Doctor Digital, I’m super worried about cyber security, it sounds totally overwhelming! What can I do to stop attacks? And do they even care about my little venture in Tasmania?
Doctor Digital Says:
Cyber security does sound overwhelming, and it is normally associated with stories of faceless scary hackers and organised crime. What we hear about on the news are the big issues and data breaches, but a significant amount of disruption happens to small and medium-sized businesses, which are often the ones without an active cyber strategy in place because they think they are too small to bother with.
Unless you are a large, well-known organisation, cyber criminals generally aren’t specifically going after you or your business. Imagine the digital equivalent of a bunch of teens walking along the street and testing every car door until they find an open one, then stealing all your loose change. (Sorry for that blanket stereotype, teens.) Cyber criminals are looking for an open door, then grabbing everything they can in the hope that it will be of some use, or alternatively just to cause disruption because they can.
I talked to Tasmanian cyber security expert Andrew Quill from AQ Advisory to get his top issues for Tasmanian businesses. He spends all his time auditing and securing systems in Australia and beyond, and I figured he would have great visibility of the common mistakes businesses make. He didn’t disappoint, and the good news is that there are lots of ways you can take control of your cyber security in a small to medium business. These are practical steps to make sure you are protected, and the key things that seem to be missing for most businesses are awareness, application and consistency. Here are some of Andrew’s key tips for getting your business secure:
MFA/2FA – Multi-factor or two-factor authentication – with the increasing use of “cloud” and “accessible anywhere” services, this is critical to protect your sensitive transactions. Two-factor authentication is where you use two sources to prove you are who you say you are. If you use services like Xero or MyGov or online banking you will be familiar with this. Enable it wherever it is offered to ensure that you and you alone are accessing your sensitive data.
Password/access security – ABC123, mypetname sound familiar? You would be shocked at the number of people who have thoroughly predictable passwords on their critical devices. These are easily guessed and broken, and you need to step up and make it hard. Using a password manager like LastPass is one option, so you don’t have to remember all those different passwords. Importantly, you need complex passwords/passcodes or biometric identification like face recognition on all devices, especially phones. Passwords need to be changed regularly, at least biannually if not quarterly. Disgruntled staff are a common source of security breaches, so avoid sharing passwords and ensure that all of them are changed when you terminate someone, or even if they leave amicably. All your devices are vulnerable, so for each one make sure any additional security features are enabled, especially for laptops, phones and tablets. Oh, and lock your screens with the shortest possible idle time.
Update and Patch – Regularly apply security, software and firmware patches/updates when they are issued; put a reminder in your calendar if you don’t have automatic notifications set up.
Backups, Business Continuity and Disaster Recovery – the 2019 fires in Tasmania and floods in Queensland should be a graphic reminder that disasters happen, they happen to us, and when they do there is often no time to do any more than save the things that matter most, like people and pets. You don’t want to double the devastation of business disruption by not being able to access any of your business data.
Likewise, if you are the subject of a cyber attack and your business systems get locked down or hijacked, you want business continuity. Maintain, and where possible automate, backups of locally stored or portable data (phones, laptops etc.). This is the fastest and most reliable recovery from attacks such as crypto lockers, blocked access and theft. You must test the arrangements you have in place regularly to ensure they work, and think about which critical documentation you would need for business continuity. If you use cloud services for storage, these too have their outages, and a regular backup makes sure you are covered and in control.
It doesn’t have to be a disaster to be disastrous: what if the internet goes down for a few hours and you have no other means of transacting with your customers? This can severely disrupt many small businesses, so plan for the worst, and be ready to be your best. Andrew also reminds us that physical security is as important as electronic security – it’s not going to help if your backup storage gets stolen, right? So be mindful of where your data is stored and keep your premises tight when you aren’t there.
People, Process and Technology – Additional tips to secure your digital footprint include restricting admin rights on devices so users can’t install dodgy software or apps, securing your WiFi and providing a separate network for guests, contractors and staff. Staff need to be trained and made aware of how to be part of the vigilance, what they need to look out for, and how to deal with anything suspicious. The biggest impediment to being secure is being human. Most of us know we need to take these actions, and most of us ignore them because of the day-to-day pressure of our businesses, internal resistance to technology, or whatever it is. When everyone is involved, you have a ready-made security team watching out for your business. Keep in mind that 80% of security breaches occur through trusted sources and your supply chain. Take the time to keep up to date, to regularly audit your processes, make it part of your staff on-boarding, and make sure that the strongest link in your business is you.