Cybersecurity Archives | Page 2 of 3

As businesses increasingly migrate to digital platforms, cybersecurity has become a non-negotiable priority. Microsoft 365 leads the way in providing robust security solutions and offers an abundance of features designed to safeguard your business data and systems – but how do you navigate the plethora of options available to ensure that you’re choosing the best security measures for your specific needs without feeling overwhelmed? Enter Microsoft Secure Score.

Just as the name suggests, Microsoft Secure Score is a built-in tool that not only scores your security posture but also recommends actions for improvement. With Secure Score, enhancing your cybersecurity is no longer a daunting task but a series of quick, actionable wins that will strengthen your defence line further against potential threats.

What is Microsoft Secure Score?

Secure Score is a free tool that comes with Microsoft 365 that analyses your organization’s security stance based on your unique use of Microsoft 365 services. It provides a numerical score, along with a detailed breakdown, of how well you are implementing the recommended security controls. Quite simply, the higher your Secure Score, the lower your risk level.

Secure Score monitors Identity, Apps, Data, and Devices in Microsoft 365, helping you to report on the current state of your security posture, suggest improvements by providing guidance, visibility and control, and compare yourself against similar sized organisations.

Importantly, it does not simply focus on one specific area of security in your Office 365 environment. Instead, it looks at all products available under your current licensing and providing recommended actions across multiple areas. Recommendations are presented in an easy-to-understand dashboard, grouped by product, and sorted by the impact the recommended change will have on improving the security of your Microsoft 365 environment. This approach makes it easy to focus your efforts in the right area and avoid spending unnecessary time on actions that won’t move the needle as much.

Key features of Secure Score

Key features of include:

Security Recommendations

Secure Score provides actionable security recommendations tailored to an organization’s specific environment. These recommendations cover areas like identity and access management, data protection, threat detection, and more.

Point-Based Scoring

Each recommended security improvement comes with a point value. By implementing the recommendations, your organization can earn points and increase your Score.

Comparison and Benchmarking

Secure Score allows you to compare your security posture with industry benchmarks and similar organizations. This feature provides valuable insights into how well you are performing relative to your peers.

Threat Intelligence Integration

The tool integrates with Microsoft Threat Protection, offering real-time threat intelligence and helping you stay ahead of emerging threats.

Historical Tracking

The system maintains a historical record of progress, enabling you to visualize your security journey and measure improvements over time.

Why use Microsoft Secure Score?

Microsoft Secure Score provides high impact recommendations to improve your cybersecurity posture, usually requiring little or no additional expense. Rather than requiring new and additional security services, Secure Score simply helps you to make the most of the features that you already have access to within the Microsoft 365 platform.

Importantly, Secure Score may help you reduce your cyber-insurance premiums. With cyber-insurance becoming a vital piece of any cybersecurity strategy, many insurers are now recognising the value of Microsoft Secure Score and factoring it in when calculating insurance premiums. Improve your Secure Score and you can potentially reduce your cyber-insurance premiums.

Not only that, but if your organisation aligns with one of the recognised cybersecurity frameworks, such as the Essential Eight, improving your Secure Score can also positively impact your alignment with your chosen framework.

Using Microsoft Secure Score

You can find your Secure Score in the Microsoft Defender Portal. Navigating the portal is quite intuitive, allowing you to focus on the insights and recommendations provided. Importantly, each recommended action also provides details on how the action will impact your security standing, along with any potential user impact.

Recommendations may range from reviewing an existing policy to implementing changes that may have a significant impact on users completing everyday tasks. As with all such changes, it’s important that you carefully assess the recommendation and consider the potential impact on operations.

Reporting and Tracking with Secure Score

When embarking on a process of change, it’s important to measure and demonstrate progress over time. Thankfully the Secure Score portal provides a historical view of your organisations score over the last 90 days, showing a trend line that makes sudden changes easily visible. A list of recommended actions is also shown, showing when there was a change to each action, if points were gained or lost and allowing you to understand sudden changes in score.

The Secure Score dashboard shows different metrics and trends, where an action may have regressed, recent decreases, points achieved, along with a comparison against similar sized organisations. Metrics and trends can be shown over 7, 30, & 90 days or using a custom date range and can be filtered based on the 4 main categories Secure Score applies against.

Safely Implementing Changes (without the drama)

Unfortunately, there are too many stories of (easily avoided) problems being created when security changes are made without proper consideration. One story that we’ve heard too many times is when an over-enthusiastic sysadmin has enabled multi-factor authentication or conditional access policies within Microsoft 365 without properly preparing the organisation – thus effectively locking many, if not all, staff out of the system. Problems like this are easily avoided though, with appropriate forethought and planning.

For many clients we find that an effective approach is to develop a roadmap of changes based on the Secure Score recommendations, and then progressively work through these changes over a period of weeks, reviewing improvements in their Secure Score as they go. Some changes may be quick and easy to implement, while others may require more careful management, such as technical change control and user training. By approaching this as a progressive roadmap of smaller actions you can ensure ongoing improvement while managing the risk of disruption.

