Sometimes life gives you happy coincidences, and sometimes less happy ones.
These past few weeks have seen a spate of data breaches and “hacks” (think the Optus or G4S data breaches) where a large proportion of our population has suddenly had a personal encounter with “threat actors” intruding on an online life that otherwise consisted of Instagram or TikTok.
October is Cyber Security Awareness Month. Could we have asked for a “better” set of circumstances to raise awareness than millions of Australians suddenly asking “I was HACKED?!?!”
The sudden rush of leaked and stolen personally identifiable information (PII) has very much brought the concepts of privacy and cyber security into the public conversation. The fact that this data could conceivably be used to take out financial loans or create online accounts (for example, on a sports betting website) is causing worry and concern, and even a potential safety risk for specific vulnerable groups of people.
The mainstream news narrative has mostly exaggerated the risks. No, nobody is getting into your bank account automatically, and it is nigh on impossible for someone to re-mortgage your house. BUT this data being available means that various identity fraud operations have had their jobs made much easier.
We saw this when opportunistic secondary attackers used the leaked Optus data sets to “phish” and target people into installing malware on their PCs or phones.
Optus has responded by engaging credit and privacy monitoring services from Equifax, which will monitor your credit record and alert you if big or small ticket items suddenly appear on it. This, while nice, is very much like trying to coax the panicked horse back into a stable with a leaking roof while the lock on the gate is likely still not fixed.
The Australian government actually has fairly decent privacy laws and clear expectations on the correct handling of customers' PII, and we expect Optus to cop a rather hefty fine with a wincing number of zeroes attached.
Concurrently, the Australian Cyber Security Centre (ACSC) has been doing laudable work in providing simple security steps that are applicable, and relatively easy to implement, for everyone from small businesses all the way up to the bigger Australian corporates. Their Essential Eight, and the Essential Eight Maturity Model, are a great roadmap for getting from “less secure” to “more secure”.
Here at OpusV we get the special joy of working with security compliance across a range of industries, and more so of late addressing the incoming requirements of the Australian Energy Sector Cyber Security Framework (AESCSF), which provides an even more focused and disciplined approach to security implementation for critical infrastructure. We have been working on implementing more mature security architecture in grid-connected power generation for over 5 years now, and given the general state of the power industry's awareness of cyber security, I expect we will be working on this for years to come.
But for yourself? Some simple things to make sure you are not the weak point in your company’s security environment:
- Use a password manager – One is built into most web browsers, or can be added as a simple add-in. Then use it correctly: DO NOT use the same password on more than one website.
- Report odd emails or communications – I have had my own staff approached by someone impersonating “me” on WhatsApp, asking them to reset access to my accounts. Thankfully we have standard procedures around credential resets which involve picking up the phone and receiving verbal confirmation that the request is valid.
- For management – Give your staff time and resources. Security for the frontline people is a matter of eyeballs and time. Your staff will need the ability to look, centralise a whole lot of data, and then look through it some more. Practically, your IT department may need more manpower, or time carved out of other duties, so that the security aspects get the love and attention they desperately need.
Stay safe out there; it isn’t going to get any easier on its own!