- Being hacked is inevitable, how you respond to a breach is important
- Mandatory breach notification disclosure will become law in February 2018
- Learn how to become cyber resilient and know the basics to mitigate risk
Daniel Weis, security specialist at Kiandra IT, assesses the cyber security of organisations ranging from small accounting firms to multi-billion dollar global companies and well-known brands, to ensure they don’t become the next “headline” in a hacking scandal.
Weis has earned his stripes as a leading security expert. He was handpicked by the EC-Council as one of the first 10 people in the world to undertake the Certified Ethical Hacker (CEH) version 7 training, and has more than 22 industry qualifications under his belt.
Daniel talks to Chartered Accountants ANZ about how organisations can become more cyber resilient and avoid losing face with customers in the event of a security breach.
Cyber resilience and adopting a culture of honesty
With 4.2 billion+ records breached last year, being hacked is inevitable. However, Weis says, the important thing is how you prepare for and respond to a security breach. In his experience, when a situation is handled with honest communication about what has occurred and how you are going to address it, customers forgive you and your reputation remains intact.
“Cyber resilience is being able to ride the storm and come out as unscathed as possible. Our job is to make it harder and mitigate the risks and effects of a breach. If the right controls and measures are in place the hacker won’t get to the sensitive data, we’ll detect it quickly and it won’t affect customers.”
Weis reports that employees are often scared to tell ICT that they have clicked on a link, and organisations don’t report data breaches for fear of losing their reputation. As a result, “this has not given the security industry a whole lot of real data to work with or insight into the actual extent of data breaches.”
However, this will all change when the Mandatory Breach Notification legislation (Australia’s Notifiable Data Breaches scheme) comes into play on 22 February 2018. If an organisation suffers a breach involving personal information that is likely to result in serious harm, it will be legally required to notify the affected individuals and the Office of the Australian Information Commissioner, or risk hefty fines.
Mandatory data breach notification laws will provide greater protection for Australians’ sensitive information. The law responds to the rising number of data breaches and shows that Australia is taking cyber security seriously.
Inside the mind of a hacker
Daniel’s role as an ethical hacker means he is one of the good guys: he gets paid to break into organisations’ and government systems in order to protect them from criminal hackers, who operate illegally and often from the DarkNet.
The difference between the good guys and the bad guys is motivation: criminal hackers are mostly after money, though, Weis says, revenge is sometimes a factor. To illustrate the profits attackers make, 10 years ago some spammers were earning $20k per day from spam and Viagra emails.
Weis told Chartered Accountants ANZ there is a misconception that kids become ethical hackers straight out of university. To put the amount of experience required into perspective, it took Weis over 20 years to become proficient in all aspects of ICT, and he now trains upcoming ethical hackers.
“The good thing about being an ethical hacker is we still get to do the fun stuff, but with a ‘get out of jail free card’ by having legal documents and agreements between the team and the organisation and partners that we have been engaged to assess.”
“Hackers are smart, and they continue to get better every day. They are technically very proficient and comfortable in a range of areas of ICT and have a breadth of experience.”
So, who and what are the weakest links that criminal hackers target?
One of Weis’ specialities is social engineering, or “the art of deception”. He sends phishing emails, or calls a user asking for sensitive information, which they will often hand over, bypassing every technical defence. He has also breached organisations through physical access, approaching reception dressed as a service technician sent to investigate an issue, or by impersonating a legitimate employee.
“I can come up against the toughest organisations with all sorts of security controls, but it can often be easily bypassed just through a well-rounded phishing email or an obvious password, which usually provides me an entry point.”
Tips to protect yourself from being hacked
Despite the inevitability of being hacked, Weis says “it gets tougher every day to get into company networks.” Education is key to keeping on top of the latest security techniques and vulnerabilities in order to minimise the risk of the bad guys getting in. Weis outlines some basic precautions for all organisations:
- Trust your intuition: if it seems too good to be true, it probably is.
- Always stick to well-known sites, and check the URL to make sure the connection is secure (HTTPS) and the address is the genuine one, not a lookalike.
- Don’t follow links in emails, especially suspect ones.
- Use Edge as your web browser.
- Make sure you have endpoint protection installed on your machines.
- And of course, use a password manager.
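The “check the URL” advice above is easy to state and easy to get wrong in practice, because phishing links are built to look right at a glance. The following is an added example, not code from the original article or from Kiandra IT, showing the checks a practitioner would automate when inspecting a link: the scheme, the userinfo trick (`real-site@attacker`), a bare IP address, a punycode (homograph) hostname, and whether the registrable domain actually matches the site the user expects. The sample links are constructed for illustration and the `example-bank.com` name is hypothetical.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample links (hypothetical): the site the user believes they are
# visiting, paired with the href the email link actually points to.
SAMPLE_LINKS = [
    ("https://www.charteredaccountantsanz.com", "https://www.charteredaccountantsanz.com/login"),
    ("https://www.example-bank.com", "http://www.example-bank.com.secure-login.xyz/"),
    ("https://www.example-bank.com", "https://www.example-bank.com@203.0.113.7/"),
    ("https://www.example-bank.com", "https://xn--exmple-bank-nbb.com/"),
    ("https://www.example-bank.com", "https://www.examp1e-bank.com/"),
]


def registrable_domain(host):
    """Crude approximation of the registrable domain: the last two labels.

    Good enough for .com-style names; a production tool would use the
    Public Suffix List so that e.g. example.com.au is handled correctly.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def check_link(expected_url, href):
    """Return the reasons an href is suspicious relative to the site the user expects.

    An empty list means the link passed every check here; it does not prove
    the link is safe, only that the common phishing tricks are absent.
    """
    reasons = []
    parts = urlsplit(href)

    # 1. Plain HTTP means no TLS, and phishing kits rarely bother with it.
    if parts.scheme != "https":
        reasons.append("not https")

    # 2. Anything before '@' is userinfo, not the host: the browser connects
    #    to what follows the '@', however convincing the prefix looks.
    if parts.username is not None or "@" in parts.netloc:
        reasons.append("userinfo before host (real-site@attacker trick)")

    host = parts.hostname or ""

    # 3. A literal IP address is almost never a legitimate login page.
    try:
        ipaddress.ip_address(host)
        reasons.append("IP address instead of a hostname")
    except ValueError:
        pass

    # 4. Internationalised labels are encoded as xn--...; these can render as
    #    near-identical Unicode lookalikes of the real brand name.
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode (IDN homograph) hostname")

    # 5. The part that matters is the registrable domain, not the subdomain:
    #    www.example-bank.com.secure-login.xyz belongs to secure-login.xyz.
    expected_host = urlsplit(expected_url).hostname or ""
    if registrable_domain(host) != registrable_domain(expected_host):
        reasons.append(
            f"domain {registrable_domain(host)!r} is not {registrable_domain(expected_host)!r}"
        )
    return reasons


def audit(links):
    """Map each href to its list of findings."""
    return {href: check_link(expected, href) for expected, href in links}


if __name__ == "__main__":
    for href, findings in audit(SAMPLE_LINKS).items():
        print(href, "->", "OK" if not findings else "; ".join(findings))
```

Note that only the first sample passes. The `secure-login.xyz` case is the one that fools most users: every character of the real brand is present in the address bar, just not in the position that counts. The two-label domain heuristic is deliberately simple; for country-code domains such as `.com.au` it would need the Public Suffix List.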
Weis also advises to think about what your “internet presence” looks like. Are there legacy systems? Are there lots of ways into the network, are staff trained on cyber security, and are their passwords terrible? Has a security assessment been performed before? Is there a plan in place in the event of a cyber security breach?