How we improved both user experience and security with secure score

Grassroots IT recently helped a mid-sized non-profit organisation that was struggling with their systems. They reported inconsistent user experience across their Tenant, no defined settings for users when accessing systems and their users didn’t trust that they could easily access Office 365. When a review was conducted of the organisation’s Secure Score, it was immediately apparent that there were problems with both Identity and Apps within their tenant.

Utilising the recommended actions in Secure Score, Grassroots IT was able to implement multiple changes to their environment that made the user experience easier while also improving their overall security posture. Some of these changes included simplifying the user login process, enabling self-serve password recovery and using a single authentication service for apps. At the same time, multifactor authentication was enabled for all users, and appropriate policies were implemented to protect users from malicious content and emails, significantly improving their Secure Score and security posture.

Additional Resources

Microsoft Secure Score is a powerful tool for improving the security of your Microsoft 365 environment. To learn more, speak to us today, or explore some of these additional resources.

In a post-pandemic world, flexible working arrangements have become the norm for many. Where working remotely was previously the exclusive domain of salespeople and on-site consultants, these days an office full of staff seems a rare sight, with online meetings commonplace.

While the long-term future of work is still unclear, it’s fair to say that remote working in some form is here to stay, bringing with it new challenges for business leaders, not least of all those tasked with cybersecurity. Old approaches to securing the organisations digital assets have been rendered outdated, while new unforeseen risks have emerged almost overnight.

So, what are the most pressing cybersecurity risks with a remote workforce, and how do you ensure the ongoing protection of your business in light of these changing threats?

Understanding the risks

The various tools and techniques that cyber criminals employ to attack those working from home are generally no different to those used elsewhere, however in a work-from-home context some threats are greater than others and can pose unique challenges. Here are three of the highest risk cyber-threats for staff working from home.

Phishing & other scams

Phishing and other such scams are fraudulent attempts to obtain sensitive information from users, such as usernames, passwords and credit card details, usually by sending fake email purporting to be from a known, trusted person or brand. WFH users are often more vulnerable to such attacks as they may not have the same level of active awareness as others, may use personal email accounts alongside work email, and may not have ready access to corporate security tools and support.

Read more: How to identify a phishing email

Device security

Device security refers to the protection of physical computing devices, such as laptops, smartphones and tablets against unauthorised access which would in turn give cybercriminals access to confidential corporate information. This is of particular concern with staff working from home as physical security of devices is likely to be less than in an office environment, particularly when others have access to the same work environment at home.

Home workers are also more likely to use personal computing devices rather than business supplied devices, with or without explicit permission to do so. Personal devices are likely not configured with the same security controls as company-owned devices, nor actively monitored, managed or updated with the latest security updates.

Data leakage

Data leakage is the unauthorised transmission of data from within the company to an external destination or recipient, whether intentionally or otherwise. Users working from home are likely to use a poorly secured home network, have inadequate access controls in place around confidential information, and may even use personal cloud services instead of, or alongside approved company services, all of which pose the very real risk of leaking important company information.

Implementing Solutions

The good news is that there are proven strategies for effectively mitigating each of these threats in a work-from-home scenario.

Cloud Platforms

Cloud platforms such as Microsoft 365 are by nature designed to support remote working. It doesn’t matter whether you are physically in the office, at home or on a client site, the way you access a cloud service, and the security controls available are the same. By their very nature this makes cloud platforms a better, and potentially more secure option for supporting home-based workers than traditional infrastructure solutions.

Device Management

Ensuring the security of physical devices at home presents a unique challenge best addressed by strong policy. A work-from-home policy must enforce the use of company-owned devices only, enabling the deployment of strong security controls to the device such as patch management, managed detection & response agents and data encryption. The policy must also discuss the physical security of devices, the use of automatic screen locking and immediate mandatory reporting if a device is misplaced.

It is worth briefly mentioning the topic of Bring-you-own-device (BYOD), whereby staff may use their own devices to access corporate systems. Allowing for BYOD is a perfectly valid option, however, please be aware of the security implications of such a policy and adjust accordingly.

Employee training

A strong culture of cybersecurity awareness can be one of your most effective defences against security breach and data loss, and especially so when staff work from home. Users must be well versed on recognising threats such as phishing emails and how they should respond. They should also be clear on all relevant policies and understand the importance of compliance.

Conclusion

The post-pandemic work-from-home movement is here to stay, with undeniable benefits for many people. It does however bring with it unique cybersecurity risks that the organisation must proactively address to avoid inadvertently allowing cyber criminals access to corporate systems.

Grassroots IT is well versed in helping our clients support their home-based workers with secure, scalable systems. For help protecting your remote workers contact us today.

Explore Common Cybersecurity Myths and Misconceptions

In the digital age, cybersecurity has become a critical concern for businesses of all sizes. However, there are numerous misconceptions surrounding this complex field that can lead to complacency and, ultimately, vulnerability. In this post, we debunk ten of the most common cybersecurity myths that could be putting your business at risk.

