What steps are you taking to make sure your business is doing all it can to reduce risk and be cyber safe?

One thing that can be a guiding light for Australian businesses is the Essential Eight, developed by the Australian Cyber Security Centre.

It is a condensed and prioritised list drawn from their Strategies to Mitigate Cyber Security Incidents and is a great starting point for all businesses. The eight mitigation strategies are:

- application control
- patch applications
- configure Microsoft Office macro settings
- user application hardening
- restrict administrative privileges
- patch operating systems
- multi-factor authentication
- regular backups (originally worded as daily backups)

We've spoken before about Multi-Factor Authentication (MFA) and the importance of keeping your software updated, but which of these are you implementing in your business?

Securing your business using Microsoft 365 Compliance Centre

In today’s digital world, data security is essential to the success of any business.

As technology advances, so do the threats to your data.

To mitigate these risks, businesses must be proactive in protecting their data from malicious actors, inside and out.

From our experience, Microsoft 365 has the edge over Google Workspace when it comes to managing and reporting on cyber security in an organisation.

However, neither platform is as secure as it could and should be out of the box.

For businesses that use Microsoft 365, that’s where the Microsoft 365 Compliance Centre comes in (Microsoft has since renamed it the Microsoft Purview compliance portal, at compliance.microsoft.com). This tool helps businesses ensure that their data is secure and compliant with industry regulations.

Microsoft 365 Compliance Centre is a cloud-based platform that provides end-to-end visibility into your organisation's security state and compliance posture. It offers advanced analytics, reporting, and insights into your data security posture, as well as real-time alerts when suspicious activity is detected. With these features, businesses can quickly identify potential threats and take the necessary steps to protect their data.

Microsoft 365 Compliance Centre offers numerous benefits to businesses looking to secure their data assets. For example, it provides organisations with an automated way to monitor activities across all devices in their environment, including mobile devices, in order to detect suspicious behaviour and prevent potential attacks before they happen.

Additionally, it helps organisations stay compliant with industry regulations by providing detailed reports on all areas of compliance risk, such as user access rights and where personally identifiable information (PII) is stored.

Finally, Microsoft 365 Compliance Centre also includes built-in intelligence capabilities that allow organisations to quickly respond to threats or anomalies in near real-time.

One of the most important measures to watch alongside it is Microsoft Secure Score. It lives in the Microsoft 365 Defender portal (security.microsoft.com) rather than the compliance portal, and it expresses your security posture as points earned out of the points available for Microsoft's recommended actions, shown as a percentage. A higher number means more of those recommended actions have been completed.

Most clients we onboard have a secure score of around 20%, however, for SME businesses you should be aiming for between 60-70%. Anything above that depends on whether or not you're an enterprise organisation with the relevant enterprise licensing: Secure Score only scores recommended actions for products your tenant is licensed for, so a tenant with, say, Defender for Endpoint or Entra ID P2 has more actions to complete and a different ceiling than a Business Standard tenant.
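The percentage above comes from two numbers Microsoft Graph exposes, `currentScore` and `maxScore`, and the quickest way to turn "we're at 20%" into a to-do list is to rank the recommended actions by the points they would earn. The following is an added example written for this post, not Microsoft's code and not a tool Infinite Edge ships. It assumes you already hold a Graph bearer token with the `SecurityEvents.Read.All` permission; the control names and point values in the sample are constructed to look like a real tenant's response, and the demo runs offline against that sample without calling Graph.

```python
"""Added example: read Microsoft Secure Score from Microsoft Graph and size the gap to a 60-70 % target."""
import json
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"


def graph_get(token: str, path: str) -> dict:
    """GET one Graph endpoint with a bearer token (assumes a token holding
    SecurityEvents.Read.All). Not called by the offline demo below."""
    req = urllib.request.Request(GRAPH + path, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def fetch_latest(token: str):
    """Newest daily Secure Score snapshot plus the per-control maximums needed to size gaps."""
    snapshot = graph_get(token, "/security/secureScores?$top=1")["value"][0]
    profiles = graph_get(token, "/security/secureScoreControlProfiles")["value"]
    max_by_control = {p["id"]: p["maxScore"] for p in profiles}
    return snapshot, max_by_control


def score_percent(snapshot: dict) -> float:
    """Secure Score as the percentage the Defender portal shows."""
    return round(100 * snapshot["currentScore"] / snapshot["maxScore"], 1)


def points_to_target(snapshot: dict, target_percent: float = 60.0) -> float:
    """How many more points are needed to reach the target percentage (0 if already there)."""
    needed = snapshot["maxScore"] * target_percent / 100 - snapshot["currentScore"]
    return max(0.0, round(needed, 1))


def top_gaps(snapshot: dict, max_by_control: dict, limit: int = 5):
    """Recommended actions with the most unearned points, biggest first.
    controlScores[].controlName joins to secureScoreControlProfiles[].id."""
    gaps = []
    for c in snapshot["controlScores"]:
        name = c["controlName"]
        missing = max_by_control.get(name, 0) - c["score"]
        if missing > 0:
            gaps.append((name, round(missing, 1)))
    gaps.sort(key=lambda g: (-g[1], g[0]))
    return gaps[:limit]


# Constructed sample shaped like the two Graph responses (not real tenant data).
SAMPLE_SNAPSHOT = {
    "currentScore": 60.5,
    "maxScore": 300,
    "controlScores": [
        {"controlName": "AdminMFAV2", "score": 0},
        {"controlName": "MFARegistrationV2", "score": 3},
        {"controlName": "BlockLegacyAuthentication", "score": 8},
        {"controlName": "PWAgePolicyNew", "score": 0},
    ],
}
SAMPLE_MAX = {"AdminMFAV2": 10, "MFARegistrationV2": 9,
              "BlockLegacyAuthentication": 8, "PWAgePolicyNew": 8}

if __name__ == "__main__":
    # Swap the two SAMPLE_* values for fetch_latest(token) to run against a live tenant.
    print(f"Secure Score: {score_percent(SAMPLE_SNAPSHOT)} %")
    print(f"Points needed for 60 %: {points_to_target(SAMPLE_SNAPSHOT)}")
    for name, missing in top_gaps(SAMPLE_SNAPSHOT, SAMPLE_MAX):
        print(f"  {name:<28} {missing:>5} points available")
```

Sorting by unearned points rather than by the portal's default order is the point of the exercise: in the sample the two MFA controls alone are worth 16 of the 119.5 points needed to get from 20% to 60%, which matches what we see in practice, where MFA for admins and users is the single biggest jump.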

Microsoft 365 Compliance Centre is the perfect solution for businesses looking to secure their data assets from external threats or malicious actors while ensuring compliance with industry regulations.

This powerful tool can help protect your business from potential cyber-attacks and is an integral part of keeping you compliant with applicable laws and regulations and managing your business's cyber security strategy.

Not all multi-factor authentication (MFA) is created equal.

While any MFA is better than none, there are different levels of security risks associated with the various types of MFA that are available to secure your online accounts.

We at Infinite Edge are on a mission to make businesses more cyber intelligent, and part of that is cyber security intelligence (CSI).

So I thought I would break down the different types of MFA available, and the various risk levels associated with each.

🔑 Email authentication

This is the least recommended version of MFA and belongs in the one-time password (OTP) category. The second factor is delivered to an account that is itself usually protected by nothing more than a password, so if a hacker or scammer already has access to your email account (or can reset its password), the code is simply sent straight to them and the MFA is circumvented.

🔑 SMS authentication

There have been a number of documented cases of SIM swapping, or port-out fraud, where hackers steal someone's identity or trick a customer service representative at the victim's phone provider into locking the owner out of the account. They then port the mobile number to another carrier or SIM and receive the victim's MFA codes themselves. SMS codes are also easily phished: a fake login page simply asks for the six digits and uses them straight away.

🔑 Push Notifications

This was very commonly recommended by IT providers in previous years because of its ease of use: instead of typing the six-digit OTP code every time, you receive a push notification in your authenticator app asking you to approve or deny the login.

Uber suffered a well-known breach in 2022 that began with an MFA fatigue attack: the hackers, already holding a contractor's password, sent continuous MFA prompts to the victim until they eventually hit approve.

In some cases, users may also hit approve by accident, simply because a prompt appeared while they were busy and saying yes made it go away.

🔑 Number match

As a result of the risks associated with push MFA authorisation, companies such as Microsoft introduced number matching. Essentially, this adds an extra step to push authorisation: the sign-in screen displays a two-digit number, and the user must type that number into their authenticator app before the login is approved. A prompt the user did not initiate cannot be blindly approved, because they never see the number. Microsoft Authenticator also shows the application name and sign-in location in the prompt, which gives the user a second chance to spot a login they didn't start.

Microsoft has recently announced they are forcing this on push notification MFA setups from Feb 27 2023.

🔑 Passwordless Authentication

For Microsoft users, even better is passwordless authentication. If you never type a password, it can't be phished or reused from another breach. Strictly speaking, the account still has a password in Entra ID unless you remove it, so the gain is that the password is no longer part of your users' day-to-day sign-in.

The way passwordless authentication works is the user enters their email address, and then they are prompted by the Microsoft Authenticator app to number match the two-digit code displayed on the sign-in screen.

One caveat: this is still not phishing-resistant in the way a hardware key is. A proxy site that relays the real Microsoft sign-in page can pass the two-digit number through to the victim, who approves it in good faith and hands the attacker the session. It removes the password as a target; it does not remove the need for user awareness.

We've begun rolling this out to all our clients, and it's a game changer.

There are also biometric MFA and hardware security keys. The former is not recommended to fully replace OTP MFA due to reliability and stability issues. The latter (FIDO2/WebAuthn keys) is the one option in this list that is genuinely phishing-resistant, because the key signs a challenge tied to the real site's address, so a lookalike login page gets nothing it can replay. The trade-offs are cost, and the keys can be lost or misplaced, so register at least two per account and keep the spare somewhere safe.

Unfortunately, sometimes you're at the mercy of whatever MFA solution is offered by the online service. Whilst not ideal, as I said earlier, any MFA is better than no MFA.

What MFA authentication are you using?
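A practical follow-up to the tiers above is to find out which of them your own users actually sit on. In Entra ID a user can pick any method they have registered at the prompt (unless Conditional Access restricts it), so what matters is the weakest method each person has registered, not the strongest. The following is an added example written for this post, not Microsoft's code and not a tool Infinite Edge ships. It reads the authentication methods registration report from Microsoft Graph (assumes a bearer token with `AuditLog.Read.All`), ranks the method names Graph returns in the order this post describes, and flags anyone below push with number matching. Placing app-based OTP at tier 3 and Windows Hello for Business alongside FIDO2 keys is this example's own assumption; the four users in the sample are constructed, and the demo runs offline against them.

```python
"""Added example: rank each user's registered MFA methods, weakest first, from the
Entra ID authentication methods registration report."""
import json
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"

# Tier order follows the post: email < SMS/voice < OTP app < push with number match < passwordless.
# App OTP at tier 3 and Windows Hello alongside FIDO2 keys are this example's assumptions.
TIERS = {
    "email": 1,
    "mobilePhone": 2, "alternateMobilePhone": 2, "officePhone": 2,
    "softwareOneTimePasscode": 3, "hardwareOneTimePasscode": 3,
    "microsoftAuthenticatorPush": 4,
    "microsoftAuthenticatorPasswordless": 5,
    "fido2SecurityKey": 6, "windowsHelloForBusiness": 6,
}
# Not sign-in factors: security questions are SSPR-only, a Temporary Access Pass is short-lived.
NOT_SIGN_IN = {"securityQuestion", "temporaryAccessPass"}


def fetch_registration_details(token: str):
    """Page through /reports/authenticationMethods/userRegistrationDetails
    (assumes AuditLog.Read.All). Not called by the offline demo below."""
    url = GRAPH + "/reports/authenticationMethods/userRegistrationDetails"
    rows = []
    while url:
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            page = json.load(resp)
        rows.extend(page["value"])
        url = page.get("@odata.nextLink")   # Graph pages large tenants
    return rows


def weakest_method(methods):
    """The weakest registered sign-in method: the one an attacker will choose at the prompt."""
    ranked = sorted((TIERS[m], m) for m in methods if m in TIERS)
    return ranked[0][1] if ranked else None


def classify(user: dict):
    """(method, tier) for one report row; tier 0 means no usable MFA."""
    if not user.get("isMfaRegistered"):
        return ("none", 0)
    method = weakest_method(user.get("methodsRegistered", []))
    if method is None:
        return ("unranked", 0)   # only methods this table does not know about
    return (method, TIERS[method])


def weak_mfa_report(details, minimum_tier: int = 4):
    """Users whose effective MFA is below minimum_tier (default: push with number matching),
    weakest first, then by UPN."""
    rows = []
    for u in details:
        method, tier = classify(u)
        if tier < minimum_tier:
            rows.append((u["userPrincipalName"], method, tier))
    return sorted(rows, key=lambda r: (r[2], r[0]))


# Constructed sample in the shape of the Graph response (not real users).
SAMPLE = [
    {"userPrincipalName": "alice@example.com", "isMfaRegistered": True,
     "methodsRegistered": ["microsoftAuthenticatorPasswordless", "microsoftAuthenticatorPush", "mobilePhone"]},
    {"userPrincipalName": "bob@example.com", "isMfaRegistered": True,
     "methodsRegistered": ["fido2SecurityKey", "windowsHelloForBusiness"]},
    {"userPrincipalName": "carol@example.com", "isMfaRegistered": False,
     "methodsRegistered": ["securityQuestion"]},
    {"userPrincipalName": "dave@example.com", "isMfaRegistered": True,
     "methodsRegistered": ["microsoftAuthenticatorPush", "softwareOneTimePasscode"]},
]

if __name__ == "__main__":
    # Swap SAMPLE for fetch_registration_details(token) to run against a live tenant.
    for upn, method, tier in weak_mfa_report(SAMPLE):
        print(f"{upn:<20} weakest method: {method:<26} tier {tier}")
```

Alice is the instructive case: she has passwordless set up, which looks great in the admin portal, but because her mobile number is still registered she can be downgraded to SMS at the prompt, so she is reported at tier 2 until that method is removed (or Conditional Access authentication strengths stop it being offered).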

Everything is Hackable

The recent Optus data breach may well have been preventable, and the way Optus handled the breach was very average at best.

However, even if they did everything right, a data breach can still happen. ⚠️

The single largest Cyber Security risk in an organisation is its people 🤷. As long as there are people in organisations, there will always be a risk. Humans can make mistakes, be manipulated, tricked, and socially engineered.

The reality is, Cyber Security is about risk mitigation, not elimination. There is no silver bullet.

It's a common belief that Cyber Security is an IT responsibility and unfortunately, many organisations put blind faith in their IT provider or department and put their head in the sand with the attitude that the IT guys are across it 👩‍💻.

Unfortunately, many IT providers just aren’t across Cyber Security. They may just not have the resources to upskill, they haven’t prioritised it, or their clients just don't have the budget or see the value💸.

We were once there too.

The fact that their clients expect them to be 100% across it doesn’t help, and ultimately the IT guys will cop the blame in the event of a Cyber incident.

For Cyber Security to be effective in any organisation, it must be driven from within. It starts from the top down and needs to be ingrained in the culture of an organisation with everyone ensuring it's a forethought, not an afterthought.

IT plays an important role in Cyber Security, but not the only role. We can help mitigate the risks to your organisation by setting up your technology in line with best security practices. There are also risk areas that are not our expertise, so it's important we stay in our swimming lane 🏊.

Last year a supply chain attack on the Kaseya VSA remote-management tool saw around 50 IT providers worldwide and, through them, an estimated 800 to 1,500 of their clients' businesses become the victims of a ransomware attack.

In that case, there might have been more that could have been done to prevent the infection, however, often the reason it isn't done is that the clients aren't willing to spend on necessary Cyber Security measures. This is the exact reason we have stopped selling most Cyber Security as a separate thing. It's just part of what we do.

I'm not blaming businesses either, as many just don't have the required information and understanding to make those decisions. Cyber Security is often complicated, and for many, it's simply overwhelming and they just don't know whom to turn to or where to start.

There is a lot we as IT providers, or the term I prefer, Technology Mentors, can do to navigate you through the complex and scary world of Cyber Security.

But we also can't force you to do it.

Until Cyber Security is legislated and becomes part of a Director's responsibility, which it should and will, things won't change quickly enough.

#cybersecurity #riskmanagement #business #beautifullysimpletech

Cyber Security Is Easier Than You Think...

What sensitive client data are you keeping on your computers or devices?

Recently, we performed one of our complimentary security health checks on a new client, and we found that 40 credit card details were being kept in a spreadsheet on the reception computer. The potential liability cost listed is probably too modest.

The computer was also missing critical software updates and didn't have a current anti-virus/security software installed.

This is a common scenario for many businesses. People just don't know what they don't know.

What sensitive data are you keeping, that you don't need to, or that exposes you to risk?

It's never too late to start. Don't be ashamed if you have no idea about your security.

Cybersecurity is easier than you think. Just start with one thing.

Still not sure what to start with? Here are some of our recent posts that could be places to start:

Password Behaviour and Management

Multi-Factor Authentication

Or head on over to our FREE Resources page to see some of our Guides and helpful Checklists!
