In this episode of Any.Talk, we discuss why cybersecurity is important - especially for small businesses - and what the ramifications are of being hacked. We look at examples of external and internal threats and what measures can be put into place.
Anywise recently obtained a DISP membership, which involved stringent scrutiny of our cybersecurity practices. If you'd like to learn more about how to conduct cybersecurity training with staff or how to obtain your own DISP membership, please get in touch with us today.
Listen to the full podcast episode below, or stream it on Apple Music, Spotify or wherever else you listen to podcasts. Make sure to hit the subscribe button.
Any.Talk Episode #15: Cybersecurity
Annie-Mei: Hello and welcome to another episode of Any.Talk. I’m Annie-Mei Forster and today on the show we’re going to be talking about cybersecurity. We’ve got two guests on the show today from Anywise. Senior Consultants Chris McKellar and Susan Kruk. Good morning Chris and Susan.
Susan: Hi Annie-Mei.
Chris: Hi Annie-Mei. Hi Suez.
Susan: Hi Chris.
Annie-Mei: Alright, I’ll start with you Chris. Can you briefly talk about why cybersecurity is important and why small businesses should care about it?
Chris: Cybersecurity is basically anything to do with your IT infrastructure. Now whether that be mobile phones, laptops, computers, servers – or cloud infrastructure systems that you use – any sort of software, apps.
And the reason it’s important is because most businesses would not be able to function without this infrastructure. And a lot of businesses – because of the heavy reliance on this infrastructure – could leave themselves exposed if this was compromised in any way. They have lots of important information, lots of data, lots of intellectual property, financial records, HR records. It’s something they should be mindful of in this day and age.
Annie-Mei: How can small businesses protect themselves from a security breach?
Chris: The Australian Signals Directorate released – what they call – their ‘Essential Eight’, which is a really basic number of measures which an organisation can implement to curtail some of the common areas where breaches may occur.
Simple things such as disabling macros in Microsoft Office, blocking things like Adobe Flash Player in your web browser, restricting admin access to those who need it, patching operating systems, multi-factor authentication, daily backups, whitelisting applications, applying security patches.
Some really simple things that businesses should be able to do; that being said there are still quite a few government departments which don’t follow suit with the ASD basic bare minimum recommendations.
If they can do that, at least they’re getting started. Then there’s plenty of things they can start looking at, investing in security systems and their IT systems.
Annie-Mei: Okay, thanks Chris.
Susan, since last year when everyone migrated to working from home – obviously a lot of people were using their own computers and their own internet networks at home – so how does that affect cybersecurity for companies that might be easier to attack?
Susan: It’s definitely been an interesting move, coming to remote working for the majority of people since last year. And I think we really do need to refocus our security measures. Gone are the days where you walk into an office, all the firewalls are set up, all the systems are set up for addressing cybersecurity and making sure all measures are in place.
You have to – as an individual – now think about what do I have at home on my laptop or my smartphone? What other listening devices could be in the home?
You need to be more mindful of where you’re having your conversations. And so, I think we need to look at that carefully – depending on obviously, the type of contract you’re working on and who your client is – as to what level of conversation you have at home; who else is at home; whether you’re having a conversation outside. I know some people like to take their phones for a walk in the backyard while they’re talking.
You don’t know who’s on the other side of the fence or who’s delivering a parcel or, it could be anything. And not to make us suspicious of everybody around us but more to be mindful of the fact that we are at home. And I think businesses need to also address the fact that people are using their own PCs, laptops and phones, and what measures can they put in place to ensure that those devices are protected to the standard they wish for their company, as well as that of their clients.
Annie-Mei: Okay, thanks Susan. And when you were talking about how people should be more mindful of who might be listening or who might be around them – what other kind of training measures should staff get on cybersecurity?
Susan: First they need to be aware of the types of scams and threats that are present out there: phishing type emails, what you’re putting on your social media (the kind of information you’re putting out there).
Obviously checking your own company’s policies – and as a business owner, what kind of policies do you need to update? What kind of extra measures do you need to put in place to train your staff and that this new way of working is completely covered?
The use of strong passwords, as Chris was mentioning before with the two-factor authentication as a base minimum. Backing up files and data. I know for myself at the moment I have a massive issue with my laptop.
Nothing to do with cybersecurity, but the fact that I do have to back-up everything, delete everything and start again. So make sure that if you’ve got that regular back-up, because if you accidentally lost it and just turned off, you’ve got those files ready and they’re secure as well.
