Every year, after noting which attacks have been reported, national cybersecurity watchdog CERT NZ releases a list of Critical Controls to help you protect your software and systems. “If you don’t have these controls in place, you have a soft underbelly and hackers will come after you,” says Rob. “But when you implement them, they will prevent the majority of what’s out there.”

Let’s look at those controls and other means of protection…

Passwords

Passwords are the key to our most sensitive and important data, yet many people don’t observe safety protocols, which include:

• Not replicating passwords across sites. This is known as good “password hygiene”.
• Don’t use your birthdate or name, or those of your family.
• Don’t reveal information that might hold the key to your passwords or their recovery questions. For example, some social media posts ask for personal details in the name of fun, e.g. to find out your “rockstar name”.
• Store digital passwords in a password manager or physical copies in a safe, secure place.
• Longer passwords are better. Use a combination of lower and upper case, numbers and special characters.
• Screen your keyboard when entering account details in public spaces to prevent anyone from watching – this is known as shoulder surfing.
• The haveibeenpwned website lets you check whether your email login has been captured in a site breach. If it has, change your password in case it has been compromised.

Provide and use a password manager

Password managers enable storage and encryption. They can also create long, complicated, unique passwords for each site or account you log into, avoiding replications that could be exploited.

Patch your software and systems

This will help protect against the scripts detailed at the end of our cybercrime article last week, so it’s important to quickly patch all your software, from operating systems and applications to firewalls and routers, after security patches have been released. We recommend doing it each night.

“PCs and laptops are being used in home networks, airports and hotels, so it’s really important to patch those devices as soon as they become available,” says Rob.

Implement multi-factor authentication and verification

If a hacker acquires your username and password, multi-factor authentication will likely prevent them from going any further due to the request for secondary proof of identification.

Configure logging and alerting  

Set up alerts with service providers such as Office 365 to notify you of suspicious logins. These should be sent to someone who will see and act on the alerts, if necessary. “It’s about trying to take action as it’s happening, as well as finding out what went wrong and fixing it,” says Rob.

Asset lifecycle management

It’s important to manage and maintain your assets through their lifespan from purchase to usage, retirement and disposal. This includes deleting data if a computer is disposed of or passed from one user to another.

Implement and test backups

All your data should be backed up and stored securely offline or in the cloud to reduce the impact of ransomware attacks, and backups should be run automatically from a schedule.

“We still come across businesses where back-ups constitute a USB thumb-drive that gets a couple of files put on it and goes home at night and that’s really not good enough in the modern environment,” says Rob. “Also, test your back-up and recovery plans to make sure they work and take action if they don’t.”

Application control

Most malware is introduced through malicious email attachments, unintentional file downloads from websites, or downloads that people authorise without understanding the consequences. Application control can include “allowlisting” (formerly known as “whitelisting”), which governs which apps your employees can run on their PCs.

Enforce the principle of least privilege

Providing the minimum level of access that users need to perform their role makes Admin accounts less exposed to attack, helps protect against installation of unsafe software, limits access by segregating duties, and guards against accidental or deliberate actions that can cause security incidents.  

Implement network segregation

Larger businesses can make it harder for would-be attackers to move around their network by breaking it down into smaller segments and setting appropriate access controls.

Set secure defaults for macros

Attackers often use macros to hide malicious programs in software like Microsoft Office. You can help prevent this by using secure defaults and macros, forcing them to run only in sandboxed environments, or disable macro use if you don’t use them.

Cyber insurance

Cyber insurance will help protect your business in the aftermath of cybercrime, however, it’s critical to carefully read the wording, comply with your obligations and talk to your insurer or broker if you have any doubts.

For example, a clause that requires “written” cybercrime training materials for your employees with “regular” updates could mean your insurance is invalid if you instead provide video training or don’t meet your insurer’s definition of “regular”.

Sometimes policies no longer reflect current best practice, for example, requiring employees to change their passwords every six weeks. This is no longer considered best practice because many people just add numbers to their passwords (e.g. Britannyt1, Britanny2, Britanny3). “When a hacker sees that a password has a number on it – a one or two or three – they’ll just try the incrementals,” says Rob.

Working from home

Office environments generally offer more protection, like firewalls and additional network controls, but when people take their laptop home, they’re often on the same network as home computers, devices or smart TVs and appliances that contain security vulnerabilities or can’t be updated or patched, or apps that could allow hackers to get into your network. “So you need to make sure that computer is safe at home, the hotel, the airport – everywhere else that it’s working.”

One way to do this is to set up your work equipment on a separate network from your home devices and appliances.

Employers can also provide a level of protection by controlling how work computers are configured, but if employees use their own computers, you can create and enforce policies, for example, staff can’t log in until the computer has verified that it has working anti-virus, current patches and so forth.

• If you’d like assistance, or to become an ongoing client, please contact Rob at Rob.McEwan@bakertillysr.nz or Greg Taylor at Greg.Taylor@bakertillysr.nz. Their team services clients nationwide.