IT Security is a controversial topic. Just like backing up your data, it is something a lot of (often new) business operators do not consider or take into account until they are faced with a serious situation that results in a complete shutdown of operations, and there is no choice but to deal with the circumstances. Modern IT systems tend to be quite a bit more sophisticated and resilient compared to what was offered in the past, in terms of both software and hardware - e.g. there is less of a risk of your Operating System itself being a major security weakness. Nowadays, it is usually the actions of the end user that lead to a system being compromised.
In this article, I will go through some of the more common issues and threats that can affect you and your business.
Online Identity Theft
Online Identity Theft is the most pressing issue with some of the most serious consequences. This is one of the worst outcomes that results from a poor approach to cybersecurity.
This is the act by which criminals steal your identity information (full name, middle name, address, DOB...) and exploit it for their gain.
If you are an employer, you have to be especially diligent in safeguarding the personal data your employees have entrusted you with. Critical private information such as TFN (Tax File Number) and Superannuation details must be kept securely out of reach.
Safeguarding against identity fraud is largely preventative in nature. The key is to limit the supply of data to third parties, especially to entities that have no particular use for such data. For example, while a financial institution has a genuine reason for collecting your DOB (Date of Birth), a random internet forum does not. Ask yourself: do you even need to supply your real name to a forum? By not giving out excess details about yourself, you are limiting the chances of your data snaking its way into the hands of a criminal.
It's also a good idea to prevent online services from storing your credit card details. While it is acceptable for major payment gateways to hold such information, it is not the best idea to entrust a random business with storing your credit card details - you simply have no way of telling how compliant they are. If a service provider offers an option to prevent the storage of credit card details for future use, make use of that option.
It is also not the best practice to hand out your home address left and right. As a business operator you probably have a PO Box that you should be making use of - while it may be convenient to receive everything at your home address, especially during Covid-19, it creates an additional security risk.
The other two key ways to prevent identity theft are to diligently select your passwords and to avoid falling for "phishing" attacks. These will be discussed separately.
Please note that if you do suffer financial consequences from the theft of personal information, such as unauthorised credit card charges, you should call your bank and immediately cancel the affected card (and probably others as a safety measure). And if you have somehow been signed up for a new loan contract, which is rare but does happen, you have a very serious breach to deal with.
Phishing
Phishing refers to the technique cybercriminals use to disguise themselves as legitimate correspondents. This usually shows up in the form of emails that pretend to be from government agencies such as the ATO (Australian Taxation Office), or from telecommunication and utility providers. These emails generally ask for your login details and/or personal information, which cybercriminals then exploit to carry out identity theft.
Phishing emails are sometimes well presented and quite difficult to discern from legitimate emails. The key point is that government agencies and major service providers do not send emails asking users to log in and verify their personal data. It is safe to ignore these.
Phishing has also recently taken on a new angle where criminals make use of the credentials of smaller firms. This generally shows up in the form of emails that include a payment request for a fake invoice, with the intention of misleading accounts payable. This could directly impact you, as a business owner, as your business credentials may be used for this purpose without your knowledge.
One of the ways to combat this is to implement a strict DMARC (Domain-based Message Authentication, Reporting & Conformance) policy for your domain name, backed by SPF and DKIM records, to explicitly limit the authorised email servers that can send emails from your domain. The effect is that recipient email servers reject fraudulent messages outright, as the cybercriminals sending them would not have the authority to use your legitimate email server (they would use their own or a "captured" one for sending out emails). It is not a foolproof system, but it works to some extent.
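To make the "strict policy" concrete, here is an added example (not code from the original article) that parses a DMARC TXT record and lists the settings that would leave spoofed mail unrejected. The domain, mailbox and record values are constructed for illustration.

```python
# Added example: check whether a DMARC record actually enforces rejection.
from typing import Dict, List

# Constructed sample records: a "monitor only" policy and a strict one.
WEAK_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc@example.com.au"
STRICT_RECORD = ("v=DMARC1; p=reject; sp=reject; pct=100; "
                 "rua=mailto:dmarc@example.com.au")


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'tag=value; tag=value' into a dict, skipping blank entries."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_findings(record: str) -> List[str]:
    """Return the reasons this record does not enforce a strict policy."""
    tags = parse_dmarc(record)
    findings: List[str] = []
    if tags.get("v") != "DMARC1":
        findings.append("missing or invalid version tag")
    policy = tags.get("p")
    if policy is None:
        findings.append("no p= policy tag")
    elif policy != "reject":
        findings.append(f"p={policy}: spoofed mail is not rejected")
    # sp= defaults to the main policy when absent.
    if tags.get("sp", policy) != "reject":
        findings.append("subdomain policy (sp=) is weaker than reject")
    pct = int(tags.get("pct", "100"))  # pct= defaults to 100
    if pct < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of mail")
    if "rua" not in tags:
        findings.append("no rua= address: you receive no aggregate reports")
    return findings


def is_strict(record: str) -> bool:
    return not dmarc_findings(record)


if __name__ == "__main__":
    for name, rec in (("weak", WEAK_RECORD), ("strict", STRICT_RECORD)):
        print(name, "OK" if is_strict(rec) else dmarc_findings(rec))
```

The record is published as a TXT entry at `_dmarc.<your domain>`; a real check would fetch it with a DNS lookup and feed the string to `dmarc_findings`.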
Passwords
With all the discussion and recommendations around the correct use of passwords, things have still not improved. Poor use of passwords remains the biggest security flaw that end users impose on themselves.
You can see many websites requiring a minimum length, special characters, digits, etc. as a way to force users to select a high quality password. Most users still end up choosing something that is too simple, to their own detriment.
The first issue with using a weak password is that it is subject to dictionary attacks. Dictionary attacks work on the premise that the password is a common word or pattern, so the technique is simply to try a list of likely candidates until the correct one is found.
The second issue is that people have a tendency to use the same "preferred" password everywhere. The problem here is that if a criminal gets access to one account, they may be able to get into other services with your email/password combination. Once that happens, your personal data can be harvested from your accounts and you could be facing an identity theft scenario.
If your employees have access to any sort of company systems, a good technique to avoid issues is to not let them choose their own passwords. Create a strong random unique password for each employee and assign it to them.
As an example, "sydney123" may seem like a good choice for that new online service you just signed up to. It isn't. An example of a good password is "Rgc47bQtd9KaUtJu". It's something you will not remember - hence you will need a system to securely store these passwords. This may appear time-consuming, but it can potentially save you a lot of headaches over the long term. These types of passwords can be easily created with random password generator tools freely available online.
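As an added example (not from the original article) covering the points above on dictionary attacks, per-employee passwords and generated passwords: a short script that produces passwords of the recommended kind from a cryptographically secure source, assigns a unique one per employee, and flags the kind of password a dictionary attack finds first. The wordlist and employee names are constructed stand-ins.

```python
# Added example: strong password generation and a simple dictionary-weakness check.
import math
import secrets
import string
from typing import Dict, Iterable, Optional

ALPHABET = string.ascii_letters + string.digits  # 62 symbols, as in "Rgc47bQtd9KaUtJu"

# Constructed sample of the kind of entries found in attacker wordlists.
COMMON_WORDS = {"password", "sydney", "melbourne", "welcome", "admin"}


def generate_password(length: int = 16) -> str:
    """Build a password using secrets (CSPRNG), never the random module."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def assign_passwords(employees: Iterable[str]) -> Dict[str, str]:
    """One unique random password per employee, to be handed out and stored securely."""
    return {name: generate_password() for name in employees}


def entropy_bits(password: str, alphabet: str = ALPHABET) -> float:
    """Bits of entropy if every character was chosen uniformly from the alphabet."""
    return len(password) * math.log2(len(alphabet))


def dictionary_weakness(password: str) -> Optional[str]:
    """Explain why a dictionary attack would find this password quickly, or None."""
    lowered = password.lower()
    stripped = lowered.rstrip(string.digits + string.punctuation)
    if lowered in COMMON_WORDS:
        return "password is a dictionary word"
    if stripped in COMMON_WORDS:
        return f"dictionary word '{stripped}' with a predictable suffix"
    if len(password) < 12:
        return "shorter than 12 characters"
    return None


if __name__ == "__main__":
    for candidate in ("sydney123", "Rgc47bQtd9KaUtJu", generate_password()):
        print(candidate, round(entropy_bits(candidate), 1), "bits",
              dictionary_weakness(candidate) or "no obvious weakness")
    print(assign_passwords(["alice", "bob"]))  # constructed employee names
```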
In the next article...
In Part 2, I will touch on the following topics:
- Domain name passwords - how your domain name can be stolen
- Cryptocurrency extortion attempts and "Bitcoin Email Scams"
- Hardware and software settings to minimise the IT security risk posed by your employees.
If you are interested in discussing how to make your business work online, please get in touch with us. We have plenty of experience running a variety of online projects and have the necessary technical expertise to build a custom digital solution for your business.