Cyber-Security: A Pragmatic Approach?
We’re almost bombarded daily with cyber-security related news items.
At one end of the spectrum, we have learned that almost all of our computers have latent and fundamental security flaws. Whilst it remains to be seen whether these have been exploited in the wild, what makes Meltdown and Spectre particularly sneaky is that they take advantage of speculative execution, a performance optimisation built into the very architecture of our processors. Stuff that has been there for many years.
At the other end, we’ve heard about sensitive Australian Federal Government documents coming into the hands of journalists as the result of being left in filing cabinets that were sold second-hand. Quite literally an extraordinary “cabinet leak”.
In between, we’ve found that data from personal fitness trackers can be used to determine the layout of secret military installations—data of every step you take and every breath you take being used to publicly expose otherwise guarded geography.
But what does this mean to us in our everyday business?
It seems there is much in the way of provocative news when it comes to cyber-security, and it really does lead to anxiety about how best to safeguard information.
We could worry day and night.
We could choose to work in a secured building—protected through layers of solid doors like in the opening title sequence to Get Smart—on a computer with no Internet, no network connection, and no ability to bring data in (such as via USB drive or CD/DVD). But that just doesn’t seem realistic.
Can I suggest a pragmatic approach?
Let’s be proactive about what we can realistically influence. For everything else, let’s be mindful and reactive when needed.
To be more specific:
- Acknowledge that security flaws in Windows, Linux, macOS, iOS and the other operating systems we rely on will be revealed from time to time. Understand that these are normally addressed by their vendors through software updates, sometimes alongside firmware or microcode updates from the hardware maker, as was the case for Meltdown and Spectre. Your job is therefore to ensure that your environment is regularly patched. Don't worry about Meltdown and Spectre per se; rather ensure that you, or your IT provider, adopt a systematic and routine approach to patching servers, desktops, tablets and smartphones, and keep a record of when each device was last patched so that stragglers are noticed.
- Acknowledge that the physical security of your business environment may pose a greater risk than the virtual one. Understand the importance of short screen-lock timeouts on unattended workstations, that visitors should be asked their purpose and not left unescorted, and that your server room (if you have one) is locked. Your job is to physically protect your data and to dispose of it properly when you are done with it, whether that means securely wiping or destroying old drives or emptying filing cabinets before they leave the building, so that you avoid your own "cabinet leak".
- Acknowledge that a pretty good picture of your daily life can be pieced together from your use of social platforms. Understand that you might be inadvertently exposing company information in Facebook floundering, Instagram imagery, and wearable workouts. Your job is to recognise and determine what information you want to share about yourself and your business—the two are probably more tightly coupled than you realise.
- Acknowledge that, as humans, we make mistakes and forget more readily than we realise. Understand the importance of periodically reviewing your technology environment for security weaknesses. Understand that an ongoing cyber-security training programme can be a critical barrier protecting your business. Your job is therefore to be proactive in managing the human element that interfaces with company data, since that is often where the greatest security risk lies.
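To make the "systematic and routine approach to patching" in the first point concrete, here is a small patch-currency audit. It is an added example and not code from the original article or from Loftus; the per-device-class patch windows and the device inventory are constructed for illustration (in practice the inventory would come from your management tooling or the spreadsheet your IT provider keeps). A device with no patch record is deliberately treated as overdue rather than ignored, because "we forgot to record it" and "we forgot to patch it" look identical from the outside.

```python
from datetime import date

# Hypothetical policy: maximum days a device may go without a patch run,
# by device class. Adjust these to your own risk appetite.
PATCH_WINDOW_DAYS = {
    "server": 30,
    "desktop": 14,
    "tablet": 14,
    "smartphone": 14,
}

# Constructed sample inventory (not real hosts). last_patched is an ISO
# date string, or None when nobody has recorded a patch run for the device.
INVENTORY = [
    {"host": "fs01", "class": "server", "os": "Windows Server", "last_patched": "2018-01-20"},
    {"host": "web01", "class": "server", "os": "Ubuntu", "last_patched": "2017-11-02"},
    {"host": "pc-reception", "class": "desktop", "os": "Windows 10", "last_patched": "2018-02-01"},
    {"host": "ipad-boardroom", "class": "tablet", "os": "iOS", "last_patched": None},
    {"host": "ceo-phone", "class": "smartphone", "os": "Android", "last_patched": "2018-01-30"},
]


def days_since(last_patched_iso, today_iso):
    """Days between the recorded patch date and today; None if there is no record."""
    if last_patched_iso is None:
        return None
    return (date.fromisoformat(today_iso) - date.fromisoformat(last_patched_iso)).days


def audit(inventory, today_iso, windows=PATCH_WINDOW_DAYS):
    """Return a list of (host, reason) for every device that needs attention.

    A device is flagged when it has no patch record, when its class has no
    window defined (so it would otherwise be silently skipped), or when it
    was last patched longer ago than its class allows.
    """
    findings = []
    for item in inventory:
        window = windows.get(item["class"])
        if window is None:
            findings.append((item["host"], f"no patch window defined for class {item['class']!r}"))
            continue
        age = days_since(item["last_patched"], today_iso)
        if age is None:
            findings.append((item["host"], "no patch record; treat as overdue"))
        elif age > window:
            findings.append((item["host"], f"last patched {age} days ago; window is {window} days"))
    return findings


if __name__ == "__main__":
    # Run the audit as at a fixed date so the output is reproducible.
    for host, reason in audit(INVENTORY, "2018-02-10"):
        print(f"{host}: {reason}")
```

Run on the sample inventory as at 10 February 2018 this reports web01 (100 days since its last patch against a 30-day window) and the boardroom iPad (no record at all); the remaining devices are inside their windows. Scheduling this, or its equivalent in whatever tool you already own, to run weekly is what turns "patch regularly" from an intention into a routine.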
In summary, be proactive about what you can realistically influence—be mindful and reactive when needed about the rest.
It’s also worth being mindful that from 22 February 2018, Australian businesses covered by the Privacy Act that experience an eligible data breach, that is, one likely to result in serious harm to the individuals concerned, are required to notify the Office of the Australian Information Commissioner (OAIC) and the affected individuals. Under the Privacy Amendment (Notifiable Data Breaches) Act 2017, if the annual turnover of your business is $3M or more then you are required to comply. If you operate in healthcare, childcare, or credit industries you may need to comply regardless of turnover.
You might like to consult Is Cyber-Security Everyone’s Responsibility?, CryptoLocker Virus, 7 Steps to Avoid Computer Virus Infections, and 6 Questions to Ask of Your Data Backups for more tips.
Three ways you can apply this information now
- Share this article – who else might find this of interest?
- Start a chat at work – how is your business being vigilant?
- Leave a comment below – do you think cyber-security is everyone’s responsibility?
The above advice is intended to be generalist in nature. Every business is different. Therefore, it’s important to consider your specific situation.
Please feel free to phone 1300 LOFTUS (1300 563 887) to discover how the Loftus team can help protect your business through making computing human.
Comment (7 years ago): What a timely post, I was just talking about this with my colleague!