Nine’s cyber security attack has shock waves around Australia, but the media company’s security breach isn’t anything new.
In reality, businesses large and small are at risk – from the country’s media companies to the smallest of family-run operations.
A recent survey conducted by the Australian Cyber Security Center found that small to medium-sized businesses (SMBs) who outsourced their IT security believe they are better protected than they really are, and that one in five SMBs didn’t know ‘phishing’.
At the same time, almost half of SMBs rated their understanding of cybersecurity as ‘average’ or ‘below average’ and had poor cybersecurity practices, while almost half of SMBs reported they spent less than $500 on cybersecurity per year.
Hackers are continuously honing techniques to stay ahead of the majority of Australians as they have the ability to attack, but simply wait until when they decide to strike.
There are some simple steps that businesses can take to better protect themselves from attackers.
Do your research
In order to protect your business from attack, you need to have a good understanding of what you’re up against. You can’t fight an unknown enemy, after all. The first step is to understand the various different forms of attack, such as:
- Keystroke logging
- Insider threat
- Drive-by download
- Spear phishing
- Person-in-the-middle attacks
Thoroughly research these various forms of cyber attack, and learn the techniques and best practices to protect yourself from them.
For example, to better protect yourself from phishing, be cautious about all communications you receive, don’t open any attachments contained in a suspicious email, and never enter any personal information on a pop-up screen.
Get your passwords in check
You probably know that you should be changing our passwords regularly, but how often do you actually put that knowledge into practice? Passwords should be rotated at the very least every 60 days, although every 30 days is even better.
Passwords should be at least 8 to 10 characters long, have at least one number, one capital letter, and one special character, such as one of the following: ‘!@#$)’.
Multi-factor authentication (MFA) goes beyond a single password – it adds an extra layer of security by using two or more pieces of evidence to log in to a single location.
Some common examples of MFA include an SMS message, phone call, or authenticator app to verify a browser login. Other verification factors could include personal questions, a physical object such as a security token or bank card, or fingerprint, face, or iris scanning.
MFA isn’t a failsafe security method, but it does add another layer of protection against online identity theft and other online fraud since a password alone is no longer enough to give the attacker access to their information.
No shared accounts
Every staff member should have their own accounts with their own unique user ID and password, so that there is no need to share passwords between staff members.
Any shared accounts should be removed and replaced with individual accounts, and each individual account should have its password updated regularly.
The same should be true of any external IT support staff. If you have five external IT support staff, all staff must have a unique ID and password with MFA enabled.
This means that every time someone accesses your network, you can log and track exactly when, where, and who it was accessed by.
Cybersecurity is no longer a simple fix of having an antivirus and firewall, it is sophisticated and targeted using various attack techniques.
Installing a firewall or antivirus software is no longer enough, and weak spots need to be identified and eradicated before an attack occurs. All companies must prioritise their cyber security to ensure they are not the next cautionary tale.
Ajay Unni is the founder of Stickman Cyber, a business that helps companies mitigate their cyber security risk. He is part of the 2020 NSW Government Cyber Security Task Force, a group of experts tasked with normalising cyber security standards and increasing adoption of cyber security practices.