CIO

An Infosec End of Financial Year

by Brett Callaughan, Senior Sales Engineer – ANZ, Malwarebytes

As Australian businesses gear up for the financial year-end, it may well be time to review your security settings and general cyber hygiene. After all, you may be investing in new technology to take advantage of the latest Federal Government SME budget tax incentives and bringing on board a new fleet of tablets and other smart devices.

Security is not simply a case of better technology. It requires investment in processes and staff training. Users, for example, need to be educated and made aware of what a suspicious email looks like. In SME businesses, there is often a general lack of specific security skills and processes, and many breaches are the result of a simple misconfigured setting.

At the same time, you probably have lots of accounts, but it’s easy to divide them up before getting on with the “how secure is all this stuff anyway” task ahead of you.

As June 30 approaches, here are some security processes you can put in place to ensure organisational resilience for the year ahead.

1. Lock down your mission critical accounts.

Throw your really important email address, that social media account you maintain for work, and the cloud storage account with all your important things in it under this banner.

  • Do you use 2FA, like Google Authenticator?
  • Do you have a backup plan in place in case you lose your phone (and thus access)?
  • Are you using a password manager?
  • Do you have all security features enabled?
  • Do you use regional lockout and need to alter these settings before hitting the road? Or is there a Plan B that lets you alter them on the fly?
  • It’s easy to forget about websites – does your host have a secure login setup, or should you be looking to move to a more reliable provider?
  • Do you have one foot in the faintly aggravating pool of domain registration? If they provide additional security features related to privacy/anti-spam/“locking” the domain, are you using them?

Also of note, but easy to forget: your gaming accounts, which (depending on sales) may have hundreds or even thousands of dollars invested in them over time. It’s certainly a pain to micromanage lots of client logins from Steam to UPlay and back over to Origin, but all of your password juggling problems can quickly be resolved by deploying your password manager of choice.

These are probably the main items of note that you’ll want to concern yourself with.

2. Be aware of third party access permissions.

One of the web’s biggest strengths is being able to tie all of our programs and services together. It’s great! Unfortunately, it’s also not great and can lead to major problems should one of those services be compromised. It only takes one hack and then you’re pushing all sorts of wacky content (and by wacky, I mean “help, my eyeballs are melting”). There is no real solution to this one; if a third party service is popped while you’re in bed asleep, you’re going to wake up to disaster.

What you can do is jump into application settings/management and see what lies within. If you have a bunch of old apps you haven’t used in ages, revoke their permissions. Not sure how app X or Y got there in the first place? Revoke. It doesn’t matter whether the unused app is a big brand or something a teenager cobbled together in their bedroom – everything is potentially hackable, but this is all about reducing the risk a little bit. If you still get caught after amending your settings to something you’re comfortable with, don’t feel too bad about it.

3. Look after your Nothingburger accounts.

We all have them – those accounts we create purely because we have to, or ones we use for buying things on an occasional basis. Forum registrations. That one gaming site where you can’t stop screaming at people in ALL CAPS. The only seller of that unique brand of salad dressing you like. Something about cat memes.

However.

Don’t fall into the trap of cursing them all with the same username/email/password combination, on the basis that they’re all “disposable”. You might not think they’re important, but most of these Nothingburgers contain a juicy filling. A forum registration with your real DOB here, a shopping account with your real name and address there, or that gaming forum with a pile of HERE’S MY PHONE NUMBER, FIGHT ME private messages from 2008. All of this can be used against you. The moment one is popped, the hackers will try those same credentials against lists of other websites. At that point, it’s game over – and let’s face it, nobody wants to spend three hours trying to reclaim a dozen stolen logins while wading through a conga line of tech support.

Do the right thing and generate a bunch of random passwords via your favourite password creation tool. Mmm! That is a tasty nothingburger!

If you’ve shored up your super important accounts, dealt with the generic logins, and sorted out third party permissions, you’ve probably come to the end of your great end of financial year cleanse! There’s always something else to fix or tune up, but the above is certainly a quick and easy way to divide up the gigantic pile of accounts you probably have in your gigantic account pile of accounts bag.

At the end of the day, organisational resilience at all levels is the best investment and defence a business can adopt to keep itself safe.