With Cyber-Attacks now the #1 threat to business globally (World Economic Forum), recent reports reveal an unprecedented increase in the number of Australian SMEs being actively targeted by cyber criminals, regardless of size or industry. These criminals (referred to as ‘threat actors’) view many Australian SMEs as easy targets and ‘honey pots’, primarily due to the vast amount of highly valuable client information and data they store or have access to, facilitated by an extremely common attitude by many SMEs that they are too small to be subject to such attacks.
With so much confusing information and a lack of understanding or knowledge around practical and affordable solutions for SMEs, CAT has compiled the below FAQs to assist your business in identifying your own areas of exposure, whilst providing practical solutions to address your company’s cybersecurity risk and challenges.
The questions and answers below may help raise awareness about cybersecurity risks within your company.
This is not a definitive or exhaustive list however, it may assist your business in developing practical and affordable solutions to address your own cybersecurity risks, ensuring that your business is operating in a safe, secure and compliant cybersecurity environment.
In relation to cybersecurity, what are some of the most common issues facing SMEs?
- Lack of awareness around the current real-world cybersecurity risks
- False sense of security, with a heavy reliance and dependence on internal IT Manager or external IT third-party provider
- Lack of cybersecurity knowledge, understanding, ownership and leadership
- Poor cybersecurity maturity and posture within their businesses
- Lack of staff training (at all levels) – just like Health & Safety, cybersecurity is everyone’s responsibility
- Lack of allocated budget. Cybersecurity is now an integral cost of doing business for us all
If a company has an IT Manager or Third-Party IT Provider, isn’t this their area of expertise and responsibility?
- Unfortunately, not. This is one of the most common misconceptions that many boards, directors and senior managers display. Cybersecurity is not an IT or Technology issue, it’s a whole of business risk. That risk sits with the board and the business owners/directors and whilst a company can rely on IT teams or outsource the technology requirements, they can’t outsource their responsibility
- Blindly delegating this responsibility, without independent verification has proved catastrophic for numerous businesses of all sizes, across all industries.
- IT security and cybersecurity are very different disciplines, and whilst there is a symbiotic relationship between the two, traditional IT security methods, such as firewalls, anti-virus and anti-malware software, whilst still essential, are no longer enough to keep threat actors at bay.
- Many IT Managers or Third-Party Providers often lack the in-depth cybersecurity expertise or knowledge required to protect businesses today. Many confuse IT security with cybersecurity and can inadvertently provide a false sense of security to their clients that their businesses are protected. Many simply do not have the bandwidth to keep up with the daily advances in cyber risks and attacks.
- Information security and cybersecurity have very broad landscapes and no software or hardware will protect your business from techniques such as social engineering, loss of physical files, pretexting, voice solicitation (vishing), or incorrect disposal of paper documents.
So, if this is not an IT or Technology issue, where should businesses focus their resources and efforts when assessing their company’s cybersecurity posture?
- The simplest and most effective way to assess your company’s information security and cybersecurity risk exposure is not through an IT Audit or Penetration Test, but through a whole of business, independent Cyber Resilience Assessment (CRA). After all, you don’t know what you don’t know.
- An independent assessment will assist you, your business and your IT Team/external IT provider in identifying areas of risk, gaps in polices or procedures, exposure or non-compliance throughout your organisation.
- With the tangible information discovered in the CRA, you and your teams can determine where to focus your time and resources, based on the severity of the issues identified, together with your company’s risk appetite and budget
How can companies raise awareness about cybersecurity, and the associated risks, within their businesses?
- There are some very simple and affordable solutions for businesses of all sizes and across all industries. The first is education. Start at the top, with the board. Remember, cybersecurity is not an IT or Technology issue, it’s a whole of business risk and is a journey of discovery that requires a fundamental change in mindset and culture. Build a security culture that encompasses all departments and operations since cybersecurity is everyone’s responsibility.
- Establish ongoing training – Incorporating cybersecurity awareness training for all employees is critical to your business security infrastructure. It is the most effective way to combat social engineering, poor password practices, successful phishing attempts and other cyber threats that could put your business at risk.
- Review your policies, processes and procedures and ensure that all staff are aware of theses polices and are trained appropriately. Then test them to ensure they are effective and work. It’s simply not enough, or acceptable, to require a new employee or existing employee to sign an “I have read and understand company IT and cybersecurity policies.” Basic training for all staff on how to spot, manage and report the vast nefarious social engineering techniques, such as phishing, spear phishing, business email compromise, pretexting, spoofing and vishing could be vital to the survival of your business.
- Develop a Data Breach Incident Response Plan. This is a simple plan for all staff to follow in the event of a data breach, incident or attack. Again, test it to measure its effectiveness and amend where necessary.
- Establish governance – Ensure that the board appoints someone to take ownership of updating the board on a regular basis in relation to the company’s cybersecurity posture. Outline responsibilities for monitoring, evaluating, and reporting risks, both within the organisation and to regulatory agencies and industry organisations.
- Advance your knowledge – Stay up to date with cybersecurity legislation, standards, frameworks, reporting and leading practices such as:
- Australian Notifiable Data Breach Scheme (NDB)
- European Union General Data Protection Regulation (EU GDPR)
- Payment Card Industry Data Security Standard (PCI DSS)
- International Organisation for Standardisation ISO 27001
- Australian Cybercrime Online Reporting Network (ACORN)
- Australian Cyber Security Centre (ACSC)
- Australian Signals Directorate (ASD)
- National Institute for Standards and Technology (NIST)
So, we’ve raised awareness in our company, what other practical measures should we be thinking about?
