Defining your IT strategy is a powerful step towards success, yet alarmingly we still find organisations that don’t take the time to clarify what they expect or require from IT. At its simplest, your IT strategy is a statement of how you intend to use IT to support your over-arching business goals. You don’t have unlimited resources to spend on IT, so your IT strategy is there to clarify where you will focus your efforts and, equally important, where you will not.  

In our work with clients formulating and executing on their IT strategies we often see clear trends emerging over time in response to the ever-changing IT landscape. Of course, every company will have their own unique IT strategy, but common patterns can emerge.  

As we work with our clients in preparation for the year ahead, we are seeing the following three themes appearing with consistency.  

Related: Why aligning your IT strategy with business goals is critical for success

User Experience

In response to the pandemic the world of work has changed significantly, and with it how people relate to their employment, the environments they work in, and the tools that they are expected to use. Simply put, user experience has become a critical element in every IT strategy.  

But what does this mean for your organisation? It means that employees are expecting easy-to-use, efficient and user-friendly technology solutions that allow them to do their job effectively from any location. This includes everything from remote working tools to cloud-based collaboration platforms, all accessible as easily from their smartphone as their home office.  

They are also expecting to have fingertip access to the information and expertise that they need, with top-tier training and support services available when required.  

So, as you plan your IT strategy for 2024, make sure that user experience is at the forefront of your decision making and investment plans. Put yourself in the shoes of your employees and consider their daily tasks and interactions with technology – are they seamless, intuitive and empowering? If not, it’s time to make some changes. 

Cybersecurity

As technology continues to evolve and become increasingly intertwined with our daily lives, the risk of cyber-attacks and data breaches has also risen sharply. Cybersecurity is no longer just a concern for IT departments but should be a top priority for every organisation’s IT strategy, with direct board-level oversight.  

A strong cybersecurity plan should include regular security audits, employee training on identifying and handling potential threats, as well as implementing the latest security software and protocols. Importantly in the post-pandemic world, your cybersecurity plan must also consider new ways of working. With many staff now working from home, old ways of securing your organisation may no longer be as effective.  

Cybersecurity is not a one-and-done task, but an ongoing process that must be continuously monitored and updated to stay ahead of potential threats. Make sure that your IT strategy reflects this and allocates appropriate resources to keep your organisation’s data safe and secure. 

AI & Automation

2023 was the year that artificial intelligence hit the mainstream, with the release of ChatGPT throwing the floodgates open. The new-found accessibility of AI is emerging as an inflection point on the longer-term trend of business process automation, with the combination of the two promising significant opportunities.  

AI and automation can streamline processes, improve efficiency, and reduce costs in almost every area of your organisation – from customer service to HR to supply chain management. They can also provide valuable insights and data analysis that humans may miss. As the technology continues to advance, it will only become more powerful and integrated with our daily lives.  

It’s no longer a question of if but when AI and automation will become an integral part of every IT strategy. So, in the year ahead, make sure that you’re keeping up with the latest developments and considering how they can enhance your organisation’s operations and drive growth. 


As we move towards 2024, it’s clear that user experience, cybersecurity and AI/Automation will continue to be pivotal elements of every IT strategy. Organisations must prioritize these areas to stay competitive and meet the evolving needs of their employees and customers. With a strong focus on these essential components, your IT strategy can serve as a roadmap for success in the ever-changing digital landscape.  

Keep in mind, however, that these are just three of many elements to consider when crafting your IT strategy. As technology continues to advance, new challenges and opportunities will arise, requiring organisations to stay agile and adaptable.  

Grassroots IT has many years of experience working with clients to formulate IT strategies that align with business goals and lead to tangible results. If you would like to talk about your IT strategy, contact us today. 

As businesses increasingly migrate to digital platforms, cybersecurity has become a non-negotiable priority. Microsoft 365 leads the way in providing robust security solutions and offers an abundance of features designed to safeguard your business data and systems – but how do you navigate the plethora of options available to ensure that you’re choosing the best security measures for your specific needs without feeling overwhelmed?  Enter Microsoft Secure Score.

Just as the name suggests, Microsoft Secure Score is a built-in tool that not only scores your security posture but also recommends actions for improvement. With Secure Score, enhancing your cybersecurity is no longer a daunting task but a series of quick, actionable wins that will strengthen your defence line further against potential threats. 


What is Microsoft Secure Score?

Secure Score is a free tool that comes with Microsoft 365 that analyses your organization’s security stance based on your unique use of Microsoft 365 services. It provides a numerical score, along with a detailed breakdown, of how well you are implementing the recommended security controls. Quite simply, the higher your Secure Score, the lower your risk level.  

Secure Score monitors Identity, Apps, Data, and Devices in Microsoft 365, helping you to report on the current state of your security posture, to identify improvements through its guidance, visibility and controls, and to compare yourself against similar sized organisations. 

Importantly, it does not simply focus on one specific area of security in your Office 365 environment. Instead, it looks at all products available under your current licensing and provides recommended actions across multiple areas. Recommendations are presented in an easy-to-understand dashboard, grouped by product, and sorted by the impact the recommended change will have on improving the security of your Microsoft 365 environment. This approach makes it easy to focus your efforts in the right area and avoid spending unnecessary time on actions that won’t move the needle as much.  

Key features of Secure Score

Key features of Secure Score include: 

Security Recommendations 

Secure Score provides actionable security recommendations tailored to an organization’s specific environment. These recommendations cover areas like identity and access management, data protection, threat detection, and more. 

Point-Based Scoring 

Each recommended security improvement comes with a point value. By implementing the recommendations, your organization can earn points and increase your Score. 

Comparison and Benchmarking 

Secure Score allows you to compare your security posture with industry benchmarks and similar organizations. This feature provides valuable insights into how well you are performing relative to your peers. 

Threat Intelligence Integration 

The tool integrates with Microsoft Threat Protection, offering real-time threat intelligence and helping you stay ahead of emerging threats. 

Historical Tracking 

The system maintains a historical record of progress, enabling you to visualize your security journey and measure improvements over time. 

Why use Microsoft Secure Score?

Microsoft Secure Score provides high impact recommendations to improve your cybersecurity posture, usually requiring little or no additional expense. Rather than requiring new and additional security services, Secure Score simply helps you to make the most of the features that you already have access to within the Microsoft 365 platform.  

Importantly, Secure Score may help you reduce your cyber-insurance premiums. With cyber-insurance becoming a vital piece of any cybersecurity strategy, many insurers are now recognising the value of Microsoft Secure Score and factoring it in when calculating insurance premiums. Improve your Secure Score and you can potentially reduce your cyber-insurance premiums.  

Not only that, but if your organisation aligns with one of the recognised cybersecurity frameworks, such as the Essential Eight, improving your Secure Score can also positively impact your alignment with your chosen framework.  

Using Microsoft Secure Score

You can find your Secure Score in the Microsoft Defender Portal. Navigating the portal is quite intuitive, allowing you to focus on the insights and recommendations provided. Importantly, each recommended action also provides details on how the action will impact your security standing, along with any potential user impact.  

Recommendations may range from reviewing an existing policy to implementing changes that may have a significant impact on users completing everyday tasks. As with all such changes, it’s important that you carefully assess the recommendation and consider the potential impact on operations.  


Reporting and Tracking with Secure Score

When embarking on a process of change, it’s important to measure and demonstrate progress over time. Thankfully the Secure Score portal provides a historical view of your organisation’s score over the last 90 days, with a trend line that makes sudden changes easily visible. A list of recommended actions is also shown, indicating when each action changed and whether points were gained or lost, so that you can understand any sudden change in score. 

The Secure Score dashboard shows different metrics and trends, where an action may have regressed, recent decreases, points achieved, along with a comparison against similar sized organisations. Metrics and trends can be shown over 7, 30, & 90 days or using a custom date range and can be filtered based on the 4 main categories Secure Score applies against.  


Safely Implementing Changes (without the drama)

Unfortunately, there are too many stories of (easily avoided) problems being created when security changes are made without proper consideration. One story that we’ve heard too many times is when an over-enthusiastic sysadmin has enabled multi-factor authentication or conditional access policies within Microsoft 365 without properly preparing the organisation – thus effectively locking many, if not all, staff out of the system. Problems like this are easily avoided though, with appropriate forethought and planning.  

For many clients we find that an effective approach is to develop a roadmap of changes based on the Secure Score recommendations, and then progressively work through these changes over a period of weeks, reviewing improvements in their Secure Score as they go. Some changes may be quick and easy to implement, while others may require more careful management, such as technical change control and user training. By approaching this as a progressive roadmap of smaller actions you can ensure ongoing improvement while managing the risk of disruption.  

How we improved both user experience and security with Secure Score

Grassroots IT recently helped a mid-sized non-profit organisation that was struggling with their systems. They reported an inconsistent user experience across their tenant, no defined settings for users when accessing systems, and users who didn’t trust that they could easily access Office 365. When a review was conducted of the organisation’s Secure Score, it was immediately apparent that there were problems with both Identity and Apps within their tenant.  

Utilising the recommended actions in Secure Score, Grassroots IT was able to implement multiple changes to their environment that made the user experience easier while also improving their overall security posture. Some of these changes included simplifying the user login process, enabling self-serve password recovery and using a single authentication service for apps. At the same time, multifactor authentication was enabled for all users, and appropriate policies were implemented to protect users from malicious content and emails, significantly improving their Secure Score and security posture.  

Additional Resources

Microsoft Secure Score is a powerful tool for improving the security of your Microsoft 365 environment. To learn more, speak to us today, or explore some of these additional resources.  

In a post-pandemic world, flexible working arrangements have become the norm for many. Where working remotely was previously the exclusive domain of salespeople and on-site consultants, these days an office full of staff seems a rare sight, with online meetings commonplace.

While the long-term future of work is still unclear, it’s fair to say that remote working in some form is here to stay, bringing with it new challenges for business leaders, not least of all those tasked with cybersecurity. Old approaches to securing the organisation’s digital assets have been rendered outdated, while new, unforeseen risks have emerged almost overnight.

So, what are the most pressing cybersecurity risks with a remote workforce, and how do you ensure the ongoing protection of your business in light of these changing threats?

Understanding the risks

The various tools and techniques that cyber criminals employ to attack those working from home are generally no different to those used elsewhere. However, in a work-from-home context some threats are greater than others and can pose unique challenges. Here are three of the highest risk cyber-threats for staff working from home.

Phishing & other scams

Phishing and other such scams are fraudulent attempts to obtain sensitive information from users, such as usernames, passwords and credit card details, usually by sending fake emails purporting to be from a known, trusted person or brand. WFH users are often more vulnerable to such attacks as they may not have the same level of active awareness as others, may use personal email accounts alongside work email, and may not have ready access to corporate security tools and support.

Read more: How to identify a phishing email

Device security

Device security refers to the protection of physical computing devices, such as laptops, smartphones and tablets against unauthorised access which would in turn give cybercriminals access to confidential corporate information. This is of particular concern with staff working from home as physical security of devices is likely to be less than in an office environment, particularly when others have access to the same work environment at home.

Home workers are also more likely to use personal computing devices rather than business supplied devices, with or without explicit permission to do so. Personal devices are likely not configured with the same security controls as company-owned devices, nor actively monitored, managed or updated with the latest security updates.

Data leakage

Data leakage is the unauthorised transmission of data from within the company to an external destination or recipient, whether intentionally or otherwise. Users working from home are likely to use a poorly secured home network, have inadequate access controls in place around confidential information, and may even use personal cloud services instead of, or alongside approved company services, all of which pose the very real risk of leaking important company information.

Implementing Solutions

The good news is that there are proven strategies for effectively mitigating each of these threats in a work-from-home scenario.

Cloud Platforms

Cloud platforms such as Microsoft 365 are by nature designed to support remote working. It doesn’t matter whether you are physically in the office, at home or on a client site: the way you access a cloud service, and the security controls available, are the same. This makes cloud platforms a better, and potentially more secure, option for supporting home-based workers than traditional infrastructure solutions.

Device Management

Ensuring the security of physical devices at home presents a unique challenge best addressed by strong policy. A work-from-home policy must enforce the use of company-owned devices only, enabling the deployment of strong security controls to the device such as patch management, managed detection & response agents and data encryption. The policy must also discuss the physical security of devices, the use of automatic screen locking and immediate mandatory reporting if a device is misplaced.

It is worth briefly mentioning the topic of Bring-your-own-device (BYOD), whereby staff may use their own devices to access corporate systems. Allowing for BYOD is a perfectly valid option; however, please be aware of the security implications of such a policy and adjust accordingly.

Employee training

A strong culture of cybersecurity awareness can be one of your most effective defences against security breach and data loss, and especially so when staff work from home. Users must be well versed on recognising threats such as phishing emails and how they should respond. They should also be clear on all relevant policies and understand the importance of compliance.

Read more: Building a culture of cybersecurity awareness in your business.


The post-pandemic work-from-home movement is here to stay, with undeniable benefits for many people. It does however bring with it unique cybersecurity risks that the organisation must proactively address to avoid inadvertently allowing cyber criminals access to corporate systems.

Grassroots IT is well versed in helping our clients support their home-based workers with secure, scalable systems. For help protecting your remote workers contact us today.

In the digital age, cybersecurity has become a critical concern for businesses of all sizes. However, there are numerous misconceptions surrounding this complex field that can lead to complacency and, ultimately, vulnerability. In this post, we debunk ten of the most common cybersecurity myths that could be putting your business at risk.

Myth 1: My business is too small/boring to be attractive to hackers

Every business, regardless of its size or industry, is a potential target for cybercriminals. Small businesses often fall into the trap of believing they’re too insignificant to attract attention. However, hackers often target smaller businesses precisely because they tend to have weaker security measures in place. With many cyber-attacks launched at scale (e.g. phishing emails), the incremental cost to hackers of targeting your small, boring business is negligible, yet the potential pay-off can still be significant.

Myth 2: My data is safe in the cloud

While cloud storage providers implement robust security measures, it doesn’t mean your data is invincible. Cybercriminals have been known to breach cloud security, and human errors can also lead to data exposure. It’s crucial to understand the shared responsibility model of cloud security and ensure you’re doing your part to protect your data. The cloud providers provide the platform, and the means to secure your data, but ultimately the responsibility for doing so is yours.

Read more: 5 Critical Questions to Ask About Your Microsoft 365 Security

Myth 3: My Data is safe on my own server

Storing data on your own server doesn’t automatically make it safe. Without proper security measures in place, your server can be just as vulnerable as any cloud service. Regular updates, patches, and strong access controls are essential to protect your data (many of which are automatically done for you in the cloud).

Myth 4: Cybersecurity is my MSP’s responsibility

While your IT department or MSP plays a crucial role in implementing and maintaining security measures, cybersecurity is everyone’s responsibility from the bottom of the org chart all the way to the board. A commitment to cybersecurity must be led from the top, with company directors holding particular responsibilities for protecting the organization’s digital assets.

Read more: 5 questions board members need to ask about cybersecurity

Myth 5: My team works from home, so security is their responsibility

Remote work has blurred the lines of responsibility for cybersecurity. However, as an employer, it’s your duty to provide secure systems and training to your employees. This includes secure communication tools like Microsoft Teams, and guidelines on safe online practices.

Myth 6: Cybersecurity is too expensive

With the average cost of a data breach in Australia reaching $4.4 million, the cost of a breach can far outweigh the investment in cybersecurity. While implementing robust security measures may require an upfront investment, this can be far less costly than the potential financial and reputational damage caused by a breach.

Myth 7: I’ll know if my systems have been hacked

Many breaches go undetected for months, or even years. Cybercriminals often aim to infiltrate systems without detection, stealing data or causing damage over time. Regular system audits and monitoring are essential to detect and respond to breaches promptly.

Learn more: 24×7 peace of mind with managed detection & response

Myth 8: My staff are too smart to get hacked

Even the smartest individuals can fall victim to sophisticated cyberattacks. Phishing attacks, in particular, have become increasingly convincing and can easily trick unsuspecting users. Regular training and awareness are crucial to equip your staff with the knowledge to identify and avoid such threats.

Read more: Building a culture of cybersecurity awareness in your business

Myth 9: Strong passwords are enough

While strong passwords are a fundamental part of cybersecurity, they’re not a panacea. Multi-factor authentication (MFA), secure network connections, and regular software updates are just as important in protecting your systems.

Myth 10: We only need to protect against external hackers

Insider threats, whether malicious or accidental, are a significant risk. Employees can inadvertently cause a breach by clicking on a malicious link or misconfiguring a database. Regular training, strict access controls, and monitoring can help mitigate this risk.

Cybersecurity is a complex field that requires a proactive and informed approach. In the realm of cybersecurity, complacency can be your biggest enemy. Grassroots IT are cybersecurity experts, ready to help secure your business against cyber criminals. To see how we can help, speak with us today.

Microsoft Office 365 is built from the ground up to be a highly secure platform, but that doesn’t necessarily mean that your own Office 365 environment is configured securely. There are numerous different ways that organisations can use Office 365, and just as many ways that it can be configured.

Ultimately the responsibility for securing your Office 365 environment, and the information and data stored in there, rests with you. Microsoft provides the platform and the means, but it’s up to you to consider your unique situation and ensure that appropriate security measures are taken.

So how do you know if your Office 365 environment is secure? Every organisation is different, and with so many ways of using and securing Office 365 there is no one-size-fits-all solution. The good news is that there are some well-established best-practices that can significantly strengthen the security of your environment.

Here are five critical questions that you need to ask about your Office 365 security to ensure that you’re properly protected.

#1. What Microsoft Office 365 plan do we use?

Let me start by saying that Microsoft has a frustrating habit of changing product names and bundles regularly, which can lead to some confusion. So, for the sake of clarity, let me share a bit of history with you.

First there were the Office 365 plans, offering a suite of products such as Word, Excel, Email and Teams. Then Microsoft added a whole new line of plans called Microsoft 365, which included all the things from Office 365, plus added a whole lot more, mainly to do with security and governance. Then more recently the Office 365 name has been retired entirely, leaving only Microsoft 365 plans to choose from. If you were using Office 365 plans before these changes happened, you will still be on those same Office 365 plans now.

It’s important to understand which Microsoft Office 365 plan you subscribe to, because not all of them have access to the better security features. For most organisations, we recommend that you subscribe to the Microsoft 365 Business Premium plan, or for some larger organisations, the enterprise level Microsoft 365 E3 or Microsoft 365 E5 plans. The important services that are included in these plans (but not the lower plans) are Azure Information Protection and Intune, both of which bring a range of security and data governance capabilities to your environment.


Review all your Microsoft Office 365 subscriptions and consider upgrading any that are not Microsoft 365 Business Premium, E3 or E5 so that you can take advantage of the better security and governance capabilities.

#2. What’s our Microsoft Secure Score?

Microsoft Secure Score is a rating of your organisation’s Microsoft 365 security posture, compiled from a range of configurations, metrics and various other data points, depending on what Microsoft 365 plan you subscribe to, and what services you use. The higher the number, the more secure you are.

In addition to a numeric score, the Secure Score dashboard will also provide actionable insights and prioritized recommendations tailored to your unique needs. By following these recommendations, you can progressively improve your Secure Score and strengthen the security posture of your Microsoft 365 environment to provide better protection for your confidential data.


Review your Secure Score and progressively implement the recommendations to improve your score.

#3. Is Multi-factor Authentication enabled on all our Microsoft 365 accounts?

Multi-factor authentication (MFA) is an authentication method that requires a user to provide two or more verification factors to prove their identity and gain access to your Microsoft 365 environment, most often a password plus a unique code provided by a separate app.

Despite being one of the most effective cybersecurity measures you can implement in your Microsoft 365 environment, MFA is not always enabled by default or enforced across all accounts. The important point to remember is that your security is only as strong as the weakest link, so for MFA to be most effective it must be enforced on all accounts in your Microsoft 365 environment, not only some of them.


Review all accounts in your Microsoft 365 environment and enable MFA where necessary. Configure Microsoft 365 to enforce MFA on all accounts by default.

Read more: 3 reasons you need to enable Multi-factor Authentication (MFA) today

#4. Are we using dedicated Microsoft 365 admin user accounts?

Every Microsoft 365 environment has one or more “admin” user accounts. These accounts possess elevated privileges that allow them to perform sensitive tasks such as changing system settings and accessing data anywhere across the environment. These admin privileges can be seen as the “keys to the kingdom”, and if allowed to fall into the wrong hands can be exploited to cause significant damage.

User accounts used for everyday tasks such as checking email and editing work documents should never be granted such elevated admin privileges, so as to reduce any potential harm should the account be compromised. Instead, dedicated “admin” accounts should only ever be used for duties requiring elevated security privileges.

Not only does this approach reduce the risk of accidental changes or security breaches, but it also makes it easier to monitor and audit admin account activity, improving accountability and traceability of any suspicious actions taken within your Microsoft 365 environment.


Review all user accounts in your Microsoft 365 environment for elevated admin privileges and remove such privileges in favor of dedicated admin accounts.

#5. How are we monitoring for suspicious activity within Microsoft 365?

Even with a well secured Microsoft 365 environment, ongoing monitoring and alerting of unusual activity is important for the prevention of a full-blown security incident. Monitoring can help identify a range of suspicious activities, such as multiple failed login attempts, unusual data access or transfers, and changes in user permissions. These could be signs of a brute force attack, data breach, or insider threat.

Moreover, monitoring isn’t just about detection, it’s also about response. When you spot suspicious activity, you can quickly investigate, take corrective action, and learn from the incident to strengthen your defenses.


Ensure monitoring is configured within your Microsoft 365 environment, and alerts are sent to the most appropriate person to take action as required.

Microsoft 365 is a highly secure platform, but that doesn’t mean that your organisation’s Microsoft 365 environment is secure by default. Microsoft provides the means, but ultimately, it’s up to you to ensure that your environment is secured appropriately, and that starts with asking the right questions.

If you have questions about your Microsoft 365 security, Grassroots IT can help. Speak with us today.

What is Cybersecurity Awareness?

Cybersecurity awareness is the level of understanding and mindfulness that people in your organisation have of the various cybersecurity threats that they may face, and how they should best respond.

A shocking 82% of all data breaches involve some human element, such as social engineering or through plain old human error and misuse. What this tells us is that people – our staff, suppliers and partners – can not only be the weakest link in our cybersecurity posture, but also offer the greatest potential to help protect against cyberattack.

Cybersecurity awareness is the lever that we must use to shift our people from being our biggest cyber-risk to being our strongest line of defence.

Why is Cybersecurity Awareness important?

With the average cost of a data breach in Australia reaching $4.4 million, cybersecurity attacks pose a very real and present threat to organisations of all types. Cybersecurity frameworks such as the ACSC Essential Eight and the NIST CSF can help us with strategies and security controls to help mitigate these risks, but technical controls can only help so far.

With the statistics clearly showing that the human element plays a major role in the effectiveness of our defences, we ignore cybersecurity awareness at our peril.

How to build a culture of cybersecurity awareness

Intentionally building any culture takes time, commitment and consistency to create and reinforce the behaviours that we wish to see in our organisation. Building a culture of cybersecurity awareness is no different.

Here are five practical ways to engage your organisation and build the cyber-aware culture you need.

Secure leadership buy-in

Culture is led from the top and cybersecurity awareness is no different. All organisations look to their leaders to set the direction for the company not only through explicit statements, but also through implicit and implied messaging. Leaders must be seen to embrace the importance of a cybersecurity aware culture, and to lead by example.

Securing leadership buy-in can be helped by:

    • Taking a holistic view of the organisation, of which a cybersecure culture is merely one piece.
    • Connecting a cyber-aware culture to the company’s strategy, goals and aspirations.
    • Clearly communicating the business case for strong cybersecurity awareness.

Promote robust policies, procedures and best practices

Robust cybersecurity policies and procedures are at the heart of any cyber-secure organisation. Policies and procedures must walk the fine line between protecting the organisation and being overly restrictive on how staff may go about their work. Too lenient and they may be ineffective – too stringent and staff satisfaction and productivity may suffer.

Policies and procedures should be promoted regularly to keep them top of mind with staff, along with examples of best practice responses to various likely scenarios.

Some common ways of promoting cybersecurity policies and best practices can include:

  • Ensure policies and procedures are clear, actionable and easily accessible to all staff.
  • Download, print and share posters and resources promoting cybersecurity best practice.
  • Communicate examples of real-world cybersecurity threats, and best practice responses through internal communications channels.

Conduct regular cybersecurity training

Regular cybersecurity training will not only keep cybersecurity top of mind and reinforce best-practice threat response, but it will provide an avenue for keeping staff updated on the latest cyber-threats they may face. The challenge of course is to keep training engaging and effective.

You might like to consider these ideas for delivering engaging cybersecurity awareness training:

  • Mix up the format of delivery between online, in-person and self-paced.
  • Keep training sessions short, high energy and with a clear take-away message.
  • Consider bringing in an external trainer to inject new ideas and energy.

Schedule simulated cyberattacks

Research has shown simulation-based cybersecurity awareness training to be the most effective when compared to other methods such as instructor-led training (a close second place) and online delivery. Simulations may be run periodically to quantify the level of cybersecurity awareness in the organisation and identify improvement over time.

[Table: comparative effectiveness of cybersecurity awareness training methods, courtesy of ISACA.org]

In practice, the most common form of simulated cyberattack is referred to as “Friendly Phishing”, whereby staff are sent a fake phishing email to see how they respond. Those who are successfully tricked by the fake phishing email are immediately shown the error of their ways and are offered a brief online training snippet to educate them on how they could have identified the threat in time, and what a more appropriate response would have been.

Be consistent and stay informed

When impacting any organisational change, it is important to be consistent both in the message and the delivery. Be clear up front what you want your cybersecurity culture to look like and ensure that all key stakeholders are aligned and have the tools available to drive the necessary change.

Organisational culture requires ongoing stewardship. It takes time to establish the culture that you want, and ongoing vigilance to keep it strong. Maintaining an effective culture of cybersecurity awareness is an ongoing process, not a once-off activity.


Cybersecurity awareness presents both the biggest threat and the largest opportunity to your organisation’s cybersecurity posture. A poor level of awareness will leave you exposed to attack, regardless of what technical security measures you may have in place. A culture of high cybersecurity awareness on the other hand will be your strongest line of defence in protecting your company.

With new and evolving cybersecurity threats emerging almost daily, the risk to business is greater than ever, with a 2022 study by IBM reporting that the average cost of a data breach in Australia is now $4.4 million. The good news is that this is less than the global average of $6.2 million. The bad news is that the escalation of cybersecurity threats shows no sign of slowing anytime soon.

So, the question is, how do you keep your organisation safe in such a hostile cyber environment? The best place to start is by educating yourself on the nature of cybersecurity risks and the options available to help mitigate them.

In this post we discuss the top five cybersecurity threats to be aware of in 2023. These are the most common threats that we see in our work helping clients to both mitigate these risks and respond to incidents.

Phishing

Phishing is one of the most common forms of attack whereby fake emails are sent purporting to be from sources familiar to the target, such as the Commonwealth Bank, Australia Post or Microsoft. The goal of phishing is to trick individuals into granting access to secure systems by either handing over password details or allowing the installation of malware onto their computer. Once the attacker has gained access to company systems, they may explore and plan their next steps undetected.

Protecting against Phishing

There are several ways to protect your organisation against phishing attacks, such as:

  • Multi-factor Authentication: Even if an attacker obtains password details, MFA will still protect the user account. Most modern applications support MFA natively, but it may not be enabled by default. For applications that do not support MFA, or for more complex requirements, add-on MFA solutions are available.
  • Email filtering: Effective email filtering will stop a large portion of phishing emails before they even reach employee inboxes. All of the major email platforms such as Microsoft Office 365 come with a basic level of email filtering, with more advanced filtering available as required.
  • User education: Employee cyber-awareness is critical to recognising and not engaging with phishing attacks. An educated workforce is an extremely effective risk mitigation strategy.

Business Email Compromise

Business email compromise is a strategy used by attackers to defraud a target company, employed once they have gained access to secure systems via other means. With access to company systems, they will gather information regarding financial processes, payment systems and client relationships. They will monitor email communications to learn who in the organisation has financial authority and the language and methods that they use to communicate.

Once they have the information that they need, attackers will then seek to deceive employees, clients and business partners into making payments to their bank accounts rather than genuine ones. These fraudulent requests for funds can be difficult to identify and lost funds can be challenging to trace and recover. The potential for direct financial loss through business email compromise is significant.

Protecting against Business Email Compromise

There are several ways to protect against Business Email Compromise, such as:

  • Multi-factor Authentication: MFA is an effective defence against many user account attacks, helping to protect account security even in the event that a password is compromised.
  • User education: Employees involved in financial transactions must be particularly vigilant for potential threats and take all necessary precautions.
  • Verification processes: Secondary verification (such as a phone call) on all financial transactions and change of detail requests can help to identify attempted fraud before it’s too late.

Social Engineering

Cybercriminals will often seek to gain the trust of their targets in order to elicit the information that they need to breach secure systems. Any form of social interaction with the malicious intent of gaining access to secure systems can be considered social engineering. A common approach is to create fictitious personas on social media which are then used to establish fake relationships with potential victims and trick them into allowing access to company systems.

Protecting against Social Engineering

Strategies to mitigate the risk of Social Engineering can include:

  • User education: All employees should be trained to identify potential social engineering threats and to respond accordingly.
  • Endpoint protection: All computers should be protected with advanced endpoint protection software to detect and block the installation or execution of malicious software.
  • Multi-factor Authentication: MFA provides an effective defence against user account breach even in the event of a password being compromised.

Ransomware

Ransomware is a particular form of malicious software (aka malware) that, once active within a computer system, will encrypt critical data, rendering it inaccessible until a ransom is paid. Unfortunately for some business owners, even when a ransom is paid, access to the data is not always restored. Ransomware is responsible for some of the largest and highest profile security incidents in recent times. A ransomware attack can be devastating to any organisation, grinding operations to a halt.

Protecting against Ransomware

All forms of malware including ransomware can be mitigated with strategies such as:

  • Endpoint protection: All computer systems must be protected with advanced endpoint protection software.
  • System updates: Computer systems without up-to-date software and operating systems are a common weakness that attackers can exploit.
  • Isolated backups: Not only should backups be monitored and tested regularly, but a copy should be stored separately and unattached to the main systems to prevent attackers from being able to compromise the backups as well.
  • User education: Human error is a common factor in many malware infections. Training employees to recognise a potential malware infection and respond accordingly is critical.

Supply Chain Attack

A supply chain attack is a form of cyber-attack that targets an organisation indirectly via less secure partners in their supply chain, most commonly software vendors. The malicious actors look to compromise a particular software application which, once deployed in the target organisation’s network, will then allow unauthorised access to company systems.

Although not strictly a supply chain attack, it’s worth noting the importance also of supply chain cyber-resilience. An attack on your supply chain may prove to be just as disruptive as an attack through your supply chain.

Protecting against Supply Chain Attack

  • Risk management: Include Supply Chain in risk management plans, including disaster recovery and cybersecurity incidents.
  • Least trust security: Limit supplier access to the minimum required.
  • Vendor security requirements: Incorporate clear vendor security requirements into supply agreements.

Watch our free on-demand webinar now: Managing the risk of supply chain attack


Cybersecurity starts with an understanding of the threats that your organisation may face, and the options available to you to mitigate those risks. From there you can prioritise and focus your cybersecurity efforts with confidence.

For help protecting your business, speak with one of our cybersecurity experts today.

Effective cybersecurity is as much about policy & governance as it is about tools and technology, however knowing where to start with these things can be challenging. In this post we have compiled a list of useful cybersecurity policy resources to help you build and enhance your cybersecurity governance.

Australian Cyber Security Centre

The Australian Cyber Security Centre (ACSC) is an initiative of the Australian government’s Australian Signals Directorate. The website contains a wealth of resources for both individuals and organisations, including alerts for new security threats, and the ability to report a cybercrime or security incident.

ACSC Homepage

Essential Eight Maturity Model

The Australian Cyber Security Centre (ACSC) has developed extensive strategies for the mitigation of cyber security incidents, with the most effective of these labelled The Essential Eight. Not only is the Essential Eight an excellent initiative for every business, Essential Eight compliance is also fast becoming a mandatory requirement for many tenders, contracts and cybersecurity policies.

Essential Eight Maturity Model

Key questions for an organisation’s board of directors

The Australian Securities & Investments Commission has compiled a list of key questions for board members to consider. Topics include risk management framework, identifying cyber risk, and incident response awareness.

Key questions for an organisation’s board of directors | ASIC

Create a cybersecurity policy

The Australian government Business website provides an excellent quick-start guide to creating your own cybersecurity policy. Of course every policy will be unique to your own organisation, but this guide provides an excellent template to get you started, including sections such as:

  • Password requirements
  • Social media access
  • Incident response planning

Create a cyber security policy

University of Queensland Cyber Security Policy

The University of Queensland has published its own Cyber Security Policy which provides an interesting real-world example of such a policy. Although of course uniquely crafted for the university’s own purpose, it does provide a useful example of how such a policy can be shaped.

Cyber Security – Policy – Policies and Procedures Library – The University of Queensland, Australia

It is a common understanding that passwords are supposed to protect our accounts. But how much does your designated password protect you and your information? If the bad guys come hacking into your personal and corporate accounts one day, how sure are you that it’s going to be a tough job for them? Let us help you assess how easy it is for a hacker to take a quick guess of your password.


Your password is your first line of defense from wrongdoers in the digital world. And yet, it is something that we often overlook and take for granted. When was the last time you spent a dedicated amount of time thinking about what password to use for a new account? We often just use a single password across all of our accounts to save time and effort. Am I right? This is a definite no-no! Using a single password for all accounts just makes a hacker’s job much easier. So what is the best way to manage passwords and protect your accounts?

In order to plan for an effective account protection strategy, let’s start with a rundown on how hackers guess passwords:

1. Wild guess

Although you can’t really call it ‘wild.’ These hackers are trained to squeeze the juice out of your public information just to get a list of sophisticated guesses at your password. They use sophisticated programs and procedures to ultimately catch that one ticket into your personal data.

2. Shoulder Surfing

Sadly there are lurkers who discreetly stick their heads out from behind your shoulder as you type in your password, prying on what you type and browse. Don’t underestimate them – always be cautious of who can see your information in your surroundings.

3. Dictionary-based attacks

There are some hackers who are so hard working that they would endure matching your personal data with every word in the dictionary. Yes, they exist. They would browse through every possible word to partner with, for example, your birth month, in order to guess your passwords.

4. Phishing

Be careful of strange emails that you find in your inbox – this might be a phishing attack. They might be schemes sent by scammers who are trying to lure you into clicking and opening malicious files that intend to steal your personal information. As of October 2018, phishing activities have already cost victims $47,676 this year (source: So beware of being tricked into opening an email about winning a brand new car and clicking on links.

5. Brute-force Attack

As the label implies, it’s a pretty vicious attack on your accounts. All the hacking techniques mentioned above are used on your account to track your keystrokes and eventually get whatever important data can be stolen from you.

Knowing these hacking strategies and your current password choices, can you confidently say that your accounts are safe? Now that you already have an idea how cyber criminals do it, here are some ways on how you can minimise your risks: 

Password Security Tips

1. Create a password with at least 8 characters.

I know people will usually recommend starting at 6, but it wouldn’t hurt to add in two more characters if it means increasing your security, because nowadays the longer your passcode is, the more time a hacker needs to spend cracking their way into your account.

2. Make use of a variety of lowercase and uppercase letters, numbers and special characters.

To make it harder to track and follow your keystrokes, you might want to utilise as many letters and characters as you can.

3. Never use your personal data in your password. Remember how hackers can ‘guess’ well?

Remember that most of the time, the people who are trying to hack their way into your account already know enough about you. Don’t use a word or phrase that can be obviously related to you.

4. It’s better if you don’t use real words.

What I mean by this is that you can use words that are hard to “guess” and identify. Maybe use that one phrase you came up with in primary school that nobody understood.

5. Make random patterns that hackers will have a hard time following.

Hackers can track your keystrokes in order to decipher which letters or characters you are constantly using. Making your password random can help minimise the risk of getting your usual password input tracked and followed by cyber criminals. 
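The five tips above can be turned into an automated check. The checker below is an added example written for this page, not a tool from the original post; the personal-data list, the small dictionary and the keyboard runs are constructed sample data, and the 1e10 guesses-per-second rate is an assumed figure for illustrating why length matters.

```python
import math
import re

# Constructed sample data (not from the original post).
PERSONAL_DATA = ["alice", "smith", "1987", "june", "fluffy"]  # name, surname, birth year/month, pet
DICTIONARY = {"password", "welcome", "summer", "dragon", "monkey", "letmein", "football"}
KEYBOARD_RUNS = ["qwerty", "asdf", "zxcv", "1234", "abcd"]  # predictable keystroke sequences
CLASS_PATTERNS = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^a-zA-Z0-9]")


def charset_size(pw: str) -> int:
    """Size of the character pool the password draws from (tip 2: variety)."""
    sizes = (26, 26, 10, 33)  # lowercase, uppercase, digits, printable ASCII punctuation
    return sum(size for pattern, size in zip(CLASS_PATTERNS, sizes) if re.search(pattern, pw))


def estimated_bits(pw: str) -> float:
    """Upper bound on brute-force entropy: log2(pool ** length). Real guessing is cheaper."""
    size = charset_size(pw)
    return len(pw) * math.log2(size) if size else 0.0


def brute_force_seconds(pw: str, guesses_per_second: float = 1e10) -> float:
    """Average time to exhaust half the keyspace at an assumed guessing rate (tip 1: length)."""
    return charset_size(pw) ** len(pw) / guesses_per_second / 2


def has_repeated_pattern(pw: str) -> bool:
    """Tip 5: flag a password that is one short chunk repeated, e.g. 'abab' or 'Pass1Pass1'."""
    n = len(pw)
    for chunk in range(1, n // 2 + 1):
        if n % chunk == 0 and pw[:chunk] * (n // chunk) == pw:
            return True
    return False


def check_password(pw: str, personal_data=PERSONAL_DATA) -> list:
    """Return the tips the password violates; an empty list means it passes all five."""
    low = pw.lower()
    failures = []
    # Tip 1: at least 8 characters
    if len(pw) < 8:
        failures.append("tip1:length")
    # Tip 2: variety of character classes (require at least 3 of the 4)
    if sum(bool(re.search(p, pw)) for p in CLASS_PATTERNS) < 3:
        failures.append("tip2:variety")
    # Tip 3: nothing an attacker could learn about you from public information
    if any(item.lower() in low for item in personal_data):
        failures.append("tip3:personal_data")
    # Tip 4: no real dictionary words (a dictionary attack tries each of these)
    if any(word in low for word in DICTIONARY):
        failures.append("tip4:dictionary_word")
    # Tip 5: no repeated chunks or keyboard runs that make the pattern easy to follow
    if has_repeated_pattern(pw) or any(run in low for run in KEYBOARD_RUNS):
        failures.append("tip5:pattern")
    return failures


if __name__ == "__main__":
    for candidate in ["alice1987", "Password1!", "abab", "Xk7#q9Lm!v"]:
        print(f"{candidate!r}: {check_password(candidate) or 'OK'}, "
              f"~{estimated_bits(candidate):.1f} bits, "
              f"~{brute_force_seconds(candidate):.2e} s to brute force")
```

The bit estimate is an upper bound: a password that fails tips 3 to 5 is found far sooner by a targeted or dictionary attack than by exhausting the keyspace.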

You can also have a look at an infographic of an anatomy of a secure account to have a more comprehensive view of how you should be securing your accounts.


Don’t take your password for granted and take the easy way out, rather than thinking of a good one. And if you’re like me who tends to forget anything (and everything), including passwords, there are tons of useful tools and apps that you can use to store your precious security passcodes.

Here are some of the more well known password management programs.

1. LastPass

One of the top entries on any list of the best password managers. It features advanced hashing that provides a secure haven for your passwords. It runs across a wide range of operating systems and is free of charge unless you want to buy a Premium subscription. The free version is not bad at all, with a two-factor authentication feature and a robust password generator.

2. Dashlane

Aside from keeping your passwords safe, Dashlane also has a feature called digital wallet where you can safely manage your credit card information so you can securely make online purchases. It also allows you to sync your data to the cloud so you can access your passwords wherever you are.

3. Sticky Password

It is one of the most user-friendly password applications on the market. It may look a little outdated but works as well as the others already mentioned. It provides secure management for an unlimited number of passwords. It is free of charge; upgrading to premium lets you sync your data across different devices.

4. Bitwarden

It is open source software (which means it’s free!) that features two-factor authentication, end-to-end encryption and unlimited syncing to multiple devices. It also boasts a password generator and runs on multiple operating systems.

At Grassroots IT, we recommend that the BEST way to protect your accounts is using Multi Factor Authentication (MFA), so that even if the hackers guess your passwords, they still need a real-time authenticator to get into your accounts. Read more about that over here.

It can be easy to overlook such a thing as your account passwords but we really do live so much of our lives online these days, that it’s become increasingly important to be vigilant about protecting our personal information and corporate data. If you need any help setting up some additional security for your personal accounts, don’t hesitate to make a time with us.


CEOs play a vital role in protecting their business from cybersecurity attack, however for many CEOs the world of cybersecurity leaves them feeling confused and vulnerable. This is perfectly understandable given the complex and rapidly changing nature of security threats facing all organisations. So how does a CEO properly secure their business? The good news is that there is no need to become a cybersecurity expert. Here are our top 5 cybersecurity tips for CEOs to help their organisation stay safe from attack.

#1. Get board level buy-in for cybersecurity

In the past, cybersecurity was a technical IT responsibility. However, cybersecurity has been developing more into a business driver rather than a technology issue for some time. That’s why it’s important to ensure board level buy-in and support.

The main ways that CEOs can gain buy-in from their board are:

  • Quantifying the company’s cyber risk based on budgets
  • Defining a clear return on investment (ROI)

#2. Have a cybersecurity plan

A cybersecurity plan is something every staff member, at every level, must be aware of. This means that if a breach occurs, everyone knows what to do.

A cybersecurity plan should include:

  • Security policies, procedures, and controls required to protect the company
  • An outline of the specific steps to take to respond to a breach

This plan can also be called a ‘Crisis Management Plan’, which you can learn more about in our blog ‘5 questions board members need to ask’.

#3. Don’t skimp on your cybersecurity budget

Cybersecurity is not a one-size-fits-all kind of investment. Many companies – especially SMEs and start-ups – struggle to make the right security choices. Yet choosing cheaper options will end up costing more in the long term.

Cybersecurity is more than just having anti-virus software in place. The best cybersecurity measures are outlined in the Essential Eight Framework, as identified by the Australian Cyber Security Centre.

Essentially, your cybersecurity needs to cover:

  • Prevention/protection from an attack – aimed at preventing malware delivery and the execution of malicious code
  • Limiting the extent of an attack – aimed at limiting how far an intruder can get
  • Data recovery & system availability – aimed at restoring your data and systems if an attack occurs

#4. Expect to be breached

The chance of experiencing a ransomware breach in today’s world is high, so it’s important to quickly identify when an attack has occurred. The sooner a breach has been identified, the better!

The main things for a CEO to understand are:

  • How the company monitors ransomware attacks or breaches
  • How staff report any suspicious activity
  • How a breach is communicated to the rest of the company

#5. Create a culture of awareness

All company departments and employees should be involved in protecting the company’s valuable and sensitive data. Crafting a culture where all employees see themselves as having an active cybersecurity role is the key to addressing an inevitable ransomware attack. It’s important that this culture starts at the top with the CEO.

Three ways to help create this desired culture are:

  • Create a cybersecurity plan that is well known, and referred to often
  • Launch cybersecurity education initiatives for employees
  • Emphasise the importance of cybersecurity in all mass-communications with staff

Understanding ransomware and what to do when it occurs is the job of a CEO. By implementing the above 5 steps, you will be well on your way to properly protecting yourself from a ransomware attack, and ensuring your company isn’t tomorrow’s news.

