Cybercrime protection

Implementing full-strength cybercrime protection

Protection against cybercrime is about preparation, education and technical infrastructure.

Being prepared before an attack is essential, not only for protecting the financial interests and reputation of your business but also from the perspective of legal responsibility. It is unusual for companies in this day and age not to process and/or store customer data in one form or another and with this data comes security responsibilities and requirements. The information below provides an overview of information and data security requirements plus links to helpful resources for businesses working on implementing a cybercrime business-continuity plan.

To fully protect your business, here are the steps to address:

  1. Understand what legislation applies to you and make sure you comply - Australian National Data Breach scheme/Privacy Act; PCI DSS Payment Card Industry Data Security Standard; GDPR.
  2. Make sure your technical infrastructure is secure and covers these aspects: anti-virus, anti-malware, 2-factor authentication, backups, firewalls, remote management and monitoring.
  3. Ensure your organisation has proper policies and procedures in place and enforced to minimise an attack being successful.
  4. Educate yourself and employees about the different types of cyber attacks. An understanding of how an attack might take place makes it much more likely an attack will be recognised before the damage is done.
  5. Assess your business’s insurance coverage to decide if your current policy covers you in the event of a cyber attack.

Legislation

Office of the Australian Information Commissioner (OAIC)

The Office of the Australian Information Commissioner (OAIC) is an independent statutory agency within the Attorney General's portfolio. The OAIC deals with three main functions - privacy, freedom of information and government information policies. With regard to businesses and IT security, the OAIC operates the Notifiable Data Breach (NDB) scheme.

The NDB scheme was launched on 22 February 2018 and is relevant to ‘agencies and organisations regulated under the Australian Privacy Act 1988’. The NDB scheme oversees and provides guidelines for organisations in the event that a data breach occurs that involves the personal information of individuals being accessed by unauthorised persons.

Useful resources include:

- Does my small business need to comply with the Privacy Act?

- Data breaches preparation and response - a guide to managing data breaches in accordance with the Privacy Act 1988

Payment Card Industry Data Security Standard (PCI DSS)

The PCI Security Standards Council is a global forum for the payments industry. Handling customer credit card details is a huge responsibility and must be done securely. The PCI Security Standards Council works to develop, enhance, disseminate and assist with the understanding of security standards for payment account security.

Useful resources include:

- Self-assessment questionnaire for small merchants and service providers )

General Data Protection Regulation (GDPR)

In addition to security measures that protect your business-critical data, business leaders also need to be knowledgeable about and possibly compliant with GDPR. Does your business comply with the European Union’s General Data Protection Regulation? Is it applicable to you? Even if you are a small business based in Australia GDPR may be relevant to you:

"From 25 May 2018 Australian businesses of any size may need to comply with the GDPR if they have an establishment in the European Union (EU), if they offer goods and services in the EU, or if they monitor the behaviours of individuals in the EU." Source: General Data Protection Regulation guidance for Australian businesses

Useful resources:

- General Data Protection Regulation guidance for Australian businesses

- eugdpr.org

IT infrastructure

To actually block an attack from a cybercriminal a strong technical infrastructure that covers all gateways to the outside is necessary. This means implementing solid business continuity processes such as antivirus and malware-prevention applications, backups, firewalls and remote maintenance and monitoring technology to enforce good security practice across an organisation and keep all workstations up-to-date and running efficiently.

IT Basecamp offers a workstation cybersecurity bundle that provides all this protection at an affordable cost for SME’s.

Contact us to discuss customised IT solutions for protecting your business from cybercrime.

Two-factor authentication

This is the easiest and fastest way to make an impact on your protection against cybercrime. Two-factor authentication adds a second layer of security to an account, so even if a hacker does discover your password, your account is still secure. Your business is instantly less vulnerable if your critical applications are protected by 2-factor authentication. It relies on knowledge and possession - the ‘knowledge’ is something you know, ie your password, and the ‘possession’ is something you have access to, ie an authentication code or key (usually via your phone). Without both of these, your identity cannot be verified and access to the account is denied.

