The federal government has begun the process of introducing Notifiable Data Breach legislation, which will require many businesses and organisations to notify customers at risk of serious harm due to “unauthorised access” to personal and financial information.
It is a small step in the right direction and is sure to increase the exposure and discussion of security and privacy breaches.
Unfortunately, the new legislation will catch many small businesses and organisations flat-footed; hands up if you already have a good security policy in place. I didn’t think so
Good clear policies are the cornerstone of developing a strong and secure business
So, let's take a moment to talk about cyber security: Why it’s important; how it affects everyday businesses; government departments; and organisations. More importantly, we’ll take a look at what positive steps you can take to improve your own security, reduce your risk of cyber attacks and protect yourself from data breaches.
In this two-part series we are going to take a look at the foundations of good cyber security: Business rules and security policies.
Part one will examine the background of security issues and the changing tide of privacy and information security.
In part two, we’ll help guide your security policy development by providing you with a simple framework for thinking about your organisational needs and how you can mitigate risks.
While mass data breaches are a serious problem, they’re not necessarily any more destructive than a small breach of private user data
By the end of these articles, you should understand why security matters, why there’s no such thing as a “small breach”, why every breach needs to be handled with due care and responsibility, and some non-technical tips for developing, improving and implementing your own business security policies.
These articles will also help you facilitate your own security discussions. I also hope to provide a resource that you can bookmark, and check back with from time to time (a security health-check so to speak).
How did we get here?Every day, it seems that yet another big government department or huge technology firm has been hit by a hack or data breach. This has resulted in many smaller businesses and corporate info-tech teams adopting one of two positions on security:
1) We’re too small so we won’t get targeted.
2) We’re going to get hit anyway, there’s not much we can do about it.
For many it seems that cyber security problems are insurmountable, and attacks inevitable. This type of thinking is dangerous and plays in to the hands of hackers and malware authors. The reality is that there’s plenty you can do to raise the security bar, and protect your business and your reputation.
Step back and think about all of your information technology concerns: Chances are you’re running servers that are under capacity; operating systems that haven’t been updated; systems that have been developed in house but are no longer supported; unmaintained websites; a mess of shared folders used for ad-hoc file sharing; shared administrative logins and passwords.
Perhaps you recognise some of these issues; maybe you recognise all of them. These issues create an environment primed and ready for a cyber security breach.
IT isn’t the strong suit of most businesses. Furthermore, IT resources are often stretched, so allocation of resources to anything other than a crisis just doesn’t happen.
Identify your information assets, access requirements and security capabilities
The lack of security focus in businesses and organisations is a real problem. At the moment, we seem to be happy to turn a blind eye to security breaches.
We collectively allow incidents to occur, and apologise for the consequences later. This lackadaisical acceptance of mediocre security feeds back on itself by reducing security through inaction and rewarding hackers with easy targets.
So, with no momentum, and no imperative, it seems many have adopted a strategy of doing nothing — why waste resources and effort improving the security of your organisation?
With limited security capital, even motivated businesses are often paralysed, wondering how to begin addressing their security issues.
The tide is turningThe security and privacy landscape is changing. It’s clear from the negative public reaction to the Australian 2016 Census that privacy isn't dead. Furthermore, the new reporting requirements will at the very least provide a platform for highlighting the prevalence of data breaches in Australia.Cyber security problems (and our reactions to them) have been developing for decades. The early days of the Internet were like the wild west of computer networks. Tech enthusiasts emerged from modem dial-up bulletin boards, to explore the new digital frontier, hacking and cracking their way through university and government systems alike.
Clifford Stoll weaves a fantastic tale in The Cuckoo’s Egg, in which he tracks a hacker through the computer systems of Berkeley University. Much of the book talks about the openness of computer systems. Easy access and an open door policy were widely regarded as a virtue by system administrators and academics alike.
Over time, the calibre of hackers increased, and the motives of some hackers changed: From curious research, to espionage and malicious damage. The easy accessibility and connectivity of these Internet connected computers turned from virtue to liability, almost overnight.
So, while the most recent network and data breaches seem to be zero-consequence events, public perception and regulators are starting to catch up.
The tide is turning, and unless all organisations step-up to protect themselves and their clients, they could soon find themselves on the rocks — facing either a PR nightmare, or in breach of our new privacy laws.
An ‘insignificant’ breachPicture this: you receive an email from a company you trust. What if that email comes to you as the result of a breach of their systems? It may seem like a trivial concern, but even small fragments of information, or implied relationships improve the success rate of malware and phishing attacks.While mass data breaches are a serious problem, they’re not necessarily any more destructive than a small breach of private user data. Small breaches may be more personal in nature and allow more targeted and bespoke scams.All breaches need to be handled with the appropriate level of care and sensitivity.An attacker that knows your email address and relationships can craft a realistic email urging you to click a link, or open an infected (fake) invoice file or resume. Unlike the ‘dragnet’ approach used by many scammers, these more targeted attacks have a higher rate of success.
