So you’ve been breached: how to avoid the same security mistakes

Suffering a data breach has almost become a rite of passage for many organisations. With such a complex and dynamic array of threats across the digital landscape, it has become nearly impossible to prevent 100 per cent of security incidents and data breaches from occurring. 

For those organisations who have suffered a data breach, the first question is normally: how did this happen? Finding the answer to that question helps to answer an even more important one: how do we prevent this from happening again? 

Unfortunately, the sheer variety of security threats means that protection from one doesn’t necessarily mean protection from another. There are some steps, however, that can help you emerge from a security incident with a more robust and mature security posture. 

Step 1 – Finding out what happened 

Beyond helping you to prevent a similar data breach, your organisation is likely required to report the details of a data breach to regulators. For organisations that hold data on EU citizens, the EU’s General Data Protection Regulation (GDPR) requires a breached entity to provide full details of the breach within 72 hours. While New Zealand currently has voluntary notification, the government is pushing forward with legislation that resembles Australia’s Notifiable Data Breaches scheme. 

Of course, this is easier said than done when Ponemon research reveals that it takes an average of 197 days to discover a data breach in the first place. In the event of a data breach, your incident response team should set out to understand: 

  • Which datasets were breached? 
  • Who is affected? 
  • Who has access to those datasets? 
  • What protection is in place currently? 

Step 2 – Measuring your current security posture 

Before you can begin implementing new security measures, you need to understand exactly what needs protection. By conducting thorough data discovery and classification processes, you can establish exactly where and how your most sensitive data is being stored. 

From this point, you can begin assessing your current security tools in relation to the level of risk that each data set carries. Some lower risk data won’t require the same level of protection as sensitive customer data for example. 

Step 3 – Create an incident response team 

Your ability to recover and respond to a data breach or security incident is almost as important as your ability to prevent a breach. Creating an incident response team will allow you to assign roles and establish a careful process for limiting the damage of future breaches. 

Part of this will involve assessing the necessary skill sets of your current team and identifying skill gaps for recruitment, or for engaging with a managed security services provider. Once assembled, your incident response team can routinely test your incident response plans for a variety of scenarios, enabling you to greatly reduce the fallout from a breach or attack. 

Step 4 – Adopt a zero-trust security posture 

If a breach is inevitable, a zero-trust security posture allows you to assume that no one with data access is 100% trustworthy. Although it may sound draconian, this approach ensures you have security solutions that segment and monitor user access and protect the data itself. 

Part of a zero-trust security approach is the need to focus on endpoint security so that every device connecting to your network and applications is protected. While user awareness training is vital for limiting social engineering attacks such as phishing, having inbuilt security features on each device is the only way to stay completely secure. 

For organisations who want to ensure their end users are always secure, particularly with a large remote workforce, HP EliteBooks, powered by Intel® processors, are equipped with the most advanced device security on the market.  

  • HP Sure Sense – Harnesses the power of deep-learning AI to identify and quarantine never-before-seen attacks
  • HP Sure Click – Protects against malware in websites and attachments, with hardware-enforced isolation
  • HP Sure Start Gen5 – Firmware attacks can completely devastate your PC – stay protected with this self-healing BIOS. 

To understand the full cost of a data breach, download our infographic which is designed to quickly and easily guide you through the key facts and figures around the implications of a breach.

The 5 w’s of phishing

It’s known as one of the oldest and still one of the most prevalent forms of cyberattack. This is because phishing largely relies on a vulnerability we can never completely get rid of: human error.

It deploys the same basic tactic that scammers have been using for decades – faking the identity of an individual or business to get victims to divulge sensitive information, or to send money. Phishing has evolved since the early days of the internet and is now a catch-all term for a variety of attacks.

For you to understand these attacks in all their forms, here is the ‘who, what, where, why and when’ of phishing to help you protect your business.

Who is usually targeted in a phishing attack?

The targets of phishing attacks vary, but the traditional model was to spam as many people with the same scam email and see who took the bait. This has become less effective over the years as we’ve all grown accustomed to spotting scam emails when they appear.

Spear phishing involves targeting individuals with specific content related to them, such as an unrequested ‘forgotten password’ email from their favourite online retailer. Attackers may work for weeks in advance to learn as much as they can about their targets before then sending personalised scam emails to trick the individual into revealing confidential information. The most famous spear phishing attack was the targeting of Hillary Clinton’s campaign officials during the 2016 US presidential election.

Whaling takes the fishing puns to their logical conclusion. The ‘whales’ in a phishing context are senior executives and even CEOs. However, the difference here is that the scam emails appear to come from the CEO. This is an effective form of social engineering as employees are incredibly unlikely to deny a request for information from their boss.

What do attackers want?

In the majority of cases, attackers are after financial gains, either directly or indirectly. They may just head straight for credit card details, or they might use access to servers and mail to gather information that can be sold. According to Verizon’s 2019 Data Breach Investigation Report, 88 per cent of phishing attacks are financially motivated and 10 per cent are espionage efforts.

Where do phishing attacks come from?

This is difficult to say definitively. In the early days of phishing emails, they were easy to spot due to their relatively poor use of grammar. Phishing attacks these days are much more sophisticated, and when we consider the enormous budgets behind state-based espionage, an attack can come from literally anywhere in the world. The introduction of phishing kits has also lowered the skill barrier for attackers to spoof website domains for capturing credentials.

Why are phishing attacks still so effective?

Phishing attacks are the most common form of what are broadly known as social engineering attacks. All of these attacks use our own psychology against us, as is the case with baiting, which involves tempting us to click on malware infected media, or scareware, which bombards users with fake threats and alerts until they hand over their credentials. Each scenario is difficult to prevent because people aren’t robots and we’ll always respond to stimuli in very human ways.

When will we ever learn to spot phishing attacks?

The good news is that our awareness is far better than it was in the early days of the internet, when mysterious foreign princes could fool us into handing over our life savings for a lucrative diamond investment opportunity. But there is still a long way to go, particularly when we consider phishing attacks are still the first-choice method of cyber attackers.

All of this demonstrates that cybersecurity awareness training is more essential than ever if we want to keep our organisation’s sensitive data secure, especially our customer data. If our employees don’t have the knowledge or awareness on how to prevent phishing attacks, then no amount of money spent on enterprise security software will change how vulnerable businesses remain.

Datacom can partner with you to help you avoid the potentially catastrophic costs of a phishing attack. Our experienced team is here to help you evolve your people and processes through both targeted and organisation-wide cybersecurity awareness training modules. Speak to us today to discuss how we can help you become more resilient against a growing array of threats.

The A to Z of cybersecurity

New Zealand businesses recorded over four thousand cybersecurity incidents last year, including 53 per cent more scams and fraud reports compared to 2018. This resulted in businesses losing NZ$16.7m.

Cybersecurity is more important than ever. With new forms of attacks appearing every year, and so many security solutions on the market, it can be difficult to keep up with all of the different terms in play.

If you need to know your malware from your ransomware, we’ve put together a glossary of essential terms you need to understand in order to protect your organisation.

Antivirus – A good introduction to both our glossary and the world of cybersecurity. Antivirus software is designed to prevent, detect and remove malware. If your computers aren’t running reputable antivirus software already, then you’ve got real problems.

Botnet – A group of computers or internet-connected devices that are collectively compromised and used to perpetrate DDoS attacks (see below), or to steal data and generally wreak havoc.

Cybersecurity awareness – These are vital training modules that ensure your employees are aware of the many cyber threats to your business, including phishing (see below) and other social engineering attacks.

DDoS (Distributed Denial of Service) – In a DDoS attack, a botnet inundates an application, system, or website with internet traffic, making it impossible to stop the attack simply by blocking a single source. These devastating attacks can bring down even the most well-protected banking and government services.

Encryption key – An assortment of letters, numbers and symbols that is purposefully created by algorithms to disarrange and rearrange data, so that each key is random and distinctive.

Firewall – A firewall acts as a defence for your device. Depending on your security settings, firewalls manage and assess what information your device receives, and filter and block suspicious attempts by other users or apps to access your device.

Hacktivist – These are attackers who hack or force their way into computers and networks, often for political or disruptive reasons. ‘Anonymous’ is the most well-known hacktivist group for their DDoS attacks on governments and other large organisations.

Insider threats – Whether your employees intend to be or not, from the CEO all the way down, each member of staff can be considered an insider threat to your organisation’s security. Cybersecurity awareness and user monitoring are essential to maintain your company’s safety.

Keylogger – A malicious tool that records what is typed (a keystroke) on a keyboard. Keyloggers are used to capture passwords, secret question responses, and any other sensitive information.

Logic bomb – This is a nasty piece of code in a virus or piece of malware that sets off a malicious function, such as deleting important files, when certain conditions are met.

Malware – A catch-all term for any type of code that has been designed specifically to cause harm in a system. This includes viruses, spyware, trojan horses, logic bombs and ransomware, among many others.

NIST framework – Published by the US Government’s National Institute of Standards and Technology. The NIST framework is considered cybersecurity best practice, including its model which promotes the need to ‘identify, detect, protect, respond and recover’.

Phishing – One of the oldest tricks in the cybersecurity handbook. Phishing involves fraudulently claiming to be an individual or business in order to gain sensitive information or financial gain. These attacks are a common form of social engineering and are usually carried out via phishing emails.

Quarantine – A function of your antivirus software that involves storing files that may contain malware in isolation for either further examination or deletion.

Ransomware – An increasingly popular form of malware that holds data or applications hostage on computers through advanced encryption. A demand for payment is then sent before attackers will release control of the captured data.

SIEM (Security Information and Event Management) – A group of systems, software and managed services that provide real-time analysis of security alerts generated by applications and network hardware, while automatically identifying systems that are out of compliance with security policies.

Trojan horse – A common form of malware where a malicious payload is embedded inside a seemingly normal file. When this file is opened, the malicious threat is automatically unleashed into the system.

UEBA – User and entity behaviour analytics is a growing field of software that monitors user activity data and analyses it using threat intelligence to identify behaviours that could be malicious. These applications are implemented to lower the risk of insider threats.

Virus – A well-known form of malware that attaches itself to a host file as a parasite. When this file is accessed, the virus is activated and it begins to infect other objects. The majority are engineered to infect the Windows operating system (OS), and some viruses are also designed to be as hard as possible to detect.

Worm – Similar to viruses in that worms are a form of malware focused on replication and distribution, but different in that a worm is a self-contained program that needs no host file. While not necessarily destructive in itself, a worm can be designed to spread other types of malware.

Zero-day vulnerability – These are previously unknown bugs or flaws in software that provide a potential backdoor entrance for attackers. By targeting these flaws, attackers can release devastating malware before the flaw can be patched.

With so much to learn about cybersecurity, you need a partner to help you stay one step ahead of the threats your organisation faces. Datacom can help you create a robust cybersecurity strategy that includes security management (via SIEM), phishing solutions, cybersecurity awareness training, and vulnerability assessments. Contact us today to learn how we can help you evolve your people, processes and technology to become more resilient.

Parliament is out – so what does the virtual parliament look like during COVID-19?

At 5pm on Wednesday 25 March, Parliament adjourned for the next five weeks.

Although it is due to open again on 28 April, it will not do so until the national alert status has been lowered. Standing Orders say select committees can continue to work remotely on bills in the meantime but in the absence of a physical parliament, the House cannot pass legislation without changing, or at least meeting to decide to change, the rules.

Seamless collaboration or virtual disconnection

There are three basic processes that must be managed remotely during this period – cabinet meetings, select committee meetings and parliamentary debates. Remote working causes issues for each one.

Cabinet meetings and select committee meetings are the easiest to resolve – they’re very similar to normal video conferences (VC) in the business world.

But how would a virtual debating chamber session function on a conference call? Assuming the Speaker (currently the Right Honourable Trevor Mallard) sets up and hosts a VC, would he have the power to mute an MP during a debate, and does he have the legal right to do so?

Does the opposition have the power to challenge/mute the prime minister?

Will question time be streamed on the live chat in the sidebar and if so, can they add in GIFs to the reaction of some of the statements made?

With the growing uncertainty of how long our country will be on lockdown, one must wonder how government services can proceed in a virtual world and about the practicalities of a digital parliament. In addition, how do the rules change for those who would normally attend in the lobby, chamber or gallery?

Securing a future virtual state

Due to the nature of the organisation, Parliament must maintain the highest trust and security for the people who keep it running. With select committee meetings being held via video conference, how can we ensure that these virtual meetings are kept secure, especially when some VC platforms like Zoom appear not to be encrypted end-to-end?

It’s important to note these quick facts:

  • The average cost of a breach in the public sector is A$1.7m
  • Breaches from system glitches and human error account for 49 per cent of attacks today
  • The chance of experiencing a breach in the next two years is 29.6 per cent.

(source: https://databreachcalculator.mybluemix.net/executive-summary)

While the impact to public sector is significantly lower in comparison to other industries, in times of crisis and extreme circumstance, the risk becomes greater and our government becomes a more likely target.

In New Zealand, government bodies participate in information threat sharing, and recognise the value and necessity of leveraging third party consultants, such as managed service providers, to better prepare for an attack. In many instances, there is a top-down approach to embodying the importance of embarking on a risk-first strategy. These are just a couple of the many tactics that can aid in mitigating the associated risks and costs.

It’s easy to say we don’t really need parliamentary oversight of the government during this time, but when there’s a crisis, that’s precisely the time when such oversight is so very important. Fortunately, today we have the tools to enable parliament to do its work whether they meet in person or not.

5 tips to staying safe and secure when video conferencing from home

As the New Zealand Herald reported, Zoom has some serious security issues in its Windows client that can be “used for limited remote code execution and, worse.”

And for many of us this means about the same as E=mc². What does this mean for us non-cybersecurity folks working from home during the COVID-19 lockdown? And how can you explain that to your mum, eh?

Here are our top five tips about working from home, video conferencing and staying safe.

1. Don’t talk to strangers

Businesses tend to use video conferencing solutions that allow anyone with a valid company email to join freely. If this sounds like your place of work, then stick to that. It means anyone from outside the company can’t join your discussions.

Some video conference solutions allow you to dial in from a mobile phone number as an alternative way in – if you see an unknown number pop up in your chat, challenge them to make sure there aren’t any lurkers.

But for the rest of us, make sure the platform you’re using has an option to set an entry password that you can share separately with all attendees. That way you won’t have any random stranger suddenly pop up in the middle of a shared lunch. Take advantage of the waiting room feature if it exists. You can vet and approve unexpected attendees prior to them potentially wreaking havoc.

Of course, there are those platforms that actively encourage people to drop in – Houseparty is one good example where you can issue an open invitation to anyone in your address book. If you are using these services, be aware that people you might not want on the call can join in. While that is unlikely to be problematic for your children’s schooling, Aunty Jean might think she’s joining a family dinner and a boozy flat game of virtual Truth or Dare might not be her cup of tea.

2. Do you even know what a .bz2 file is?

It’s simple. If you don’t know what a file is and if you don’t know how or what to use to view it, do not click on it, do not open it, and do not share it. If someone sends you a weird link over a video conference session, double-check that it is a real thing they’ve actually sent to you and not something that will hijack your computer. If you think dealing with tech support is hard work in the office, when you’re working remotely it’s doubly difficult. If the person is known to you, but there are attachments, check with them first – and not by email! Their account might have been hacked.

And of course, if you do need to share a file with your colleagues, then use file encryption, encrypted email, or whatever your company uses for secure file sharing. Emailing databases about the place is not considered smart, and certainly is not good practice.

3. Big brother may not be watching, but your housemate might be listening

Chances are your partner or flatmates find your work calls boring but you might not realise that your voice carries to the neighbours. Always consider who else is around when you’re on that conference call, especially if you’re working with sensitive information. Someone might be recording the call without your knowledge or just interested to find out about that big company deal you’re helping put together.

The lesson here is watch what you say. Check the participant list. Consider alternative communication channels for highly confidential conversations. The same applies for screensharing. Close your documents and shut down any irrelevant applications. And in the interests of not driving your family and flatmates nuts with your calls, get a good quality headset rather than shouting at your laptop. Trust me on that one.

4. You know what they say about repetition…

It might be boring, but it pays off. And so does accessing any system or application with more than one type of login.

Hopefully, your company has already introduced multi-factor authentication (MFA), which will require you to check your phone for a code before logging in to any vital system. But in case they haven’t, many platforms allow you to enable MFA yourself. This reduces the chances of someone using your stolen credentials to hack your account and again, wreak havoc. Again, if you think having to change all your credit card details and passwords is a pain when you’re able to move about the city, it’s doubly difficult when we’re all in lockdown, so avoid giving the bad guys access to your details.

5. If it smells funny, don’t sniff

Just because we are talking about video conferencing, doesn’t mean emails suddenly aren’t relevant. If you receive any unexpected emails or an expected email that seems ever so slightly off, don’t click on any links or open any files. Notify your IT team and delete the email. Always check before following those important orders you received from ‘YourCEO@gmail.com’, or similar that arrived in the dead of night, and need you to urgently pay an invoice or similar. It might be from your boss, but equally it might not.
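The ‘YourCEO@gmail.com’ warning above, and the earlier description of whaling emails that appear to come from the CEO, can be turned into a simple mail-gateway triage rule. The following is an added example, not Datacom's code: it flags a message when a known executive's display name arrives from outside the company domain, when Reply-To redirects replies to a different domain, or when a free-mail sender uses a payment-themed subject. The company domain, executive names, free-mail list and sample headers are all constructed for illustration.

```python
"""Flag executive-impersonation ("CEO fraud" / whaling) emails from their headers.

Added example, not code from the original article. Domain, executive names and
sample messages are constructed placeholders.
"""
from email.utils import parseaddr

COMPANY_DOMAIN = "example.co.nz"                      # assumed: our own mail domain
EXECUTIVES = {"jane smith", "sam taylor"}             # constructed: display names attackers imitate
FREE_MAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com"}
LURE_WORDS = ("urgent", "invoice", "payment", "transfer")


def sender_domain(addr_header: str) -> str:
    """Return the lower-cased domain of an address header, or '' if no address is present."""
    _name, addr = parseaddr(addr_header)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def impersonation_findings(headers: dict) -> list:
    """Return the reasons a message looks like executive impersonation (empty list = clean)."""
    findings = []
    from_hdr = headers.get("From", "")
    display, _addr = parseaddr(from_hdr)
    from_dom = sender_domain(from_hdr)

    # 1. An executive's name on the envelope, but the address is not ours.
    if display.strip().lower() in EXECUTIVES and from_dom != COMPANY_DOMAIN:
        findings.append(f"display name '{display}' used from external domain {from_dom}")

    # 2. Replies are silently redirected somewhere else.
    reply_dom = sender_domain(headers.get("Reply-To", ""))
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")

    # 3. The classic lure: a free-mail account asking for money in a hurry.
    subject = headers.get("Subject", "").lower()
    if from_dom in FREE_MAIL_DOMAINS and any(word in subject for word in LURE_WORDS):
        findings.append("free-mail sender with payment-themed subject")
    return findings


# Constructed sample messages: one legitimate, one CEO-fraud lure, one reply-to hijack.
SAMPLE_MESSAGES = [
    {"From": "Jane Smith <jane.smith@example.co.nz>",
     "Subject": "Board pack for Thursday"},
    {"From": "Jane Smith <yourceo@gmail.com>",
     "Subject": "URGENT invoice payment needed tonight"},
    {"From": "Accounts <accounts@example.co.nz>",
     "Reply-To": "accounts@example-co.biz",
     "Subject": "Invoice 4471"},
]


def triage(messages: list) -> list:
    """Pair each message subject with its findings, for a reviewer or a SIEM feed."""
    return [(m.get("Subject", ""), impersonation_findings(m)) for m in messages]


if __name__ == "__main__":
    for subject, reasons in triage(SAMPLE_MESSAGES):
        print(f"{subject!r}: {reasons or 'no findings'}")
```

Rules like these do not replace the "pick up the phone and check" advice in the article; they make sure the suspicious message reaches the recipient with a warning banner, or the IT team with an alert, before anyone pays the invoice.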

Most importantly, remember to strike a balance between risk and benefit. Good cybersecurity is not about stopping business activity, but about using appropriate tools for appropriate tasks. Houseparty is a great tool for remote classrooms, but not for executive communications. And finally, find a way to incorporate the norm into the new norm. Have fun with your calls, be kind to your colleagues, and screenshot the awkwardly frozen faces. Most certainly report back to your entire team when a colleague spontaneously decides to flash during your team catch-up call. When we all get back to the office, it’ll be good to have a little something up your sleeve for your next performance review.

Follow David Eaton, Associate Director, Cybersecurity at Datacom, on LinkedIn.

The weakest link

You may never find yourself exchanging phone numbers with a Saudi prince, but CEOs and business leaders swap contact details all the time. For Jeff Bezos at Amazon, this was just another routine step along the path that led to a massive breach of his security. After a personal connection, what is more natural than accepting social media contacts?

Today, companies are under ever increasing pressure to ensure their business processes are robust enough to withstand a cyberattack. Firewalls and anti-virus software are installed, patches applied and staff required to change their passwords on a regular basis. Access to files is restricted to those who need them for particular aspects of their work, processes are put in place for staff who leave and user access to the computers they use is restricted to ensure they don’t do something stupid.

Yet at the same time, we see a rise in the number of possible attack vectors open to the criminals. Social media channels offer new ways to get past the watchdogs and security measures in place. Staff are making great use of cloud-based storage to share documents and larger files. Everyone in your business has a smartphone that’s capable of wreaking havoc yet we regularly let staff ‘bring their own device’ and companies like it because there’s more appeal for staff to work late or on weekends if they do so remotely.

All of this creates more opportunity for the bad guys and more risk for organisations, and especially for business leaders. Because while security restrictions are usually put in place vigorously across the company, the one person who should have extra layers of protection tends to demand fewer.

The boss tends to get the special treatment which allows him or her to have greater access to files and services. They may receive more leniency around passwords and security protocols, and have a hands-on role with their marketing team when it comes to a presence on social media including Twitter, Snapchat and WhatsApp, even if company rules prohibit such activity for others.

Jeff Bezos’s (and other high-profile business and political leaders’) Twitter use demonstrates that CEOs and organisational leaders are willing to live by a different rule to the rest of the team, and that leaves the organisation open to some serious challenges.

How do you tell the boss that he or she shouldn’t have admin rights on their laptop? That they shouldn’t give out their contact details to everyone they meet, no matter how royal? What about insisting they don’t use their work phones for personal use, such as social media, even when they use social media to talk with customers and represent the company?

It’s a minefield for the security team because, of all the staff in the organisation, those at the top are more likely to be targeted by criminals trying to harvest information and access sensitive information. ‘Spear phishing’, where criminals attempt to pass off communications as being from the CEO or financial department, is a growing area of concern. Having senior leaders who are active on social media, and use it interchangeably with email and other more formal channels of communication, makes life doubly difficult for the security team.

So in light of Jeff Bezos’s breach, here are five tips about cybersecurity for CEOs:

  1. Private vs company

If you do want to share your contact details, use a cut-out service. A phone number that you only use for those instances or an email address that your executive assistant (EA) manages. Keep some distance, and keep it ring-fenced so if there is a problem, it’s limited.

  2. Security isn’t optional

Boring but true. Talk to your cybersecurity leads about how best to handle your specific needs. Routine sweeps of your accounts and devices might be required – especially if you travel overseas a lot – so be prepared for some hassle and annoyance. It’s not their fault – it’s good that they nag.

  3. Set the boundaries for staff

Make it clear how you’ll communicate with the rest of the company. You might use a social media account to talk about the company publicly but you won’t use it to message the CFO at midnight to make an urgent transfer of money, for instance. That way if you are hacked it shouldn’t lead to the company running into financial strife.

  4. If in doubt, there is no doubt

Be suspicious of every communication you receive. If a competitor suddenly wants to share files with you, if a new supplier sends you something directly via an unusual channel, if someone offers to invest large amounts of money out of the blue, be suspicious and if in doubt, check in with your cybersecurity team.

  5. Less is more when travelling

Sure, you might need a laptop and a phone when you’re travelling but you’re also more vulnerable to an attack. Talk to your cybersecurity teams about risk mitigation when on the road and how best to handle that. You should back everything up before you go. You may also be advised to take a ‘travel-only’ laptop (and, depending on the country you are travelling to, perhaps a tablet only) and a phone that can be wiped when you return.

The best defence against cyberattacks is both preparation and planning. Consider the risks, and plan and anticipate the consequences of a breach in terms of your company, your business and you personally. Doing these things means you’re in a better place to manage any potential attack. And remember that we all suffer from ‘optimism bias’ – “why would anyone target me?” Don’t rely on having never been attacked as proof that you won’t be. Just ask Jeff Bezos how that worked for him.

David Eaton is Associate Director of Cyber Security for Datacom.

Managed Services in 2014 – How is it Evolving?

Managed services as a topic in and of itself doesn’t always get the attention topics such as cloud and mobility do. That’s largely because managed services covers such a large umbrella of technology services that it can often be absent from conversations about specific solutions. It’s important to relate these single solutions back to managed services because it changes the way they are consumed, designed and supported. Take note of the following predicted managed services trends for 2014 and how you can use them to improve business.

Enterprise Content Management

More than 60 per cent of midsize businesses are using Microsoft SharePoint to organise and share information, according to Forrester. TechNavio anticipates the global enterprise content management (ECM) market to increase to $9.6 billion in 2014. ECM can help businesses improve records management, search and e-discovery and document capture. A managed services provider can help integrate organisations’ disparate data and management systems to improve content workflows and accessibility. And as Ovum expects mobility, social media and cloud computing to transform ECM in 2014, business can take advantage of a managed services provider to help incorporate these additional capabilities into a complete ECM solution that fully allows anytime, anywhere access to content of all types.

Managed security services

This year will be a particularly busy one for the managed security services — or MSS — market, according to Gartner. The research firm predicts the MSS market to grow from $12 billion in 2013 to more than $22.5 billion by 2017. Increasing security threats brought about by BYOD, mobile apps and advanced persistent threats (APTs), coupled with a lack of internal resources to manage all these threats, are driving the MSS growth. Australia already suffers from a lack of skilled IT resources, and the IT security realm is no different — a major risk when threats are continuously becoming more numerous and complex. The result will be more organisations enlisting the help of a third-party security service or managed services provider that can address incident response and detect APTs. In some instances, these managed resources will work with in-house staff and, at the very least, will educate internal employees on how to best protect the business.

Cloud services managed for you

As we’ve written before, consuming cloud through a managed services provider can help organisations leverage best-practice, enterprise-level technology and delivery methods. Having your cloud services managed for you by expert IT providers lowers risk and frees up internal IT staff time — it also makes the integration more seamless. With the recent rise in organisations using a multi-cloud approach — where businesses consume at least two different types of cloud services — businesses will increasingly need a provider to procure, design and manage these different cloud service providers and platforms. This includes overseeing all the SLAs, performance metrics and billing for you.

Cyber Security is Not Quite All Hype – Your Organisation Needs an Appropriate Security Posture to Protect Itself

By Richard Byfield

A Gartner VP recently suggested that current cyber security discussions on advanced threats are just hype to which most commercial enterprises should not pay attention. The argument likened cyber security technologies and practice to a “Ponzi scheme”, whereby the returns never match the investment and essentially entrap business into an ever increasing dependence on vendors and technologies.

This viewpoint is bound to draw attention from security vendors, practitioners and consumers. In part, it is most likely designed to create that very response and is a conversation that needs to be had. On the record, we have to agree with the sentiment. Advanced nation state threats are not targeting every commercial enterprise operating in Australia. So why should a business with a market cap of $4 million spend 25 per cent of that value trying to protect itself from threats that, in essence, pose little or no risk to it?

Yes, there are legal and regulatory obligations for businesses to protect both personal and financial data. There are implications for businesses on the availability of information systems affecting revenue, continuity and a business’s ability to maintain commercial operations. Not to forget the impacts upon the reputation of those organisations whose security is known to have been compromised. Who would feel secure visiting a retail store after media reports suggested that the point of sale mechanism was stealing credit card details for “foreign” hackers?

Like any service designed to support commercial operations, cyber security has a known commercial value and impact. The difficult part is in assessing the “what” of value and business impact. Without this, it is almost impossible to measure the business effectiveness of cyber security.

The security posture should equate to business risk and impact value

At Datacom TSS, our focus is on helping our clients establish a security posture appropriate for business needs. We view a security posture as your organisation’s level of risk based upon commercial asset values (revenue, capital, IP, reputational, regulatory, legal), actual threat and recognised vulnerability. This is assessed against the maturity or effectiveness in ICT design, development, procurement, supply chain, policies, processes and service operations. We, therefore, begin by determining the impact of security specific to your business.

Based upon the assessment against your current security posture, a security strategy can be designed to mitigate or treat identified vulnerable areas in business operations. This strategy is always determined and traced against both business requirements and asset values. This ensures that security outcomes can be quantified against the value they protect versus the cost of implementation. Cost benefit analysis is essential in establishing commercial impact. Security must always be justified and quantified.

If the case for security cannot be justified, then the reasons for implementing security may not be well understood. If you cannot justify your expenditure against a business outcome, you most likely have paid for something you did not need.

The value of trust in your practitioner

It cannot be stated enough that many security outcomes do not involve the sale of a vendor product. As security practitioners, we must remain both solution- and vendor-agnostic in determining outcomes to security strategies. Without this approach, achieving a suitable security posture breaks down into an exercise of setting the strategy to meet product X. This, in turn, leads to businesses purchasing capability that had no impact against actual organisational security threats. The “What can we sell you today?” attitude will not extend effective security gains; adversaries are always adaptive and industry segment threats change constantly. Trust is the key. The truth that sometimes is counter to commercial interest is imperative in protecting assets. Without this, it is all hype.

The outcome

Cyber security is not simply a “product solves everything” industry. It is as much a service to ICT as ICT is a service to business. As such, each business should seek solutions that align with its threat profile and the value of its assets. Being cognisant of these facts will enable both enterprises and governments alike to deliver actual outcomes for cyber security. This will rationalise the current discussions surrounding advanced threats, including that of APT.

In creating an understanding of the position and posture of security, including the needs of business to achieve security, you will avoid the hype and deliver cost-effective capability outcomes.

Being Short-staffed is No Excuse for Mishandling IT Governance and Security

In the 2012 Governance of Enterprise IT (GEIT) Survey by the Information Systems Audit and Control Association (ISACA), organisations in the Asia-Pacific region reported a higher annual incidence of security breaches than the global average and a considerable shortage of IT staff.

The implication apparent to anyone who reads this information is that without enough IT support, organisations can’t get a grip on security. Adopting this mindset that security is only as good as the number of IT staff you have, however, is risky and may give a false sense of security to an organisation. Businesses do not need to pay more IT staff salaries to effectively enforce security across the workplace. Rather, they can approach increasing security awareness from two angles. First, they can develop meaningful business policies all employees are able to embrace and understand to further the cause of improved security. Second, organisations need to be able to leverage the right outside help to consult them on the best security approach to suit their specific business.

Setting effective policies

According to ISACA’s survey, most organisations expect the second most likely network security threat to occur in the next year to be caused by an employee mistake. Yet many of these organisations have no set security policies outlining what exactly employees should or shouldn’t do to avoid compromising security. Changing employees’ behaviour doesn’t begin with hiring more IT staff to enforce security — it begins with enforcing effective user policies across the business.

Organisations can define user policies based on organisation-wide, departmental or individual risk profiles to determine who should have access to which data, networks and systems, and what types of web sites and applications can be used on different devices. If you allow BYOD, you should have a list of approved apps. If you use a cloud computing service, you should have a list of who can access it and who can’t. You should also consider providing lists of banned web sites and providing guidance on which corporate data can be accessed via VPN when employees are offsite.

Once you’ve established what employees should be able to do and have access to, you can then set the procedures for maintaining security and determining what happens in the event of compromised systems, devices or data. Consistent education for current and new employees will help your newly defined security policies and procedures become ingrained in the culture. Security awareness should be a part of every employee’s induction, where practical examples are used to demonstrate why policy, procedures and good security practices are necessary. Ensuring employees know who or where to access meaningful security advice and guidance is also useful. Security refresher workshops should be conducted annually for all employees and updated to reflect the changing threat landscape.

Enlisting the help of outside experts

It is unlikely you can invest enough money to completely secure yourself if you are connected to the Internet and external networks. So you need to understand how to make sure every dollar spent is spent wisely to get the best value from your security investment. Seek independent advice from a product-neutral expert — even better if it’s a consultant or company that has a background in high-level cyber security in areas such as government.

This advice will help you understand your security posture and keep up to date as it evolves, independently of specific security products that might not fully protect your organisation. An independent security review can help organisations deep-dive into their security architecture to get an objective view of their needs and identify gaps. This type of customised, independent advice might also include certain tests, such as vulnerability or penetration testing, to ensure you really are protected from the latest cyber threats.

Remember that no one single person will be able to cover your organisation’s attack surface and the entire threat landscape. Rather than worry that you don’t have enough IT staff in place, draw upon your current department resources to help draft and enforce policy and educate employees. Remember, too, that drawing upon external advice can help your organisation get the overall security picture it needs to prevent future threats.

Datacom Delivers Secure App Container Approach to Protect Data for Government

Depending on an organisation’s data and app security needs, there are a few mobile application management approaches that let the IT department lock down corporate or government data. One option for more secure mobility that a government client of Datacom’s recently pursued to introduce BYOD into their department is the application container.

This software protects corporate or government data in an application container on a mobile device so it remains separate from the user’s personal data. Corporate or government data is segmented and only made available through authentication and enterprise-grade encryption. Users can’t move corporate or government data from the application container into the “personal” parts of their phones, and if IT wants to do a corporate or government data wipe, they can leave the user’s own data untouched.

Now, we’re not recommending having no security on the endpoint, especially if you are a government department. That’s the first line of defence if a device gets lost or stolen. By additionally securing the corporate or government data on the device, you can protect the information in the event an outside individual is able to crack into your employee’s phone.

Enabling secure mobility for government data at SEWPaC

The application container approach to protecting government data helped the Department of Sustainability, Environment, Water, Population and Communities (SEWPaC) meet the growing user demand for Apple iOS and Android devices whilst maintaining the level of security required by a government department.

Datacom ACT, which has had an ongoing IT services engagement with SEWPaC for several years, evaluated various technology solutions before selecting the Good for Enterprise software solution. Datacom integrated the container solution into the department’s ICT architecture, first conducting a pilot to ‘prove’ the capability followed by a rapid production rollout. This software allows departmental staff to securely send and receive email on both Android and Apple iOS based phones and tablets, as well as access and modify documents in a secure container.

Using NOC-based architecture to secure the government network, the container solution does not enable data sharing with any non-secure apps. It also offers IT staff the ability to maintain the same security policies regardless of the mobile platform that’s being used. IT staff use a web platform to manage BYOD deployments, including user policy, passwords and both corporate and third-party apps. The solution has helped take SEWPaC into the world of BYOD without having to worry about data loss at every turn.

“The secure separation between personal and organisational data is critical to allowing the department to access the benefits associated with BYOD without compromising our obligations to properly manage government information,” says Al Blake, Chief Information Officer for SEWPaC. “This aligns with our strategy of moving away from ‘hardware management’ to concentrating on what’s important — protecting information.”

Datacom is a sponsor of the inaugural Telework Week this week in Australia and New Zealand to highlight the increased productivity and cost savings that can be gained when employees work away from the office.