This document has been created and maintained since July 2020 to provide insight into the potential security risks that Australian businesses and individuals face, and the systems they need in order to better protect and prepare themselves against cyber security threats.
Information & Communications Technology (ICT) has become ingrained in our professional and personal daily lives. We all rely on some form of ICT system daily (or even hourly), which has brought a new threat into our lives in the form of criminal ICT activity.
For as long as we use ICT systems, there will always be a risk of an attack resulting in personal or professional, sensitive or critical information being accessed and used maliciously. Attacks can be carried out for any reason, such as personal revenge, financial gain, political beliefs or personal gain. It is the responsibility of all stakeholders to ensure these risks are mitigated, prevented or promptly acted upon; as an information & communication technology provider, it is our responsibility to spearhead the direction taken in mitigating these risks.
Notable past examples include a loss of data where a company did not plan for staff acting maliciously, resulting in the loss of thousands of dollars in revenue and eventually having to close its doors. Alternatively, financial gain for criminals can come about from not including an additional security layer such as two-factor authentication (2FA), resulting in millions of dollars of misappropriated company funds.
Although organisations face different levels of security threat, there will always be potential security threats, and the industry, company size and critical information involved will dictate how these risks must be managed.
Criminal ICT threats are potential threats to any company’s ICT infrastructure. In this document, a Criminal ICT threat is defined as a potential computer or network oriented crime, involving either a computer or a network as the device used to commission a crime, or as the target of a potential crime. This involves:
2.1. Cyber Attacks
A Cyber Attack is defined by the Internet Engineering Task Force (IETF) as an assault on system security that derives from an intelligent threat, i.e. an intelligent act that is a deliberate attempt (especially in the sense of a method or technique) to evade security services and violate the security policy of a system.
A Cyber Attack involves a person, process or group known as the Cyber Attacker, which can be commissioned by an individual, group, society or organisation, potentially originating from an anonymous source.
2.1.1. Distributed-Denial-Of-Service (DDoS)
A Distributed-Denial-Of-Service (DDoS) attack is a malicious attempt to disrupt normal traffic of a targeted server, service or network by overwhelming the target or its surrounding infrastructure with a flood of internet traffic. These attacks are effective because they use multiple compromised computer systems as sources of attack traffic. Exploited machines can include computers and other networked devices such as mobile phones, laptops, or Internet-of-Things (IoT) devices.
DDoS attacks can target any layer of the OSI network model within a company's infrastructure. These attacks can be aimed at any of the following:
1) Physical Layer
2) Data Link Layer
3) Network Layer
4) Transport Layer
5) Session Layer
6) Presentation Layer
7) Application Layer
There are three categories of DDoS attack:
1) Application Level Attack
a) The goal of an application level attack is to exhaust the resources of the server that generates webpages and delivers them in response to the HTTP requests it receives. Attacks on layer 7 can be difficult to defend against, as servers cannot easily tell the difference between an application level attack and genuine internet traffic.
2) Protocol Attack
a) A protocol attack will cause a disruption to the service by consuming all the available capacity of servers, to render the target
3) Volumetric Attack
a) This attempts to create server congestion by consuming all available bandwidth between the target and the larger internet. Large amounts of data are sent to a target by using a form of amplification, or another means of creating massive traffic such as requests from a botnet.
2.1.2. Digital Security Breach
A digital security breach, or data breach, is a security incident in which information is accessed without authorization. These can be costly events for Australian small businesses, as the accessed records often contain sensitive information valuable to criminals such as full names, credit card numbers, personal addresses, emails, banking details or passwords.
Data breaches can be caused by the following:
1) Exploiting System Vulnerabilities
a) Out of date software can create a hole that allows an attacker to sneak malware onto a computer and steal data.
2) Weak Passwords
a) Weak and insecure passwords make attacks such as brute-force easier, or make the password easier to guess; for example a user's name or surname, the name of the business, or something else easily guessed.
3) Drive-by downloads
a) Many people unwittingly download a virus by visiting a compromised website; this is done by taking advantage of a browser, operating system or application that has a security flaw.
4) Targeted Malware Attacks
a) These can come in the form of Spam or Phishing by tricking the user into revealing user credentials, downloading malware attachments, or directing users to vulnerable websites.
Planning for, and mitigating against, data breaches is critical to an Australian company's policies & procedures, as a data breach can leave an organisation liable for damages caused by compromised user data.
2.2. Cyber Theft
Cyber Theft is defined as a computer offence that occurs when a person steals something via the internet such as personal information, financial records, trade secrets and intellectual property. Cyber Theft falls under the broader definition of theft, which includes Larceny, Burglary and Robbery.
Once a cyber theft has taken place, all stakeholders can be responsible for costs of remediation which, depending on the size of the organisation, can be significant. Costs can be incurred with the following factors:
◦ Costs incurred by customers and other third parties such as stakeholders, shareholders or vendors as a result of cyber theft
• System recovery
◦ Repairing or replacing computer systems along with lost data. This can also involve temporary company closure, which would in turn result in lost revenue.
• Notification expenses
◦ If you have had a breach of data, you may be liable to notify customers in the event of a cyber theft attack.
• Regulatory fines
◦ Depending on the industry, you may receive state or federal fines and/or prosecution for failure to protect consumer data.
• Class action lawsuits
◦ Large-scale data breaches have historically led to class-action lawsuits on behalf of stakeholders whose data and privacy had been compromised.
Identity theft is the crime of obtaining the personal or financial information of another person for the sole purpose of assuming that person’s name or identity to make transactions or purchases.
This form of cyber-theft can compromise sensitive information including criminal, medical, financial and child identity.
A hacker, in this document, is defined as a person, group or process which uses a computer or network, to gain unauthorized access to data.
While hackers are often thought of as an individual or a group of people wanting to cause harm to large multinational corporations, a hacker can in fact be any person or group responsible for hacking.
The act of 'hacking' in itself is not always defined as criminal, and this is important for Australian businesses to realise. Intentionally 'hacking' a company's own infrastructure can be done to identify security flaws, and to make changes once flaws have been found. This is commonly referred to as either 'white hat hacking' or 'penetration testing'. 'Hacking' is a very loose term, as it can mean any type of malicious or non-malicious activity relating to questionable access, usability and manipulation of an ICT system.
System failure means the failure of any component that supports the overall power supply, operation, and/or general access to the system. Potential system failures for Australian businesses can include:
• Computer failure
◦ Motherboard short circuit
◦ Hard drive failure
◦ Power supply short circuit
◦ Soldering points short circuit (USB connections, power supply units (PSUs), WiFi/wired connection points etc.)
• Input/Output device failure
◦ Printer short circuit/explosion
◦ Keyboard failure
◦ Mouse failure
◦ Webcam failure
• Network Failure
◦ Internet/phone service disruption
◦ Failed network cable
3.1. Hardware Failure
Hardware failure is defined as a random but inevitable event that can, and at some point will, happen to all organisations using some form of technology to manage business processes. While this is not commonly caused by a malicious act, it is frequently a result of poorly managed or outdated hardware, which may lead to loss of time and/or data and can have a financial impact on an Australian business.
While many systems have now moved to the cloud, and services such as Google Cloud, Azure, AWS or Oracle implement their own redundancy procedures for outdated or faulty data, the servicing and replacement of local hardware is still very important, as local hardware is needed to access cloud data.
3.2. Software Failure
Software failure can, and often does, mean catastrophic loss of time and data for a business. A software failure is defined as a failure that occurs when the user perceives that the software has ceased to deliver its expected result, with respect to the specification input values.
This can be caused by a flaw in software redundancy, but in relation to this policy it also includes failure to update software, which can leave security flaws open in superseded software versions.
Software failure can also be defined as:
• Functionality errors: an error which may not be catastrophic, but can cause loss of time and/or unexpected results when using a system.
• Communication errors: an error which can include a lack of instructions for the user, or an inability to communicate between input/output devices or network devices.
• Missing command errors: when an expected command or intended function is missing.
• Syntactic errors: when words or scripts are misspelled or mistyped, causing other issues.
• Error handling errors: when an error occurs, but the user is unable to see what the error is, or to correctly perceive the error.
• Calculation errors: miscalculations by the software. These can include errors such as bad logic, incorrect formulae, data type mismatches, coding errors or function call issues.
• Control flow errors: a software control flow is defined as what the software is doing, and what it will do next after intended/unintended events. For example, if a user clicks a button which says 'save and close', the software should automatically save the data and then close the function. If this does not happen, that is perceived as a control flow error.
4.1. General ICT threats can be defined as common threats to plan for. These include:
• Technology with weak security
◦ This can often happen with outdated software/hardware.
◦ An example of this security flaw is the large change between Windows 7 and Windows 8. A hacker could create a .BAT (batch) file, place it on a USB drive and set it to automatically open or install a malicious file. A hacker could simply insert the USB drive into a Windows 7 computer, and the malicious software would automatically be installed. This was patched in Windows 8, although Windows 7 operating systems still have this potentially catastrophic security flaw.
• Social media attacks
◦ A very prevalent social media attack is known as 'water-holing'. This means that hackers take advantage of a site that everyone trusts (such as Facebook or LinkedIn), and post links which appear to come from a legitimate company but lead to an unsafe site which may compromise user data.
◦ These water-holing threats are extremely common on social media sites. Commonly appearing legitimate, they often lead users to 'free downloads' of popular PC games, or links to win free iPhones or gaming consoles, which ask the user to enter login details, providing the cyber criminals with user data.
• Mobile Malware
◦ Mobile malware is malicious software which is specifically designed to access data via a mobile device (Android, iOS or Windows). This has become more prevalent since technology has evolved, and almost all small businesses are able to access important data from their mobile device as well as PC. Types of mobile malware include:
▪ Spyware/Madware: a malicious file or script is installed on a device, consensually but often unknowingly, by the device user. This is often to collect user data or to send spam/adware. This is frequent on Facebook, where users may unknowingly begin to send spam links to other Facebook users because their device has become compromised.
▪ Drive-by downloads: a user opens a malicious link or website, and files are automatically downloaded onto the device. Although these are frequently adware, which often does not compromise sensitive information, they can cause frustration and have the potential to be catastrophic.
▪ Trojans: Trojan viruses have been around for a long time. A malicious file is installed on the device and sends a payload back to the original file owner/creator, which commonly contains all user data saved on the device.
▪ Phishing: a user visits a legitimate-looking website and enters their login details for the site, without realising they are entering sensitive information on an alternate, compromised website.
– These are common with sites such as PayPal, or Australian banking websites. A user may receive an email stating that their details have been compromised, and that they need to log in and check their password. A link in the email, to PayPal for example, may not lead to paypal.com, but rather to an alternative URL such as 'mypaypalsite.com' which is a compromised site.
▪ Browser Exploits: an outdated mobile web browser may have a security flaw. Normally, a browser update is issued when a potential security flaw is identified; the browser is updated and the security flaw is patched. Without updating, the security flaw remains, and it can be a risk for businesses.
• Third-party Entry
◦ This is where cyber criminals find the path of least resistance and attack through a third-party entry point, such as a hacker who connects to a company's Wi-Fi without the company's knowledge to access data over the local network.
• Neglecting proper configuration
◦ More of a human error: this is when recommendations and requirements are neglected, causing a security issue.
• Outdated security software
◦ Much like any outdated software or hardware, outdated security software may not be able to identify potential risks or malicious files/scripts. Security and antivirus software is frequently updated because cyber criminals find new ways to circumvent security and firewalls; the older the security software, the more likely there will be ways for cyber criminals to circumvent it.
• Social Engineering
◦ This is becoming more and more common, especially with small businesses that operate websites. This is where a cyber criminal relies on a person's emotions, or lack of knowledge, to access company information, or to get staff to send funds or details to cyber criminals.
◦ An example of a social engineering ICT threat is a cyber criminal sending an enquiry through a site's contact form, stating they have 'hacked' the site and will hand over access once the site owner has sent funds. Although there has not in fact been any hack, the cyber criminal is relying on the individual believing they have been hacked.
• Lack of encryption
◦ The purpose of data encryption for Australian businesses is to protect the confidentiality of digital data as it is stored on computer systems and transmitted over the internet or other network media. Cryptographic protection of data also provides authentication, integrity and non-repudiation:
▪ Authentication allows the origin of a message to be verified,
▪ Integrity provides proof that a message's contents have not changed since it was sent, and
▪ Non-repudiation ensures that a message sender cannot deny sending the message.
◦ Lack of encryption, such as using outdated standard DES encryption, is prevalent with, as an example, a mail server running an outdated version of Outlook. This means that although a message sender may appear legitimate (the message looks like it is from a customer or manager), there is no way the receiver can be assured the message was in fact sent by the correct sender, or that the message contents have not changed since the message was sent. This can be a very large security flaw; using up-to-date software which uses AES encryption is very important for businesses.
• Corporate data on personal devices
◦ Almost all companies allow company data to be accessed from personal devices. This is unlikely to change any time soon, and it can cause very large security risks for businesses, as an employee's or contractor's device may not be bound by any agreement, and the device is constantly nearby, meaning the user may be visiting a compromised site in their own time, accessing a public network, or making some other use of their device which creates a risk for the business and its data.
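The authentication and integrity properties described under "Lack of encryption" above are what a message authentication code gives a receiver. The following is an added example, not Data Fidelity's code, showing a receiver checking an HMAC-SHA256 tag over a message with a shared secret key: a genuine message verifies, while a message altered in transit or a tag produced with the wrong key is rejected. The key, message and account numbers are constructed placeholders. Note that an HMAC provides authentication and integrity only; because both sender and receiver hold the same key, non-repudiation requires an asymmetric digital signature instead, and confidentiality (the AES encryption the text recommends) is a separate layer not shown here.

```python
import hashlib
import hmac
import secrets


def new_key() -> bytes:
    """Generate a fresh 256-bit shared secret for the two parties."""
    return secrets.token_bytes(32)


def sign_message(key: bytes, message: bytes) -> str:
    """Return a hex HMAC-SHA256 tag that binds the message to whoever holds the key."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_message(key: bytes, message: bytes, tag: str) -> bool:
    """Recompute the tag and compare in constant time; False means tampering or wrong key."""
    expected = sign_message(key, message)
    return hmac.compare_digest(expected, tag)


def demo() -> dict:
    """Walk through the three outcomes a receiver can see."""
    # Constructed fixed key so the walk-through is reproducible; use new_key() in practice.
    key = b"constructed-demo-key-not-for-real-use"
    original = b"Please pay invoice 1042 to account 123-456"
    tag = sign_message(key, original)

    # A tampered body (the account number changed in transit) no longer matches the tag.
    tampered = original.replace(b"123-456", b"999-999")

    return {
        "genuine": verify_message(key, original, tag),      # True
        "tampered": verify_message(key, tampered, tag),     # False
        "wrong_key": verify_message(b"attacker-guess", original, tag),  # False
    }


if __name__ == "__main__":
    print(demo())
```

`hmac.compare_digest` is used rather than `==` so that verification time does not leak how many leading characters of a forged tag were correct.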
4.2. Human Error
For as long as people are going to be using technology, there will always be a risk where human error is the weak link in a security flaw. In 2019, approximately 90% of data breaches were due to human error. There are four fundamental security risks when dealing with human error, and these are:
1) Using weak passwords
a) Default credentials can be cracked by a brute-force attack, or may already be known to a cyber criminal, as when the same password is used across an entire business.
b) Passwords containing personal or corporate data can be guessed easily.
c) Simple (alpha-numerical) sequences can be seen if a cyber criminal can watch the keyboard when a password is entered, or can be easily guessed.
2) Carelessly handling sensitive data, such as:
a) Accidentally deleting essential files with sensitive data or security information
b) Purposefully removing files without understanding their importance
c) Sending emails with sensitive data to the wrong recipients
d) Accidentally making changes in documents due to carelessness
e) Sharing sensitive data with colleagues using unsecured messengers
f) Not backing up critical data
3) Using outdated or unauthorized software. Examples of this can include:
a) Ignoring software updates
b) Disabling security features, and
c) Downloading unauthorized software.
d) Many employees cause this risk by stating that it is too much work to constantly update software, that updates come at the wrong time, out of habit, or through lack of cybersecurity knowledge.
4) Lacking knowledge of cyber security. Although many company employees act sincerely, a lack of common cybersecurity knowledge can also mean there is a weak link in a business's cyber security. This poses a risk when an employee may:
a) Follow suspicious email links and attachments
b) Use a personal device for work purposes
c) Use a public Wifi without a Virtual Private Network (VPN)
d) Plug in insecure devices
e) Perform unauthorized system changes.
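The three weak-password patterns listed under item 1) above (default credentials, passwords built from personal or corporate data, and simple sequences) can be checked automatically at the point where a password is set. The following is an added example, not Data Fidelity's code: it reports each weakness it finds so the user can be told why a password was rejected. The common-password set, the minimum length and the sample context words are constructed assumptions; a real deployment would use a breached-password list and the organisation's own names.

```python
import re

# Constructed sample of default/common credentials; a real deployment would use a breach list.
COMMON_PASSWORDS = {"password", "admin", "123456", "welcome", "letmein", "qwerty"}
# Runs used to detect simple alphabetical, numeric and keyboard-row sequences.
SEQUENCE_RUNS = ("abcdefghijklmnopqrstuvwxyz", "0123456789", "qwertyuiop", "asdfghjkl", "zxcvbnm")
MIN_LENGTH = 12  # assumed policy minimum


def _find_sequence(lowered: str, run_length: int = 4):
    """Return the first ascending or descending run of run_length characters found, or None."""
    for run in SEQUENCE_RUNS:
        for i in range(len(run) - run_length + 1):
            chunk = run[i:i + run_length]
            if chunk in lowered or chunk[::-1] in lowered:
                return chunk
    return None


def password_weaknesses(password: str, context_words=()) -> list:
    """Return a list of human-readable reasons a password is weak (empty list means none found).

    context_words are names the attacker could guess: the user's name, the business name, etc.
    """
    findings = []
    lowered = password.lower()
    if lowered in COMMON_PASSWORDS:
        findings.append("default or common password")
    if len(password) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    for word in context_words:
        if len(word) >= 3 and word.lower() in lowered:
            findings.append(f"contains personal or corporate word '{word}'")
    sequence = _find_sequence(lowered)
    if sequence:
        findings.append(f"contains simple sequence '{sequence}'")
    if re.search(r"(.)\1{2,}", password):
        findings.append("contains a repeated character")
    classes = sum(bool(re.search(p, password)) for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    if classes < 3:
        findings.append("uses fewer than three character classes")
    return findings


if __name__ == "__main__":
    for candidate in ("password", "Welcome1234", "Acme2024!xyz"):
        print(candidate, "->", password_weaknesses(candidate, ["Acme", "Melbourne"]))
```

The context-word check is what catches the "user's name or business name" case the text warns about; the sequence check covers keyboard-row patterns as well as alphabetical and numeric ones.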
4.3. Data Breach
A data breach is an incident that has resulted in unauthorized access to data via a computer or a network. Data breaches occur through the following:
• Exploiting system vulnerabilities
◦ This occurs when a cyber criminal finds a vulnerability in an ICT system, such as an outdated app or operating system, and accesses data through the vulnerability.
• Weak Password
◦ This occurs when a password can be cracked via a brute force attack, or can be easily guessed.
• Malware attack
◦ This occurs when malware gains entry to a system through a medium such as phishing.
• Drive-by downloads
◦ This occurs when malicious files or scripts can be deployed via a compromised website.
• Social engineering
◦ This occurs when a cyber criminal is relying on human error or reaction to gain access to an ICT system, such as pretending to be IT support.
Spam is defined as unsolicited, bulk email. This can be anonymous, mass-mailed, or unsolicited mail covering just about any subject. Almost everyone has encountered spam if they have ever used email or the internet.
It is necessary to combat spam as it can cause a communications overload, wasted company time, irritation, the loss of important information, and exposure to criminal activity. Spam can include adult content, chain letters, pharmaceutical products, fake notifications such as lottery wins, letters from a Nigerian prince, or personal loans.
4.5. Natural Disaster
A natural disaster is defined in this document as a major adverse event resulting from natural processes of the Earth. Every business must have a plan for natural disasters when managing ICT security. Although a natural disaster is completely random and non-malicious, it can still cost a business valuable data.
Natural disasters can:
• Destroy networks, limiting access to data stored on the cloud for extended periods of time
• Destroy hardware i.e. flooding, fire
• Severely limit a business's ability to complete standard business processes for extended periods of time.
Data Fidelity takes ICT risks very seriously. Our approach is to identify, assess and mitigate potential security threats for clients.
We maintain a proactive approach towards potential security flaws and risks, building a new ICT policy tailored to each client based on all factors outlined in this document and the unique ICT risks present in each business's daily processes. We also offer training, as well as penetration testing, to search for potential security flaws between different systems.
Data Fidelity implements some in-house risk management procedures for all client data. Data Fidelity’s risk management includes the following:
1) Customer Data Security. We use G Suite Premium in parallel with Google Drive File Stream for document storage and processing, so that we have access to data at all times from multiple devices; in the event that a client requires immediate access to data, or has an urgent need for changes to a website, web app or mobile app, we can access the documents and quickly make changes.
a) G Suite Premium is secured via Google's 2FA Authenticator app, ensuring only stakeholders have access to Data Fidelity email accounts.
2) Customer Data Storage. We also maintain a local backup in the event that a natural disaster prevents us from accessing Google Drive. We use a local server, storing customer data locally in a RAID 1 hard drive configuration.
a) For our local data storage we have also implemented a 2FA key method. The 2FA key is a physical USB key, which must be inserted into the server at all times that data is to be accessed, added or removed. Without the 2FA key inserted, all data is automatically encrypted and is inaccessible, even on a compromised network.
b) All local storage is accessible only via a Cat6 Ethernet cable, and has no WiFi capability. In the event of a compromised network, the Ethernet cable and the 2FA key can both be physically removed from the server, to encrypt local data, cut local data off from internet access and prevent any potential unauthorized data transfer.
3) Website Security. We use a number of website tools, such as WordPress and Microsoft Visual Studio. We recommend hosting via Google Cloud, as Google Cloud has built-in distributed denial of service (DDoS) protection, as well as generic adware & malware blockers. Google Cloud offers DDoS protection by automatically blocking IP addresses which send a sudden and exponential number of HTTP requests, recognising this as a DDoS attack.
a) In the event that customers have arranged their own hosting for a WordPress website, we use Wordfence both to scan for, and to prevent, adware, malware, spam or bloatware appearing on websites as popup ads or misappropriated form data, as well as to secure our clients' data.
b) For websites, web apps & native mobile apps built from scratch, we create secure sites by using the following practices:
i) Avoiding Code Access Security (CAS), partially trusted code, APTCA, .NET Remoting, DCOM and binary formatters.
ii) Utilising the SafeInt library in Microsoft Visual Studio to prevent integer overflow and other potentially exploitable errors in any new website, web app or mobile app.
4) System vulnerabilities. We run a website penetration test, which is a real-life hack, to check for potentially exploitable security flaws. We use either Metasploit for a fundamental 'hacker' approach to checking for vulnerabilities, or Loader.io for a combination of penetration and load testing.
a) We also recommend regularly running penetration tests on systems to check for vulnerabilities after every system update.
b) In addition, simulating a social engineering hack with staff is a useful practice to check that staff are aware of safe ICT practices: sending a 'fake' email with a simulated URL, which reports on who has entered information into the fake website.
6.1. All risk management policies & procedures created by Data Fidelity are recommended to be incorporated into all staff & stakeholder training, to better manage potential risks. Every new risk management policy & procedure includes the following.
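Item 3) above describes DDoS protection that flags an IP address sending a sudden burst of HTTP requests. The following is an added example, not Data Fidelity's or Google Cloud's code, of the same idea applied to a web server's own access log: a sliding window counts requests per client IP and reports any source that exceeds a threshold within the window. The log lines, IP addresses (from the documentation ranges), window size and threshold are all constructed for the example; the thresholds a real site needs depend on its normal traffic.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Combined-log-format prefix: client IP, ident, user, [timestamp] "request" status
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)


def parse_line(line: str):
    """Return (client_ip, timestamp) for a well-formed access-log line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts


def flooding_sources(lines, window_seconds: int = 10, max_requests: int = 20) -> dict:
    """Sliding-window request count per client IP.

    Returns {ip: peak_requests_in_window} for every IP that exceeded max_requests
    within any window_seconds span. Lines for a given IP must be in time order.
    """
    windows = defaultdict(deque)
    peaks = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # malformed line: skip it rather than crash the monitor
        ip, ts = parsed
        q = windows[ip]
        q.append(ts)
        # Drop timestamps that have fallen out of the window.
        while q and (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) > max_requests:
            peaks[ip] = max(peaks.get(ip, 0), len(q))
    return peaks


def _log_line(ip: str, ts: datetime, request: str) -> str:
    """Format one constructed access-log line (timezone fixed at +1000 for the example)."""
    return f'{ip} - - [{ts.strftime("%d/%b/%Y:%H:%M:%S")} +1000] "{request} HTTP/1.1" 200 512'


def build_sample_lines() -> list:
    """Constructed traffic: one normal client at 1 req/s, one flooding client at 50 req/s."""
    start = datetime(2020, 7, 1, 9, 0, 0)
    normal = [_log_line("203.0.113.10", start + timedelta(seconds=i), "GET /index.html")
              for i in range(30)]
    flood = [_log_line("198.51.100.77", start + timedelta(seconds=5, milliseconds=20 * i), "GET /")
             for i in range(150)]
    return normal + flood


if __name__ == "__main__":
    print(flooding_sources(build_sample_lines()))  # {'198.51.100.77': 150}
```

The normal client never has more than 11 requests in any 10-second window and is not reported; the flooding client's 150 requests all land inside one window. A volumetric flood from many sources would not show up per IP like this, which is why the text recommends upstream protection as well.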
6.1.1. Safe Email Use
Be wary of all attachments and links. Any attachment can contain malware, and should be treated as such. Even email attachments and links sent from trusted friends & family may unknowingly be delivering malware to your device. It is best to only open attachments and links from well-known, verifiable sources.
Don't be fooled. Cyber criminals can use social engineering to fool a company director, employee, subcontractor or shareholder into opening and deploying malware without believing they are doing so. This may be a scam email claiming to be from IT support, from the government, or from any legitimate sender, with links containing malware. Although some infamous phishing scams are well-known and obvious (such as an email from a Nigerian prince), other emails can be much more clever and up to date, such as an email claiming to be from the ATO requesting a login to myGov (via a malicious link) to avoid an audit.
Keep personal information private. Norton 360 Security, a highly reputable antivirus software company, compares email to a postcard. Between a person sending a postcard and the receiver receiving it, the postcard can pass through any number of hands before it reaches the intended recipient, and any sort of information can be added to or removed from it. Email works in the same way: a sender may not realise they have a compromised computer, and an email sent or received with personal information can be read by a cyber criminal.
Keep your operating system up to date. Operating systems are updated when a vulnerability is found, either by a penetration test or by a cyber criminal finding and exploiting a new vulnerability or a new way to cause a data breach on a victim's computer. Current operating system versions give users the most secure version, as previous versions have vulnerabilities which are patched in later versions.
Use antivirus software. Using up-to-date, comprehensive antivirus software is a powerful tool to mitigate most risks when using IT systems. A small cost can prevent big losses in the future. Data Fidelity uses Norton 360 on all Windows PCs and servers, and on all Android and peripheral media devices such as media players, streaming devices, gaming consoles or any IoT (Internet of Things) devices.
6.1.2. Setting out processes for common tasks
1) Plan for attacks. Rather than taking a reactive approach when a data breach occurs, complete security-related tasks under the presumption that a breach will happen.
2) Consider social engineering for IT systems. What may sound like an inconvenience for staff members, but is a powerful tool, is to limit the usability of devices on the local network. If a staff member only requires access to specific websites, it is worth implementing web browsers with access limited to only the trusted websites which employees require for their day-to-day operation. By limiting the number of systems that stakeholders have access to, you mitigate the risk of cyber attacks via social engineering.
3) Design a secure network topology. A local network for an office may require devices with internet access; however, limiting who can access the network is good practice. This may mean, as an example, that if all devices are Windows/Apple PCs, a wired network in place of the more popular wireless network can limit outside intrusion. Alternatively, if a wireless network is a necessity, it is worth restricting network traffic via IP or MAC filtering. IP filtering allows network traffic only from specific IP addresses, and MAC filtering allows connections only from specific devices (a MAC address is hard coded into every network connected device, and cannot be faked). A network manager is also able to use a third party program such as Wireshark to monitor network traffic, and be notified of any unknown IP or MAC addresses as they appear on the network.
4) Incentivise good ICT risk practices for employees. Every employee loves an incentive, and creating an incentive for consistently good behaviour can work exceptionally well.
5) Establish key stakeholder/s for when a cyber attack or data breach occurs. A systems administrator will generally have administrative access to a database or server, and can monitor and mitigate a data breach as it happens. Much as most offices have a fire warden to help with an evacuation if a building catches fire, in the event of a cyber attack it is good practice to nominate a 'cyber warden' who can delegate tasks and manage the attack as it is happening.
6) Create a response plan. This is to include steps to secure sensitive information. Some common tips to include in a response plan include:
a) Kill switch, to completely box off the local area network from outside sources, so that if a device has been compromised it cannot communicate or share data externally. This may cause a temporary closure of a business once the malicious code has been found, but it can also prevent a data breach. Some companies refer to this process as sandboxing.
b) Contact stakeholders who have the capacity to deal with the threat. This can mean contacting the ICT provider, the in-house IT specialists, or the department/general manager. The important stakeholders to contact are those who have the tools to manage and eliminate the threat.
c) Think of the risk in financial terms. If a staff member's computer is infected with adware, it will have to be managed, although an employee receiving spam popups for pharmaceutical products will not cause a significant financial loss to a business. If, however, a business PC has become infected with ransomware, it can have immediate catastrophic consequences, and must be dealt with immediately.
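Item 3) above suggests a network manager watch for unknown IP or MAC addresses appearing on the network. The following is an added example, not Data Fidelity's code, of that check run over the output of a host's ARP table (the `arp -a` format on Linux is assumed): each entry is compared against an approved-device inventory and the expected office subnet, and anything unexpected is reported. The inventory, subnet and ARP lines are constructed for the example. One caveat a practitioner should keep in mind: a device's MAC address can be changed in software, so this check is a detection aid for unexpected devices, not a strong access control on its own.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed device inventory: MAC address -> approved device.
KNOWN_DEVICES = {
    "00:1a:2b:3c:4d:5e": "reception-pc",
    "00:1a:2b:3c:4d:5f": "office-printer",
    "00:1a:2b:3c:4d:60": "manager-laptop",
}
OFFICE_SUBNET = ip_network("192.168.10.0/24")  # assumed office LAN

# Matches an `arp -a` style line: "? (192.168.10.20) at 00:1a:2b:3c:4d:5e [ether] on eth0"
ARP_LINE = re.compile(r"^\S+ \((?P<ip>[\d.]+)\) at (?P<mac>[0-9A-Fa-f:-]{17}) ")


def normalise_mac(mac: str) -> str:
    """Lower-case and colon-separate a MAC so Windows-style 00-1A-... compares equal."""
    return mac.lower().replace("-", ":")


def review_arp_table(arp_lines) -> list:
    """Return (ip, mac, reason) for each ARP entry that does not match the inventory."""
    findings = []
    for line in arp_lines:
        m = ARP_LINE.match(line)
        if not m:
            continue  # "<incomplete>" entries and headers carry no MAC to check
        ip, mac = m.group("ip"), normalise_mac(m.group("mac"))
        if mac not in KNOWN_DEVICES:
            findings.append((ip, mac, "MAC not in device inventory"))
        elif ip_address(ip) not in OFFICE_SUBNET:
            findings.append((ip, mac, f"known device {KNOWN_DEVICES[mac]} outside office subnet"))
    return findings


# Constructed ARP output: two approved devices, one unknown device, one incomplete
# entry, and an approved device answering from an unexpected subnet.
SAMPLE_ARP = [
    "? (192.168.10.20) at 00:1a:2b:3c:4d:5e [ether] on eth0",
    "? (192.168.10.21) at 00:1A:2B:3C:4D:5F [ether] on eth0",
    "? (192.168.10.77) at 6c:aa:bb:cc:dd:ee [ether] on eth0",
    "? (192.168.10.99) at <incomplete> on eth0",
    "? (10.0.0.5) at 00:1a:2b:3c:4d:60 [ether] on eth0",
]


if __name__ == "__main__":
    for finding in review_arp_table(SAMPLE_ARP):
        print(finding)
```

Run periodically (or fed from a Wireshark/tshark export instead of `arp -a`), the same function gives the "notify me of unknown addresses" behaviour the text describes; the inventory should be kept alongside the MAC filter list on the access point so the two do not drift apart.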
6.1.3. Managing changes to ICT systems
While an ICT system is being built, it is fairly commonplace for bugs or errors to surface, and these can be easily managed before the new system becomes critical to a business. Once a business has deployed and is using a new system, it becomes more difficult and time consuming to make changes to it. Data Fidelity implements the following practices when making changes to a system:
1) Create a backup of an entire system. This means that in the event that there is a catastrophic error, or potential for long-term downtime of a system, a complete backup of the old system and its data can quickly be restored.
2) Build a new system in parallel with the old. This means that rather than making changes to a live system, new changes can be tested for potential bugs, errors or security issues prior to deployment.
3) Clearly identify the goals for the changes to be made. This may mean a simple bug fix, or it may mean an overhaul and redesign of a system. Lateral thinking is common in IT: when new goals are set, there may be multiple ways to reach the same goal, each with different costs, development times, and different software stacks or platforms. A business may find cost more important than a longer development or testing time, or it may find time is imperative, in which case a more expensive solution is used.
6.1.4. Response to ICT Incidents
For our clients, Data Fidelity believes the most important aspect of a response to an ICT incident is Business Continuity. This means having a plan in place that mitigates the financial, social and functional impact on the business, so that it can continue trading with the least disruption and as promptly as possible.
1) Assemble the business team. This can be a team leader, manager, external or internal stakeholders, as long as they are people who are skilled and with the right equipment to manage an ICT incident.
2) Identify the source. This may be a network vulnerability, an employee’s computer or personal device, a peripheral device (USB, Network attached storage).
3) Contain and recover. This may include sandboxing the infected device or devices, or potentially the entire business. Once the incident is contained, it is important to rectify the devices and return them to operating condition.
4) Assess the damage and severity. It is important to assess the severity after action has been taken to identify and contain the incident. Assessing the damage may reveal that the business is required by law to notify its clients, shareholders or stakeholders of a data breach. It is also important to assess how the incident happened. Depending on the targeted data, it may have been an entirely external, random cyber attack looking to obtain client financial information, or it may have been an ex-employee simply wanting to disrupt business operations.
5) Begin the notification process. It is important to notify all affected parties of a data breach and its severity. It is important to complete the notification process as soon as a data breach has happened, as it gives compromised parties time to change passwords and secure their data in other ways.
6) Plan to prevent the same type of incident in the future. Unfortunately, no business can be 100% proactive against every single method of cyber attack, because attack methods and practices constantly evolve. It is important to learn from the incident, and to build policies and procedures to ensure it does not happen again.
To identify potential ICT security risks, it is worth inspecting and reporting on the following areas for potential vulnerabilities:
• Support personnel
• Mission or purpose
• Functional requirements
• IT Security policies
• IT Security Architecture
• Network Topology
• Information storage protection
• Information flow
• Technical security controls
• Physical security environment
• Environmental security
To assess ICT risks for the above potential vulnerabilities, points to consider are:
• The mission of the system, including the processes implemented by the system
• The criticality of the system, determined by its value and the value of the data to the organisation
• The sensitivity of the system and its data
Investigating the potential vulnerabilities and assessing them against the above points will help build each business a Business Impact Analysis (BIA), which quantifies each potential risk in terms of how a cyber attack would affect the business: loss of business, cash flow, customer data, public reputation and downtime.
When mitigating each of the risks in a BIA, consider the following objectives:
• Organisational policies
• Cost-benefit analysis
• Operational impact
• Applicable regulations
• Effectiveness of recommended controls
• Safety and reliability
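As an added worked example (not part of Data Fidelity's document or tooling), the following Python script shows how the BIA figures above can be quantified and how the cost-benefit and applicable-regulations objectives decide which controls to adopt. The risk register, the dollar values and the control names are constructed sample data, and the annualised loss expectancy (ALE = single loss expectancy × annual rate of occurrence) is a standard risk formula assumed here, not one the page prescribes; the adware-versus-ransomware contrast from the response plan above is reproduced in the numbers.

```python
"""Constructed worked example: a small Business Impact Analysis (BIA) risk register
with cost-benefit ranking of candidate controls.  All figures are invented sample data."""
from dataclasses import dataclass


@dataclass
class Risk:
    name: str
    asset_value: float          # value of the system/data to the organisation (AUD)
    exposure_factor: float      # fraction of asset value lost per incident (0..1)
    annual_rate: float          # expected incidents per year (ARO)
    downtime_hours: float       # expected hours of outage per incident
    hourly_trading_loss: float  # cash-flow impact of an outage, per hour (AUD)
    notifiable: bool = False    # would a breach trigger mandatory notification?

    def single_loss(self) -> float:
        """Single loss expectancy: direct data loss plus lost trading during downtime."""
        return self.asset_value * self.exposure_factor + self.downtime_hours * self.hourly_trading_loss

    def annual_loss(self) -> float:
        """Annualised loss expectancy (ALE) = SLE * ARO."""
        return self.single_loss() * self.annual_rate


@dataclass
class Control:
    name: str
    risk: str                   # name of the risk this control mitigates
    annual_cost: float          # yearly cost of running the control (AUD)
    reduction: float            # fraction of the risk's ALE it removes (0..1)
    required_by_regulation: bool = False


def sample_register():
    """Constructed sample data; the values are illustrative only."""
    risks = [
        Risk("ransomware on file server", 200_000, 0.5, 0.2, 72, 500, notifiable=True),
        Risk("adware on a staff workstation", 2_000, 0.1, 4, 1, 50),
    ]
    controls = [
        Control("2FA on remote access", "ransomware on file server", 3_000, 0.5),
        Control("offline backups with tested restores", "ransomware on file server", 6_000, 0.6),
        Control("breach notification procedure", "ransomware on file server", 1_500, 0.0,
                required_by_regulation=True),
        Control("dedicated ad-blocking appliance", "adware on a staff workstation", 4_000, 0.9),
    ]
    return risks, controls


def evaluate_controls(risks, controls):
    """Rank controls: regulatory requirements are always recommended; otherwise a
    control is recommended only when the loss it avoids exceeds what it costs."""
    by_name = {r.name: r for r in risks}
    results = []
    for c in controls:
        risk = by_name[c.risk]
        avoided = risk.annual_loss() * c.reduction
        net = avoided - c.annual_cost
        results.append({
            "control": c.name,
            "risk": c.risk,
            "ale": risk.annual_loss(),
            "avoided_loss": avoided,
            "net_benefit": net,
            "recommend": c.required_by_regulation or net > 0,
        })
    # Recommended controls first, then by net benefit (largest first).
    results.sort(key=lambda row: (not row["recommend"], -row["net_benefit"]))
    return results


def bia_report():
    risks, controls = sample_register()
    return evaluate_controls(risks, controls)


if __name__ == "__main__":
    for row in bia_report():
        flag = "ADOPT " if row["recommend"] else "DEFER "
        print(f"{flag} {row['control']:<40} ALE ${row['ale']:>9,.0f} "
              f"net benefit ${row['net_benefit']:>9,.0f}")
```

The ranking makes the document's point concrete: the ransomware ALE dwarfs the adware ALE, so both ransomware controls and the legally required notification procedure are adopted, while the ad-blocking appliance is deferred because it would cost more per year than the adware ever could.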