Securing critical business systems from cyber-attack can be a complex task, with a seemingly endless array of methods available to choose from, each with pros and cons. To help focus our efforts there are various cybersecurity models and frameworks available such as The Essential Eight Maturity Model and the NIST Cybersecurity Framework, both of which offer excellent guidance on improving your cybersecurity posture.

Irrespective of which cybersecurity framework you choose, and which strategies you decide to pursue, there is one cybersecurity control that should be a no-brainer in every organisation, and that’s Multi-factor Authentication.

What is multi-factor authentication?

Multi-factor authentication is an authentication method that requires a user to provide two or more verification factors in order to prove their identity, and gain access to a secure system. In many cases this will mean the user providing their usual password along with some other unique and verifiable piece of information.

There are three main forms of multi-factor authentication in common use:

  • Unique code: In addition to their password the user will be prompted to enter a unique code that they obtain either via a text message, or via an authentication app installed on their smartphone. These codes are valid only for a very short duration, often 60 seconds, before a fresh code is required to successfully complete authentication.
  • Authentication app: When the user attempts to log on to a secure system with their username and password, a prompt will appear on a special authentication app installed on their smartphone. They then simply tap to accept the prompt, and authentication will proceed.
  • Biometric: Every one of us has unique and verifiable biometric features, such as our fingerprints and facial appearance. These unique features can be scanned and used as a second authentication factor.

Why you should enable multi-factor authentication whenever possible

Unfortunately, multi-factor authentication isn’t always enabled by default on the systems that you use, even though it most likely is available as a feature. Until you actively choose to enable MFA on each system that you use, you won’t receive the extra value that it offers, leaving critical business systems potentially exposed to cyber-attack.

So, what are the top 3 reasons to enable MFA?

#1 – MFA protects accounts from unauthorized access

The traditional approach of only requiring a username and password to log on to a secure system is unfortunately not actually very secure, particularly as cyber-criminals become increasingly determined.

Usernames are often easy to discover, frequently being just the user’s email address. Passwords can be hard to remember, particularly with so many different systems and passwords to keep track of, so people tend to pick simple ones, or use the same password on many different systems, all of which makes them easier to crack.

Multi-factor authentication on the other hand is extremely effective at protecting user accounts from unauthorised access. This is why most online services make MFA available, and why many such as banks have made MFA compulsory. Even if a cyber-criminal were to obtain your username and password, without access to your second authentication factor they would still not be able to access your user account.

#2 – MFA can enhance the user experience

Multi-factor authentication offers several opportunities to enhance the user experience and, in the process, improve productivity, efficiency and user satisfaction. Single sign-on services that use multi-factor authentication allow users to sign on once, and then be automatically and securely authenticated into multiple other systems, negating the need for them to sign on to each system individually.

Biometric multi-factor authentication can alleviate the need to manually enter any authentication details at all. A single fingerprint touch, or a glance at the camera in your laptop, can be sufficient to securely log in.

Finally, contrary to long held wisdom, the current guidance from security experts such as Microsoft and the NIST is to not force users to change their password periodically, but instead to let them keep the same password indefinitely – on the condition that the password chosen is long, complex, and multi-factor authentication is in use.

#3 – MFA can help comply with standards & regulations

As many organisations seek to push cybersecurity compliance down through their supply chains, demonstrating the maturity of organisational cybersecurity is rapidly becoming a requirement for many government and commercial dealings.

Aligning with a broadly recognised cybersecurity framework such as The Essential Eight or the NIST is an effective and widely adopted approach to not only improving cybersecurity posture, but also being able to demonstrate that maturity to partner organisations when required.

Multi-factor authentication is identified as an essential security control in not only the major cybersecurity frameworks, but also directly in many commercial engagements such as cyber-insurance policies.

Watch our free on-demand webinar now: The Essential Eight Cybersecurity Maturity Model

Conclusion

Multi-factor authentication should be a non-negotiable requirement in every organisation’s cybersecurity strategy. Not only does it provide an effective layer of protection against user account breach, but it can enhance user experience and productivity, while also helping to align the organisation with widely recognised cybersecurity standards.

I recently threw a question out to a group of my professional peers, asking them what they saw as the benefits of aligning IT strategy with business strategy.