Limiting access to documents and files. Making sure that there’s a need-to-know policy within the organisation and that your staff understand that.
And also, how to report a security event. Make sure that your people have the right security training. Again, depending on your client and what you’re involved in.
For Anywise, we’ve recently been certified with DISP membership and so we need to be very mindful of the fact that we are within the defence industry and we need to start thinking that way.
We need to ensure that people have the proper security awareness training, insider threat training, as well as other threats. And to ensure that that is updated regularly. And that people within our business know how to report an incident, what the timeframes are around reporting, and that it doesn’t matter how minor it is, just report it. Because no incident should go without notification.
Annie-Mei: Okay, thanks Susan. So, going back to what you were talking about, how you have to be mindful working with defence because you need to get a security clearance. Why is a security clearance necessary for defence and what process do people have to go through to get one?
Susan: For security clearances, they’re required on a case-by-case scenario with projects. But you’re dealing with defence who have a great deal of importance placed on protecting their people, their IP, their assets, their equipment. And so, if we want to fit into the defence industry and work with them, then we need to be scrutinised for our background, our memberships, our associations, and so forth.
So that defence feels comfortable in saying, “Anywise and its people – or whoever the individual may be who is going for the security clearance – we feel safe in bringing you onboard and allowing you (depending on the level of clearance you’re going for) to have access to certain information, assets and people.”
Because that’s of very high importance to defence to protect themselves against internal and external threats. And to make sure that those who are coming onboard are the right fit for defence. And so, in order to go through a clearance: first of all – do you need one?
You need to make sure as a business that your personnel actually need that clearance; they’re not just handed out willy-nilly. It does go through a very stringent process. Again, it depends on what level of clearance you’re going through. The process and the background checks go back minimum five to 10 years of your personal history and they check everything.
The process can take quite some time depending on – maybe you’ve just become an Australian citizen – so, they might take a little bit longer to look into your background and where you’ve come from.
I think the quickest turnaround I’ve seen on a clearance – and again, at the lower level – being granted would be approximately two to three months. So, it takes a lot of time, it takes a lot of care to look after your security clearance and ensure that if there’s any change of circumstance that that is updated. If there’s any suspicious activity or they’re in communication with someone and they’re asking a lot of strange questions; all these things need to be reported.
And then you also need to have your clearance re-validated periodically, depending on your level of clearance. So, it’s not just: ‘here you go, you’re good to go’. You need to be careful. It’s not really something you should go around discussing either. Again, you’re protecting yourself and your client.
And that helps with working on contracts. If you’ve got a company that has gone through that process. That again, takes quite some time; you’ve got people ready to go. You’re probably going to be more attractive to a project. The people are in the right place, they’ve got the clearances and they’re good to go; as opposed to another company who have no training in place, have got no clearances in place and might not be as aware of what security means for defence.
Annie-Mei: Okay, thanks Susan. Just going back to small businesses in general. Chris, you were saying before how ASD has their ‘Essential Eight’ for how companies can protect themselves from getting attacked, but for a small company what advice would you give them if they thought, ‘oh it’s only the big companies that get hacked. Why should we invest time and money into cybersecurity?’ What would your advice be?
Chris: It’s one of those things, isn’t it? Like backing up your data.
‘I wish I would’ve done it’ – type of thing. After the fact.
It might be a small manufacturing firm with a handful of employees, but they might have really great IP with what they do. They might play an essential role in a supply chain. So, a critical role. And paying attention to cybersecurity and security in general, really protects the business, the future of the business, their reputation, winning future work.
So, what might seem like a large investment; it’s time well spent. There are really simple things that you can do. Things like what Suez was saying, just being aware of what email you’re opening, what websites you’re going to, making sure you’ve got virus protection, malware protection, backup of your data. If you do get compromised, you can recover from it.
There’s software and platforms which can help you control access for your employees to certain apps, software or shared hard drives that you use, so you can actually lock them down rather quickly if a breach has happened or an internal bad actor. So, an internal staff member who might be acting malicious for whatever reason. You can lock them out of it, or you can get notified of access that is out of the ordinary.
Anywise has worked with a company that makes SIEM software called LogRhythm. It can basically monitor anything, any access from stuff like Google’s G Suite and Microsoft Office 365, all the way up to servers and shared hard drives, routers, firewalls, laptops. It can record physical access like swipe cards and biometrics.
