How to prepare your business for a Cyberattack – and what to do afterwards

Cyber security, Malware and Security Threats

While there are many things you can do to prevent and prepare for them, Cyber-attacks may seem unavoidable. Making sure you have a Cyber Security Strategy in place can help reduce the risk and severity of breaches and help you navigate the fallout after an attack occurs.

What to do before a cyber breach

If anything, the recent string of data breaches and hacks has shown that no business is safe from cyber-attacks. However, having a Cyber Security strategy can go a long way in increasing your company’s preparedness.

One of the best starting points for your cyber security strategy is to follow the Australian Cyber Security Centre’s Essential Eight. According to the ACSC:

“While no set of mitigation strategies is guaranteed to protect against all cyber threats, organisations are recommended to implement eight essential mitigation strategies. This baseline, known as the Essential Eight, makes it much harder for adversaries to compromise systems.”

You can read more about how to implement this framework via our article why the Essential Eight is vital for your business or by referring to the ACSC’s Essential Eight guidelines. Every business needs cyber security protection, especially those dealing with sensitive personal data. Some companies may also need to consider the need for cyber security insurance, also known as cyber liability insurance or cyber insurance.

Signs that you may have had a Cyber Attack or breach

A cyber-attack or leak can happen anytime and involves attempts to steal or destroy data, money, or intellectual property or disrupt and cause system outages. Some of the signs of a potential cyber security incident include the following:

Unauthorised access to a system or attempts to access a system
Emails with suspicious attachments or links
Questionable network or system activity
Suspected tampering of electronic and computer devices

Shortly after a cyber security incident, you may experience unusual activity on your systems, including:

Data is missing or appears altered.
Noticeably increased start-up times of computer hardware or starting up incorrectly
Computer systems are running slower than usual
Frequent crashes of computers on previously working devices
Company email accounts sending spam to contacts
Your internet browser automatically directs you to unsafe or suspicious websites
Computer hardware running low on storage space, where they were no issues previously
Being unable to access system and network accounts

If these issues occur, immediately contact your IT provider or Managed Service Provider (MSP) and enact your cybersecurity incident response plan.

After a breach

Sometimes breaches happen. No cyber security plan is entirely impassable, but your response to a leak or hack will have significant ramifications for the future of your business and your customers. Therefore, a company should have a cybersecurity incident response plan (CIRP).

A well-designed CIRP helps you mount an effective and swift response to cyber incidents. The following steps will help get your business up and running as quickly as possible.

Limit Damage

Limiting the damage wherever possible is essential if you suspect a cybersecurity incident has occurred. First, turn off all computers and disconnect them entirely from the internet and wall power. This removes the chance for a hacker to continue accessing your devices or spreading the attack across your network. At this point, it’s important not to connect any backup systems or portable devices, such as laptops, to your network as you want to keep the integrity of your backups to prevent data loss and decrease the chance of spreading the cyber-attack.

Enact your Cyber Security Incident Response Plan (CIRP) and Seek Help

Your business should have a cyber security incident response plan as outlined above. Now is the time to use it. Ensure all staff members know their responsibilities and the tasks they must perform. If your business still needs a CIRP, contact your managed service provider (MSP) or contact us for help. One of the best resources for Australian Businesses is the Australian Cyber Security Centre (ACCC). Their website provides guidance to help businesses identify cyber-attacks and incidents – and for immediate assistance, you can call the Australia Cyber Security Hotline: 1300 Cyber1 (1300 292 371).

Contact your IT provider or MSP so they can identify the cause of the cybersecurity incident and can limit the damage caused. In many cases, your MSP can contain and eliminate the threat and repair and restore your crucial business systems. Make sure to consider the best way to contact your MSP as attackers may have already compromised methods such as email; instead, phone them directly via their support line. At GCIT, our clients can contact us directly via 1300 369 111.

Report the Cyber Security Incident to the authorities

Another consideration is whether you need to contact the police, the Office of the Australian Information Commissioner (OAIC) or your insurance company if you have cyber security or business insurance.

A Cyber Security incident can result in a data breach, and personal information can be compromised. In such an event, you may have an obligation to notify authorities, including the OAIC and the Australian police.