The responses I received were nothing short of exceptional. It reinforced for me (yet again) what an insightful, intelligent and progressive professional community I have the good fortune to be part of.

Respondents represented a diverse range of positions including CEOs, founders, self-employed and employees, with an equally diverse range of industries represented, including IT, retail, professional services, medical and creative industries.

Even though everyone brought their own unique perspective to the discussion it was interesting to see that responses could be classed easily within three main categories.

Related: Three Crucial Elements for your IT Strategy

Using Information Technology helps businesses remain competitive

A long time ago in a galaxy far, far away, computers were an indulgent option when running a business. Computers were expensive, had limited functionality and, to many, provided limited value beyond what traditional methods had done. Despite this, the march towards a technology-enabled future proceeded, led by finance departments looking for the efficiencies promised by so-called ‘spreadsheet’ software.

Fast forward to today and you would be hard pressed to find a business not dependent on IT in some way or another. These days IT is a given in pretty much every element of business, from finance to marketing, production, design, customer service and all points in between.

Given this universal adoption, simply ‘using’ IT these days is no longer enough to gain advantage, but is now mere table stakes to stay in the game. So does that mean that technology no longer has any competitive advantage to offer? Quite the contrary. However, to gain that advantage IT can no longer be considered an operational issue, but must be given a seat at the board table and aligned strongly with the overall business strategy.

In the not too distant past, being in ‘the cloud’ was a buzzword, but now a significant amount of the technology used in businesses is cloud based.

Looking forward, businesses of all sizes and industries seem to be shifting their focus to data. Using business data to make informed decisions is actually quite a recent phenomenon. Where managers once relied upon ‘gut feel’ to chart their course, there are now extensive opportunities to gather, store, organise and utilise information from all sorts of sources to improve organisational agility and effectiveness.  

So, essentially, there’s no competitive advantage in merely ‘using’ technology these days, but in using it strategically in alignment with the overall business goals.

Aligning IT and business goals helps focus the organisation on business objectives

Another benefit of aligning IT strategies with business goals is to focus the stakeholders on the objectives of the business. Then the IT systems can be used effectively to carry out those business goals.

It sounds simple enough, but first you need to be clear on what the business strategy is and clearly communicate this strategy with the people in your organisation, including your IT department, so they understand the core business goals and can work towards them. It’s often assumed that an organisation already has, and actively executes a strategic plan, but unfortunately this isn’t always the case. 

Aligning IT strategy with business goals helps guide and inform decision making, and ensures that everyone is working towards the same goals and is on the same page. IT systems that are selected and implemented in line with an organisation’s strategic plan are more likely to be valuable, well used tools. A team is more likely to be on board with implementation and training on the new technology if they understand how the IT systems fit in with the business goals.

Focusing IT efforts towards meeting data-driven business objectives will ensure that the whole business believes in the value of IT in achieving the underlying strategic course of the organisation. These days, there are more and more tools available to help harness the power of data from multiple sources into making informed decisions about the direction of the business.

In the Facebook age and with the advent of increased scrutiny from government and regulatory bodies, businesses of all sizes need to be more conscious of the way that they manage and secure sensitive information. Whilst there is some fantastic technology to assist businesses to manage their security, the reality is that alignment of business processes and competently trained staff operating in a culture of awareness is essential in realising the objective of running a secure business. 

Ultimately, it’s very much a two way street. Not only is it about your IT being responsive and understanding the needs of your business, but aligning your IT and business objectives also means ensuring that the risks and opportunities around technology are better managed in the business.

Maximise value from limited resources for long term success

Especially in smaller organisations, resources will always be limited, so aligning IT with business strategy means that resources are being used most effectively. 

Using the technology that aligns with business goals means that efficiencies can be achieved, which in turn keeps costs to a minimum. 

Sometimes with technology, it’s easy to get swept up in the latest shiny gadgets and trends. And while it might be fun to own the latest iPhone, it may not be a necessary tool for stakeholders to achieve their goals.  There will also be areas where you may not want to invest in new technologies because it would be undesirable due to high risks, costs or even fragmentation of your data or systems. 

If the IT goals are aligned with the business goals, it allows the business to be proactive and intentional with the IT spend and therefore reduce unnecessary costs that come from being at the whim of trends. 

