Why You Should Ensure Your IT Infrastructure Is Compliant

As you are all aware, in February of this year the Notifiable Data Breaches Scheme commenced in Australia. As an entity, you now have an obligation to report any data breach that is likely to result in serious harm to the individuals whose personal information is involved.

With the ongoing issues of data security and cybercrime, the European Union has just released its own data protection law: the General Data Protection Regulation, also referred to as GDPR. This regulation ensures there is one set of data protection rules for all companies operating in the EU, wherever they are based. The most important aspect of these new laws is ensuring your own company data is protected and secure. With new threats emerging every day, the risk of not securing your network is greater than ever, especially for companies. Verizon stated that 61 percent of breach victims in 2017 were businesses with under 1,000 employees.

With security and compliance an integral aspect of all companies, in recent months we have been contacting you by either email or phone to discuss your IT infrastructure. Please treat these calls and Security Audit notices with serious consideration. If you receive a ticket saying that our technicians are investigating excessive log-in attempts and are requesting a security audit, please approve it. With businesses falling victim to a ransomware attack every 14 seconds, there is no time to waste. We as your Managed Services Provider are doing our best to make sure your company is safe and secure against all threats; however, we need your cooperation to do so.

There’s no question that the situation with cybercrime is incredibly serious. It is not a matter of if you will get targeted, but when. Products and solutions that provided a foundation for a small business’s IT 2 years ago are often not adequate to offer full protection against current threats.

There is no single solution that will fully protect your business, and some businesses may not be able to implement all the recommendations to be fully compliant. Our aim is to provide the required information and recommendations necessary for the business owner to make an educated decision on security and business continuity.

Below are the top 10 minimum requirements for all businesses to consider for increased security:

  1. Enterprise-grade firewall with Advanced Threat Protection for on-premise data.
  2. Implementation of a VPN for remote access into the business.
  3. Ensure on-premise data is backed up to dual destinations, including one off-site.
  4. Implement Advanced Threat Protection on all incoming emails to protect against malicious links.
  5. Migrate emails to Office 365 where possible to reduce the risk of downtime.
  6. Ensure all server hardware is in warranty and all software assurance is maintained.
  7. Ensure Office 365 is backed up, including mail archiving.
  8. Understand the business continuity plan and time to recovery (virtualisation, live backups).
  9. Draft a Business Disaster Recovery Plan.
  10. Undertake regular network and security audits, including password changes.

We want to ensure your company IT infrastructure is as secure as possible. If you would like to discuss your security options further, please contact us sooner rather than later.

P: 1300 705 062

E: sales@abtechnologies.com.au


The Dangers of Phishing – Help Employees avoid the Cybercrime trap

To help you be more informed and proactively educate your employees on phishing attacks, we have curated this blog and e-book. In them you will learn the most common types of phishing attacks, how to spot them, and tips to protect your company and educate your employees.

What is Phishing?

Phishing is an email that impersonates a legitimate, trusted sender with the goal of collecting sensitive data such as financial details or login passwords. Phishing emails typically contain a malicious link or attachment that installs malware, or a link to a malicious website that lures users into providing information that can later be used for identity or data theft.

Phishing emails are sent to very large numbers of recipients, usually at random, with the expectation that only a small percentage will respond.

Why Phishing is Important

Phishing is an extremely common form of email attack. It is particularly dangerous because it relies on human behaviour. For example, a phishing email might claim that the user’s bank account is overdrawn and require the user to create a login account to access the fake bank website. Since people often use the same password for multiple accounts, the attacker can use the password supplied by the user to try to get into other real accounts owned by that user.

Phishing was the most commonly reported scam type to the ACCC (Australian Competition and Consumer Commission) in 2017, and reports to the ACCC indicated that reported losses from these scam types all increased, surpassing $4.6 million in 2017.

However, the true cost of these kinds of scams is often not felt right away, as the scammer’s primary aim is to obtain personal and banking information for future use.

Types of Phishing Scams

1. Deceptive Phishing

What it is: The most common type of phishing scam, deceptive phishing refers to any attack by which the attacker impersonates a legitimate company in an attempt to steal your personal information or login credentials. Those emails frequently use threats and a sense of urgency to scare users into doing the attackers’ bidding.

For Example: Scammers claiming to be from a Bank might send out an attack email instructing you that your account has been frozen unless you click on the link provided and enter your account information.

2. Spear Phishing

What it is: Spear phishing attacks are a personalised way for hackers to target you. Unlike phishing emails, which are sent en masse to reach any user, spear phishing emails target a single person. Criminals select an individual target within an organisation and customise an email that includes your name, position, company and work phone number, gathering this information through social media platforms and other public sources. Their goal is to make you think they have a connection with you, which will lure you into clicking on a malicious URL or opening an email attachment.

For Example: A spear phishing email may appear to come from your organisation’s HR department, asking you to verify your benefits policy information.

3. CEO Fraud

What it is: CEO Fraud is when the attacker has successfully spear phished a CEO or other top executive of the company, and they have managed to steal his or her login credentials.

For Example: The attacker then sends an email from the CEO’s account, or registers a new domain name that is off by one letter or number and mimics the CEO’s address, and requests that an employee perform a wire transfer of funds to a financial institution of the attacker’s choice.

These types of attacks rarely set off typical spam traps because they’re not mass emailed – the victims are carefully targeted by the attacker.

4. Pharming

What it is: While phishing attempts to capture personal information by getting users to visit a fake website, pharming redirects users to a fake version of a legitimate website you are trying to visit. This is done by infecting your computer with malware which causes you to be redirected to the fake site, even if you type the real address or click on your bookmarked link.

For Example: Office 365 Phishing

Emails can contain links that open a phishing page hosted on a compromised WordPress site. The scammers behind this attack have set up their phishing page to look like an Office 365 sign in portal.

The objective of the scam is to harvest victims’ login credentials when they sign into the fake portal.

How to spot a Phishing Attack


Tips to Protect your Business & Educate your Employees

  • Educate all employees and raise awareness of the dangers of Spear Phishing through training.


  • Keep your system and programs updated. Install (and use all the features of) a reliable security solution, including vulnerability scanning, patch management, and advanced malware detection.
  • Users need to be cautious and aware of all websites they are accessing, ensuring they are mindful of what files they are opening on corporate computers and devices.
  • Companies need to avoid listing employee names on their company website.
  • All employees need to be aware that Company data and information is an extremely valuable commodity on the cybercriminal market.
  • Users should inspect all URLs carefully to see if they redirect to an unknown website. They should also look out for generic salutations, grammar mistakes, and spelling errors scattered throughout the email.
  • Companies should consider amending their financial policies so that no one can authorise a financial transaction via email.

Take Action to Defend Your Business

Real-Time Spear Phishing and Cyber Fraud Defense — Barracuda Sentinel is the only solution in the market that can automatically prevent email account takeover. It utilizes AI to learn an organization’s communications history and prevent future spear phishing attacks. It combines three powerful layers: an artificial intelligence engine that stops spear phishing attacks in real time, including emails that originate from within the company; domain fraud visibility using DMARC authentication to guard against domain spoofing and brand hijacking; and fraud simulation training for high-risk individuals.

Head to our webpage to download your Sentinel Data Sheet.

Traditional Email Security Solutions are not Enough

Spear phishing emails are highly personalised. They also arrive in much smaller volumes than traditional spam or phishing, and typically they do not contain malicious attachments or links. Because of this, they are very difficult to detect using existing email security solutions that rely on volume, rules, or heuristic-based detections. Instead, spear phishers engage in real human conversation with the victim. The messages are very compelling social engineering attacks that ultimately give instructions within the body of an otherwise clean email, making them virtually undetectable with traditional solutions.

Phishing attacks can be enormously costly and destructive, and new scams are appearing every day. Don’t wait until it happens to your business; take action to protect your company from financial and reputational damage, now. Effective cybersecurity requires a multi-layered strategy.

Doing so will significantly reduce the risk of malicious email entering your network. Please contact one of our team members today about your company’s cybersecurity needs.

p: 1300 705 062

e: sales@abtechnologies.com.au

Alliance Business Technologies is Proud to Announce…

ABTechnologies is proud to announce that in May this year we have been awarded two ‘Top Performing Partners for 2018’ awards.

These were ‘Cloud Market Place Partner of the Year’ for Australia at the 2018 Cloud Summit in Florida, USA, and ‘Growth Partner of the Year’ as well as ‘Technical Excellence’ at the Barracuda Networks Awards.

Our Operations Manager, Troy Radloff, flew to the United States to accept the award on behalf of ABTechnologies. The annual awards spotlight Ingram Micro channel partners worldwide who have exhibited a high level of innovation, advocacy, performance and sales success with Ingram Micro and the Ingram Micro Cloud Marketplace. Ingram Micro Cloud identified channel partners who have demonstrated an unparalleled commitment to reinventing the customer experience in the connected economy and driving new cloud capabilities through the Cloud Marketplace. These partners have all demonstrated the ability to help end users transform digitally using cloud technologies. Other criteria used to determine this elite group included overall cloud business growth, peer-to-peer leadership, and level of engagement and alignment with Ingram Micro.

Three of our team members attended the Barracuda Networks ‘Big Fish’ Event along with several other Barracuda partners. This is the first year we have attended the event, and we were honoured to receive three awards. One which we are particularly proud of is our award for Technical Excellence; this award is based on the number of technical certifications achieved during the year. We would not have been able to achieve any of these awards without the dedication of our team, and would like to take this opportunity to thank them.

We look forward to achieving more goals as the year goes on.


Privacy Awareness Week 2018

We are proud to be a supporter of this year’s Privacy Awareness Week (PAW).

This PAW is all about promoting privacy as part of everyday business. Running from 13 to 19 May, the theme ‘Privacy: from principles to practice’ focuses on the need for organisations to develop and reassess systems, processes, culture, and practice to make sure the protection of customers’ personal information comes first.

Your privacy and personal information is valuable to us, which is why we are a PAW 2018 supporter. To help you understand how we handle personal information, read our privacy policy here: http://www.abtechnologies.com.au/privacy-policy/

You can get involved in PAW by discussing privacy and taking steps to handle your personal information with care. Here are a few quick tips you can use today:

1. Read the privacy policy of any new app or website where you enter personal information.
2. Use passwords of more than eight characters that combine letters and numbers and aren’t easy to guess.
3. Check the privacy settings on your social media profiles and change them to your preferences.
4. Respect other people’s privacy – ask for permission to post images or videos where they are identifiable.
5. Check for the padlock symbol and “https” at the start of a URL – this indicates that the connection to the website is encrypted.

Disaster Recovery: Why Define your RPO and RTO

While it is nearly impossible to predict what the next disaster will be, it is easy to prepare for, especially if you have an effective business continuity plan.

The first step towards having a secure and available business environment is determining your Recovery Point Objective (RPO) and Recovery Time Objective (RTO). RPO and RTO are both essential elements of business continuity; however, they have some critical differences.

Recovery Time Objective (RTO)

Your RTO is the target time you set for recovery and restoration of your IT and business activities after a disaster. Typically, this is defined by how much downtime you can afford before your business suffers. It can include:

  • Time to discover and fix the problem
  • Time to recover data from backups
  • Time to restore your data and systems

The goal of your RTO is to calculate how quickly you can recover when disaster strikes. Establishing your RTO ensures that the disaster recovery strategy you have in place will meet these needs during a disaster.

The shorter your RTO is, the larger your disaster recovery investment is likely to be.

Important factors in determining RTO include: the amount of downtime your business can absorb, how much revenue is lost while you rebuild your IT environment, and what you’ll need to recover to get your business back up and running.

Recovery Point Objective (RPO)

RPO is focused on data and your company’s loss tolerance in relation to this data. RPO is determined by looking at the time between data backups and the amount of data that could be lost in between backups.

Imagine you’re writing a lengthy essay on a computer that you know will crash, but at an unexpected point in time. How often would you feel the need to save your work? The length of time between saves determines how much work you will lose, and how much time it will take to recover that lost work. This time becomes your RPO, and is the indicator of how often you need to back up your data.

The same applies for a disaster affecting your IT systems. Therefore your RPO is the shortest time you should let pass between backups. If you find that your business can survive three to four days in between backups, then the RPO would be three days.

Important factors for RPO include: how often important data changes at your organisation, how often backups will be run, and how much space you have available to store the backups.

What is the main difference between RTO and RPO?

The main difference between these two metrics is their purpose. RTO is generally large scale, looking at your entire business, whereas RPO is focused on your company’s data and your overall resilience to the loss of it.

When a disaster strikes your company, every second is valuable. Contact us today to discuss how our business continuity systems and solutions can help your business.

For more information about determining your RPO and RTO per application and data set, contact us today at 1300 705 062.

How to recognize phishing email messages, links, or phone calls

Phishing email messages, websites, and phone calls are designed to steal money. Cybercriminals can do this by installing malicious software on your computer or stealing personal information off of your computer.

Cybercriminals also use social engineering to convince you to install malicious software or hand over your personal information under false pretenses. They might email you, call you on the phone, or convince you to download something off of a website.

What does a phishing email message look like?

Here is an example of what a phishing scam in an email message might look like.

  • Spelling and bad grammar. Cybercriminals are not known for their grammar and spelling. Professional companies or organizations usually have a staff of copy editors that will not allow a mass email like this to go out to its users. If you notice mistakes in an email, it might be a scam. For more information, see Email and web scams: How to help protect yourself.
  • Beware of links in email. If you see a link in a suspicious email message, don’t click on it. Rest your mouse (but don’t click) on the link to see if the address matches the link that was typed in the message. In the example below the link reveals the real web address, as shown in the box with the yellow background. The string of cryptic numbers looks nothing like the company’s web address.

Links might also lead you to .exe files. These kinds of files are known to spread malicious software.

  • Threats. Have you ever received a threat that your account would be closed if you didn’t respond to an email message? The email message shown above is an example of the same trick. Cybercriminals often use threats that your security has been compromised. For more information, see Watch out for fake alerts.
  • Spoofing popular websites or companies. Scam artists use graphics in email that appear to be connected to legitimate websites but actually take you to phony scam sites or legitimate-looking pop-up windows. For more information, see Avoid scams that use the Microsoft name fraudulently.

Cybercriminals also use web addresses that resemble the names of well-known companies but are slightly altered.
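The hover-and-inspect checks described above can also be automated. The following is an added example, not code from the original article or from Microsoft: it scans the anchors in a constructed HTML email for visible link text that points somewhere else, destinations that are bare IP addresses ("cryptic numbers"), links to .exe files, and hosts one character away from a constructed list of trusted domains.

```python
"""Flag suspicious links in an HTML email body (added educational example).

TRUSTED_DOMAINS and SAMPLE_EMAIL are constructed for illustration only.
"""
from html.parser import HTMLParser
from ipaddress import ip_address
from urllib.parse import urlparse
import re

# Constructed allow-list: domains the organisation legitimately deals with.
TRUSTED_DOMAINS = ["microsoft.com", "office.com", "abtechnologies.com.au"]

# Visible anchor text that itself looks like a URL or domain name.
URL_LIKE = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)


class _AnchorExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _parse(url):
    """urlparse with a default scheme so bare 'www.example.com/x' works."""
    return urlparse(url if "://" in url else "http://" + url)


def _host(url):
    return (_parse(url).hostname or "").lower()


def _is_ip(host):
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def _same_site(a, b):
    """True if one host equals or is a subdomain of the other."""
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def _edit_distance_le_1(a, b):
    """True if a and b differ by at most one substitution, insertion or deletion."""
    if abs(len(a) - len(b)) > 1:
        return False
    i = j = 0
    used = False                      # has the single allowed edit been spent?
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i, j = i + 1, j + 1
            continue
        if used:
            return False
        used = True
        if len(a) == len(b):          # substitution (e.g. 'o' -> '0')
            i, j = i + 1, j + 1
        elif len(a) > len(b):         # extra character in a
            i += 1
        else:                         # extra character in b
            j += 1
    return True


def check_links(html):
    """Return a list of (href, reason) findings for suspicious anchors."""
    parser = _AnchorExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = _host(href)
        if URL_LIKE.match(text) and not _same_site(_host(text), host):
            findings.append((href, "text shows %s but link goes to %s" % (_host(text), host)))
        if _is_ip(host):
            findings.append((href, "destination is a bare IP address"))
        if _parse(href).path.lower().endswith(".exe"):
            findings.append((href, "link downloads an executable"))
        for trusted in TRUSTED_DOMAINS:
            # Compare only the trailing labels so real subdomains are not flagged.
            tail = ".".join(host.split(".")[-(trusted.count(".") + 1):])
            if tail != trusted and _edit_distance_le_1(tail, trusted):
                findings.append((href, "host looks like trusted domain %s" % trusted))
    return findings


SAMPLE_EMAIL = """<html><body>
<p>Dear Customer, your account has been frozen.</p>
<p>Verify now: <a href="http://198.51.100.23/verify">www.microsoft.com/account</a></p>
<p>Or sign in at <a href="https://login.micros0ft.com/">our secure portal</a></p>
<p><a href="https://www.microsoft.com/help">Help centre</a></p>
<p>Download the fix: <a href="http://updates.example.net/fix.exe">security update</a></p>
</body></html>"""

if __name__ == "__main__":
    for href, reason in check_links(SAMPLE_EMAIL):
        print("%-45s %s" % (href, reason))
```

Running the script reports four findings for the constructed email: a text/destination mismatch and a bare-IP destination for the first link, a look-alike of microsoft.com for the second, and an .exe download for the last; the genuine www.microsoft.com link is not flagged.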

Beware of phishing phone calls

Cybercriminals might call you on the phone and offer to help solve your computer problems or sell you a software license. Neither Microsoft nor our partners make unsolicited phone calls (also known as cold calls) to charge you for computer security or software fixes.

Once they’ve gained your trust, cybercriminals might ask for your user name and password, or ask you to go to a website to install software that will let them access your computer to fix it. Once you do this, your computer and your personal information are vulnerable.

Treat all unsolicited phone calls with scepticism. Do not provide any personal information.

Schedule a meeting with ABTechnologies to discuss developing a strategy that provides real business IT security.

Source: Microsoft


Notifiable Data Breaches Scheme

A consolidated guide about the Data breach preparation and response —

The OAIC has released a guide titled Data breach preparation and response — A guide to managing data breaches in accordance with the Privacy Act 1988 (Cth) (Privacy Act). Find this guide here.

This guide consolidates the information provided in the Data breach notification — A guide to handling personal information security breaches released in 2014, the Guide to developing a data breach response plan released in 2016, and the resources published to assist entities in complying with the Notifiable Data Breaches (NDB) scheme.

In addition to outlining the key requirements relating to data breaches in the Privacy Act, including personal information security requirements and the obligations of the Notifiable Data Breaches scheme, the guide covers other key considerations in developing a robust data breach response strategy. This includes key steps to take when a breach occurs, the capabilities of staff, and governance processes.

Privacy Impact Assessment eLearning Course —

We have listed below new resources, including an online course which takes approximately 1 hour and a list of FAQs, to be referred to in conjunction with all previous content.

This eLearning program complements the OAIC’s Guide to undertaking privacy impact assessments, and aims to give you information on conducting a PIA in an easy-to-understand format so that you can have the confidence to do a PIA in your organisation or agency.

What is the Notifiable Data Breaches Scheme?

The passage of the Privacy Amendment (Notifiable Data Breaches) Act 2017 established the Notifiable Data Breaches (NDB) scheme in Australia. The NDB scheme applies to all agencies and organisations with existing personal information security obligations under the Australian Privacy Act 1988 (Privacy Act) from 22 February 2018.

The NDB scheme introduced an obligation to notify individuals whose personal information is involved in a data breach that is likely to result in serious harm. This notification must include recommendations about the steps individuals should take in response to the breach. The Australian Information Commissioner (Commissioner) must also be notified of eligible data breaches.

Agencies and organisations must be prepared to conduct a quick assessment of a suspected data breach to determine whether it is likely to result in serious harm, and as a result, require notification.

When does the notification obligation arise?

The amended Privacy Act will require APP Entities to provide notice as soon as practicable to the OAIC and affected individuals where there are reasonable grounds to believe that an “eligible data breach” has occurred (unless an exception applies). Relevantly:

  • a data breach will arise where there has been unauthorised access to, or unauthorised disclosure of, personal information about one or more individuals, or where such information is lost in circumstances that are likely to give rise to unauthorised access or unauthorised disclosure (for example, leaving the information on the bus);
  • an eligible data breach will arise where a reasonable person would conclude that there is a likely risk of serious harm to any of the affected individuals as a result of the unauthorised access or unauthorised disclosure;
  • serious harm, while undefined, is likely to include serious physical, psychological, emotional, economic and financial harm, as well as serious harm to reputation; and
  • serious harm will be likely if such harm is “more probable than not” having regard to a list of relevant matters to be included in Part IIIC. The matters include the sensitivity of the information, any security measures taken (such as encryption) and how easily those security measures could be overcome (for example, if the encryption key has also been accessed).

How to Notify:

This notification obligation will involve at least a two-step process. First, the APP Entity must prepare a statement containing certain prescribed information about the data breach and provide it to the OAIC (ABTechnologies will prepare this on your behalf). The APP Entity (Your Company) must then take steps to notify the affected individuals (staff, customers, etc.). The actual steps required will depend on the circumstances, but will usually include sending the statement to the individual via the usual means of communication between the APP Entity and individual.

The notification to affected individuals and the OAIC must include the following information:

  • the identity and contact details of the organisation;
  • a description of the data breach;
  • the kinds of information concerned; and
  • recommendations about the steps individuals should take in response to the data breach.

If an APP Entity only has reasonable grounds to suspect that an eligible data breach has occurred, the notification obligation will not arise. However, the APP Entity will be required by the new legislation to complete a “reasonable and expeditious” assessment of the relevant circumstances within 30 days. Importantly, shutting one’s eyes will not allow APP Entities to avoid the requirements of the Privacy Act.
For the full guide on notifying individuals about an eligible data breach, see: Who to notify and how to notify them in the instance of a data breach.

Exceptions to the data breach notification requirement

Various exemptions to the notification requirement will be included in the amended legislation.
Perhaps the most interesting exception is that a notification will not need to be given if the APP Entity takes remedial action before any serious harm is caused by the breach.
This exemption demonstrates the value of early detection and action. Importantly, the ability of a company to detect a data breach at the first available opportunity and take action in respect of it will be a function of the organisation’s preparedness for such an occurrence.
In order to be properly prepared, it is likely that a prudent organisation will have in place detailed policies and procedures which outline the steps that are to be taken in response to a serious data breach, regardless of whether that breach has occurred as a result of inadvertence on the part of the organisation and its employees (eg. as a result of personal information being lost) or following a co-ordinated attack by hackers.

Penalties:

A failure to comply with the notification obligations will fall under the Privacy Act’s existing enforcement and civil penalty framework. Accordingly, APP Entities may be subject to anything from investigations to, in the case of serious or repeated non-compliance, substantial civil penalties.

What should you do?

  • Sign up to the OAIC newsletter. This will ensure you are updated with the most recent information and resources.
  • Audit your current information security processes and procedures to ensure they are adequate (prevention will soon be much more palatable than the cure); and
  • Prepare a data breach response plan (or update your current plan) to enable the APP Entity to respond quickly, efficiently and lawfully to an actual or suspected data breach.

The OAIC currently operates a voluntary data breach notification scheme and has published various resources to assist APP Entities with their handling of data breaches. Much of that guidance will assist APP Entities in ensuring that they comply with the mandatory data breach notification scheme and it is expected that the OAIC will release new or updated guidance over the coming months.

However, further steps are likely to be necessary in order to ensure that your organisation understands the impact of the scheme and to make the necessary preparations for its introduction.

As the Australian Government releases more information, we will be sure to keep you updated. Please follow our social media pages & contact us if you have any further queries.