Myth 1: My business is too small/boring to be attractive to hackers

Every business, regardless of its size or industry, is a potential target for cybercriminals. Small businesses often fall into the trap of believing they’re too insignificant to attract attention. However, hackers often target smaller businesses precisely because they tend to have weaker security measures in place. With many cyber-attacks launched at scale (eg: phishing emails) the incremental cost to hackers of targeting your small, boring business is negligible, yet the potential pay-off can still be significant.

Myth 2: My data is safe in the cloud

While cloud storage providers implement robust security measures, it doesn’t mean your data is invincible. Cybercriminals have been known to breach cloud security, and human errors can also lead to data exposure. It’s crucial to understand the shared responsibility model of cloud security and ensure you’re doing your part to protect your data. The cloud providers provide the platform, and the means to secure your data, but ultimately the responsibility for doing so is yours.

Myth 3: My data is safe on my own server

Storing data on your own server doesn’t automatically make it safe. Without proper security measures in place, your server can be just as vulnerable as any cloud service. Regular updates, patches, and strong access controls are essential to protect your data (many of which are automatically done for you in the cloud).

Myth 4: Cybersecurity is my MSPs responsibility

While your IT department or MSP plays a crucial role in implementing and maintaining security measures, cybersecurity is everyone’s responsibility from the bottom of the org chart all the way to the board. A commitment to cybersecurity must be lead from the top, with company directors and CEOs holding particular responsibilities for protecting the organization’s digital assets.

Myth 5: My team works from home, so security is their responsibility

Remote work has blurred the lines of responsibility for cybersecurity. However, as an employer, it’s your duty to provide secure systems and training to your employees. This includes secure communication tools like Microsoft Teams, and guidelines on safe online practices.

Myth 6: Cybersecurity is too expensive

With the average cost of a data breach in Australia reaching $4.4 million, the cost of a data breach can far outweigh the investment in cybersecurity. While implementing robust security measures may require an upfront investment, this can be far less costly than the potential financial and reputational damage caused by a breach.

Myth 7: I’ll know if my systems have been hacked

Many breaches go undetected for months, or even years. Cybercriminals often aim to infiltrate systems without detection, stealing data or causing damage over time. Regular system audits and monitoring are essential to detect and respond to breaches promptly.

Learn more: 24×7 peace of mind with managed detection & response

Myth 8: My staff are too smart to get hacked

Even the smartest individuals can fall victim to sophisticated cyberattacks. Phishing attacks, in particular, have become increasingly convincing and can easily trick unsuspecting users. Regular training and cybersecurity awareness are crucial to equip your staff with the knowledge to identify and avoid such threats.

Myth 9: Strong passwords are enough

While strong passwords are a fundamental part of cybersecurity, they’re not a panacea. Multi-factor authentication (MFA), secure network connections, and regular software updates are just as important in protecting your systems.

Myth 10: We only need to protect against external hackers

Insider threats, whether malicious or accidental, are a significant risk. Employees can inadvertently cause a breach by clicking on a malicious link or misconfiguring a database. Regular training, strict access controls, and monitoring can help mitigate this risk.

Dispel Cybersecurity Myths To Protect Your Business!

Cybersecurity is a complex field that requires a proactive and informed approach. In the realm of cybersecurity, complacency can be your biggest enemy. Grassroots IT are cybersecurity experts, ready to help secure your business against cyber criminals. To see how we can help, speak with us today.

Microsoft Office 365 is built from the ground up to be a highly secure platform, but that doesn’t necessarily mean that your own Office 365 environment is configured securely. There are numerous different ways that organisations can use Office 365, and just as many ways that it can be configured.

Ultimately the responsibility for securing your Office 365 environment, and the information and data stored in there, rests with you. Microsoft provides the platform and the means, but it’s up to you to consider your unique situation and ensure that appropriate security measures are taken.

So how do you know if your Office 365 environment is secure? Every organisation is different, and with so many ways of using and securing Office 365 there is no one-size-fits-all solution. The good news is that there are some well-established best-practices that can significantly strengthen the security of your environment.

Here are five critical questions that you need to ask about your Office 365 security to ensure that you’re properly protected.

#1. What Microsoft Office 365 plan do we use?

Let me start by saying that Microsoft has a frustrating habit of changing product names and bundles regularly, which can lead to some confusion. So, for the sake of clarity, let me share a bit of history with you.

First there were the Office 365 plans, offering a suite of products such as Word, Excel, Email and Teams. Then Microsoft added a whole new line of plans called Microsoft 365, which included all the things from Office 365, plus added a whole lot more, mainly to do with security and governance. Then more recently the Office 365 name has been retired entirely, leaving only Microsoft 365 plans to choose from. If you were using Office 365 plans before these changes happened, you will still be on those same Office 365 plans now.

It’s important to understand which Microsoft Office 365 plan you subscribe to, because not all of them have access to the better security features. For most organisations, we recommend that you subscribe to the Microsoft 365 Business Premium plan, or for some larger organisations, the enterprise level Microsoft 365 E3 or Microsoft 365 E5 plans. The important services that are included in these plans (but not the lower plans) are Azure Information Protection and Intune, both of which bring a range of security and data governance capabilities to your environment.

