Are personal devices putting your organisation at risk?

Does your organisation allow employees to 'bring your own device(s)' (BYOD)?

A few years ago, the trend shifted from strictly company-issued devices to allowing employees to BYOD.

The motivation was simply convenience. With a surge in smartphones and devices, it seemed an easier choice for organisations to just allow users to use their own devices rather than issuing company ones for all staff.

Since the pandemic, this trend is reversing, and the main reason is the security and control of company data.

Simply put, it just isn't possible to completely secure access to company data for employees using personal devices.

There are some conditional access policies we can enforce for M365 accounts, which is better than nothing, but this is still not enough security.

Therefore, we currently provide clients with recommendations on how users can improve security when accessing company information. Still, they are simply recommendations, and without having full control over those devices, you're putting the organisation at risk.

The issue for those organisations that have allowed BYOD is the cost and project scale involved in replacing all personal devices with company-issued ones.

Microsoft has recently released Windows 365, which will deliver a full, personalised PC experience from the cloud to any device, giving workers and organisations power, simplicity and security for hybrid work.

Virtual cloud desktops are not a new thing for Microsoft. Azure Virtual Desktops (AVDs) have been around for years, but the configuration and costs have traditionally been quite complex, and therefore not offered by many IT providers.

AVDs are great when you have multiple users, as you can pool resources to save costs and, as you're charged by the minute, they won't cost you once shut down.

Windows 365 differs in this respect, as it is a fixed cost per month per virtual desktop, regardless of how much it's used.

For us and our clients, these two solutions are the answer to the BYOD dilemma for remote or offshore teams using personal devices, or if your organisation has part-timers, casuals or contractors, where it's difficult to justify the cost of company-issued devices.

Does your organisation allow the use of personal computers or phones?

Technology is becoming simpler and more easily accessible.

Whilst this is by and large a good thing, there are pitfalls.

Most businesses seek technology solutions as the answer to a business problem.

Anyone can use Google to research technology solutions, and many modern businesses do this and also implement the solution on their own without a solid selection and digital transformation process.

The result is that they set themselves up to fail, and the following things can happen:

- the technology isn't implemented successfully
- the technology doesn't get used to its fullest potential
- the team are often not trained in the new technology
- once implemented, the business realises there are key things it doesn't do
- if it's an app, it may not talk to other core apps in their business

Common Google searches might include:

- What is the best CRM?
- How can I best manage my emails?
- What is the best Antivirus?
- Which is better, Google Workspace or Microsoft 365?
- Should I use Windows or Mac?

These questions might sound familiar to you. You have probably asked at least one of them yourself.

The truth is, these are the wrong kind of questions to ask.

Hear me out.

As I often say, technology is no silver bullet.

If you ever find yourself asking this sort of question, I challenge you to go higher upstream. Or, as I like to call it, what's the 50,000 ft/m question?

What is the actual business problem you're trying to solve? Is it actually a technology problem, or could it be a process problem?

Technology is not going to fix a bad or missing system or process. In fact, without solid underlying processes in your business, your technology will just amplify your frustrations and pain.

Always start with your people in mind first, then the systems and processes before adding technology.

Once you've reviewed and refined your processes, it will be much easier to evaluate what technology will best fit into your business, rather than trying to fit your business around the technology.

So what's the best CRM?

Some better questions to ask might be:

- What do I want/need a CRM to do for my business?
- Do I need it just for customer relationship management or do I want to run campaigns? Or both?
- What features are must-haves/would be nice, but not essential?
- What missing feature would be a deal-breaker?
- Does it integrate well into my existing apps and email?
- Do I have a solid underlying process for managing clients right now?
- If I want to run campaigns, do I have a clear marketing plan in place?

And perhaps the best question of all:

Is this the most important thing I should be focusing on right now?

Or put another way:

Will it make the boat go faster?

Are you asking the right questions before implementing technology into your business?

Not all multi-factor authentication (MFA) is created equal.

While any MFA is better than none, there are different levels of security risks associated with the various types of MFA that are available to secure your online accounts.

We at Infinite Edge are on a mission to make businesses more cyber intelligent, and part of that is cyber security intelligence (CSI).

So I thought I would break down the different types of MFA available, and the various risk levels associated with each.

🔑 Email authentication

This is the least recommended version of MFA and belongs in the one-time password (OTP) category. If a hacker or scammer has access to your email account, it's simple for them to circumvent MFA by getting the code sent to your compromised email account.

🔑 SMS authentication

There have been a number of documented cases where hackers steal someone's identity or trick the customer service representative from the victim's phone provider into locking the owner out of the account. Then they port the mobile number to another carrier and get the MFA code sent to themselves.

🔑 Push Notifications

This was very commonly recommended by IT providers in previous years due to its ease of use, i.e. instead of entering the six-digit OTP MFA code every time, you receive a push notification to your authenticator app asking you to approve or deny the login.

