It’s only a matter of time before malicious actors figure out a way to get around whatever new technology cybersecurity professionals come up with.
According to the Australian Cyber Security Centre, ransomware cybercrime reports increased by 15 per cent in the 2020-2021 fiscal year, with Australian businesses losing more than AU$33 billion to cybercrime during this period. While Australian businesses take precautions to combat these activities, ransomware attacks evolve faster than the security controls required to combat them.
For this week’s Let’s Talk, we asked our experts to discuss easy ways to protect the business from cyber threats without breaking the bank.
“In today’s evolving cyberthreat landscape, small businesses are just as vulnerable to cyber-attacks as large enterprises – if not more so. BlackBerry’s Annual Threat Report 2022 found that SMBs face upwards of 11 cyber threats per device each day. Simultaneously, Australia’s skills shortage disproportionately affects SMBs, which often lack the resources (such as staff, licenses or infrastructure) to maintain a Security Operations Centre (SOC).
“Automated cybersecurity solutions that leverage the predictive advantage of Artificial Intelligence (AI) can support SMBs in overcoming these challenges, without blowing the budget. To help keep costs down, businesses can also engage a Managed Security Service Provider (MSSP) to deploy endpoint protection solutions or subscribe to a 24/7 externally monitored service called XDR (Extended Detection and Response). By securing endpoint and network security systems through a managed XDR service, SMBs have access to enterprise-grade solutions and round-the-clock cyber experts at a fraction of the cost.
“The great news is – SMBs don’t have to do it all themselves. With access to intelligent AI tools and security staff on-tap, any Australian business can conduct continuous monitoring and regular assessments to protect their assets and prevent attackers from exploiting vulnerabilities.”
“Most Australian businesses secure their devices and networks by updating security software and setting up firewalls; these are generally known as an organisation’s first line of defence. However, your company’s best line of defence is your staff.
“95 per cent of Australian companies surveyed in Sophos’ ‘The Future of Cybersecurity in APJ’ believe their biggest security challenge in the next 24 months will be the awareness and education of employees and leadership.
“Staff not only need to know how to spot threats, but how to react to them and what to do during an attack.
“There are several ways to increase employee awareness without breaking the bank. Policies can be put in place to guide staff through cyber-attacks, and organisations should implement cybersecurity education programs to improve awareness and understanding of the threat landscape.
“As cyber criminals continue to find different tactics to outsmart businesses’ security measures, ongoing employee cyber awareness education is critical to protect businesses against attacks.”
“With the hybrid workplace now established as the ‘new normal’, cybercriminals have been given more opportunities to wreak havoc, throwing open a host of cybersecurity challenges for companies. To stand a chance of tackling potential cyber-attacks, businesses need a new holistic way of building defences.
“However, having the proper system in place is not dependent on the amount of money spent. Instead, businesses can begin by educating employees on effective password hygiene habits to reduce the risk of compromised credentials. For many businesses, this is the most budget-friendly and low complexity solution – and one that is most often overlooked!
“Basic password hygiene habits mean that organisations can minimise vulnerabilities and create new cybersecurity protections that facilitate the new working world without adding significant expenses to the business. This, alongside enabling readily available multi-factor authentication (MFA), can greatly reduce the risks of compromised passwords, adding another much-needed layer of protection from attacks that could cost companies millions.”
“Even small businesses have cyber exposure – in fact, over 60 per cent of cyber attacks target SMEs.
“Rather than focusing their entire budget on protection, ‘cyber ready’ businesses are incorporating recovery into their planning. They have appropriate advisors to help urgently and a plan (or cyber insurance policy) to manage the costs associated with getting the business back up and running ASAP, as well as managing cyber incident response activities such as data breach reporting, crisis communications, and investigations.
“If your business depends on tech to operate, it doesn’t matter what you have done to protect yourself – you need to know that you won’t be sitting on hold when a cyber attack happens – ideally you’ll know you have cyber incident specialists on hand 24-7 to help you if a crisis strikes (and know you’re not going to be left insolvent in order to pay them).”
“There are some simple and effective steps companies can take to dramatically reduce risk and proactively protect against cyberattack in today’s ‘everywhere workplace’.
“Getting complete visibility of all devices and software connected to your network, and context into how these assets are used, is essential to enable IT and security teams to protect and secure them.
“Choosing a unified endpoint management (UEM) solution for device management supports bring-your-own-device (BYOD) initiatives while maximising user privacy and securing corporate data in remote and hybrid workplaces.
“Establishing good device hygiene is extremely important, ensuring that only devices meeting defined security requirements are allowed to access business resources. Companies should look to combat device vulnerabilities, network vulnerabilities such as unsecured Wi-Fi and hotspots, and application vulnerabilities. For an extra layer of protection, consider passwordless authentication via zero sign-on multifactor authentication.
“Solutions that are comprehensive, integrated and easy to continuously monitor and update will reduce pressure on IT staff, and create a productive, intuitive user experience no matter where, when or how your employees work.”
“Whilst there are good software solutions to mitigate cyberattacks, maintaining secure access to IT systems can be economically achieved through strong multi-factor authentication (MFA).
“Username and password combinations are vulnerable to account takeovers and other attacks; however, MFA is a cost-effective way to protect your data.
“MFA requires two or more proofs of identity to grant account holders access and works by using a combination of something the user knows (PIN), something they have (hardware security key) or something they are (fingerprint). Many apps and programs already support MFA too, so there are no software setup costs involved.
“Phishing-resistant MFA via hardware security keys significantly reduces the cybercriminal’s ability to attack, as the authentication action occurs between the user’s device and the site being accessed.
“Hardware security keys are affordable, don’t need network connections or battery power, and don’t store data, making them an ideal option for strong phishing-resistant authentication.”
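To show concretely why the authentication action being bound to the site being accessed defeats a lookalike login page, here is an added toy model in Python (not code from the original article or from any vendor) of a WebAuthn-style hardware-key login. Assumptions: an HMAC keyed per relying-party ID stands in for the authenticator’s real per-site key pair and signature, and the `bank.example` / `bank-login.example` domains are constructed.

```python
"""Toy model of origin-bound hardware-key MFA (WebAuthn-style) and why a
relayed login from a lookalike site is rejected.

Assumptions (not the real protocol): an HMAC key derived per RP ID replaces the
authenticator's per-site key pair and ECDSA signature; browser and authenticator
are plain functions; all domains below are constructed examples.
"""
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass

RP_ID = "bank.example"                       # constructed relying party
RP_ORIGIN = "https://bank.example"
PHISH_ORIGIN = "https://bank-login.example"  # constructed lookalike site


@dataclass
class HardwareKey:
    """Stand-in for a roaming authenticator with one credential per RP ID."""
    root: bytes

    def key_for(self, rp_id: str) -> bytes:
        return hmac.new(self.root, rp_id.encode(), hashlib.sha256).digest()

    def sign(self, rp_id: str, client_data_hash: bytes) -> bytes:
        # The key only ever sees the RP ID and a hash of the client data; the
        # user types nothing, so there is no secret that can be phished.
        rp_id_hash = hashlib.sha256(rp_id.encode()).digest()
        return hmac.new(self.key_for(rp_id), rp_id_hash + client_data_hash,
                        hashlib.sha256).digest()


def browser_get_assertion(key: HardwareKey, rp_id: str, challenge: str,
                          page_origin: str):
    """Browser side: refuses an rp_id the current page may not claim, and it
    (not the page) writes the true origin into clientDataJSON."""
    host = page_origin.split("://", 1)[1]
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise ValueError("page origin may not use this rp_id")
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": page_origin}, sort_keys=True).encode()
    return client_data, key.sign(rp_id, hashlib.sha256(client_data).digest())


class RelyingParty:
    def __init__(self, rp_id: str, origin: str):
        self.rp_id, self.origin = rp_id, origin
        self.credentials = {}  # user -> verification key (a public key in reality)
        self.pending = {}      # user -> outstanding single-use challenge

    def register(self, user: str, key: HardwareKey) -> None:
        self.credentials[user] = key.key_for(self.rp_id)

    def begin_login(self, user: str) -> str:
        self.pending[user] = secrets.token_urlsafe(32)
        return self.pending[user]

    def finish_login(self, user: str, client_data: bytes, signature: bytes) -> str:
        challenge = self.pending.pop(user, None)  # consumed: replays cannot match
        cd = json.loads(client_data)
        if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
            return "rejected: unknown or replayed challenge"
        if cd.get("origin") != self.origin:
            return "rejected: origin mismatch"
        expected = hmac.new(self.credentials[user],
                            hashlib.sha256(self.rp_id.encode()).digest()
                            + hashlib.sha256(client_data).digest(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, signature):
            return "rejected: bad signature"
        return "ok"


def _setup():
    key, rp = HardwareKey(secrets.token_bytes(32)), RelyingParty(RP_ID, RP_ORIGIN)
    rp.register("alice", key)
    return key, rp, rp.begin_login("alice")


def legitimate_login() -> str:
    key, rp, challenge = _setup()
    client_data, sig = browser_get_assertion(key, RP_ID, challenge, RP_ORIGIN)
    return rp.finish_login("alice", client_data, sig)


def phished_login() -> tuple:
    """A lookalike page relays the bank's real challenge to the victim and
    forwards whatever comes back. Returns the outcome of both things it can try."""
    key, rp, challenge = _setup()
    try:  # 1. Ask for the bank's rp_id: the browser refuses outright.
        browser_get_assertion(key, RP_ID, challenge, PHISH_ORIGIN)
        first = "assertion produced"
    except ValueError as err:
        first = f"browser refused: {err}"
    # 2. Ask for its own rp_id: clientData carries the lookalike origin and the
    #    key signs for the wrong site, so the bank rejects the relayed response.
    client_data, sig = browser_get_assertion(key, "bank-login.example",
                                             challenge, PHISH_ORIGIN)
    return first, rp.finish_login("alice", client_data, sig)


def replayed_login() -> str:
    """A captured assertion presented a second time: the challenge is spent."""
    key, rp, challenge = _setup()
    client_data, sig = browser_get_assertion(key, RP_ID, challenge, RP_ORIGIN)
    rp.finish_login("alice", client_data, sig)
    return rp.finish_login("alice", client_data, sig)
```

Contrast this with a one-time code typed by the user, which the lookalike page can simply forward; here the origin and challenge are signed on the user’s device, so nothing the relay forwards verifies at the bank.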
“Cybersecurity shouldn’t be viewed as an expense; it’s an investment in the future of your business. Powerful customers want to do business with organisations that can demonstrate a solid security posture. So, the first step is reconsidering your allocated cyber budget against the bigger picture of your growth plans.
“Don’t be tempted to approach informational risks on a piecemeal basis. Sharing the odd reminder about using a VPN on public WiFi or not opening suspicious emails isn’t going to cut it. Approach your cybersecurity around a framework designed by experts. Australia has The Essential Eight, but if you’ve got designs on global business or Australian government contracts, the internationally recognised information security standard ISO 27001 is a must have. There are a number of cloud software solutions designed to help small businesses easily manage their compliance with these frameworks.
“There was great news for small business cybersecurity budgets in the Government’s budget announcement on 29th March. The Technology Investment Boost means more than 3.6 million small businesses with an annual turnover of less than $50 million can claim a bonus 20 per cent tax concession on investments in digital, and that includes cybersecurity. That means being able to claim back $120 on every $100 invested in digital tech, which includes cloud systems that support governance, risk management and compliance in the areas of information security and cybersecurity.
“This is a huge opportunity for nimble organisations to invest in systems that guide them through the management of best-in-class cybersecurity practices – gaining valuable certifications like ISO 27001 – and will help them embed the security behaviours as BAU into their business. Plus, they will enjoy the added benefit of easily maintaining their security posture without the need for expensive consultants.”
“Businesses are at greater risk than ever from data loss. The following data backup and recovery practices safeguard your valuable data, your revenue and reputation:
“Digital transformation has resulted in increased cyber threats and data issues. As organisations ramp up efforts to defend against external cybersecurity threats, some of the greatest risks come from those inside the company.
“Businesses can prevent ongoing security threats through education and being transparent on the organisation’s threat program; clearly communicating with employees will deter far more internal risks to data than a covert program will.
“Classifying data assigned to risk areas like personal identifying information (passports, credit cards, personal identifiers, etc.) can also help protect against these ongoing threats.
“Organisations should use solutions that enable them to grant limited access to important materials based on employee role and responsibility.
“Finally, adopting a strong end user password management solution will further help to control user access and mitigate the risk of breach.”
“Cyber safety is high on the list of priorities for all businesses, regardless of their size. With threats on the rise, and an ongoing struggle for skills and talent locally, a smart investment in cyber security technology and education is critical to help take the strain off your IT team.
“Endpoint Detection solutions are important, and most companies will have these in place, but taking this one step further to Extended Detection and Response (XDR) could protect your business before an attack has even landed. Consolidating both tools and data to provide a business with extended visibility, analysis and response across networks and clouds as well as apps and endpoints will help prevent attacks or quickly contain them should they occur.
“On top of the technology, it’s important to invest resources into training employees on potential attacks and what to watch out for. The human factor can be the weakest point in any organisation if left unprepared and unaware of risks, so, educating your people can help prevent an attack or make rectifying a breach much faster.”
“Without ongoing, relevant and engaging training and awareness, employees are the easiest target for a cyber attack. A phishing email (malicious email) is the most effective method used to achieve that.
“Educating employees to stop and think before they act on any incoming communication that sparks an emotional response such as urgency or fear to click on a malicious link, open a dodgy attachment or share login credentials is more important than ever.
“And it’s not just phishing emails we all need to be aware of. Be on the lookout for smishing (malicious SMSs), vishing (malicious voice calls) and qishing (malicious QR Codes) all of which can lead you into a trap.
“If you do receive incoming communication requesting personal information, login credentials or an offer of something ‘too good to be true’ – STOP. It’s recommended that you make direct outgoing contact via official channels (phone or app or website) to your bank, telco, healthcare provider etc. The verification process is safer as you have contacted them (not the other way around).”
“Cybersecurity can appear to be a daunting investment for SMEs that have limited resources and knowledge of where to start. However, there are a number of best practices businesses can follow to greatly enhance their cybersecurity.
“First, invest in the best monitoring, detection and response systems your budget can afford. This might include implementing back-to-base security alarm systems to identify if there are intruders in your office and homes.
“Next, vulnerability management involves keeping your computers and network safe from known exploitations by regularly running security scans and upgrading your networks.
“Multi-factor authentication (MFA) ensures your email, social media, and critical applications such as accounting and CRMs are safe. MFA provides a second layer of security aside from username and password alone.
“Finally, remember: security starts with you and your team. Building knowledge and awareness are critical to fighting cyber threats, making training and staff education key.”
“Rising cybersecurity costs are tightly linked to the rising use of cloud. The more data in the cloud, the more complex and costly to monitor and protect.
“The challenge is to not lose visibility into the traffic, or control over the cloud environment.
“Firewalls should only allow what is necessary to operate the business, and guardrails such as multi-factor authentication need to be incorporated when teams set up cloud accounts. Free native cloud tools exist that businesses can take advantage of.
“Setting up sandbox environments can also allow teams to experiment without adding risks and while balancing costs.
“Finally, priority should be put on protecting the data itself, for example via encryption. You can spend millions on different levels of protection, but if your data gets stolen these protections won’t be of any help. Focus on securing the data first so it’s unusable should it be hacked or leaked.”
“With the majority of business operations now occurring online, it’s imperative to have robust measures in place to protect against cyber attacks. Small businesses are most at risk because some protection methods are expensive; however, here are three cost-effective ways to protect your business.
“Cyber security remains one of the most serious economic challenges for businesses of all sizes. Exacerbated by the pandemic, Australians saw a 60 per cent increase in ransomware attacks in the past year alone.
“It’s vital to secure your website to protect sensitive information and customers alike. While no system is 100 per cent hack-proof, there are proactive measures you can take to secure your WordPress site.
“It’s important to update continuously, this includes removing unused plugins and themes, and avoiding untrusted plugins altogether.
“Nearly 80 per cent of security threats are caused by outdated software and passwords. Ensure that passwords and usernames are strong, install plugins to enable Two-Factor Authentication (2FA) and limit login attempts to add an extra layer of security.
“For further assurance, consider investing in a secure hosting provider, such as WP Engine, to address security risks and implement daily backups, automatic software updates, 2FA, etc. A hosting provider enables small businesses to focus on providing an optimal digital customer experience, while maintaining a secure site, seamlessly.”
“According to Check Point’s Threat Intelligence Report, Australian organisations were attacked 768 times per week in the last six months. When it comes to security, second best is not enough. Rethinking your approach is urgent and can be cost-effective.
“Your first line of defence is your team. It’s essential to educate and engage employees to be aware and vigilant. Regularly updating and patching software is another simple measure that goes a long way. Further consider a solution to simplify cybersecurity controls in a consolidated architecture, which can protect your company from every endpoint across your network, cloud, mobile and IoT in real-time. This type of system can be multi-layered, as is the case of Check Point’s Infinity.
“Finally, we recommend partnering with experts that will support you in emergencies. Our dedicated Incident Response team works to strengthen cybersecurity controls through multi-threat analysis and real-time remediation, protecting against cyberattacks and threats.”
“To protect your business from cyber attacks, you must understand your technology, applications and data that make up your IT, and the different points of entry that could be used to access your information. By determining your biggest vulnerabilities and ensuring the right processes are in place to secure these systems, you can easily prevent possible infrastructure attacks without blowing the budget.
“Despite hesitations regarding the security of cloud technology, in fact migrating to the cloud is necessary for businesses to adequately protect themselves against cyber threats. With the deluge of data taking place and the scale of potential threats, businesses can configure cloud computing to their exact needs, which in turn, improves overall security and long-term costs.
“It is also important to think about information security in general – traditionally, this would have covered physical access to your building, but today this will include remote working and hybrid work patterns that have been adopted following the pandemic. Investing in reliable and secure cloud native apps will help empower your business and protect against sophisticated threats that can cause shutdowns and hinder work or staff anywhere.”
“Ransomware is a real threat, even for small and medium-sized companies. However, a few steps can significantly reduce the risk of ransomware attacks and the risk of damage in the event of an attack:
“Cyber security is a critical aspect for businesses, and there are various methods to safeguard your organisation from cyber attacks without breaking the bank. It starts with enabling security measures throughout the ecosystem that most businesses would already have in place.
“Enabling network encryption on your wifi network and activating your router’s built-in firewall are great places to start. Establishing minimum password requirements and activating two-factor authentication (2FA) for your applications and document repository are examples that will strengthen your security posture. It is also critical to stay updated on software releases by upgrading and patching third-party software utilised within your stack – this will remediate known cyber vulnerabilities.”
“Cloud-based working is here to stay, and with that comes new threats in addition to the obvious opportunities it brings. Our traditional approach to cybersecurity is no longer fit for purpose when applied as a point solution at a given moment in time. Leading organisations are now adopting an ‘always on’ Zero Trust strategy, which is the concept that no person, device, object, or connection, should be trusted until it is proven that it should be, combined with a modern approach to security that enables the business on their technology journey.
“Whilst moving to a full Zero Trust posture is an ongoing project, the good news is that organisations can start to employ a lot of the tactics with minimal investment and speed. This can include offering secure cloud storage or collaboration solutions that are easy to use so that employees don’t turn to ‘shadow applications’ or even re-thinking password management. For example, passwords shouldn’t be set to expire – instead, stick to high minimum character limits without all the complicated symbols to encourage strong, yet easy to remember passwords that staff don’t need to write down and can keep forever.”
“Recent research shows that Australians lost over $300 million to scams in 2021, and almost half of all cyber attacks target SME businesses. It is critical for business leaders to recognise cyber attacks can happen to any business, as cybercriminals and crime syndicates are incredibly well-resourced. It is unrealistic to think a single business of any size can consistently stay two steps ahead of their attackers without expert support. Consequently, the best defence against cyber attacks is a measured and proactive offence. Business leaders should understand that identity theft, phishing, financial fraud, and money laundering are just some of the many outcomes cybercriminals are trying to achieve through cyber attacks. Businesses need a technology-driven and end-to-end approach to preventing attacks before they happen. While there is inevitably an initial investment required to protect your business, it is likely to more than pay itself off in the long-run.”
“While businesses are less at risk of encountering a threat than consumers, they often have more to lose if they do fall victim. Digital threats put businesses’ productivity, profits, and their reputation on the line. Avast threat labs have found that on average, Australian businesses have a 12.78 per cent chance of encountering a threat.
“Some immediate steps businesses can take to protect themselves against cyberthreats are to review their access permissions, back up data, train staff on security best practices, make sure all software is up to date and, importantly, have the appropriate digital security, like Avast Business Antivirus, which includes a firewall, to provide a barrier between your network and cyberattack, and antivirus software, to minimise the impact of threats such as ransomware and phishing attacks.
“Understanding the precautionary measures you can put in place to protect your business is critical – and it doesn’t have to be a difficult and costly task.”
“Cybersecurity is gaining awareness which is encouraging and necessary given the increase in threats. For example, the 2022 CrowdStrike Global Threat Report highlighted an 82 per cent increase in ransomware-related data leaks. It also flagged how adversaries were moving beyond malware with 62 per cent of recent detections being malware-free. Given this, businesses need to ensure their cybersecurity posture is fit to defend against attacks, so how can they do this?
“Here are some practical steps:
“Creating good cyber hygiene for your business starts with educating your employees. Cybersecurity is about people and by incorporating regular training programs into your business, it strengthens your first defence against cyber breaches.
“Phishing is a key driver for cyber threats, yet the Australian Cyber Security Centre found 20 per cent of SMBs didn’t know what the term means. Phishing, when hackers send an email with a suspicious link pretending to be someone they aren’t, can easily be mitigated as simply as strengthening a password. Cyber awareness programs are an investment, and an effective way to establish a strong layer of cybersecurity without blowing the budget.”
“Cyber resilience requires investment and businesses need to understand the financial risks of not having a strong cybersecurity plan in place, but it doesn’t mean blowing the budget. Educating employees should be a priority regardless of a business’s size. In Mimecast’s recent State of Email Security (SOES) report, more than 8 in 10 Australian respondents believe their company is at risk due to inadvertent data leaks by careless or negligent employees, with 52 per cent saying their cyber resilience has been impaired by lack of investment in cybersecurity training for existing staff. Employees are a business’s biggest strength, but when it comes to cyber security, they can be the biggest weakness.
“Using artificial intelligence (AI) and machine learning (ML) is another approach in protecting businesses against cyber threats, saving time, skills, and resources. Our cyber security report also found that only half (49 per cent) of respondents are making use of some combination of AI and ML, and 1 in 10 have no plans to use it. These statistics reveal organisations are falling short when it comes to using technology, and employee training needs to be improved to make it effective.”
“Businesses are shifting their operations to be digital-first as customers utilise more online services, and cyber incidents are continuing to rise. In fact, 56 per cent of Asia Pacific SMBs experienced a cyber incident in 2021. These incidents can cripple business infrastructure and shut down operations. It’s never been more important to invest in better cybersecurity measures to protect business data and employee identity.
“Businesses must go beyond standard login and password measures to add a new layer of enhanced protection. Multi-factor authentication (MFA) methods are one option for this. MFA provides an affordable way for businesses to create easy-to-use, sophisticated and safe means for their employees to log into their systems securely. MFA systems like security keys, secondary authenticator platforms, or face, fingerprint and other biometric security options offer secure ways to build more advanced logins beyond login usernames and passwords.
“MFA makes users a part of login processes in real time, reducing the risk of compromised credentials leading to a cyber attack.”
“77 per cent of all digital attacks are bot-driven, and mitigating attacks from sophisticated bots helps to reduce risk and more effectively protect business threat surfaces. Every company is a target for attack and the impact can be greater than one might think. Bots are becoming more sophisticated, automated and more human-like, easily bypassing fraud and security tools. Fighting sophisticated bots with legacy or manual methods is no match for these advanced threats. If you can stop the bots, you can significantly reduce attacks.
“Another simple and cost-effective way for organisations to strengthen the last line of defence is through employee cybersecurity training. Regularly communicating data security policies, updating employees on the latest threats and tactics, and educating them on how to detect and navigate malicious acts can build resiliency across the business.”
“When it comes to defending your business against cyber threats, security basics are always more important than shiny new security toys. Good IT hygiene dramatically reduces risk at a much lower cost than silver-bullet solutions.
“Here are some ways you can practice keeping your business safe online with good IT hygiene without blowing the budget:
“From simple phone scams to sophisticated phishing emails, businesses are being tasked with implementing innovative approaches to secure valuable data. Robust and responsive cybersecurity is a must have, and they can work in conjunction with tools that help your workflows and offer cost savings.
“Intelligent Automation (IA) can add layers of protection and make your staff’s life easier. For instance, switching to e-invoicing means suppliers can upload their invoices to your portal directly, allowing them to bypass email entirely so employees no longer need to make the call on whether to click on an “invoice” email attachment. Automating accounts processing also means information can be validated, only requiring human oversight in the event of a vetting issue, eliminating fraudulent documents.”
“As the hybrid work environment becomes increasingly popular, so too does the use of the hybrid cloud environment. As these developments proliferate, companies are making massive investments in maintaining the manageability, security and infrastructure of their IT environment.
“But technology alone cannot solve security concerns and it is important for businesses to realize that your organization is only as safe as your least security-savvy employee. The ‘human’ factor is just as critical when building a strong defence against cyberattacks.
“Companies must be educating their employees to recognise and respond to security threats hand-in-hand with your IT team. Regular security training for all employees is an essential and highly cost-effective way to protect your business and prevent attacks that could cost millions.”
“Security concerns have become the biggest issue holding businesses back from digital transformation and their ability to innovate in their industry. These fears can make employees apprehensive to integrate their own data with the rest of the business, creating data silos that contain valuable information that cannot be accessed by anyone else.
“By adopting an API-led composable business model, businesses can reduce the number of data silos and empower even non-technical users to share their data. APIs are infinitely reusable, meaning non-technical employees can integrate their data with confidence that it will be protected. This can dramatically reduce costs by relieving pressure on the IT team to create costly custom integrations whenever a new application is added to the IT ecosystem, giving them the time and resources back to focus on maintaining security. What’s more, APIs can be freely shared between third-parties, meaning you may not need to build your own API to start harnessing them for integration.”
“Businesses are contending with additional threats stemming from hybrid work environments, as the transformation of the workforce continues. In fact, approximately 40 per cent of the CISO community admits that their organisations cannot recover post ransomware without significant disruption.
“The best thing leaders can do is prepare, which doesn’t always need to be a costly endeavour, using the below tips:
“Ensuring cybersecurity has always been associated with huge costs. Mitigating cybersecurity risks and threats without costing a fortune is doable, and it starts with assessing your organisation’s security posture. To do this, you must understand your environment, set the right security objectives, and formulate a security strategy accordingly.
“Understanding your critical infrastructure, where your sensitive data resides (e.g., is it on a multi-cloud or on-premises network), and who has access to your data is the first step. The next step is to define a security objective while keeping in mind the infrastructure assessment. For instance, if your sensitive data resides in a multi-cloud environment, you need a cloud access security broker (CASB) solution to monitor cloud user activities and enforce the right policies. As an additional benefit, a CASB also sheds light on shadow IT and gives you insights into cloud usage. Tight coupling between the infrastructure assessment and the security strategy formulation helps you optimise your budget without compromising on cybersecurity.
“Another important aspect is to leverage already available security architectures and advanced technologies such as zero-trust architecture and risk-based authentication. These technologies reduce the risk of data exposure and tighten identity-based security, giving little to no room for intrusions based on credential misuse.
“The third important factor that contributes to optimising your security budget is to adopt managed detection and response (MDR) services. The cybersecurity landscape is highly dynamic. This leaves a large skills gap, which makes organisations lag behind in terms of defensive security. Adversaries exploit such gaps and launch sophisticated and persistent attacks at a large scale. An MDR service tries to bridge the skills gap and also help enterprises keep up with the dynamic dark web. With the sudden rise in remote work, hybrid networks, and cloud adoption, security professionals find it difficult to keep up with the new security challenges. Deciding how to respond to every detected security event is time-consuming and requires a lot of expertise. Organisations aren’t equipped with enough in-house security professionals who have relevant skills to overcome these challenges. MDR services fill these gaps and are more affordable than hiring and training a security professional.”
“When considering cyber security plans for a business, the decisions are usually influenced by comparing the cost of preventative measures against the cost of damages. However, cyber security is imperative to the survival of businesses, and should always be prioritised. There are simple measures that companies can adopt to enhance their cyber security.
“Protect your business by investing in your staff. Educate your staff about cyber security and their role in fending off cyber threats. Keeping them informed and guiding them would reduce the chances of internal security breaches. A cyber security training course and regular refresher training would be a good start.
“It would also be beneficial to deploy internal guidelines that inform staff how to proceed when faced with a potential IT security risk.
“Finally, undertake due diligence by reporting incidents and ensuring that executives are informed about their legal obligations around data breach notifications and privacy.”
This post was aggregated from Dynamic Business (https://dynamicbusiness.com).