There was a time when cyber security was a term familiar only to technology professionals. That time has long gone. Today, cyber security is a real issue for everyone, regardless of whether you are an individual or a large multi-national company. Alarmingly, experience is telling us that cybercrime will continue to be a permanent risk to our personal security and looks to be a long term issue facing modern society.
Carbon Black has estimated that in 2016/17 alone there has been a 2,500% increase in the sale of cybercrime tools. Perhaps most shockingly, their data shows that the average price for a DIY ransomware kit is approximately USD$10.50. Easily available and affordable tools are giving even amateur cybercriminals easy access to your data, or, in the case of ransomware, the ability to restrict your access to it.
During the last year we have seen three major ransomware attacks, in the form of WannaCry, Petya and Bad Rabbit, infecting more than 230,000 computers worldwide. The Australian Computer Society has estimated that, on average, cybercrime attacks cost each Australian business more than $400,000 per year. Cyber security is an issue that is not going away.
How do you protect yourself? It’s about people…
There is one aspect of IT security that is often dangerously overlooked when designing security measures: the human aspect. Human error and a lack of knowledge are two of the top contributors to cyber security breaches. Post-incident analysis of many previous cybercrime incidents has led to a similar conclusion: the incident was caused by an unknowing individual clicking on a phishing email and/or link.
First and foremost, protection against cyber threats is about bolstering awareness. Regardless of whether you are an individual or a company, it is critical that your users are aware of and understand their cyber risk and how to manage potential threats.
Using password security to access computers, not sharing passwords or personal information, and updating password protections all seem like basic rules to manage cyber security. But many of us fail to adhere to these basic rules each day. How many of us have clicked on an email and then thought maybe we shouldn’t have done that? How many have been tempted by email offers that just seem too good to be true?
All organisations need to ensure their people are well trained and aware of the threat of cybercrime. To ensure people are aware of the risk, organisations must ask themselves, ‘What data and information do we have and what level of protection should we put in place to secure this data?’ Training and education programs need to address this question for each organisation.
…and yes, it’s also about technology.
There are a number of strategies that organisations can adopt to establish a baseline that makes it much harder for unauthorised parties to compromise a system. A number of these strategies are set out in the “Strategies to Mitigate Cyber Security Incidents,” issued by the Australian Signals Directorate.
These strategies include:
- Understand your applications (whitelisting): Categorise your applications to identify the ones that are safe and consider blocking or disabling the rest.
- Keep your applications up to date: Software companies continuously provide updates to their software to address known security issues and bugs. Ensuring that you have the latest updates assists in heightening your cyber security.
- Disabling untrusted macros: Automations within applications (for example Microsoft Office) can be used to download ransomware or other unauthorised applications and should be disabled.
- User application hardening: Involves removing, or limiting the permissions of, web-browser plug-ins (for example disabling Adobe Flash Player).
- Restricting administrative privileges: Involves reducing the number of users with administrative access to only those who require it for their day-to-day tasks.
- Updating your operating system: This strategy goes a step deeper than keeping your applications up to date and involves updating your operating system (for example Windows) to ensure it has the latest security patches installed.
- Multi-factor authentication: Involves using multiple, separate credentials to authenticate a user. An example of this may be the use of a combination of a password, biometric data and a physical security token (like an electronic key) for login.
- Daily backup of your data: By backing up your data frequently, you ensure that critical information and data can be restored in a timely manner in the event of loss from a cyber security incident.
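As an added illustration (not part of the original article or of the ASD publication it cites), the following PowerShell script audits two of the listed strategies on a Windows workstation without changing anything: it lists who holds local administrative privileges, and it reads the Office macro policy values that Group Policy writes when untrusted macros are disabled. It assumes an Office 2016/2019/365 installation (registry version path "16.0") and that the cmdlet Get-LocalGroupMember is available (Windows PowerShell 5.1 or later); the function names are my own.

```powershell
# Added example, not the article's own code. Read-only audit of two controls
# from the ASD strategy list: restricting administrative privileges and
# disabling untrusted macros. Assumes Office "16.0" registry paths.

function Get-LocalAdminAudit {
    # Restricting administrative privileges: enumerate every member of the
    # local Administrators group so the list can be compared against who
    # actually needs that access for day-to-day work.
    $members = @(Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop)
    [pscustomobject]@{
        Control = 'Restrict administrative privileges'
        Finding = "$($members.Count) member(s): $($members.Name -join ', ')"
    }
}

function Get-MacroPolicyAudit {
    # Disabling untrusted macros: read the Office macro policy for each app.
    # VBAWarnings: 2 = disable with notification, 3 = signed macros only,
    # 4 = disable all without notification. BlockContentExecutionFromInternet = 1
    # blocks macros in files downloaded from the internet (mark-of-the-web).
    foreach ($app in 'Word', 'Excel', 'PowerPoint') {
        $path = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
        $vba  = (Get-ItemProperty -Path $path -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
        $inet = (Get-ItemProperty -Path $path -Name BlockContentExecutionFromInternet -ErrorAction SilentlyContinue).BlockContentExecutionFromInternet

        if ($null -eq $vba) {
            $finding = 'No policy set (user may enable macros by hand)'
        } elseif ($vba -ge 3 -and $inet -eq 1) {
            $finding = "Compliant (VBAWarnings=$vba, internet-sourced macros blocked)"
        } else {
            $finding = "Weak (VBAWarnings=$vba, BlockContentExecutionFromInternet=$inet)"
        }

        [pscustomobject]@{
            Control = "Disable untrusted macros ($app)"
            Finding = $finding
        }
    }
}

Get-LocalAdminAudit | Format-Table -AutoSize
Get-MacroPolicyAudit | Format-Table -AutoSize
```

The script reads the per-user policy hive (HKCU); if your organisation applies the macro settings through computer policy instead, the same value names sit under HKLM. A "No policy set" result means the control relies on each user's own Trust Center choice, which is exactly the gap the strategy above is meant to close.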
Where do we come in?
We have Risk Specialists who specialise in cyber security engagements of differing complexity and scale. We offer services designed to provide organisations with a risk assessment of their environment to assess resilience to cyber risks.
Our key service offerings include:
IT Strategy and Risk Assessment: We can assist you in understanding your plan to address your cyber security risk, including processes to continually increase the level of cyber security risk awareness within your organisation.
Data Governance: Designed to identify your processes to catalogue, categorise and secure information you hold in accordance with your policies, procedures and privacy obligations.
Cyber Strategy and Controls: Designed to assist management in understanding their cyber security risks and the adequacy of the security measures in place. Whereas Data Governance focuses on the management of your data, this review is intended to provide an initial evaluation of risks and to assist in identifying actions to be undertaken now or considered in future management plans.
To find out more about how we can help you, speak to a Crowe Horwath Risk Consulting adviser.
By Robin Rajadhyaksha
Partner – Audit & Assurance