There are many benefits to aligning your business’ IT strategy with its business goals, but they can largely be categorised into three areas. In order to remain competitive, to ensure that all stakeholders are working towards the same goals, and to maximise the value from limited resources, it’s worthwhile for business and IT strategies to be aligned. Technology for the sake of technology is of no benefit to anyone, however that doesn’t mean IT should limit its role to processing work orders and printing labels. If IT is providing technology leadership and aligning with the goals of the organisation, that is where the true power of IT will be found in the business.

As the new Notifiable Data Breach Scheme comes into effect in Australia as of 22 February 2018, there is now an onus on business to protect and notify individuals whose personal information is involved in a data breach that is likely to result in serious harm. When most people think of data breaches, they think of sneaky virus attacks with employees being tricked into opening files allowing viruses to penetrate servers, but the reality can be much more mundane, plausible and preventable. And it’s not all about IT systems and cybersecurity. There have been numerous cases of hard copy records being disposed of inappropriately, sensitive data on USBs lost on the way home, or machines being disposed of complete with data on the hard disk. (As a side note, did you know that GrassrootsIT offers a service where your decommissioned hardware is disposed of securely?)

Who is covered by the data breach scheme?

The Notifiable Data Breach (NDB) Scheme affects organisations covered by the Privacy Act – that is, organisations with an annual turnover of $3 million or more. But, if your business is ‘related to’ another business covered by the Privacy Act, or deals with health records (including gyms, child care centres, natural health providers, etc.), or is a credit provider, then your business is also affected.

What do you need to do?

Complying with these new laws means more than ringing the bell and notifying your customers and authorities when a breach occurs. Organisations are required to take all reasonable steps to prevent a breach occurring in the first place. This means putting in place the systems and procedures to identify and assess breaches and issue a notification if a breach is likely to cause ‘serious harm’.

How do you assess your risk?

The Privacy Act already requires organisations to take all reasonable steps to protect personal information. The new data breach laws merely add an additional layer to assess breaches and notify where the breach poses a threat.

Firstly, consider some of the following questions:
  • How does personal information flow into and out of your business?
  • What information do you gather?
  • What information do you provide?
  • Where do you store private information? What systems do you use, where do these systems store data, what level of security is provided within those systems, and what level of access does each team member have (and should they have access for their role)?
  • Who in your organisation has access to sensitive information? Not just who accesses the information for their work, but who ‘could’ access this information?
  • What are the possible impacts on an individual’s privacy?
  • What policies and procedures are in place to manage private information, including risk management and mitigation, and are these adhered to and actively managed?
  • Do you have a policy review process, and if so, is it reviewed at least annually, and also with the introduction of new systems and technology? (Remember, you can’t just have a policy sitting somewhere; it needs to be actively reinforced and adopted by team members.)

Protect your business. Document, document, document! If there is ever an issue where your business’ culpability is assessed, your capacity to prove that you took all reasonable steps will be important.

What is your Data Breach Plan?

When it comes to data breaches, all organisations must have a data breach response plan. The data breach plan covers the:
  • Actions to be taken if a breach is suspected, discovered or reported by a staff member, including when it is to be escalated to the response team;
  • Members of your data breach response team (response team); and
  • Actions the response team is expected to take.
Hopefully all the systems you have in place will ensure you don’t need to deal with a data breach, but if it does happen, you will need to notify various parties, including:
  • The individuals impacted by the data breach
  • The Office of the Australian Information Commissioner
You can notify the Commissioner using this form. To access the full guide to the Notifiable Data Breach Scheme, you can find it on the OAIC website. While it’s unknown at this stage what the repercussions will be from a data breach and how the OAIC will police it, it’s important that we get our preparation in place. At the end of the day, making sure we have robust systems to protect the data of our clients should be high on the priority list anyway – this is just another reminder to ensure we have the right policies and procedures in place to back up what we’re already doing. If you need any assistance assessing the security of your IT systems, contact us today.

Whether you are a Digital Transformation powerhouse, or you provide the best Tree Lopping services in Brisbane, technology is integral to the success of your organisation. This is especially true for small to medium businesses where margins can be thin, and the market competitive. To remain agile it’s critical to extract the most out of your technology. One way to do so is to engage the right Managed Service Provider (MSP) to provide outsourced IT support and services.

