Protecting Australian Business from Cyber Crime: an easy title to write, but a topic that is beyond complex to implement for many small to mid-sized businesses in Australia in 2022.
The secret is that getting started on a cyber security journey is not complex: doing the basics is easy and reduces the risk of cyber crime affecting your business immeasurably. This applies to an organisation of any size; it is simply a matter of getting to the point where the benefits outweigh the costs (both financial and reputational).
“You just need to do it. Start small. Start anywhere. It just doesn’t matter. You just take the first step.” – John Kindervag, creator of Zero Trust
Just as the quote above says: do something, anything, because anything is better than where you are now.
Two weeks ago I was involved in a case of Business Email Compromise (BEC) where a finance officer's credentials had been compromised and the organisation did not have multi-factor authentication (MFA) enabled. The criminal, using the stolen credentials, impersonated the finance officer and sent an email to procurement asking for a $33k AUD payment to be made.
Procurement made the payment and the organisation lost $33k in an instant. While the criminal had access, they also removed all traces of the email communications, making it even more difficult to track down exactly what had happened until it was too late to reverse the payment.
Lessening the risk of a successful compromise against your business does not require much planning or cost. It requires time and effort, as well as a small amount of understanding from your employees that there are some extra hoops they may have to jump through to perform their jobs. The advantage of these extra ‘hoops’ is that they still have a job to come to: a $33k loss would be fatal to many small businesses in Australia, period.
Please look at the Australian Signals Directorate Essential 8 mitigations as a first step; use the ACSC website to learn more here.
Next, use this handy Victorian Government cyber security guide. It is provided by the Victorian government, but it offers very good guidance on where to get started. Doing something is better than doing nothing; I wrote about this recently here.
Victorian Government Office 365 Security Guidance
The Australian State of Victoria has built a great resource for securing organisations. Its recommendation is that any organisation should achieve a Microsoft Secure Score of 75%, and that organisations aiming to be secure should reach a Secure Score of 85%.
Above is the linked Victorian government document in PDF format.
Then use a scorecard, such as the one I have created below, to build a program of activities around, along with descriptions of the activities. It is based on Microsoft 365 capabilities but is applicable in general as well.
ACSC 38 mitigations
Start by applying security across the parts of your business:
Zero trust network architecture
If the ASD Essential 8 is not your thing, then follow the Zero Trust Network Architecture framework: not the vendor versions, but the actual Zero Trust principles here. My breakdown of these is presented below:
Zero trust works on business alignment, automation where possible, and guardrails to simplify, before looking to technology.
Zero trust gives you a sliding scale towards securing your business; it is less prescriptive than the Essential 8 but may suit some organisations as an alternative.
Basically, though, ZTNA is about defence in depth: the more layers an attacker needs to get through to complete their task, the more likely they are to give up and target someone else. In addition, if an attack takes longer, it is more likely that anomalies will be detected and the attacker noticed.
Cyber security frameworks give you control over what is best for your business, rather than a mass of messaging from the cyber security industry about what you “must” do. Leveraging a framework puts you in the driver's seat to question how and why capability xyz fits your strategy, educating and informing both yourself and the industry.
Doing something to improve your security is easy; doing nothing is in fact more difficult, because incident management and the new focus on inadequate security controls are going to hit Australian businesses hard in the next 2-5 years, with penalties and director liability for a cyber attack where the director should have known what mitigations needed to be in place. The term used is “reasonableness”: a director of an Australian company with more than $10 million in turnover must have reasonable knowledge of cyber security and of the controls that must be in place to protect their customers' data.
Finally, by starting now your business will be ahead of the curve, and you will build an acceptable level of security posture management into your business to ensure that you are not the next target from which $30k is stolen.
Speak with your MSP, systems integrator or myself if you need assistance with planning a more secure posture for your organisation.
Please …… DO NOT DO NOTHING