Imagine this scenario: You're leading a critical 12-month long project. It's Monday morning, and you're ready to dive into the final phase when suddenly, you can't access any of the project files. The only thing you can open is a .txt file demanding a hefty $100,000 ransom for the decryption of your data. The clock is ticking - you only have three days to pay the ransom, or the project data will be publicly released. Your business has just fallen victim to a ransomware attack, and you can't afford any project delays.
How did this occur? Was it the suspicious email your co-worker opened last Friday? Was it the network firewall with a critical patch that’s three months overdue? Was it the limited user access restrictions across the company network?
Incidents like the above can happen to any business, no matter the size or industry. In fact, during the 2021-22 financial year, over 76,000 cybercrimes were reported to the Australian Cyber Security Centre (ACSC). That's one report every 7 minutes! Plus, the financial injury of these crimes is staggering, averaging nearly $90,000 for a medium-sized business (20-199 employees).
Whether you’re a small retailer or a large financial institution, modern business is underpinned by technology and is easily disrupted by cyber threats. That's why it's essential to implement fundamental cyber security practices to manage this risk.
Here are six fundamental cyber security practices that every business, no matter the size or industry, can implement as a starting point:
- Vulnerability & Patch Management: Exploitation of software vulnerabilities or weaknesses are one of the most common methods of delivering a cyber-attack, and the ACSC indicates cybercriminals will often do so within 48 hours of a vulnerability being made public. Regularly updating software and infrastructure is one of the easiest cyber security measures to implement. Ensure that critical vulnerabilities are patched within 48 hours and, where possible, implement automatic software updates.
- Access Control: Only authorised users should have access to your data and systems. Use the Principle of Least Privilege (PoLP) and role-based access control to limit user access to only what is needed to complete their job. Regularly review user access requirements and offboard users promptly. In addition, the implementation of strong passwords, frequent password rotation, and multi-factor authentication reduces the risk of user account compromise. If users work remotely, ensure data and systems are securely accessed through a VPN or by implementing zero trust security.
- Data Protection: Data is critical to any business, and data loss or compromise can quickly result in significant business interruption, recovery costs, reputational damage, and legal liability. Protecting data should be a two-pronged approach – prevention and recovery. Prevention ensures only authorised users can access, read, or change data. This could include role-based access control or cryptographic controls such as encryption. Recovery involves backing-up data (e.g., to the cloud or an external storage device) and ensures data can be quickly recovered if manipulated or lost. Data backups should also be protected from unauthorised access, isolated from corporate networks or devices, and regularly tested.
- Incident Detection & Prevention: Security technology is essential in managing cyber security, serving as both a first line of defence against cyber-attacks in the wild, and backstops when other controls fail. As a minimum, endpoints should be provided with antimalware software with up-to-date signatures. Network perimeters should be protected with firewalls that are regularly updated and configured to block network traffic by default. Security logs and alerts should be centrally monitored to facilitate prompt incident response.
- Incident Response: Most organisations have established procedures and training for physical emergencies such as fires. These help to ensure the organisation and staff can respond quickly to mitigate loss in the event of an incident. The same applies to cyber security – a formalised and regularly exercised cyber incident response plan helps to ensure an organisation can quickly respond and recover from a cyber incident. As with any emergency procedure or plan, testing should be regularly completed to ensure stakeholders are appropriately trained, aware of their responsibilities and that the plan remains relevant to business needs.
- The Human Element: In some ways the human element is the weakest link in cyber security. For instance, it’s much easier to trick someone into giving you their login credentials, than it is to guess those credentials. Cybercriminals exploit the human element through social engineering attacks such as phishing. The best form of prevention against social engineering is education and establishing a culture of collective responsibility for cyber security. Users should be trained in basic cyber security hygiene such as strong passwords, and how to recognise and report phishing emails. It’s also important to regularly test the effectiveness of training through exercises such as phishing simulations.
Remember, no business is immune to cyber threats, but implementing these six basic cyber security practices can significantly reduce the risk and impact of cyber-attacks. Don't wait until it's too late, make cyber security a fundamental part of your business risk management strategy.
About the Author:
Simon Milliken
Risk Engineer P&C - Technology/Cyber Specialist, Chubb
Based in Sydney, Simon has been a key contributor to Chubb Risk Engineering Services since 2013. With a Bachelor of Engineering (Mechanical) and a Graduate Certificate in Cyber Security, Simon has comprehensive knowledge and a high level of expertise in technology and cyber risks.
Simon takes a holistic approach to risk management. By understanding the interconnection between different types of risk and accounting for both the likelihood and consequence of different risk factors, Simon assists clients to identify potential exposures and develop comprehensive strategies to mitigate them. Simon has worked with clients across a wide range of industries including food and beverage manufacturing, glass and plastic manufacturing, datacentres, telecommunications, healthcare, life sciences, media/broadcasting, industrial automation, defence, clean technology and fintech.
In addition to his technical knowledge, Simon is well-versed in technology and cyber industry-specific trends and stays up to date on the latest industry developments to ensure that Chubb’s clients receive the best possible advice and solutions.
This content is brought to you by Chubb Insurance Australia Limited (“Chubb”) as a convenience to readers and is not intended to constitute advice (professional or otherwise) or recommendations upon which a reader may rely. Any references to insurance cover are general in nature only and may not suit your particular circumstances. Chubb does not take into account your personal objectives, financial situation or needs and any insurance cover referred to is subject to the terms, conditions and exclusions set out in the relevant policy wording. Please obtain and read carefully the relevant insurance policy before deciding to acquire any insurance product. A policy wording can be obtained at www.chubb.com/au, through your broker or by contacting any of the Chubb offices. Chubb makes no warranty or guarantee about the accuracy, completeness, or adequacy of the content. Readers relying on any content do so at their own risk. It is the responsibility of the reader to evaluate the quality and accuracy of the content. Reference in this content (if any) to any specific commercial product, process, or service, and links from this content to other third party websites, do not constitute or imply an endorsement or recommendation by Chubb and shall not be used for advertising or service/product endorsement purposes. ©2023 Chubb Insurance Australia Limited ABN: 23 001 642 020 AFSL: 239687. Chubb®, its logos, and Chubb.Insured.SM are protected trademarks of Chubb. Published 03/2020.
Insights & Resources
We keep you informed – and your business protected – with these helpful articles.