Recommendation

Review all your Microsoft Office 365 subscriptions and consider upgrading any that are not Microsoft 365 Business Premium, E3 or E5 so that you can take advantage of the better security and governance capabilities.

#2. What’s our Microsoft Secure Score?

Microsoft Secure Score is a rating of your organisation’s Microsoft 365 security posture, compiled from a range of configurations, metrics and various other data points, depending on what Microsoft 365 plan you subscribe to, and what services you use. The higher the number, the more secure you are.

In addition to a numeric score, the Secure Score dashboard will also provide actionable insights and prioritized recommendations tailored to your unique needs. By following these recommendations, you can progressively improve your Secure Score and strengthen the security posture of your Microsoft 365 environment to provide better protection for your confidential data.

Recommendation

Review your Secure Score and progressively implement the recommendations to improve your score.

#3. Is Multi-factor Authentication enabled on all our Microsoft 365 accounts?

Multi-factor authentication (MFA) is an authentication method that requires a user to provide two or more verification factors to prove their identity and gain access to your Microsoft 365 environment, most often a password plus a unique code provided by a separate app.

Despite being one of the most effective cybersecurity measures you can implement in your Microsoft 365 environment, MFA is not always enabled by default or enforced across all accounts. The important point to remember is that your security is only as strong as the weakest link, so for MFA to be most effective it must be enforced on all accounts in your Microsoft 365 environment, not only some of them.

Recommendation

Review all accounts in your Microsoft 365 environment and enable MFA where necessary. Configure Microsoft 365 to enforce MFA on all accounts by default.

#4. Are we using dedicated Microsoft 365 admin user accounts?

Every Microsoft 365 environment has one or more “admin” user accounts. These accounts possess elevated privileges that allow them to perform sensitive tasks such as changing system settings and accessing data anywhere across the environment. These admin privileges can be seen as the “keys to the kingdom”, and if allowed to fall into the wrong hands can be exploited to cause significant damage.

User accounts used for everyday tasks such as checking email and editing work documents should never be granted such elevated admin privileges, so as to reduce any potential harm should the account be compromised. Instead, dedicated “admin” accounts should only ever be used for duties requiring elevated security privileges.

Not only does this approach reduce the risk of accidental changes or security breaches, but it also makes it easier to monitor and audit their activities, improving accountability and traceability of any suspicious actions taken within your Microsoft 365 environment.

Recommendation

Review all user accounts in your Microsoft 365 environment for elevated admin privileges and remove such privileges in favor of dedicated admin accounts.

#5. How are we monitoring for suspicious activity within Microsoft 365?

Even with a well secured Microsoft 365 environment, ongoing monitoring and alerting of unusual activity is important for the prevention of a full-blown security incident. Monitoring can help identify a range of suspicious activities, such as multiple failed login attempts, unusual data access or transfers, and changes in user permissions. These could be signs of a brute force attack, data breach, or insider threat.

Moreover, monitoring isn’t just about detection, it’s also about response. When you spot suspicious activity, you can quickly investigate, take corrective action, and learn from the incident to strengthen your defenses.

Recommendation

Ensure monitoring is configured within your Microsoft 365 environment, and alerts are sent to the most appropriate person to take action as required.

Microsoft 365 is a highly secure platform, but that doesn’t mean that your organisation’s Microsoft 365 environment is secure by default. Microsoft provides the means, but ultimately, it’s up to you to ensure that your environment is secured appropriately, and that starts with asking the right questions.

If you have questions about your Microsoft 365 security, Grassroots IT can help. Speak with us today.

What is Cybersecurity Awareness?

Cybersecurity awareness is the level of understanding and mindfulness that people in your organisation have of the various cybersecurity threats that they may face, and how they should best respond.

A shocking 82% of all data breaches involve some human element, such as social engineering or through plain old human error and misuse. What this tells us is that people – our staff, suppliers and partners – can not only be the weakest link in our cybersecurity posture, but also offer the greatest potential to help protect against cyberattack.

Cybersecurity awareness is the lever that we must use to shift our people from being our biggest cyber-risk to being our strongest line of defence.

Why is Cybersecurity Awareness important?

With the average cost of a data breach in Australia reaching $4.4 million, cybersecurity attacks pose a very real and present threat to organisations of all types. Cybersecurity frameworks such as the ACSC Essential Eight and the NIST CSF can help us with strategies and security controls to help mitigate these risks, but technical controls can only help so far.

With the statistics clearly showing that the human element plays a major role in the effectiveness of our defences, we ignore cybersecurity awareness at our peril.

How to build a culture of cybersecurity awareness

Intentionally building any culture takes time, commitment and consistency to create and reinforce the behaviours that we wish to see in our organisation. Building a culture of cybersecurity awareness is no different.

Here are five practical ways to engage your organisation and build the cyber-aware culture you need.

