3 simple things you can do today to protect your business (and yourself) from cyber risks

Cyber risk is a complex issue that we all wish didn’t exist.

60% of businesses experienced a disruptive security breach in 2016 and there’s a global shortage of cyber security experts.

So surely the Government will have the answers! And we all love reading Government reports… right?

Here’s the most important one you’ll never read from ASIC:

• Report 555 Cyber resilience of firms in Australia’s financial markets

Off the back of their 2015 snoozefest:

• REP 429 Cyber resilience: Health check.

And it’s a snooze-fest for a simple reason: there’s a lack of actionable information.

Sure – you might understand the challenge and size of the problem you face, but good luck actually knowing how to do any of it.

To make things worse, Report 429 (snoozefest above) contains a tonne of contradictions that are difficult to follow.

How is the average business owner meant to make sense of this?

Simple answer is they can’t and therefore put their business at risk.

How many breaches are caused by human error? Over 50%.

So here’s the top 3 things you can do TODAY to improve your cyber resilience:

1. Make your passwords stronger
2. Install updates when they become available
3. Backup. Backup. Backup. AND TEST!

1. How to create a strong password

The US-based National Institute of Standards and Technology (NIST) is a government agency, producing guidelines that Australia’s own Australian Securities and Investments Commission (ASIC) tends to recommend. Check out a summary of their password guidelines here.

Of importance in 2017 are the NIST password recommendations. The salient point is below:

What does this means for password selecting?

Make it random.

Make it long.

But long & random passwords are hard to remember!

And here’s a trick

Source: Above image is xkcd’s famous Password Strength cartoon

Another trick is to make it rhyme, such as:

• Doyouliketea443 (15 characters)

Or make it funny:

• Mykidsdontletmesleep! (22 characters)

Key takeaways:

Go for password length & pass phrases

• a minimum of 16 characters
• make sure your password hints aren’t guessable
• No single or permutations of dictionary words i.e. password or passw0rd

Passwords to change only when forgotten

• Providing they are long & hard to guess

Use unique passwords for every account

• If you use the same password, it will only take one data breach for your long, random password to be used against you
• Use a password manager (do your own due diligence to select a provider)

Use Multi-factor Authentication (MFA)

• Such as the Google Authenticator
• Except for SMS which is not secure

2. Installing updates

Software has been buggy from the beginning of time – hence software patches are released.

Most apps/programs that have updates (Windows, phone etc.) will alert you to an update. Hooray – new features! Most of the time you’ll see security fixes included in updates too.

Key takeaways:

Install updates and reboot. Simple.

3. Backup

Backup is insurance for your hard work.

I’m sure you don’t like buying insurance, but you’ll be glad you did if you ever need to use it.

Don’t assume that your cloud app provider is backing up your data

Considering most cloud providers won’t give you the specifics of their backup regimes, you are completely in the hands of your providers. Think it can’t happen? It happened to Google in 2015.

Backup your backups

The current best-practice is the 3-2-1 approach.

• 3 copies of your data
• 2 of which are local but on different mediums (i.e. your computer and an external drive)
• 1 copy offsite

Test your backups!

This is the most important part of backing up – testing that it’s working!

We’ve taken over the management of backup systems that haven’t been working for months. Tapes were being shipped off each day, but the tapes were empty!

Don’t trust a report telling you that backups were successful.

The only way you can know for sure if your backup is working is by performing regular test restores.

Ask to see the test results with your own eyes.

Conclusion

It’s tough to be safe out there.

The bad guys are trying to trick you so don’t be an easy target.

1. Have good password hygiene (don’t make it easy to guess and consider using a password manager)
2. Install updates for all of your devices (they contain security updates)
3. Backup your data (it’s the best way to get yourself out of a pickle)

Practical Guides

In the coming weeks I’ll be publishing practical guides on these topics (and more) to help you and your business be safer online.

Don’t want to do it yourself?

Then find an expert who will… such as these guys – www.rockit.cloud – they’re pretty good from what I hear.