The Australian Cyber Security Centre (ACSC) also have a tool called ReportCyber for reporting cybersecurity incidents. Reporting assists the ACSC in developing advice, techniques, and capability to respond to and prevent cyber-attacks and threats.

It is vitally important to report any instances of cyber attacks resulting in data breaches. Per the Privacy Act 1988, notifications to the OAIC must be made within 30 days or as soon as practicable.

Entities responsible for certain critical infrastructure assets are now obligated to notify the Australian Cyber Security Centre (ACSC) of the cyber security incident within strict timeframes, as little as 12 hours for highly critical incidents. This reduced time frame is due to amendments made to the Security of Critical Infrastructure Act 2018 (Cth) (SoCl Act) on the 8th of July, 2022. To learn more about these changes, HWL Ebsworth Lawyers wrote a great article describing how this effect businesses and to whom it applies.

Investigate the Breach

Once the cyber-attack has been contained and all affected devices are quarantined, it’s essential to identify how exactly the breach occurred and what the damage is. To do this, you may employ the skills of a forensic IT specialist who investigates the causes and effects of the cyber security event. This is important for three reasons:

It allows you to identify what occurred and the scope of the breach.
It enables you to formulate an effective plan to respond to the cyber security event, and it will determine the gaps and vulnerabilities in your company’s cyber security.
It’ll allow you to perform fixes so the same occurrence doesn’t happen again.

Notify Customers and Clients

After your team members are informed, and you have alerted the relevant authorises about the cyber-attack, it is time to notify your customers or clients. If the cyber security breach falls under the Privacy Act (1988), you must promptly notify the individual at likely risk of serious harm. In addition, under the Notifiable Data Breach (NDB) scheme, you must inform the affected individuals and the OAIC when an eligible data breach occurs.

According to the OAIC, an eligible data breach occurs when:

There is unauthorised access to or unauthorised disclosure of personal information or a loss of personal data that an organisation or agency holds
This is likely to result in serious harm to one or more individuals, and
The organisation or agency hasn’t been able to prevent the likely risk of serious harm with remedial action.

This notification to individuals must include recommendations about the steps they should take in response to the data breach. When communicating with customers and clients, it is vital to be transparent and open about how the data breach affects them and what you are doing to improve the situation. Some key things to communicate are:

When did the breach happen, and why?
What systems/services have been affected?
What steps are you taking to resolve the situation?
Is the breach ongoing, and can you say when you will fix it?
Who can customers contact if they have questions or concerns?

Depending on the extent of the data breach or cyber-attack, it may be worth hiring a public relations firm for the duration of the incident. This can help improve communication between you and your customers.

Restore and Recover Data and Systems

Once the breach has been isolated and eradicated from your systems, recovering and restoring your IT systems, networks, and devices can begin. Many organisations will have a business continuity plan or disaster recovery plan. This plan details how your company will ensure its ability to continue providing services to your customers or continue operations. However, even if no plan was implemented, this process should include restoring systems to normal operations, monitoring to confirm that any previously affected systems are operating normally, and making plans to remediate vulnerabilities to prevent similar incidents.

Evaluate and Improve

When the cyber security incident is resolved, it’s essential to reflect on the actions that occurred and improve your cyber security in the future using the information gained during the event. This will not only strengthen your defensive capabilities into the future but strengthening your cyber security can also improve your standing when it is time to renew your Cyber Security Insurance.

Some Considerations when creating a Cyber Incident Response Plan

Below are some tips for creating an effective CIRP:

Keep a hard copy of your response plan and include important contacts such as your MSP, Insurance provider and the Australian Cyber Security Centre. During a cyber-attack, you may be unable to rely on Digital copies.
Prepare and train your staff to respond when a cyber security incident occurs. Ensuring staff act quickly to an incident is integral to preventing or reducing data losses and breaches.
Educate employees on identifying a cyber event and provide training on preventative measures such as the Essential Eight for your staff to decrease your risk.

At GCIT, we specialise in providing Cyber Security peace of mind to our clients using best practice security measures and customised support. Our services help industry-specific occupations utilise the best security practices without interfering with your business’s daily operations or productivity. To find out how GCIT can help your business contact us at 1300 369 111.