Secure leadership buy-in

Culture is lead from the top and cybersecurity awareness is no different. All organisations look to their leaders to set the direction for the company not only through explicit statements, but also through implicit and implied messaging. Leaders must be seen to embrace the importance of a cybersecurity aware culture, and to lead by example.

Securing leadership buy-in can be helped by:

- Taking a holistic view of the organisation, of which a cybersecure culture is merely one piece.
- Connecting a cyber-aware culture to the company’s strategy, goals and aspirations.
- Clearly communicating the business case for strong cybersecurity awareness.

Promote robust policies, procedures and best practices

Robust cybersecurity policies and procedures are at the heart of any cyber-secure organisation. Policies and procedures must walk the fine line between protecting the organisation and being overly restrictive on how staff may go about their work. Too lenient and they may be ineffective – too stringent and staff satisfaction and productivity may suffer.

Policies and procedures should be promoted regularly to keep them top of mind with staff, along with examples of best practice responses to various likely scenarios.

Some common ways of promoting cybersecurity policies and best practices can include:

Ensure policies and procedures are clear, actionable and easily accessible to all staff.
Download, print and share posters and resources promoting cybersecurity best practice.
Communicate examples of real-world cybersecurity threats, and best practice responses through internal communications channels.

Conduct regular cybersecurity training

Regular cybersecurity training will not only keep cybersecurity top of mind and reinforce best-practice threat response, but it will provide an avenue for keeping staff updated on the latest cyber-threats they may face. The challenge of course is to keep training engaging and effective.

You might like to consider these Ideas for delivering engaging cybersecurity awareness training:

Mix up the format of delivery between online, in-person and self-paced.
Keep training sessions short, high energy and with a clear take-away message.
Consider bringing in an external trainer to inject new ideas and energy.

Schedule simulated cyberattacks

Research has shown simulation-based cybersecurity awareness training to be the most effective when compared to other methods such as instructor led (a close second place) and online delivery. Simulations may be run periodically to quantify the level of cybersecurity awareness in the organisation and identify improvement over time.

Table courtesy of ISACA.orgIn practice, the most common form of simulated cyberattack is referred to as “Friendly Phishing”, whereby staff are sent a fake phishing email to see how they respond. Those who are successfully tricked by the fake phishing email are immediately shown the error of their ways and are offered a brief online training snippet to educate them on how they could have identified the threat in time, and what a more appropriate response would have been.

Be consistent and stay informed

When impacting any organisational change, it is important to be consistent both in the message and the delivery. Be clear up front what you want your cybersecurity culture to look like and ensure that all key stakeholders are aligned and have the tools available to drive the necessary change.

Organisational culture requires ongoing stewardship. It takes time to establish the culture that you want, and ongoing vigilance to keep it strong. Maintaining an effective culture of cybersecurity awareness is an ongoing process, not a once-off activity

Conclusion

Cybersecurity awareness presents both the biggest threat and the largest opportunity to your organisation’s cybersecurity posture. A poor level of awareness will leave you exposed to attack, regardless of what technical security measures you may have in place. A culture of high cybersecurity awareness on the other hand will be your strongest line of defence in protecting your company.

Effective cybersecurity is as much about policy & governance as it is about tools and technology, however knowing where to start with these things can be challenging. In this post we have compiled a list of useful cybersecurity policy resources to help you build and enhance your cybersecurity governance.

Australian Cyber Security Centre

The Australian Cyber Security Centre (ACSC) is an initiative of the Australian government’s Australian Signals Directorate. The website contains a wealth of resources for both individuals and organisations, including alerts for new security threats, and the ability to report a cybercrime or security incident.

ACSC Homepage | Cyber.gov.au

Essential Eight Maturity Model

The Australian Cyber Security Centre (ACSC) has developed extensive strategies for the mitigation of cyber security incidents, with the most effective of these labelled The Essential Eight. Not only is the Essential Eight an excellent initiative for every business, Essential Eight compliance is also fast becoming a mandatory requirement for many tenders, contracts and cybersecurity policies.

Essential Eight Maturity Model | Cyber.gov.au

Key questions for an organisation’s board of directors

The Australian Securities & Investment Commission has compiled a list of key questions for board members to consider. Topics include Risk management framework, Identifying cyber risk and incident response awareness.

Key questions for an organisation’s board of directors | ASIC

Create a cybersecurity policy

The Australian government Business website provides an excellent quick-start guide to creating your own cybersecurity policy. Of course every policy will be unique to your own organisation, but this guide provides an excellent template to get you started, including sections such as:

Password requirements
Social media access
Incident response planning

Create a cyber security policy | business.gov.au

University of Queensland Cyber Security Policy

The University of Queensland has published its own Cyber Security Policy which provides an interesting real-world example of such a policy. Although of course uniquely crafted for the university’s own purpose, it does provide a useful example of how such a policy can be shaped.

Cyber Security – Policy – Policies and Procedures Library – The University of Queensland, Australia (uq.edu.au)

It is a common understanding that passwords are supposed to protect our accounts. But how much does your designated password protect you and your information? If the bad guys come hacking into your personal and corporate accounts one day, how sure are you that it’s going to be a tough job for them? Let us help you assess how easy it is for a hacker to take a quick guess of your password.

