriminals try to get around multi-factor authentication by stealing authentication requirements to impersonate staff, so organisations are to use multi-factor authentication solutions that are resistant to phishing, like security keys, smartcards or a Trusted Platform Module. Businesses are not to use push notifications or SMS codes as authentication methods as these are often used by adversaries.

How to Implement Two-Factor Authentication for SMEs

Implementing 2FA may sound complicated, but it is actually a straightforward process. Here are the steps you can take to implement 2FA for your SME:

  1. Choose a 2FA solution: There are many 2FA solutions available, including hardware tokens, mobile apps, and SMS-based solutions. Choose a solution that fits your budget and needs.
  2. Configure your 2FA solution: Once you have chosen a solution, you will need to configure it for your business. This typically involves setting up user accounts and configuring the authentication factors.
  3. Train your employees: It is important to train your employees on how to use the 2FA solution and why it is important. This will help ensure that they understand the process and are more likely to use it consistently.
  4. Test your 2FA solution: Before deploying 2FA to all users, it is important to test the solution to ensure that it is working correctly and does not cause any compatibility issues with your existing systems.
  5. Roll out 2FA to all users: Once you have tested the solution, you can roll it out to all users. This typically involves providing instructions on how to use the solution and ensuring that all users are using it correctly.

To test if these measures are working, try logging on to a system or software that has the authentication set up and see if the request for two or more authentication factors, such as a password or a one-time PIN, is shown. For high levels, watch as an employee that has administrative privileges authenticates to log into a system or software to see if they are required to use multi-factor authentication. Make sure to monitor the log-ins of multiple services, as, for example, a cloud service may have a different implementation of 2FA than an on-premise service. Also, for Level Three, ask staff members to send through lists of the important data repositories in the business’ network as well as screenshots of attempting to log in to these, including the multiple forms of authentication it should be requesting. Ensure event logs of multi-factor authentication are also protected and monitored for signs of compromise and modification.

Some tips

If you’re not aiming for Maturity Level Three, then select a multi-factor authentication solution that impedes less on user functionality. Make sure to also turn off and replace old and redundant authentication systems. If you’re receiving pushback for 2FA methods, introduce policies or implement the authentication in stages across the company, starting with high-risk users. Also, have a support plan to handle failed logins and account lockouts.

Keep in mind though that Cyber Security should be a part of your business’ culture. Everyone must be on board with implementing security measures, as multi-factor authentication is just one of the eight strategies and businesses need to implement them all to a certain degree.

Types of Two-Factor Authentication

SMS Token: Sends the user a unique token, usually a 5–10-digit code, via text message after entering their username and password, and this pin is then entered to allow them access. While user-friendly and available to pretty much everyone, text messages can easily get intercepted by 3rd parties and this method relies on people having a charged phone.

Email Token: Similar to SMS Token, this method sends a 5–10 alpha-numeric token or asks you to click a link provided in the email. Once again, these are user-friendly, cheap to set up and maintain and offer both a link or token if one doesn’t work. Sometimes, emails can go to spam or fail to be delivered and these can be intercepted by criminals.

Hardware Token: A user is given a physical device, such as a key fob, USB dongle or another device that generates a token for the staff member. These tokens are usually valid for only a short time. Hardware tokens don’t require reception or internet connectivity and is reliable and secure. They can be a bit expensive to set up though, and can be misplaced and can be a bit user-unfriendly when having one for service. Examples include:

  • Yubico YubiKey 5
  • Kensington VeriMark USB
  • Google Titan Security Key

Software Token: Where users download and install an application on their computer or device that generates tokens for the user. These are only available for short periods before changing. These are more user-friendly, updates when needed and can be customised with different features. Some can be expensive, though, and requires users to download and install software that might be compromised without knowledge. Two-Factor Authentication is available on most applications today for no additional cost and should be enforced across these applications. A firewall can also help by enforcing 2FA for remote connections. Examples of 2FA software include:

  • Google Authenticator
  • Microsoft Authenticator
  • LastPass Authenticator
  • andOTP
  • Authy

Phone Call: The employee receives a phone call once logged in, which provides them with the token. This method is both easy and inconvenient but is cheap and reliable due to requiring less bandwidth than data. Some negatives of this service are that phone calls can be intercepted or your voicemails can be hacked, and reception is required, as well as actually needing a phone.

Biometric Verification: Relies on the user being the token through fingerprints, retina scans and voice and facial recognition. It’s also user-friendly. This does, however, raise questions about the storage of biometric data and privacy concerns, and storage locations can be compromised. It also requires specific hardware, like cameras and scanners.

Implementing two-factor authentication is a simple and effective way to improve your SME’s Cyber Security posture. By requiring two authentication factors, 2FA makes it much more difficult for cybercriminals to gain unauthorised access to your sensitive data and systems.

If you have any questions or would like help implementing 2FA for your SME, please don’t hesitate to contact us. Our team of expert technicians specialising in Cyber Security can help you choose the right solution and ensure that it is configured correctly for your business.