For the background to this blog please read: Cyber security for all of us Part 1
The starting point for dealing with cyber security is to realise that a cyber attack, breach or hack can happen to anyone – there is no discrimination: individuals, families, churches, non-profits and businesses of any size.
The Optus breach on September 22 was a very high-profile case in Australia, while we also hear about some of the small hits every day.
Some of the hacks relate to money, others to email, to disrupting the computer or phone systems we use, or to personal or organisational identity. It’s not just about social media. Because we are all involved with digital access and information somehow – access to our banking, our post deliveries, the delivery of items bought online (internet or phone) and so many other aspects of our lives – we are all vulnerable.
Let’s start with a checklist of points to work on:
Develop some lists as follows.
Be prepared for the detail, and don’t scrimp, because this information is vital for you and your organisation. Do not try to solve the issues at this stage; that step will follow this assessment:
1. What assets do we have – physical and digital?
2. What is required to protect each asset?
3. What is currently required for the protection of the whole entity – personal, family, church, non-profit, business?
4. Consider the access points and gateways into these assets, i.e. how do you and other people access them?
NOTE: Weak points can be exploited from the inside as well as from outside.
5. Access to each asset – make lists for the following points now:
- who has access – every person and what level of access
- how do they acquire access (who approves their access and their level of access)
- how do they exercise that access, physical and digital (e.g. door key, computer (whose?), smartphone (whose?), in person at the bank or other institution)
- are there any extra or special requirements before the access can be used, e.g. limited delegations of authority, limits set by the bank or credit card provider, two or more approvals, supervision, cross-checking of reconciliations
- procedures – how are they documented, who must know them, how often are they reviewed and updated, and how are all people informed?
NOTE: Security protocols are necessary.
6. How much security is enough in our context? (Remember the story in Part 1 of this blog.)
7. What are our alert and warning procedures – who informs whom, when, and with what urgency?
8. What should we do now?
9. What measures should we have in place ongoing?
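Checklist item 5 is easier to keep honest if the answers are written down in one place and checked mechanically rather than held in someone’s head. The following is an added example, not code from the original blog: a small Python access register that records, for each asset, who has access, at what level, who approved it, how it is exercised and when it was last reviewed, plus a gap finder that flags the questions the checklist says must be answered (no recorded approver, overdue review, payment access without a second approval, privileged access from a shared device). All names, assets, dates and the 365-day review interval are constructed sample values.

```python
# Added example, not from the original blog post: a small access register that
# records the answers to checklist item 5 for each asset, and a gap finder that
# flags unanswered questions and weak points. Every name, asset, limit and date
# below is constructed sample data.
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass
class AccessGrant:
    asset: str                     # what is accessed, e.g. "bank account"
    person: str                    # who has access
    level: str                     # level of access, e.g. "entry", "edit", "admin", "pay"
    approved_by: Optional[str]     # who approved it; None means nobody is recorded
    means: str                     # how access is exercised, e.g. "physical key", "shared office PC"
    last_reviewed: Optional[date]  # when the grant was last reviewed; None means never
    dual_approval: bool = False    # must a second person approve actions taken with it?


# Levels that let a person change records or move money.
PRIVILEGED_LEVELS = {"admin", "pay"}


def find_gaps(grants: List[AccessGrant], today: date, review_interval_days: int = 365) -> List[str]:
    """Return one line per unanswered checklist question or weak point."""
    gaps = []
    for g in grants:
        who = f"{g.person} -> {g.asset} ({g.level})"
        if g.approved_by is None:
            gaps.append(f"{who}: no recorded approver")
        if g.last_reviewed is None:
            gaps.append(f"{who}: never reviewed")
        elif (today - g.last_reviewed).days > review_interval_days:
            gaps.append(f"{who}: last reviewed {g.last_reviewed}, review overdue")
        if g.level == "pay" and not g.dual_approval:
            gaps.append(f"{who}: can pay without a second approval")
        if g.level in PRIVILEGED_LEVELS and "shared" in g.means.lower():
            gaps.append(f"{who}: privileged access exercised from a shared device")
    return gaps


def people_with_access(grants: List[AccessGrant], asset: str) -> List[str]:
    """Checklist item 5, first bullet: every person with access to one asset."""
    return sorted({g.person for g in grants if g.asset == asset})


TODAY = date(2022, 10, 1)  # constructed "as at" date for the review

SAMPLE_GRANTS = [  # constructed sample register
    AccessGrant("bank account", "Alice", "pay", "board chair",
                "bank website on own laptop", date(2022, 3, 1), dual_approval=True),
    AccessGrant("bank account", "Bob", "pay", None,
                "bank website on shared office PC", date(2022, 3, 1)),
    AccessGrant("donor database", "Carol", "admin", "treasurer",
                "own laptop", date(2020, 1, 1)),
    AccessGrant("office door", "Dave", "entry", "manager",
                "physical key", date(2022, 9, 1)),
]

if __name__ == "__main__":
    for line in find_gaps(SAMPLE_GRANTS, TODAY):
        print(line)
    print("Bank account access:", people_with_access(SAMPLE_GRANTS, "bank account"))
```

Run against the sample register, the gap finder reports nothing for Alice and Dave, three problems for Bob’s bank access and one overdue review for Carol; the review interval is a parameter so the same register can be checked against whatever frequency your own procedures (item 5, last bullet) require.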
More true stories
I was on the board of a non-profit organisation and we went through this review process. It took a while. The staff were involved in the detail and the board reviewed the progress, the overview details and the principles for implementation. One of the key areas of interest for the board was the degree of risk and vulnerability for each asset and its access.
I was surprised at the gaps despite what seemed a thorough set of cyber security procedures. It did highlight that we needed to engage the services of an external IT company to assist with the review, and with maintaining the necessary level of cyber security.
One of the points that the recent breaches of cyber security have highlighted is that a lot more is needed than passwords and MFA (multi-factor authentication).
In our next episode (Part 3) we will look at what to do with the assessment you have just completed (the checklists and notes above).