What is a Managed Service Provider?

A Managed Service Provider is a company that gives organisations the capability to outsource their IT service delivery requirements.  In other words, an MSP is essentially your IT department. If something breaks, they are on the other end of the phone to make things work again. A good MSP will also actively keep an eye on all systems, proactively resolving issues before they even impact business.

A great MSP will invest the time to learn your business deeply enough to make recommendations and actively partner with you on enabling your team to achieve their goals.

When do I need a Managed Service Provider?

All businesses need IT support to some degree. These days it’s just part and parcel of doing business. Some organisations may be able to get by doing their own IT support, or perhaps only calling on an IT expert from time to time when things really get out of hand. But irrespective of how you currently manage your IT, at what point is it time to level up and engage with an MSP?

Here are some common signs it might be time to investigate whether engaging an MSP would be valuable for your business.

You don’t have a dedicated IT department or IT staff member

It’s probably fair to say that there are many businesses operating with one person wearing a multitude of hats, one being the “IT guy”. The problem with this is that, while this person is probably more tech savvy than the average bear they are probably not up to date with the latest IT developments. It’s also probably a significant challenge for this busy person to balance the IT needs of the organisation whilst also remaining productive at their core job. Ultimately this leads to IT only receiving reactive attention when absolutely necessary, and a clear loss of focus and productivity from the lucky person.

You could hire a dedicated IT person (which is undoubtedly a better option than folding IT responsibilities into an existing role within the organisation), but not only is this a significant investment, what if your IT person gets sick or needs to take leave? Add to this the challenges of not only recruiting, but supporting, managing and developing a lone IT staff member, and this option can often prove a poor investment.

Instead of hiring your own in-house IT staff, you could consider using an MSP who can give you the benefits of a full IT department at a fraction of the cost. Your employees can focus on your core mission and you can rest easy knowing that your IT demands are being professionally managed.

You experience ongoing technology headaches

When the systems we use on a daily basis break down, business owners very quickly realise that the technology powering their business is incredibly complex. If the technology under the bonnet in your business is constantly experiencing problems, there is a good chance that this is significantly impacting your staff happiness, customer experience and of course your bottom line.

Partnering with a quality MSP can take you from a reactive, painful break-fix cycle to a situation where you are empowered to plan your IT Strategy and benefit from reduced maintenance and replacement costs. A quality MSP will take a proactive approach to the maintenance, patching and monitoring of your technology and make business-focused recommendations on how to improve the business through technology (rather than selling you the latest technology, with its relevance to the business as an afterthought). Proactive is always a better, more economical option than being reactive.

Your IT costs are unpredictable

It can be challenging to budget effectively for your IT requirements. Some months you might have to replace a laptop, while others may see you need to stump up for a new server or address a critical security incident that needs to be dealt with immediately. This is an even harder task for smaller businesses.

The ability to budget your IT services on a monthly basis makes planning how to spend your valuable dollars much easier. As well as more predictable costs for your services, your systems are actually kept in better working order and will last longer with professional programmed maintenance. The right MSP will be able to work with you to understand your business requirements and stabilise your IT spend over the medium term with forward planning and budgeting.

What types of Managed Service Provider pricing models are available

Each Managed IT service provider will price their IT support contracts differently; however, there are some common approaches that most MSPs work with.

Per Device

This is a tried and true pricing model where customers are billed a predictable flat fee for the monitoring and maintenance of specific devices, such as laptop and desktop computers, servers and even mobile devices. The predictability and flexibility of this model is attractive to both customers and the MSP. A potential drawback arises where customer organisations have numerous devices used by the same employee.

Per User

The per-user pricing model is similar to the per-device pricing model, with the difference being that the flat fee is billed per end user per month and covers support for all devices used by each end user.

Tiered

The premise of the tiered managed service provider model is to build bundled packages of services, starting from a basic package and becoming increasingly more expensive as more comprehensive services are provided. Some companies use names like Bronze, Silver and Gold for each level.

As an example, a “Bronze” managed services package may include basic phone and remote support for an entry-level price. The higher priced “Silver” desktop managed services package may add proactive patch management and scheduled on-site visits, and the “Gold” package may include around-the-clock emergency after-hours support.

