
Cyber Security FAQ

Cyber Security FAQ – For the boardroom

Your company's staff develop competitive products and services. Much of this is based on skills that they spent years developing, and on projects and products that may have taken tens of thousands of hours of work to create. All of this is what you sell when you sell your products and services.

Yet companies are making increasing use of the internet to perform normal business activity, and the development of the Internet of Things and the increased use of e-commerce, cloud computing services, Big Data, data retention and M2M (machine-to-machine) communication strongly suggest that this will only increase in the future. With these data-driven technologies embedded within the company’s everyday operations, the associated data that is produced, collected and stored, especially commercially sensitive information, becomes the new corporate asset and requires an appropriate level of protection.

Over 85% of the security breaches reported to the Australian Signals Directorate would have been foiled by applying basic cybersecurity. For the company boardroom, cybersecurity becomes a broader risk management issue, rather than just an IT department problem. This document answers the main background questions you might have about cybersecurity and will help you to understand the fundamental principles that you should implement to keep your company’s valuable data safe.

What is cybersecurity?

Cybersecurity is a set of practices aimed at making your computer systems resistant to intrusion from unwanted outsiders, and to the unauthorised release of materials from within your company. There are a myriad of technical details which specialists can use to secure your systems. The important thing for a board member is to understand the basic principles of cybersecurity, to know roughly how vulnerable their company is to attack, to know what their company is doing to prevent an attack, and to know what their company should do in the event of a breach being discovered.

How likely is it that security breaches will happen if we do nothing?

In a 2015 survey by the Australian Government’s Cyber Security Centre, over 50% of responding companies reported that they had detected an attempt at a cybersecurity breach during the last year, often more than one. The larger and more successful your company is, the more likely it is that one or more of your competitors will want to take advantage of any vulnerability and look at what’s on your company’s computers.

What are the most common vulnerabilities that businesses have?

A backdoor in a security system is any secret method of bypassing normal authentication or security controls. Some are created deliberately (to allow technicians to fix user problems), others are created accidentally. Balancing the ability to reset passwords against securing the data protected by the password is an example of the trade-off that backdoors create.

Denial of service attacks are designed to make a machine or network resource unavailable to its intended users. Attackers can deny service to individual victims by deliberately entering incorrect passwords, thereby causing the victim’s account to be locked, or they may overload the capabilities of a machine or network and block all users at once.

Eavesdropping is the act of surreptitiously listening to a private conversation, typically between hosts on a network. If your network communication uses weak or defective encryption, then it is possible, even likely, that others may intercept your communications without you knowing anything about it. You should use at least 128-bit AES encryption if you want your data to remain secure long-term.

Tampering describes a malicious modification of products. So-called “Evil Maid” attacks and the planting of surveillance capability into routers are examples. IT products should be purchased from trusted vendors, delivered using trusted transport, and have tamper-resistant packaging you can verify.

Phishing, or social engineering, is a significant vulnerability. When it becomes too difficult to gain access to a system using the normal illicit methods, hackers will then attack the most common weak point: the people who run the machines. If they can con staff into releasing passwords, changing network settings or other administrative details, then they can bypass otherwise excellent security by exploiting human ignorance. Having IT staff who are well known to the rest of your team is one effective way to prevent strangers from claiming to need access to your system and being allowed to get that access.

What steps can a board take to significantly reduce the company’s vulnerability to hackers right now?

Implementing all four of these steps properly will reduce your vulnerability by 85% according to the Australian Government:
  1. Application whitelisting, when implemented correctly, makes it harder for an adversary to compromise an organisation’s ICT system. Application whitelisting is a technical measure that prevents any program or software library not on the whitelist from being run. Care must be taken when writing whitelists to ensure that all necessary programs are included; a system so secure it prevents work getting done is worthless.
  2. Speedy application patching. A patch is a series of fixes to an existing program. Almost every patch to software includes closing a number of security flaws (e.g. backdoors) that were found in the previous version. As there is a great deal of money to be made in hacking, it is common for specific software to be written to exploit a known flaw in a well-known program within 48 hours of the flaw becoming public. You should patch (or otherwise mitigate) every specific flaw known within this period.
  3. Speedy operating system patching. Programs sometimes have hundreds of thousands of users. Major operating systems like Windows, OSX, Unix, iOS and Android have millions. Even though the number of malicious people operating within these communities is small, the enormous size of the user base means that it’s worth the effort for hackers to keep trying to find holes in the security of operating systems. As with patching your programs, you should apply patches within 48 hours of them becoming available.
  4. Restricting administrative privileges to the lowest level needed for staff to undertake their work is the final basic step to take. Administrative privileges allow a user to control their computer in ways that are essential to hackers, but which are usually not needed by ordinary users. Restricting full administrative access to those staff who have an in-depth understanding of your network, your security and your policies will help you to keep your data secure. As with an application whitelist, administration level access should be restricted to the lowest level necessary for staff to do their jobs, and no lower.
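
A sketch of the whitelisting check described in step 1, added here as an illustration and not taken from the original page or from any Australian Government tool. It assumes a whitelist keyed by the SHA-256 hash of file contents; the class, file names and sample data are hypothetical and constructed. Running in audit mode first shows which necessary programs are missing from the list before anything is blocked, including an approved library whose hash changed when it was patched.

```python
import hashlib


def digest(content):
    """SHA-256 of a program's or library's bytes, as a hex string."""
    return hashlib.sha256(content).hexdigest()


class Whitelist:
    """Hypothetical hash-based whitelist: unlisted content may not run."""

    def __init__(self, approved, enforce):
        # Store hashes, not names: a renamed or modified file will not match.
        self.approved = {digest(blob): name for name, blob in approved.items()}
        self.enforce = enforce
        self.misses = []  # paths that are not on the list, kept for review

    def may_run(self, path, content):
        if digest(content) in self.approved:
            return True
        self.misses.append(path)
        # Audit mode records the miss and lets work continue;
        # enforce mode refuses to run anything that is not listed.
        return not self.enforce


# Constructed sample data (not real software or real paths).
APPROVED = {
    "ledger.exe": b"ledger build 1.0",
    "report.dll": b"report library 2.3",
}
REQUESTS = [
    ("C:/apps/ledger.exe", b"ledger build 1.0"),         # approved as-is
    ("C:/apps/report.dll", b"report library 2.4"),       # patched: hash changed
    ("C:/Users/sam/Downloads/tool.exe", b"unknown"),     # never approved
]


def run(enforce):
    """Replay the sample requests; return (decisions, unlisted paths)."""
    wl = Whitelist(APPROVED, enforce)
    decisions = [wl.may_run(path, content) for path, content in REQUESTS]
    return decisions, wl.misses


if __name__ == "__main__":
    for enforce in (False, True):
        decisions, misses = run(enforce)
        mode = "enforce" if enforce else "audit"
        print(mode, decisions, "review:", misses)
```

The patched `report.dll` would be blocked under enforcement until its new hash is approved, so whitelist updates need to be part of the same 48-hour patching process.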

What other threats are out there?

For every new technology there exist flaws in security, and someone who will seek to take advantage of those flaws. If you use the internet, then you can’t have perfect security. But you can use the advice in this document to minimise the chance that you or your company will be targeted. Just as locking your doors and windows and not leaving spare keys outside helps to secure your house from most would-be burglars, the steps in this document will help your company to take the essential steps to cyber security.

For additional information on cyber security mitigation measures, see the Australian Government's online safety and security website.
