STOP and follow these 4 steps to increase your cybersecurity
Now is a critical time to address cybersecurity. Large-scale businesses in Australia are becoming targets of cyber attacks, with notable breaches at Optus, Medibank and Latitude impacting millions of Australians.
At Cyber Aware, we’ve developed a four-point program to help kick off your security efforts. If you aren’t sure of where to begin in protecting yourself and your business, our STOP policy is a fantastic place to start:
Safe
Two-factor authentication
Open with caution
Password etiquette
A common struggle for leaders who have decided to protect their business is finding an entry point, some firm ground from which to start. In this article, I'll detail how you can use the four points of the STOP policy to tackle your cybersecurity in a holistic and accessible way.
Safe
An important step in protecting your business is acknowledging your limits. As a business, you are only able to invest so much into your cybersecurity. Your time and resources can be limited, and protecting your business can seem an impossible and overwhelming task when you don’t know where to begin.
One figure that gets repeated often is that around 60% of businesses hit by a cyber attack close within six months. The number itself is hard to verify, but the mechanism behind it is real, and it's why this issue is critical for you to get on top of. Some of these businesses collapse from the direct financial loss; many more cannot recover from the reputational damage that follows a breach.
Imagine having to go to all of your customers, suppliers, and/or stakeholders with the news that their personal information has been stolen from your systems, and is now in the hands of criminals. Regaining their trust can be an impossible task.
To prevent this, you don’t need to shield every little aspect of your business. Your cybersecurity primarily needs to cover a small portion of your key assets and can be efficiently developed around them without feeling like you’re being worn thin.
With this in mind, ask yourself this question: What are your most valuable digital assets?
Generally speaking, it is much easier to protect your most valuable items. Recognise that having every asset in your business completely protected may not be realistic for you, but you can focus on protecting what matters most.
For example, you have physical valuables at home such as your T.V. or furniture. In the event of a burglary it’d be awful to lose these, but you aren’t going to bolt them to the floor and rig them with alarm systems to prevent this. It’s unrealistic to think you can triple-down the security on every little thing in your house. But let’s say you’ve got some priceless jewellery, or a unique family recipe that you simply cannot afford to lose. For these items you’d take the extra step and get a safe installed.
The same approach to home security can be applied to your business. Think of the digital assets in your business that deserve an extra level of protection, and in the same vein that you’d store your Crown Jewels in a physical safe, we want to build a “Digital Safe” to protect these.
Using the following steps, you can build your own Digital Safe:
- Think of what your most valuable digital assets are and write them down. These assets might include any of the following:
- your bank accounts and company funds
- the personal data or payment information of your clients
- intellectual property and business plans
- Take this list of items and label it “20XX Digital Safe” (where XX is the current year). This will be your personal reminder of the Crown Jewels that you are going to protect.
- Put a checkbox next to each item. Once you’ve run through the rest of the STOP Policy and have applied STOP measures to each item, tick these off.
With these three steps and your digital safe, you’ll have the key assets and a baseline security plan to help keep your valuables safe.
Businesses fall victim when they don’t know what needs to be protected. You don’t need to cover every facet of your business in steel barricades and tripwires.
The best thing that you can do for your cyber safety is take the time to work out the critical items that need protecting above all else. Sort these out and put them in your Digital Safe, and you’ll gain a better understanding of how to protect your business in line with the remaining STOP policy.
Two-Factor Authentication
Having identified the crown jewels of your organisation, the next step is to apply some practical measures to protect them.
Most of your crown jewels are locked behind a login area of some kind, so it makes sense to strengthen your login procedures.
However, a password on its own is a single point of failure. It can be guessed, phished, reused from a previous breach, or brute-forced offline if the database of hashed passwords is stolen. Verizon's 2017 Data Breach Investigations Report found that 81% of hacking-related breaches involved stolen or weak passwords, so a password alone is no longer an adequate security measure.
Using only a password to protect your login is the same as using only a locked screen door to protect your home. Sure, you can’t get in unless you have the key, but in the event of an actual robbery that screen door quickly becomes nothing more than a courtesy measure.
Enabling two-factor authentication on your systems is widely accepted as one of the most effective single controls against account takeover. Two-factor works as a second line of defence for the day your password fails you, and if we're going by the statistics, it eventually will!
So how does it work?
Have you ever logged in to your Gmail account from a new device or asked for a password reset on an account, and were then sent a verification code via email or SMS?
That's a common example of two-factor authentication. When you log in, the system prompts for a second proof of identity on top of the password: a one-time code delivered by SMS or email, a code generated by an authenticator app on your phone, or a tap on a hardware security key. An attacker who has only your password cannot get in.
Bear in mind that codes sent by SMS or email are the weakest form: they can be intercepted through SIM swapping, or relayed by a phishing page that asks you for the code in real time and passes it straight to the real site. Authenticator apps are better, and hardware security keys (FIDO2 or passkeys) are the only option that cannot be phished at all. Any of them is a large step up from a password alone.
The setup for two-factor is uncomplicated and inexpensive. Look at authenticator apps like Authy or Google Authenticator for quick-to-set-up solutions that work with most business services, and for your crown-jewel accounts consider a hardware security key. If you have an I.T. team in your business and you aren't already using two-factor, it should become their absolute priority to enable it, starting with email and administrator accounts, since email is what every other account's password reset flows through.
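To make the "uniquely generated code" concrete, here is the algorithm behind authenticator-app codes, TOTP (RFC 6238), as an added example written for this article rather than code from Cyber Aware or from any authenticator vendor. It uses only the Python standard library. The secret is the test secret published in the RFC (a real deployment generates a random one at enrolment), and the account and issuer names in the enrolment URI are made up.

```python
"""
TOTP (RFC 6238): the scheme behind Google Authenticator / Authy codes.
Added example using only the Python standard library.
"""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional
from urllib.parse import quote

# RFC 4226 / RFC 6238 published test secret (ASCII "12345678901234567890").
# In a real deployment the secret is random, created at enrolment, and held
# only by the server and the user's authenticator app.
TEST_SECRET = b"12345678901234567890"
STEP = 30  # seconds per code, the Google Authenticator default


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then
    'dynamic truncation' down to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: Optional[int] = None, digits: int = 6,
         step: int = STEP) -> str:
    """RFC 6238: HOTP with the counter derived from wall-clock time, so the
    phone and the server agree on the code without ever talking to each other."""
    now = int(time.time()) if at is None else at
    return hotp(secret, now // step, digits)


def verify(secret: bytes, submitted: str, at: Optional[int] = None,
           window: int = 1, step: int = STEP) -> bool:
    """Server-side check. Accepts the current code and `window` steps either
    side to tolerate clock drift, and compares in constant time so the
    comparison itself does not leak how many digits matched."""
    now = int(time.time()) if at is None else at
    counter = now // step
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(secret, c), submitted):
            return True
    return False


def provisioning_uri(secret: bytes, account: str, issuer: str) -> str:
    """The otpauth:// URI that an authenticator app reads from the enrolment
    QR code. The secret is base32 without padding, as the apps expect."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    label = quote(f"{issuer}:{account}", safe=":@")
    return (f"otpauth://totp/{label}?secret={b32}&issuer={quote(issuer)}"
            f"&digits=6&period={STEP}")


if __name__ == "__main__":
    # RFC 6238 Appendix B vector: at T=59 s with SHA-1 the 8-digit code is 94287082.
    print(totp(TEST_SECRET, at=59, digits=8))                # 94287082
    print(totp(TEST_SECRET, at=59))                          # 287082
    print(verify(TEST_SECRET, "287082", at=59))              # True
    print(verify(TEST_SECRET, "287082", at=59 + 3 * STEP))   # False: code has expired
    print(provisioning_uri(TEST_SECRET, "alice@example.com", "ExampleCo"))
```

Two things worth noticing: the code is derived from a shared secret plus the current time, so it never travels over SMS or email and cannot be intercepted in transit; and because each code is only valid for one 30-second step (plus a small drift window), a code an attacker manages to phish is useless minutes later, which is also why the phishing proxies mentioned above have to relay it in real time.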
This small addition alone shuts out the bulk of credential-based attacks, and can easily be the deciding factor in whether your business becomes the victim of a cyber attack.
Open with Caution
Malicious attachments and fake links are 2 of the oldest and most successful cyber attacks in the book. They’re also 2 of the most preventable.
Let’s say your doorbell rings, and you answer to find an unexpected parcel on your doorstep. It’s addressed to you from someone that you’ve never heard of and you weren’t expecting anything in the mail. For your own safety, the sensible thing to do would be to treat the parcel with a level of caution and find out where it came from before opening it.
That same level of caution applies whenever you receive an unanticipated attachment in an email or open a link.
The problem with links and attachments is that while they're convenient, they're also very exploitable. They can carry a range of threats, the most common being:
- Malware and spyware, delivered as a document macro or a disguised executable, used to gain control of or monitor your systems
- Fraudulent invoices or "updated" bank details, so that a legitimate-looking payment goes to the attacker's account (business email compromise)
- Phishing forms that imitate a login page to harvest your credentials or card details
Before you open any email attachment or link, there are a few things that you need to verify:
- Are you familiar with the person that has sent you this email?
- Is the email address that sent the attachment actually legitimate?
- Were you expecting the email from the sender before it arrived?
To verify an email attachment, call the person who sent it and ask whether it was intentional. Use a phone number you already have on file, not one from the email itself: an attacker who controls the sender's mailbox also controls the signature block.
To judge a link, hover the mouse over it and read the URL it actually points to, not the text it displays. The part that matters is the domain just before the first single slash: docs.google.com.login-help.example is not Google, and neither is a domain with one letter changed. Don't treat https as a sign of safety; phishing sites use it too, as it only proves the connection is encrypted, not that the site is honest. If the link leads anywhere other than where it claims, do not open it.
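Here is that hover-and-check routine as code, an added example written for this article and not a Cyber Aware tool. It pulls the real hostname out of a link, works out the registered domain (handling Australian two-level suffixes like .com.au), and flags the tricks phishers use to make a hostile link look familiar. The list of trusted domains, the short suffix list and the sample links are all constructed for illustration; a production tool would load the full Public Suffix List.

```python
"""
Mechanised "hover over the link and look at the URL".
Added example; trusted domains, suffix list and sample links are constructed.
"""
from typing import List
from urllib.parse import urlsplit

# Public suffixes with a second-level label, so "examplebank.com.au" is the
# registered name rather than "com.au". Assumption for the example: a real
# tool loads the full Public Suffix List.
TWO_LEVEL_SUFFIXES = {"com.au", "net.au", "org.au", "gov.au", "edu.au", "co.uk", "co.nz"}

# Domains this (hypothetical) business legitimately deals with.
EXPECTED = {"google.com", "docs.google.com", "examplebank.com.au", "xero.com"}


def registered_domain(host: str) -> str:
    """Registrable part of a hostname: the last two labels, or three when
    the host ends in a two-level public suffix."""
    labels = host.lower().rstrip(".").split(".")
    if ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


EXPECTED_REGS = sorted({registered_domain(e) for e in EXPECTED})


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_link(href: str, anchor_text: str = "") -> List[str]:
    """Return the reasons a link looks suspicious (empty list = nothing found)."""
    reasons = []
    parts = urlsplit(href.strip())
    host = (parts.hostname or "").rstrip(".")

    # Only the scheme family is checked; https is deliberately NOT treated
    # as a safety signal, because phishing sites get certificates too.
    if parts.scheme not in ("http", "https"):
        reasons.append(f"unusual scheme {parts.scheme!r}")
    # "user@host": the browser ignores everything before '@', so
    # https://docs.google.com@evil.example/ really goes to evil.example.
    if parts.username is not None:
        reasons.append("userinfo before '@' hides the real host")
    # Non-ASCII letters (e.g. Cyrillic 'o') can imitate Latin ones.
    if any(ord(ch) > 127 for ch in host):
        reasons.append("non-ASCII characters in hostname (possible homoglyph)")

    reg = registered_domain(host)
    if host and reg not in EXPECTED_REGS:
        # A trusted name buried in the subdomain: examplebank.com.au.evil.example
        if any(f".{e}." in f".{host}" for e in EXPECTED_REGS):
            reasons.append(f"a trusted name appears as a subdomain of {reg}")
        near = [e for e in EXPECTED_REGS if 0 < edit_distance(reg, e) <= 2]
        if near:
            reasons.append(f"{reg} is a near miss of {near[0]} (typosquat?)")
        else:
            reasons.append(f"{reg} is not a domain we deal with")

    # Link text that is itself a URL but names a different host than the href.
    if anchor_text.startswith("http"):
        shown = urlsplit(anchor_text).hostname or ""
        if shown and registered_domain(shown) != reg:
            reasons.append(f"link text shows {shown} but points at {host}")
    return reasons


if __name__ == "__main__":
    # Constructed sample links, not taken from any real email.
    for href, text in [
        ("https://docs.google.com/document/d/abc", ""),
        ("https://docs.google.com@evil.example/login", ""),
        ("https://gooogle.com/doc", ""),
        ("http://examplebank.com.au.secure-login.example/", ""),
        ("https://evil.example/x", "https://docs.google.com/doc"),
    ]:
        print(href, "->", assess_link(href, text) or "looks consistent")
```

The checks mirror what you do by eye: find the real host, ignore decoration before an '@', compare the registered domain (not just the start of the URL) against the names you actually deal with, and distrust anything that is almost, but not quite, a domain you know.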
Here’s an example of an email with a link posing as a Google Doc. We hovered our mouse over the URL to see where this attacker was really trying to send us:
Password Etiquette
I tore apart the benefits of password security pretty harshly earlier in this article, but by no means do I mean to belittle their importance.
While I’d still equate a business without 2-factor authentication to having the same level of security as a house with only a screen door, a weak password is still like having a house with a massive hole in the wall.
If your password isn’t up to scratch, you’re wide open.
Again, Verizon's 2017 report attributed 81% of hacking-related breaches to stolen or weak passwords. Passwords are compromised by guessing, by brute force against stolen password databases, by phishing and, very often, by reuse: a password leaked from one service is tried against every other service the attacker can find. What it takes to keep your password safe is an awareness of where you keep it, whether it is unique to that account, and how strong it is.
The standard "one upper case letter, one number, one symbol" trick is no longer enough, and current guidance from NIST and the Australian Cyber Security Centre favours length over complexity. We recommend moving to passphrases instead.
A passphrase is several unrelated words strung together. Four or more words, giving at least 14 characters, is the ACSC's recommended minimum; it is far easier to remember than a jumble of symbols and far harder to guess.
For example: "magpie-rafter-velvet-tundra" (an illustration only; never use a passphrase you've read somewhere).
Avoid the older trick of taking the first letter of each word of a sentence and adding a year. "Collingwood followers Are sophisticated People" gives CfAsP, and with the year of their last premiership on the end you get CfAsP2010: only nine characters, built on a pattern that cracking tools try early, with a number that anyone who knows you could guess.
Use a different passphrase for every important account, keep them in a password manager rather than a spreadsheet or a sticky note, and change a password when you have reason to think it's been compromised rather than on a fixed six-month schedule; forced rotation tends to produce weaker, predictable variations, and both NIST and the ACSC no longer recommend it.
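The difference between the two approaches can be put in numbers. The block below is an added example for this article, not a Cyber Aware tool: it generates a passphrase with a cryptographic random source, estimates the entropy of a passphrase against the first-letter-plus-year scheme, and applies a NIST SP 800-63B style acceptance check (minimum length, not in a known-breached list, no composition rules). The 14-word list is a stand-in for a real Diceware-style list of 7776 words, and the breached set is constructed.

```python
"""
Passphrase generation and a length-over-complexity check.
Added example; the word list is a tiny stand-in for a published list.
"""
import math
import secrets
from typing import Sequence, Set, Tuple

# Stand-in word list (assumption for the example). A real generator uses a
# published list such as EFF's or Diceware's 7776 words.
WORDS = ["magpie", "rafter", "anchor", "velvet", "saddle", "tundra", "lantern",
         "copper", "meadow", "glacier", "harbour", "pebble", "quartz", "timber"]
DICEWARE_SIZE = 7776
MIN_LENGTH = 14  # ACSC guidance: passphrases of at least 14 characters


def entropy_bits(pool: int, count: int) -> float:
    """Bits of entropy for `count` independent, uniformly random choices
    from `pool` options: the honest measure of 'how hard to guess'."""
    return count * math.log2(pool)


def mnemonic_entropy(letters: int, digits: int) -> float:
    """Upper bound on the article's CfAsP2010 scheme IF every letter were a
    uniformly random upper/lower letter (52 options) and every digit random
    (10 options). Real sentences and real years are far more predictable,
    so the true figure is lower."""
    return entropy_bits(52, letters) + entropy_bits(10, digits)


def passphrase(n_words: int = 4, wordlist: Sequence[str] = WORDS, sep: str = "-") -> str:
    """Build a passphrase with the CSPRNG in `secrets`; never use
    random.choice for anything secret."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def is_acceptable(pw: str, breached: Set[str]) -> Tuple[bool, str]:
    """NIST SP 800-63B style check: a minimum length and a lookup against
    known-breached passwords. No 'one upper, one symbol' rules and no
    forced rotation; those produce predictable variations, not strength."""
    if len(pw) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    if pw.lower() in breached:
        return False, "appears in a breached-password list"
    return True, "ok"


if __name__ == "__main__":
    print(f"CfAsP2010 scheme, best case: {mnemonic_entropy(5, 4):.1f} bits")
    print(f"4 Diceware words:            {entropy_bits(DICEWARE_SIZE, 4):.1f} bits")
    print(f"5 Diceware words:            {entropy_bits(DICEWARE_SIZE, 5):.1f} bits")
    print(passphrase())
    # Constructed breached set, standing in for a real list of leaked passwords.
    print(is_acceptable("CfAsP2010", {"password1", "collingwood2010"}))
```

Even giving the mnemonic scheme the benefit of the doubt (every letter random, every digit random), it tops out around 42 bits, while four words from a 7776-word list give about 52 bits and five give about 65, and each extra word adds almost 13 bits without making the result harder to remember.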
It's these small steps, like being conscious of the password you use every day, or cautious about the attachments and links you click on, that stop you from becoming a cyber incident statistic.
Use the four STOP principles to both identify your crown jewels and protect them.
For more information about STOP and Cyber Aware, visit cyberaware.com