A full 24/7 overview of what’s going on in their company. They can be alerted to any potential breaches or activity that is outside the ordinary. And then they can take either the automated access or intervene physically, if required. The ramifications of what might seem insignificant can be rather massive.
Susan: And sorry Chris if you wouldn’t mind me adding just an example. Like you were saying, you might just be a small organisation and think – ‘well why is this important to me?’ It could just come down to the pure simple fact – money.
Every business works and operates – well, not every, but majority of businesses – to bring in some form of income for themselves and for their employees. So, to give you an example of an actual event, last year I was working with another company. And we’re talking about a plumbing company, so you think well ‘what am I going to gain by hacking a plumbing company?’
And it was a young girl in her early 20s. And unfortunately, the company did not have – I mean let’s just put it out there – they had a similar password, a standard password for most people in the office.
Number one error. So of course, she was able to access a lot of information. We don’t believe she was working alone. For the level that she hacked the systems, we believe there was a bigger team operating behind the scenes. And so, she was logging in from home. She was logging in at all sorts of hours. She was looking up things when we went back through her history.
You know – what’s jail time for fraud? You know, alert!
So eventually it did come to light that something untoward was happening. But when she was walked out the door, the siphoning of money started happening as well and things were being purchased on our credit cards. And, however they had hacked into the system, they were almost one step ahead because as we were changing passwords, they were still in the system of notifications.
And so, it took quite some time to shut it all down and be completely separated from this person, or group of people. And obviously afterwards it also came to light that she was known to police for a long list of similar breaches in companies. And so, then I guess you also look at your background checks in your hiring and resource policies and procedures.
But, just to give an example, here’s a plumbing company and here was a major hack. She’s also in the court system as well, doesn’t turn up and so forth. So, these people don’t really care about what they’re doing. They just want to get in there and get your information, get access to your company credit cards, copy your business models, and things like that.
So taking the time and putting in those – and if you can afford it go up a little bit higher – basic levels of protection to help safeguard you and your company against these sorts of things.
Annie-Mei: Yeah, and I guess you hear about in the news all the time, this big company’s been hacked, and your clients won’t want to deal with you in the future if their information is being compromised.
Like last year, how Isentia that media monitoring company got hacked and they had information for various government organisations and journalists’ names and their contact details. Money is obviously a really big part of it but also personal data as well.
Susan: That’s right, and confidence in your company. Like you said, no one’s going to want to work with you if you can’t protect their information.
Chris: There’s so many unintended consequences with regard to privacy, personal security and that sort of thing. There’s been instances where the location of military bases and that have been uncovered by the use of Strava.
So Strava is an app, which is used by runners and cyclists. A lot of people like to maintain a healthy lifestyle. And they’d be running around the bases and that, it would hack into the Strava information and correlate that with who these people are. That might be a LinkedIn profile or a Facebook profile. See all these people who have got certain jobs and insinuate that there’s a base there.
So, there’s so many things, which you might be completely oblivious to, which could compromise if you work at a certain facility or what not. We all carry a personal tracking device on us regularly and are pretty oblivious to information that can be gleaned from that by third parties.
Annie-Mei: I just want to finish up by talking about how Anywise can help other businesses with their cybersecurity.
Chris: So, as I mentioned before, Anywise is partnering with LogRhythm, which is a SIEM (Security Information and Event Management software). That would be doing it an injustice because it’s a lot more than that. But for any companies out there that are looking to take a sort of active approach to monitoring their IT and security infrastructure; they can reach out to us and we can discuss the benefits and how that can happen.
I think one of the big things as well with say, the defence industry in Australia is securing our supply chain and also sovereign capability manufacturing. So, having all that in-house in Australia.
Then the next thing would be to have all the members of a supply chain to do their utmost to secure that supply chain.
Suez as well, with Anywise becoming a member of the DISP panel. Did you want to talk about that?
Susan: Yeah sure, so we’ve got in place our training schedule and templates; and we have a lot of information that we can help other companies with. If they’re interested, they can get in touch with us to help set up some training around security and if they need help with their DISP applications as well, we are also in a position to help with that too.
Annie-Mei: Okay, thank you for the discussion today. Thank you, Chris and Susan, for talking about cybersecurity.
Susan: No worries, Annie-Mei. Thanks for having us.
Chris: Thanks Annie-Mei.