Cyber Security: Reduce The Risk (Part 2)

This is the second post in the Cyber Security series. Because cyber security is so vital to business success, we’ll be releasing more posts after October and into November.

Reduce the Risk (Part 2) details some slightly more technical, yet arguably more important, measures. These measures will take some time to implement, but we recommend implementing them before the Christmas break if possible – most cyber-attacks occur while businesses are on holiday. Feel free to discuss this series with your IT team to ensure your company is secure.


Use multi-factor authentication (MFA)

A password is something you know, but it can be copied. A multi-factor authentication (MFA) device is something you have, and while it could be stolen, it cannot be copied. If your MFA device is stolen, you can immediately react and recover. This awareness of theft is something you can’t get with a password. Combined, these levels of security are highly effective. For any account with elevated privileges, MFA is a must.

An authenticator app such as Google Authenticator is easy to integrate into your platform and easy for staff to use. MFA is simple yet extremely effective, and can require as little as 15 seconds every month, although we recommend re-authentication every 24 hours. This introduces the awareness vs culture issue that we’ll address next.
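To show what an authenticator app actually computes, here is an added example (not code from the original post or from Google Authenticator) of the RFC 6238 time-based one-time password scheme those apps implement, with a server-side verifier and a helper for the 24-hour re-authentication rule above; the demo secret is the standard RFC 6238 test key, and the names are my own.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30    # authenticator apps use 30-second time steps
DIGITS = 6   # and 6-digit codes


def totp(secret_b32: str, unix_time: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for a base32 shared secret at a given Unix time."""
    # Re-add any base32 padding the QR code / setup key left off.
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = unix_time // step
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret_b32: str, submitted: str, unix_time: int, window: int = 1) -> bool:
    """Server-side check: accept the current step or one step either side (clock skew).
    Compare in constant time so response timing does not leak how many digits matched."""
    for delta in range(-window, window + 1):
        expected = totp(secret_b32, unix_time + delta * STEP)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


def session_requires_mfa(last_mfa_unix_time: int, now_unix_time: int,
                         max_age_seconds: int = 24 * 3600) -> bool:
    """Policy helper for the 24-hour re-authentication recommendation."""
    return now_unix_time - last_mfa_unix_time >= max_age_seconds


# Constructed demo secret: the RFC 6238 test key "12345678901234567890", base32-encoded.
DEMO_SECRET = base64.b32encode(b"12345678901234567890").decode()
```

The RFC 6238 test vectors (time 59 gives 287082, time 1111111109 gives 081804) are a quick way to confirm any TOTP implementation before wiring it into a login flow.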


Educate on the ‘human factor’

We recently attended a security seminar led by Brian Hay at the University of Queensland, and one of the key takeaways was the vulnerability due to the human factor – over 90% of successful hacks occur because of human error.

Specifically, Brian Hay discussed ‘awareness vs culture’. This is the conflict between being a friendly co-worker and, in doing so, breaking the security and safety rules. For example, would you hold a secure, key-swipe door open for an employee you don’t know? What if they were eight months pregnant with their hands full? But this is a key swipe into a restricted area. Everyone must authenticate, every time. It is this principle that is often overlooked because of our historically casual culture. It can be as small as enforcing MFA only once a month instead of every 24 hours. It’s the convenient thing to do, but it can have disastrous consequences if a company laptop is stolen the day after authentication. This same ‘awareness vs culture’ dilemma is why scam emails are so disastrously effective. Always question. It’s important to keep the human vulnerability in mind.

As we increasingly depend on the cyber world, we need to raise vigilance and awareness of the threats. This includes training your employees and making sure they are actively aware. The above example of the pregnant ‘employee’ is an effective disguise that attackers use. We need to accept that an attacker can be anyone and that they will use any vulnerability we give them. The ‘human factor’ is the most exploited vulnerability in cyber security.


Reduce phishing attack effectiveness

This is a subset of the human factor. A phishing email is a legitimate-looking email, often from a seemingly trusted source, that cons you into sending personal information or contains a malicious link or file. The most endorsed advice from the security seminar I attended was to never click on a link from an unsolicited email or message. Even the savviest people fall for them. Have your company set up an inbox rule that only allows mail from known senders through. It will still tell you when a message arrives from an unknown sender, but you’ll be more aware that it may be a phishing attempt.


Hash and season your passwords

Most websites and databases store your passwords as hashed passwords, which is different from encryption. A hashed password is like a baked cake and the password is like the cake recipe. With just the baked cake, you can’t determine the exact recipe. But with the recipe, you can bake the same cake.

So, if a website stored your recipe, someone who breached the website could steal your recipe and pretend to be you. But if the website stores your baked cake, then they don’t know your recipe. To verify it’s you, the website asks your computer to bake your recipe before sending it to the website. The website then compares the freshly baked cake to the one they have in storage. If they taste the same, then they know it’s you, all without knowing your password. It should be noted that no amount of baking can save a weak password.

A secure website is one that does not know its users’ passwords. However, with modern hacking tools, just hashing a password is no longer acceptable, as common passwords are cracked instantly, in microseconds. The best solution is to have the website put some seasoning on your cake. If the seasoned cake is stolen, it’s even harder for the thief to determine the actual recipe because they can’t separate the seasoning from the cake. The simplest and most effective form of seasoning is called a salt. Ask your IT team to check that you are hashing and salting your passwords. It’s a simple concept, but make sure you give them enough time to implement it securely.
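An added example (my own code, not from the original post) of what “hash and salt” means in practice: a slow, salted password hash using PBKDF2 from Python’s standard library beside the weak unsalted scheme, so you can see why two users with the same password end up with different stored values once a salt is added. The iteration count and sample passwords are constructed for the demo.

```python
import hashlib
import hmac
import os
from typing import Optional

# Work factor: deliberately slow. 600,000 is in line with current OWASP guidance for
# PBKDF2-HMAC-SHA256; tune it so a single check costs a noticeable fraction of a second.
ITERATIONS = 600_000


def unsalted_sha256(password: str) -> str:
    """The weak scheme: fast and unsalted. Two users with the same password share
    one hash, so one precomputed table (or one cracked entry) exposes both."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'iterations$salt_hex$hash_hex'. A fresh random 16-byte salt per user
    is the 'seasoning': it is stored in the clear next to the hash, but it forces an
    attacker to attack each user separately instead of all of them at once."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-bake the candidate with the stored salt and iteration count, then compare in
    constant time so response timing does not reveal how much of the hash matched."""
    iterations, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate.hex(), digest_hex)
```

Storing the iteration count with each hash lets you raise the work factor later and re-hash users on their next successful login without a big-bang migration.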


Encrypt private user information

Encryption is different to hashing. A hash is designed to be irreversible, but encryption is designed to be reversible only with the correct key. This key can be a hashed password. Think of encryption as a padlock and the hashed password as the key. Ensure that all private information in your database is encrypted. This includes credit card details, home/billing addresses, driver’s licences and passports. Encryption makes it much harder for a hacker to obtain this information. In Australia, you must protect this personal data by law. Just recently, global companies have faced serious consequences because they didn’t have enough protection on their users’ data. The best practice is to have all your data obfuscated in a way that hackers cannot interpret. But make sure the developers have the time to implement this properly.
