Cyber Security

Cyber Security Tips and Advice


The following content is based on the Small Business Cyber Guide and the Easy Steps Checklist published by the Australian Cyber Security Centre (ACSC).

For more comprehensive information visit www.cyber.gov.au

On 6 August 2020, the Australian Government released Australia’s Cyber Security Strategy 2020.

To coincide with this, we at TigerFleet thought it would be a good opportunity to give an overview of some of the steps that you can take, as an individual or a small business, to protect yourself from cyber attacks.

To better protect yourself from cyber criminals and secure your accounts and devices, the ACSC recommends that you:

Secure your email, social media and apps

Put strong security on important accounts where you exchange personal or sensitive information such as email, bank and social media accounts.
  • Turn on two-factor authentication, such as a code sent to your mobile, for an extra layer of security. An authenticator app or a physical security key is stronger than an SMS code, which can be intercepted or redirected through SIM-swap fraud.
  • Use strong passwords on your accounts. A strong password is a passphrase of at least 13 characters, made up of about four words that are meaningful to you but not easy for others to guess, for example ‘horsecupstarshoe’.
  • Don’t reuse the same password across accounts: if one service is breached, every account sharing that password is exposed.
  • Consider using a reputable password manager, which removes the need to remember a unique passphrase for every account.

Hint: Use a Passphrase

A passphrase is similar to a password. It is used to verify access to a computer system, program or service. Passphrases are most effective when they are:

  • Used with multi-factor authentication – see below
  • Unique – not a famous phrase or lyric, and not re-used
  • Longer – phrases are generally longer than words
  • Complex – a sentence naturally contains uppercase letters, symbols and punctuation
  • Easy to remember – saves you being locked out.

Passphrases significantly increase security. The table below (from www.cyber.gov.au) compares how easily different styles of password can be cracked:

Password / passphrase | Time to crack (brute force) | Ease to remember | Comments
password123 | Instantly | Very easy (too easy) | One of the most commonly used passwords on the planet.
Spaghetti95! | 24–48 hours | Easy | Some complexity in the most common positions, but very short. Easy to remember, but easy to crack.
5paghetti!95 | 24–48 hours | Somewhat easy | Character substitution adds little over the one above, and it is still short. Easy to remember, but easy to crack.
A&d8J+1! | 2.5 hours | Very difficult | Mildly complex, but shorter than the passwords above. Hard to remember, easy to crack.
I don’t like pineapple on my pizza! | More than 1 year | Easy | Excellent length (35 characters). Complexity comes naturally from the apostrophe, exclamation mark and spaces. Very easy to remember, and very difficult to crack.

The times are indicative only: they depend on the attacker’s hardware, on how the service that leaked the password had hashed it, and on whether the attacker tries dictionaries of common words and patterns before resorting to raw brute force. Length is what moves the estimate from hours to years.
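As an added illustration (this is example code written for this page, not part of the ACSC or TigerFleet material), the script below generates passphrases with a cryptographically secure random source and checks candidates against the weak patterns in the table: too short, on a common-password list, or a single dictionary word dressed up with digits, symbols or character substitution. The wordlist and common-password list are tiny constructed stand-ins; a real deployment would use a published list such as the EFF long wordlist and a breached-password list.

```python
import math
import re
import secrets

# Constructed wordlist for this example only. A real generator would draw from a
# large published list such as the EFF long wordlist (7,776 words); at 16 words
# this list is far too small to give a strong passphrase.
WORDLIST = [
    "horse", "cup", "star", "shoe", "spaghetti", "pineapple", "pizza", "kettle",
    "granite", "lantern", "orbit", "velvet", "marble", "cactus", "harbour", "ledger",
]

# Tiny stand-in for a breached/common-password list; use a real list in practice.
COMMON_PASSWORDS = {"password", "password123", "123456", "qwerty", "letmein", "welcome1"}

MIN_LENGTH = 13  # from the ACSC advice quoted above
MIN_WORDS = 4

# Character substitutions attackers try routinely; undone before the dictionary check.
LEET = str.maketrans("0134578@$", "oieastbas")


def generate_passphrase(n_words=MIN_WORDS, separator=" ", wordlist=WORDLIST):
    """Pick words with the OS CSPRNG via `secrets`, never the `random` module."""
    return separator.join(secrets.choice(wordlist) for _ in range(n_words))


def entropy_bits(n_words, wordlist_size):
    """Entropy of a randomly generated passphrase: each word adds log2(list size) bits."""
    return n_words * math.log2(wordlist_size)


def base_word(candidate):
    """Strip trailing digits/symbols, undo substitutions, keep letters only."""
    core = re.sub(r"[^A-Za-z]+$", "", candidate)
    return re.sub(r"[^a-z]", "", core.translate(LEET).lower())


def check_passphrase(candidate):
    """Return (ok, reasons). Flags the weak patterns in the table above: short
    strings, well-known passwords, and a single dictionary word dressed up with
    digits, symbols or character substitution."""
    reasons = []
    if len(candidate) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if candidate.lower() in COMMON_PASSWORDS:
        reasons.append("appears in a common-password list")
    if base_word(candidate) in WORDLIST:
        reasons.append("a single dictionary word with digits/symbols added or substituted")
    return (not reasons, reasons)


if __name__ == "__main__":
    phrase = generate_passphrase()
    print(phrase, check_passphrase(phrase))
    print(f"4 words from a 7,776-word list: {entropy_bits(4, 7776):.1f} bits")
    for weak in ("password123", "Spaghetti95!", "5paghetti!95", "A&d8J+1!"):
        print(weak, check_passphrase(weak))
```

Four words drawn at random from a 7,776-word list give about 51.7 bits of entropy regardless of which words come out; that is the property the table's last row relies on, and it is why the checker looks at length and structure rather than at whether a password "looks complex".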

Watch out for scam messages

Online scams and ‘phishing’ by email, SMS, social media posts and direct messages are designed to steal your logins, credentials and personal details, or to install malicious software on your devices.

  • Check before you click links – hover over the link to see the actual web address, and make sure the domain is the one you expect rather than a lookalike.
  • Never log in to your accounts from links in messages – go to the official website or app directly.
  • If a message seems suspicious, contact the person or business through a separate, legitimate channel (a phone number or address you already have, not one given in the message) to confirm it.
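The "hover and check the real address" step can be automated. The following is an added example written for this page (not ACSC or TigerFleet code): it compares the address a message shows with where a link actually goes, and flags the common tricks, including a trusted name buried inside another domain, a plain-HTTP link, a `user@host` decoy and a bare IP address. The trusted domains and the short list of two-label public suffixes are constructed for the example; a real checker would load the full Public Suffix List.

```python
import ipaddress
from urllib.parse import urlparse

# Domains this business actually uses: hypothetical values for the example.
TRUSTED_DOMAINS = {"mybank.com.au", "tigerfleet.com"}

# Constructed subset of multi-label public suffixes; a real checker would load
# the full Public Suffix List so that "mybank.com.au" is not read as "com.au".
TWO_LABEL_SUFFIXES = {"com.au", "net.au", "org.au", "gov.au", "co.uk", "co.nz"}


def registered_domain(host):
    """'login.mybank.com.au' -> 'mybank.com.au'; 'a.b.example.net' -> 'example.net'."""
    labels = host.lower().rstrip(".").split(".")
    n = 3 if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 2
    return ".".join(labels[-n:])


def is_ip_address(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def shown_domain(display_text):
    """If the link text itself looks like a web address, return its registered domain."""
    text = display_text.strip()
    if " " in text or "." not in text:
        return None
    host = urlparse(text if "://" in text else "https://" + text).hostname or ""
    return registered_domain(host)


def assess_link(display_text, href):
    """Compare what a message shows with where the link really goes.
    Returns a list of warnings; an empty list means nothing suspicious was found."""
    warnings = []
    parsed = urlparse(href.strip())
    host = (parsed.hostname or "").lower()
    if parsed.scheme != "https":
        warnings.append(f"link is not HTTPS (scheme: {parsed.scheme or 'none'})")
    if parsed.username:
        # https://mybank.com.au@evil.example/ : everything before '@' is a decoy
        warnings.append(f"'{parsed.username}@' before the host is a decoy; the real host is {host}")
    if is_ip_address(host):
        warnings.append(f"link goes to a bare IP address ({host})")
        return warnings
    actual = registered_domain(host)
    shown = shown_domain(display_text)
    if shown is not None and shown != actual:
        warnings.append(f"link text shows {shown} but the link goes to {actual}")
    for trusted in TRUSTED_DOMAINS:
        if trusted in host and actual != trusted:
            warnings.append(f"lookalike: '{trusted}' appears inside {host}, whose real domain is {actual}")
    return warnings


if __name__ == "__main__":
    # Constructed samples: one genuine link and two typical phishing tricks.
    samples = [
        ("https://www.mybank.com.au", "https://www.mybank.com.au/login"),
        ("https://www.mybank.com.au", "http://mybank.com.au.login-verify.net/"),
        ("Click here to confirm your account", "https://mybank.com.au@198.51.100.7/"),
    ]
    for text, href in samples:
        print(text, "->", href, assess_link(text, href) or ["ok"])
```

The decisive comparison is on the registered domain, not the whole hostname: `mybank.com.au.login-verify.net` contains the bank's name but is owned by whoever registered `login-verify.net`.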

Secure your mobile and computer

  • Always use a PIN or password on your mobile and computer.
  • Always install software updates for Windows, macOS, iOS and Android as soon as they are offered; many updates fix security holes that attackers are already using.
  • Make sure you download apps from official stores such as the Apple App Store or Google Play for Android.
  • Install security software on your devices to protect you from malicious software.

Check public Wi-Fi before connecting

Information shared through public Wi-Fi hotspots in cafés, airports, hotels and other public places can be intercepted. Websites that use HTTPS protect the content of your session even on public Wi-Fi, but the names of the sites you visit can still be observed, and a malicious hotspot can present fake login pages.

  • Turn off automatic connection to public Wi-Fi on your devices.
  • Where you can, use a network you trust (or your own mobile data) instead of public Wi-Fi.
  • Consider installing a reputable Virtual Private Network (VPN) solution on your device, which encrypts all traffic between the device and the VPN provider.

Software Considerations – Key Areas

Keeping your software organised and secure can drastically improve your business’s protection against the most common types of cyber threat.

For example, your operating system is the most important piece of software on your computer. It manages your computer’s hardware and all its programs, and therefore needs to be updated, backed up and maintained.

Improve resilience, stay up to date and stay safe with these software considerations for small businesses.

Automatic Updates

An automatic update is a default or ‘set and forget’ setting that installs updates to your software as soon as they are available. Benefits include:

  • Better online security
  • Improved protection from loss of money, data and identity, because patches for known vulnerabilities are applied as soon as the vendor releases them rather than weeks later
  • Enhanced features and efficiencies for programs and apps.

Automatic Backups

An automatic backup is a default or ‘set and forget’ system that backs up your data automatically, without human intervention. Benefits include:

  • Quicker and easier to get your business back up and running if information is lost, stolen or destroyed
  • Protects the credibility of your business and helps meet legal obligations
  • Peace of mind that you’re always protected, so you can focus your business efforts on the work that delivers value

A backup you have never restored is not yet a backup: test a restore periodically, and keep at least one copy offline or offsite so that ransomware or a local failure cannot destroy the backup together with the originals.
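The "test a restore" point is shown in the added example below, which is illustrative code written for this page rather than any backup product's own logic. It archives a folder, records a SHA-256 hash of every file in a manifest and the hash of the whole archive in a sidecar file, and then verifies a backup by re-reading every file out of the archive and comparing hashes, so a silently corrupted or truncated backup is caught before the day it is needed. The sample files are constructed in a temporary directory.

```python
import hashlib
import io
import json
import tarfile
import tempfile
import time
from pathlib import Path, PurePosixPath


def sha256_of(data):
    return hashlib.sha256(data).hexdigest()


def make_backup(src, dest_dir):
    """Archive every file under `src` into dest_dir/backup-<timestamp>.tar.gz with
    a MANIFEST.json of per-file SHA-256 hashes, and record the archive's own hash
    in a sidecar .sha256 file. Returns the archive path."""
    src, dest_dir = Path(src), Path(dest_dir)
    dest_dir.mkdir(parents=True, exist_ok=True)
    archive = dest_dir / f"backup-{time.strftime('%Y%m%d-%H%M%S')}.tar.gz"
    manifest = {}
    with tarfile.open(archive, "w:gz") as tar:
        for path in sorted(p for p in src.rglob("*") if p.is_file()):
            rel = path.relative_to(src).as_posix()
            manifest[rel] = sha256_of(path.read_bytes())
            tar.add(str(path), arcname=rel)
        blob = json.dumps(manifest, indent=1).encode()
        info = tarfile.TarInfo("MANIFEST.json")
        info.size = len(blob)
        tar.addfile(info, io.BytesIO(blob))
    sidecar = Path(str(archive) + ".sha256")
    sidecar.write_text(f"{sha256_of(archive.read_bytes())}  {archive.name}\n")
    return archive


def unsafe_member(name):
    """Reject archive paths that would escape the restore directory."""
    return name.startswith("/") or ".." in PurePosixPath(name).parts


def verify_backup(archive):
    """Test-restore without writing to disk: confirm the archive matches its sidecar
    hash, then stream every manifest entry out of the archive and re-hash it.
    Returns (ok, problems)."""
    archive = Path(archive)
    data = archive.read_bytes()
    sidecar = Path(str(archive) + ".sha256")
    if not sidecar.exists() or sidecar.read_text().split()[0] != sha256_of(data):
        return False, ["archive hash does not match its .sha256 sidecar"]
    problems = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        members = {m.name: m for m in tar.getmembers() if m.isfile()}
        if "MANIFEST.json" not in members:
            return False, ["MANIFEST.json missing from archive"]
        manifest = json.load(tar.extractfile(members["MANIFEST.json"]))
        for rel, expected in manifest.items():
            if unsafe_member(rel):
                problems.append(f"{rel}: unsafe path")
            elif rel not in members:
                problems.append(f"{rel}: listed in manifest but missing from archive")
            elif sha256_of(tar.extractfile(members[rel]).read()) != expected:
                problems.append(f"{rel}: content does not match manifest")
    return (not problems, problems)


def demo_roundtrip():
    """Constructed sample data: back it up, verify, then corrupt the archive and
    verify again. Returns (ok_before_tampering, ok_after_tampering)."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "data"
        (src / "sub").mkdir(parents=True)
        (src / "ledger.csv").write_text("id,amount\n1,10\n2,25\n")
        (src / "sub" / "notes.bin").write_bytes(b"\x00\x01binary ok\xff")
        archive = make_backup(src, Path(tmp) / "backups")
        ok_before, _ = verify_backup(archive)
        with open(archive, "ab") as f:  # a single appended byte is enough to fail it
            f.write(b"\x00")
        ok_after, _ = verify_backup(archive)
        return ok_before, ok_after


if __name__ == "__main__":
    print(demo_roundtrip())  # (True, False)
```

Run `verify_backup` on a schedule against the copy that lives offsite, not the one on the machine that produced it; the sidecar hash should be stored separately from the archive so that an attacker who can alter one cannot quietly fix the other.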

Multi-Factor Authentication

Multi-factor authentication (MFA) typically requires a combination of something the user knows (PIN, password, secret question), physically possesses (card, token, phone) or inherently possesses (fingerprint, face, retina).

The multiple layers make it much harder for criminals to attack your business. Criminals might manage to steal one proof of identity e.g. PIN, but they still need to obtain and use the other proofs of identity. Two-factor authentication (2FA) is the most common type of MFA.

Small businesses should implement MFA wherever possible. Some MFA options include, but are not limited to:

  • Physical token (for example a security key)
  • Random PIN
  • Biometrics/ fingerprint
  • Authenticator app
  • Email
  • SMS

Not all of these are equally strong. A physical security key or an authenticator app is harder to defeat than a code sent by SMS or email, which can be intercepted, redirected or phished; use the strongest option each service supports.
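To show what an authenticator app actually does, here is an added example (written for this page, not code from TigerFleet or the ACSC) implementing the standard time-based one-time password algorithm, TOTP (RFC 6238), on top of HOTP (RFC 4226). The app and the server share a secret at enrolment; after that, both derive the same six-digit code from the secret and the current 30-second interval with no network round trip. The server-side check also shows the two things a practitioner has to get right: a small tolerance window for clock drift, and refusing any code from an interval already used so that a captured code cannot be replayed. The reference secret is the one published in RFC 6238; the account and issuer names are hypothetical.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from urllib.parse import quote


def hotp(key, counter, digits=6):
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 over the 8-byte counter,
    dynamic truncation to 31 bits, then the last `digits` decimal digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key, at=None, step=30, digits=6):
    """Time-based variant (RFC 6238): the counter is the number of `step`-second
    intervals since the Unix epoch, so app and server agree without any network."""
    t = int(time.time()) if at is None else int(at)
    return hotp(key, t // step, digits)


def verify_totp(key, code, at=None, step=30, window=1, last_counter=-1):
    """Server-side check. Accepts the current interval and `window` intervals either
    side to absorb clock drift, compares in constant time, and refuses any interval
    at or below `last_counter` so a captured code cannot be replayed. Returns the
    matched counter (store it as the user's new last_counter) or None."""
    if not (code.isdigit() and 6 <= len(code) <= 8):
        return None
    t = int(time.time()) if at is None else int(at)
    current = t // step
    for delta in range(-window, window + 1):
        counter = current + delta
        if counter > last_counter and hmac.compare_digest(hotp(key, counter, len(code)), code):
            return counter
    return None


def new_secret(nbytes=20):
    """Fresh per-user secret from the OS CSPRNG (160 bits, as RFC 4226 recommends)."""
    return secrets.token_bytes(nbytes)


def provisioning_uri(secret, account, issuer):
    """The otpauth:// URI that authenticator apps read from an enrolment QR code."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    label = f"{quote(issuer)}:{quote(account)}"
    return (f"otpauth://totp/{label}?secret={b32}&issuer={quote(issuer)}"
            "&algorithm=SHA1&digits=6&period=30")


if __name__ == "__main__":
    key = b"12345678901234567890"  # reference secret from RFC 6238 Appendix B
    print(totp(key, at=59))        # RFC 6238 test vector: 287082
    print(verify_totp(key, "287082", at=89))                  # 1: one step late, still accepted
    print(verify_totp(key, "287082", at=89, last_counter=1))  # None: replay refused
    print(verify_totp(key, "287082", at=150))                 # None: outside the window
    print(provisioning_uri(new_secret(), "alice@example.com", "TigerFleet"))
```

The secret in the provisioning URI is the whole of the second factor: it must be generated per user, shown once at enrolment, and stored server-side with the same care as a password hash, because anyone who reads it can produce valid codes indefinitely.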

People and Procedures – Key Areas

Businesses, no matter how small, need to be aware of and consciously apply cyber security measures at every level.

Given small businesses often lack the resources for dedicated IT staff, this section addresses how you can manage who can access, and who can control your business’ information, and the training of your staff.

Your internal processes and your workforce are the last, and one of the most important, lines of defence in protecting your business from cyber security threats.

Access Control

Access control is a way to limit access to a computing system. It allows business owners to:

  • Decide who they would like to give access privileges to
  • Determine which roles require what access
  • Enforce staff access control limits.

Access control systems help you protect your business by allowing you to limit staff and supplier access to your computer:

  • Networks
  • Files
  • Applications
  • Sensitive data

Give each person only the access their role actually needs (the principle of least privilege), and review access whenever someone changes role or leaves the business, so that old accounts and one-off permissions do not linger.
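The role-based approach in the list above, with a least-privilege review bolted on, looks like this in code. This is an added example written for this page; the roles, users and permissions are constructed for a hypothetical small fleet business and are not TigerFleet's own access model. It decides every request by denying unless a role (or an explicit grant) covers it, logs each decision, and audits for the two things that erode access control over time: permissions granted directly to a person that no role justifies, and accounts that no longer have any role but still exist.

```python
# Hypothetical roles and staff for a small fleet business (constructed for this
# example). A permission is an (action, resource) pair; "*" matches any resource.
ROLES = {
    "owner":    {("read", "*"), ("write", "*"), ("admin", "users")},
    "accounts": {("read", "invoices"), ("write", "invoices"), ("read", "customers")},
    "driver":   {("read", "jobs"), ("write", "job-status")},
    "supplier": {("read", "purchase-orders")},
}

# Each user has roles plus any permissions granted directly, outside a role.
USERS = {
    "alice": {"roles": {"owner"}, "direct": set()},
    "bob":   {"roles": {"accounts"}, "direct": {("write", "users")}},  # "temporary" grant, never revoked
    "carol": {"roles": {"driver"}, "direct": set()},
    "dave":  {"roles": set(), "direct": set()},                       # left the business
}

DECISION_LOG = []  # (user, action, resource, allowed); review this periodically


def covered(action, resource, grants):
    """True if any grant matches the action and either the resource or the wildcard."""
    return any(a == action and r in ("*", resource) for a, r in grants)


def permissions_for(user):
    record = USERS[user]
    perms = set()
    for role in record["roles"]:
        perms |= ROLES[role]
    return perms | record["direct"]


def is_allowed(user, action, resource):
    """Deny by default: unknown users, unknown actions and unmatched resources all
    get False, and every decision is logged."""
    allowed = user in USERS and covered(action, resource, permissions_for(user))
    DECISION_LOG.append((user, action, resource, allowed))
    return allowed


def audit_excess(users=USERS, roles=ROLES):
    """Least-privilege review: direct grants that none of the user's roles would
    cover, i.e. one-off permissions that should be removed or turned into a role."""
    findings = {}
    for name, record in users.items():
        from_roles = set()
        for role in record["roles"]:
            from_roles |= roles[role]
        excess = sorted(p for p in record["direct"] if not covered(p[0], p[1], from_roles))
        if excess:
            findings[name] = excess
    return findings


def stale_accounts(users=USERS):
    """Accounts with no role and no permissions: disable them rather than keep them."""
    return sorted(n for n, r in users.items() if not r["roles"] and not r["direct"])


if __name__ == "__main__":
    print(is_allowed("carol", "read", "jobs"))        # True
    print(is_allowed("carol", "write", "invoices"))   # False
    print(is_allowed("mallory", "read", "jobs"))      # False: unknown user
    print(audit_excess())                             # {'bob': [('write', 'users')]}
    print(stale_accounts())                           # ['dave']
```

The audit functions are the part most small businesses skip: permissions are easy to grant under pressure and rarely removed afterwards, so running something like `audit_excess()` and `stale_accounts()` at each staff change (or monthly) is what keeps "who can access what" matching reality.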

Peace of Mind (Part 2) – Understanding Cloud Technology

In part one of this discussion on data protection and technology we looked at some of the ways that you can protect your personal data while browsing the internet and shopping online. This part looks at the shift to cloud technology and protecting data stored in the cloud or on in house servers.

What is Cloud Technology?

Cloud technology has been around for many years now, but the levels of trust in the security of the system and understanding of cloud-based technology varies from person to person and company to company. 

Cloud-based software, simply put, is software that is stored on servers owned or leased by the software provider. The servers are typically held within secure and climate-controlled third-party data centres, and all you need to access the software is an internet connection; the software provider takes care of the rest. You typically pay a subscription fee for the software and access it much the same way that you would access a website.

In House Servers

Until relatively recently, businesses that use software packages and share files and folders across their business network would have needed an in house server and a network of workstations with unique addresses. If set up correctly, a workplace network is a simple way of sharing data among employees and does not require an internet connection to operate.

With increased technology (and access to an internet connection or mobile data network) Virtual Private Networks (VPNs) and Remote Desktop Connections enabled companies to share a single network with multiple physical locations, both nationally and internationally.

Hosted Servers

Server hosting is a bit of a mix of the above: it is a service offered by network providers who run all the software you would ordinarily house on your internal server on a remote server that they either own or lease. You may have a server dedicated to your company, or you may share a partition of one with someone else. You typically rent or lease an amount of storage space, much as you would rent or lease office space.

As with cloud-based software, you need your own personal computer, laptop or tablet and a reliable internet connection to access the hosted server. 

Which is Better for my Business?

For many people there is something comforting about having a large server ticking away in a data room on your own premises. You know that your data is sitting in your own building, you are in control of its fate, good and bad, and you are not dependent on a third-party provider or on internet speed and stability to get your daily work done. But, and this is an important but, you need to protect your hardware, software and data yourself; many companies are at risk of losing their data through inappropriate backup schedules, insufficient hardware maintenance, power surges, viruses, spyware, hacking and a host of other factors.

Although high-end in house servers can be extremely expensive, and the cost of maintaining them can be high, if you are in an area where you do not have fast and reliable internet this might be your only option. Even if you do have good internet, your own server can be a more cost-effective solution for small businesses, and a lower spec server or a powerful PC might suit all your needs. 

Solid state drives offer faster, smaller and longer lasting computers, which may be an option for your in-house server, but these advantages come with a trade-off. Larger capacity solid state drives are expensive, especially for the better brands, which means that storing large amounts of data locally can be very expensive, and increasing your data storage capacity can be complicated.

Cloud-based systems (including hosted servers) easily allow multiple users to access your important data in real time, from any device, increasing productivity, access to information and user independence. This reduces business risk and provides a level of flexibility that on-premises equipment simply can’t offer. You would typically have a known cost per month to access the system, and extra storage or users can be added as and when needed.

Providers of cloud services are responsible for a broad set of policies, technologies, applications and controls that protect the internet portals through which you access your data as a client. They are responsible for ensuring that the applications and services they provide work with the browsers through which you access them, and they take care of hardware maintenance, platform security, data backups and related services for you. Security is shared, though: the provider secures the platform, but you remain responsible for who in your business can log in, how strong their passphrases and MFA are, and what data you choose to put there.

Although there are many pros and cons of each type of system, and an initial assessment may suggest that the on-premise solution is cheaper, if all factors are considered, cloud-based technology offers much greater value and flexibility.  

A Common Sense Approach

Regardless of what you decide, you still need systems in place to prevent data breaches and potential losses. In part one of this series we discussed how poor password security is responsible for over 80% of data breaches, but leaving computers unlocked, running inadequate virus and spyware protection, and sharing your login details with other people can also lead to big problems.

Even if you have the latest and best virus and spyware protection installed, that software is always one step behind the attackers: traditional signature-based detection needs a sample of the malware to exist before it can recognise it, and behaviour-based detection is not guaranteed to catch everything. So never ‘assume’ that you are protected from the suspicious email you are about to open.

How does TigerFleet Store and Protect your Data?

TigerFleet’s main database is hosted on Microsoft Azure servers. Microsoft Azure has the largest global network, servicing 55 regions and 140 countries around the world. Each region is a set of data centres that are interconnected via a massive and resilient network. The network includes content distribution, load balancing, redundancy, and encryption by default.

Azure regions are organized into geographies, and each geography ensures that data residency, sovereignty, compliance, and resiliency requirements are honoured within geographical boundaries. Geographies are fault-tolerant to withstand complete region failure, through their connection to the dedicated, high-capacity networking infrastructure.

Microsoft’s datacenters comply with key industry standards, such as ISO/IEC 27001:2013 and NIST SP 800-53, for security and reliability, and are managed, monitored and administered by Microsoft operations staff with years of experience delivering the world’s largest online services with 24 x 7 continuity.

TigerFleet ensures that data stored with Azure is encrypted in accordance with Microsoft’s standards and maintains control of the keys that its cloud applications use to encrypt data. Encrypting data at rest and in transit is deployed by TigerFleet as a best practice for ensuring the confidentiality and integrity of data. TigerFleet uses TLS (the successor to SSL) to protect communications from the internet and even between its Azure-hosted VMs.

TigerFleet has opted for Geo-redundant storage (GRS) with Azure. GRS maintains six copies of your data: it is replicated three times within the primary region, and a further three times in a secondary region hundreds of miles from the primary, providing a very high level of durability. If the primary region becomes unavailable, storage can be failed over to the secondary region (by Microsoft in a major disaster, or at the customer’s request), so the data remains durable in two separate regions.

If a customer closes their account, they can request to have all of their data destroyed immediately. If this is not requested, their data is retained by TigerFleet for 12 months, which allows the client to export all of their data to Excel if they wish to use it elsewhere (e.g. upload to a new provider). At the end of this period, however, the data is destroyed.

Why Microsoft Azure?

Access to customer data by Microsoft operations and support personnel is denied by default. When access to customer data is granted, leadership approval is required and then access is carefully managed and logged. The access-control requirements are established by the following Azure Security Policy:

Azure provides customers with strong data security, both by default and as customer options. Azure is a multi-tenant service, which means that multiple customer deployments and VMs are stored on the same physical hardware. Azure uses logical isolation to segregate each customer’s data from the data of others. Segregation provides the scale and economic benefits of multi-tenant services while rigorously preventing customers from accessing one another’s data.

Microsoft helps ensure that data is protected if there is a cyberattack or physical damage to a datacenter. This includes in-country/in-region storage for compliance or latency considerations, and out-of-country/out-of-region storage for security or disaster recovery purposes.

When customers delete data or leave Azure, Microsoft follows strict standards for overwriting storage resources before their reuse, as well as the physical destruction of decommissioned hardware. Microsoft executes a complete deletion of data on customer request and on contract termination.