Does Australia need an infosec wake-up call?

By on
Does Australia need an infosec wake-up call?

[Blog post] Yes, we are vulnerable.

Is Australia too complacent with regards to its information security? What kind of wake-up call will it take to shake us into action?

Earlier this month, two iconic Australian department stores were hacked and a large consignment of customer records were stolen.

However, before the Kmart and David Jones breach revelations hit the Australian media, there appeared to be a belief that we’re generally not the target of cybercrime.

Most medium to large business owners (unless they are in hi-tech) believe that the majority of cybercrime affects the US market because the breaches to hit the press have typically been US retailers, US health providers and US government agencies.

But now local home delivery business Aussie Farmers Direct has been hit within a few weeks of Kmart and David Jones, with the personal details of more than 5000 of its customers being posted online. Maybe this is the wake-up call Australian businesses need?

The truth is that we are not safe and never have been. Cybercrime is already a massive issue for Australia, with identity theft increasing to over $1bn last year (a conservative estimate since not all cases are reported).

We need to be ready to deal with attacks when they come and take proactive measures to prevent the attackers from getting into our systems in the first place.

You should start by comparing the defences in your business to the defences you use to protect your home. It’s possible to adopt security measures that don’t cost the earth but keep out opportunist attackers.

At home, you keep your jewellery in a separate locked safe along with your most important documents, such as passports and birth certificates.

Treat your most important business assets differently to the rest of your data: keep them on a separate system or network and make sure they are encrypted and only accessible to those that need access.

If you have expensive equipment in your home, you protect it with reasonable locks on your external doors. However, we don’t trust our external doors are good enough to keep out determined thieves, so we have home insurance just in case.

Consider taking out cyber insurance for your business, but just like your home insurance, make sure you meet the obligations of the policy, otherwise the insurer might not pay out.

If you don’t keep your systems up-to-date with the latest security patches, you might be breaching the terms of your policy, so beware of such clauses.

Also, consider installing an alarm. In the same way a burglar alarm acts as a detective and deterrent measure in your home, you can use intrusion detection and prevention systems in your business to shore up your network.

Consider outsourcing some aspects of your security to an expert. In the same way you might employ a private security company to patrol your property and react to your alarm systems, you can outsource the monitoring of your information systems to a managed security services provider, achieving a guaranteed level of service and risk reduction that you might not have the experience or resources to achieve internally.

What if the worst happens and you get burgled? You won’t hide the fact from your neighbours, as that knowledge might help them prepare themselves and step up their own security measures in case the criminals come back.

You’ll make as many people aware of what was stolen as you can, just in case they see it for sale on Gumtree or eBay (even if it’s just a remote chance).

From a business perspective, be prepared to call in the cavalry, so make sure you have an incident response plan that you thoroughly test prior to any major incident occurring. Your contact list includes calling the police and warning customers, suppliers and subcontracts that they may be at risk.

You also need to be ready to talk to the press. If you are breached and it’s a big deal, make sure you know how to explain the problem to the media and be transparent with about what was taken and what you are doing to fix the problem.

Part of successful incident management is not only communicating to the right people what they need to know, but it’s also about managing the rumour mill.

With just a little planning and some common sense security measures, you can make your business considerably more secure than it is today.

You just need to take that first step, audit your current situation and make plans for dealing with the the worst case, should it happen.

Because, if recent history is anything to go by, it will happen before you think.

Got a news tip for our journalists? Share it with us anonymously here.
Tony Campbell
Tony Campbell has been a technology and security professional for over two decades, during which time he has worked on dozens of large-scale enterprise security projects, published technical books and worked as a technical editor for Apress Inc.

He was was the co-founder of Digital Forensics Magazine prior to developing security training courses for infosec skills.

He now lives and works in Perth, where he maintains a security consulting role with Kinetic IT while continuing to develop training material and working on fiction in his limited spare time.

Read more from this blog: Unpatched

Most Read Articles

Log In

  |  Forgot your password?