Securing critical business systems from cyber-attack can be a complex task, with a seemingly endless array of methods available to choose from, each with pros and cons. To help focus our efforts, there are various cybersecurity models and frameworks available, such as the Essential Eight Maturity Model and the NIST Cybersecurity Framework, both of which offer excellent guidance on improving your cybersecurity posture.
Irrespective of which cybersecurity framework you choose, and which strategies you decide to pursue, there is one cybersecurity control that should be a no-brainer in every organisation, and that’s Multi-factor Authentication.
Multi-factor authentication is an authentication method that requires a user to provide two or more verification factors in order to prove their identity and gain access to a secure system. In many cases this will mean the user providing their usual password along with some other unique and verifiable piece of information.
There are three main forms of multi-factor authentication in common use:
Unfortunately, multi-factor authentication isn’t always enabled by default on the systems that you use, even though it most likely is available as a feature. Until you actively choose to enable MFA on each system that you use, you won’t receive the extra value that it offers, leaving critical business systems potentially exposed to cyber-attack.
So, what are the top 3 reasons to enable MFA?
The traditional approach of only requiring a username and password to log on to a secure system is unfortunately not very secure, particularly as cyber-criminals become increasingly determined.
Usernames are often easy to discover, frequently being nothing more than the user’s email address. Passwords can be hard to remember, particularly with so many different systems and passwords to keep track of, so people tend to pick simple ones, or reuse the same password on many different systems, all of which makes them easier to crack.
Multi-factor authentication on the other hand is extremely effective at protecting user accounts from unauthorised access. This is why most online services make MFA available, and why many such as banks have made MFA compulsory. Even if a cyber-criminal were to obtain your username and password, without access to your second authentication factor they would still not be able to access your user account.
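The argument above in working code, as an added example that is not part of the original article: a password-plus-TOTP (RFC 6238) check in Python, which accepts a leaked password on an account where MFA was never switched on and refuses the same password on an account where it was. The account records, usernames and passwords are constructed sample data, and the TOTP key used in the demonstration is the RFC 6238 test key.

```python
import hashlib
import hmac
import secrets
import struct
from typing import Optional

PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 of the password (the 'something you know' factor)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time in 30-second steps."""
    return hotp(secret, at_time // step, digits)


def verify_totp(secret: bytes, code: str, at_time: int, step: int = 30, window: int = 1) -> bool:
    """Accept the code for the current step or one step either side (clock-drift tolerance).

    The comparison is constant-time. A wider window weakens the factor, so keep it small.
    """
    if len(code) != 6 or not code.isdigit():
        return False
    for drift in range(-window, window + 1):
        t = at_time + drift * step
        if t < 0:
            continue
        if hmac.compare_digest(totp(secret, t, step), code):
            return True
    return False


def enroll(username: str, password: str, totp_secret: Optional[bytes] = None,
           mfa_enabled: bool = True) -> dict:
    """Build a constructed sample account record (a real system would persist this server-side)."""
    salt = secrets.token_bytes(16)
    return {
        "username": username,
        "salt": salt,
        "pw_hash": hash_password(password, salt),
        "totp_secret": totp_secret if totp_secret is not None else secrets.token_bytes(20),
        "mfa_enabled": mfa_enabled,
    }


def authenticate(account: dict, password: str, code: Optional[str], at_time: int) -> bool:
    """Grant access only when every enabled factor verifies.

    A single True/False is returned, so a caller cannot learn which factor was wrong.
    """
    pw_ok = hmac.compare_digest(hash_password(password, account["salt"]), account["pw_hash"])
    if not account["mfa_enabled"]:
        # MFA available but never switched on: the password alone is sufficient.
        return pw_ok
    code_ok = code is not None and verify_totp(account["totp_secret"], code, at_time)
    return pw_ok and code_ok


if __name__ == "__main__":
    # Constructed demonstration: the same leaked password against MFA-on and MFA-off accounts.
    KEY = b"12345678901234567890"  # RFC 6238 test key, not a real secret
    now = 59
    pw = "correct horse battery staple"
    protected = enroll("alice", pw, KEY)
    legacy = enroll("bob", pw, KEY, mfa_enabled=False)
    print("stolen password, MFA enabled :", authenticate(protected, pw, None, now))
    print("stolen password, MFA disabled:", authenticate(legacy, pw, None, now))
    print("password + current code      :", authenticate(protected, pw, totp(KEY, now), now))
```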
Multi-factor authentication offers several opportunities to enhance the user experience and, in the process, improve productivity, efficiency and user satisfaction. Single sign-on services that use multi-factor authentication allow users to sign on once and then be automatically and securely authenticated into multiple other systems, negating the need for them to sign on to each system individually.
Biometric multi-factor authentication can remove the need to manually enter any authentication details at all. A single fingerprint touch, or a glance at the camera in your laptop, can be sufficient to log in securely.
Finally, contrary to long-held wisdom, the current guidance from security experts such as Microsoft and NIST is to not force users to change their password periodically, but instead to let them keep the same password indefinitely – on the condition that the password chosen is long and complex, and multi-factor authentication is in use.
As many organisations seek to push cybersecurity compliance down through their supply chains, demonstrating the maturity of organisational cybersecurity is rapidly becoming a requirement for many government and commercial dealings.
Aligning with a broadly recognised cybersecurity framework such as the Essential Eight or the NIST Cybersecurity Framework is an effective and widely adopted approach to not only improving cybersecurity posture, but also being able to demonstrate that maturity to partner organisations when required.
Multi-factor authentication is identified as an essential security control in not only the major cybersecurity frameworks, but also directly in many commercial engagements such as cyber-insurance policies.
Multi-factor authentication should be a non-negotiable requirement in every organisation’s cybersecurity strategy. Not only does it provide an effective layer of protection against user account breach, but it can enhance user experience and productivity, while also helping to align the organisation with widely recognised cybersecurity standards.
I recently threw a question out to a group of my professional peers, asking them what they saw as the benefits of aligning IT strategy with business strategy.
The responses I received were nothing short of exceptional. It reinforced for me (yet again) what an insightful, intelligent and progressive professional community I have the good fortune to be part of.
Respondents represented a diverse range of positions including CEOs, founders, self-employed and employees, with an equally diverse range of industries represented, including IT, retail, professional services, medical and creative industries.
Even though everyone brought their own unique perspective to the discussion, it was interesting to see that the responses could easily be classed within three main categories.
A long time ago in a galaxy far, far away, computers were an indulgent option when running a business. Computers were expensive, had limited functionality and, to many, provided limited value beyond what traditional methods had done. Despite this, the march towards a technology-enabled future proceeded, led by finance departments looking for the efficiencies promised by so-called ‘spreadsheet’ software.
Fast forward to today and you would be hard pressed to find a business not dependent on IT in some way or another. These days IT is a given in pretty much every element of business, from finance to marketing, production, design, customer service and all points in between.
Given this universal adoption, simply ‘using’ IT is no longer enough to gain an advantage; it is now merely the table stakes to stay in the game. So does that mean that technology no longer has any competitive advantage to offer? Quite the contrary. However, to gain that advantage IT can no longer be considered an operational issue, but must be given a seat at the board table and aligned strongly with the overall business strategy.
In the not too distant past, being in ‘the cloud’ was a buzzword, but now a significant amount of the technology used in businesses is cloud-based.
Looking forward, businesses of all sizes and industries seem to be shifting their focus to data. Using business data to make informed decisions is actually quite a recent phenomenon. Where managers once relied upon ‘gut feel’ to chart their course, there are now extensive opportunities to gather, store, organise and utilise information from all sorts of sources to improve organisational agility and effectiveness.
So, essentially, there’s no competitive advantage in merely ‘using’ technology these days, but in using it strategically in alignment with the overall business goals.
Another benefit of aligning IT strategies with business goals is to focus the stakeholders on the objectives of the business. Then the IT systems can be used effectively to carry out those business goals.
It sounds simple enough, but first you need to be clear on what the business strategy is and clearly communicate that strategy to the people in your organisation, including your IT department, so they understand the core business goals and can work towards them. It’s often assumed that an organisation already has, and actively executes, a strategic plan, but unfortunately this isn’t always the case.
Aligning IT strategy with business goals helps guide and inform decision making, and ensures that everyone is working towards the same goals and is on the same page. IT systems that are selected and implemented in line with an organisation’s strategic plan are more likely to be valuable, well-used tools. A team is more likely to be on board with implementation and training on new technology if they understand how the IT systems fit in with the business goals.
Focusing IT efforts towards meeting data-driven business objectives will ensure that the whole business believes in the value of IT in achieving the underlying strategic course of the organisation. These days, there are more and more tools available to help harness the power of data from multiple sources into making informed decisions about the direction of the business.
In the Facebook age and with the advent of increased scrutiny from government and regulatory bodies, businesses of all sizes need to be more conscious of the way that they manage and secure sensitive information. Whilst there is some fantastic technology to assist businesses to manage their security, the reality is that alignment of business processes and competently trained staff operating in a culture of awareness is essential in realising the objective of running a secure business.
Ultimately, it’s very much a two-way street. Not only is it about your IT being responsive to and understanding the needs of your business; aligning your IT and business objectives also means that the risks and opportunities around technology are better managed in the business.
Especially in smaller organisations, resources will always be limited, so aligning IT with business strategy means that resources are being used most effectively.
Using the technology that aligns with business goals means that efficiencies can be achieved, which in turn keeps costs to a minimum.
Sometimes with technology, it’s easy to get swept up in the latest shiny gadgets and trends. And while it might be fun to own the latest iPhone, it may not be a necessary tool for stakeholders to achieve their goals. There will also be areas where you may not want to invest in new technologies because of high risks, costs or even fragmentation of your data or systems.
If the IT goals are aligned with the business goals, it allows the business to be proactive and intentional with the IT spend and therefore reduce unnecessary costs that come from being at the whim of trends.
There are many benefits to aligning your business’ IT strategy with its business goals, but they can largely be categorised into three areas. In order to remain competitive, to ensure that all stakeholders are working towards the same goals, and to maximise the value from limited resources, it’s worthwhile for business and IT strategies to be aligned. Technology for the sake of technology is of no benefit to anyone, but that doesn’t mean IT should limit its role to processing work orders and printing labels. If IT is providing technology leadership and aligning with the goals of the organisation, that is where the true power of IT in the business will be found.
Whether you are a Digital Transformation powerhouse, or you provide the best Tree Lopping services in Brisbane, technology is integral to the success of your organisation. This is especially true for small to medium businesses where margins can be thin, and the market competitive. To remain agile it’s critical to extract the most out of your technology. One way to do so is to engage the right Managed Service Provider (MSP) to provide outsourced IT support and services.
A Managed Service Provider is a company that gives organisations the capability to outsource their IT service delivery requirements. In other words, an MSP is essentially your IT department. If something breaks, they are on the other end of the phone to make things work again. A good MSP will also actively keep an eye on all systems, proactively resolving issues before they even impact business.
A great MSP will invest the time to learn your business deeply enough to make recommendations and actively partner with you on enabling your team to achieve their goals.
All businesses need IT support to some degree. These days it’s just part and parcel of doing business. Some organisations may be able to get by doing their own IT support, or perhaps only calling on an IT expert from time to time when things really get out of hand. But irrespective of how you currently manage your IT, at what point is it time to level up and engage with an MSP?
Here are some common signs it might be time to investigate whether engaging an MSP would be valuable for your business.
It’s probably fair to say that there are many businesses operating with one person wearing a multitude of hats, one of them being the “IT guy”. The problem with this is that, while this person is probably more tech savvy than the average bear, they are probably not up to date with the latest IT developments. It’s also probably a significant challenge for this busy person to balance the IT needs of the organisation whilst also remaining productive in their core job. Ultimately this leads to IT only receiving reactive attention when absolutely necessary, and a clear loss of focus and productivity for the lucky person.
You could hire a dedicated IT person (which is undoubtedly a better option than folding IT responsibilities into an existing role within the organisation), but not only is this a significant investment, what if your IT person gets sick or needs to take leave? Add to this the challenges of not only recruiting, but supporting, managing and developing a lone IT staff member, and this option can often prove a poor investment.
Instead of hiring your own in-house IT staff, you could consider using an MSP who can give you the benefits of a full IT department at a fraction of the cost. Your employees can focus on your core mission and you can rest easy knowing that your IT demands are being professionally managed.
When the systems we use on a daily basis break down, business owners very quickly realise that the technology powering their business is incredibly complex. If the technology under the bonnet in your business is constantly experiencing problems, there is a good chance that this is significantly impacting your staff happiness, customer experience and, of course, your bottom line.
Partnering with a quality MSP can take you from a reactive, painful break-fix cycle to a situation where you are empowered to plan your IT Strategy and benefit from reduced maintenance and replacement costs. A quality MSP will take a proactive approach to the maintenance, patching and monitoring of your technology and make business-focused recommendations on how to improve the business through technology (rather than selling you the latest technology, with its relevance to the business as an afterthought). Proactive is always a better, more economical option than being reactive.
It can be challenging to budget effectively for your IT requirements. Some months you might have to replace a laptop, while others may see you need to stump up for a new server or address a critical security incident that needs to be dealt with immediately. This is an even harder task for smaller businesses.
The ability to budget your IT services on a monthly basis makes planning how to spend your valuable dollars much easier. As well as more predictable costs for your services, your systems are actually kept in better working order and will last longer with professional programmed maintenance. The right MSP will be able to work with you to understand your business requirements and stabilise your IT spend over the medium term with forward planning and budgeting.
Each Managed IT service provider will price their IT support contracts differently; however, there are some common approaches that most MSPs work with.
This is a tried and true pricing model where customers are billed a predictable flat fee for the monitoring and maintenance of specific devices, such as laptop and desktop computers, servers and even mobile devices. The predictability and flexibility of this model is attractive to both customers and MSPs. A potential drawback arises where a customer organisation has numerous devices used by the same employee.
The per-user pricing model is similar to the per-device pricing model, with the difference being that the flat fee is billed per end user per month and covers support for all devices used by each end user.
The premise of the tiered managed service provider model is to build bundled packages of services, starting from a basic package and becoming increasingly expensive as more comprehensive services are included. Some companies use names like Bronze, Silver and Gold for each level.
As an example, a “Bronze” managed services package may include basic phone and remote support for an entry-level price. The higher-priced “Silver” desktop managed services package may add proactive patch management and scheduled on-site visits, while the “Gold” package may include around-the-clock emergency after-hours support.
Sometimes referred to as “cake” pricing (whereby you buy the entire cake, rather than the individual components of eggs, flour and icing), this model provides a comprehensive service and the MSP essentially becomes the outsourced IT department of the business. The comprehensive suite of services is certainly valuable to the customer because it provides specialist industry experience and advice, while not requiring the business owner to commit to their own permanent IT department as the business environment and their needs evolve over time.
Before embarking on employing the services of a Managed Service Provider, an agreement will generally be drawn up to protect the client and the MSP and ensure clear communication between the stakeholders.
Most MSP agreements will generally answer the following questions:
Your Managed Service Provider should be on top of all technological aspects of your infrastructure. They should be able to discern and have a record of which updates need to be implemented, and what hardware needs to be replaced when necessary. They should also have systems in place that ensure the technicians looking after your infrastructure are kept up to date and informed.
Your Managed Service Provider should be consistently evaluating the health of your infrastructure: ensuring that all systems are appropriately patched and secured, validating system utilisation, and recommending changes and upgrades to software and hardware when needed. They should be offering regular reviews of the overall status of your IT operations to ensure you are match fit. The true value of your MSP will be recognised not only in your technology being maintained at optimal performance and stability, but in enabling and empowering you to focus on your own core business and what really matters.
Your Managed Service Provider should want to develop a strategic partnership with your organisation to ensure long-term success for your business. An MSP should always have a top-level view of your entire IT infrastructure and how it relates to the operation of your business. In addition, your MSP should be able to respond and react to changing business conditions, and provide consultative advice on IT priorities and challenges that can affect your business, even if they’re not currently responsible for them.
In short, a strategic partnership with a quality Managed Service Provider should enable you to plan and budget for your main IT expenses, rather than falling into a costly and unpredictable break-fix cycle. When you find the right MSP to suit your business needs, you will be able to focus on your core business, confident that your IT systems are running smoothly and proactively managed.
It’s been an amazing few years at Grassroots IT, not least of all because of the international growth that we’ve experienced both with our clients and our team. If you had asked me five years ago whether Grassroots IT would one day not only be supporting multinational clients, but have our own workforce spread across three countries, I would have replied with “Maybe in 20 years”. Yet here we are, doing just that.
It turns out that running a geographically and culturally diverse team can be pretty rewarding but, like anything in business, it’s not without its challenges. Issues such as organisational culture, HR and, of course, legal and accounting matters all become so much more important when working with a diverse team. The good news is that there are some great resources available to help navigate these areas successfully.
Day to day operational activities also need careful attention to ensure that staff can operate effectively. Simply transferring a phone call to a colleague can become an entirely different proposition when that colleague is in a different timezone. Again, there is good news with a number of technology tools available to help.
Read on as we run through a selection of the tools that we use at Grassroots IT to let our diverse staff effectively support our clients across multiple countries and timezones.
Voice over IP (VoIP) is a technology that lets us run our phones over network and internet connections, rather than traditional phone lines. Using VoIP means that we’re not physically constrained to a particular location the way that we would be with traditional phone lines, as well as having some great features that are either hard or expensive to come by with traditional telephony.
Here are some examples of how we are using this to our advantage:
We haven’t done a direct comparison of our call costs using VoIP vs using traditional telephony, so I can’t comment on that, however I can say that we could not operate the way we do without the unique flexibility that VoIP provides.
Video calls in Microsoft Teams (a core part of Microsoft Office 365) are hands down our preferred way of communicating between team members. When we can’t physically be together in the same room, a video call is the next best thing. There’s so much unspoken context and communication that simply gets lost in email, chat and even voice calls that you can still convey via video. We have our daily huddles across countries using Teams, and making a video call is our preferred channel for one on one, or multi-party discussions.
Teams is also an excellent chat platform for those quick, sharp questions and answers that don’t need a full-blown conversation. We have a number of different channels within Teams covering a range of topics, such as one for helpdesk, one for the leadership team, and one for sharing the fun personal projects and hobbies we each enjoy.
Even though we find ourselves using fewer documents, such as Word and Excel files, they are still an important part of our business, and often need to be accessible to staff in multiple locations, as well as remotely from home or a client site. Traditionally we used a shared folder (which we called our G Drive) on one of our servers, which remote staff would need to access via a VPN. These days, with far more powerful and flexible options available, we no longer have a G Drive at all.
Microsoft SharePoint is our preferred method of file storage and sharing, as well as for hosting our intranet with sections for HR, Service Delivery and Projects. SharePoint also integrates perfectly with Microsoft Teams, meaning that a lot of the time we don’t even have to leave the excellent Teams application to access our SharePoint content.
You may have noticed a common thread running through all of these systems that we rely on – namely that they all support, at their core, the two concepts of Cloud and Mobility. The reality is that cloud and mobile friendly applications are now the norm (for very good reason), and if you’re not embracing this yet in your business, you can be confident that your clients and competitors are. In our case these solutions have enabled our business to evolve in directions that only a few years ago would have been very challenging and expensive.
In just the last five years, business leaders have changed the tone of their cyber security conversations. It is no longer a discussion about layers of defence or the beefiness of the firewall; instead, directors now understand it’s no longer a matter of ‘if’ but a matter of ‘when’ the system will be breached. And the smart companies have already started to shift their resources from preventative techniques to detective ones.
The fact that historical approaches to cybersecurity are no longer good enough is an indication that cyber attackers have become more intelligent and patient, and that the nature of the attacks is more sophisticated. In today’s digital world, this is something business leaders have come to accept.
The perimeter of your network can no longer be defined and effectively controlled; instead, attackers have learned to be patient and exploit lower-risk vulnerabilities that are usually ignored by internal IT teams, allowing exploits to go unnoticed.
This is all the more reason Australian businesses need to take cyber security more seriously. The first step will be to focus on predicting where the next risks will be for their business and working pre-emptively to come up with solutions.
There is no better way to demonstrate the urgency of developing formal cyber security plans for your business than looking at some of the big players and the cost of their data breaches:
Target, the brand we know and love, was subjected to a malware-based attack through a compromised point of sale system that allowed hackers to steal customers’ credit card information for three years without detection. Target’s share price dropped 13.7% in the month it announced the data breach, and the company said the cost of the breach aftermath was close to $163 million.
This time hackers used more complex exploits. They utilised highly sophisticated phishing, calling employees pretending to be from internal IT teams, and ended up creating fake digital authentication certificates to bypass security systems. The breach allowed the hackers to expose Sony’s entire employee email servers to the public. Sony admitted the cost of the IT repairs after the breach totalled $35 million, with the total cost of the breach coming close to $1 billion.
Government departments are especially vulnerable, which is why the Coalition has recently introduced an Australian Government Cyber Security Strategy. In the United States, meanwhile, the Office of Personnel Management had 22 million government employee records stolen by a contractor who was tasked with performing background checks. The information stolen included employee driver’s licences and passport information.
In one of the largest breaches of customer information ever recorded, Yahoo reported in late 2016 that a breach had occurred three years earlier, in 2013, in which over 1 billion user accounts were compromised by hackers. The cyber criminals took and published the user records, which included full names, emails, dates of birth, secret questions and answers, and passwords. Verizon Communications reduced its original takeover bid for Yahoo by $925 million as a result of this breach. While the full cost of the breach has not been disclosed, its catastrophic effect has certainly been felt in the reputational damage Yahoo has faced in the media.
This is the question most people want answered: how can I be breached? The premise of the question is really ‘what can I do to prevent this particular breach?’ The reality is that, in close to 60% of cases, attackers will be able to compromise an unprepared organisation within minutes.
Between 70% and 90% of malware samples were unique to the organisation they were created for. This means attackers will likely evaluate your specific business, looking closely at the applications you are running, to develop a unique exploit.
Phishing also remains a very high risk. Two thirds of incidents where a business was compromised included a pattern of phishing. In a recent study by the Ponemon Institute, 23% of business employees opened phishing messages and 11% clicked on attachments within the first hour of receiving them.
Perhaps you’re not in the middle of a takeover bid, but the cost of a cyber breach will still be great. IBM interviewed 1500 organisations and found that the data breach cost per record (that is, think how many paying customers you have ever had in your company records) would amount to between $200 and $400 per customer. And the costs are growing. You need to consider not only the IT repair and hardware costs, but the reputational damage that will inevitably occur when the Privacy Commissioner forces you to publicly disclose that your company was breached (and the cost of fines if you don’t).
Start by assessing the cyber risks that apply to your business. Look at your cyber maturity and your business objectives:
Cyber threats will continue to rapidly evolve in the years to come. It is now more critical than ever to ensure you remain a step ahead of cyber criminals and your competitors to give your company the edge to grow and succeed securely.
https://techcrunch.com/2015/02/25/target-says-credit-card-data-breach-cost-it-162m-in-2013-14/
http://www.csoonline.com/article/2879444/data-breach/hack-to-cost-sony-35-million-in-it-repairs.html
https://cybersecuritystrategy.dpmc.gov.au/assets/img/PMC-Cyber-Strategy.pdf
http://fortune.com/2017/01/09/yahoo-marissa-mayer-board-verizon-acquisition/
Cost of Data Breach Study: United States, Ponemon Institute LLC, May 2016.
https://www-03.ibm.com/security/infographics/data-breach/
This is a guest post by Gavin McDowell, Chief Security Officer at Gridware Cybersecurity. Gavin is a highly experienced information security expert with over 17 years’ experience in the IT industry. Prior to Gridware, Gavin held several senior security roles at Accenture Consulting, Symantec Australia and Westpac Banking Corporation. Gavin has a Bachelor of Computer Science (First Class Honours) from the University of Sydney and a Masters of Business Administration from Macquarie Graduate School of Management.