On behalf of Leap, I wanted to share an important update on the topic of IT Security.
What have we been doing?
Currently, we provide a managed solution called “Leap Security Services”. At the time this offering was created and named (back in 2012) it provided a solid level of coverage for most companies. It has three basic protection mechanisms:
- Basic Email Spam Filtering
Despite global security firms like Symantec, Trend, Webroot, Kaspersky etc. spending millions on research and development, new breeds of ransomware continue to breach defences. This 2018 report from Datto shows the scary environment we are now faced with:
To reduce confusion and respond to the changing landscape, we have renamed this offering to “Leap Anti-Virus”. We have always used a multilayered approach to security for maximum protection, however, even this now requires new defences and approaches to mitigate the risks. Leap is undertaking an on-going program to raise the level of security awareness and help our clients navigate these risks.
What has shifted so suddenly?
As technology has transformed how, where and what we do in our companies, it has expanded the footprint for attacks. According to the Australian Cyber Security 2017 Threat Report, this has led to:
- An increase in the frequency, scale, sophistication and severity of cyber incidents
- More diverse and innovative attempts to compromise networks
- Increasing number and scale of distributed denial of service incidents
- Cybercriminal sophistication and deliberate targeting
- Foreign states increasing their level of investment in cyber capabilities
The speed, angle and combination of threats have left many companies exposed and yet others still unaware of the risk they are running by not acting. Just this year alone there have been major attacks and breaches at organisations like Austal Ships, Perth Mint and PageUp.
Even basic fraud like business email compromise scams has cost Australian business $2.8 million. This has risen 30% from last year according to the ACCC and has an average cost per victim of $30,000. So security is not just about spies and hackers; it is also about identity fraud and ordinary criminals.
What are some examples of what we’re seeing?
Over the past 6 months, 18 data breaches were reported to us by clients across a wide variety of verticals, and we assisted with each of them. The types of attacks were:
- Phishing emails – 72%
- Ransomware – 11%
- Brute force – 11%
- Stolen laptop – 6%
It is clear that email is still the most common method of attack. Other interesting findings from the email attacks were:
- After a compromise, the attackers used the account to send spam emails – 50%
- Spear phishing (targeting people to transfer money) – 27%
These could have been prevented by:
- Educating and training users to not click on suspicious emails
- Not downloading applications that haven’t been tested
- Changing passwords to more secure ones and enforcing multi-factor authentication
- Implementing well known and tested security recommendations such as the NIST framework (US), the ISO/IEC 27000 standards and the ASD Essential Eight (Australian Signals Directorate)
According to the most recent quarterly report from the OAIC, of breaches reported, 50% of the malicious attacks came from phishing emails. Human error played a big part with 12% sending an email with personal information to the wrong recipient.
This report captures notifications received by the Office of the Australian Information Commissioner (OAIC) under the Notifiable Data Breaches (NDB) scheme between 1 July 2018 and 30 September 2018 (data breaches).
Data breaches are becoming more common, and now that mandatory notifications are in effect, taking steps to reduce the possibility of a breach should be a priority. Unfortunately, many organisations are still unaware of their responsibilities, which is also why the OAIC has the power to issue fines of up to $2.1 million.
What are we doing about it?
The IT industry is grappling with how to respond to the demands and pressures of this escalating security shift. From a lack of graduates and qualified staff, to inconsistent legislation, to inadequate community awareness, the problem is confronting.
Through our affiliations and global relationships, including with organisations like Microsoft and Telstra, we have both learnt and witnessed firsthand what is required. Our focus areas in the next 12 months are:
- Updated security training for all internal Leap staff
- Investment in R&D in new technologies to improve our clients’ security posture
- Educating and training our clients about cybersecurity
- Increasing our partnership and engagement level with key security vendors
- Certifying our capability and skills at a company level
What are your options moving forward?
The Wall Street Journal’s Cybersecurity Research Director, Ron Sloan, shared these five questions at an Australian Institute of Company Directors talk that we think every business should consider:
- What does cyber security mean to your organisation?
- Who are the key people responsible for cybersecurity at your organisation?
- How vulnerable is the organisation?
- What’s your organisation’s risk tolerance and exposure?
- And what’s your long-term strategy for dealing with cybersecurity?
Answering these questions should be the start of your journey because, unlike other areas of technology, security is a joint responsibility.
Our Top 5 recommendations for you:
- Engage in Security Awareness Training for your staff so everyone gets a better understanding of the current threats and how to protect themselves
- Design an internal cybersecurity incident response plan so your staff are ready when there is an incident
- Undertake a Leap Security Audit for your business
- Create Business Continuity and Disaster Recovery Plans and test them to make sure that they work and would be ready when there is a real incident
- Take out Cyber Insurance
We will continue to be in communication regarding new offerings and increased protection standards we are introducing to help you keep your data and your business safe.