In 2022, the Federal Court of Australia found RI Advice breached its license obligations to act efficiently and fairly when it failed to have adequate risk management systems to manage its cybersecurity risks.
In the case of ASIC v RI Advice Group, the court did not define adequate risk management in relation to cyber security. It took the view that ‘the assessment of the adequacy of any particular set of cyber risk management systems requires the technical expertise of a relevantly skilled person’. The court did, however, take a view on what was not adequate:
- computer systems that did not have up-to-date antivirus software installed and operating
- no filtering or quarantining of emails
- no backup systems in place, or backups not being performed
- poor password practices, including sharing of passwords between employees, use of default passwords, passwords and other security details being held in easily accessible places or being known by third parties.
What this means in 2023
As cyber attacks continue to increase in scale and frequency, businesses will be expected to take a more proactive approach to their cyber security and resilience.
Businesses, regardless of size, don’t need cyber security consultants to define what is considered adequate in all cases. Cyber security is not new; it has merely been thrust to the forefront of our minds as we become more and more digitally connected across almost everything that we do, highlighting the risks we face as a connected society. Just as we all know how to secure our homes, putting some basic cyber security measures in place is not a complex task for your business or even your personal life. It is, however, a must.
Many experts will correctly tell you to ‘conduct a risk assessment’ to determine what controls you need to mitigate identified risks. However, just as you implement basic physical security measures in your home without a detailed risk assessment, there is a common-sense set of adequate cyber security measures that all businesses, regardless of size, can employ in their day-to-day operations.
Practical security measures you can rely on
Through our Digital Forensics and Incident Response practice, ParaFlare regularly engages with businesses that have fallen victim to a cyber-attack. Too often, businesses do not have the following common, baseline set of measures implemented to safeguard their organisation. These measures aid in detecting a cyber security incident, slowing down or stopping the threat, and resuming normal business operations:
1. Multi-Factor Authentication (MFA)
Because so many breaches begin with stolen or reused credentials, MFA means that a password on its own is no longer enough for an attacker to log in. Where a service offers the choice, prefer an authenticator app or a hardware security key over SMS codes. You should implement MFA on systems including:
- Office 365 or any other email platform, including Gmail and Apple iCloud Mail.
- Salesforce and other sales platforms
- Online stores, banking, or websites used for your business
- Remote access gateways.
Find out more: Protect Yourself: Multi-Factor Authentication | Cyber.gov.au
2. Strong Passphrases
A unique, strong passphrase, for example ‘red house sky train’ (with special characters added where a service requires them), is stronger than a short, simple password. A passphrase should be unique for each website or service that you use, so that one breached site does not expose your other accounts; for this reason, ParaFlare recommends using a password manager.
Find out more: Creating Strong Passphrases | Cyber.gov.au
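As an added illustration (not code from the original article), the PowerShell below generates a passphrase by choosing words with the .NET cryptographic random number generator, and computes how many bits of guessing effort different choices give. The ten-word list is a constructed placeholder; the entropy figures assume a full 7,776-word diceware-style list, and the 72-symbol character set used for the comparison is an assumption.

```powershell
# Added example, not from the original article. Assumes Windows PowerShell 5.1 or PowerShell 7+.

# Unbiased random index in [0, $Max) from the CSPRNG. Get-Random is a general-purpose
# generator and should not be used for secrets; rejection sampling avoids modulo bias.
function Get-SecureIndex {
    param([int]$Max)
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $bytes = New-Object byte[] 4
    $space = [uint64]4294967296                    # 2^32 possible 4-byte values
    $limit = $space - ($space % [uint64]$Max)      # largest multiple of $Max not above 2^32
    try {
        do {
            $rng.GetBytes($bytes)
            $value = [uint64][System.BitConverter]::ToUInt32($bytes, 0)
        } while ($value -ge $limit)               # discard the biased tail and draw again
    } finally { $rng.Dispose() }
    return [int]($value % [uint64]$Max)
}

# Join $Words randomly chosen entries from $WordList.
function New-Passphrase {
    param([string[]]$WordList, [int]$Words = 4, [string]$Separator = ' ')
    $chosen = 1..$Words | ForEach-Object { $WordList[(Get-SecureIndex -Max $WordList.Count)] }
    return ($chosen -join $Separator)
}

# Bits of entropy for $Length independent, uniform picks from $Alphabet possibilities.
function Get-EntropyBits {
    param([int]$Length, [int]$Alphabet)
    return [math]::Round($Length * [math]::Log($Alphabet, 2), 1)
}

# Constructed toy word list; use a published list of thousands of words in practice.
$words = 'red','house','sky','train','apple','river','stone','cloud','lamp','forest'
New-Passphrase -WordList $words -Words 4

# Compare randomly generated passphrases with a random short password.
"4 words from a 7,776-word list : $(Get-EntropyBits -Length 4 -Alphabet 7776) bits"
"5 words from a 7,776-word list : $(Get-EntropyBits -Length 5 -Alphabet 7776) bits"
"8 characters from 72 symbols   : $(Get-EntropyBits -Length 8 -Alphabet 72) bits"
```

The figures only hold when the generator, not a person, chooses the words: four random words from a 7,776-word list give about 51.7 bits and five give about 64.6, against roughly 49.4 bits for eight random characters from a 72-symbol set, and the passphrase is far easier to type and remember. A phrase a person composes, like the example above, is drawn from a much smaller space than the arithmetic assumes. A password manager can generate and store a different one of these for every service.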
3. Backup and restoration
In case your data is stolen or rendered unusable (for example by a ransomware attack that encrypts all of it into an unreadable form), it is important to maintain regular backups. These backups should be held at a separate physical location, such as a cloud service or on separate devices (from hard drives to dedicated storage appliances) that are not routinely connected to your computer or main network; ransomware routinely seeks out and encrypts any backups it can reach, so at least one copy must be offline or otherwise unreachable from the main network. Restoring from these backups should be tested regularly, because a backup that has never been restored proves nothing; testing ensures that your business is ready to bounce back in the event of an incident.
Find out more: https://www.cyber.gov.au/backups
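The backup-and-restore rehearsal described above, as an added PowerShell example that is not code from the original article: it archives a folder to a zip file with a SHA-256 manifest, then extracts the archive into a scratch folder and checks every restored file against the manifest. It assumes Windows PowerShell 5.1 or PowerShell 7+ on Windows; the demo folder, file names and contents are constructed, and the backup target sits in %TEMP% purely for the demonstration.

```powershell
# Added example, not from the original article: back up a folder to a zip archive with a
# SHA-256 manifest, then rehearse a restore into a scratch folder and verify every file.
# Assumes Windows PowerShell 5.1 or PowerShell 7+ on Windows; the demo data is constructed.

function New-VerifiedBackup {
    param([string]$SourceDir, [string]$BackupDir)
    $SourceDir = (Resolve-Path $SourceDir).Path
    $stamp     = Get-Date -Format 'yyyyMMdd-HHmmss'
    $archive   = Join-Path $BackupDir "backup-$stamp.zip"
    $manifest  = Join-Path $BackupDir "backup-$stamp.sha256"

    # Record a hash for every file before archiving, keyed by path relative to the source root.
    Get-ChildItem -Path $SourceDir -Recurse -File | ForEach-Object {
        $rel = $_.FullName.Substring($SourceDir.Length) -replace '^[\\/]+', ''
        '{0}  {1}' -f (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash, $rel
    } | Set-Content -Path $manifest

    Compress-Archive -Path (Join-Path $SourceDir '*') -DestinationPath $archive -Force
    return [pscustomobject]@{ Archive = $archive; Manifest = $manifest }
}

# Restore rehearsal: extract to a scratch folder and compare each file with the manifest.
# Emits one line per problem; no output means the backup restores cleanly.
function Test-BackupRestore {
    param([string]$Archive, [string]$Manifest)
    $scratch = Join-Path ([System.IO.Path]::GetTempPath()) ('restore-test-' + [guid]::NewGuid())
    New-Item -ItemType Directory -Path $scratch | Out-Null
    try {
        Expand-Archive -Path $Archive -DestinationPath $scratch -Force
        foreach ($line in Get-Content -Path $Manifest) {
            $expected, $rel = $line -split '  ', 2
            $restored = Join-Path $scratch $rel
            if (-not (Test-Path -LiteralPath $restored)) { "missing after restore: $rel"; continue }
            $actual = (Get-FileHash -Path $restored -Algorithm SHA256).Hash
            if ($actual -ne $expected) { "hash mismatch after restore: $rel" }
        }
    } finally {
        Remove-Item -Path $scratch -Recurse -Force
    }
}

# Constructed demo: a small "business data" folder and a backup target under %TEMP%.
# In practice $BackupDir is a drive or cloud share that is not routinely connected.
$demo   = Join-Path ([System.IO.Path]::GetTempPath()) ('backup-demo-' + [guid]::NewGuid())
$source = Join-Path $demo 'source'
$target = Join-Path $demo 'backups'
New-Item -ItemType Directory -Path (Join-Path $source 'invoices'), $target -Force | Out-Null
Set-Content -Path (Join-Path $source 'customers.csv') -Value 'id,name'
Set-Content -Path (Join-Path $source 'invoices\inv-001.txt') -Value 'Invoice 001'

$backup   = New-VerifiedBackup -SourceDir $source -BackupDir $target
$problems = @(Test-BackupRestore -Archive $backup.Archive -Manifest $backup.Manifest)
if ($problems.Count -eq 0) { "Restore test passed for $($backup.Archive)" } else { $problems }
```

The manifest is what turns "we have a backup" into "we have a backup we can restore": schedule the rehearsal (weekly or monthly) and treat any reported line as an incident to investigate, not a warning to dismiss. Keep the archive and manifest together on the disconnected copy so the check can be run from it alone.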
4. Anti-Virus Software and Firewall Settings
If your organisation uses Windows, it already includes a built-in firewall, which blocks unsolicited inbound connections to each device, and Microsoft Defender Antivirus. Make sure both are enabled and kept up to date on every device by following Microsoft's instructions for the firewall and Microsoft Defender; remember that the RI Advice findings specifically called out antivirus that was not up to date and operating. If you prefer a third-party anti-virus product, look for one with malware and ransomware prevention/detection built in, and note that Defender Antivirus turns itself off once another registered product is installed, so it is a replacement rather than an extra layer.
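The "make sure it is enabled on each device" step above, as an added PowerShell check that is not code from the original article: it reads the state of the three Windows Firewall profiles and of Microsoft Defender Antivirus and reports anything that would have drawn the court's attention in RI Advice. It assumes Windows 10/11 or Windows Server with Defender Antivirus and the NetSecurity module; the 7-day signature-age threshold is an assumption chosen for the demo, and the remediation lines need an elevated prompt.

```powershell
# Added example, not from the original article: audit the built-in protections on a Windows
# device. Assumes Windows 10/11 or Windows Server with Microsoft Defender Antivirus; run as
# an administrator for the remediation lines. The 7-day signature threshold is an assumption.

function Test-BaselineProtection {
    param([int]$MaxSignatureAgeDays = 7)
    $findings = @()

    # Windows Firewall: the Domain, Private and Public profiles should all be enabled.
    # Enabled is a GpoBoolean (True/False/NotConfigured); anything but True is a finding.
    foreach ($profile in Get-NetFirewallProfile) {
        if ($profile.Enabled -ne 'True') { $findings += "Firewall profile '$($profile.Name)' is not enabled" }
    }

    # Microsoft Defender Antivirus: service running, real-time protection on, signatures current.
    $mp = Get-MpComputerStatus
    if (-not $mp.AMServiceEnabled)          { $findings += 'Defender antimalware service is not enabled' }
    if (-not $mp.RealTimeProtectionEnabled) { $findings += 'Defender real-time protection is off' }
    if ($mp.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
        $findings += "Antivirus signatures are $($mp.AntivirusSignatureAge) days old (last updated $($mp.AntivirusSignatureLastUpdated))"
    }
    return $findings
}

$issues = @(Test-BaselineProtection)
if ($issues.Count -eq 0) { 'OK: firewall on for all profiles, Defender active, signatures current' }
else                     { $issues | ForEach-Object { "FINDING: $_" } }

# Remediation for the usual findings (elevated prompt required):
#   Set-NetFirewallProfile -All -Enabled True
#   Set-MpPreference -DisableRealtimeMonitoring $false
#   Update-MpSignature
```

Run it on every device, not just the one you happen to be sitting at; a single laptop with the firewall off on the Public profile is exactly the kind of gap the findings describe. If a third-party anti-virus product is in use, Defender will report real-time protection as off by design, and the equivalent check must be pointed at that product's console instead.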
5. Browsing the Internet
When using the Internet, there are several ways that you can stay secure and promote safe practices amongst your staff.
- Make sure your web browser is updated to the latest version.
- Do not reuse the same passwords across multiple websites.
- Visit websites that use HTTPS (look for the padlock icon in your browser). The padlock means the connection is encrypted, not that the site is legitimate; phishing sites use HTTPS too, so still check the address.
- Only download files if you trust the source, or if it is from the official website.
- Do not click on links that look suspicious. Hover over the link to see the address it actually points to, or find the organisation's website through a search engine such as Google and navigate there yourself.
6. Using and Opening Emails
The most common method used by threat actors to gain access to your systems is via email. It is imperative that the staff within your organisation stay vigilant when it comes to the emails they open, attachments they download, or links that they click. If something doesn’t look right or you are suspicious, your employees should raise it with someone else or flag it with IT. Getting a second opinion may just save the organisation a big headache.
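The "hover over the link to see where it really goes" advice in section 5 and the email vigilance in section 6 come down to the same check: does the link text match the address behind it? The PowerShell below, an added example and not code from the original article, applies that check to the links in an HTML email body, and also flags links to raw IP addresses and to internationalised (punycode) host names. It assumes Windows PowerShell 5.1 or PowerShell 7+; the sample message is constructed, and 203.0.113.5 is from a documentation-only address range.

```powershell
# Added example, not from the original article: flag links in an HTML email whose visible
# text names one website while the href points elsewhere, plus links to bare IP addresses
# or punycode hosts. Assumes PowerShell 5.1 or 7+. The sample email below is constructed.

function Find-DeceptiveLinks {
    param([string]$Html)
    $anchor = '<a\b[^>]*\bhref\s*=\s*["'']([^"'']+)["''][^>]*>(.*?)</a>'
    foreach ($m in [regex]::Matches($Html, $anchor, 'IgnoreCase,Singleline')) {
        $href = $m.Groups[1].Value.Trim()
        $text = ($m.Groups[2].Value -replace '<[^>]+>', '').Trim()   # strip inner tags
        $uri  = $null
        if (-not [uri]::TryCreate($href, [System.UriKind]::Absolute, [ref]$uri)) { continue }
        $hrefHost = $uri.Host.ToLowerInvariant()

        # If the visible text looks like a web address, extract the host it claims to be.
        $claimed = $null
        if ($text -match '(?i)^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/:\s]|$)') {
            $claimed = $matches[1].ToLowerInvariant()
        }

        $reasons = @()
        if ($claimed -and $hrefHost -ne $claimed -and $hrefHost -notlike "*.$claimed") {
            $reasons += "text says '$claimed' but link goes to '$hrefHost'"
        }
        if ($uri.HostNameType -in 'IPv4','IPv6') { $reasons += 'link points at a raw IP address' }
        if ($hrefHost -like 'xn--*' -or $hrefHost -like '*.xn--*') { $reasons += 'punycode host name' }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{ Text = $text; Href = $href; Reason = ($reasons -join '; ') }
        }
    }
}

# Constructed sample message body (203.0.113.0/24 is a documentation address range).
$sample = @'
<p>Your mailbox is almost full. Visit <a href="http://203.0.113.5/login">https://login.microsoftonline.com</a> to fix it.</p>
<p>Our guide is at <a href="https://www.cyber.gov.au/">www.cyber.gov.au</a>.</p>
<p>Or <a href="https://portal.example.net/reset">click here</a> to reset your password.</p>
'@
Find-DeceptiveLinks -Html $sample | Format-Table -AutoSize
```

On the sample, only the first link is reported, for both reasons at once; the second matches its text, and the third ("click here") makes no claim the text can contradict, which is why staff still need to read the real address before clicking. A check like this belongs in the mail filter or a triage script, and is a complement to the second-opinion habit described above, not a substitute for it.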
While most people can implement these simple controls, managing your cyber security becomes harder as you cross the gap from small to medium enterprise, especially if you don’t have your own in-house IT team. Luckily, large technology providers now offer enterprise-grade security to small and medium businesses for a fraction of the historical cost.
Microsoft, a ParaFlare partner, offers several combined productivity and security solutions for businesses across various packages. While larger enterprises often use “E” series licensing, small and medium enterprises without a sophisticated IT function can benefit from Microsoft’s decades of IT and security experience through the Microsoft 365 Business tier. This licensing tier is designed to address both productivity and basic security needs in one subscription. The good news is that it bundles most of the controls discussed above, and can empower a small IT team to secure your business more quickly and simply.
With the ability for most people to control their own cyber-security postures, and large vendors finally providing security solutions that are easily obtainable for small and medium enterprise, we’re likely to see regulators start to enforce standards.
Don’t become a victim of a cyber-attack. Take a step back, grab a cup of coffee, and think through your cyber security measures… in much the same way you protect your home!