Author: Cybernet

Important Information re recent Data Breaches



On the back of the recent events in the media surrounding the likes of the Optus, AFP, Woolworths and Medibank data breaches, it's now more concerning than ever, and we need to be aware not only of the best practices that help minimise your risk, but also of what you can do and where you can get support and advice in the event of your data being compromised.

Best Practices - Security Safeguards you should consider

1. Implement Multi-factor Authentication (MFA)

- This would apply to Microsoft 365 (emails) and Dropbox (business data) and all web portals that support MFA

- This requires users to supply a code generated by either a mobile phone app or a password manager as a second form of authentication

- This ensures that if passwords are compromised, hackers can't access emails without the second code, which makes an attack more difficult

- This process is a bit of a pain for staff, however, as it adds an extra step in authentication. This can be improved by using a password manager application that supports MFA to simplify the process

2. Implement a password policy supported by a password manager like Bitwarden Teams Edition

- Allows the organisation to have an effective password policy for staff:

  - Individual complex passwords for every login

  - No use of the same or similar password for multiple sites

  - Complex passwords are 14+ characters and a mixture of numbers, letters and characters – ideally staff should not know their passwords for each site

  - Ability to check whether passwords have been compromised via dark web lookup

- Master Password recommendations – This is the key to unlock your password manager on all your devices and is critical. We recommend the use of a pass phrase (series of words) – the longer the better, as this determines the level of encryption on your password manager. Add symbols and numbers to increase its complexity.

- The Teams Edition also includes MFA, which generates the MFA codes required and saves time for staff

3. Invest in additional tools to protect emails

- Microsoft 365 includes basic anti-spam protection as standard, but there are additional products available that allow for higher levels of spam and phishing email protection

- This does come at the additional cost of upgrading Microsoft 365 licensing to the premium edition to get access to the extra security tools

4. Invest in staff cyber-security training (human risk management)

- We have a web-based staff training solution that we recommend applying across the organisation so everyone gets regular training on cyber security threats

- Phish Threat Testing – fake phishing emails sent out periodically to test staff

- 10 min videos and questionnaire – 80% pass mark recommended – monthly or every 2 weeks scheduled

- Management reports

5. Develop and enforce IT security policies

- This ties in with cyber security training but is also for regulatory and legal protection

- Requires development of multiple policies (we have templates that can be used as starting points) and organising staff to read and comply

6. Review cyber insurance options

- IT security reduces risk, but with the high costs associated with cyber fraud it is definitely worth reviewing cyber insurance

What to Do in the Event of your Data being Compromised

Business Data Breach:

If you see anything suspicious or are concerned your business has been the victim of a phishing attack or a data breach, the first step should be to reach out to us immediately for advice and assistance, so we can help you minimise the ongoing exposure and work with you on the steps necessary for recovery.

Personal Data Breach:

If your personal data has been breached in a public data breach like the Optus or Medibank ones, there is a great website, IDCARE, that can be of great assistance to you.

IDCARE is Australia and New Zealand’s national identity and cyber support service. They are a not-for-profit charity that was formed to address a critical support gap for individuals confronting identity and cyber security concerns. This gap requires specialist Identity & Cyber Security Case Managers and Analysts that apply a human-centered approach to identity and cyber security. Their focus is on the concerns and needs of the individual, not the technology or process.

Look them up at www.idcare.org

Posted at 26 October 22