- Cybercriminals view SMEs as easy targets and ‘honey pots’, primarily because SME defences are often not as advanced as those of larger businesses. According to a recent Ponemon Institute report, the average time for a business to identify a breach is 191 days, with the average time to contain a breach is currently sitting at 66 days. More alarmingly, according to the Australian Cyber Security Centre, over 58% of businesses that were breached in 2018, were alerted to the breach by external parties before detecting the breach themselves. A recent IBM report identified that over 60% of all breaches occur from within a business.
- To protect themselves, companies should consider additional layers of cybersecurity (Defence in Depth), such as Managed Detection and Response services. The application of action-based insights from real-time analysis of your network data can drastically improve the time to detect and respond to a potential security threat and prevent data theft.
- Engage external specialist assistance to assist your business in the areas where your IT manager or Third-Party provider can’t. Remember, they’re probably already overstretched, may not have the required knowledge or experience, and some may think that they can take care of this themselves. Many cybersecurity companies will actually work in partnership with your IT to support and educate them along the way.
What exercises can be performed to gain a feel for how my organisation would handle suspicious activity or identified breaches?
- While no single mitigation strategy is guaranteed to prevent cybersecurity incidents, according to the Australian Signals Directorate, at least 85% or more of the adversary techniques used in cyber intrusions could be mitigated through cost-effective frameworks and mechanisms.
- After training your staff, test their susceptibility to common cybersecurity threats such as phishing emails and business email compromise (BEC) and re-educate those who may require additional training.
- Perform social engineering exercises attempting to trick employees into giving up sensitive information or access to systems.
- Conduct a breach response exercise and go through the steps of your plan to evaluate its effectiveness.
What can I do to strengthen my organisation’s cybersecurity program with limited resources?
Get the Cybersecurity basics in order. To enhance your company’s odds of mitigating a catastrophic data breach, ensure you have employed the basic cybersecurity measures. As a bare minimum, these would include:
- Next-generation Firewalls
- Intrusion Detection Systems (IDS)
- Managed Detection & Response services (MDR)
- Security Incident and Event Management (SIEM) systems
- Spam filters/Anti-Phishing
- Access control – both Identity and Access Management (IAM) and Privileged Access Management (PAM) for back-end administrative access
- Password Manager to prevent staff from forgetting or losing their passwords, using poor password hygiene or reusing passwords
- Enforced Multi/Universal Factor Authentication everywhere possible
- Encryption of sensitive data – at rest and in transit, as required by regulation and policies
- Mobile Device Management for all relevant devices such as tablet and smartphones
Engage external specialist assistance to evaluate your program, identify risk areas, assist you in addressing the risks and provide you with independent and objective perspectives and recommendations.
What are some of the key components of an effective cybersecurity management program?
- Cyber Resilience Assessment (CRA) – A CRA will assist in identifying your company’s gaps, areas of exposure, risk and non-compliance, and will enable you to put practical and affordable measures in place to mitigate these risks.
- Security Control Implementation – Establish a control framework (such as ISO 27001, ASD 37 Scorecard, NIST, SANS Critical Security Controls) to standardise protection for your data and systems.
- Regular Review of Security Control Performance – Periodically evaluate security controls to determine whether the cybersecurity controls are operating as intended.
- Governance – Good governance is achieved through the management structure, assignment of responsibilities and authority, establishment of policies, standards and procedures, allocation of resources and monitoring and accountability
- Data Classification – Identify high risk or regulated data and establish data handling procedures.
- Collaborate with Internal Stakeholders – In the event of a cybersecurity breach, personnel and teams in the company’s IT, HR, finance, legal, and other departments should be ready at a moment’s notice and be aware of their roles and responsibilities following an attack.
- Employ Managed Detection and Response (MDR) services – Without real-time monitoring of your digital environment and endpoints, your company will only learn about an attack or data breach after the fact.
- Be Aware of Active Threat Intelligence – The more informed decisions you can make during a cyber-attack, the better off you may be. Active threat intelligence will assist your company in identifying and recognising the signs of an attack, often before it occurs.
- Understand Regulatory Factors and General Liability – A response to a data breach should consider regulatory compliance and procedures. You risk fines and other penalties if personal information is exposed and your response is considered non-compliant.
- Undertake Data Incident Response Planning – Despite best efforts, a security breach is always a possibility. Cybersecurity threats are evolving daily and it is vital to be proactive and ready. Develop a Data Breach Incident Response Plan and test it regularly.
- Third-Party Service Provider and Vendor Risk Management – Many of the most recent data breaches have originated from third-party providers. Regardless of size, all businesses should employ basic vendor management best practices to understand and control third-party risk.
- Risk Acceptance and Risk Transfer – As recent, high-profile breaches demonstrate, even with robust security processes in place, businesses can still suffer a data breach. Companies should evaluate the overall effectiveness of their cybersecurity processes and decide whether to accept that risk or transfer that risk through a cyber-liability policy. Insurance carriers are quickly evolving cyber policies and underwriters are taking a closer look at how companies assess and manage their cybersecurity risks. By implementing effective cybersecurity management programs, companies may be able to receive reduced premiums or more favourable policy limits.
Our team are here to assist and support you and your company along your own information security/cybersecurity maturity journey.
Contact us today to speak to one of our specialists.