The Impacts of a Cyber Attack
In your personal life and as an employee, there are many aspects to consider when it comes to the use of devices (e.g. smartphones, tablets, computers and laptops). E.g. compromises of devices and the information they store can have significant productivity, financial impacts to your business as well as personal and emotional impacts on the people involved.
The following advice has been written to provide guidance on how to secure devices and protect both your personal and business-related information.
Use legitimate software and keep it up to date
It is important that ALL devices are configured to automatically apply updates as updates for applications and operating systems are released by vendors. Further, new versions of applications and operating systems regularly include additional security features to make it more difficult for devices to be compromised. You should always use legitimate applications that you have purchased from a physical store, a trusted app store or downloaded from a reputable vendor’s website. NEVER use pirated applications, or untrusted app stores, this will lead to devices becoming compromised.
Back up your important files
Save all your important files to your business network drives or approved online storage service (cloud service). This will ensure your important files have been backed up as part of your organisation’s backup procedures.
This will allow you to get your business back up and running if information is lost, stolen or destroyed. It protects credibility of your business and help meets legal obligations so you can focus your business efforts that deliver value.
Lost or stolen personal devices
One of the biggest risks to information is from lost or stolen devices. Ensure you know where your devices are always, avoid leaving them unattended when away from your vehicle and, if leaving them at home, store them in a secure location. If devices support the ability to encrypt your device, these measures should be activated as they can provide additional security in the event of it being lost or stolen.
Be suspicious of unsolicited communications
Unsolicited communications in the form of phone calls, SMS, instant messages and emails are often trying to get you to do something that will benefit someone else. It might just be spam trying to get you to buy things or it might be trying to get you to access a file that will compromise your device; access your information (such as intellectual property or financial details).
If someone has sent you an SMS, instant message or email that you think is strange (including requests to click on a link, open attachments or to provide a password), delete it.
Use a screen lock
A screen lock should be activated after 15minutes of inactivity on laptops or desktop PCs. A screen lock after 2 minutes of inactivity on a smartphone should also be used. Both should require a password to regain access to the device.
Use different passwords for websites and apps
Use different passwords for websites and apps, especially for those that store your credit card details or any personal information. If you use the same username (such as an email address) and password for a number of websites and apps, and one website or app is compromised, someone accessing that information is more likely to be able to access other websites and apps which you commonly use.
NEVER use your @yourbusiness.com.au email address for personal social media, online shopping or other non-work-related activities. These sites can and have been breached in the past and put your organisation at risk of spear-phishing or brute force password attacks.
Multi Factor Authentication
Some websites and applications offer the ability to use Multi Factor Authentication (multiple steps to logon), such as a number sent via SMS or Authentication app to your mobile phone in addition to you using your username and password. The use of such mechanisms, even though they may be slightly inconvenient to use, offer far greater security and protection for your information. Don’t use ‘remember my password’ functionality within your web browser. This can place your passwords at an unnecessary risk of being compromised. If you struggle to remember passwords, consider using a trusted password manager application (Dashlane or LastPass).
Monitor your online presence
Social media can pose a number of risks to both your business and employees when used in an inappropriate or unsafe manner.
Due to its popularity, social media is a common way for an adversary to gather information on you or your employees, projects and systems. When sensitive or inappropriate information is posted on social media, it has the potential to harm your interests, security or economic wellbeing. Information that appears to be benign in isolation could, if collated with other information, have a considerable impact.
Personal information posted on social media can also be used by an adversary. It can be used to develop a detailed profile of an individual’s lifestyle and hobbies. This information could be used in social engineering campaigns aimed at eliciting sensitive information from individuals or influencing individuals to compromise an organisation’s systems.
The compromise of social media accounts could also contribute to identify theft, fraud and/or reputation damage or embarrassment to individuals.
Social media for business purposes
The use of social media for business purposes should be governed by social media usage policies. The following measures should be implemented for corporate social media accounts:
- Ensure only authorised users have access to your business social media accounts.
- Ensure users are informed of, and agree to, social media usage policies.
- Ensure users are trained on the use of your business social media accounts.
- Ensure users are aware of what can, and cannot, be posted using business social media accounts.
- Ensure users are aware of processes for responding to posting of sensitive or inappropriate information.
- Ensure users are aware of processes for regaining control of hijacked business social media accounts.
Ensure users’ access to business social media accounts (either direct or delegated) is revoked immediately as soon as there is no longer a requirement for access.
Social media for personal purposes
The use of social media for personal purposes should be governed by common sense and a healthy level of scepticism.
The following measures should be adopted by individuals for the use of their personal social media accounts:
- When creating social media accounts, use an alias rather than disclosing your full name.
- Use a personal email address rather than a business email address. If possible, use a separate personal email address for social media.
- Apply any available privacy options and use a private profile where available.
- Restrict the amount of personal information placed on social media such as your home or work address, phone numbers, place of employment, and any other personal information that can be used to target you.
- If your location or movements are sensitive, be aware of social media apps that automatically post your location. Also, remove GPS coordinates from any pictures posted.
- Do not post information that is not for public release from your current or previous jobs.
- Carefully consider the type and amount of information you post. Remember the internet is permanent and you can never fully remove what has been posted.
- Monitor information friends post about you to prevent the unauthorised disclosure of your personal information.
- Be wary of accessing shared links or attachments, including via direct messaging services.
- Be wary of unsolicited contacts. Do not accept requests from people that you do not know.
Securing social media accounts
The following measures should be implemented for the use of both company and personal social media accounts:
- Use a strong password that is unique for each social media account and is not re-used on any other system. Use multi-factor authentication where possible.
- Do not share passwords for social media accounts.
- Do not store passwords for social media accounts in emails or in documents.
- Do not elect to remember passwords for social media accounts when offered by web browsers. Avoid configuring social media apps to automatically sign in.
- If asked to set up security questions to recover social media accounts, do not provide answers that could easily be obtained from public sources of information.
- Do not access social media accounts from untrusted devices in internet cafes or hotels.
- Always remember to sign out of social media accounts after use.
- Use lock screens and a password on devices that have access to social media accounts.
- Where possible, access social media accounts using devices that are using the latest versions of software and have had all recent updates applied.
- Remember to close old social media accounts when they are no longer required.
Contact the Authors
Digital Forensic Analyst | SECMON1
Director | SECMON1
Phone +61 428 183095
PH 1300 410900
The Rialto, 525 Collins St. Melbourne