December 12, 2022/0 Comments/by Shona Robinson

Why the Essential Eight is vital for your business

Cyber security, Essential Eight, Malware and Security Threats, Virus

Cyber Security incidents can have a detrimental impact on Australian businesses. With the increased reliance on internet-enabled services, companies are more vulnerable than ever. This has made them ideal targets for financially motivated cybercriminals with the issue being compounded, as many small businesses need more resources or time to create a comprehensive cybersecurity plan.

In the last twelve months, there has been an increase in the number and sophistication of cyber threats in Australia. The Australian Cyber Security Centre (ACSC) received over 76,000 cybercrime reports over the 2021-2022 financial year, an increase of nearly 13% from the previous year. For small businesses, the cost has also increased, costing on average over $39,000 per cybercrime reported. The cost of a cyber incident is not just monetary. It can cause irreparable damage to your consumer trust and compromise customer, business, and employee data.

For small and medium-sized businesses, it is essential to have cyber security mitigation strategies to help decrease the instances and impact of cyber incidents. The Australian Cyber Security Centre recommends the Essential Eight Framework to mitigate the risk of cyberattacks on Businesses.

What is the Essential Eight?

The Essential Eight is a framework recommended by the Australian Cyber Security Centre to help organisations protect themselves against cyber-attacks. It is designed to protect Microsoft Windows-based networks and systems. However, its principles can be applied to several situations and devices. In addition, it includes several mitigation strategies to reduce the risk of cyber threats significantly. This makes it the ideal starting point for many small and medium-sized businesses. The Essential Eight outlines several steps you can incorporate into your organisation’s existing systems to improve security and stability.

When implementing the Essential Eight, the first step is determining the maturity level you need. There are four levels, Level Zero through to Level Three. A Maturity Level of Zero signifies that an organisation has weaknesses or holes in their cyber security strategy. Grades One through Three recommend security measures of increasing strength and complexity to improve an organisation’s cybersecurity.

How to incorporate the Essential Eight into your business

If your business does not employ the Essential Eight, we recommend starting with Level One. Below are the critical components of this framework.

Apply application control

Application Control prevents unauthorised applications from being installed or run on a company computer. It’s a zero-trust security approach designed to protect against malware and untrusted applications. For example, in a Medical Centre, this could involve allowing access to only your practice management software, such as Best Practice or Medical Director, and related tools.

A practical method of implementing application control is to use Windows Defender Application Control (WDAC). This tool is included in Microsoft 365 Business Premium, a component of all GCIT-managed service plans.

Patch applications

Patch management ensures that all systems are up to date with available security patches promptly. Patches are necessary to close vulnerabilities or bugs in your software. This would involve updating programs such as Microsoft 365 with the latest updates.

Most business-specific software will deliver communications when updates are available. However, it’s the responsibility of the Business owner or IT Service Provider to ensure these are applied promptly. Patches and updates should be applied within two weeks of release or within 48 hours if a security exploit exists.

Configure Microsoft Office macro settings

Microsoft Office applications can create and execute macros to automate routine tasks. A macro is a sequence of automated actions that can replace mouse clicks and keystrokes to complete complex tasks. While these can be helpful tools, macros can also contain malicious code used by attackers to run harmful code or download malware.

We can manage the risks of Office macros using Attack Surface Reduction Rules in Microsoft Defender for Business, a Microsoft 365 Business Premium component.

User application hardening

Application Hardening involves reducing vulnerabilities in the applications your company uses. In the context of the Essential Eight’s Level One maturity model, Application hardening refers to security settings in the web browser. Specifically:

Web browsers do not process Java from the internet.
Web browsers do not process web advertisements from the internet.
Internet Explorer 11 does not process content from the internet.
Users cannot change web browser security settings.

These settings can be implemented using Security Baselines in Microsoft Intune, another inclusion in Microsoft 365 Business Premium.

Patch operating systems

A patch is a security update that fixes vulnerabilities. Like Application Patching, timely Operating System patching ensures your operating system has all current security updates installed.

Patches need to be constantly monitored to ensure systems are up to date. Security updates can be deployed per workstation using Microsoft Update settings. However, your IT provider can also manage them with a Remote Monitoring & Management (RMM) tool. Like many IT service providers, GCIT offers services to control Operation System patching through our RMM tool.

