There is a profound difference between feeling secure and being secure. Cyber security is constantly evolving, with its rules adapting every few months. Consequently, effective cyber security has become as much reliant on process as on products, if not more so. In other words, it's more about how security is managed than about the actual technology in place. So, if it's all about process, how does a small business that outsources its IT really know whether it is secure?
The unfortunate truth is that most business leaders rely on blind trust.
Whether it be misplaced trust, ignorance, or a combination of both, most businesses are far more at risk than their leaders or owners are aware. This gap in understanding, and the resulting lack of action, is contributing to many businesses becoming more and more exposed when it comes to data breaches, data loss and/or insurance issues.
When outsourcing IT, many businesses quite rightfully have an expectation that their provider is looking out for them on the cyber security front. Whilst this is generally accurate, there are many levels to cyber security. More often than not, the reality of the protection a business has is very different from where they think they are.
Effective cyber security requires clear communication of expectations and requirements between business leaders and the provider. Without regular dialogue, your security strategy is going to be misguided at best.
Your provider should be held accountable for communicating your exposure, providing recommendations, and giving you the ability to make clear and confident decisions. Commonly this dialogue is not routine but rather is instigated either by the client in reaction to a director's concern, or brought about by the provider in the context of a new product they have to sell.
If your provider is not driving the security conversation proactively then it is more than likely that your security is lagging well behind your expectations. Cyber security done well takes a lot of work; any provider working hard in this space is undoubtedly going to want to be talking to you about it.
Being secure is like being healthy; despite everyone having a different opinion on what it is, you kind of know it when you see it. Likewise, it is important to define goals in the same way that you would with a nutritionist or personal trainer.
If you told a health professional you wanted to be healthier, you would expect them to start asking questions. Do you want to lose 10 kg? Do you want to gain 10 kg? Do you want to run a mile? Or do you want to climb a mountain?
Without understanding what you are trying to achieve, they would be ineffective in helping you achieve your goals. Similarly, an IT provider needs to take the time to ask questions. They should understand the risks, and impacts that a cyber attack could have on both the commercial and reputational elements of your business. Without this knowledge they are likely to provide little more than good feelings.
This is pretty easy to test. If you tell your provider that you are concerned about security and they immediately respond by explaining all the things they do to keep you safe, or worse, begin to sell additional products and uplifts, then they're not conditioned to listen to and understand your needs.
Some important things to consider when defining what 'secure' means to you:
The above questions and others like them are all about understanding exposure and risk. Ultimately it's these elements that should inform what 'secure' is to you. The standard of 'secure' should be driven by the commercial impact to the business, rather than some arbitrary level of security as defined by the IT industry. If your provider is unable to have this conversation on a commercial level, you have a major gap in your security strategy that is either falling short or wasting money.
In either case, there are those who operate an effective security practice, and those that say they do security with their clients. The latter is far more common as Managed Service Providers (MSPs) look to create addons and low cost features to add to their subscription offerings in an effort to make them appear more valuable and appealing.
Whilst this technically passes the test for 'doing security', it commonly does very little in the modern world towards making an environment secure.
The most common security features or addons provided by MSPs:
Whilst these are all essential components of a robust security strategy, simply having them does not ensure any real level of success in regard to cyber security. These features are common predominantly because they are all low-touch, automated processes provided by the remote monitoring and management systems that MSPs employ.
This is the functional equivalent of putting on a jacket and helmet before riding a motorbike. It will provide the comfort of feeling safe, but ignores all the other variables of safety such as weather conditions, the rider's ability, the roadworthiness of the bike, adherence to speed limits, etc. All of these are just as important, albeit much more difficult and costly to control.
Some of the hallmarks of an MSP that is truly providing an effective security practice include:
Ultimately, if you decide that security is important to you, i.e. it represents a big enough risk to justify investing in it, you need to understand the difference between the above to avoid wasting your money on false assumptions.
You shouldn't need to become an expert in cyber security to get the results you require. Your provider should be meeting you on your level to have these discussions.
Like any specialised field, you may not understand all that they do, but you can recognise a mature and competent person/provider in their field when you see them. You can recognise them by the way that they work, the logic of their processes, and ultimately the clarity and insight they are able to provide you regardless of your knowledge in the matter.
This is what great customer service and value is made of, and is likely a cornerstone in your business as it relates to your product or service.
The gap between good and bad is as broad as that of good to great. If you're not getting great clarity and results in regard to cyber security, you really need to assess your needs and consider that you may need to make a change.
Ignorance is not bliss in the realm of cyber security. Likewise, it's important to keep a good balance between security, functionality and costs.
If you're unable to have this conversation with your provider, are intimidated by the topic, or would just like an outsider's perspective, we would be happy to have a brief chat to get you pointed in the right direction.
Simply give us a call or book a time directly here https://calendly.com/ray-sweeney
The purpose of a password is to protect sensitive data from unauthorised access.
For a long time, to keep up this protective layer, we have advocated that employees create ever more complex passwords and change them even more often.
This is now wrong! What's the point of a password system if it makes employees' lives even more complex and doesn't even properly provide protection any more? Most current password practices were designed for a different age and are no longer fit for purpose. One enormous lesson that the COVID pandemic has taught us is that the work environment is now totally different:
However, Human Nature is unchanged:
The more rules, complexities and changes you introduce, the more people will try to find an easy way around them.
The new Best Practice Password System:
If you do this, then:
Even better, with the right computer equipment, you can now even get rid of passwords all together when using a trusted device. Your employees will really appreciate the difference and your security will now actually work !
If you need help, feel free to give us a call; we're happy to lend our expertise to your organisation.
As we are all still trying to understand what the lasting impact of the COVID-19 pandemic will be, many organisations are taking a hard look at their operating costs and looking for potential cuts. Protecting cash flow is vital right now. At Sensible we want to help you implement strategies that can help reduce your IT costs and set you up with a system flexible enough to support your business through the many changes (or pivots) you might be making to position yourselves to thrive through it all. We want to offer you guidance and support through these times, and potentially help you save some money.
Take a look at your current technology solutions. Take stock of everything you are paying for and ask yourself these questions:
• Is this the right system for my business? Does it accomplish all I need it to?
• Are we currently utilising all the tools we are paying for? Can we cut any?
• Do we lack internal processes? Are there ways I can improve efficiency and save our employees' time?
The easiest way to reduce costs is to get rid of what’s not working. Many companies have a habit of purchasing a new tool or service to meet an immediate need. Little do they know they usually already have a tool that could meet that need, it’s just not being used properly. Here is a free tip: Do you have Office 365? Most companies get this package so they can use programs like Word and Excel, but don’t fully utilise the other apps that come with it. Microsoft teams can easily replace Slack and Zoom, and Sharepoint or OneDrive can do the job of Google Drive and Dropbox. You’re already paying for Office 365, and the tools themselves are more powerful, providing integration of your information and files across all the apps. You might simply need some training or guidance on how to implement these tools into your business processes, and we can help with that.
Is IT your core skill set? Will you ever be as efficient and skilled as a complete team of specialists? Often your time will be better spent doing what you are best at than wasting countless hours trying to learn an entirely new skill set. Additionally, can you really afford not to do IT the right way? Payroll and training costs alone can be a nightmare. Outsourcing a portion of your IT needs to a third-party resource like Sensible can help you simultaneously improve your technology management and potentially save money. If you're currently relying on an internal IT manager or a small internal team, are they struggling to keep up with the tsunami of complex and ever-changing technology needs and services? Important competitive projects may be delayed while your team completes training, and you become the test environment for their new skills, increasing your risk. Sensible offers a full-service solution for your IT needs, resulting in a higher standard than most organisations can achieve in-house.
How does your current IT resource handle your technology needs? Are you currently working with a “break-fix” style of management, where you pay for problems as they occur whether or not they happened before? Or are you paying a predictable monthly fee for a process that analyses your business, looks for opportunities to improve your staff productivity and tries to prevent problems in the first place? We believe you should engage a provider like us, who trusts their systems to offer you unlimited support for a fixed fee. Those quick fixes add up quickly, and with the right solution, you can eliminate them.
As we are working remotely, it is more imperative than ever to understand how to protect your data. Protecting your finances, your reputation and your intellectual property can be costly, particularly if not implemented properly. However, it is even more expensive if you don't protect them adequately at all. Adhering to compliance regulations can be costly and often means implementing and maintaining a stringent security infrastructure. Do you have the expertise to do this most cost-effectively?
We could cover many more steps to take, but these are the areas where we think you can make the most impact on you and your business. If you’re hesitant about tackling this problem on your own, that’s okay! We encourage you to contact Sensible. We can help you identify these problems and guide you on how to solve them. Give us a call!
Microsoft Office 365 has proven itself to be one of the foremost business-level office solutions in the world, regardless of industry. It’s a set of tools that companies and MSPs all over the world utilise and promote—but that doesn’t mean it’s perfect, and it definitely doesn’t mean that people have mastered and taken advantage of all of its features. Unfortunately, one of the most important aspects of IT management is neglected in most Office 365 implementations: cybersecurity.
Here in Australia we’ve seen a number of high-profile successful cyberattacks in the past few months; Toll Group suffered two attacks, BlueScope Steel was hit by an attack that forced them to shut down operations company-wide, and money management company MyBudget was hacked, causing a nationwide shutdown that left over 13,000 customers financially upset.
If companies of that size are able to be hacked, so can your organisation—you cannot assume that your standard firewall and antivirus combination will keep you safe.
This takes us back to Office 365, which has a variety of security features that many organisations are not aware of, and therefore do not utilise. With more and more organisations moving to Office 365, there are more and more people not optimising their environment or taking the next steps to protect themselves. When we consider the growth and staying power of remote work environments, it becomes an even higher priority.
In our years of experience, we've run into a few cases where a company adopts Office 365 out-of-the-box and experiences some form of cybercrime that they thought they were safe from. In one case, a malicious actor was automatically forwarding every email the employee received to the company's competition, including sensitive personal and financial information. Office 365 has a security feature that can alert the user and/or administrator if company emails are being forwarded outside of the network, or if there's other strange behaviour, but this feature is not enabled automatically. The victimised company in that case was being spied on for two weeks before they found out; not many companies come out of that with revenue and reputation intact. If they had looked into their cybersecurity options, and not assumed that Office 365 automatically secured everything, this could have been mitigated or avoided entirely.
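The forwarding case above boils down to one check an administrator can run: does any enabled mailbox rule send a copy of incoming mail to an address outside the organisation? The script below is an added example, not code from the original post or from Microsoft; the rule records are constructed for the demonstration and only loosely imitate the attribute names an Exchange Online inbox rule exposes (ForwardTo, ForwardAsAttachmentTo, RedirectTo, DeleteMessage). The internal domain `example.com.au` is an assumption.

```python
"""Flag mailbox inbox rules that auto-forward mail outside the organisation.

Added example. The rule records in SAMPLE_RULES are constructed for this
demonstration (they are not from any real tenant); the attribute names
only loosely imitate those of an Exchange Online inbox rule.
"""
from dataclasses import dataclass, field

# Assumed: the organisation's own mail domains. Anything else is "external".
INTERNAL_DOMAINS = {"example.com.au"}


@dataclass
class InboxRule:
    mailbox: str
    name: str
    enabled: bool
    forward_to: list = field(default_factory=list)
    forward_as_attachment_to: list = field(default_factory=list)
    redirect_to: list = field(default_factory=list)
    delete_message: bool = False   # rule also deletes the original message


def domain_of(address: str) -> str:
    """Return the lower-cased domain part of an SMTP address."""
    return address.rsplit("@", 1)[-1].lower()


def is_external(address: str, internal_domains=INTERNAL_DOMAINS) -> bool:
    return domain_of(address) not in internal_domains


def external_forwarding_findings(rules, internal_domains=INTERNAL_DOMAINS):
    """Return one finding per enabled rule that sends mail outside the org.

    Each finding is (mailbox, rule name, sorted external targets, severity).
    A rule that forwards AND deletes the message hides the leak from the
    mailbox owner, which is the pattern described in the post, so it is
    rated "high"; a plain external forward is rated "medium".
    """
    findings = []
    for rule in rules:
        if not rule.enabled:
            continue
        targets = rule.forward_to + rule.forward_as_attachment_to + rule.redirect_to
        external = sorted({t for t in targets if is_external(t, internal_domains)})
        if not external:
            continue
        severity = "high" if rule.delete_message else "medium"
        findings.append((rule.mailbox, rule.name, external, severity))
    return findings


# Constructed sample data: two benign rules, two that should be flagged.
SAMPLE_RULES = [
    InboxRule("ceo@example.com.au", "Copy to assistant", True,
              forward_to=["assistant@example.com.au"]),
    InboxRule("cfo@example.com.au", "Old forward (disabled)", False,
              forward_to=["someone@competitor.example"]),
    InboxRule("cfo@example.com.au", "Archive", True,
              forward_as_attachment_to=["intake@competitor.example"],
              delete_message=True),
    InboxRule("sales@example.com.au", "Redirect invoices", True,
              redirect_to=["billing@personal-mail.example"]),
]


if __name__ == "__main__":
    for mailbox, name, targets, severity in external_forwarding_findings(SAMPLE_RULES):
        print(f"[{severity.upper()}] {mailbox}: rule '{name}' -> {', '.join(targets)}")
```

Running this over a real export would be a periodic job rather than a one-off; the "high" rating for forward-plus-delete is a design choice for triage ordering, and the same check can be applied to mailbox-level forwarding settings once those are exported in the same shape.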
Another form of security that Office 365 supports is "impossible travel detection". In an impossible travel scenario, the system detects logins being attempted from different geographic locations within a timeframe in which you couldn't physically have travelled between them. For example, a login attempt in London, followed an hour later by another from New York. This is impossible travel, and it's a major indicator that someone is trying to hack your account. There are tools to detect these things and alert the proper individuals, but again, they are not automatically turned on. You need to set them up specifically.
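To make the London/New York scenario concrete, here is the core of an impossible-travel check written as an added example (it is not the post's code and not Microsoft's implementation): it walks a user's successful sign-ins in time order, computes the great-circle distance between consecutive locations, and flags any pair whose implied speed exceeds a plausible airline speed. The sign-in lines and the 900 km/h threshold are constructed assumptions.

```python
"""Impossible-travel detection over constructed sign-in log lines.

Added example. The log lines, the CSV layout and the speed threshold are
assumptions made for this demonstration; real sign-in logs will need
their own parser, and VPNs or mobile carriers can produce false positives
that a production rule would have to allow for.
"""
import math
from collections import defaultdict
from datetime import datetime

MAX_PLAUSIBLE_KMH = 900.0   # assumed: roughly a commercial airliner's cruise speed
MIN_DISTANCE_KM = 100.0     # ignore small jumps caused by IP geolocation jitter

# Constructed sample: timestamp,user,city,latitude,longitude,result
SIGNIN_LOG = """\
2020-06-01T08:00:00Z,alice@example.com.au,London,51.5074,-0.1278,Success
2020-06-01T09:00:00Z,alice@example.com.au,New York,40.7128,-74.0060,Success
2020-06-01T08:30:00Z,bob@example.com.au,Sydney,-33.8688,151.2093,Success
2020-06-01T10:30:00Z,bob@example.com.au,Melbourne,-37.8136,144.9631,Success
2020-06-01T11:00:00Z,bob@example.com.au,Tokyo,35.6762,139.6503,Failure
"""


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    radius = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlambda = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlambda / 2) ** 2
    return 2 * radius * math.asin(math.sqrt(a))


def parse_signins(text):
    """Parse the constructed CSV layout into per-user lists of successful sign-ins."""
    per_user = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, city, lat, lon, result = line.split(",")
        if result != "Success":          # failed attempts never establish a location
            continue
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        per_user[user].append((when, city, float(lat), float(lon)))
    for events in per_user.values():
        events.sort(key=lambda e: e[0])
    return per_user


def impossible_travel(text, max_kmh=MAX_PLAUSIBLE_KMH, min_km=MIN_DISTANCE_KM):
    """Return a finding for each consecutive sign-in pair that implies an impossible speed."""
    findings = []
    for user, events in parse_signins(text).items():
        for (t1, c1, la1, lo1), (t2, c2, la2, lo2) in zip(events, events[1:]):
            km = haversine_km(la1, lo1, la2, lo2)
            if km < min_km:
                continue
            hours = (t2 - t1).total_seconds() / 3600.0
            # Two distant sign-ins at the same instant are also impossible.
            kmh = km / hours if hours > 0 else float("inf")
            if kmh > max_kmh:
                findings.append({"user": user, "from": c1, "to": c2,
                                 "hours": round(hours, 2), "km": round(km), "kmh": round(kmh)})
    return findings


if __name__ == "__main__":
    for f in impossible_travel(SIGNIN_LOG):
        print(f"{f['user']}: {f['from']} -> {f['to']} in {f['hours']} h "
              f"({f['km']} km, ~{f['kmh']} km/h)")
```

Alice's London-to-New-York pair is flagged (roughly 5,500 km in one hour), while Bob's Sydney-to-Melbourne pair two hours apart is not, and his failed Tokyo attempt is ignored because a failed login does not prove where the account holder was. The thresholds are the part to tune: too low and VPN exits trigger alerts, too high and a genuine compromise slips through.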
While those tools (and others like them) are less known or understood, there is one security feature that almost everyone is aware of, and which also isn't activated out-of-the-box: Multi-Factor Authentication (MFA). With MFA activated, users are required to validate their login attempt via another system; this could be a text message, a smartphone app, or a token. While MFA does add another step to every login, it also adds an impossible step for any hacker or social engineer who manages to get hold of your password. If they don't have both your password and your smartphone, they can't get into your account to cause problems. Sensible recommends always implementing MFA.
Another major misconception and point of neglect with Office 365 is the assumption that data stored in OneDrive or other cloud-based solutions is backed up. Microsoft only supplies a short-term recycle bin. They do not supply backups at all: this is up to you to arrange. Just because you are working in the cloud does not mean your data is immune from accidental or intentional data loss or corruption.
So what can we do? Sensible is happy to work with you to improve your cloud defences and cybersecurity solutions, whether it involves an Office 365 subscription or not. We begin by discussing your current environment, and business, before auditing your company for security risks. Once we’ve audited your network and identified your weak points, we can work with you to improve. Whether there’s a certain cybersecurity benchmark you want to hit, or if you need to meet regulatory compliance criteria, we can help you get there.
If you’re interested, feel free to give us a call; we’re happy to lend our expertise to your organisation.
Businesses and organisations of all kinds are thinking about the eventual transition back into the office environment. This experience will be different for each organisation. Some have been running essential services during the COVID-19 outbreak, and haven’t really noticed much change in this. Their experience will differ greatly from the business that transitioned to an entirely remote workforce in response to the pandemic—their needs are going to be more costly and drastic. Whatever your experience has been, or what your situation currently is, it’s time to start planning for what comes next. Are you going to return to the office life, like before the pandemic? Are you going to stay entirely remote? The answer to both of these questions is likely “no.” Most organisations would benefit from adopting the Hybrid Working Model.
The Hybrid Working Model (HWM) is simply a simultaneous adoption of in-office and remote work environments. We’re expecting to see a significant number of workers continue to work from home after the social distancing and quarantine restrictions are lifted, and we expect that number to stay fairly consistent. There are also good reasons for returning to the office: face-to-face collaboration can be more effective than remote collaboration, it’s easier to stay focused without the trappings of home, and there are social benefits to working in the office with other people. With these things in mind, we need to look at what businesses and non-profit organisations need to do to prepare for this kind of HWM environment.
Security is always important, but it's even more important right now. Ransomware attacks have increased by 400% over the last three months as a result of the COVID-19 pandemic response. With businesses and organisations everywhere trying to function with a hastily-assembled remote work environment, hackers are taking advantage of the generally weakened cybersecurity. Your business needs to take steps now to solidify your cybersecurity solution and prepare for securing your HWM environment. We expect issues regarding file version control and virus corruption to spike as employees move back into the office, which can put company data at risk.
The quickest and most cost-efficient step you can take to shore up your security is to enable Multi-factor Authentication or Two-Factor Authentication across all of your accounts and devices. Requiring a secondary verification source (like a smartphone app or a text code) to access accounts and data adds a layer of defense that all but the most dedicated hackers and cybercriminals won’t be able to penetrate. Beyond that, Sensible is happy to work with you to refine and strengthen your cybersecurity offering.
When your team is split between the office and remote work, there are a few things that can make a positive impact. The first is establishing solid policies around transferring data between home and the office. The second is to learn and leverage the full functionality of your current tools. We very commonly see people using great tools like Microsoft Teams, but not using them effectively. For example, Teams has a chat function, collaborative file sharing, video conferencing and task management, yet a lot of companies only use it for communication. Leverage your tools to the fullest extent, especially when on-site and remote workers are working together on one project.
We hope this article highlighted some helpful things for you, and gave you an idea of what you need to prepare for when implementing your Hybrid Working Model environment. If you’re interested in working with a trusted IT partner, Sensible is happy to help you figure out how to best meet your needs.
When it comes to security, it’s better to be safe than sorry. But as the Equifax leak case has taught us, once a security breach does happen, it’s best not to be sorry twice. Read on so your business doesn't experience the same fate as the giant, bumbling credit bureau.
Equifax, the huge American credit agency announced in September 2017 that its database was hacked, resulting in a leak of tons of consumers' private data, including personally identifiable information of around 143 million US and UK citizens. It included names, social security numbers, addresses, birthdates, and credit card and driver’s license numbers.
Equifax responded by setting up a new site, www.equifaxsecurity2017.com, to help its customers determine whether they had been affected and to provide more information about the incident.
Soon after, Equifax’s official Twitter account tweeted a link that directed customers to www.securityequifax2017.com, which is actually a fake site.
Fortunately for Equifax’s customers, the fake phishing site was set up by a software engineer who wanted to use it for educational purposes and to expose flaws in Equifax’s incident response practice. So, no further harm was done to the already-damaged customers, and Equifax is left with even more embarrassment.
One of the huge mistakes Equifax made in responding to its data breach was setting up a new website to give updated information to its consumers outside of its main domain, equifax.com.
Why? You first need to know that since the invention of phishing scams, organised criminals have been creating fake versions of big companies’ websites. That’s why so many major corporations buy domains that are the common misspellings of their real domains.
You should also know that phishers can't create a web page on the company's main domain, so if Equifax's new site had been hosted there, it would have been easy for customers to tell that the new page was legitimate, and they would not have been fooled by a look-alike domain name.
What’s obvious from this embarrassing misstep is that Equifax had never planned for a data leak. And this is an unforgivable oversight by a company that handles the information of over 800 million consumers and more than 88 million businesses worldwide.
Whether your business is a small startup or as big as Equifax, it needs to prepare for a data breach. Besides having a comprehensive network defence plan, you also need to have the right incident response plan in place. New Australian Data Privacy Laws which come into effect in February 2018 have stiff penalties and mandate that you must have a data breach system in place.
So what you should do is implement a system that makes you aware of leaks. Then, once you've discovered a leak, the first thing to do is be upfront with your customers and notify them as soon as possible.
You also need to establish a message that includes the following information:
You should also create a web page to keep your customers up to date. But remember, the new web page should be under your company’s primary domain name.
As we've seen from Equifax, a robust incident response plan is a must. Feel free to talk to our experts about how you can come up with an effective one, so you won't have to repeat Equifax's apologetic statement, which doesn't help the company redeem its reputation at all.
Are your Business Passwords Already Up for Sale?
Over the past 12 months, I have personally spoken with over 100 Australian business owners, and found that a whopping 42% have had at least 1 Ransomware Attack or Data Breach.
I am sure you’d agree – that is just shocking. Stop tolerating….
How is this happening?
Employees, left to their own devices, don’t know how to manage passwords. This results in them being easily hacked, sold on the dark web and leaving your business as an easy target for ransomware / data breaches.
Another independent survey* showed:
Note: Criminals read the same surveys
Once a username and password is known it is extremely valuable and likely to be useful for some time…
But what if the breach has already happened?
How would you know? What user accounts and passwords are already compromised?
Sensible Business Solutions today launches a brand new Dark Web Search service that continuously monitors the dark web for user names and passwords that are currently offered for sale and how the breach occurred.
Call me: Kevin Spanner at Sensible to find out more on 1300-SENSIBLE (736-742)
* Survey By Keeper Security
*Not familiar with the term “Dark Web”?
There is a large portion of the internet that is not indexed by search engines like Google. This is the “Deep Web.”
The US Government created this more secure (and usually encrypted) area of the Internet. It quickly became a preferred communication channel for privacy-conscious individuals, organisations and governments to share data, without detection.
However, criminal organisations now use the deep web as a platform. The term “Dark Web” describes the pockets of the deep web that are used to buy, trade and exploit illegal items (AKA Silk Road, etc.) and illegally acquired data (credit cards, passwords, etc.).
Traditional ransomware like WannaCry has been explained a thousand ways on a thousand blogs. But one thing you may not have thought about is what ransomware would be like if it infected your mobile device. Read on to learn more.
Like its desktop equivalent, mobile ransomware needs to be installed on your device before it can do damage. For Android devices, this means mobile apps that hide their true intent. There are two ways to install programs on your mobile device: downloading them from app stores like Google Play and Amazon Appstore, or downloading them directly from websites and email links.
Surprisingly, both come with risks. Unverified sources often advertise free apps that hide malware, and the best of these can occasionally avoid detection and be allowed into monitored app stores.
Similar to ransomware on personal computers, mobile ransomware holds the data stored on your device hostage and demands a ransom. For example, in the case of ransomware bundled with the "OK" app (a popular Russian social network platform) that was infected earlier this year, the user is prompted to change device settings. There is no option to close the prompt, and tapping Accept locks everything down and leaves you with nothing but a ransom note.
First and foremost, avoid downloading apps directly from websites or third-party app stores. Additionally, make sure you turn on Google’s security system -- Verify Apps -- which scans all the apps about to be installed on your device for potential threats. You can do so by opening your Android's settings, choosing Security, tapping on Verify Apps, and activating ‘Scan device for security threats’.
Second, install antivirus software on your device and keep it up to date.
Third, back up important files from your device to either a USB disk, a computer, or any cloud-based services. This way, you won’t lose your valuable data if you are forced to factory-reset your device.
Last, if ransomware made its way into your device, don’t pay. According to IT security company ESET, mobile ransomware very rarely includes programming to reverse the damage it has done.
Losing any type of data is an enormous inconvenience, but businesses need to be especially careful about careless employees. Data loss could result in lawsuits or regulatory fines, so it’s important that you know how to safeguard your Android against ransomware.
For more in-depth advice on how to protect yourself and your business from this threat, get in touch with our experts today.
I had the craziest experience this week.
A business owner we spoke with had a ransomware attack on Monday, and his entire team of 100 staff got locked out of their network.
Clearly his current IT infrastructure wasn't up to scratch, which led to this problem and his team's productivity going out the window, costing him thousands in lost revenue and hard wage costs - essentially he was paying for an empty office.
His current IT company (which let the problem into his network), scrambled on a fix and managed to get him back up and running the next day.
The most shocking thing here wasn’t that his IT company didn’t have his protection up to scratch ... it was the comment he made to us:
“It only took 1 day for our IT company to fix it and get us back up and running... Wasn’t that good! We feel no need to change providers.”
This blew my mind.
How can a small business owner:
1. Continue to pay a provider that’s not keeping their IT up to date with best practice?
2. Accept a full 8 hours of productivity loss, across 100 staff. That is at least $30,000 of wages that result in ZERO productivity for the day?
3. Then think that 8 hours to resolve the problem is a good result!
4. Want to stick with a company that caused all this headache, loss of revenue and $30,000 expense?
5. Keep operating the same way, with the possibility of having to tolerate it again?
Is this what the IT industry has come to? Is this the accepted expectation levels?
We’re really proud to be able to say that not a single client of ours has ever lost 1 hour of productivity due to Ransomware or Virus attacks.
I know it may be hard to believe, but it’s the lengths we go to, and the expectation we set for our clients.
Has this happened to you?
Do you think you’re settling too?
Do you no longer want to settle?
If you can spare 4mins, I would love to hear about your experiences or expectations around this – it’s been bugging me all week!
Last week’s massive ransomware outbreak called WannaCry that affected over 150 countries and dominated the news headlines globally was just the beginning.... We expect newer, more malicious versions any day.
This event had a massive impact everywhere, including the National Health Scheme in the UK, blocking all access to patient records. Imagine what it could do to your business.
Ransomware is malicious software that blocks and encrypts computers and files (including backups) until a ransom is paid to organised crime. It spreads very easily across networks.
Organised crime reaped over USD $300 million from one ransomware variant in 2016 alone. No wonder they invest in newer techniques every few months to trick people into running malicious software.
The result of such an attack may be complete loss of access to the data on all of your connected computer systems and your backups. The resulting damage to your business, customers, suppliers and employees could be catastrophic.
Paying the ransom may often seem like the only option, but it is no guarantee that the ransom won't be increased, that the damage will be reversed, or that a backdoor hasn't been left open for future attacks. Contrary to popular opinion, Telstra's latest Cybersecurity Report showed that in 2016 less than one third of people retrieved their data after paying the ransom.
Smaller Businesses are being Targeted
WannaCry was a general attack on all vulnerable users and computers around the world. No business is immune. Small and medium-sized businesses, which often think they are too small or unimportant to be targeted, are increasingly seen by criminal organisations as 'soft targets'.
In fact, smaller enterprises like yours probably don’t have the scale and resources of larger enterprises like the UK’s NHS to survive an attack. It’s even more vital you protect yourself.
In recent months it has become clear that conventional anti-virus solutions, though reasonably adequate to date, have been far outpaced by the capabilities of modern malware.
To stay protected from the latest, ever more sophisticated "threat landscape" requires a proactive, managed and continually evolving solution. These attacks can only be mitigated if continually updated layers of systems and processes are maintained to keep pace. This is called "Active Defence in Depth".
Until recently, this was beyond the reach of businesses of your size.
We have launched a Free Report on how you can start protecting your business. The 10 Most Critical IT Security Protections Every Business Must Have In Place NOW.
The WannaCry attacks are a wake-up call and urgent reminder of the ever present threat that is only one click away. Please remember that should your data be compromised the subsequent disruption to your business could be an expensive, even disastrous test of your current defences.
ACT NOW!