Your password is your first line of defense from wrong doers in the digital world. And yet, it is something that we often overlook and take for granted. When was the last time you spent a dedicated amount of time to think about what password to use for your new account? We often just use a single password across all of our accounts to save us the time and effort. Am I right? This is a definite no-no! Using a single password for all accounts is just making a hacker’s job much easier. So what is the best way to manage passwords and protect your accounts?

In order to plan for an effective account protection strategy, let’s start with a rundown on how hackers guess passwords:

1. Wild guess

Although you can’t really call it ‘wild.’ These hackers are trained to squeeze the juice out of your public information just to get a list of sophisticated guesses to your password. They use sophisticated programs and procedures to ultimately catch that one ticket into your personal data.

2. Shoulder Surfing

Sadly there are lurkers who discreetly stick their heads out from behind your shoulder as you type in your password, prying on what you type and browse. Don’t underestimate them – always be cautious of who can see your information in your surroundings.

3. Dictionary-based attacks

There are some hackers who are so hard working that they would endure matching your personal data with every word in the dictionary. Yes, they exist. They would browse through every possible word to partner with, for example, your birth month, in order to guess your passwords.

4. Phishing

Be careful of strange emails that you find in your inbox – this might be a phishing attack. They might be schemes sent by scammers who are trying to lure you into clicking and opening malicious files that intend to steal your personal information. As of October 2018, phishing activities has already cost victims $47,676 of loss this year (source: scamwatch.gov.au). So beware of being tricked into opening an email about winning a brand new car and clicking on links.

5. Brute-force Attack

As the label implies, it’s a pretty vicious attack on your accounts. All the hacking techniques mentioned above are used on your account to track your keystroke and eventually get whatever important data can be stolen from you.

Knowing these hacking strategies and your current password choices, can you confidently say that your accounts are safe? Now that you already have an idea how cyber criminals do it, here are some ways on how you can minimise your risks:

Password Security Tips

1. Create a password with at least 8 characters.

I know people will usually recommend starting at 6 but, it wouldn’t hurt to add in two more characters if it means increasing your security because nowadays, the longer your passcode is, the more time a hacker needs to spend cracking their way into your account.

2. Make use of a variety of lowercase and uppercase letters, numbers and special characters.

To make it harder to track and follow your keystrokes, you might want to utilise as much letters and characters as you can.

3. Never use your personal data in your password. Remember how hackers can ‘guess’ well?

Remember that most of the time, the people who are trying to hack their way into your account already know enough about you. Don’t use a word or phrase that can be obviously related to you.

4. It’s better if you don’t use real words.

What I mean by this is that you can use words that are hard to “guess” and identify. Maybe use that one phrase you came up with in primary school that nobody understood.

5. Make random patterns that hackers will have a hard time following.

Hackers can track your keystrokes in order to decipher which letters or characters you are constantly using. Making your password random can help minimise the risk of getting your usual password input tracked and followed by cyber criminals.

You can also have a look at an infographic of an anatomy of a secure account to have a more comprehensive view of how you should be securing your accounts.

Don’t take your password for granted and take the easy way out, rather than thinking of a good one. And if you’re like me who tends to forget anything (and everything), including passwords, there are tons of useful tools and apps that you can use to store your precious security passcodes.

Here are some of the more well known password management programs.

1. LastPass

One of the top on the list of best password managers. It features advanced hashing that provides a secure haven for your passwords. It runs across a wide range of operating systems and is free of charge unless you want to buy Premium subscription. Having the free version is not bad at all with 2 Factor Authentication feature and a robust password generator.

2. Dashlane

Aside from keeping your password safe. Dashlane also has a feature called digital wallet where you can safely manage your credit card information so you can securely make online purchases. It also allows you to sync your data to the cloud so you can access your passwords wherever.

3. Sticky Password

It is one of the most user-friendly password applications in the market. It may look a little outdated but works as well as the other ones already mentioned. It provides secure management for an unlimited number of passwords. It is free of charge unless you upgrade to premium then you can sync your data into different devices.

4. bitwarden

It is an open source software (which means it’s free!) that features 2-Factor Authentication, end-to-end encryption and enables syncing to multiple devices without limits. It also boasts a password generator and runs through multiple operating systems.

At Grassroots IT, we recommend the BEST way to protect your accounts is using Multi Factor Authentication (MFA). So that even if the hackers guess your passwords, they still need a real-time authenticator to get into your accounts. Read more about that over here.

It can be easy to overlook such a thing as your account passwords but we really do live so much of our lives online these days, that it’s become increasingly important to be vigilant about protecting our personal information and corporate data. If you need any help setting up some additional security for your personal accounts, don’t hesitate to make a time with us.