IMPORTANT NOTE: Take the time to do the full set up and complete the backup recovery contacts and recovery codes. It is important. If for some reason you lose access to one or other of your verification methods (you forget your password for example, or lose your phone) you WILL need a backup method. Once 2-factor authentication is set up your account is now secure, remember? You, too, will be denied access if you cannot properly verify your identity.

Useful resources:

- Google 2-factor setup instructions

- Microsoft 2-step setup instructions

- Two-factor authentication: who has it and how to set it up

First steps after an attack

If you find yourself in the situation where you have just clicked a link and realise you have given access to a hacker, there are things you can do instantly to try and contain the problem. A cyber attack relies on access to the Internet, so break the connection ASAP. This has to be done fast - remove the network cable, unplug the router, switch off the WiFi, shutdown the PC. Then get IT support and explain exactly what you did to enable the attack.

Policies and procedures

Having policies and procedures in place that create mindfulness of cybercrime can make a significant impact on catching attacks before damage takes place. Currently, the most common cyber attacks are Business Email Compromise. This is when a hacker gains access to an email account and exploits the trust of users to carry out fraud. For instance, upon gaining access to the MD's email account a hacker might send an email to the admin staff requesting money is transferred to a new business account. In reality, the new business account is actually the hackers and relies on the trust of the admin staff to follow the MD's instructions. If this company has procedures in place whereby any email request involving the transfer of funds must always be verbally confirmed with the MD there is an instant safety net in place and the opportunity to avoid the scam.

SANS Institute - information security policy templates

The SANS Institute is a global, cooperative research and education organisation established in 1989 to help the entire information security community. As well as providing training and security certification SANS develops, maintains, and makes available at no cost a large collection of research documents about various aspects of information security. It also operates the Internet's early warning system - the Internet Storm Centre.

Useful resources:

- a range of information policy templates provided by SANS for use by the business community to assist companies in quickly developing and implementing security policies

Education

Keep yourself and your staff knowledgeable and up-to-date. If staff know the types of methods and techniques scammers and hackers use, they are likely to recognise and identify a scam rather than falling victim to it. Scamwatch is a good source for keeping up-to-date in this area.

Insurance

Assess your business’s insurance coverage and talk to your insurance company to decide if your current policy covers you in the event of a cyber attack - the fallout from a data breach can be enormous costs, fines, stress and loss of time; having an insurance policy where resources step in to pay costs and enact the cleanup can be business-saving!

The cleanup and repair costs associated with a fire or theft are easy to imagine, but the repercussions of a cyber attack can be harder to picture. Depending on the type of cyber attack these can include the obvious first-party costs such as:

  • business interruption, loss of revenue while business systems are cleaned up and secured
  • cost of a professional negotiator and ransom payment if the cyber attack includes ransom demands
  • mandatory Data Breach Notification expenses for businesses with annual turnover greater than AUD$3million
  • cost of credit monitoring services for affected customers
  • crisis management expenses, including forensic expert costs and the cost of public relations consultants
  • loss of time of business managers to coordinate and deal with the post-attack cleanup

Then there are third party costs including:

  • privacy liability - lawsuits by customers arising from system security failures that result in unauthorised access to or dissemination of private information on the internet
  • lawsuits arising from intellectual property, trademark and copyright infringement
  • reputational liability - lawsuits alleging disparagement of products or services, libel, slander, defamation and privacy
  • lawsuits arising from system security failures that result in harm to third-party systems and property
  • lawsuits arising from a system security failure that results in your clients’ systems being unavailable to customers
  • privacy regulatory fines and penalties

As well as coverage for these potential costs a cyber insurance policy can also offer support such as:

  • 24/7 emergency hotline
  • data breach reporting assistance
  • IT forensics
  • credit monitoring
  • data restoration professionals
  • public relations professionals
  • legal representation
  • expertise and experience in managing cybercrime events