Be very careful when opening up emails, as many cyber attacks come in via cleverly disguised emails.
Damien Battersby
SMART-Connect Business Advisor Damien Battersby from Proactive IT Solutions explains:
- Why you need to be prepared for the new Notifiable Data Breach scheme that the government is bringing in early next year and how this relates to IT security;
- Why cyber criminals are focusing on small and medium business more and more and what the threats are;
- Simple things you can do in your business to reduce the chance of being impacted by cybercrime.
Summary
What is the Notifiable Data Breach Scheme and why do we need to be aware of it and prepared for it?
- The Scheme is a Government initiative to do something about cybercrime
- It applies to businesses turning over more than $3 million per annum
- If a cybercrime happens in your business and it involves theft of private data, then you have to follow set notification processes to inform:
  - The people whose data was involved
  - The relevant Government office
Why are cybercriminals focusing more on small to medium businesses and what are the threats?
- Why? Probably because it’s easy. SMEs are not as well protected as big businesses; they don’t have the staff or the resources.
- What are some of the threats?
  - Ransomware is a big one – it generally comes in via email
  - Phishing attempts (where an email tries to trick you into going online and typing in personal information)
  - Hacking: once attackers are in, they can encrypt your files or use your systems to launch attacks on other companies
What are some of the measures we need to have in place to avoid these things happening?
- Password security is the first thing to be careful with
  - Use a password manager to store and protect your passwords
  - Set complex passwords of at least 12 characters
  - Change your passwords about every three months
  - Be careful what you use as secret questions
- Be careful what personal information you post on social media
- Educate your employees on an ongoing basis
- Don’t connect to open wireless networks unless you have good security measures in place
  - Best advice is to use a VPN solution if using open wireless networks
  - Alternatively use your mobile phone data plan
- Make sure your software packages and your operating systems are fully up to date and all critical patches have been applied
- Keep your web platforms (like Joomla and WordPress) up to date
- Back up all your critical data and test your backups regularly
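The last point, testing the backup, is the one most businesses skip: the job reports success, but nobody checks that the files come back out intact. The script below is an added example, not code from the podcast or from Proactive IT Solutions, of that restore test: it backs up a directory, records a SHA-256 hash of every file at backup time, reads each file back out of the archive and compares it, and flags a silently damaged archive or a file that was never captured. The sample files and archive names are constructed for the demo.

```python
import hashlib
import tarfile
import tempfile
import zlib
from pathlib import Path

CHUNK = 64 * 1024


def _sha256_stream(fh):
    """Hash a file-like object in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    for chunk in iter(lambda: fh.read(CHUNK), b""):
        h.update(chunk)
    return h.hexdigest()


def make_backup(source_dir, archive_path):
    """Write a .tar.gz of source_dir and return the manifest {relative path: sha256}
    recorded at backup time. Keep this manifest away from the archive itself; it is
    what every later restore test is checked against."""
    source_dir = Path(source_dir)
    manifest = {}
    with tarfile.open(archive_path, "w:gz") as tar:
        for path in sorted(source_dir.rglob("*")):
            if path.is_file():
                rel = path.relative_to(source_dir).as_posix()
                with path.open("rb") as fh:
                    manifest[rel] = _sha256_stream(fh)
                tar.add(path, arcname=rel)
    return manifest


def verify_backup(archive_path, manifest):
    """Restore test: read every file back out of the archive, hash it, and compare it
    with the manifest. Returns a list of problem strings; an empty list means the
    backup restores cleanly. An unreadable archive is reported, not raised, so a
    scheduled run can log the failure instead of crashing silently."""
    problems = []
    seen = set()
    try:
        with tarfile.open(archive_path, "r:gz") as tar:
            for member in tar:
                if not member.isfile():
                    continue
                seen.add(member.name)
                digest = _sha256_stream(tar.extractfile(member))
                expected = manifest.get(member.name)
                if expected is None:
                    problems.append(f"unexpected file in backup: {member.name}")
                elif digest != expected:
                    problems.append(f"content mismatch: {member.name}")
    except (tarfile.TarError, EOFError, OSError, zlib.error) as exc:
        problems.append(f"archive unreadable: {exc.__class__.__name__}")
    for rel in manifest:
        if rel not in seen:
            problems.append(f"missing from backup: {rel}")
    return problems


def demo():
    """Constructed sample: three 'critical' files, a good backup, a truncated backup,
    and a manifest that lists a file the backup job never captured."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "data"
        (src / "accounts").mkdir(parents=True)
        (src / "clients.csv").write_text("id,name\n1,Example Pty Ltd\n")
        (src / "accounts" / "ledger.txt").write_bytes(b"\x00" * 200_000)
        (src / "notes.md").write_text("constructed sample data for the restore test\n")

        archive = Path(tmp) / "nightly.tar.gz"
        manifest = make_backup(src, archive)
        good = verify_backup(archive, manifest)

        # The silent failure from the transcript: the job "ran", but the archive on
        # disk is damaged (simulated here by cutting it off half way through).
        data = archive.read_bytes()
        archive.write_bytes(data[: len(data) // 2])
        truncated = verify_backup(archive, manifest)

        # A file the business thinks is backed up but that the job never included.
        manifest_with_extra = dict(manifest, **{"payroll.xlsx": "0" * 64})
        fresh = Path(tmp) / "again.tar.gz"
        make_backup(src, fresh)
        missing = verify_backup(fresh, manifest_with_extra)
    return {"good": good, "truncated": truncated, "missing": missing}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "OK" if not result else result)
```

Run on a schedule against the real archive and manifest, the non-empty lists are what should page someone, long before the day the backup is actually needed.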
Full transcript
Annemarie : I’m your host Annemarie. According to the 2016 Symantec Internet Security Threat Report, cyber attacks against small business have increased from 18% in 2011 to 43%, which I’m sure you would agree is a significant increase, which means we all need to be on alert. Now, Damien Battersby is the founder and managing director of Proactive IT Solutions, an IT company focused on helping business owners improve their bottom line through best practice technologies. By focusing on the business strategies, and taking a proactive approach, Damien offers more to his clients, maximizing their business performance through their IT systems.
His clients enjoy less down time, higher returns on technology investments, and more profits. Now, along with technology Damien is also passionate about business particularly what he calls, Client Experience. The theory behind this is that by focusing on delivering a consistent, awesome client experience, you’ll have more loyal clients.
Now, on today’s show, Damien is going to speak about, why you need to be prepared for the new Notifiable Data Breaches Scheme, that the government is bringing in early next year, and how this relates to IT security. Why cyber criminals are focusing on small and medium business more and more, and what the threats are. As well as, simple things that we can do in our business, to reduce the chance of being impacted by cyber crime. Welcome to the show Damien.
Damien : Thank you Annemarie.
Annemarie : I only have to recall, I think it was, goodness, I think it was a month or so ago, when cyber crime hit many companies over in the UK. I think, thankfully at that stage, no businesses were impacted here in Australia. But it is getting scary, isn’t it?
Damien : It sure is, it’s certainly out there at the moment, and this year we’ve seen a big rise in the incidences happening and big news worthy ones, where big companies are being affected. Hospitals, manufacturing firms, international companies, it’s unbelievable.
Annemarie : I remember, oh goodness, it would have to be, I think last year sometime. We were visiting one of our property managers up in Queensland, and their entire, I won’t say who it was, but their entire office was down technology wise, because unfortunately one of the admin assistants inadvertently opened an email attachment, and it took days, if not weeks to get back online.
We really do need to be wary. Now, talk about the new Notifiable Data Breach Scheme, what is it, and why do we need to be aware of this, and prepared for it?
Damien : Yeah, look, it’s something that the government’s bringing in February next year, and really what it’s saying is, the government’s putting us all on notice. They’re seeing a rapid rise in cyber crime in Australia, and they want to try and do something about it.
In particular cyber crime has a big impact on privacy, and a lot of data breaches involve personal, private data being stolen by cyber criminals. Then that can be used as identity fraud or sold on to third parties for a profit. If you get your identity stolen, it can make your life very difficult, obviously.
Annemarie : Absolutely. I know that there are obviously larger companies, such as, banking, the government themselves, I think they are as an organization, the largest holders of privacy information, I’m sure they’ve got themselves on the list. But if we think about our small business, how is it going to impact us? Is this going to be copious, more … well, to obviously, technology and things in place that we need to have, to secure data that we have on our customers?
Damien : The scheme at the moment, is going to apply to any business turning over more than three million dollars a year. That’s going to be the majority of businesses out there. What it means is if you have a cyber crime happen in your business, and it involves private data being stolen, you have to go through a certain process to notify, not only the people whose data was involved, but also the government office in charge of managing this. And basically let them know what’s happened, and also let them know what your strategy is to manage it going forward.
Annemarie : Just give me an idea, if you know, who put this together? Was it a combination of organizations, is this a good thing, or is it going to be just another onus on businesses?
Damien : Well, you do have to think about this, and a lot of small businesses don’t think IT security, and they don’t think about the what-ifs, if something happens to them, they hope they won’t get hit. Yes, it is another layer, another thing you have to think about, but I don’t think it’s a bad thing. The possibility of you having a cyber breach is fairly high, unfortunately. You need to put some things in place to protect yourself, but also be aware that if something does happen, what are you going to do to recover from it and move on as a business.
I think it’s just, the government as a whole is seeing, like I said, a really large increase in cyber crime in Australia and they’re having to do something about it, because people’s privacy is being affected. People’s data is being stolen and used. If you’re dealing with a company you want to know that they’re, A looking after your data, and B you want to know if something happens to that data.
I think that’s been the issue there, Annemarie, is that people’s data has been stolen by cyber crime, and these companies have not done anything about it, to warn people. It’s a very serious thing, if suddenly you would go online to do banking one day and you find that you can’t because your identity has been stolen, it’s very serious. You want to know how that’s happened and why.
Annemarie : I think from the point of view too, of our business, we want to make sure that not only are we now putting measures in place to report it, and obviously, allow people to know that this has happened. But even before that, have processes, protocols in place, to avoid ever being in a situation where we do need to then roll out what we have in place, to alert people to the fact that data has been stolen. Because businesses have been crippled, haven’t they?
If they are being attacked, their businesses often cannot access any of their data, therefore, many of us rely on our computer systems to be able to operate.
Damien : Absolutely. Unfortunately we see it almost every week. We hear in the news where clients … and the big one is obviously the ransomware viruses, that have been in the news of late. You get one of those in your network, they will encrypt all your company data. Really, the only way to restore that is go to your backup, bring the data back, and while you’re doing that, your service is down, you can’t get access to data.
For some companies that have got large volumes of data, that can be a couple of days of recovery. Imagine shutting your business down for two days, that’s a massive expense. You’ve got lost labor, lost productivity, as well as, lost income from not being able to do your business.
Annemarie : It really is, I think, an initiative that is going to benefit everyone in the long run, because some of these ransomware once it opens up over viruses, it just spreads like wildfire, and before you know it, unfortunately, many businesses are impacted.
Why do you think that cyber criminals are now focusing on small to medium size businesses, more and more, and let’s talk about what some of these threats are?
Damien : Well, I’ll answer your first question Annemarie, why are they focusing on small, medium business? Well, probably because it’s easy. Corporates have got big IT departments, they can afford to put a whole security team in place, to help protect their IT and their business. But for a small and medium business, it’s often a lot harder to get access to those expert people, and then they don’t want to spend the money, they think, “We’ll be fine, we’ll manage without it.”
Until they get hit, and then they realize how critical, and important it is to think about. It’s like all these things, small and medium businesses are easy targets for cyber criminals, because they haven’t put the things in place to protect themselves.
Annemarie : Let’s talk about what some of these threats are?
Damien : Yeah, obviously, ransomware is the big one, and most ransomware attacks come in and out of our email. We’ve all seen those emails that look legit, but are in fact not, and they take you to a site that looks like, maybe, PayPal or Google login or something, and in fact they’re either harvesting your details, or making you download some malicious code that when it runs, then starts to encrypt stuff, and do all sorts of damage in your system.
Ransomware is definitely one of the biggest ones, and that’s the one we see probably most commonly. But certainly the phishing attempts, and that’s where an email is sent to trick you into going online, and typing your personal information in. Banks and stuff will talk about this a lot, they’ll never send an email asking you to login and put all your information in. If you ever go to your banking sites or independent link and enter your information in, so that you know you’re logging into a proper legitimate site.
They’re the two main ones, we don’t see so much hacking, but we do have a few clients, unfortunately, who have terminal service, remote service, and they have been targeted by cyber criminals. They’ve been hacked into, and once they’re hacked into, they can use them for all sorts of nasty things. They can encrypt your files, they can use them to launch other attacks onto other companies, they can do lots of nasty things.
That’s probably the third one we’re seeing quite a lot as well.
Annemarie : One of the things that happened to one of the people that I follow, she had a huge following, I’m talking half a million followers on one particular social media profile, and many across others. One of the things that happened was, she wasn’t careful in how she protected her passwords. Hackers were able to determine what her passwords were, and then were able to hack in.
You could see, every time you refreshed her Instagram account, they were deleting hundreds of posts that she created over the years. For many businesses who are spending a lot of time, and energy, and money on building an online profile, particularly across some of the social networks, this is valuable. To have that be destroyed, almost within 24/48 hours, and it turned out to be young kids, who were very good at, obviously, technology and basically, again, held her to ransom.
If you pay us X amount of money, we’ll restore your accounts. The FBI was involved, in all that kind of thing too. Talk about some of the measures that we need to have in place, to avoid anything like this happening.
Damien : You talk about the password thing, Annemarie, and that is certainly something we talk to our clients to a lot about, because people don’t understand the importance of managing their passwords, and really protecting their online accounts. Many of us, we’ll sign up to a new service, we’ll put a username and set a password, and not really think about that any further.
But unfortunately, all these online services, they’ve got the potential to be hacked, and have your details, basically stolen. And if you’re using the same password for all your online accounts, you’re putting yourself at incredible risk. There’ve been some messy breaches in recent history. I’ve got LinkedIn that’s been hacked, obviously, Yahoo’s been hacked, Dropbox, Netspace, the list goes on. Most of us would have an account somewhere in there.
Password security is certainly the first thing to really be careful with. That’s in some ways a very cheap thing to do, but a lot of people don’t think about doing it. I would recommend using a password manager, something like LastPass, it actually saves your passwords for you, and inserts them in when you go to an online portal.
Set passwords that are complex, lots of random characters, and at least 12 characters. It makes it a lot harder to have your accounts hacked.
Annemarie : With LastPass, for people who haven’t heard that, how do they access that?
Damien : It’s really great, it has got a free version, so you basically go to LastPass, do your search with Google, you’ll find them, you can sign up for free. Once you’ve signed up you install an add-in, whatever browser you use, Firefox, or Chrome, or IE. It will actually detect when you login to a site, and ask you to have that site saved as a LastPass site. Then next time you go there, it will automatically insert your username and password for you. It will synchronize across devices, so if you’ve got multiple computers, or you’re running Fire, or an iPad, that sort of thing you can have them all synced up.
Essentially, I just have to remember the password to my LastPass account, and I can let it save everything else for me. I did a count a little while ago, I have over 100 online accounts, that I access fairly regularly. Trying to remember a hundred different passwords, which is what you should be doing, is impossible.
Annemarie : LastPass, do a Google for that, and certainly sign up for that. How often then would you say, it’s important for us to change our password? Is that something that LastPass reminds us of, or is there a set time that you recommend is good?
Damien : The best practice is probably every three months. LastPass will tell you if you’ve got too many passwords that are the same, or too simple, and yes it will tell you, you haven’t changed one for a while. It’s a really good tool for keeping on top of that sort of stuff. The other thing with passwords is, a lot of accounts now, or online accounts have ways to recover your password.
Really be careful about what you use as the secret questions. If you’ve got online social accounts, and you’re talking about your children, your pets and stuff, it doesn’t take anybody too long to figure out that, maybe your secret question is your dog’s name, or your firstborn’s name, something like that.
You’ve gotta be really careful about those secret questions, ’cause that’s another way people can have their accounts hacked really easily.
Annemarie : The example that I mentioned about that person I was following online, that is exactly how they got her passwords. They were the same across all her accounts, and it was something that was personal, that they were able to piece together through what she shared.
You know some of those things that go around for fun, the 20 questions about you, getting to know you better. That kind of information is a goldmine for these hackers, isn’t it? Because they just … nothing stops them from putting it into a file, and then just compiling more and more info, until all of a sudden you’ve provided them a lot of private information.
Damien : Absolutely. It’s almost too easy for them these days, they can go online find a lot about you, some people even have their date of birth and stuff, up on their social media, which I would never do. They can put your date of birth, and it’s just a matter of the software that they use to hack these things, they just use combinations of your favorite pets and that sort of thing, and before long they can hack-in.
You really have to think about this thing, a lot of people post stuff on social media, and they’ve got it public, they don’t think about those things. But they can be used against you very easily.
Annemarie : That’s passwords, what would be something else that we need to be mindful of in order to reduce the chance of being impacted by cyber crime?
Damien : Well, for me the next thing is your employees, your team, and that’s about education. And again, that’s a fairly inexpensive thing to do, and it can have a big impact. You want to make sure that everybody’s aware of what to look for in an email, make sure that they don’t click on anything in an email, unless they double check that it’s okay.
Like I said, most stuff these days seems to come through emails. Some simple team education, if you’re not able to run it yourself, get your IT support people in, and they can run through some really easy things people can check, that can save really a lot of heartache. If you’re not sure about things in emails, then have someone else look at it, or send it to your support people, and they can check it and confirm whether it’s legit or not.
I think team education is probably the next one on the list for me.
Annemarie : The other example about our property manager that, that was exactly what happened. One of the younger team members looked at an email that was coming in, it looked very innocent, as soon as she clicked it, off it went, and they found themselves in all sorts of strife.
Because of the fact that cyber crime can change constantly, this is something that we really need to keep up to date on, and therefore, regularly keep our staff informed, yes?
Damien : Yeah, absolutely. The methods that they’re using, they aren’t changing a whole lot, but certainly with, let’s say emails, you’re seeing new ones come out. So, anytime you see the emails that look like they’re from the ATO, you see the ones from the utility companies. Certainly they are to recognize those, and almost every month they get better and better looking, and even experts can have trouble ascertaining whether they look legitimate or not.
I think it certainly requires a constant education process, and also people tend to forget, we are all so busy, you know, day to day lives. Everyone almost has too many emails coming in, so you get busy and you forget sometimes to check those things. I think constantly reinforcing it, is something that’s really, really important.
Annemarie : Emails, you’ve spoken about can be very dicey particularly attachments that, as you say, can be malware or ransomware. What about if some of us do allow our team, on their lunch breaks, to access some of the social media sites like, Facebook, and so forth?
Sometimes people can pick up all sorts of nasty things by clicking on links that are shared by their friends on Facebook, yes, or other platforms?
Damien : Yeah, absolutely. It’s the same sort of thing, be really, really careful before you click on stuff. With Facebook I have it, but I don’t really use any of their apps or anything extra. ‘Cause first of all, it’s probably junk, but I just don’t know where they’re from.
You can’t trust them, and you might allow your team to use those social media platforms, but you might say, “Don’t use them to install anything, or add any apps to your Facebook. It’s not safe, but do that on your own computers, where you know that’s not going to impact on the business.”
Because you’re right, that is a way that cyber criminals can find a way in. And again, your guard’s down when you’re on Facebook, you’re looking at your feed. You’re clicking on things that people have shared, and again, you can click on something that’s not legitimate, very easily. Get yourself into a lot of trouble.
Annemarie : Yeah absolutely. If it’s your own, if they’re at home and it’s their own computer, well then obviously you’ve got that one computer, which you need to then implement some IT protocols. But if you’re thinking about a business, you’re often networked amongst the team, and it can go back to your server, which unless of course, you think of these things, you just don’t realize until all of a sudden something happens, and then it’s obviously too late.
What are some other things we need to be aware of?
Damien : Well, the other thing is, if you’ve got employees that travel on the road, and use laptops, and phones, and stuff. Make sure they’re not connecting to open wireless networks, unless they’ve got some good security measures in place. Wireless networks, especially open ones, are really a dangerous thing to do. People can basically create hotspots that look legitimate, and you can connect up to it thinking you’re connecting to your cafe’s hotspot, but you’re actually transacting on somebody else’s device, and they’re collecting all your passwords, and information without you realizing.
I tell people if they want to use a free hotspot, they should really use a VPN solution, so that when they do connect all of their traffic is encrypted it can’t be seen by anybody.
Annemarie : How does someone know the difference between, a VPN solution? Is there a code, or how does that work?
Damien : Well, the way a VPN works is essentially you dial into another computer somewhere else, and it creates a secure tunnel. The big problem with an open wireless network is your details can be gathered, because they can either be unencrypted, or someone could be … if you start logging into a banking site, they can put a pretend banking site up, that collects your username and password without you realizing.
If you put a VPN in place, you’re going to be able to bypass that stuff. It’s a subscription, some of them are free, but the better ones do cost some money. Not a lot of money, maybe 15 dollars a month. You simply run the software when you connect, and it then encrypts everything, and you know that you’re going to be safe, when you’re browsing on that open network.
As a rule I’d probably stay away, most of us have got pretty good mobile phones, or data plans that we can use for use of data when we are out-and-about.
Annemarie : I remember someone mentioning, that when they go to, sometimes, the local supermarket or even the large chains, they often offer free wifi. They say, “I never log into that.”
Is that something we really need to be cautious about too?
Damien : Absolutely, even if you are logging onto a legitimate network like at the supermarket, guarantee they’ll be collecting your personal information anyway. Because, why are they offering it for free? It’s not just because you’re a great customer, because they actually want to gather intel on you. They might want to-
Annemarie : Shopping habits or what have you.
Damien : They can do all sorts of stuff now, and that data they get is really for them with marketing and stuff, as a rule, don’t do it, because you just don’t know what they are going to be using your device for.
Annemarie : Are there any other things? I mean, probably, lots and lots of things, but what are some other things that you find people really get themselves into strife, because they don’t have any protocols in place?
Damien : Well, the other thing that has been with the latest ransomware ones is patching. Critical updates to, particularly, Windows computers, but making sure that your software packages, and your operating systems are fully up to date, with critical patches. Because if you don’t you could be leaving yourself open to a security hole, which could land you in some strife. That’s a fairly simple thing to do, in a smaller network. Obviously in a bigger one, you gotta have that managed better, and make sure it’s done.
But yeah, a lot of people out there don’t think that doing software updates is important, but it’s absolutely critical in patching up these holes, because cyber criminals use these things to gain access. Again, once they’re publicized, cyber criminals will use them, because they know people will be slack in going through and installing those updates.
Annemarie : I also heard too, particularly on certain websites, and you know we’ve got plugins on various websites, we need to keep that all up to date too, because any gaps can also allow people to hack-in, and again, finding yourself in strife.
Is that something that you see too?
Damien : Yeah, absolutely. And you know, the big web platforms like, WordPress and Joomla you’ve gotta keep them up to date, as they release a critical patch you have to install it. Because if you don’t, now we’ve seen it time and time again, people don’t do that and then their site gets hacked.
If you’ve got a hacked site, essentially you have to restore that from your backup and if you rely on your website being up to generate sales traffic or to communicate with your clients, it’s not a really good look if it’s down for a couple of days while you get it fixed.
Annemarie : Yeah, absolutely. You’ve mentioned this a number of times and I just want to talk about this, because often, I’m talking about a backup, often you’ll either hear someone have to say, “You know what, we haven’t been keeping up to date regular backups.” Again, they find themselves in trouble when they have to rely on that.
But I’ve also heard horror stories where companies were backing up, thinking they were doing the right thing, yet when they had to restore from the backup, all of a sudden they’ve realized that the backups they had been taking weren’t really working properly, and they were in all sorts of strife.
What things can you speak about around backups, to really make sure that what we are backing up is the right thing, and it’s working?
Damien : There’s nothing worse, is it, than thinking you’re doing the right thing. Backups are one of those classics where you don’t want to have to test it when you really need it. Unfortunately, a lot of businesses do that, they never test. That’s really the thing you can do, is actually test it by recovering a file, and doing that regularly, so you know your backup is working.
You can also have your backup monitored by a third party, we do that for our clients. With the products we sell, we actually have our products verify the backups daily. We can say if there’s an issue, and if there is, get it resolved straight away. Because you don’t want to be in that position where, you gotta recover when these cyber threats happen, and you get impacted. Usually you have to recover all your data, you need to know you can recover all your data, and you need to know you can recover your data from a timely point.
You don’t want to have to go back to last month’s backup, and lose a month’s worth of data, because for some reason it wasn’t working.
Annemarie : Or inadvertently, we’ve been backing up and we don’t realize that we’ve had a virus sitting there waiting, dormant or whatever you call it, the backup we were going to restore, sorry you have to go back even further, because your system was compromised.
Damien you have been an absolute wealth of knowledge, we could continue talking, I know for a whole hour on this and just kind of cover the surface. Share a little bit more about the services that you offer, because I know we’ve only just touched the surface, and this is really important.
Give people a little bit of an overview of who you are, what do you offer, and then of course how people can get in contact with you.
Damien : Yeah, absolutely, Annemarie. We look after IT for small and medium business. Really we are your one stop shop for all your IT needs. We do day to day support, we do upgrades to hardware, we do software upgrades, help people move to the cloud. We’re doing a lot of work now with high-tech security. Focusing on the security side of things, if you’re a bit worried about your IT security, we can come in and do a free review, we can have a look at what you’ve got and provide you with an idea of any weaknesses you might have there or anything you might need to look at improving, and that way at least you can put in a plan to improve your security and make sure you’re not a sitting duck.
We also do a general IT review, which can look at things like, How are your systems running? Are they running well? What’s your overall efficiency? A lot of people are doing manual processing nowadays, when they can actually make that a little more electronic automated thing.
That’s some of the things we do. We help a deep range of clients, everything from a two-person business, right up to 100 PC business. We are in lots of industries, we’ve got lots of experience looking after lots of different types of businesses out there.
Annemarie : Fantastic. What’s your web address? How can people get in contact with you?
Damien : People can go right to our website, which is, proactiveitsolutions.com.au, and there’s a contact phone on that, that they can use to contact us. We’ve got lots of information on there, we’ve got what we call, inside articles, which is lots of articles giving some advice on lots of different areas. Quite a few on security, and the cloud, and that sort of thing. It might be an interesting read if you’re looking to learn more as well.
Annemarie : Yeah, fantastic. Of course that website again, proactiveitsolutions.com.au
Associated Best Practice Benchmarking Statements
BEST PRACTICE BENCHMARK: We have a comprehensive IT security program in place including a backup system that is tested weekly and a multipronged best practice CyberProtection strategy that protects us from current and emerging Cyberthreats. #Technology #Risk
IT Systems and Security Advisor
Damien Battersby is founder and managing director of Proactive IT Solutions, an IT company focused on helping business owners improve their bottom line through best practice technology. Over the past 15 years, Damien has worked with hundreds of small and medium business owners helping them get the best from their business through better technology.
By focusing on the business strategy and taking a proactive approach, Damien offers more to his clients, maximizing their business performance through their IT systems. His clients enjoy less downtime, higher returns on technology investments and more profits.
Along with technology, Damien is also passionate about business and particularly what he calls ‘Client Experience’. The theory behind this is that by focusing on delivering a consistently awesome client experience, you will have more loyal clients who spend more and never question your pricing. This of course translates to a better bottom line. Damien believes that by choosing the right technology, maximizing client experience can be systemized enabling a repeatable best practice "Client Experience".
The SMART-Connect Podcast is one of the ways that SMART-Connect Alliance business advisors and business specialists share key information, business insights, strategies and case studies with their clients and alliance partners, ensuring they are kept up to date with important news, ideas, risks and opportunities that can impact their business.