Cyber attacks: the things you can be doing to protect your business

Prime Minister Scott Morrison is right to say that a sophisticated, state-sponsored cyber attack on Australian government agencies and businesses is “not a surprise” and part of “the world that we live in.”

Purple 19 Jun 2020

Statistics bear that out. Since Australia’s Notifiable Data Breaches Scheme came into effect in early 2018, more than 60 per cent of breaches have been the result of malicious or criminal activity, much of it perpetrated online.

The most recent release of NDBS statistics, covering six months from July to December of 2019, showed a total of 343 malicious breaches (64 per cent of all breaches). Of those, 230 incidents (67 per cent) were cyber-related.

Large-scale, well-organised cyber attacks are concerning because of their capacity to impact our everyday lives and cause damage to the reputation of companies. On a day-to-day basis, businesses may worry about their employees accidentally sending information to the wrong people or clicking on a rogue link – but they probably don’t spend too much time thinking about agents from another country trying to get into their systems.

The good news is that a series of simple and familiar steps provide a basic starting point for protecting your business against all manner of cyber attacks.

At the start of the COVID-19 pandemic, I wrote a story about the particular need for us all to stay cyber-safe as we transitioned to working en masse from home.

The tips in that story are as vital now as they were three months ago. To recap:

  1. Internet connection – make sure it’s secure (ideally by using a VPN) and change the Wi-Fi router’s password from the one it came with.
  2. Anti-virus and security software – don’t even think of operating without them, on any laptop or computer, whether it belongs to you personally or your business.
  3. Back-up strategy – even if you can access your work server from home, it’s safer and more secure to have a back-up and restore plan.
  4. Password protection – don’t ever send passwords via email. Use a password management system like LastPass instead.
  5. Multi-factor authentication – using this means that even if someone gets your password, they would also need to access your mobile phone, which is unlikely, to complete a logon.

That final tip should come with a “last but definitely not least” disclaimer. It’s one of the first things Defence Minister Linda Reynolds mentioned when asked for advice on what steps we can take to protect ourselves. Last year I spoke to Perth cyber security expert and Diamond Cyber CEO Sven Ross, who gave this advice:

“The most effective strategy to protect against credential theft is not resetting passwords or preventing re-use, it is multi-factor authentication,” Mr Ross said.

“A stolen password is useless if it must be paired with another factor of authentication: something you know (password), something you have (one-time token/passcode), something you are (biometrics).”

Minister Reynolds also advised businesses to partner with the Australian Cyber Security Centre to stay up to date with the latest warnings and advice, and to “patch your internet-facing devices promptly, ensuring that any web or email servers are fully updated with the latest software.”

One aspect of data breaches and cyber attacks that needs mentioning is that you can – and should – prepare in advance for them.

As Australian regulators have said publicly, it’s less a case of if your business will be breached and more a matter of when. This rings especially true when you consider how many data breaches have a human hand in them, like an employee clicking on a link in a phishing email.

I know from experience in managing them on behalf of clients that data breaches can be long and protracted affairs. Unlike a “normal” crisis, where an issue will often peak quickly and then slide away, a data breach can play out over months. The breach may initially look like it impacts only a few hundred people but it’s not uncommon for this to then grow into the tens of thousands or even more as additional information becomes available.

Businesses that cope best with these situations and limit damage to their reputations are the ones that prepare for them. This includes knowing how you will communicate with stakeholders about the scope of the breach and also what is being done about it.

Investing time and money now in developing that plan will make life significantly easier for your business when a breach does occur.

Purple Director of Design and Digital Jamie Wilkinson is an expert in proactively preparing communications strategies to respond to data breaches and managing communications during a data breach crisis.

Main image by Mika Baumeister on Unsplash