What you need to know about cyber security
We focus on what you need to know about cybersecurity in New Zealand, based on the common misconceptions people have about it. There is still a tendency for businesses and even larger organisations to defer cybersecurity risks rather than address them. As with most uncomfortable truths, the key to success is identifying and tackling the risks head on.
Cybersecurity can be cheaper and easier than you may think
Cybersecurity isn’t a battle won overnight; it’s a constant struggle.
Techtonics specializes in cybersecurity so you don’t have to, making it easier for you and your staff to get results without committing a huge amount of resources and effort.
You might be surprised how easy it can be to identify your current security posture and build your cybersecurity defenses at a rate appropriate to your business. Each defensive layer (defense-in-depth) and reactive mechanism you put in place works together to keep your business resilient and as safe as possible.
Cybersecurity is not an all-or-nothing construct, so talk to us about how we can help you take measured steps towards securing your business’s environment.
Attackers don’t discriminate - everyone is at risk.
Many have the mindset that attackers only focus on specific entities, therefore small organisations are unimportant and relatively safe. This is not the case – globally, 43% of breach victims are small businesses (Verizon). Bad actors/hackers automate the vast majority of their attacks, spamming anything with an internet connection.
Automated attackers don’t care how important your data is or where you’re physically located. They’re in it primarily for profit: using your resources, stealing your data and selling it off or ransoming it back to you, or disrupting or denying your services to your customers.
The best means of defense against automated and targeted attacks is to make it as hard as possible to breach your defenses, making it uneconomical and unattractive to target you.
The graphic on the right from Rapid7’s Quarterly Threat Report shows breaches by industry, demonstrating that attackers don’t discriminate.
Passwords just aren’t enough:
Automated attacks can guess (brute force) passwords at a rate of 10,000 to 1 billion passwords per second.
Phishing attacks are slowly declining, but 62% of businesses experienced phishing and social engineering attacks in 2018 (Cybint Solutions). These attacks focus on harvesting credentials (logins and passwords) through fake but enticing login pages.
People often use the same passwords for different websites and services, making them all vulnerable if a single password is gleaned or guessed.
Credential dumps are commonly available on websites and the dark web. Attackers will then try those credentials across multiple sites and services.
Attackers who have gained access to your network will often source and sell credential data.
It’s not if, it’s when you experience a breach
It’s an uncomfortable truth that defense isn’t enough. Every organisation should have a strategy in place to identify and manage breaches. Just as for a physical break-in (breach) at your facilities, it’s best to have the technologies, processes and procedures (TPPs) in place before it happens.
We can help you put in place technologies that identify and inform you when a break-in does happen, what happened and what was impacted. We can also provide you with mechanisms to lock it down and limit exposure. This can include using deception technologies such as honeypots, dummy user credentials and data, or automatic disconnection of user workstations or servers that have been breached.
Having TPPs in place creates a proactive environment in which your technology team or cybersecurity provider can limit your exposure and remediate as necessary. This should include the ability to provide accurate, detailed information to your board, clients, insurance providers, NZ CERT and New Zealand Police.
Generally, businesses are already late starters when it comes to limiting their exposure to breaches, knowing what has happened or is happening in their environment, and reporting instances to clients and authorities as required. The time for action is now; it is never too late.
Cybersecurity is an integral part of your people and processes, not just technology:
Cybersecurity isn’t limited to technology and those systems connected to the internet.
People drive your business. They use technology and processes to meet the business’s goals and objectives. It’s important to understand that all three areas (People-Technology-Processes) are vulnerable to cybersecurity attacks and threat actors. Therefore, protecting any one area in isolation is akin to locking your doors yet leaving your windows wide open.
Investing in a strong security culture and cyber awareness training across your staff will provide benefit to the business and reduce losses from breach activity.
Techtonics focuses on identifying and applying mitigations against threats across people, technology and process, helping you establish and continually build your organizational cyber resilience.
Cybersecurity isn’t as scary as it sounds
Cybersecurity is the practice of defending computers, servers, mobile devices, electronic systems, networks, and data from malicious attacks.
Cybersecurity is premised on the idea that ‘absolute security is absolutely impossible’, so it is essential that businesses understand there is always risk and establish defense in depth via mechanisms that provide visibility, early warning, management, response and reporting of breaches.
Cybersecurity planning starts by providing information on where you are relative to cyber resiliency (the ability for your business to keep going despite being attacked), and a prioritized roadmap to get to where you need to be.