27 Mar 2023, by Slade Baylis
When it comes to cyber-security, the old proverb that it’s better to “hope for the best, but plan for the worst” is still relevant today. Even though the literary use of the phrase has been traced back to the 1800s, when it appeared in Benjamin Disraeli’s book “The Wondrous Tale of Alroy”, it remains sound advice for the security of your business’s digital front door. When it comes to protecting your business from cyber-crime, it’s imperative to take steps to protect yourself against the worst-case scenarios - even though they may be unlikely, the cost of being vulnerable to them could be astronomical.
From cyber-attacks that could cause you to lose your data (including confidential business or sensitive customer information) to cyber-attacks that could take your essential systems offline, each of these scenarios will likely cause massive damage to your business. When these sorts of attacks occur, customers are usually concerned (and rightfully so) about the privacy of their confidential information, and usually begin to reconsider doing business with those organisations in the future. Not only can these attacks cause material damage in the moment, but they can also impact the financial viability of your business in the future.
It’s for these reasons that we’ll be going over some of our top recommendations for how to best protect your business from today’s leading cyber-security threats. Each recommendation has been chosen to improve your security posture – not only to protect your own organisation, but also to protect your customers.
Due to the serious consequences that arise if someone gains unauthorised access to your systems, it’s essential that your systems adequately verify the identity of your users before granting them access. The good news is that there is now a near-ubiquitous option for doing this: MFA (Multi-Factor Authentication).
Multi-factor authentication took a while to become a standard feature of most online services. Originally developed in the late 1990s and early 2000s, it took the form of 2FA (Two-Factor Authentication), wherein certain large organisations - such as AT&T - required their staff to verify their identity via two methods before being granted access to restricted systems. At the time, due to the cost of implementing these techniques, they were largely only an option for large corporates. However, with the development and ever-increasing use of smart-phones, most online services now offer some form of MFA through either SMS or a smart-phone app. So what exactly are 2FA and MFA, and how do they work?
In large part, the name itself is the answer - both 2FA and MFA are authentication techniques that aim to only authenticate legitimate users by requiring two or more pieces of evidence (called “factors”) that prove they are who they say they are. The factors should be of different kinds - typically something the user knows (a password), something they have (a phone or hardware token) and something they are (a fingerprint or face) - so that compromising any one of them, such as a leaked password, is not enough on its own. The only difference between 2FA and MFA is that 2FA uses exactly two factors, whereas MFA allows two or more. In one of the most common implementations, the user is required to enter a code that is SMS’d to their registered phone number. The idea is that the SMS message should only be receivable by the legitimate user who possesses the phone, so if they can provide the code, it increases the likelihood that they are who they say they are. SMS is the weakest of the common second factors, however: phone numbers can be ported or SIM-swapped, and the code itself can be phished out of the user, so where a service offers an authenticator app or a hardware key, prefer that.
Some other forms of 2FA and MFA include: the service sending an email to the user containing a link that they must click to authenticate the request or login; the service requiring the user to insert a dedicated USB security key (such as a YubiKey) and press a button on it - these keys sign a challenge that is tied to the website’s address, which is why they resist phishing; or the user having to confirm the request in an authenticator app or a pop-up on their phone (these push prompts should show what is being approved, since attackers have learned to spam them until a tired user taps “approve”). In the authenticator-app case, the six-digit code is usually a time-based one-time password that the phone and the server both compute from a shared secret and the current time, so nothing has to be sent over the phone network at all.
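As an added example (this is not Micron21’s code and is not from the original article), the following shows how the server side of an authenticator-app code check works, assuming the app uses TOTP (RFC 6238), which Google Authenticator, Microsoft Authenticator and most similar apps do. The secret and timestamps are constructed test values - the secret is the RFC 4226/6238 test secret, so the codes it produces can be checked against the RFC test vectors - and the function names are our own.

```python
"""Server-side TOTP (RFC 6238) verification - added example, not Micron21 code.

Assumptions: the authenticator app implements RFC 6238 with HMAC-SHA1,
30-second steps and 6 digits (the defaults used by most apps). The secret
below is the RFC 4226/6238 test secret, a constructed value, not a real key.
"""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional, Tuple


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
    then "dynamic truncation" down to a `digits`-long decimal code."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # low nibble of last byte picks the window
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from the clock."""
    return hotp(secret, at // step, digits)


def secret_from_base32(encoded: str) -> bytes:
    """Authenticator apps are provisioned with the shared secret in base32
    (inside an otpauth:// QR code); decode it to the raw bytes HMAC needs."""
    cleaned = encoded.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)            # re-add padding apps usually omit
    return base64.b32decode(cleaned)


def verify_totp(secret: bytes, code: str, at: Optional[int] = None,
                step: int = 30, digits: int = 6, window: int = 1,
                last_used_counter: Optional[int] = None) -> Tuple[bool, Optional[int]]:
    """Check a user-supplied code against the current time step, tolerating
    `window` steps either side for clock skew and typing delay.

    Returns (accepted, counter). The caller must persist the accepted counter
    and pass it back as `last_used_counter` on the next attempt, so that a code
    captured in transit cannot be replayed while it is still inside the window.
    The comparison is constant-time so the check leaks nothing about the code.
    """
    if not (code.isascii() and code.isdigit() and len(code) == digits):
        return False, None
    now = int(time.time()) if at is None else at
    current = now // step
    for counter in range(max(0, current - window), current + window + 1):
        if last_used_counter is not None and counter <= last_used_counter:
            continue                                # already consumed (or older): reject replay
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            return True, counter
    return False, None


if __name__ == "__main__":
    SECRET = b"12345678901234567890"                # RFC test secret (constructed)
    print(totp(SECRET, 59))                         # 287082, per RFC 6238 (6-digit)
    ok, used = verify_totp(SECRET, "287082", at=70)
    print(ok, used)                                 # True 1
    print(verify_totp(SECRET, "287082", at=70, last_used_counter=used))  # (False, None)
```

The two details that are easy to get wrong in a home-grown check are the ones the function is built around: accepting the neighbouring time steps (otherwise a phone a few seconds out of sync locks users out) while recording the step that was accepted so the same code is refused a second time, and comparing with `hmac.compare_digest` rather than `==`.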
In the recent Medibank data breach that occurred in late 2022, it was the lack of two-factor authentication that allowed malicious third parties to use stolen staff credentials to gain access to their systems. As reported in our Optus, Medibank, and now Harcourts – If they can be breached, what can you do to prevent it? article at the time, Medibank revealed that the criminals were able to steal the login credentials of a single support desk worker at the health insurer and use them to gain access to its systems.
Earlier this month, Latitude Financial - a company that issues consumer loans and runs a “buy now, pay later” scheme used by major retailers - was hit by a similar attack. As reported at the time by ABC News [1], Latitude Financial revealed that the personal information of more than 300,000 customers had been stolen, including driver’s licences. They also revealed that the source of the attack was the stolen login details of a Latitude employee, which were then used to steal identity documents from two service providers used by Latitude.
Since then, however, ABC News [2] has reported that Latitude has confirmed 7.9 million Australian and New Zealand driver’s licence numbers, 53,000 passport numbers and just under 100 monthly financial statements were stolen in the attack - making the cyber-attack on Latitude Financial the largest-known data breach of an Australian financial institution.
In this case in particular, it appears that the unnecessary long-term storage of customer data left them exposed to this sort of attack. Of the information stolen, 6.1 million of the customer records had been provided prior to 2013, with some dating all the way back to 2005 - records retained when Latitude took over from GE Finance. This should serve as a warning to review what customer data is stored within your systems, especially data that is no longer required: what you don’t hold can’t be stolen from you. Whilst properly destroying customer data can be a costly exercise in some circumstances, failing to do so raises questions around corporate and data governance, as well as data security.
However, in each of these cases, had 2FA (or better yet, MFA) been in place, these credentials alone would not have been enough to gain access. Not only that, but logins where the password succeeded and the 2FA/MFA step was never completed are exactly the kind of event a cyber-security team can alert on, potentially giving them enough time to detect and shut down the intrusion before any data was taken.
With these additional validation methods now available for nearly every online service, we highly recommend making them mandatory for all staff as part of your standard security policies.
Whilst it’s always been true that it’s important to have backups of your IT infrastructure - so that you can restore those systems back to full functionality in the event of a disaster - it’s even more imperative in a world with an ever-increasing risk of ransomware.
As reported in our Dangerous cyber-threats to look out for leading into 2023 article, the Australian Cyber Security Centre (ACSC) advised Australian organisations to urgently adopt an “enhanced cyber-security posture” in response to the reportedly near 50% increase in cyber-attacks since Q4 2021. With ransomware being one of the most frequent types of attacks targeting organisations due to their unfortunately lucrative nature, it’s important that you don’t find yourself in the position of feeling required to pay their demanded ransom to retrieve your own data.
By making sure you have frequent backups, you can rest assured that even in these circumstances you are able to restore systems to full functionality and retrieve your data, all without incentivising further cyber-crime against others - or even yourself in the future! Two caveats apply. Ransomware operators routinely try to delete or encrypt backups before they trigger, so at least one copy needs to be offline, immutable, or otherwise unreachable with the credentials used on the live systems. And a backup you have never restored from is only a hope, so test your restores on a schedule, not just your backups.
In the past, one of the easiest ways of implementing basic security for a user’s device was to install an anti-virus application. However, with the ever-increasing sophistication of cyber-crime, this unfortunately isn’t enough anymore. Anti-virus was always only a single technique among many, but in the modern day - in which AI-assisted and fileless malware are becoming much more common - better solutions, such as endpoint protection that uses behaviour-based detection, are now required.
As reported in our With 80% of malware evading antivirus applications, signature-based protection isn’t enough anymore article last month, behaviour-based and heuristic-based detection methods allow these security solutions to detect malware that evades traditional anti-virus applications. Not only that, but because they don’t rely on already knowing what the malicious code looks like, they also have a chance of catching brand-new threats for which no signature exists yet, including those exploiting so-called “zero-day” vulnerabilities. It’s for this reason that we recommend our clients look at utilising these technologies to increase the overall security posture of their business.
Protecting endpoints from security threats using software is only one piece of the puzzle though, as having visibility over your systems and the devices that your staff use to access them is also a critical part of any security policy.
In a world where remote work is becoming an ever-increasing part of work life - with that shift, in no small part, triggered by the lockdown policies put in place in response to COVID-19 - the devices used by those staff are now the edge of your company’s network. Each device is a potential entry point for a malicious actor into your systems, so ensuring that they are monitored, kept up to date, and protected using security software needs to be a part of every organisation’s security strategy.
However, with this being a requirement for maintaining the security of your infrastructure, important questions arise regarding privacy and the boundaries between work and home life. Staff are rightly concerned by such software being installed onto personal devices, which is why we recommend that staff only perform work on devices supplied by their workplace. Providing devices - such as phones and laptops - to staff who are required to work remotely gives them a clear separation from their own personal devices, easing concerns regarding privacy. It also allows for the deployment of endpoint security and management software, so that IT departments can ensure these devices stay patched and secure and are not an exploitable entry-point into your infrastructure.
It’s through these types of approaches that organisations will be able to maintain a strengthened security posture in the face of increased remote-work policies and the ever-growing sophistication of cyber-attacks.
With regards to IT security, the saying “you can’t improve what you can’t measure” holds true - if you don’t know how your organisation is vulnerable to cyber-security threats, then there’s no way that you can protect yourself against them.
Every organisation is exposed to a different set of threats. Security policies reduce risk, but they can never reduce it to zero. In addition, the technologies, services and hardware used to mitigate those threats aren’t free, so the decision to use them needs to be informed by a business case that takes these costs into account. It would be great if every business could implement every security service to reduce their exposure, but the fiscal realities that every business contends with often stand in the way! Before a business case can be made, however, each organisation needs to know how it is exposed and what options exist for mitigating those risks - and this is where security audits come in.
In the same way that it can be hard for an artist to look at their own work with an unbiased eye and see what needs to be improved, for organisations it can be hard to know where your own weak points are. It’s due to this that we recommend that each organisation looks to engage with external cyber-security professionals for conducting audits of their overall organisational security posture.
Whether it’s through implementing policies in line with those detailed in the Australian Cyber Security Centre’s (ACSC) Essential Eight Maturity Model, or implementing something more unique and tailored - these forms of external assessment services can help you identify where your biggest weak points are, help you formulate or improve on your internal security policies, as well as develop long-term strategies for pre-empting any new security threats that may be around the corner.
Here at Micron21, we practice what we preach. Even though we are an industry leader and help our clients with their own security, such as by auditing their security posture, we too have external organisations assess and accredit our security policies, procedures and technology - we do all this to ensure that we stay ahead of modern threats. For example, we are ISO 27001, 27002 and 27018 compliant and accredited, which are all standards surrounding information security and protecting both our own and our customers’ private information.
One of the most prevalent forms of cyber-attacks are attacks that focus on misleading and exploiting staff directly, primarily in the form of phishing attacks. With that being the case, one of the most important ways of protecting yourself from cyber-crime is to make sure that staff are trained in and knowledgeable on what to be on the lookout for.
Through regular staff training, having clear internal security policies, and potentially even additional security services to prevent these types of attacks reaching you in the first place (such as email filtering), you can dramatically reduce the likelihood that these human-focused types of attacks will succeed. Importantly, clear and easy-to-follow internal security policies – as well as having communication channels open for feedback - will allow your staff to comply with those rules, avoid confusion, and help you identify pain points and help you improve those policies for the future.
For those interested, we went into detail about phishing attacks - including the history of how it developed, how it works, as well as how you can protect yourself from it – in our recent Deep Dive – What is phishing, where did it come from, and how can you avoid it? article last month.
If you have any questions about your own infrastructure and how it can be improved and made more secure, you can reach out to us on 1300 769 972 (Option #1) or email us at sales@micron21.com and we’ll be able to discuss your unique situation and the best ways to enhance the security of your systems and organisation.
In fact, for those interested and within the Bayswater Business Precinct, we also currently have a FREE one-hour consultation available. During this assessment we can help you assess your organisation’s cyber-security position, as well as help you find any vulnerabilities using an external vulnerability scan of your IT infrastructure!
[1] ABC News, “Latitude Financial hit by cyber attack, more than 300,000 identity documents stolen”, <https://www.abc.net.au/news/2023-03-16/latitude-hack-300000-identity-documents-stolen/102104424>
[2] ABC News, “Latitude Financial customers frustrated at lack of communication after millions of personal records stolen in cyber attack”, <https://www.abc.net.au/news/2023-03-28/latitude-financial-customers-frustrated-lack-of-communication/102151166>