All You Can Eat

Sometimes referred to as “cake” pricing (whereby you buy the entire cake, rather than the individual components of eggs, flour and icing) this model provides a comprehensive service and the MSP essentially becomes the outsourced IT department of the business. The comprehensive suite of services is certainly valuable to the customer because it provides specialist industry experience and advice, but it doesn’t require the business owner to commit to their own permanent IT department when the business environment and their needs evolve over time.

How do contracts with MSPs generally work?

Before embarking on employing the services of a Managed Service Provider, an agreement will generally be drawn up to protect the client and the MSP and ensure clear communication between the stakeholders.

Most MSP agreements will generally answer the following questions:

  • Who: Who are the parties involved? Of course, there is the MSP and client but are there any other third party entities in the picture?
  • What: What services are being provided? What devices are covered? Arguably more importantly, what isn’t covered under the agreement? What are the expectations in terms of access and resources to facilitate the MSP in being enabled to deliver the required level of service?
  • Where: Does the provision of services entail remote delivery or are on-site services included as well? If on-site is not covered, what is the hourly rate to do any on-site work? What client locations are included?
  • When: What are the hours of operation? What are the Service Level Agreements for response time, resolution?
  • How: What is the process for customers to submit a service request? How are issues escalated? What are the terms of payment for the account?
  • Baseline

How do I choose a Managed IT Service Provider?

You need an MSP that is up to date with your technology.

Your Managed Service Provider should be on top of all technological aspects of your infrastructure. They should be able to discern and have a record of which updates need to be implemented, and what hardware needs to be replaced when necessary. They should also have systems in place that ensure the technicians looking after your infrastructure are kept up to date and informed.

You need an MSP that focuses on optimising your technology investment.

Your Managed Service Provider should be consistently evaluating the health of your infrastructure, ensuring that all systems are appropriately patched and secured, validating system utilization, recommending changes and upgrades to software and hardware when needed. They should be offering constant reviews on the overall status of your IT operations to ensure you are match fit. The true value of your MSP will be recognised not only by your technology being maintained at optimal performance and stability, but in enabling and empowering you to focus on your own core business and what really matters.

You need an MSP who works in a strategic partnership with your organisation.

Your Managed Service Provider should want to develop a strategic partnership with your organisation to ensure long term success for your business. An MSP should always have a top-level view of your entire IT infrastructure and how it relates to the operation of your business. In addition, your MSP should be able to respond and react to changing business conditions, and provide consultative advice to IT priorities and challenges that can affect your business even if they’re not currently responsible for it.

In short, a strategic partnership with a quality Managed Service Provider should enable you to plan and budget for your main IT expenses, rather than falling into a costly and unpredictable break-fix cycle. When you find the right MSP to suit your business needs, you will be able to focus on your core business, confident that your IT systems are running smoothly and proactively managed.

It’s been an amazing few years at Grassroots IT, not least of all because of the international growth that we’ve experienced both with our clients and our team. If you had asked me five years ago whether Grassroots IT would one day not only be supporting multinational clients, but have our own workforce spread across three countries, I would have replied with “Maybe in 20 years”. Yet here we are, doing just that.

It turns out that running a geographically and culturally diverse team can be pretty rewarding but, like anything in business, it’s not without its challenges. Issues such as organisational culture, HR and, of course, legal and accounting matters all become so much more important when working with a diverse team. The good news is that there are some great resources available to help navigate these areas successfully.

Day to day operational activities also need careful attention to ensure that staff can operate effectively. Simply transferring a phone call to a colleague can become an entirely different proposition when that colleague is in a different timezone. Again, there is good news with a number of technology tools available to help.

Read on as we run through a selection of the tools that we use at Grassroots IT to let our diverse staff effectively support our clients across multiple countries and timezones.

Voice over IP (VoIP) Telephones

Voice over IP (VoIP) is a technology that lets us run our phones over network and internet connections, rather than traditional phone lines. Using VoIP means that we’re not physically constrained to a particular location the way that we would be with traditional phone lines, as well as having some great features that are either hard or expensive to come by with traditional telephony.

