Cyber Security - How scared should you actually be?

CyberSecurity – Be just the right amount of scared.

What did you dress up as for Halloween this year? If I had the foresight, I would have gone as a Phishing email because that is honestly terrifying to me right now...and with good reason. Australia seems to have made the VIP list of hackers across the planet and the attacks are coming in hard and fast. However, we all know that running around with our hands in the air screaming isn’t going to help anyone and neither is the secure lull of an overly optimistic mentality of “It’ll never happen to us”. The key is to be alert but not alarmed and here’s why.

You are a target

If you hold personal information and data, you are a target. It isn’t just names and email addresses but contact details, identifying information, banking details. As we saw in the recent Optus breach, licenses, and even more terrifyingly with Medibank, medical treatment details. Any information that is linked to the identity of another person or business you are obliged to secure and protect, now with increasing legal and financial penalties if you fail to do so.  

Check out the July-December 2021 ‘Notifiable Data Breaches Report’ from the Australian Government. Of the cybersecurity incidents reported Phishing was the cause of 32%, Compromised or stolen credentials 28% and Ransomware 23%.

This is where we chime in and remind you, you are only as strong as your weakest link. It only takes one click to penetrate the most secure system which is why raising the overall cyber literacy of your organisation must be a priority for any management team or board. Cast your mind back to October 2022 where the theft of the credentials of a high-level access individual within Optus was responsible for the entire breach (the damage of which is still being calculated). It only takes one.

Smarter hackers

Gone are the days where a hacker is hidden in a darkened room, furiously typing to a Daft Punk soundtrack. Information harvesting is happening all around you, all the time. Have you ever been forwarded an innocent quiz on a social media platform requesting your mother’s maiden name and the name of the street you grew up on to generate your unique superhero name? Yeah, don’t do it. Or a phone call or email from someone you know asking for relevant and timely information that is sensitive in nature? Yep, us too. In fact, when we acquired The Virtual IT Department, our team was showered with emails from the previous owner asking for a ‘quick favour’ and some bank information. Luckily, our team are pretty switched on when it comes to such things, but it was such a clear example of how hackers are getting smarter, leveraging actual events to insert themselves into the conversation in a time sensitive way.

The answer? Be the right amount of paranoid.

Before you hyperventilate into a paper bag, let me bottom-line here. There are some simple ways to reduce your risk and an investment today will return in spades.  

1. Training: Do not stop talking about cyber safety. What is it? What is a phishing email? How do we identify one and verify its legitimacy? Simple yet effective stuff. For our customers, we run phishing simulations – identifying which employees clicked on suspicious links and may need upskilling. There is a heap of training tools out there, so utilise them.

2. Implement sensible access restrictions: Regularly audit who has access to what in your systems and make sure there are sensible permission structures within your environment. Events like position changes or staff onboarding or offboarding should be thoughtfully treated in this space.

3. Get help from IT professionals: Gone are the days where “having the knack” for IT  is enough to qualify you to protect professional environments. Organisations like us invest in deep and specific skill sets across multiple employees so you don’t have to hunt for the IT ‘unicorn’ employee – given the rapid changing nature of our industry, they are becoming more and more mythological. Leverage an MSP with a Managed Security offering to provide protection – it is what we are here for!

4. Security is in EVERYONES purview: This is cultural and requires intentionality from the top down. Raising the bar on your cyber culture is essential if you want to remain event-free. Make sure everyone in your organisation knows your policies, protocols and expectations. No excuses. This is a whole new world.

We are all in this together and in the words of someone older and wiser than me, a rising tide lifts all boats. Shared knowledge and elevating the conversation around cyber safety will raise the profile and understanding of how everyone can help protect their organisation, the communities they support and themselves from threat actors (a fancy word for internet bad guys).