Back to more news, updates and resources or learn more about Cybersecurity

CEO’s play a vital role in protecting their business from cybersecurity attack, however for many CEO’s, the world of cybersecurity leaves them feeling confused and vulnerable. This is perfectly understandable given the complex and rapidly changing nature of security threats facing all organisations. So how does a CEO properly secure their business? The good news is that there is no need to become a cybersecurity expert! Here are our top 5 cybersecurity tips for CEOs to help their organisation stay safe from online attacks.

#1. Get board level buy-in for cybersecurity

In the past, cybersecurity was a technical IT responsibility. However, cybersecurity has been developing more into a business driver rather than a technology issue for some time. That’s why it’s important to ensure board level buy-in and support.

The main ways that CEOs can gain buy-in from their board are:

Quantifying the company’s cyber risk based on budgets
Defining a clear return on investment (ROI)

#2. Have a cybersecurity plan in place

A cybersecurity plan is something every staff member, at every level, must be aware of. This means that if a breach occurs, everyone knows what to do.

A cybersecurity plan should include:

Security policies, procedures, and controls required to protect the company
An outline of the specific steps to take to respond to a breach

This plan can also be called a ‘Crisis Management Plan’, which you can learn more about in our blog ‘5 questions board members need to ask’.

#3. Don’t skimp on your cybersecurity budget

Cybersecurity is not a one-size-fits-all kind of investment. Many companies – especially SMEs, Non Profit organisations and start-ups – struggle to make the right security choices. Yet choosing cheaper options will end up costing more in the long term.

Cybersecurity is more than just having anti-virus software in place. The best cybersecurity measures are outlined in the Essential Eight Framework, as identified by the Australia Cyber Security Centre.

Essentially, your cybersecurity needs to cover:

Prevention/protection from an attack – aimed at preventing malware delivery and the execution of malicious code
Limiting the extent of an attack – aimed at limiting how far an intruder can get
Data recovery & system availability – aimed at restoring your data and systems if an attack occurs

#4. Expect to be breached

The chance of experiencing a ransomware breach in today’s world is high, so it’s important to quickly identify when an attack has occurred. The sooner a breach has been identified, the better!

The main things for a CEO to understand are:

How the company monitors ransomware attacks or breaches
How staff report any suspicious activity
How a breach is communicated to the rest of the company

#5. Create a culture of awareness

All company departments and employees should be involved in protecting the company’s valuable and sensitive data. Crafting a culture where all employees see themselves as having an active cybersecurity role is the key to addressing an inevitable ransomware attack. It’s important that this culture starts at the top with the CEO.

Three ways to help create this desired culture are:

Create a cybersecurity plan that is well known, and referred to often
Launch cybersecurity awareness & education initiatives for employees along with regular and ongoing training sessions
Emphasise the importance of cybersecurity in all mass-communications with staff

Understanding ransomware and what to do when it occurs is the job of a CEO. By implementing the above 5 cybersecurity tips for CEOs, you will be well on your way to properly protect yourself from a ransomware attack, and ensure your company isn’t tomorrow’s news!

Why should board members be concerned about cybersecurity?

A cybersecurity breach can be extremely disruptive and expensive, potentially resulting in significant downtime and lost productivity, permanent loss or public exposure of confidential information, reputational damage and direct financial loss. The potential impact of a security breach could be devastating or potentially fatal to any organisation. That’s why cybersecurity should have oversight at the highest level.
A robust cybersecurity strategy will also call on resources from across the organisation, including finance, human resources, IT, and operations. To gather this appropriate support and commitment from across the organisation requires a suitably senior authority to champion the cause.

Here are the 5 cybersecurity questions board members need to ask.

#1. What measures are in place to protect the organisation from cyberattack?

Although board members don’t need to have a deep technical knowledge of the organisation’s cybersecurity defences, some understanding of the systems that are in place is important. Equally critical is an understanding of how these systems are resourced and managed on an ongoing basis, as well as how the board will be kept informed.

Cybersecurity is not a “once-and-done” proposition; it’s one that must be actively managed. Are your security measures current and always evolving to keep up with new and more sophisticated threats? Are they being audited regularly to identify gaps and ensure compliance with established standards? Are your systems proactively tested, such as with mock attack scenarios and penetration testing?

#2. How do board members know if a cybersecurity breach has occurred?

In the event of a successful cybersecurity attack against your organisation, a rapid response is critically important to limit the extent of the attack and minimise the potential impact. The longer a successful attack is allowed to remain in place, the further it may spread and the more complex and expensive it may become to resolve.

As a board member you should satisfy yourself that any security breach will be rapidly identified and responded to. Ask:

How does the company monitor for cyberattacks and breaches?
Are staff appropriately trained to identify and respond to attacks quickly?
How do staff report any suspicious activity?

#3. How do we respond in the event of a cybersecurity breach?

Instead of considering how your organisation will respond if a breach occurs, think instead in terms of responding when a breach occurs. Assume that a breach will occur and plan accordingly by having an incident response plan in place.