Restrict administrative privileges

Administrative Privileges allow a user to create, delete and modify files, settings, programs and other user accounts. A user with administrative privileges can significantly change an IT environment’s configuration and security posture. Administrative rights also allow users to elevate their operations and access sensitive information. Without restrictions on user accounts, malware and malicious code can cause much more damage, especially if the user that triggered it is an admin.

Restricting admin privileges also creates a more stable and predictable workspace, as fewer users can make significant environmental changes. Your IT Provider should regularly audit your environment’s permissions through consistent access reviews. They should also use the just-in-time access approach, ensuring users have the least possible privileges to perform administrative tasks for only the needed time.

Implement multi-factor authentication

When a user logs in to an account, multi-factor authentication requires multiple forms of authentication to prove their identity. This may come in the form of a password plus a generated code sent via SMS, email or authenticator app, or a secondary device that is already logged in and may need to approve access. An example is Apple’s multi-factor authentication which allows users to sign into their accounts using a password. They can then approve this action on an authorised apple device such as an iPhone.

Multi-factor authentication is one of the most effective security measures a business can implement. When implemented correctly, it can make stealing credentials that can cause further malicious activities considerably more difficult. Microsoft reports that multi-factor authentication prevents 99.9% of identity-based cyberattacks. This effectiveness, combined with its ease of use, makes multi-factor authentication a vital first line of defence for any organisation.

Create regular backups

Businesses need to ensure they back up business-critical information. Backups are not just for quick recovery in the event of a disaster but can also be an operational requirement for some industries. For instance, general practices require it to achieve accreditation from the Royal Australian College of General Practitioners (RACGP).

Backup is the process of copying files or databases to ensure their preservation in the event of equipment failure, security and cyber breaches or other disasters. Businesses should check their backup system regularly, including testing its ability to recover data. The loss of critical data can impose a high financial and operational cost on your business. However, having a business continuity plan with a reliable and frequently tested backup procedure can mitigate some of these effects.

Conclusion

Protecting your business from cyberattacks is one of the most important steps to improve your business’s stability, improve customer trust, and ensure continued operations. However, it’s important to note that the steps outlined above cannot entirely remove the threat of a cyberattack. Still, they can mitigate the risk and hopefully decrease any attack’s severity and long-lasting impacts.

At GCIT, we are specialists in providing Cyber Security services to numerous businesses across Queensland and New South Wales. Our Award-winning cybersecurity experts can take the stress out of IT Security and make sure your data is secure.

Contact GCIT to find out how we can help your business or organisation protect against cyberattacks.

December 2, 2022/0 Comments/by Shona Robinson

How do I stop phishing emails?

Exchange, Malware and Security Threats, Microsoft 365, Microsoft Cloud App Security

What are phishing emails?

Phishing emails are fake messages, designed to look legitimate.

They cost businesses around the world billions of dollars each year. And they get opened by about 30% of people. These emails will generally impersonate a person or company that you trust or deal with, and attempt to trick you using one of three things:

They’ll use a fake person – someone pretending to be someone you know, so that you share information or transfer money into an attacker’s bank account.

They’ll set up a fake site – So that you enter your private information, like passwords or credit card details, or provide a rogue app with permission to access your data.

They’ll create fake attachments – attackers will disguise malware in fake invoices and shipping notification to remotely access your computer or encrypt your files.

How can I prevent phishing emails with Microsoft 365?

To give our teams the best chance of avoiding phishing emails, not only do we need to make people aware of the methods above, we need to configure the features in Microsoft 365 that address them. Starting with Office 365 Advanced Threat Protection

Start with Office 365 Advanced Threat Protection

This is your companies primary defence against phishing emails. While all Office 365 plans come with a built-in anti-phish policy, it’s not even close to what’s offered in Office 365 Advanced Threat Protection, also known as Office 365 ATP.

Once you’ve purchased Office 365 ATP, you should jump into the Security and Compliance centre and check out your anti-phishing policy.

Its default controls are pretty good for detecting phishing emails that impersonate your users, your domains and external contacts. It develops an understanding of how your users and their contacts interact, the addresses and sending infrastructure they use, and identifies anything out of the ordinary. If it detects an impersonation attempt, the message is either quarantined or delivered with a warning.

