
Tuesday, January 23, 2024

8 ESSENTIAL CYBER SECURITY PRACTICES – IN DEPTH


Exxatech has written an excellent article on the 8 essential cybersecurity practices needed to secure your organisation, and CYBER AWARENESS TRAINING is up there. BSI Learning provides for your learning needs when it comes to CYBER AWARENESS TRAINING.
The government is providing funding to help upskill your team in cybersecurity. If you are interested, feel free to connect with me or comment below and I’ll refer you to Kala Philip at BSI Learning.



1. Endpoint Security

Endpoint security is a pretty broad term, so let’s clarify.

Firewalls
Firewalls are essential both at the individual device level and the company office level. Windows, macOS and Linux all come with firewalls built in, but you need to make sure they are configured properly and, more importantly, turned on! By default they are preconfigured with rules to help you stay safe. Many antivirus products that you install come with their own firewall and do a better job of enforcing compliance than the operating system’s built-in one.

Office Perimeter Firewalls
The classic office firewall still definitely has its place despite the move to the cloud, and should always be the first line of defence for a business of any size. Decent hardware firewalls from the big security vendors are not expensive for smaller use cases and should definitely be deployed before anything else in your office network. By default no rules / access should be allowed into or out of the office network unless specifically configured by your Network / Systems Administrator. If your firewall has an Intrusion Detection System, even better – make sure your definitions and rules are updated regularly to protect against new threats.

Cloud Based Firewalls / Cloud Security Groups
Cloud-based firewalls, sometimes called Security Groups by the big cloud vendors (AWS, Azure), need to be configured for least-privilege access: only open the very minimum of network ports needed to reach your infrastructure.
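As an added illustration of the least-privilege point above (example code written for this page, not from Exxatech or BSI Learning): a small Python audit that walks security group inbound rules in the shape AWS returns from describe-security-groups and flags rules open to the whole internet on anything but 80/443, all-protocol rules, and over-wide port ranges. The sample groups, the 80/443 allow-list and the 100-port threshold are constructed assumptions.

```python
import ipaddress

# Assumptions for this example: only these single ports may face the internet,
# and a TCP/UDP rule spanning more than WIDE_RANGE ports is treated as too broad.
PUBLIC_OK_PORTS = {80, 443}
WIDE_RANGE = 100

def is_world_open(cidr: str) -> bool:
    """True for 0.0.0.0/0 or ::/0, i.e. the whole address space."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0

def audit_group(group: dict) -> list:
    """Return (GroupId, reason) findings for one group's inbound rules."""
    gid, findings = group["GroupId"], []
    for perm in group.get("IpPermissions", []):
        proto = perm.get("IpProtocol", "-1")
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        world = any(is_world_open(c) for c in cidrs)
        if proto == "-1":  # "-1" means every protocol and every port
            findings.append((gid, "all-traffic-world" if world else "all-protocols"))
            continue
        if proto not in ("tcp", "udp"):  # ICMP has no port range to judge
            continue
        lo, hi = perm["FromPort"], perm["ToPort"]
        if hi - lo + 1 > WIDE_RANGE:
            findings.append((gid, f"wide-range:{proto}/{lo}-{hi}"))
        if world and not (lo == hi and lo in PUBLIC_OK_PORTS):
            findings.append((gid, f"world-open:{proto}/{lo}-{hi}"))
    return findings

def audit_groups(groups: list) -> list:
    return [f for g in groups for f in audit_group(g)]

# Constructed sample groups in the describe-security-groups shape (not real).
SAMPLE_GROUPS = [
    {"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-ssh", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22,
        "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-bastion", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22,
        "ToPort": 22, "IpRanges": [{"CidrIp": "203.0.113.0/24"}]}]},
    {"GroupId": "sg-legacy", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
        {"IpProtocol": "tcp", "FromPort": 1024, "ToPort": 65535,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},
]
```

Running `audit_groups(SAMPLE_GROUPS)` leaves the HTTPS-only group and the bastion restricted to one /24 clean, and reports the world-open SSH rule and the two over-broad legacy rules.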

 

Email Spam Protection Controls
Your Office 365 and G-Suite mail services come with basic anti-malware and antivirus controls, but should definitely be further hardened to stop malicious emails from getting through. A better solution is to use an email gateway: G-Suite and Office 365 use basic whitelisting / blacklisting rules, whereas some of the more advanced email gateways use machine learning, URL rewriting, etc. to keep you safe.

Antivirus and Anti-Malware Software
You can get some fantastic antivirus and anti-malware software for free – Bitdefender Free Antivirus and Malwarebytes Free come to mind – so there is no excuse for not having these in place.
Both Windows AND macOS require these products. Unfortunately, gone are the days when Macs don’t get viruses; although malware is rarer on Macs than on Windows, these products are still essential to have.

 
 

2. STRONG AUTHENTICATION

Passwords
Unbelievably, the most popular password worldwide last year was 123456!
Passwords should be as long as possible – minimum 10 characters; surprisingly, numbers and non-alphanumeric characters aren’t that important.
Articles:

https://www.esquire.com/lifestyle/a25570880/top-passwords-2018/

https://blog.fleetsmith.com/password-security-guide/

 

Multi Factor Authentication
All your accounts, both work and personal, should be secured by Multi Factor Authentication where possible. In 2019 this is essential to protect your data. SMS is inherently far less secure than authenticator apps like Google Authenticator and Microsoft Authenticator, as phone numbers can be ported by a determined enough hacker.
For work, MFA on administrator accounts is absolutely a must if you decide not to apply it to normal user accounts (which you should). A compromised administrator account can create havoc and destroy businesses.

 

3. DATA PROTECTION

Mobile Device Management
Company data no longer resides in the office network on your file share; it is accessible through the cloud on any device, anywhere. BYOD (Bring Your Own Device) adoption means company data is likely on your tablet, phone, toaster. No, seriously, but you get what I mean.
As a consequence, companies need to secure their data wherever it sits, on personal devices or company-owned laptops. This is where MDM (Mobile Device Management) comes in. You can set up software and policies to enforce data protection and allow remote wiping of company data. Office 365 and G-Suite already have built-in MDM you can configure, and of course there are hundreds of third-party solutions.

 

Encryption
Data should be encrypted in transit and at rest. For in-transit encryption think VPN connections and HTTPS / SSL with strong encryption ciphers to access your data in the cloud and in the office network. Data at rest should sit on encrypted disks. Both Windows and macOS now have this built in – BitLocker and FileVault – so it shouldn’t cost anything to implement.

 

4. PATCH MANAGEMENT

It is essential to ensure that your servers, computers and devices are patched regularly to protect against hacking via zero-day exploits, and a good patch management system is essential to automate this process.
Good patch management systems don’t have to cost much any more and, once installed and implemented, are set and forget. A small price to pay for peace of mind.

 

5. LEAST PRIVILEGE

Least Privilege / RBAC (Role Based Access Control) are a set of principles which dictate that a user who needs to complete a task must have the absolute minimum amount of permission required to complete that task. For cloud services such as AWS / Azure or Office 365 / G-Suite this means the least number of administrators possible.
The higher the number of administrators, the higher the chance of getting hacked.
RBAC means that instead of creating single users or groups with certain permissions, you create a role with the requisite permissions and apply it to that user. Therefore, if the user leaves or changes job, you can remove the role without affecting anyone else.

 

6. BACKUP

A good backup is essential to protect against attacks and loss of company data. It should be point-in-time and offsite so you have some level of BCP (Business Continuity Planning) in case of main site loss. There are a lot of excellent, reasonably priced cloud-based backup solutions.
You should also have a backup of your configuration, and a backup of all your documentation and processes off site as well, to protect your intellectual property.

 

7. SUPPLY CHAIN SECURITY

Having the most secure environment in the world is useless if your suppliers have no controls and your or your customers’ data is stored with them. Hold your suppliers accountable for your data as if it were on your own onsite servers. The big cloud vendors have whole sections of their portals dedicated to all of the regulations they comply with – PCI DSS, ISO 27001, HIPAA – the list goes on and on.

For smaller vendors, make them fill out an annual audit.
It should be pointed out that despite the regulations the big providers comply with, it is a shared responsibility model, i.e. once you use the infrastructure you are responsible for ensuring it is secure. Spin up an AWS EC2 instance and put a website on it without SSL / HTTPS, and it is NOT PCI DSS compliant!

 

8. CYBER INSURANCE / CYBER AWARENESS TRAINING

Increasingly important in the current landscape and two sides of the same coin, Cyber Awareness Training for your employees and good Cyber Insurance are essential.
Training your employees to properly assess potential hacking situations is vital. There are great solutions out there to help train your users.
Cyber Insurance is also becoming increasingly important, but awareness comes first, because thoughtless employee actions can mean your insurance is voided and you don’t get paid out if a breach occurs.

https://www.wombatsecurity.com/security-education/security-awareness-training-videos-materials

References / Guides

https://www.itnews.com.au/news/one-in-ten-aussie-businesses-suffered-it-breaches-last-year-527306?eid=1&edate=20190627&
https://exxa.azurewebsites.net/security/security-the-new-data-breach-laws
https://www.techrepublic.com/article/how-to-turn-on-the-microsoft-windows-10-firewall-and-modify-its-configuration-settings/
https://www.maketecheasier.com/configure-mac-firewall-correctly
https://support.office.com/en-gb/article/set-up-mobile-device-management-mdm-in-office-365-dd892318-bc44-4eb1-af00-9db5430be3cd
https://support.google.com/a/answer/7400753?hl=en
https://www.beyondtrust.com/blog/entry/what-is-least-privilege
https://azure.microsoft.com/en-au/overview/trusted-cloud/compliance/
https://aws.amazon.com/compliance/programs/

With multiple certifications in Cyber Resilience, AWS and Azure, we can help you implement all of these best practices to ensure the safety and security of your business.


Related Articles

BSI Future Learning series - In this first episode, we’re diving into the realm of cybersecurity. Join Simon Dewar from BSI Digital Learning and Kala Philip (MAICD, GAICD) from BSI Learning and the incredibly knowledgeable Damien Cantelo from Apollo Secure, who has worked closely with enterprises of all sizes to understand the cyber-threat landscape and guide them to ensure their systems, processes and, most importantly, people are cyber-ready.
https://www.linkedin.com/posts/business-strategies_bsi-learning-bsi-learnings-podcast-era-activity-7155424384407552000-DFHU?utm_source=share&utm_medium=member_ios

Australia sanctions Russian man over cybersecurity attack
https://www.linkedin.com/posts/aucyberseccoord_the-impact-of-the-2022-medibank-private-cyber-activity-7155436955315421184-O_iQ?utm_source=share&utm_medium=member_ios

Cybersecurity - get qualified - build cyber governance skills
https://www.linkedin.com/posts/kphilip_cybersecurity-knowledge-and-skills-are-much-activity-7153168524805394432-gbja?utm_source=share&utm_medium=member_ios

Spotlight on cyber by ASIC
https://www.linkedin.com/posts/kphilip_findings-and-insights-from-the-cyber-pulse-activity-7129736287481171969-L-dJ?utm_source=share&utm_medium=member_ios






Monday, January 22, 2024

Providing a learning environment around AI and Soft Skills are key to recruit and retain your team




In Australian and global businesses there are 2 areas of focus that organisations need to nail to recruit and retain their team, says Matt Tindale, Country Manager of LinkedIn Australia and New Zealand:

AI and Soft Skills 

AI 

The demand and supply for workers with AI skills has increased. 

LinkedIn published a Global Talent Trends Report showing that job posts mentioning AI grew by 10%.

You need to create an environment and culture of continuous learning that enables your team to upskill - what Matt calls a “skills first approach” - to expand your talent pools, upskill your current employees, and build agility into your workforce.

AI can help with this in an exponential way!

Technical skills will change over the years. Focus on people who have the ability to learn how to learn.

Employees are looking  to gain AI-related skills because they know it will benefit them in the future. 

Soft skills will be key

The significance of distinctly human skills and leadership skills - or soft skills - is key.

These skills include problem-solving, communication, people skills, leadership, critical thinking, time management, adaptability & resilience, and strategic thinking.

While technical skills change constantly, soft skills and your core values will remain with you throughout your career.

Soft skills are key in the future world of work, with 94% of business executives in Australia recognising their significance.

The Gen Zers and Millennials have different priorities when it comes to work and are digital natives. They want career mobility so they can make work, work for them.

They understand the power of AI and would be open to learning more.

Being a lifelong learner  provides greater job mobility for professionals across a wider array of industries as their knowledge and skills become more transferable, accelerating a trend of professionals pivoting roles.

The goal for you to recruit and retain your team is to shape work in the age of AI to be more human and more fulfilling. 

How do you engage, excite and enthuse teams to be part of your organisation?

We are in a period of exciting times 

Onwards and upwards!!