At a basic level, a cybersecurity incident response plan should include:

Formation of an emergency cybersecurity incident response team to manage the incident response.
Definitions of what a cybersecurity incident is (and isn’t).
An incident response management flowchart to help employees understand the steps to be followed during a cyberattack.
Cybersecurity incident response communication templates to help with timely companywide communications for the more severe security breaches.
An emergency contact list and communications plan to keep internal and external stakeholders informed and coordinated.

#4. Are response plans in place and tested?

When you’re thinking about how the organisation will respond in the event of a security breach, there are three plans of critical importance. Satisfy yourself that all three plans are in place, and are reviewed and tested on a regular basis.

Backup plan

In many cases, when recovering from a security breach the organisation may need to recover lost or damaged data from backup. The backup plan should detail how the organisation backs up important data, and how often? What is included in the backups? How often are the backups tested? How secure are the backups if a security breach occurs?

Disaster recovery plan

A disaster recovery plan details how the organisation will recover from a disaster, such as a security incident. Disaster recovery will often rely on the backup plan, but will also consider how the backups are to be used, what order systems are to be recovered in, how long recovery efforts may take, and what additional resources may be required, such as new data centre equipment or cloud tenants.

Business continuity plan

A security breach may result in significant disruption to business operations, with key systems rendered useless. A business continuity plan should address how the business may keep operating (even at reduced capacity) while the security incident is addressed and business systems recovered to an operational state.

#5. Will we be covered by cyber-insurance?

Cyber insurance can help not only with the immediate response to an incident, but also with immediate and longer-term recovery efforts. Ensure you understand the scope and limitations of cyber insurance policies, that sufficient coverage is in place, and satisfy yourself that all policy obligations are being met by your organisation to ensure any claims are not denied. Cyber insurance may cover:

Loss of revenue due to interrupted business
Hiring negotiators
Paying a ransom
Recovering or replacing your data
Legal claims
Investigation by a government regulator
Copyright infringement
Misuse of intellectual property online
Crisis management and monitoring

It’s no secret that, as we become more and more dependent on technology to run our businesses and become reliant on internet-connected devices, both for our personal and professional lives, we also become more vulnerable to cyber threats. US$2.9 billion is lost to cybercrime each minute and, as at 2020, the average cost of a data breach was a staggering US$3.86 million. However, there are some cybersecurity essentials that we can put in place, ranging from simple to more complex, in order to protect ourselves and our businesses from cyber attacks.

#1. Turn on MFA everywhere you can

This is one of the simplest, but most effective cybersecurity essential strategies. It’s usually free, if not very cheap and easy to activate. Most applications (including Microsoft 365 and social media apps like Instagram and Facebook) have now adopted Multi Factor Authentication (MFA or 2FA) methods that you can activate by doing a quick look at your account settings.

This adds another layer of security (besides your username and password) to your accounts, requiring a real-time password before allowing entry to your account, making it far more difficult to penetrate and access your data. There are different methods depending on which app you’re using but the most common ones would be via a unique One-Time-Code sent through text, email or a code generator app like Google Authenticator.

#2. Implement the right cybersecurity strategy for your business

These days, no business is “too small” to put adequate cybersecurity defenses in place. All businesses who access the internet need a cybersecurity strategy, including endpoint security protection and management, network firewall management and security monitoring and alerting. Cybersecurity is more than just anti-virus software. If you aren’t sure what your business requires when it comes to cybersecurity, consult an expert and ensure you have the best strategy in place for your business.

#3. Promote a Cyber-secure company culture

Unfortunately many cyber attacks occur because of human error – when someone clicks on a malicious link or opens a suspicious email. Make sure that cybersecurity is a regular topic of conversation between your staff. Promote the importance of a positive cybersecurity stance in your business and make sure that everyone is following the trend. Welcome ideas about how you can better improve your cybersecurity measures and keep an active discussion around it.

Empower your staff with better knowledge of cybersecurity, its risks and effect on the business by conducting cybersecurity training – either internally or by hiring a knowledgeable cybersecurity expert to conduct the training. Making sure that everyone in your organisation is equipped with proper knowledge of cybersecurity best practices could save you from the otherwise dreadful consequences.

#4. Protect your Business with Cyber-insurance

Although cybersecurity defences can physically protect your business from cybersecurity risks, having an incident response plan and insurance coverage could literally save your business from going under if the worst case scenario happens. It’s important to consult an insurance broker to source the best protection for your business, as coverage can change from policy to policy, but most cyber-insurance will cover your business in the event of:

Business interruption loss due to a network security failure or cyberattack.
Data loss and restoration
Incident response and investigation costs
Delay, disruption, and acceleration costs from event/s causing business interruption
Crisis communications and reputational mitigation expenses
Liability arising from failure to maintain confidentiality of data
Liability arising from unauthorised use of your network
Network or data extortion / blackmail (where insurable)
Online media liability
Expenses relating to regulatory investigations

Cybersecurity can often be put in the “too hard basket”, especially by smaller businesses who don’t perceive their risk to be very high. But when we are so connected to the internet through so many devices these days, we cannot afford to become complacent. Ensure you have all the cybersecurity fundamentals covered for your business in order to stay safe from cyberattacks.