You can enhance your protection by adding users in roles like CEO or CFO to the targeted user protection feature. You can also add external domains, that you frequently interact with, to the targeted domains feature.

Use a mail transport rule to warn on external impersonation

You can configure a mail rule that applies a warning to messages where an external sender uses a display name that matches someone internally in your company. We have an example rule on our website that has been pretty popular amongst smaller organisations.

So that helps address fake senders, how about fake attachments and fake websites? Office 365 ATP addresses these with the Safe Attachments and Safe Links policies.

Detect malicious attachments with Safe Attachments policy

The safe attachments policy can protect your users from malware sent by phishing emails, like the COVID-19 phishing campaign that used Excel files to install a malicious remote access tool. The Safe Attachments feature analyses your attachments in a separate environment, running a bunch of checks for malware then blocking the email or removing the unsafe attachment.

Detect malicious websites with a Safe Links Policy

The Safe links policy scans your URLs in emails for links to malicious sites. If a malicious website is detected, Safe Links blocks users from visiting it.

Remove phishing emails from mailboxes after delivery

These tools work by analysing messages for known malware, bad links or untrusted senders and stopping them arriving. But what happens if a bad email gets through, and the system doesn’t realise until later?

You should configure Zero Hour Auto Purge. Zero Hour Auto purge removes bad messages from your mailboxes retroactively and sends them junk, quarantine or deleted items.

Set up Office 365 ATP and Exchange Online Protection with recommended best practices

I’ve just discussed four different security policies in a few minutes. If you’ve spent any time looking at ATP or Exchange Online Protection policies, you’ll probably notice there’s a lot of policies, and most of them are already set up. Should you change anything or leave them as they are?

It would help if you changed them, and Microsoft has two levels of recommended best practices that they say will prevent most unwanted messages from reaching your team.

These two levels are called Strict and Standard. In our experience, Strict is very strict, but it’s a good starting point that you can enable first, and adjust later.

Test users by simulating a phishing campaign

Once your policies are set up, you should test your users. If you purchase Office 365 ATP Plan 2, you can run attack simulations against your team. Attack Simulations can help you identify and find vulnerable users before a real attack impacts them.

Protect your accounts if your team gives up their credentials

But what happens when messages get through? What happens when users get duped and provide their login details to attackers?

Protect your accounts. If a user enters their credentials into a fake website, we need to make sure an attacker can’t use these credentials alone to log in. All Office and Microsoft 365 plans allow you to configure multi-factor authentication; this will ensure that attackers can’t log in without having access to an additional form of verification such as a phone or authentication token.

If you have a plan that includes Azure Identity Protection, you should set up a sign-in risk policy to monitor for unusual logins. These policies use machine learning to detect suspicious activity and can temporarily block sign-ins and accounts if something’s amiss.

Monitor for unusual applications with access to your users’ data.

Now that accounts are getting more secure by default, attackers are requesting access to user data via apps. And it’s worse if they manage to trick an admin user because then attackers can have longstanding access to an entire organisation that persists even when passwords are changed.

It can be challenging to detect if a user clicks a phishing link and provides a rogue app with access to their mailbox, OneDrive or SharePoint data. So you use Microsoft Cloud App Security to get alerted to unusual oAuth applications with access to your teams’ information.

Be extra vigilant if your data has been exposed in the past

Take extra care if you, or companies you regularly interact with, have been breached before. If attackers have had access to your company data and know who usually communicates with who, and for what purposes, they will try to exploit that information by setting up fake emails to hold their fake conversations with their fake invoices to get your real money.

Need help with phishing in Office 365 or Microsoft 365?

If you need assistance setting-up these policies in your organisation or need a hand cleaning up after a successful phishing attack in Microsoft 365, we’d be happy to help. Reach out to us via chat, or using the form below.

May 27, 2020/0 Comments/by Elliot Munro

What’s causing Australia’s Data Breaches?

Malware and Security Threats, News

Australia’s reported data breaches increased by 19% in the last quarter of 2019. In this short post, we break down what caused them and how you can protect your business.