Here are some examples of how we are using this to our advantage:

  • All of our staff have an extension on our phone system, irrespective of what country they are in. They can answer calls, make calls, and transfer calls easily.
  • Most of our staff do not use a physical telephone. Instead they use a softphone application on their computer or smartphone. This also means they effectively take their extension with them when working from a client site, or home.
  • We have multiple phone numbers coming into the one phone system. For example we have a local phone number in Brisbane and another in Auckland, both ringing into the same phone system.

We haven’t done a direct comparison of our call costs using VoIP vs using traditional telephony, so I can’t comment on that, however I can say that we could not operate the way we do without the unique flexibility that VoIP provides.

Microsoft Teams for video, chat & collaboration

Video calls in Microsoft Teams (a core part of Microsoft Office 365) are hands down our preferred way of communicating between team members. When we can’t physically be together in the same room, a video call is the next best thing. There’s so much unspoken context and communication that simply gets lost in email, chat and even voice calls that you can still convey via video. We have our daily huddles across countries using Teams, and making a video call is our preferred channel for one on one, or multi-party discussions.

Teams is also an excellent chat platform for those quick, sharp questions and answers that don’t need a full blown conversation. We have a number of different channels within Teams covering a range of topics, such as one for helpdesk, one for the leadership team, and one for sharing the fun personal projects and hobbies we each enjoy.

SharePoint for document management

Even though we find ourselves using fewer documents, such as Word and Excel files, they are still an important part of our business, and often need to be accessible to staff in multiple locations, as well as remotely from home or a client site. Traditionally we have used a shared folder (which we called our G Drive) on one of our servers, which remote staff would need to access via a VPN. These days with far more powerful and flexible options available, we no longer have a G drive at all.

Microsoft SharePoint is our preferred method of file storage and sharing, as well as for hosting our intranet with sections for HR, Service Delivery and Projects. SharePoint also integrates perfectly with Microsoft Teams, meaning that a lot of the time we don’t even have to leave the excellent Teams application to access our SharePoint content.

You may have noticed a common thread running through all of these systems that we rely on – namely that they all support, at their core, the two concepts of Cloud and Mobility. The reality is that cloud and mobile friendly applications are now the norm (for very good reason), and if you’re not embracing this yet in your business, you can be confident that your clients and competitors are. In our case these solutions have enabled our business to evolve in directions that only a few years ago would have been very challenging and expensive.

In just the last five years, business leaders have changed the tone of their cyber security conversations. It is no longer a discussion about layers of defence or the beefiness of the firewall, instead Directors now understand it’s no longer a matter of ‘if’ but instead a matter of ‘when’ the system will be breached. And the smart companies have already started to shift their resources from preventative techniques to detective ones.

The fact that historical approaches to cybersecurity are no longer good enough is an indication that cyber attackers have become more intelligent and patient, and that the nature of the attacks is more sophisticated. In today’s digital world, this is something business leaders have come to accept.

The perimeter of your network can no longer be defined and effectively controlled; instead, attackers have learned to be patient and exploit lower-risk vulnerabilities that are usually ignored by internal IT teams, allowing exploits to go unnoticed.

This is all the more reason Australian businesses need to take cyber security more seriously. The first step is to focus on predicting where the next risks to their business will be, and working pre-emptively to come up with solutions.

There is no better way to demonstrate the urgency of developing formal cyber security plans for your business than looking at some of the big players and the cost of their data breaches:

Case Study 1 – Target

The brand we know and love, Target, was subjected to a malware-based attack through a compromised point-of-sale system that allowed hackers to steal customers’ credit card information for three years without detection. Target’s share price dropped 13.7% in the month it announced the data breach, and it said the cost of the breach aftermath was close to $163 million.

Case Study 2 – Sony Pictures

This time the hackers used more complex exploits. They utilised highly sophisticated phishing, called employees pretending to be from the internal IT team, and ended up creating fake digital authentication certificates to bypass security systems. The breach allowed the hackers to expose the entire Sony employee email servers to the public. Sony admitted that the IT repairs after the breach cost $35 million, with the total cost of the breach coming close to $1 billion.

Case Study 3 – US Office of Personnel Management

Government departments are especially vulnerable, which is why the Coalition has recently introduced an Australian Government Cyber Security Strategy. In the United States, the Office of Personnel Management had 22 million government employee records stolen by a contractor who had been tasked with performing background checks. The stolen information included employee driver’s licence and passport details.

