As someone who has been involved with technology for over 30 years, I have had my fair share of exposure to cybersecurity. I have to admit that I have always tried to avoid it. The whole subject didn’t really interest me and seemed to involve overly technical and dramatic conversations intent on exaggerated fear-mongering.
Now I have to admit that I was wrong. In the last few years, cybersecurity issues have been inescapable and will only continue to take further prominence.
Personally, I am a customer of both Medibank and Optus (gulp) – I hate to think what data about me is out there. An elderly relative was victim to a scam that cleared their bank account and still doesn’t know how it happened.
From a business point of view, over 42% of businesses have said they have been “hacked” and over 40% of cyber-attacks are aimed at SMEs. One in six of these results in a ransomware situation. Six hundred thousand Facebook accounts are hacked a day (in the US alone). The US President, Joe Biden, has personally launched the US Cybersecurity Strategy – since when do US Presidents care about technology issues?
It is now a US$150 billion industry, and it will only grow.
So here I am being dramatic and fear-mongering.
We all hear the big headlines, but what can we do as individuals, small business owners, CIOs, executives and managers to safeguard our systems and businesses? There is a lot to do, but here are some simple tips to start with.
1. Mindset Matters
Traditionally, the cybersecurity approach can be summed up as “everything must be OK because nothing is going wrong”. This reactive mindset of waiting for something to go wrong is not going to cut it. The mindset for you and your team is to be proactive about cybersecurity.
Either something has already happened and you don’t know it yet, or it will happen shortly. Most hacks do not result in red lights flashing on your computer – malware can be dormant for months in your systems, a bit like a thief who breaks into your house on a daily basis, just to see if you’ve left anything valuable lying around.
2. Give your apps a nip and tuck
Most businesses and individuals have collected many different software applications over the years. Many like the strategy of having “best of breed” applications for each specific business or personal purpose. However, each application from each different software vendor brings in its own set of security vulnerabilities (or, in other words, headaches).
Hackers have recently targeted software vendors such as SolarWinds, ChatGPT and LastPass, as it is an easy way for them to get access to millions of other users in a totally uncontrollable manner. (In late 2022, over 100 million users downloaded ChatGPT in 2 months…)
If you have apps in your systems that are no longer being used frequently or do not have a clear purpose, consider removing the apps entirely. You may also want to review your software acquisition strategy and look at platforms from a single vendor, even if they are not best of breed.
3. Stand up for your (admin) rights
Most businesses I have consulted with over the years do not have the resources, or simply cannot be bothered, to properly specify user privileges for their software applications. Everyone just becomes an administrator.
That is the easy path, but unfortunately the least secure. Often it is individuals’ computers that are hacked, and if those individuals are admins in the software, then so is the hacker. What’s more, they can then get into the software setup and give their mates access!
You don’t want admin rights unless you absolutely need them.
4. Insure to be sure
We think of the typical stereotype of a hacker being a lonely earnest young man on a grubby couch with an axe to grind with the world. Unfortunately, this is not true! Many cyber-criminals are sophisticated organisations who know exactly what they are doing. Some even have call centres and customer service representatives.
If you have a business that stores or transacts with any sensitive data about other people, think about what would happen if this data got into the wrong hands. You need to review your cybersecurity insurance strategy – talk to your insurance broker and understand what is available to you.
5. What was the plan again?
Lastly, if an incident does happen and you know about it, the natural reaction is to try and pretend it didn’t. It may be someone who has had a big night and clicked on an email link by mistake, or a weird message on the screen that you just ignore. IT teams and service providers may gloss over security issues for fear of recrimination.
Build a culture in which you and your team feel it is OK to admit to a mistake, or at least to report immediately anything that looks suspicious. As we said in tip 1, it is not a question of if something will happen, it is when.
So, what will you do when you have a cybersecurity breach? What is your Incident Response Plan? Who will take charge? Who needs to know what? Do we need to shut everything down and go to manual operations? Do we have a proper backup that we can go back to?
All of these questions need a calm and measured response, not a mad panic.
Yes, cybersecurity may be something we want to avoid, but it is an essential part of our lives now. It is not just the domain of IT tech-heads around the world. I’ve taken my head out of the sand – do you need to join me?