With two recent news articles about criminals impacting Australian businesses via email scams, I thought it important to write this blog post to help business owners uplift their security posture and prevent this happening to their organisation:
Expect these types of scams to only increase, so if you haven't already started preparing, you are running the risk that your business will be next on the growing list of phishing scam victims.
Big vs Small Business
Whether you are a big or a small business, there are principles that can be set, and the only difference is in the manner they are implemented.
This post is aimed at helping small business but I've added a couple of recommendations for large enterprise too.
See how many of the below you have already implemented. Please note that the list is not exhaustive, but it is free and will get you started.
Awareness / Training...Patching People
Are you making sure that your personnel, specifically your finance and accounts staff, are aware of these types of attacks and how these scams operate?
Small Business: Sending your staff to a blog like this is a great step in the right direction, and it is free! So, as a start, make sure they do not click on links or open attachments in untrusted emails, and have them read material from trusted sources like ScamWatch.
Big Business: You should have a recurring cyber awareness training program and regularly test employees with simulated phishing emails to verify the results.
Software Updates...Patching Machines
Are your operating systems and applications patched in a timely manner?
Small Business: Turn on automatic updates for both the OS and applications. Make sure the firmware on your border router is kept up to date.
Big Business: Implement Patch Management and Vulnerability Management programs covering OS, network, middleware, IoT, IT/OT and applications, increasing maturity until you achieve ASD Essential Eight Maturity Level 3.
Anti-malware/Anti-virus and Firewall
Is your local firewall enabled and do you have an anti-virus / anti-malware running on your machines?
Small Business: For Windows users, turn on the local firewall (Windows Defender Firewall) and make sure Windows Defender is running.
Big Business: As above, and integrate these logs into your SIEM.
Safe Browsing
Do you have ad-blockers and script-blockers enabled in your web browser?
Can you browse to Not Safe For Work (NSFW) websites, such as pornography?
Small Business: Using a browser like Brave is a very easy way to browse the Internet safely. Inform staff not to browse to NSFW sites, as there is a good chance they will be infected with malware.
Big Business: A proxy server is necessary to control traffic flow to and from the Internet. Safe browsing controls will need to be enabled based on the standard browser chosen for the environment.
Password Vault
If you are remembering passwords, you are doing it wrong. Invest in a password vault and set a long passphrase to access it. All other passwords then become long random strings or passphrases generated by the password manager.
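To make the "long passphrase for the vault, generated secrets for everything else" advice concrete, here is an added example (not code from the original post) that generates both kinds of secret with Python's secrets module and reports how many bits of entropy each carries. The word list is a short constructed sample standing in for a full diceware-style list, and the 80-bit policy threshold is an assumed value, not something the post specifies.

```python
"""Generate vault passphrases and random passwords, and measure their strength.

Added example, not part of the original post. SAMPLE_WORDS is a constructed
stand-in for a real diceware-style list; entropy is computed from whatever
list size is passed in, so the figures for a real 7776-word list are exact.
"""
import math
import secrets
import string

# Constructed sample word list (a real list would have thousands of words).
SAMPLE_WORDS = ["aspen", "bronze", "cactus", "dingo", "ember", "fjord", "galah", "harbour"]

# 94 printable ASCII symbols: what a password manager typically draws from.
SYMBOLS = string.ascii_letters + string.digits + string.punctuation

# Assumed policy threshold for the passphrase that unlocks the vault.
MIN_VAULT_BITS = 80.0


def entropy_bits(choices_per_pick: int, picks: int) -> float:
    """Entropy of `picks` independent uniform choices from `choices_per_pick` options."""
    return picks * math.log2(choices_per_pick)


def vault_passphrase(words, count=5, sep="-"):
    """Return (passphrase, entropy_bits) built from `count` random words.

    Uses secrets.choice (CSPRNG), never random.choice, so each word is an
    unpredictable uniform pick from the list.
    """
    phrase = sep.join(secrets.choice(words) for _ in range(count))
    return phrase, entropy_bits(len(words), count)


def generated_password(length=20, alphabet=SYMBOLS):
    """Return (password, entropy_bits) as a password manager would generate it."""
    pw = "".join(secrets.choice(alphabet) for _ in range(length))
    return pw, entropy_bits(len(alphabet), length)


def words_needed(list_size: int, minimum_bits: float = MIN_VAULT_BITS) -> int:
    """Smallest word count from a list of `list_size` words that reaches `minimum_bits`."""
    return math.ceil(minimum_bits / math.log2(list_size))


if __name__ == "__main__":
    phrase, bits = vault_passphrase(SAMPLE_WORDS, count=6)
    print(f"vault passphrase: {phrase} ({bits:.1f} bits from a {len(SAMPLE_WORDS)}-word list)")
    print(f"a 5-word phrase from a 7776-word list gives {entropy_bits(7776, 5):.1f} bits")
    print(f"words needed from a 7776-word list for {MIN_VAULT_BITS:.0f} bits: {words_needed(7776)}")
    pw, bits = generated_password()
    print(f"generated password: {pw} ({bits:.1f} bits)")
```

The point the numbers make: the strength of a word-based passphrase comes from the size of the list and the number of words, not from how clever the words look, so a handful of words from a large list is enough for the vault, while the manager's 20-character random strings are far stronger than anything a person would type.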
Multi-Factor Authentication (MFA)
Turn on MFA for all your Internet-accessible applications, including:
O365
Email
Banking
Finance (Xero)
Blogs / Website (Wix)
Domain Hosting
Facebook / Instagram / Twitter / LinkedIn
Side Channel Verification
And finally, whenever transferring large sums of money in response to an email request, call the receiving party to double-check that the BSB and account number are correct.
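One way a small business can make that callback step systematic, as an added example that is not code from the original post: keep a vendor master record of each supplier's bank details and a phone number captured when the relationship was set up, and compare every emailed invoice against it before paying. Any change in BSB or account number, or any payment above a chosen amount, is routed to a phone call on the number already on file, never the number printed in the email. The vendor records, phone numbers and the callback threshold below are all constructed placeholders.

```python
"""Payee-change check before paying an emailed invoice.

Added example, not part of the original post. It assumes the business keeps a
vendor master (here a constructed dict) with the bank details and phone number
recorded when each supplier was onboarded. A mismatch or a large amount yields
a 'callback' verdict: phone the supplier on the number on file, not the one in
the email, before releasing payment.
"""
import re
from dataclasses import dataclass

# Constructed vendor master; phone numbers are placeholders.
VENDOR_MASTER = {
    "Acme Stationery": {"bsb": "062-000", "account": "12345678", "phone": "+61 2 0000 0000"},
    "Blue Gum Cleaning": {"bsb": "033-000", "account": "98765432", "phone": "+61 3 0000 0000"},
}

BSB_RE = re.compile(r"^\d{3}-?\d{3}$")   # Australian BSB: six digits, hyphen optional
ACCOUNT_RE = re.compile(r"^\d{6,10}$")    # typical Australian account number length

# Assumed policy: anything at or above this amount gets a callback regardless.
CALLBACK_THRESHOLD = 1000.0


@dataclass
class Invoice:
    supplier: str
    amount: float
    bsb: str
    account: str
    phone_in_email: str  # whatever the email claims; deliberately never used for the call


def normalise_bsb(bsb: str) -> str:
    """Canonical 'XXX-XXX' form so '062000' and '062-000' compare equal."""
    digits = re.sub(r"\D", "", bsb)
    return f"{digits[:3]}-{digits[3:]}" if len(digits) == 6 else bsb


def check_invoice(inv: Invoice, master=VENDOR_MASTER, threshold=CALLBACK_THRESHOLD) -> dict:
    """Return {'verdict': 'pay' | 'callback' | 'reject', 'reasons': [...], 'call': phone or None}."""
    reasons = []
    if not BSB_RE.match(inv.bsb):
        reasons.append("malformed BSB")
    if not ACCOUNT_RE.match(inv.account):
        reasons.append("malformed account number")
    if reasons:
        return {"verdict": "reject", "reasons": reasons, "call": None}

    record = master.get(inv.supplier)
    if record is None:
        reasons.append("supplier not in vendor master")
    else:
        if normalise_bsb(inv.bsb) != normalise_bsb(record["bsb"]):
            reasons.append("BSB differs from vendor master")
        if inv.account != record["account"]:
            reasons.append("account number differs from vendor master")
    if inv.amount >= threshold:
        reasons.append(f"amount {inv.amount:.2f} at or above callback threshold")

    if reasons:
        # The number to dial comes from the master record, never from the email.
        call = record["phone"] if record else "look up the supplier's number independently"
        return {"verdict": "callback", "reasons": reasons, "call": call}
    return {"verdict": "pay", "reasons": [], "call": None}


if __name__ == "__main__":
    # Constructed invoice whose account number differs from the record on file.
    suspicious = Invoice("Acme Stationery", 480.0, "062-000", "87654321", "+61 2 9999 9999")
    print(check_invoice(suspicious))
```

The two design choices worth copying are that the phone number in the email is carried only so staff can see it was ignored, and that the threshold rule fires even when the details match, because a large payment to an unchanged account is still worth a two-minute call.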
In closing
As mentioned above, this list is not exhaustive, but for small businesses it is inexpensive and easy to implement, and could be the difference between your business going under or thriving. Whether big or small, if you find you are NOT implementing these types of behaviours/controls, you are placing your business at unnecessary risk.
And as always, if you wish to learn more about any of the above, then be sure to reach out to us for a confidential discussion.