All breaches need to be handled with the appropriate level of care and sensitivity.
I’ve personally seen the effects an ‘insignificant’ data breach can have on small businesses. What initially starts as the exposure of a mailing list can quickly open the door to malware, ransomware attacks, phishing and similar scams.
The Australian Competition and Consumer Commission’s Scam Watch website is a great resource for understanding the latest trends. Most of the ACCC’s Scam Watch recommendations break down to a combination of: awareness and education; protection of computers and networks from malware and viruses; and, most importantly, clearly defined business policies and procedures.
Implementing a few basic security safeguards and business rules can go a long way to help protect your business and your clients.
Learn from the pastBusinesses impacted by scams, hacks or malware, have a few common complaints. It’s not uncommon to hear teams lament: “Our backups didn’t work THIS time…” or, “We should have checked the account before making the transfer…” or, “We had the same password on my email as we did for our online banking”; or… or… or… (The list goes on.)Many security threats are relatively unsophisticated and rely on tried and tested techniques. They exploit unmaintained systems, social engineering, weak passwords, and poor business processes. These recurring themes should be a clue.The reality is that most cyber attacks aren’t new. Nearly all scams and hacks are simple variations on previous attacks. They continue to work because of poor business process and a lack of security policies.
If you’ve read about malware attacks, or know of businesses that have been hacked, try to learn about the types of problems they’ve had with their breach, and recovery.
The more you understand about the history of security breaches, the more prepared you’ll be to protect yourself and your organisation.
While technology failures such as ineffective virus scanners, or broken firewall rules certainly play a part in data breaches. If you have good security policies, then you’ll be well positioned to cope with cyber security threats.
How to begin?Firstly, relax!
Cyber security is an issue to be taken seriously, but what is needed is a deliberate, methodical approach — the sky isn’t falling (not today at least). Work to understand your business technology landscape. Identify your information assets, access requirements and security capabilities. This will show you what you have and what you need to protect.
Once you’ve identified what’s important to you then you’ll need to identify your problems. While there is a significant technical element to troubleshooting and securing networks and devices, many of the problems facing smaller businesses and organisations are due to lack of clearly defined policies.
Good clear policies are the cornerstone of developing a strong and secure business. This is because your policies will drive everything from what computers and devices you select, to how your servers and email are configured.
It’s important to get the balance between security and accessibility right. If your security policies are too strict, you’ll quickly find that your users (staff, management and even clients) will find ways to circumvent them.
Sometimes security policy failures are a sign that they’re restricting your business activities too much. Other times these failures are a sign that your users don’t share your security values.
Your goal: Raise the bar on securityBroadly, your goals should be:
- Understand your business environment. What data do you need to operate your business; what data do you need to protect; who should have access to the data; what technologies do you have at your disposal; what are the ramifications of a hack or malware infection; and, what budget (if any) is available to improve your security defences.
- Run non-technical “what if” scenarios. For each of your information assets and technologies, ask yourself. “What if this data is accidentally erased?”, “What if this data is stolen by a disgruntled employee?”, “What if this server is hit by lightning?”
- Develop and document security policies to address the most serious “what if” scenarios. Your policies should be written in short and easy to understand non-technical statements that capture your goals and requirements.
- Implement the policies using whatever technologies or expertise you have at your disposal. Working with your IT team, get them to find solutions that minimise the risks of these events.
- Rinse, and repeat on a regular basis.
Security is a process — start nowThe security policy development process is relatively straightforward. It’s about clearly stating how your business should operate and what tools and people you have at your disposal.By clearly defining and socialising security policies you will help to foster “security values” within your organisation; this will go a long way to helping secure all aspects of your business process.The first step is to look back at your business to understand your needs.In the words of the late Terry Pratchett:
If you don’t know where you come from, then you don’t know where you are, and if you don’t know where you are, then you don’t know where you’re going.For many, developing a security policy is a daunting task. That’s ok! There’s no need to do everything yourself, but only you know your business needs.Regardless of the IT and cyber security expertise you enlist, you will ultimately be responsible for the broad security policy decisions that underpin your business processes.Start now.Next: Read Security policy 101: How to develop security policies for your business and our Quick and dirty guide to security policy creation.
holds a Master's Degree in Cyber Security and is a director of
Impression Research. He consults on matters of privacy, security,
digital forensics, and incident response. His focus is on the correct
application of cryptography. He is passionate about educating business
on complex security issues. Follow Nikolai on Twitter: