In just 3 months there were over 13,000 cybercrime incidents reported to the Australian Cyber Security Centre (ACSC). This equates to one case every 10 minutes. Cyber-attacks are an extremely lucrative form of criminal activity, which is fuelling a dramatic increase in the number of attacks on Australian businesses of all sizes.
Prevention is the best form of defence. Below we cover 10 risk management tips to protect your business and limit the collateral damage of a cyber-attack.
1. Assess the risk environment
When formulating your cyber security strategy, it’s essential to start with an IT risk assessment. Assessing the risk involves collating a list of all potential threats that could impact your business, e.g. malware, scams and human error. You will also need to evaluate how well your IT networks withstand real-world threats with a penetration test.
After assessing your risks, you will be in a position to:
- know your weak points
- create a risk management action plan to address weak points and strengthen network security, and
- reduce your cyber security risk.
This can be a complex process. Engaging an IT specialist to assist can be highly valuable. (Source: EmpowerIT Solutions)
2. Network security
There are several basic security steps to help reduce the risk of your IT network being compromised, and business operations disrupted.
Make sure your operating systems and security software update automatically. This helps ensure the latest security patches, which protect your systems against recent viruses and attacks, are applied promptly. Updates often fix major security flaws.
Prevent security compromises by installing security software on business IT networks and all connected devices. Make sure the software includes anti-virus, anti-spyware and anti-spam filters.
Set up a firewall to shield internal networks from invasion in a cyber-attack. A firewall acts as a gatekeeper between your IT infrastructure and the internet. It must be installed on all portable company devices to be effective.
Ensure you have a strong spam filter to minimise the number of ‘phishing’ emails your business receives. Phishing emails come from unknown sources and often contain links or files that, when clicked, give the sender unauthorised access to your IT network. A spam filter reduces the number of malicious emails that get through, and with it the risk of you or an employee opening them.
a) Set a company protocol for strong passwords
Make sure strong passwords of letters, numbers and special characters are used to protect all devices that hold or provide access to important business assets.
- Make it long – nothing shorter than 15 characters if possible
- Use a mix of characters – uppercase and lowercase letters, numbers and symbols
- Change passwords periodically
For more password tips click here: https://www.business.gov.au/Risk-management/Cyber-security/Make-sure-your-passwords-are-secure
b) Use two-factor authentication (2FA)
2FA is a two-step verification process users need to pass before accessing network accounts. Examples include entering a password as well as a unique code sent to your mobile phone, or a fingerprint. 2FA adds an additional layer of security over a single password.
c) Admin account privileges
Administrative privileges allow specific individuals to carry out more sensitive tasks than a ‘normal’ system user. Admin account holders can install new programs, create new accounts or change network settings. Cyber criminals will often seek admin privileges to gain high-level network access and exert control over your business.
Reduce the risk by:
- restricting use of accounts with admin privileges
- restricting access to accounts with admin privileges
- disabling admin access entirely
- only using accounts with admin privileges when necessary, and never reading emails or browsing the internet while working in an admin account
Monitor use of computer equipment and systems
Keep an inventory of all devices, IT equipment and software your business uses, and who is using them. Ensure they are all secure with appropriate upgrades, password settings, 2FA etc.
If equipment is no longer required, it’s important to wipe any sensitive information before disposing.
Make sure access is removed for any past employees – this is a common security hole.
Working from different locations
With COVID-19 causing long-term changes to the way we work, it is essential to ensure security measures apply whether you and your employees are working from the office, home, or any other remote location.
3. Backup your data
Make sure your website, business records and essential data are backed up in case they become compromised in a cyber-attack. This can help your business recover quickly and with minimal impact to operations following an attack.
Make sure backups are performed regularly, using multiple backup methods so you are still covered should one or more of your data storage systems be compromised. A quality backup system can include:
- Daily and hourly incremental backups to a portable device and/or cloud storage
- End-of-week server backups
- Quarterly server backups
- Yearly server backups
- Perform regular tests to ensure you can restore data from backups.
- Store portable backup devices separately offsite – this will ensure your data is preserved if the physical premises are damaged or robbed.
- Do not leave physical backup devices connected to the network as they can become infected in an attack.
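As an added illustration (not code from the article or from Community Broker Network), the following Python encodes the tiered schedule listed above as a small planner: it reports which backup jobs are due in a given hour, compares that against a constructed backup log to catch tiers that failed to run, and flags when the regular restore test is overdue. The Sunday week end, the calendar-quarter boundaries and the 90-day restore-test interval are assumptions, not values from the article.

```python
from datetime import date, datetime, timedelta

# Assumptions (not in the article): the week ends on Sunday, quarters start
# in Jan/Apr/Jul/Oct, and a restore test is expected at least every 90 days.
WEEK_END_DAY = 6                              # Monday = 0 ... Sunday = 6
QUARTER_START_MONTHS = {1, 4, 7, 10}
RESTORE_TEST_MAX_AGE = timedelta(days=90)

def jobs_due(hour: datetime) -> list[str]:
    """Backup jobs due in the given hour, smallest tier first.

    Hourly incrementals always run. At midnight the daily incremental runs, and
    the weekly/quarterly/yearly server backups are taken at midnight on the
    last day of the week, quarter and year respectively.
    """
    due = ["hourly-incremental"]
    if hour.hour != 0:
        return due
    due.append("daily-incremental")
    if hour.weekday() == WEEK_END_DAY:
        due.append("weekly-server")
    tomorrow = hour.date() + timedelta(days=1)   # first day of a new period?
    if tomorrow.day == 1 and tomorrow.month in QUARTER_START_MONTHS:
        due.append("quarterly-server")
    if tomorrow.day == 1 and tomorrow.month == 1:
        due.append("yearly-server")
    return due

# Constructed sample log, "<ISO timestamp> <job>" per completed job. It
# deliberately lacks the quarterly backup due at midnight on 31 March 2024.
SAMPLE_LOG = """\
2024-03-31T00:05:00 hourly-incremental
2024-03-31T00:07:00 daily-incremental
2024-03-31T00:20:00 weekly-server
2024-03-31T01:03:00 hourly-incremental
"""

def missing_jobs(log_text: str, hour: datetime) -> list[str]:
    """Jobs due in `hour` for which the log shows no completion."""
    ran = set()
    for line in log_text.splitlines():
        stamp, job = line.split(" ", 1)
        if datetime.fromisoformat(stamp).replace(minute=0, second=0) == hour:
            ran.add(job)
    return [job for job in jobs_due(hour) if job not in ran]

def restore_test_overdue(last_good_test: date, today: date) -> bool:
    """True when no restore has been verified within the assumed cadence."""
    return today - last_good_test > RESTORE_TEST_MAX_AGE
```

Running `missing_jobs(SAMPLE_LOG, datetime(2024, 3, 31, 0))` reports the absent quarterly server backup, the kind of gap that only surfaces if the schedule is checked rather than assumed.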
4. Encrypt important information
Make sure your ‘network encryption’ settings are switched on. This helps ensure important data is encrypted, so it cannot be read without the key, when stored or sent online, minimising the risk of data theft, destruction and tampering.
5. Set a company Cyber Security Policy
Part of cyber risk management is creating a company culture that promotes good cyber security practices. A structured Cyber Security Policy can go a long way to embedding these practices in company culture and protecting your organisation from online threat actors.
A Cyber security policy should outline:
- Key business assets requiring protection
- Potential threats to those business assets
- A strategic plan to protect your business’s assets
A Cyber Security Policy is particularly important if you employ staff. It can help communicate the role each employee has in protecting technology and data assets. A cyber policy should set out the following to guide your team:
- the type of business information they can share and where
- acceptable use of devices and online materials
- handling and storage of sensitive information
For more information on developing a Cyber Security Policy for your business visit: https://www.business.gov.au/risk-management/cyber-security/how-to-create-a-cyber-security-policy
6. Incident Response Plan / Crisis Management
Unfortunately no IT system is 100% impenetrable. This is demonstrated by the number of reputable companies like Yahoo, Toll, BlueScope as well as various government agencies that have recently experienced cyber-attacks and data breaches. Therefore, no matter how well-protected your systems are, it is vital to have a well thought out Cyber-Attack Response Plan.
- Assign a response team responsible for identifying, containing and analysing a breach
- Back up files in onsite servers and the cloud for maximum data redundancy
- Create a contact plan so all employees know the procedure of what to do and who to tell in a cyber incident
- Test the plan regularly and ensure data recovery works as intended
7. Protect your customers
It is essential to protect your customers’ personal information. This is for their wellbeing, as well as for your company’s reputation and compliance with Australian legal obligations.
- Provide a secure online environment for all transactions
- Make sure any customer information is stored in a secure system
- Find out how your payment gateway provider works to prevent fraud
- Make sure your business complies with the Australian Privacy Principles
For more information click here: https://www.business.gov.au/Risk-management/Cyber-security/How-to-protect-your-customers-information
8. Education and awareness: Train your staff
Several reports by the Office of the Australian Information Commissioner have revealed that human error and phishing attacks are among the leading causes of data breaches. Based on this, it is essential to educate and train your staff on:
- The different types of threats they can face online
- How to recognise a malicious cyber threat e.g. a phishing email
- How to safely report an incident and quash the threat
Well trained staff can be your first line of defence.
9. Protect yourself with Cyber Insurance
Cyber-attacks can cause serious financial losses to businesses that are impacted. This is where Cyber Insurance comes in.
Cyber Insurance is designed to help protect your business from the financial impact of hacking or a data breach. This risk exposure is not covered by a traditional business insurance policy. Cyber Insurance assists in coordinating the incident response and recovery after a cyber-attack, engaging specialists to help your business return to normal as soon as possible.
Cover generally includes protection for:
First-party losses
- Business interruption losses, for the business and external suppliers
- Electronic data replacement
Third-party losses
- Security and privacy liability
- Legal defence costs
- Regulatory breach liability
- Electronic media liability
- Crisis management expenses
- Notification and monitoring expenses
10. Monitor threats and stay informed on the latest cyber risks
The cyber security environment is continually evolving. In order to stay on top of new cyber threats and ensure your business is poised with strategies to protect itself, make sure you are monitoring the trends.
Subscribe to the Australian Cyber Security Centre’s Alert Service for up-to-date information on cyber security issues and how to manage them: https://www.cyber.gov.au/acsc/register/small-and-medium-businesses
For professional insurance advice, connect with a CBN Authorised Broker.
This article provides information rather than financial product or other advice. The content of this article, including any information contained in it, has been prepared without taking into account your objectives, financial situation or needs. You should consider the appropriateness of the information, taking these matters into account, before you act on any information. In particular, you should review the product disclosure statement for any product that the information relates to before acquiring the product.
Information is current as at the date the article is written as specified within it but is subject to change. Community Broker Network Pty Ltd and Community Broker Network Authorised Brokers make no representation as to the accuracy or completeness of the information. Various third parties have contributed to the production of this content. All information is subject to copyright and may not be reproduced without the prior written consent of Community Broker Network Pty Ltd.