Australian organisations are now subject to Notifiable Data Breach laws. These laws attempt to drive better security standards for protecting personal information, and they require organisations to disclose breaches to the Office of Australian Information Commissioner (OAIC).

Companies who fail to disclose may be subject to hefty fines which also extend personally to company directors.

Want to protect sensitive information in Microsoft 365? Download our free Microsoft 365 Data Protection guide.

Find out more

How were Australian companies breached?

The OAIC releases a quarterly report on reported data breaches. The latest contains records up to December 2019 with a total of 537 reported breaches which break down into the following categories:

Malicious or criminal attack – 64%
Human Error – 32%
System Fault – 4%

To adequately protect your business against data breaches, you need to implement a system that addresses all three categories.

Protecting your organisation against malicious or criminal attacks

Let’s look at the methods hackers used to breach Australian businesses.

Of the ‘Malicious or criminal attack’ category, 74% of breaches involved compromised credentials. These are known as identity attacks because they use a compromised identity to gain unauthorised access. According to Microsoft, by implementing Multi-Factor Authentication across all users, an organisation can defend itself against 99.9% of identity-based attacks.

Ransomware and Malware made up another 16% of ‘Malicious or criminal attack’ breaches. These can be prevented by implementing a capable desktop and email threat protection engine such as:

Office 365 Advanced Threat Protection
Microsoft Defender Advanced Threat Protection.

Protecting your organisation against human error related breaches

Of the ‘Human Error’ category, 42% of breaches occurred using email. An example of this might be sending sensitive data to the wrong recipient. Companies can prevent this kind of breach by implementing a system which scans outbound email.

If the system determines that the email contains sensitive information, it can immediately block the mail delivery or alert a team member.

Protecting your organisation against System Fault breaches

Protecting your organization against system fault breaches relies on a combination of luck and due diligence. According to the OAIC, these types of breaches involve ‘disclosure of personal information on a website due to a bug in the web code, or a machine fault that results in a document containing personal information being sent to the wrong person.’

To defend against system faults, we recommend storing your sensitive data with reputable vendors only and choosing an IT partner who will regularly monitor and maintain your systems.

How can we help secure your environment against data breaches?

We use a combination of Microsoft 365 Business Premium and Microsoft Cloud App Security to implement enhanced cybersecurity for small businesses.

It’s not enough to simply buy the Microsoft licenses and apply them to your users.

To be effective in the modern threat landscape, these systems must be configured and monitored with policies applied and adhered to.

Want to learn more about protecting your data against breaches in Microsoft 365? Download our free guide on which features you should configure, or get in touch today.

April 22, 2020/0 Comments/by Elliot Munro

Office 365 ATP can now be integrated into your SIEM

Exchange, Malware and Security Threats, Microsoft 365, Office 365

Office 365 Advanced Threat protection and Office 365 threat intelligence logs can now be integrated into your SIEM solution.

Threats discovered by these services can be made available on the audit.general workload of the Office 365 Management APIs.

What are the Office 365 Management APIs?

The Office 365 Management APIs are essentially the API version of the Office 365 Unified Audit Log

To get your Office 365 ATP info into your SIEM, you’ll need to have the Unified Audit Log enabled for your tenant. Unfortunately, it’s not enabled by default.

How to enable the Office 365 Unified Audit Log

The Office 365 Unified Audit Log is an important and useful tool which can help you secure your Microsoft Cloud environment. If you’re a Microsoft Partner, we have a longer article on enabling this for your customers’ tenants here, but to enable it for a single tenant, you have two options.

Enable the Office 365 Unified Audit Log via the Security and Compliance Center

You can log into the Security and Compliance Center at protection.office.com as a global or security administrator.
You’ll find the setting under Search and Investigation, Audit Log Search.
If the audit log isn’t enabled, click Start recording user and admin activities

Enable the Office 365 Unified Audit Log via Powershell

Connect to Exchange Online via Powershell
Type: Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true

Connect your SIEM to the Office 365 Management APIs

Once the audit log is enabled, threats discovered by Office 365 ATP and Threat Intelligence will be available on the audit.general endpoint of the Office 365 Management API. For more information on setting this up, see the official Microsoft documentation here.

October 30, 2018/0 Comments/by Elliot Munro