The growing recognition that cyber-attacks and data breaches are on the rise puts the onus on all businesses and organisations, in both the public and private sector, to protect their data and their systems from malicious intrusion. Whilst the facts of the recent ABS census debacle are still hazy, you don’t have to be as prominent as the ABS to be of interest to tech-criminals.
It can and will happen to you
“Why would anyone want to hack our systems?” It is a fair and reasonable question. Your organisation might have data on a lot of clients or maybe not much at all. You may not even have a lot of Intellectual Property of significance but whatever you do have is important to you.
It is only a matter of time before you receive an email containing highly sophisticated software that enables hackers to infiltrate your computer. Imagine you are waiting for a parcel delivered by Aus Post and up pops an email that looks like the one you are expecting. It usually happens when you are off-guard. By the time you have clicked through to find out it is a fake, the damage has already been done.
Why they want your computer
Two attack scenarios are common:
Ransomware – You get locked out of your computer and a message says that for just $500 “they” will release it for you. As a note, NEVER give your payment details to these criminals. Would you trust them? By then it is too late; you must rebuild your computer from scratch.
Use by hackers – To avoid being tracked, hackers like to use other people’s computers to do their dirty work for them. They try to install software, of which you are completely unaware, that connects your computer to others via the internet and does who knows what.
So regardless of what your computer does, it is only a matter of time before it is a target.
Guidelines for your organisation
The Commonwealth Government recently released its Protective Security Policy Framework (PSPF). It provides policy, guidance and best practice to foster a positive culture of security across corporate and non-corporate Commonwealth entities. It also serves as a blueprint to guide state governments in developing their own security policies (for Victoria, refer to the VPDSF below). Broadly, the framework contains 36 mandatory requirements across the following:
Where to start with Information Security
Certainly there is crossover between the above domains, and the requirements are very broad. However, it is clear that the following steps, derived from the PSPF mandatory requirements or the Victorian Protective Data Security Standards (for Victorian agencies), will set any organisation on the right path.
1. Define a clear direction
Start by defining a clear direction on Information Security through the development and implementation of an Information Security (IS) policy.
Some relevant starting questions that will help to shape your policy are:
Where is information stored?
How many storage systems are there?
Is information stored in the same manner and location both for internally and externally generated information?
Who has access to the information?
What controls are in place to prevent unauthorised access?
2. Keep it relevant to you
Organisations come in all shapes and sizes. With untold amounts of information flowing into and out of your organisation, it is important to understand the following:
What information your organisation is permitted to retain.
The difference between personal and confidential information.
What legislation, if any, relates to your information.
3. Document and implement procedures
To ensure that information, systems and network tasks are managed securely and consistently, make sure the procedures for them are documented, clear and known! In many cases, this will include a breach notification and management plan.
4. Seek external advice and opinions
By going through these steps you will naturally assess your current processes and their suitability. You may find that while your IT people are keen to be involved, this may not be their area of expertise. These issues are complicated and they are often outside the natural knowledge of people within the organisation. It may be that you require an independent opinion or guidance on what could be an extensive review.
We would value the opportunity to assist as you develop your information management security framework.