October is Cyber Security Awareness Month, and this year’s overarching message, “Building our cyber safe culture”, is a reminder that security is not just a technology problem. It’s about people, processes, and everyday choices that either strengthen or weaken our defences.
Now that I have set the tone in such a formal manner, it’s time to roll up our sleeves and have a frank conversation. The three controls that the Australian government is promoting during Cyber Security Awareness Month are not new, far from it. In fact, simply implementing them can protect not only organisations from cyber threats, but individuals as well. Yet, for some reason, the take-up of these controls is not seeing the traction it deserves. I cannot tell you why, but I can tell you why they are so important.
When software updates pop up on our devices, it’s tempting to click “remind me later.” But behind those pop-ups are security patches designed to stop known vulnerabilities from being exploited. What does this mean in layman’s terms? Well… someone found a weak spot in the software, and the update fixes that weak spot so criminals can’t use it to break in. No one is perfect: most technology is still coded by humans, and humans make mistakes. They may miss things, or their code may lack newer security controls and coding practices, making it less secure than it was a day, a week or even a year ago.
Weak or reused passwords remain one of the easiest ways into both organisational and personal accounts. In fact, when someone says their Instagram or Facebook account has been hacked, it generally means they had a weak password in place, or they were using the same password across all their accounts. If you think you are safe, just go to https://haveibeenpwned.com or https://www.avast.com/en-au/hackcheck and search for your email address to see whether it has appeared in any known breaches. The longer you have had your email address, the more likely you are to show up in a breach (note: this will not show you all breaches, just the breaches that have become public). Still not convinced? Then go to http://www.dehashed.com/ and you might even get a refresher of what your passwords are. In fact, there are multiple sites out there that you can search to see if your email has been compromised; just make sure you choose a legitimate service, and not a fake service trying to harvest your details. I know, you cannot trust anyone these days.
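The same haveibeenpwned.com service also publishes a Pwned Passwords "range" API, which lets a client check whether a password has appeared in a known breach without ever sending the password itself: the client hashes the password with SHA-1, sends only the first five hex characters, and compares the returned list of hash suffixes locally. The example below is added here to show how that check works together with a simple "long and unique" passphrase policy; it is not the author's or Morrisec's code. It runs entirely offline against a constructed stand-in for the range index (three made-up breached passwords and counts), and the 14-character minimum is an assumed policy value, not one the post specifies.

```python
import hashlib
from typing import Callable, Dict, Iterable, List

# Constructed breach data for this example only: password -> number of times seen.
CONSTRUCTED_BREACHES = {"password": 9_000_000, "123456": 37_000_000, "Summer2023!": 1_200}

# Assumed policy minimum for a passphrase (not a value from the post).
MIN_PASSPHRASE_LENGTH = 14


def sha1_hex_upper(password: str) -> str:
    """Pwned Passwords keys its index by the upper-case hex SHA-1 of the password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_offline_range_index(breached: Dict[str, int]) -> Dict[str, List[str]]:
    """Build an offline stand-in for the range index from the constructed data.

    Keys are the first 5 hex chars of each SHA-1; values are 'SUFFIX:COUNT' lines,
    which is the line format the real range endpoint returns.
    """
    index: Dict[str, List[str]] = {}
    for pw, count in breached.items():
        digest = sha1_hex_upper(pw)
        index.setdefault(digest[:5], []).append(f"{digest[5:]}:{count}")
    return index


OFFLINE_INDEX = build_offline_range_index(CONSTRUCTED_BREACHES)


def offline_range_lookup(prefix: str) -> List[str]:
    """Stand-in for GET https://api.pwnedpasswords.com/range/<prefix>.

    Only the 5-character prefix ever leaves the client, so the service learns
    neither the password nor its full hash (the k-anonymity property).
    """
    if len(prefix) != 5:
        raise ValueError("only a 5-character SHA-1 prefix may be sent")
    return OFFLINE_INDEX.get(prefix, [])


def breach_count(password: str,
                 range_lookup: Callable[[str], List[str]] = offline_range_lookup) -> int:
    """Return how often the password appears in the (stand-in) breach corpus, 0 if never."""
    digest = sha1_hex_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in range_lookup(prefix):
        candidate, count = line.split(":")
        if candidate == suffix:          # comparison happens locally, not at the service
            return int(count)
    return 0


def assess_password(password: str,
                    existing_passwords: Iterable[str] = (),
                    range_lookup: Callable[[str], List[str]] = offline_range_lookup) -> List[str]:
    """Apply the three checks the post argues for: long, unique, and not already breached.

    existing_passwords stands in for the passwords a password manager already holds
    for the user's other accounts, so reuse can be detected.
    """
    findings: List[str] = []
    if len(password) < MIN_PASSPHRASE_LENGTH:
        findings.append("too_short")
    if password in set(existing_passwords):
        findings.append("reused")
    seen = breach_count(password, range_lookup)
    if seen:
        findings.append(f"breached:{seen}")
    return findings


if __name__ == "__main__":
    for candidate in ("password", "Summer2023!", "a long and unique passphrase 42"):
        print(candidate, "->", assess_password(candidate) or "ok")
```

Because the lookup function is a parameter, the same `breach_count` and `assess_password` can be pointed at the live range endpoint by swapping in a function that performs the HTTP request for the prefix; the hashing, prefix split and local comparison stay exactly as shown.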
Finally, Multi-Factor Authentication (MFA) remains one of the most powerful defences available. MFA is like putting a second lock on your front door. Normally, you log in with just a password, but if someone steals or guesses that password, they can walk straight in. MFA adds a second step, like a one-time code sent to your phone, a tap on an authenticator app, or a fingerprint scan. This means even if a threat actor has your password, they still can’t get in without that second key.
It is very important to remember that MFA codes are like your bank card PIN: you should never give them to anyone. No bank, IT helpdesk or delivery company will ever need your one-time code. The reason I mention this is that we are now seeing threat actors calling, texting or emailing people while pretending to be trusted organisations, trying to trick them into reading out their code. If you share it, you’re effectively letting them straight into your account even though you have MFA turned on. If you ever get an unexpected MFA request, or someone asks for your code, treat it as a red flag and report it.
I know we have all reached the end of our tether with talk of Medibank, but the reality is that, thanks to this and other major cyber events, cybersecurity has come front and centre for many organisations, although I am not too sure it has helped individuals that much.
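To make the "second lock" in the two paragraphs above concrete, here is an added example (not the author's or Morrisec's code) of how an authenticator-app code is produced and checked. The code is a standard time-based one-time password (TOTP, RFC 6238, built on HOTP, RFC 4226): a six-digit value derived from a shared secret and the current 30-second window. The toy account store is constructed for this example; it shows that a correct password alone is rejected, that a code is only valid for a short window, and that a code which has already been accepted is refused if presented again. The secret used in the test is the public RFC test vector, so the expected codes are known values.

```python
import hashlib
import hmac
import os
import struct

TIME_STEP_SECONDS = 30


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = TIME_STEP_SECONDS, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time window.

    This is what the authenticator app on the phone computes every 30 seconds.
    """
    return hotp(secret, unix_time // step, digits)


class AccountStore:
    """Toy server-side store, constructed for this example.

    Holds a salted password hash and a TOTP secret per user, plus the set of
    time-step counters already accepted so a code cannot be replayed.
    """

    def __init__(self) -> None:
        self.accounts = {}

    def register(self, username: str, password: str, totp_secret: bytes) -> None:
        salt = os.urandom(16)
        self.accounts[username] = {
            "salt": salt,
            "hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000),
            "secret": totp_secret,
            "used_counters": set(),
        }

    def login(self, username: str, password: str, code: str, unix_time: int) -> str:
        acct = self.accounts.get(username)
        if acct is None:
            return "unknown_user"
        # First factor: the password, compared in constant time.
        attempt = hashlib.pbkdf2_hmac("sha256", password.encode(), acct["salt"], 100_000)
        if not hmac.compare_digest(attempt, acct["hash"]):
            return "bad_password"
        # Second factor: accept the current window plus one step either side for clock drift.
        now_counter = unix_time // TIME_STEP_SECONDS
        for counter in (now_counter - 1, now_counter, now_counter + 1):
            if hmac.compare_digest(hotp(acct["secret"], counter), code):
                if counter in acct["used_counters"]:
                    return "replayed_code"      # an already-used code is never accepted twice
                acct["used_counters"].add(counter)
                return "ok"
        return "mfa_failed"


if __name__ == "__main__":
    # RFC 4226 / RFC 6238 test secret; a real deployment generates a random secret per user.
    secret = b"12345678901234567890"
    store = AccountStore()
    store.register("alice", "correct horse battery staple", secret)
    now = 59
    print("password only:", store.login("alice", "correct horse battery staple", "", now))
    print("password + code:", store.login("alice", "correct horse battery staple", totp(secret, now), now))
    print("same code again:", store.login("alice", "correct horse battery staple", totp(secret, now), now + 11))
```

The replay check protects against a code being captured and reused, but it does nothing if the account owner reads the current code out to a caller while it is still valid: the server sees a fresh, correct code and lets the caller in. That is exactly why the post says never to share the code.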
Looking at the three controls that are in the spotlight this month, the Medibank breach provides some context on the severity of not implementing these controls. Let me explain.
At Medibank, the breach began when a contractor’s credentials, saved in a web browser and synced to a personal device, were stolen by malware. Those stolen details were then used to log into Medibank’s VPN, a system that did not require multi-factor authentication. With no second layer of verification to stop them, the threat actor was able to move through the network, access internal systems, and exfiltrate hundreds of gigabytes of customer data before being detected. A number of controls could have helped prevent the attack. For example, regular configuration reviews and updates could have caught the weak VPN setup and outdated security controls before they were exploited. Enforcing strong password policies and discouraging the saving of credentials in browsers would have reduced the risk of theft. But most importantly, enabling MFA could have blocked the intrusion entirely, even if the password had been stolen.
The Medibank case reinforces the concept that basic controls work. Keeping systems updated, using strong and unique passphrases, and enabling MFA across all critical systems are simple but powerful measures that dramatically reduce the chance of a breach, and can turn a headline-grabbing disaster into just another blocked attempt.
Technology can only do so much. Depending on which article or piece of research you read, 60-75% of organisational breaches occur because of people. We click on links, reuse passwords, and even turn off security controls because they are annoying. Anyone who knows me knows that I am passionate about security awareness, and that I truly believe that to build a cyber safe culture, we need to normalise talking about cybersecurity at every level of the organisation and in our personal lives.
But culture-building should not stop at the office door. Many of the most vulnerable people, like older relatives, children just starting to explore the internet, or friends who don’t work in tech-savvy industries, often fall victim to threat actors because they have had less exposure to security awareness education. Talk to them about:
Cybersecurity is a familiar topic within organisations and boardrooms, yet we cannot go a day without hearing of someone who has been swindled out of some form of savings, whether through an online marketplace or by someone calling and pretending to be from a bank. The reality is that a single click, a reused password or a missed software update can bring an organisation to a standstill, or leave a retiree without their superannuation. I do not claim to have all the answers, but I know that we must continue to build a cyber safe culture in the workplace and at home, by taking small, consistent actions that add up to stronger resilience over time. Building a cyber safe culture today will make you and your organisation more resilient against both today’s and tomorrow’s threats. So, remember my favourite sayings:
If you need help with security awareness or just want a health check of security controls, reach out to Morrisec. Together we can build a cyber aware and secure culture.