Why it's important to stay cyber safe

Another day another data breach.

Medibank recently came forward and admitted that the hacker who breached its systems had access to the data of all 3.9 million of its customers.

Specifically, the accessed data includes:

name
address
date of birth
phone numbers
Medicare number
policy number
and in some cases, claims data.

It appears the hacker got in using compromised credentials belonging to a user with a high level of access.

This goes to show how easily this can happen.

Even with Cyber Security controls in place, people are always the weakest link, which is why regular Security Awareness Training for you and your team is such an important part of any Cyber Security strategy.

What’s your disaster recovery plan?

If you're running a business, you would know the importance of business continuity and disaster recovery planning.

This is a perfect topic to discuss, seeing as this is Cyber Security Awareness Month, and backups and disaster recovery are an important part of your Cyber Security planning.

For those of you leveraging the cloud, is your only backup saving files to cloud storage?

It's a common misconception that cloud storage is a suitable backup solution, i.e. that your only backup is syncing or storing your files in OneDrive, Dropbox, Google Drive, Box etc.

Why is this not considered a backup?

A backup should allow you to recover any file or files from any historic point in time with ease and speed.

The issue with relying on cloud storage alone is that a sync client faithfully replicates whatever happens on your device: delete or move a file or folder by mistake and the cloud copy goes with it, often taking its revision history along. A ransomware infection that encrypts your local files syncs the encrypted versions up in exactly the same way.

If you're using Microsoft 365 or Google Workspace, there's more data to protect than just the files stored in cloud storage like OneDrive and Google Drive: emails, messages and chat history, to name a few.

Just ask the IT team at KPMG, whose blunder deleted the personal chat histories of 145,000 Microsoft Teams users.

The data was unrecoverable.

There are third-party backup providers who can back up your cloud storage automatically.

Consider it a cloud to cloud backup.

Platforms like Microsoft 365, if set up correctly with the right retention policies in place, can retain data even after it is deleted. However, restoring files from those policies isn't necessarily quick or straightforward.

A good third party cloud backup solution will provide the simplicity of backup restores when needed. However, not all are created equal, and some don't offer granular restores of data, nor do they back up everything.

Are you using cloud storage as your only backup? Do you back up your cloud storage?

Securing your emails

One of the most common hacks we see in small to medium businesses is the email breach.

How does this happen?

Someone is using the same password for their email account as for another service, say Dropbox, and that other service is involved in a data breach.

Your details, including your password, are stolen and published or sold on the Dark Web for hackers and scammers to pick up.

Calling them hackers is actually too much of a compliment, so let's call them scammers.

Now the scammers have your password. They try it against your email account, by hand or with a credential-stuffing tool. If you don't have multifactor authentication enabled on your account, then, boom, they are in.

So now these scammers sit, wait and watch. They might be pulling 12-hour shifts, watching many different breached email accounts at once.

So what are they looking for? Invoices you send out.

They then create an inbox rule on your mailbox so that any correspondence between you and your clients or customers is quietly moved into a folder you never look at, or deleted, and you never see the replies. Then they doctor the invoice and make one slight change: the bank account details.

Soon after they'll send your client(s) a new invoice and let them know that the account details have changed. They will often send several follow up emails asking your client(s) for payment.

If your client doesn't suspect anything, they might pay the invoice. The scammers will usually move the money on immediately, and then it's often gone for good.

You might be thinking that you don't send invoices. If that's the case, the scammers will often leave, but not before they send a phishing email from your mailbox to all your contacts in the hope of getting into other accounts.

Rinse and repeat.
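The inbox rules described above are the one artefact of this attack that sits in the victim's own mailbox, so they are the first thing to check after a suspected compromise. The script below, an added example that is not code from the original post, triages a list of mailbox rules for the tell-tale patterns: auto-forwarding outside the organisation, rules keyed on money words, and rules that park mail in folders nobody reads or pre-mark it as read. SAMPLE_RULES is constructed data whose field names follow the shape of Microsoft Graph's messageRule resource (displayName, conditions, actions; forwardTo and redirectTo carry recipient objects), except that moveToFolder holds a folder name here for readability where Graph returns a folder id. OWN_DOMAIN is an assumed placeholder for the organisation's mail domain. In practice you would export the real rules with Get-InboxRule in Exchange Online PowerShell or via the Graph API and pass them to triage_rules().

```python
"""Triage mailbox rules for the patterns used in invoice-fraud email compromise.

Added example, not the post's own code. SAMPLE_RULES is constructed data whose
field names follow Microsoft Graph's messageRule shape, except that moveToFolder
holds a folder name here for readability where Graph returns a folder id.
"""
import json

# Words attackers match on so that the victim never sees replies about money.
FINANCE_KEYWORDS = {"invoice", "payment", "remittance", "bank", "account", "statement"}
# Folders attackers park mail in because nobody reads them.
SUSPECT_FOLDERS = {"rss subscriptions", "rss feeds", "conversation history",
                   "deleted items", "archive", "junk email"}
OWN_DOMAIN = "example.com.au"   # the organisation's own mail domain (assumed placeholder)


def _matched_keywords(rule):
    """Finance keywords this rule's subject/body conditions match on."""
    conds = rule.get("conditions") or {}
    words = conds.get("subjectContains", []) + conds.get("bodyContains", [])
    return {w.lower() for w in words} & FINANCE_KEYWORDS


def triage_rules(rules, own_domain=OWN_DOMAIN):
    """Return (rule name, reason) pairs for every rule that deserves a second look."""
    findings = []
    for rule in rules:
        name = rule.get("displayName") or "<unnamed>"
        actions = rule.get("actions") or {}
        keywords = sorted(_matched_keywords(rule))
        target = (actions.get("moveToFolder") or "").lower()

        # 1. Forwarding or redirecting outside the organisation leaks every matching message.
        for recipient in actions.get("forwardTo", []) + actions.get("redirectTo", []):
            address = recipient.get("emailAddress", {}).get("address", "")
            domain = address.rsplit("@", 1)[-1].lower()
            if domain and domain != own_domain:
                findings.append((name, f"forwards mail to external address {address}"))

        # 2. Deleting or filing away anything that mentions money is the invoice-fraud setup.
        if keywords and actions.get("delete"):
            findings.append((name, f"deletes messages matching {keywords}"))
        if keywords and target:
            findings.append((name, f"moves messages matching {keywords} to '{target}'"))

        # 3. Parking mail in an unread folder, or pre-marking it read, hides replies from the owner.
        if target in SUSPECT_FOLDERS:
            findings.append((name, f"moves mail to rarely-read folder '{target}'"))
        if actions.get("markAsRead") and (target or keywords):
            findings.append((name, "marks matching mail as read so it never shows as new"))
    return findings


# Constructed sample: one legitimate rule, one attacker rule (single-character
# name, finance keywords, hidden folder) and one external auto-forward.
SAMPLE_RULES = json.loads("""
[
  {"displayName": "Newsletters",
   "conditions": {"senderContains": ["newsletter"]},
   "actions": {"moveToFolder": "Newsletters", "markAsRead": false}},
  {"displayName": ".",
   "conditions": {"subjectContains": ["Invoice", "Payment", "Remittance"]},
   "actions": {"moveToFolder": "RSS Subscriptions", "markAsRead": true}},
  {"displayName": "Backup",
   "conditions": {},
   "actions": {"forwardTo": [{"emailAddress": {"address": "archive.mailbox@gmail.com"}}]}}
]
""")

if __name__ == "__main__":
    for rule_name, reason in triage_rules(SAMPLE_RULES):
        print(f"[{rule_name}] {reason}")
```

The legitimate "Newsletters" rule produces no findings; the single-character rule is flagged three times and the Gmail forward once. Rule names of one character or a lone punctuation mark are themselves a common attacker habit, so worth eyeballing even when the actions look benign.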

Here are the lessons learned.

1) Enable MFA on any account that offers it. Not all MFA is created equal, e.g. we've seen breached mailboxes that had MFA with push notifications turned on: the attacker keeps triggering prompts until the user taps "Approve" just to make them stop. Prompts that require number matching, or a hardware security key, don't fall to that trick.

2) Review your processes. You should have a process in place for when a supplier changes their bank details, such as confirming the change by phone on a number you already hold, never one quoted in the email.

Do you have these things in place in your business?

Everything is Hackable

The recent Optus data breach may well have been preventable, and the way Optus handled the breach was average at best.

However, even if they did everything right, a data breach can still happen. ⚠️

The single largest Cyber Security risk in an organisation is its people 🤷. As long as there are people in organisations, there will always be a risk. Humans can make mistakes, be manipulated, tricked, and socially engineered.

The reality is, Cyber Security is about risk mitigation, not elimination. There is no silver bullet.

It's a common belief that Cyber Security is an IT responsibility and unfortunately, many organisations put blind faith in their IT provider or department and put their head in the sand with the attitude that the IT guys are across it 👩‍💻.

Unfortunately, many IT providers just aren’t across Cyber Security. They may just not have the resources to upskill, they haven’t prioritised it, or their clients just don't have the budget or see the value💸.

We were once there too.

The fact that their clients expect them to be 100% across it doesn’t help, and ultimately the IT guys will cop the blame in the event of a Cyber incident.

For Cyber Security to be effective in any organisation, it must be driven from within. It starts from the top down and needs to be ingrained in the culture of an organisation with everyone ensuring it's a forethought, not an afterthought.

IT plays an important role in Cyber Security, but not the only role. We can help mitigate the risks to your organisation by setting up your technology in line with best security practices. There are also risk areas that are not our expertise, so it's important we stay in our swimming lane 🏊.

Last year a supply chain breach of a remote-management tool used by IT providers resulted in a ransomware attack on the computers of an estimated 800-1,500 businesses worldwide, reached through the providers that managed them.

In that case, there might have been more that could have been done to prevent the infection, however, often the reason it isn't done is that the clients aren't willing to spend on necessary Cyber Security measures. This is the exact reason we have stopped selling most Cyber Security as a separate thing. It's just part of what we do.

I'm not blaming businesses either, as many just don't have the required information and understanding to make those decisions. Cyber Security is often complicated, and for many, it's simply overwhelming and they just don't know whom to turn to or where to start.

There is a lot we as IT providers, or the term I prefer, Technology Mentors, can do to navigate you through the complex and scary world of Cyber Security.

But we also can't force you to do it.

Until Cyber Security is legislated and becomes part of a Director's responsibility, which it should and will, things won't change quickly enough.

#cybersecurity #riskmanagement #business #beautifullysimpletech

Optus Data Breach – The Latest Advice on What You Should do if You’ve Been a Victim

What data was stolen?

According to Optus, the stolen data includes:

·       Names

·       email addresses

·       postal addresses

·       phone numbers

·       dates of birth

·       passport numbers

·       driver’s licence numbers

·       Medicare numbers

Contrary to some reports, passwords and financial information were not stolen.

However, this is a great opportunity for you to do some "spring cleaning" and improve your password and Cyber Security hygiene.

Firstly, get yourself a password manager, such as LastPass, so you can not only store all your passwords securely but also use the manager to:

  • Check how secure your passwords are

  • Ensure you’re using unique passwords for every site or service you’re subscribed to

  • Check to see if your email address(es) or commonly used passwords have ever been involved in a known breach. You can also check this at Have I Been Pwned.

DON’T make up your own passwords.

Password managers create random, unique passwords, and let you set the complexity and length.

We recommend:

  • Upper and lowercase characters

  • Numbers

  • Symbols (not all sites allow this)

  • 20 characters (not all sites allow passwords this long)

Set a complex and easy to remember master password for your password manager.

We recommend a sentence-style passphrase with upper and lowercase, numbers and a symbol. E.g. ILoveParisInSpring2022! shows the pattern to aim for. Don't use that exact example, though: anything printed in a blog post is already in the attackers' wordlists, and so is any phrase a friend could guess about you.
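Two of the recommendations above, generating passwords to a length and character-class policy rather than making them up, and checking a password against Have I Been Pwned, are easy to get subtly wrong, so here is an added example (not code from the original post) that does both offline. The breach check uses the k-anonymity scheme the Pwned Passwords range API is built on: only the first five characters of the password's SHA-1 hash are ever sent, the service returns every suffix it knows for that prefix, and the comparison happens on your machine. SAMPLE_RANGE_RESPONSE is constructed text in that API's format; the middle line is the genuine SHA-1 suffix of the string "password", but the counts and the other two suffixes are made up. A live check would GET https://api.pwnedpasswords.com/range/<prefix> and hand the body to breach_count().

```python
"""Generate passwords to the recommendations above and check a password against a
Have I Been Pwned "range" response without sending the password anywhere.

Added example, not the post's own code. SAMPLE_RANGE_RESPONSE is constructed
sample text in the real API's format (one "SUFFIX:COUNT" line per hash sharing
the 5-character prefix); the counts shown are invented.
"""
import hashlib
import secrets
import string

SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?"
CLASSES = {
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "symbol": set(SYMBOLS),
}


def generate_password(length=20, symbols=True):
    """Random password containing at least one upper, lower, digit and (optionally) symbol."""
    classes = [string.ascii_uppercase, string.ascii_lowercase, string.digits]
    if symbols:
        classes.append(SYMBOLS)
    if length < len(classes):
        raise ValueError("length too short to hold one of each character class")
    alphabet = "".join(classes)
    # One guaranteed character per class, the rest from the whole alphabet, then a
    # Fisher-Yates shuffle driven by the CSPRNG so the guaranteed ones can sit anywhere.
    chars = [secrets.choice(c) for c in classes]
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    for i in range(len(chars) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def meets_policy(password, length=20, symbols=True):
    """True if the password satisfies the length and character-class recommendations."""
    present = {name for name, chars in CLASSES.items() if any(c in chars for c in password)}
    required = {"upper", "lower", "digit"} | ({"symbol"} if symbols else set())
    return len(password) >= length and required <= present


def hibp_split(password):
    """Uppercase SHA-1 split into the 5-char prefix that is sent and the suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def breach_count(password, range_response):
    """Parse a range response for the password's prefix; return how many breaches held it (0 = none)."""
    _, suffix = hibp_split(password)
    for line in range_response.splitlines():
        candidate, sep, count = line.strip().partition(":")
        if sep and candidate == suffix:
            return int(count)
    return 0


# Constructed sample response for prefix 5BAA6. The middle line is the real SHA-1
# suffix of the string "password"; the counts and the other suffixes are invented.
SAMPLE_RANGE_RESPONSE = """\
1D2DA4053E34E76F6576ED1DA63134B5E2A:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1F2B668E8AABEF1C59E9EC6F82E3F3CD786:1
"""

if __name__ == "__main__":
    pw = generate_password()
    print("generated:", pw, "meets policy:", meets_policy(pw))
    print('"password" seen in breaches:', breach_count("password", SAMPLE_RANGE_RESPONSE))
    print("generated password seen:", breach_count(pw, SAMPLE_RANGE_RESPONSE))
```

Note that generate_password draws every character from the secrets module, not random, and shuffles with the same source; a policy check that only tests for the presence of each class, as meets_policy does, is what most sites enforce, which is why "ILoveParisInSpring2022!" passes it while still being guessable.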

For any sites or services you've subscribed to that offer multifactor authentication, turning it on is a must. Only certain sites force multifactor authentication on you, such as financial and accounting packages like Xero and MYOB.

For any others, the best thing to do is to Google “How to turn on multifactor for %INSERT SERVICE HERE%” and you should be able to find an FAQ page for that service explaining how to enable it.

This is your first line of defence!

Now, not all multifactor authentication is created equal. Some methods are more secure than others, e.g. getting a code sent to your email, or an SMS to your mobile, is not recommended: the code is only as safe as the mailbox or phone number it goes to, and phone numbers can be taken over by SIM swapping. This is worth a separate post. Watch this space!

However, some sort of MFA is better than nothing.  

What Else Should You Do?

Contact your local Road and Traffic Authority

The New South Wales, Victoria, Queensland, and South Australia governments have started clearing bureaucratic hurdles for anyone who can prove they are victims of the hack.

Each state has different laws and processes, so be sure to check out your local Road and Traffic Authority website for more information.

VIC: Information regarding Optus breach : VicRoads

NSW - https://www.service.nsw.gov.au/optus-breach 

QLD - https://www.qld.gov.au/transport/licensing/update/change-your-customer-reference-number

SA - https://service.sa.gov.au/news?a=1112633

ACT - https://www.accesscanberra.act.gov.au/s/article/Information-about-the-Optus-data-breach

WA - https://www.transport.wa.gov.au/aboutus/37546_48564.asp

TAS - https://www.service.tas.gov.au/services/me-and-my-identity/personal-information-card/impacted-by-the-recent-optus-cyberattack

Medicare

All the customers who have an unexpired Medicare card will be contacted by Optus. There are a further 22,000 expired Medicare card numbers that were exposed, and the holders of those cards will also be contacted directly. It's worth noting that Optus says personal information cannot be accessed using just a Medicare number.

Credit Reporting

Optus is providing one year of free Equifax credit reporting and identity and credit monitoring. Contact Optus for a code, then go to https://www.equifax.com.au/optus

Put a temporary ban on your credit reporting - this will block anyone from applying for credit in your name. Extensions to the ban are possible under certain circumstances, especially if you suspect you’ve been the target of identity theft or Cybercrime. https://www.equifax.com.au/eform/submit/credit-ban   

Banking

Make sure all your financial systems have multi-factor authentication. Surprisingly, and perhaps even shockingly, some banks and financial institutions don't force MFA on you, and some don't even offer it.

Contact your bank and notify them your data has been breached in the Optus breach and ask them to put a note on your file.

How do I replace my passport?

You can replace your passport by:

·       going through Passport replacement portal

·       picking up a form at a participating Australia Post outlet

·       contacting an Australian diplomatic or consular mission

Further Information

If you think you may be affected by the recent Optus data breach, contact Optus Customer Service on 133 937 or see the Optus Media Centre | Optus.

If you need assistance with taking these steps, please visit cyber.gov.au or call the 1300 CYBER1 hotline.

Be alert for scams referencing the Optus data breach. Learn how to protect yourself from scams by visiting www.scamwatch.gov.au.

If you are concerned that your identity has been compromised or you have been a victim of a scam, contact your bank immediately and call IDCARE on 1800 595 160. 

If your identity has been stolen, you can apply for a Commonwealth Victims' Certificate 

The following websites can help you protect yourself and stay informed:

·      Identity theft | Moneysmart

·      Identity fraud | OAIC

·       Report cybercrime | https://www.cyber.gov.au/acsc/report

·      Australian Cyber Security Centre Homepage | ACSC

·       Office of the Australian Information Commissioner

Complaints

If you have been affected by the data breach and wish to make a privacy complaint, you can raise this with Optus.

If you are unable to resolve your complaint with Optus, you may wish to lodge a complaint with the Telecommunications Industry Ombudsman. If you are unsatisfied with the outcome, you can lodge a privacy complaint with the Office of the Australian Information Commissioner.

Credit:

The Guardian Optus data breach: everything we know so far about what happened | Optus | The Guardian

Malwarebytes Optus data breach "attacker" says sorry, it was a mistake (malwarebytes.com)

ABC News Impacted by the Optus data breach? Here's how to replace your passport, drivers licence and Medicare card - ABC News

Australian Government Optus Data Breach | Australian Passport Office (passports.gov.au)