The increasing need to implement rigorous IT security measures has become part of life for Australian SME businesses.
With many staff working remotely and clients preferring to use digital channels, keeping core infrastructure secure has never been more important.
However, it’s important to remember that achieving effective security is not a set-and-forget exercise. Constant review is necessary to ensure that the measures in place are providing sufficient levels of protection.
A changing landscape
Much of the challenge of maintaining effective cybersecurity is caused by the constant evolution of threats. Attack techniques that have proved successful in the past are being reworked by cybercriminals to make them even more effective.
For example, social media is being increasingly used to mine personal details which are then used to design highly targeted phishing attacks. An employee is much more likely to open a message if it appears to have come from a colleague or friend. If the subject line is something like ‘photos from Friday’s party’, the chances will be even higher.
So-called business email compromise (BEC) attacks are also increasing. In these attacks, cybercriminals are obtaining copies of organisational directories to gain insight into management structures and reporting lines. This then allows them to produce phishing emails that appear to have come from a senior manager, vendor, or supplier which are more likely to be opened. Fake invoice scams are another risk from compromised business email accounts, and often lead to large financial losses for organisations.
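One defensive check that follows from the BEC pattern described above: compare the display name on inbound mail against the organisation's own directory and flag messages where a known senior name is paired with an external or lookalike address. This is an added example, not code from the original article; the domain, the directory entries and the sample `From:` headers are all constructed for illustration.

```python
"""Flag inbound mail whose display name impersonates a directory entry.

Added example (not from the original article). A mail gateway or SIEM rule
could apply the same two checks: (1) display name matches someone in the
internal directory but the address is not their mailbox, and (2) sender
domain is a close misspelling of the internal domain.
"""
from email.utils import parseaddr
import re

# Constructed: the organisation's own domain and a slice of its directory
INTERNAL_DOMAIN = "example-sme.com.au"
DIRECTORY = {
    "Jane Citizen": "jane.citizen@example-sme.com.au",  # CEO
    "Sam Taylor": "sam.taylor@example-sme.com.au",      # Finance manager
}


def _normalise(name: str) -> str:
    # Lower-case, drop punctuation, collapse whitespace so minor
    # variations in how the name is written still compare equal
    return " ".join(re.sub(r"[^a-z ]", "", name.lower()).split())


def _edit_distance(a: str, b: str) -> int:
    # Plain Levenshtein distance; small enough to inline for domain checks
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_display_name_impersonation(from_header: str) -> bool:
    """True when the display name is in the directory but the address is
    not that person's internal mailbox."""
    display, address = parseaddr(from_header)
    if not display:
        return False
    wanted = _normalise(display)
    for name, mailbox in DIRECTORY.items():
        if _normalise(name) == wanted:
            return address.lower() != mailbox
    return False


def is_lookalike_domain(from_header: str, max_distance: int = 2) -> bool:
    """True when the sender domain is a near-miss of the internal domain."""
    _, address = parseaddr(from_header)
    domain = address.rsplit("@", 1)[-1].lower()
    if domain == INTERNAL_DOMAIN:
        return False
    return _edit_distance(domain, INTERNAL_DOMAIN) <= max_distance


def classify(from_header: str) -> str:
    if is_display_name_impersonation(from_header):
        return "display-name-impersonation"
    if is_lookalike_domain(from_header):
        return "lookalike-domain"
    return "ok"


# Constructed sample headers: two genuine, one free-mail impersonation,
# one lookalike-domain invoice sender
SAMPLE_FROM_HEADERS = [
    "Jane Citizen <jane.citizen@example-sme.com.au>",
    "Jane Citizen <jane.citizen@gmail.example>",
    "Accounts <billing@examp1e-sme.com.au>",
    "Sam Taylor <sam.taylor@example-sme.com.au>",
]


def triage(headers):
    """Map each From: header to its verdict."""
    return {h: classify(h) for h in headers}


if __name__ == "__main__":
    for header, verdict in triage(SAMPLE_FROM_HEADERS).items():
        print(f"{verdict:28s} {header}")
```

The display-name check is deliberately independent of any sender-authentication result, because a BEC message sent from a free-mail account with a forged display name will pass SPF and DKIM for that free-mail domain; the directory comparison catches what authentication alone does not.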
The way in which ransomware attacks are being mounted is also changing. Focus is shifting away from relying on encrypting data to force a ransom payment and towards blackmailing organisations: threatening to release sensitive data to the public unless payment is made.
This shift has been driven by the fact that many organisations now have solid backup and disaster recovery procedures in place, which can be used to restore encrypted data should an attack occur. Publicly releasing intellectual property or customer data, by contrast, can cause significant reputational damage and loss.
A phased approach to security
To be as resilient as possible to these new types of threats, organisations should undertake a four-stage process. These stages are:
This initial stage involves a careful assessment of an organisation’s core purpose. This could be financial services, manufacturing, or retail for example.
The current security posture is then evaluated against that core purpose to ensure it provides sufficient protection against risks. This evaluation considers risks associated with people, processes, and technology. The security risks are then managed in the same way as other risks to business continuity such as power outages, supply chain disruptions, or extreme weather events.
A decision may be taken to cease some activities that cause unnecessary risks. Other options could be to outsource cyber security activities to a third party or to take out cyber insurance.
The second stage involves implementing preventative controls to mitigate identified cyber security risks so they are within risk appetite. This might involve technical controls such as hardening systems and implementing robust authentication mechanisms.
Security teams may also opt to implement network segmentation or make changes to business processes through better governance controls. Each initiative will work with what is already in place and further strengthen security – also known as defence in depth.
This stage involves maintaining the desired risk posture that was achieved in the second phase. It involves periodic monitoring and staying aware of emerging threats. Day-to-day vulnerability checks and ongoing monitoring for suspicious behaviour also form part of this phase.
The final stage involves investigating any security alerts that occur and determining which are false positives. If actual threats are identified, the security team then undertakes the steps required for remediation.
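The third and fourth stages above (ongoing monitoring for suspicious behaviour, then deciding which alerts are false positives) can be illustrated with a small detection-and-triage pipeline. This is an added example, not code from the original article: the log format, the hosts and the known-benign source are constructed, and the threshold and window are assumptions a team would tune to its own environment.

```python
"""Monitoring and alert triage over constructed authentication log lines.

Added example (not from the original article). Detection: a burst of
failed logins from one source inside a short window, noting whether a
successful login followed. Triage: suppress bursts from a source the team
already knows to be benign (e.g. an internal scanner), escalate bursts that
ended in a successful login, and leave the rest for investigation.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed log format: "<iso-timestamp> <FAIL|OK> user=<name> src=<ip>"
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<result>FAIL|OK) user=(?P<user>\S+) src=(?P<src>\S+)$")

FAIL_THRESHOLD = 5            # assumption: tune per environment
WINDOW = timedelta(minutes=5)  # assumption: tune per environment

# Constructed: an internal vulnerability scanner that produces failed logins
KNOWN_BENIGN_SOURCES = {"10.0.0.5"}


def parse(lines):
    """Parse log lines into (timestamp, result, user, src); skip unparseable lines."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # a malformed line should not stop the pipeline
        events.append((datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"]))
    return sorted(events)


def detect_bursts(events):
    """Return one alert per source that had >= FAIL_THRESHOLD failures within WINDOW."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[3]].append(ev)
    alerts = []
    for src, evs in by_src.items():
        fails = [e[0] for e in evs if e[1] == "FAIL"]
        for i, start in enumerate(fails):
            window = [t for t in fails[i:] if t - start <= WINDOW]
            if len(window) >= FAIL_THRESHOLD:
                end = window[-1]
                # Did a successful login follow the burst within the window?
                success_after = any(
                    e[1] == "OK" and e[0] >= end and e[0] - end <= WINDOW for e in evs
                )
                alerts.append({
                    "src": src,
                    "fails": len(window),
                    "users": sorted({e[2] for e in evs if e[1] == "FAIL"}),
                    "success_after": success_after,
                })
                break  # one alert per source is enough for triage
    return alerts


def triage(alerts):
    """Attach a verdict to each alert: false-positive, escalate or investigate."""
    decisions = []
    for a in alerts:
        if a["success_after"]:
            verdict = "escalate"           # guessing that ended in access
        elif a["src"] in KNOWN_BENIGN_SOURCES:
            verdict = "false-positive"     # known scanner, no access gained
        else:
            verdict = "investigate"
        decisions.append({**a, "verdict": verdict})
    return decisions


def run_pipeline(lines):
    return triage(detect_bursts(parse(lines)))


# Constructed sample log: an external burst that ends in a successful login,
# an internal scanner burst with no success, and a source below threshold
SAMPLE_LOG = [
    "2022-03-01T09:00:00 FAIL user=sam.taylor src=203.0.113.7",
    "2022-03-01T09:00:40 FAIL user=sam.taylor src=203.0.113.7",
    "2022-03-01T09:01:20 FAIL user=sam.taylor src=203.0.113.7",
    "2022-03-01T09:02:00 FAIL user=sam.taylor src=203.0.113.7",
    "2022-03-01T09:02:40 FAIL user=sam.taylor src=203.0.113.7",
    "2022-03-01T09:03:30 OK user=sam.taylor src=203.0.113.7",
    "2022-03-01T02:00:00 FAIL user=admin src=10.0.0.5",
    "2022-03-01T02:00:10 FAIL user=admin src=10.0.0.5",
    "2022-03-01T02:00:20 FAIL user=admin src=10.0.0.5",
    "2022-03-01T02:00:30 FAIL user=admin src=10.0.0.5",
    "2022-03-01T02:00:40 FAIL user=admin src=10.0.0.5",
    "2022-03-01T02:00:50 FAIL user=admin src=10.0.0.5",
    "2022-03-01T11:15:00 FAIL user=jane.citizen src=198.51.100.9",
    "2022-03-01T11:15:05 FAIL user=jane.citizen src=198.51.100.9",
    "this line is malformed and is skipped",
]

if __name__ == "__main__":
    for d in run_pipeline(SAMPLE_LOG):
        print(d["verdict"], d["src"], d["fails"], d["users"], d["success_after"])
```

The order of the triage rules matters: a known-benign source that nonetheless ends in a successful login is still escalated, because an allowlist entry explains noise, not access. Reviewing the allowlist itself is part of the periodic monitoring the third stage calls for.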
Using an external security consultant
While these steps can be undertaken by a proficient internal IT team, there are advantages in using an independent external consultant.
It can be beneficial to source a security consultancy that takes an agnostic view of security techniques and technologies, so that it can provide an unbiased recommendation. Such consultancies are also very good at ensuring security is always closely aligned with business strategy and goals.
A consultant can also determine whether an organisation already has in place all the tools required to achieve effective security. Rather than replacing them, it could be more a case of reconfiguring or augmenting them.
As 2022 unfolds, it’s worth taking a fresh look at your organisation’s security posture to determine what changes might be required. Taking this step now can significantly reduce the likelihood of falling victim to an attack in the future.