According to the 2019 Telstra Security Report, “83 per cent of organisations spend up to 20 per cent of their overall IT budget on security.” Respondents to the same report flagged their top two challenges as “the ability to timely detect and respond to incidents and the impact of new technologies.”
With this in mind, cyber security should continue to be a priority for your business, because no business is immune, whether big, small or somewhere in between.
Here phishy, phishy, phishy
One of the most pervasive, ongoing threats to your IT security in 2019 is phishing.
Michelle Drolet, CEO of data protection company Towerwall writes in Forbes that “unsuspecting users continue to fall prey, taking the bait from well-crafted business email compromise (BEC) attacks, phishing emails and malicious URLs.”
The Telstra Security Report 2019 also shows businesses are still falling prey, stating: “Among the subset of organisations that suffered business interruption due to a security breach, 35 per cent of Australian organisations reported phishing incidents on a weekly or monthly basis.”
Poorly thought out phishing emails – those emails that jump out as suspicious – are becoming less common. Today, phishing has become localised, personalised and geo-targeted, so it’s important to be extra vigilant. Tech podcast Reply All did an episode a little while ago on how phishing has changed, and can catch out even the most savvy of computer users.
Question: How should I front-up to phishing attacks?
Answer: For a phishing attack, and business email compromise (BEC) in particular, to succeed, it requires some response or input from the recipient, who could be a member of your team. This is where the human element is vital. As Matthew Wilson of Penten says, “a fundamental, but overlooked, element in cyber security [is] training staff in what to look for and what not to look for.” Training your team on prominent threats, and showing them what to look out for, will lessen the chances of them handing over the keys to your castle.
Securing all the ‘Things’
The ‘Internet of Things’ is almost becoming synonymous with ‘every single gadget’ we use in business these days. That’s right, if it connects to the internet it’s a member of the Internet of Things – and that’s pretty much everything.
With social media, cloud use, and the ever-growing power of mobile on 5G, the concept that a network is something physical, and difficult to penetrate, is outdated.
The change from physical to virtual has made it easier for hackers to spot weaknesses. And all these ‘Things’ are endpoints open to exploitation.
Why are IoT devices more prone to being breached? Many IoT devices run on default passwords that the user has never changed. Combine this with the fact that they are made to be available 24/7 and always connected, and the risk only increases.
Question: How do you secure your devices in 2019, in the age of the Internet of Things?
Answer: Michelle Drolet recommends endpoint detection and response, proactive monitoring for incidents, zero-day protection like Telstra Internet Protection, and keeping all endpoint devices, whether mobile, tablet or some other ‘Thing’, up to date with patches.
Business, the NDB and the GDPR: What do they mean in 2019?
Europe’s GDPR, the General Data Protection Regulation, may be European-based but it has implications for Australian businesses via its influence on Australia’s Notifiable Data Breaches (NDB) scheme.
By now, you should be across your privacy law obligations as part of the NDB. Broadly, it’s the need to notify the Office of the Information Commissioner of any data breaches that impact your business and to take certain steps. But why are businesses from Australia, the US and elsewhere looking at the European-based GDPR compliance rules? The answer: the regulations still apply to many businesses outside of Europe, and the principles that underpin the law can be learned from and applied universally.
California might be a long way from Europe but the GDPR inspired legislative change there last year, a trend set to continue in 2019. California passed AB 375, the California Consumer Privacy Act of 2018, which will take effect at the start of 2020. Forbes recommends “businesses … think of GDPR as a journey to raise the bar in IT security and not the final destination.”
Question: What does my business need to do to keep up with the GDPR in 2019?
Answer: As Mumbrella suggests, look first at your supply chain. “The first thing to consider is that, while your business may not directly collect the personal information of individuals in the European Union, the GDPR may still affect you indirectly because of the agreements you have with customers or suppliers.”
If your business sells goods or services directly to people in the EU, or you collect their personal information, then the GDPR might apply to you.
And more than that, it’s good business. If you deal with businesses in Europe, those affected by the GDPR, they’ll want to know that you’re compliant with the same rules in order to safeguard themselves.
Start by asking: “Do I deal with the personal information of EU customers or those in my supply chain?” This can be complicated – so seeking legal advice on this is advised.
Handling the mix of managed and unmanaged devices
The modern workplace is nothing like the workplace of yesteryear – no longer is it a case of ‘here’s your desk, here’s your computer’. Today’s workplace is a vast mix of devices, and not all of them are provided by the business – especially in small-to-medium operators, which don’t have the same level of investment in tech infrastructure as, say, a corporation to draw from or pass around.
Question: What’s the best way to handle managed and unmanaged devices?
Answer: The State of Endpoint Security Risk Report by Ponemon Institute reports that the risk from endpoint devices has risen significantly in recent years and the trend looks to continue. The way to respond is with a combination of robust policies on the usage of devices at work and how they’re managed along with updated security, like Telstra’s Endpoint Security and Protection.
Stickman, an Australian cyber security design business, recommends starting with “strict multi-factor authentication (MFA) policies, that require staff to verify their identity on multiple devices when accessing organisational resources.”
The challenge that lurks in the shadows
Running parallel to the topic of managed versus unmanaged devices is the growing issue of what are known as shadow IT resources. These are the pieces of software and applications that make it onto business devices without being supposed to be there – a common event when humans and tech interact in the name of getting things done. With just a finger tap, a team member could be using non-approved applications in seconds.
Business and technology site Gartner predicts that in the lead-up to 2020, up to one third of cyber attacks will come through these ‘shadowy’ sources. As IBM recently found, one out of three company employees regularly use cloud-based software-as-a-service (SaaS) apps (like Google Docs, for example) that haven’t been explicitly approved by the business.
Users have become increasingly comfortable downloading and using apps and services from the cloud to assist them in their work.
While the intention is positive, the outcome can be negative.
Question: How do I solve the problem of shadow IT?
Answer: The answer is multi-faceted. Fostering a safe culture through policies and awareness is the first step to take. But if you want to bolster your security policies and education with a tech solution, cloud access security brokers (CASBs) can be deployed to provide visibility and control over these external apps, so you can see who is using what and block it if needed.
Ultimately, user awareness is the trend to embrace
All the tech in the world won’t help you if your team aren’t aware of the risks, so a secure culture is more important than ever in 2019.
Risk management specialists, Marsh, put culture at the top of their trends list for this year: “A strong cyber security culture should not only focus on the training of employees to build awareness of common forms of threats (phishing emails, social engineering scams) but should also empower individuals to understand their responsibility and the critical role they play in the success of their company’s cyber risk management framework.”
Question: How do I go about fostering the right kind of secure culture in my business?
Answer: Empower your team to know their role in the broader security picture. If an employee knows the ‘why’ behind keeping their eyes wide open for threats, they’re more likely to engage with secure processes.