Welcome to the second article in the five-part series on Cybersecurity 2021. ICYMI (in case you missed it) here is the link to the first article - Five signs that your organisation is at high risk of cyberattack - in the series.
A targeted cyberattack happens every 39 seconds on average. While it is easy to think it will never happen to your organisation, with around 164 cybercrime reports per day in Australia, or one every 10 minutes, it is a matter of when, not if, your organisation will become a victim.
20 years ago I was playing on a PlayStation 2, using AltaVista to search for the latest news and wondering what it would be like to have a phone that had more than Snake on it. Security in those days meant getting a copy of VirusBuster to make sure my first computer didn't catch the flu or the world stop working with a Y2K bug. I couldn't have imagined having a phone that took photos, let alone how much the world would change - but I was excited by the notion.
Reading through the latest ransomware report provided by Datto and collated from 200+ Managed Services Providers across Australia and New Zealand, I grew concerned about how Australian Small-Medium Businesses may be thinking about the growing threat landscape.
In today’s ‘data-sensitive’ world, where the loss of consumer or employee information could have severe monetary and reputational repercussions, it’s increasingly important to ensure that all data is backed up regularly and properly.
As a Director on the Subnet board, I find that my business partner and I debate and discuss many things including our staff, our customers and the things that impact us driven by the world around us.
Sometimes the decisions we make are based on clear paths, legislative changes imposed on us by the government, changes to the industry imposed by shifts in the market or even changes in the competitive landscape. Unfortunately, in many cases, the choices aren't clear, and it takes a robust discussion and working with third parties to highlight the right path.
I find that cybersecurity is falling more into the unclear direction bucket, partially because of the breadth of the issue and partly due to the ever-changing risks associated with it.
In talking to our customers, we often find they are in the same boat; some see the problem as an insurance piece where they can pay a fixed amount per month to pass on the risk. Unfortunately, this has proven not to be a great approach - as some insurers are classing cyber-threats as 'acts of war' which negates any compensation.
Most boards that I have discussed cybersecurity concerns with have an understanding that something needs to happen, but many have limited depth of knowledge on the issue, thus how to combat the breadth of the issues becomes the problem.
In Subnet's case, we chose to take the following approach to cybersecurity:
1. Upgraded our perimeter - while we understand that a firewall box doesn't fix security, it was the low hanging fruit to kick off the journey. In our case, we landed on a Fortinet appliance that scans and detects threats coming into our network.
2. Create and Implement a Security Policy - this is not an 'Acceptable Computer Use' policy that we commonly see still in place at customers' sites. Instead, it is an in-depth security policy that defines:
- what happens if a device is breached or an end-user leaks information,
- what settings are in place on our infrastructure to protect us,
- what data/hardware/software is allowed within our environment,
- how we manage our data,
- how we provide ongoing training to our end users,
- how we interact with third parties, and how they could impact us.
Once completed, we had it reviewed and critiqued by a third party to ensure we hadn't missed a threat vector or any gaps in our thoughts, and finally,
3. Create a Security Working Group - we understand that security is a journey and not a destination. That's why we have a working group that meets fortnightly to discuss issues and implement changes as we see them surface in the landscape.
If you want to talk more about how Subnet implemented our policies over a coffee, or how Subnet's Consulting team can help implement yours or speak to your board about the real risks, please reach out.
Am I wasting my money on IT?
How do I know if I'm safe from hackers?
Is this 'cloud' thing for me?
Am I making the right decision?
Is now the right time to upgrade?
Can I sweat my assets past five years?
In talking to customers, these are the types of questions I hear the most; essentially what they feel is the general uncertainty of making the right and most cost-effective decision for their business.
Since 2000 we have been helping our customers in the education, aged or disability care and corporate fields with consulting products like ICT health checks and system audits to discover what is wrong with their hardware/software or staff and to allow them to plan their way forward. These types of checks are still valid, and especially useful in getting to know an environment or business at the start. Unfortunately, these deliver limited value to a business with an ongoing relationship with a supplier.
Personally, as someone that leads a business - the conversations that I prefer to have with my suppliers and customers, and to be honest the ones that I feel best represent real value, have almost nothing to do with ICT. The discussions about my business and my customers show that they care about what I am trying to achieve and the pain points I have when trying to implement the strategy.
Over the years, this is where Subnet has planted the SEED (Subnet Exec to Exec Discussions), enabling our executive team to talk to your executive team on the same level, dealing with the same type of issues as peers. Following these discussions, we can translate strategic decisions made at the executive level to technical designs created utilising our team of very experienced solutions consultants and technical staff.
In my experience this allows us to get to the heart of the issues and be in better alignment with the strategy which delivers more creative and cost-effective solutions. Using this process develops a trusted partnership between the two parties, which doesn't happen overnight, but generally bears the best long-term fruit.
Out of these discussions, we can hand over to Subnet's experienced consulting team to drill into gathering better business intelligence through services including:
As a company that was started on a university campus, Cisco’s roots in education are shown in its ongoing commitment to the themes of learning and innovation that have become central to its culture. Cisco leads the way when it comes to providing the education and commercial sectors with solutions that create completely integrated and secure wireless environments.
Transitioning to the cloud can be a great move for your not-for-profit organisation.
You will have more control over your usage and costs, and the flexibility to scale as required. The cloud also enables more effective collaboration between your team, brings efficiencies to your processes, and can reduce the time your IT department spends on maintenance.
With so many organisations adopting the cloud, it may no longer seem a question of if, but when you will follow suit. However, depending on the work you do, sticking with your traditional infrastructure might be the best solution.
Here we’ll share 10 important points to consider to ensure a successful cloud transition for your not-for-profit.
From February 2018, the Notifiable Data Breach (NDB) scheme comes into effect.
For businesses with an annual turnover of $3 million, this means strict new reporting requirements if a serious data breach occurs. Failure to comply can result in hefty fines for both the organisation and the individuals involved.
If the new mandatory disclosure laws affect your business, it’s important you fully understand your responsibilities and take steps now to ensure your sensitive data is secure.
Here, we’ll share the key points of the new legislation and provide some tips to help you make sure your organisation has the right security measures in place to minimise the risk of a data breach.