Case Study 4 – Yahoo

In one of the largest breaches of customer information ever recorded, Yahoo reported in late 2016 that a breach three years earlier, in 2013, had compromised over 1 billion user accounts. The cyber criminals took and published the user records, which included full names, email addresses, dates of birth, secret questions and answers, and passwords. Verizon Communications reduced its original take-over bid for Yahoo by $925 million as a result of this breach. While the real cost of the breach has not been disclosed, its catastrophic effect has certainly been felt in the reputational damage Yahoo has faced in the media.

So how can my company be compromised?

This is the question most people want answered: how can I be breached? The premise behind it is ‘what can I do to prevent this particular breach?’ The reality is that, in close to 60% of cases, attackers will be able to compromise an unprepared organisation within minutes.

Between 70% and 90% of malware samples were created uniquely for a single organisation. This means attackers will likely evaluate your specific business, looking closely at the applications you are running in order to develop a unique exploit.

Phishing is also a very high risk. Two thirds of incidents where a business was compromised included a pattern of phishing. In a recent study by the Ponemon Institute, 23% of business employees opened phishing messages and 11% clicked on attachments within the first hour of receiving them.

What will a cyber breach cost?

Perhaps you’re not in the middle of a take-over bid, but the cost of a cyber breach will still be great. IBM interviewed 1500 organisations and found that the data breach cost per record (think of how many paying customers have ever appeared in your company records) amounts to between $200 and $400 per customer. And the costs are growing. You need to consider not only the IT repair and hardware costs, but also the reputational damage that will inevitably occur when the Privacy Commissioner forces you to publicly disclose that your company was breached (and the cost of fines if you don’t).

Where should I focus if I want to protect my business?

Start by assessing the cyber risks that apply to your business. Look at your cyber maturity and your business objectives:

  • What digital solutions are changing in line with where the business is heading?
  • Consider how you will mitigate those risks, what is your ‘plan b’ and ‘failsafe’ for each critical system?
  • What type of cyber awareness training might be appropriate for your employees and how regularly should they refresh their knowledge?
  • Ensure you have senior management support for good cyber practices, and that this is reflected in the company culture.
  • Ensure you have three lines of defence for critical systems:
    • the right configurations,
    • effective and regular monitoring of those controls and configurations, and
    • having an independent expert regularly audit and assess those controls to determine any weaknesses.

Cyber threats will continue to rapidly evolve in the years to come. It is now more critical than ever to ensure you remain a step ahead of cyber criminals and your competitors to give your company the edge to grow and succeed securely.

References:

https://techcrunch.com/2015/02/25/target-says-credit-card-data-breach-cost-it-162m-in-2013-14/

http://www.csoonline.com/article/2879444/data-breach/hack-to-cost-sony-35-million-in-it-repairs.html

https://cybersecuritystrategy.dpmc.gov.au/assets/img/PMC-Cyber-Strategy.pdf

http://www.cnbc.com/2017/03/14/verizon-sought-925-million-discount-for-yahoo-merger-got-350-million.html

http://fortune.com/2017/01/09/yahoo-marissa-mayer-board-verizon-acquisition/

Cost of Data Breach Study: United States, Ponemon Institute LLC, May 2016.

https://www-03.ibm.com/security/infographics/data-breach/

This is a guest post by Gavin McDowell, Chief Security Officer at Gridware Cybersecurity. Gavin is a highly experienced information security expert with over 17 years experience in the IT industry. Prior to Gridware, Gavin held several senior security roles at Accenture Consulting, Symantec Australia and Westpac Banking Corporation. Gavin has a Bachelor of Computer Science (First Class Honours) from the University of Sydney and a Masters of Business Administration from Macquarie Graduate School of Management.

“Our strategy is to provide a superior service and charge more than the competition does.” “Our strategy is cost based…we can service the client cheaper than our competitors can.” “We use the shotgun strategy. It works well for us.” “Our strategy is to not grow too fast.”

We have all heard these strategy statements, or ones like them. There are many more where they come from, and a significant similarity between them is that none is a strategy on its own. The point here is that each statement may address a key business function or decision, but if it is pursued in isolation or is over-emphasised, it may lead to gaps or weaknesses in other areas of the business plan. Business strategists (owners, managers and entrepreneurs) must have an integrated, overarching concept of how the business will achieve its objectives – a strategy.

