Reading through the latest ransomware report provided by Datto and collated from 200+ Managed Services Providers across Australia and New Zealand, I grew concerned about how Australian Small-Medium Businesses may be thinking about the growing threat landscape.
As a Director on the Subnet board, I find that my business partner and I debate and discuss many things including our staff, our customers and the things that impact us driven by the world around us.
Sometimes the decisions we make are based on clear paths, legislative changes imposed on us by the government, changes to the industry imposed by shifts in the market or even changes in the competitive landscape. Unfortunately, in many cases, the choices aren't clear, and it takes a robust discussion and working with third parties to highlight the right path.
I find that cybersecurity is falling more into the unclear direction bucket, partially because of the breadth of the issue and partly due to the ever-changing risks associated with it.
In talking to our customers, we often find they are in the same boat; some see the problem as an insurance piece where they can pay a fixed amount per month to pass on the risk. Unfortunately, this has proven not to be a great approach - as some insurers are classing cyber-threats as 'acts of war' which negates any compensation.
Most boards that I have discussed cybersecurity concerns with have an understanding that something needs to happen, but many have limited depth of knowledge on the issue, thus how to combat the breadth of the issues becomes the problem.
In Subnet's case, we chose to take the following approach to cybersecurity:
1. Upgraded our perimeter - while we understand that a firewall box doesn't fix security, it was the low-hanging fruit to kick off the journey. In our case, we landed on a Fortinet appliance that scans and detects threats coming into our network.
2. Create and Implement a Security Policy - this is not an 'Acceptable Computer Use' policy that we commonly see still in place at customers' sites. Instead, it is an in-depth security policy that defines:
- what happens if a device is breached or an end-user leaks information,
- what settings are in place on our infrastructure to protect us,
- what data/hardware/software is allowed within our environment,
- how we manage our data,
- how we provide ongoing training to our end users,
- how we interact with third parties, and how they could impact us.
Once completed, we had it reviewed and critiqued by a third party to ensure we hadn't missed a threat vector or any gaps in our thoughts, and finally,
3. Create a Security Working Group - we understand that security is a journey and not a destination. That's why we have a working group that meets fortnightly to discuss issues and implement changes as we see them surface in the landscape.
If you want to talk more about how Subnet implemented our policies over a coffee, or how Subnet's Consulting team can help implement yours or speak to your board about the real risks, please reach out.
Am I wasting my money on IT?
How do I know if I'm safe from hackers?
Is this 'cloud' thing for me?
Am I making the right decision?
Is now the right time to upgrade?
Can I sweat my assets past five years?
In talking to customers, these are the types of questions I hear the most; essentially what they feel is the general uncertainty of making the right and most cost-effective decision for their business.
Since 2000 we have been helping our customers in the education, aged or disability care and corporate fields with consulting products like ICT health checks and system audits to discover what is wrong with their hardware/software or staff and to allow them to plan their way forward. These types of checks are still valid, and especially useful in getting to know an environment or business at the start. Unfortunately, these deliver limited value to a business with an ongoing relationship with a supplier.
Personally, as someone that leads a business - the conversations that I prefer to have with my suppliers and customers, and to be honest the ones that I feel best represent real value, have almost nothing to do with ICT. The discussions about my business and my customers show that they care about what I am trying to achieve and the pain points I have when trying to implement the strategy.
Over the years, this is where Subnet has planted the SEED (Subnet Exec to Exec Discussions), enabling our executive team to talk to your executive team on the same level, dealing with the same type of issues as peers. Following these discussions, we can translate strategic decisions made at the executive level to technical designs created utilising our team of very experienced solutions consultants and technical staff.
In my experience this allows us to get to the heart of the issues and be in better alignment with the strategy which delivers more creative and cost-effective solutions. Using this process develops a trusted partnership between the two parties, which doesn't happen overnight, but generally bears the best long-term fruit.
Out of these discussions, we can hand over to Subnet's experienced consulting team to drill into gathering better business intelligence through services including: