Nexttech

Creating Generational Legacies

Tuesday, January 23, 2024

8 ESSENTIAL CYBER SECURITY PRACTICES – IN DEPTH


Exxatech has written an excellent article on the 8 essential cybersecurity practices needed to secure your organisation, and CYBER AWARENESS TRAINING is up there. BSI Learning provides your learning needs when it comes to CYBER AWARENESS TRAINING.
The government is providing funding to help upskill your team in cybersecurity. If you are interested, feel free to connect with me or comment below and I’ll refer you to Kala Philip at BSI Learning.



1. Endpoint Security

Endpoint Security is a pretty broad term so let’s clarify.

 

Firewalls
Firewalls are essential both at the individual device level and at the company office level. Windows, macOS and Linux all come with firewalls built in, but you need to make sure they are configured properly and, more importantly, turned on! By default they come preconfigured with rules to help you stay safe. Many antivirus products you install come with their own firewall by default and do a better job of enforcing compliance than the operating system’s firewall.

 

Office Perimeter Firewalls
The classic office firewall still has its place despite the move to the cloud and should always be the first line of defence for a business of any size. Decent hardware firewalls from the big security vendors are not expensive for smaller deployments and should be put in place before anything else in your office network. By default no rules / access should be allowed into or out of the office network unless specifically configured by your Network / Systems Administrator. If your firewall has an Intrusion Detection System, even better – make sure your definitions and rules are updated regularly to protect against new threats.

 

Cloud Based Firewalls / Cloud Security Groups
Cloud based firewalls, called Security Groups by the big cloud vendors (AWS, Azure), need to be configured with least privilege access. Only open the very minimum of network ports needed to access your infrastructure.
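As an added example (not from the Exxatech article or this blog), here is a small Python audit of security-group ingress rules for least privilege. It runs over constructed, hypothetical sample groups in a simplified shape modelled on AWS security-group rules, so it needs no cloud SDK, and goes a step beyond the paragraph by also flagging rules whose source is the whole internet, not only rules with wide port ranges.

```python
import ipaddress

# Ports a public web tier is expected to expose to the whole internet.
# Assumption for this example: only HTTPS is acceptable world-open.
PUBLIC_OK_PORTS = {443}

# Constructed sample: three hypothetical security groups with ingress rules in
# a simplified shape (from_port, to_port, protocol, cidr) modelled on AWS.
# "-1" follows the AWS convention for "all protocols".
SAMPLE_GROUPS = [
    {"name": "web-tier", "ingress": [
        {"from_port": 443, "to_port": 443, "protocol": "tcp", "cidr": "0.0.0.0/0"},
        {"from_port": 80, "to_port": 80, "protocol": "tcp", "cidr": "0.0.0.0/0"},
    ]},
    {"name": "admin-bastion", "ingress": [
        {"from_port": 22, "to_port": 22, "protocol": "tcp", "cidr": "203.0.113.10/32"},
        {"from_port": 3389, "to_port": 3389, "protocol": "tcp", "cidr": "0.0.0.0/0"},
    ]},
    {"name": "db-tier", "ingress": [
        {"from_port": 0, "to_port": 65535, "protocol": "-1", "cidr": "10.0.0.0/8"},
    ]},
]


def is_world_open(cidr):
    """True when the CIDR covers every address (0.0.0.0/0 or ::/0)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def check_rule(group, rule):
    """Return (group, rule description, reason) findings for one ingress rule."""
    findings = []
    desc = f"{rule['protocol']} {rule['from_port']}-{rule['to_port']} from {rule['cidr']}"
    all_protocols = rule["protocol"] == "-1"
    single_port = rule["from_port"] == rule["to_port"]
    # A rule that admits every protocol or a very wide port span is not least privilege.
    if all_protocols or rule["to_port"] - rule["from_port"] >= 1024:
        findings.append((group, desc,
                         "wide port range; allow only the ports the service needs"))
    # World-open is acceptable only for the single public service port(s).
    if is_world_open(rule["cidr"]) and not (single_port and rule["from_port"] in PUBLIC_OK_PORTS):
        findings.append((group, desc,
                         "open to the whole internet; restrict the source CIDR"))
    return findings


def audit(groups):
    """Run check_rule over every ingress rule in every group, in order."""
    findings = []
    for g in groups:
        for rule in g["ingress"]:
            findings.extend(check_rule(g["name"], rule))
    return findings


def main():
    for group, desc, reason in audit(SAMPLE_GROUPS):
        print(f"[{group}] {desc}: {reason}")


if __name__ == "__main__":
    main()
```

On the sample data this reports the plain-HTTP rule and the world-open RDP rule as source problems and the database group's all-protocols rule as a port-range problem, while HTTPS from anywhere and SSH from a single /32 pass.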

 

Email Spam Protection Controls
Your Office 365 and G-Suite mail services come with basic anti-malware and antivirus controls but should definitely be hardened further to limit the malicious emails that get through. A better solution is an email gateway: G-Suite and Office 365 use basic whitelisting / blacklisting rules, whereas some of the more advanced email gateways use machine learning, URL rewriting, etc. to keep you safe.

Antivirus and Anti-Malware Software
You can get some fantastic antivirus and anti-malware software for free – Bitdefender Free Antivirus and Malwarebytes Free come to mind – so there is no excuse for not having these in place.
Both Windows AND macOS need these products. Unfortunately, gone are the days when Macs didn’t get viruses – although infections are rarer than on Windows, these tools are still essential to have.

 
 

2. STRONG AUTHENTICATION

Passwords
Unbelievably, the most popular password worldwide last year was 123456!
Passwords should be as long as possible – minimum 10 characters; surprisingly, numbers and non-alphanumeric characters aren’t that important.
Articles:

 
https://www.esquire.com/lifestyle/a25570880/top-passwords-2018/

https://blog.fleetsmith.com/password-security-guide/

 

Multi Factor Authentication
All your accounts, both work and personal, should be secured by Multi Factor Authentication where possible. In 2019 this is essential to protect your data. SMS is inherently far less secure than authenticator apps like Google Authenticator and Microsoft Authenticator, as SMS numbers can be ported by a determined enough hacker.
For work, MFA on Administrator accounts is an absolute must even if you decide not to apply it to normal user accounts (which you should). A compromised Administrator account can create havoc and destroy businesses.

 

3. DATA PROTECTION

Mobile Device Management
Company data no longer resides on the file share in the office network; it is accessible through the cloud on any device, anywhere. BYOD (Bring Your Own Device) adoption means company data is likely on your tablet, phone, toaster. No, seriously, but you get what I mean.
As a consequence, companies need to secure their data wherever it sits, on personal devices or company-owned laptops. This is where MDM (Mobile Device Management) comes in. You can set up software and policies to enforce data protection and allow remote wiping of company data. Office 365 and G-Suite already have built-in MDM you can configure, and of course there are hundreds of third-party solutions.

 

Encryption
Data should be encrypted in transit and at rest. For encryption in transit think VPN connections and HTTPS / SSL with strong ciphers to access your data in the cloud and in the office network. Data at rest should sit on encrypted disks. Both Windows and macOS now have this built in – BitLocker and FileVault respectively – so it shouldn’t cost anything to implement.

 

4. PATCH MANAGEMENT

It is essential to ensure that your servers, computers and devices are patched regularly to protect against the exploitation of newly disclosed (zero-day) vulnerabilities, and a good Patch Management system is essential to automate this process.
Good Patch Management systems don’t have to cost much anymore, and once installed and implemented they are set and forget. A small price to pay for peace of mind.

 

5. LEAST PRIVILEGE

Least Privilege / RBAC (Role Based Access Control) is a set of principles dictating that a user who needs to complete a task must have the absolute minimum permissions required to complete that task. For cloud services such as AWS / Azure or Office 365 / G-Suite this means having the smallest number of administrators possible.
The higher the number of administrators, the higher the chance of getting hacked.
RBAC means that instead of granting permissions to individual users or groups, you create a role with the requisite permissions and assign it to the user. Then, if the user leaves or changes job, you can remove the role from them without affecting anyone else.

 

6. BACKUP

A good backup is essential to protect against attacks and the loss of company data. It should be point-in-time and off-site so you have some level of BCP (Business Continuity Planning) in case of the loss of your main site. There are a lot of excellent, reasonably priced cloud-based backup solutions.
You should also keep a backup of your configuration, and a backup of all your documentation and processes off-site as well, to protect your intellectual property.

 

7. SUPPLY CHAIN SECURITY

Having the most secure environment in the world is useless if your suppliers have no controls and your data or your customers’ data is stored with them. Hold your suppliers accountable for your data as if it were on your own on-site servers. The big cloud vendors have whole sections of their portals dedicated to all of the regulations they comply with – PCI DSS, ISO 27001, HIPAA – the list goes on and on.

For smaller vendors, make them fill out an annual audit.
It should be pointed out that despite the regulations the big providers comply with, it is a shared responsibility model – i.e. once you use the infrastructure, you are responsible for ensuring what you build on it is secure. Spin up an AWS EC2 instance and put a website on it without SSL / HTTPS, and it is NOT PCI DSS compliant!

 

8. CYBER INSURANCE / CYBER AWARENESS TRAINING

Increasingly important in the current landscape and two sides of the same coin, Cyber Awareness Training for your employees and good Cyber Insurance are essential.
Training your employees to properly assess potential hacking situations is vital. There are great solutions out there to help train your users.
Cyber Insurance is also becoming increasingly important, but awareness comes first, because thoughtless employee actions can void your insurance so that you don’t get paid out if a breach occurs.
 
https://www.wombatsecurity.com/security-education/security-awareness-training-videos-materials
 




 

References / Guides

https://www.itnews.com.au/news/one-in-ten-aussie-businesses-suffered-it-breaches-last-year-527306?eid=1&edate=20190627&
 
https://exxa.azurewebsites.net/security/security-the-new-data-breach-laws
 
https://www.techrepublic.com/article/how-to-turn-on-the-microsoft-windows-10-firewall-and-modify-its-configuration-settings/
 
https://www.maketecheasier.com/configure-mac-firewall-correctly
 
https://support.office.com/en-gb/article/set-up-mobile-device-management-mdm-in-office-365-dd892318-bc44-4eb1-af00-9db5430be3cd
 
https://support.google.com/a/answer/7400753?hl=en
 
https://www.beyondtrust.com/blog/entry/what-is-least-privilege
 
https://azure.microsoft.com/en-au/overview/trusted-cloud/compliance/
 
https://aws.amazon.com/compliance/programs/
 

With multiple certifications in Cyber Resilience, AWS and Azure, we can help you implement all of these best practices to ensure the safety and security of your business.


Related Articles


BSI Future Learning series - In this first episode, we’re diving into the realm of cybersecurity. Join Simon Dewar from BSI Digital Learning and Kala Philip (MAICD, GAICD) from BSI Learning and the incredibly knowledgeable Damien Cantelo from Apollo Secure, who has worked closely with enterprises of all sizes to understand the cyber-threat landscape and guide them to ensure their systems, processes and, most importantly, people are cyber-ready.


https://www.linkedin.com/posts/business-strategies_bsi-learning-bsi-learnings-podcast-era-activity-7155424384407552000-DFHU?utm_source=share&utm_medium=member_ios


Australia sanctions Russian man over cybersecurity attack

https://www.linkedin.com/posts/aucyberseccoord_the-impact-of-the-2022-medibank-private-cyber-activity-7155436955315421184-O_iQ?utm_source=share&utm_medium=member_ios



Cybersecurity - get qualified - build cyber governance skills 

https://www.linkedin.com/posts/kphilip_cybersecurity-knowledge-and-skills-are-much-activity-7153168524805394432-gbja?utm_source=share&utm_medium=member_ios



Spotlight on cyber by ASIC


https://www.linkedin.com/posts/kphilip_findings-and-insights-from-the-cyber-pulse-activity-7129736287481171969-L-dJ?utm_source=share&utm_medium=member_ios






Monday, January 22, 2024

Providing a learning environment around AI and Soft Skills are key to recruit and retain your team




In Australian and global businesses there are 2 areas of focus that organisations need to nail to recruit and retain their team - says Matt Tindale, Country Manager of LinkedIn Australia and New Zealand

AI and Soft Skills 

AI 

The demand and supply for workers with AI skills has increased. 

LinkedIn published a Global Talent Trends Report showing that job posts mentioning AI grew by 10%.

You need to create an environment and culture of continuous learning that enables your team to upskill - which Matt calls a “skills first approach” - to expand your talent pools, upskill your current employees, and build agility into your workforce.

AI can help with this in an exponential way!

Technical skills will change over the years. Focus on people who have the ability to learn how to learn.

Employees are looking  to gain AI-related skills because they know it will benefit them in the future. 

Soft skills will be key

The significance of distinctly human skills and leadership skills - or soft skills - is key.

These skills include problem-solving, communication, people skills, leadership, critical thinking, time management, adaptability & resilience, and strategic thinking.

While technical skills change constantly, soft skills and your core values will remain with you throughout your career.

Soft skills are key in the future world of work, with 94% of business executives in Australia recognising their significance.

The Gen Zers and Millennials have different priorities when it comes to work and are digital natives. They want career mobility so they can make work, work for them.

They understand the power of AI and would be open to learning more.

Being a lifelong learner provides greater job mobility for professionals across a wider array of industries as their knowledge and skills become more transferable, accelerating a trend of professionals pivoting roles.

The goal for you to recruit and retain your team is to shape work in the age of AI to be more human and more fulfilling. 

How do you engage, excite and enthuse teams to be part of your organisation?

We are in a period of exciting times 

Onwards and upwards!!

Thursday, October 5, 2023

The power of effective , transparent communication



What was one of the key success factors for making Alexander the Great - great? 


We have just spent the day in Thessaloniki (2nd biggest city in Greece) - visiting a tomb of his family!


Communication - in my view was key!!


Sun Tzu's "The Art of War" shares the importance of effective communication.


He emphasises the need for explicit instructions to be given - and followed.


If orders are unclear, it is the leader's problem; the soldiers are to blame if they are given explicit instructions and still fail to carry them out.


This concept is relevant not only on the battlefield - but also on the sports field, in government, at school, at home and especially in business.


Leaders need to make sure their teams are on the same page by communicating their vision, mission, strategies, goals, tasks and expectations.


Effective Feedback


When goals aren't accomplished, leaders need to see if their instructions were understood and that the team understands the game plan and their role clearly! Use feedback mechanisms to learn what worked or didn’t -

Where was the breakdown? Was it because of ambiguous instructions or lack of execution?


Reviewing past game analysis can reveal what was good or bad - what worked or didn’t - what could be improved - was failure a result of strategy, muddled tactics or execution, or both?


Effective open communication promotes an atmosphere of trust, a key quality and value vital to the success of any group!


Allen Pathmarajah shares one of the most important tools in communication - which is the

L in leadership!


Listen - "listen" and "silent" have the same letters, he says!


Once you know what works - practice, practice, practice is essential until processes become second nature, leaving little room for error! (Read Malcolm Gladwell's The Tipping Point and Blink.)


Identify what can be improved - pivot, iterate, practice until perfect.


Ways to communicate 


Through regular forums, town halls, team meetings, one-on-one chats, digital channels.


Continuity is key!!


Whether you are at home, in business, government or on the battlefield - conflicts can be greatly reduced if clear standards for tasks, responsibilities, and behaviour are established with clear ways to communicate them!


When people don't play by the rules, or don’t follow the game plan - having an open conversation about what went wrong can help bring everyone closer together and improve future compliance.


The power of effective, transparent communication is key.

 

Of course - Learning and effective training is a key part of the communication process - (www.bsilearning.com.au)


Leaders in any field can benefit from internalising and using Sun Tzu's concepts through building stronger, more cohesive, and more accountable teams.

Wednesday, September 20, 2023

The gap between Strategy and Execution cannot be underestimated




A picture is a thousand words. Why is it that this one echoes so strongly when we see it?



DEFINING A STRATEGY THAT WILL ACTUALLY WORK IS HARD:


We have just spent a year getting our entire team engaged in determining our 5 year strategy .


It’s been a slow and often painful process getting ideas from all stakeholders, meeting, arguing, planning, revising, getting input, changing , taking into account current events , changing again…. 


I believe we have come up with a strategy that the entire team is excited about - and is keen to execute really well.


This article below by Jakob Bovin has really hit a chord


 - the importance of alignment and buy-in cannot be overestimated!



The gap between strategy and execution is very real, and the challenge of going from a great strategy to great execution of it, is often spectacularly underestimated.

 

Here are some of the reasons why:


The pyramid of ignorance (Sidney Yoshida) suggests that only 4% of an organisation's front line problems are understood by top management.

 

Therein lies the challenge of understanding the difficulties a new strategy may face when different parts of an organisation try to adopt it. 

 

To find true alignment, strategy definition must be dynamic and involve a broad range of stakeholders at all levels to have a chance to be successful.

 

If we don't make that effort, the strategy will eventually face too much resistance.

 

 

IT MUST BE "THEIR" STRATEGY, NOT "YOURS"

 

If a strategy comes from the top in a form of a waterfall of slides (I've seen plenty of examples of 200 slide presentations in my career) there's a good chance it will be forgotten pretty quickly.

 

It's much more important to set a clear direction for the organisation, then let every part of it say how they will contribute to taking the organisation there.

 

By taking this approach, it becomes everyone's strategy not just that of a select few privileged people at the top.

 

 

WE UNDERESTIMATE THE POWER OF EMOTIONS

 

A leader of a multi billion $ business recently said to me, "You know Jakob, we often underestimate the emotional attachment people have to the way things are done today".

 

It struck a chord.

 

We don't like change because there's comfort in how we do things today. Change doesn't just affect what we do, but also our working relationships with others which can have a profound impact on every individual.

 

This will create natural resistance to change. People will feel some degree of "loss" when embarking on a new strategy - as strange as that may sound.

 

Ultimately success will depend on individuals having the opportunity to connect to the strategy and understand how they will contribute to it at their level & create success for the organisation.

 

 

WE'RE OFTEN ASSESSING STRATEGY ADOPTION BY LOOKING IN THE REAR-VIEW MIRROR

 

Last but not least, lack of visibility on whether or not we are moving in the direction we want is often the Achilles heel when it comes to going from strategy to execution to results.

 

If we focus on "lag metrics" (i.e. looking at what has already happened), we're too late.

 

Clear real-time visibility of progress is critical to be able to course-correct and ensure execution happens to deliver the results we want. Unless we have a common system and methodology to do so, it's very hard to accomplish.

 


The above isn't an exhaustive view & I'm keen to hear your take on the strategy to execution challenge!

 

 

#strategy #execution #results

Monte Pedersen Wayne Nelsen Jeroen Kraaijenbrink


https://www.linkedin.com/posts/jakobbovin_strategy-execution-results-activity-7109755488396832769-OD_V?utm_source=share&utm_medium=member_ios



Monday, September 11, 2023

Aeroplane or phone



I saw this at the LAX Star Alliance lounge - and it stuck with me.
The Wright brothers created the single greatest cultural force since the invention of writing... The aeroplane became the first World Wide Web, bringing people, languages, cultures and values closer together.

And then there was the phone!!

Saturday, September 9, 2023

Partnership between BSI Learning and Cyber Peace Foundation




The countdown has begun for our highly anticipated transnational program launch in collaboration with our esteemed partners, BSI Learning. Join us on September 21, 2023, the International Day of Peace, in the vibrant city of New Delhi, India. 🇮🇳🇦🇺

This grand launch will be graced by the presence of top tech industry leaders, distinguished Indian government representatives, and officials from the Australian Trade and Investment Commission. Together, we will embark on a journey to deliver globally recognised cybersecurity education in India.

Stay tuned for updates as we prepare to make history in the world of #cybersecurity.

Kala Philip Scott Wesley Vipul Rastogi Simon Dewar Arushi Gaur Ivan Kaye Scott Henderson Dylan Chan Craig Saphin Tony Surtees Michael Lynch

#CyberPeace☮️  #CyberSecurityProgram #CyberEducation #India #Australia #GlobalSynergy #GlobalPartnerships #EducationPrograms #CyberSecurityCourse #G20India #InternationalDayofPeace #G20India2023 #G20Bharat #G20Summit #G20SummitDelhi 

Tuesday, September 5, 2023

Another Blockchain cyber heist - Stake , the billion dollar heist and cybercrime




Stake.com - co-founded by Young Rich Lister Ed Craven in 2017 and one of the world’s largest online casinos - has been hacked, with more than $US40 million taken from the exchange’s online wallets.


The theft was discovered in the early hours of Tuesday morning, when Cyvers, a blockchain security platform, detected $US16 million of “suspicious transactions”. Another blockchain analyst, ZACHXBT, confirmed the number plus an additional $US25.6 million.


Last year, more than $3.7 billion worth of crypto was lost to various hacks and exploits (CoinDesk).


What is Stake?


Stake is an Australian casino and sportsbook that allows users to deposit and play with cryptocurrencies. It made $2.6 billion in revenue in 2022, according to a Financial Times report.



Security Measures: 


Stake.com had a slew of security measures in place, from stringent password policies and 2FA to frequent security audits and encryption technologies. They even advised users on game choices to minimize risks.


What is at stake? What does this mean for risk and vulnerability?

The hack reveals a sobering truth: even the most secure platforms are vulnerable to sophisticated cyber-attacks. It’s a wake-up call not only for the gambling industry but for online industries such as banking to beef up security protocols, and for users to tread carefully.


No platform is entirely safe. It’s crucial for users and platforms alike to up their security game.


Other heists 

Blockchain security company CertiK estimates that approximately $1.3 billion worth of cryptocurrency was lost due to hacks and scams in 2021 alone, a 2,500 percent increase from 2020. 


https://www.theregister.com/AMP/2022/09/20/wintermute_hacked_160m/



Multichain 

Blockchain bridge Multichain has suspended operations and is missing up to USD120 million after seeing “unusual activity” coinciding with a major cyber heist. Before it paused transactions, it was holding a reported USD1.26 billion in cryptocurrencies.


https://australiancybersecuritymagazine.com.au/multichain-pauses-operations-after-usd120-million-cyber-heist/



Several cybersecurity firms sounded the alarm on July 6 about an attack after observing abnormally high numbers of tokens transferring from Multichain’s bridging networks to unidentified addresses.


Multichain (formerly known as AnySwap) describes itself as an “enterprise blockchain that actually works” and allows clients to connect blockchains such as Bitcoin and Ethereum via a cross-chain bridge.


Last week, hackers stole stablecoins, including Tether, Dai, and USDC, as well as tokens like Chainlink, wrapped Bitcoin, and wrapped Ether.


The funds were moved into six different addresses.


CyVers says Multichain is still uncertain about the exact nature of the incident, adding that in dollar terms, it is the second biggest cyberattack of 2023 to date.


With its CEO (and other senior team members) missing and delayed transactions before the attack, there is intense speculation that Multichain will not resume business.


Cybercrime is prevalent

It’s not only crypto that is being hacked.
Banks are vulnerable too.


The Billion Dollar Heist

Great advertising for the latest documentary by

Misha Glenny and director Daniel Gordon - Billion Dollar Heist.


The doco illustrates how sophisticated and prevalent cybercrime has become in recent years.


The story is about how, in 2016, a group of hackers managed to steal $81 million from the Bangladesh Bank, while a typo accidentally kept them from getting away with much more.


The hackers issued 35 fraudulent requests to illegally transfer close to US $1 billion from the Federal Reserve Bank of New York account belonging to the Bangladesh Bank to themselves.


Cybersecurity experts across the world are on high alert.


In 2017, the G20 warned that cyberattacks could “undermine the security and confidence and endanger financial stability.”


Is this as much of a threat to humanity at large as pandemics, weapons of mass destruction and climate change?



https://study.uq.edu.au/stories/how-do-you-stop-cyber-bank-heist


If cyber security isn't done well, it’s as easy as walking into an unlocked vault. That’s where cyber security experts step in.


According to VMware’s fifth annual Modern Bank Heists Report, 63% of financial institutions admitted experiencing an increase in destructive attacks, with cybercriminals leveraging this method as a means to burn evidence as part of counter incident response. Additionally, 74% experienced at least one ransomware attack over the past year, with 63% paying the ransom.


“What exactly are these cybercrime cartels looking for? We’re witnessing an evolution from a bank heist to economic espionage, where cybercriminals target corporate information or strategies that can affect the share price of a company as soon as it becomes public,” wrote Tom Kellermann, head of the cybersecurity strategy at VMware in a blog post.


How can cybercrime be stopped?

How can you mitigate the risk?


Kala Philip of BSI Learning says that it starts with education.

Every professional and employee should be aware of the risks and of the strategies by which cybercrime can be mitigated.