It may seem as though strategy is something for the ‘big corporates’ to worry about, but strategy is just as important for small and medium enterprises – to channel the passion and drive that most small business owners have into positive results.

It is interesting that the word ‘strategy’ is derived from the Greek ‘strategos’, or ‘the art of the General’. An important link here is that the General(s) referred to, similar to business leaders, had to orchestrate multiple battles on multiple fronts over extended time frames. They had to resource their army, then ensure that all components of their forces were where they had to be, when they had to be, doing what they had to do and complementing each other. Hannibal’s decision to use elephants to cross the Alps was not his whole strategy…it was a small part of it.

So where to go for help? A search for ‘business strategy’ books on Amazon.com this week resulted in 13,246 listings. Needless to say, there is no shortage of reading material available on the subject.
Getting straight to the point, an excellent article on the subject is by respected authors Hambrick & Frederickson (2001), who argue that a comprehensive business strategy addresses five elements.

1. ARENAS: Where will we compete?
  • Which geographic locations?
  • Which market segments?
  • Which products or services?
2. VEHICLES: How will we get there?
  • Organic growth?
  • Joint ventures?
  • Franchising?
  • Acquisitions?
3. DIFFERENTIATORS: How will we win?
  • Price?
  • Customisation / differentiation?
  • Product reliability?
  • Image?
4. STAGING: What will our speed and sequence be?
  • In what sequence should our initiatives be undertaken?
  • How fast should we grow?
5. ECONOMIC LOGIC: How should we obtain our returns?
  • Lowest cost through scale advantages
  • Premium price due to unmatchable service?
  • Premium price due to patents or proprietary product features?
To illustrate their model, Hambrick & Frederickson map out the strategy of an international furniture retailer. Can you guess who it is?

ARENAS: Where will we compete?
  • Inexpensive contemporary furniture.
  • Young, white-collar customers.
  • Worldwide.
VEHICLES: How will we get there?
  • Organic expansion.
  • Wholly owned stores.
DIFFERENTIATORS: How will we win?
  • Very reliable quality.
  • Low price.
  • Fun, non-threatening shopping experience.
  • Instant fulfilment.
STAGING: What will our speed and sequence be?
  • Rapid international expansion, by region.
  • Early footholds in each country; fill in later.
ECONOMIC LOGIC: How should we obtain our returns?
  • Economies of scale (global, regional and individual-store scale).
  • Efficiencies from replication.
I’m sure it will come as no surprise to learn that it will take more than answering questions off the top of your head to develop a good strategy. A robust strategy will require the investment of considerable time and effort in analysing your competitors, industry, market trends and customer needs, as well as your own capabilities and capacity. For those who would like to test the quality of their strategy, Hambrick & Frederickson offer six evaluation criteria:
  1. Does your strategy fit in with what’s going on in the environment? Is there a healthy profit potential where you are headed? Does your strategy align the key success factors of your chosen environment?
  2. Does your strategy exploit your key resources? With your particular mix of resources, does this strategy give you a good head start on competitors? Can you pursue this strategy more economically than competitors?
  3. Will your envisioned differentiation be sustainable? Will your competitors have difficulty matching you? If not, does your strategy specifically include a ceaseless regime of innovation and opportunity creation?
  4. Are the elements of your strategy internally consistent? Have you made choices of arenas, vehicles, differentiators, staging and economic logic? Do they all fit and mutually reinforce each other?
  5. Do you have enough resources to pursue the strategy? Do you have the money, managerial time and talent, and other capabilities to do all that you envision? Are you sure you are not spreading your resources too thinly, only to be left with a collection of feeble positions?
  6. Is your strategy implementable? Will your key constituencies allow you to pursue this strategy? Can your organisation make it through the transition? Are you and your management team able and willing to lead the required changes?
Whether you develop your strategy formally or informally, there is no doubt that it will be better for considering each of the five elements. Good luck.

Reference: Hambrick, D.C. & Frederickson, J. W., 2001, ‘Are you sure you have a strategy?’, Academy of Management Executive, 1 October, pp. 48-59.