Uber suffered a well-known breach due to an MFA fatigue attack, i.e. the hackers sent continuous MFA prompts to the victim until they eventually hit approve.

In some cases, users may accidentally hit approve when prompted.

🔑 Number match

As a result of the risks associated with push MFA authorisation, companies such as Microsoft introduced number matching. Essentially, this adds an extra step to push authorisation and asks the user to enter a matching two-digit number on their authenticator app.

Microsoft has recently announced they are forcing this on push notification MFA setups from Feb 27 2023.

🔑 Passwordless Authentication

For Microsoft users, even better is passwordless authentication. If you don't have a password, then it can't be compromised.

The way passwordless authentication works is the user enters their email address, and then they are prompted by the MS authenticator app to number match the displayed two-digit code.

We've begun rolling this out to all our clients, and it's a game changer.

There are also biometric MFA and hardware USB keys. The former is not recommended to fully replace OTP MFA due to reliability and stability issues, and the latter, whilst considered probably the most secure type of MFA, is costly and the keys can be lost or misplaced.

Unfortunately, sometimes you're at the mercy of whatever MFA solution is offered by the online service. Whilst not ideal, as I said earlier, any MFA is better than no MFA.

What MFA authentication are you using?

Humans are always the weakest link when it comes to cyber security

I thought, being Friday, I might take a bit of a light-hearted approach to highlighting one of my favourite topics: the human risk of cyber security.

I'll let the video speak for itself. I've shared this before, but it's worth another share. Now, this is an ad for Cisco Cloud Lock, which I'm not affiliated with, but their ads are clever, relevant, and relatable.

Whilst it highlights real-life risks, it does miss the mark, giving you the impression that their service is the silver bullet that will protect us silly humans from ourselves and the business.

This simply isn't true. Nothing will protect you or your business 100% from data breaches or cybercrime.

There is no silver bullet when it comes to cybersecurity.

Contrary to popular belief, and security vendors with ads like these don't help the matter, cybersecurity is not just an IT problem. IT is not your only line of defence. A successful cyber security strategy has to be owned and driven from within an organisation. It needs to be a "done with you", not a "done for you", approach.

Cyber security is everyone's responsibility, and if your organisation isn't focusing on the human factor with regular education of your team and security awareness training, you are exposing yourself to massive risk.

Just start with one thing.

Here are some simple action items for you:

1. Check whether you’ve been involved in a breach at Have I Been Pwned.

2. If you have been breached, get a good password manager to randomise and store your passwords. You shouldn't be creating your own passwords. And contrary to popular belief, changing your passwords regularly is not recommended, unless you know they were involved in a breach. Good password managers like LastPass keep an eye out for any breaches you might be involved in. And think of all the headspace you'll free up by not having to remember passwords!

3. Turn on MFA for all your cloud accounts or apps. If you don’t know how, simply Google “Turn on MFA for <insert cloud app here>”.

4. Secure your devices. If you’re using a personal device for work, which you shouldn't, then start with something as simple as creating a separate login that doesn’t have admin rights on the computer you’re accessing work information on.

5. Update your apps! Many updates address security risks or flaws. Yes, they can be annoying, but why put yourself and your business at unnecessary risk?

And finally, because it's topical: if you are or were a Medibank or AHM customer, the Australian government has released a fact sheet on what you should do next. https://www.homeaffairs.gov.au/news-media/archive/article?itemId=961

What simple change can you make today that will improve your cyber security?

Are partnerships part of your lead generation strategy?

We're working on some exciting partnership opportunities with some amazing entrepreneurs both in the Abundance Global community and also within my network.

I know there are many people and businesses doing it tough right now, and my heart sinks when I hear stories of businesses closing their doors virtually overnight.

But, if you can manage to shift your state, and get into a positive mindset, what I've found is that there are opportunities to work together and do great things, or help those that need it most.

Never before have I seen so many business owners open to discussions around joint ventures or partnerships.

There is so much talent out there, and now more than ever people are so open, vulnerable, and despite everything, their resilience is nothing short of inspiring.

After all, we are entrepreneurs. Being blindsided is not a new concept for us. Maybe not this mother of all blindsides, but we will prevail, and we will persevere, and we will learn powerful lessons out of all this.

Every conversation I've had, I have either been able to help them or have been helped or coached in some way.

Imagine what we could achieve if we worked more closely together?

So we've decided to double down on partnerships. One of my weekly critical drivers is to have at least four partnership touchpoints per week.

We're fortunate to be in an industry where we are probably one of, if not the most trusted advisers a business has. This gives us the opportunity to introduce our partners to our clients if they are in need of a product or service that will help their business thrive.

We refer bookkeepers, accountants, lawyers, web and app developers, systems consultants and sales consultants to our clients, to name a few of our awesome partners.

If you're struggling to work out who would be a good partner for your business, ask yourself one simple question:

Who deals with your clients before and after you do?

United, we have the power to change the world.

Are you nurturing your business partnerships?