Last month’s hacking attack against Telstra was the latest in a growing number of cyber-security threats faced by businesses of all sizes. The intrusion, which leaked the data of up to 35,000 of Telstra’s customers, is by no means an isolated incident. According to Privacy Commissioner Timothy Pilgrim, Australia experienced more than one significant data breach a week last financial year, and the actual number could be double that or even more. Telstra itself is still recovering from another breach last December that exposed the data of around 60,000 of its customers. What’s more, the majority of these incidents are easily avoidable.
While dedicated cyber-security can be a pricey resource, it’s a worthy investment to protect your brand and profitability – particularly as a single highly visible security breach can cause irreparable damage to both. This is especially true for e-commerce businesses and others with significant online operations, whose systems are often left vulnerable to attack in multiple places. So what can businesses do to reduce their chances of getting stung?
Improving response times
The first thing businesses can do is simple: make sure you know when you’ve been hit by an attack. Many companies only know their defences have been breached when they hear about it from a third party, whether that be customers or the media.
By that time, your reputation and brand may have already suffered significantly, not to mention the lost profits if a hacker has taken your website or e-commerce channels offline for any period of time. When Sony’s PlayStation Network was compromised last year, it took the company almost a week to respond – by which time hackers had stolen the data of up to 77 million users and publicly tarnished the brand’s global standing.
Make sure your IT systems are sufficiently monitored that they alert you in the event of any attempt to get inside, no matter how small it may seem. If you’re outsourcing your data or infrastructure, check that your provider is watching your assets at all times and will alert you in the event of an incident: they play a critical role in your cyber-security policy, as we’ll return to later.
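As an added illustration of the monitoring point above (example code written for this piece, not from the original article, Macquarie Telecom or Shearwater Solutions): a small Python alerting rule run over a handful of constructed login-log lines. It raises an alert for an obvious burst of failed logins, but also for the quieter cases a simple threshold would miss: a source that keeps trying slowly over hours, and any failure at all against a privileged account. The log format, the 5-attempts-in-10-minutes threshold and the set of privileged account names are assumptions chosen for the example.

```python
"""Added example: three small alerting rules over login-log lines.

Illustrative only. The log lines are constructed, and the simplified
SSH-style "Failed/Accepted password" format is an assumption.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample: one noisy source, one "low and slow" source, one
# legitimate login. Addresses are from documentation ranges.
SAMPLE_LOG = """\
2012-03-01 02:10:01 sshd: Failed password for admin from 203.0.113.7
2012-03-01 02:10:03 sshd: Failed password for admin from 203.0.113.7
2012-03-01 02:10:04 sshd: Failed password for root from 203.0.113.7
2012-03-01 02:10:06 sshd: Failed password for admin from 203.0.113.7
2012-03-01 02:10:08 sshd: Failed password for backup from 203.0.113.7
2012-03-01 02:30:00 sshd: Failed password for www from 198.51.100.9
2012-03-01 03:30:00 sshd: Accepted password for alice from 192.0.2.20
2012-03-01 04:30:00 sshd: Failed password for www from 198.51.100.9
"""

# Assumed account names that warrant an alert on a single failure.
PRIVILEGED_ACCOUNTS = {"root", "admin"}

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) sshd: "
    r"(?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)$"
)


def parse_events(text):
    """Turn log text into a time-ordered list of login events."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that do not match the assumed format
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "failed": m["result"] == "Failed",
            "user": m["user"],
            "src": m["src"],
        })
    return sorted(events, key=lambda e: e["ts"])


def run_alerts(text, threshold=5, window=timedelta(minutes=10),
               slow_span=timedelta(hours=1)):
    """Apply three rules and return the alerts raised by each.

    brute_force:  `threshold` failures from one source inside a sliding `window`.
    low_and_slow: a source with repeated failures spread over at least `slow_span`.
    privileged:   any single failure against a privileged account (once per
                  source/account pair, so a burst does not flood the queue).
    """
    alerts = {"brute_force": [], "low_and_slow": [], "privileged": []}
    recent = defaultdict(list)      # per-source timestamps inside the window
    all_failures = defaultdict(list)  # per-source timestamps, unbounded
    burst_alerted, priv_alerted = set(), set()

    for e in parse_events(text):
        if not e["failed"]:
            continue
        src = e["src"]
        all_failures[src].append(e["ts"])

        # Sliding-window burst rule.
        q = recent[src]
        q.append(e["ts"])
        while q and e["ts"] - q[0] > window:
            q.pop(0)
        if len(q) >= threshold and src not in burst_alerted:
            burst_alerted.add(src)
            alerts["brute_force"].append(
                f"{len(q)} failed logins from {src} within {window}")

        # Privileged-account rule: one failure is enough to look at.
        key = (src, e["user"])
        if e["user"] in PRIVILEGED_ACCOUNTS and key not in priv_alerted:
            priv_alerted.add(key)
            alerts["privileged"].append(
                f"failed login for {e['user']} from {src} at {e['ts']}")

    # Low-and-slow rule, evaluated over the whole period.
    for src, times in all_failures.items():
        if len(times) >= 2 and times[-1] - times[0] >= slow_span:
            alerts["low_and_slow"].append(
                f"{len(times)} failed logins from {src} spread over "
                f"{times[-1] - times[0]}")
    return alerts


if __name__ == "__main__":
    for rule, found in run_alerts(SAMPLE_LOG).items():
        for a in found:
            print(f"[{rule}] {a}")
```

In the sample, the noisy source trips the burst rule, the two-attempt source two hours apart trips only the low-and-slow rule, and the legitimate login raises nothing. The same structure scales to whatever your provider's logs actually look like: the point is that each rule produces an alert a person sees, rather than a line that sits in a file until a customer or journalist calls.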
Testing the perimeter
Prevention, of course, is better than cure, no matter how fast your response time. Most businesses already have some sort of cyber-security system in place: chances are your servers are behind a firewall, and you run regular antivirus scans of your PCs. These are good measures to have in place, but are they the right ones? The majority of businesses have no basic cyber-security processes and procedures in place, and many organisations don’t keep track of what measures are currently deployed across their systems.
This ad hoc approach to cyber-security is why so many intrusions or breaches occur as a result of human oversight or avoidable technical slip-ups. Just a few days after the latest Telstra breach, LEGO Australia reported a vulnerability which could compromise the data of more than 1500 of its users as the result of an incorrectly configured SSL certificate. In other words, someone had forgotten to encrypt the data, leaving it potentially accessible to hackers. Many e-commerce sites use the same back-end payment mechanisms, which helps hackers know what to target; poorly-written code and databases in these sites only make intrusions easier.
Rather than simply using off-the-shelf security, test your systems for vulnerabilities and address them as quickly as possible. A reputable cyber-security firm should not only be able to detect the weak points in your business, but also provide recommendations about the fastest and most effective ways to plug the holes in your defences. Often this can be as simple as remembering to install software updates and patches or using the right settings on your machines. By testing your cyber-security against a variety of threats, you can ensure your measures are the right ones for your business.
How secure is your provider?
The same standards should apply to your third-party IT providers. It’s easy to forget that when you outsource your IT services, you’re placing the security of your business in the hands of another organisation. If that third-party provider doesn’t properly look after your data or quality of service, your business will bear the consequence. And your security is only as good as your weakest provider’s: the latest attack against Telstra didn’t target the company itself, but a third-party provider which hosted much of Telstra’s data.
Businesses need to thoroughly assess the cyber-security credentials of third-party providers before enlisting their services. Secure providers will have not only a strong reputation, but also the cyber-security certifications to support it. Global certifications like ISO 27001 and PCI indicate these providers keep their defences up to date with the latest emergent threats, and monitor your systems for suspicious activity on a 24/7 basis. Australian government certifications, like ASIO and DSD certification, indicate that government trusts these providers with even their most sensitive data – one of the strongest measures of a secure hosting environment.
E-commerce businesses will particularly benefit from 100 per cent uptime guarantees and certifications which indicate their service won’t go down in an outage. And all businesses should lay out the terms of cyber-security when drawing up contracts with providers, keeping data and services within Australian borders (and thus the Australian legal system) as much as possible.
Rigorous and up-to-date knowledge of cyber-security threats is the best form of defence for any business. Cyber-security firms and reputable service providers can help build up this knowledge and supplement it with their own expertise. Given the fatal risks to brand and profits that malicious intrusions now pose, cyber-security knowledge is a worthy investment of your time and money. But the best cyber-security strategies – like early-warning alerts, system tests and an awareness of your provider’s track record – are mainly just common sense.
Art Leyzerovich is the general manager emerging technologies (hosting) at Macquarie Telecom. Mark Hofman is the technical lead at Shearwater Solutions.