IT Security
ABOUT
IT security is one of the biggest IT challenges facing SMEs. Cyber threats evolve daily, with cyber criminals using increasingly sophisticated methods. To protect your business, you need a comprehensive security program that addresses the threats you are actually likely to face.
Effective security programs use a multipronged approach with multiple layers of security to protect against cyberthreats. The foundation of a security program is a backup and disaster recovery system that is regularly tested, and which allows for quick recovery should a cyberbreach occur.
Starting with the backup system as a base, other layers of protection are added, such as antivirus, password management, anti-spam, staff training and education, and other controls, each aimed at a different class of cyber threat.
Implementing IT security programs requires specialist advice and should be reviewed regularly.
1. We have a documented IT security and backup program in place.
Why is this item important?
IT security and backup protect your business from data and financial loss.
Unless the setup and management of your IT security and backup systems are clearly documented, it is impossible for you to adequately review them – which is something you should do at least annually. Failing to have adequate backup and security in place can leave you vulnerable to extended downtime and financial loss.
How can I tell if I meet this item in my business?
- You will be able to provide documentation detailing all the systems you have in place for both backup and IT security.
- Your documentation will include a schedule for testing and evidence that these systems have been tested and reviewed in the last 12 months.
What do I need to do to meet this item?
For backup, work out what data and systems you need to protect. Don't just think about your data; plan disaster recovery for your critical systems as well. Critical systems are those whose failure affects your whole business, or multiple people at once, when they are down or not functioning correctly. Then set up backup systems to protect these areas and document what they are and how they work.
For security, a multi-layered approach is required to ensure all areas of your business are properly protected. Think about every IT entry point into your business, from email through to laptops out in the field. Once your IT security is set up, document how it is done. This often involves multiple software platforms and support providers, so documenting who is responsible for what is important.
For both areas it is worth investing in an IT specialist to assist you with setting up appropriate systems.
2. We have processes in place to ensure that our business is protected from the latest cyber threats
Why is this item important?
Cyber criminals love what businesses have to offer, and SMEs can make easy targets because they often don't have all the best protections in place.
You might assume that because you're not storing credit card details or banking passwords you've got nothing worth stealing. This is untrue. All sorts of information your business stores make you a target for malicious activity, including credit card information, intellectual property, and personal information about clients, contractors and employees (contact details, dates of birth and banking details).
Frequently quoted industry figures put the share of cyber crime aimed at small and medium businesses at 43%, and claim that 60% of those seriously affected go out of business within 6 months. Whatever the exact numbers, investing in a solid baseline of network security costs far less than recovering from a network compromise.
How can I tell if I meet this item in my business?
You will have a comprehensive cyber security programme in place including, at minimum:
- a firewall or Unified Threat Management (UTM) appliance
- fully up-to-date software and operating systems with the latest patches applied
- up-to-date, enterprise-grade antivirus software
- email filtering
- multifactor authentication for access to important business apps
- organisational policies and procedures regarding online safety, supported by regular training.
What do I need to do to meet this item?
IT security is not a “set and forget” commodity. You need to constantly review your technology against the present and emerging threats. At least every 6 months, review any risks you have in your technology and assess where you need to take action to reduce the risk.
Engage an IT professional to perform a comprehensive security audit. They will be able to create a detailed inventory of all the business assets that you need to protect, identify the threats to those assets, and advise on the best methods for protecting them; and your business.
Any security measures you apply should be enterprise-grade and supported by cyber security policies and procedures, as well as regular staff training.
3. We test our backup system at least quarterly.
Why is this item important?
There are any number of ways that important data might be lost: intentional or accidental deletion, malicious activity (including malware that encrypts or deletes files), hardware or software failure, power failure or natural disaster.
Significant loss of data could mean substantial downtime, productivity loss or worse – business closure!
Test your backup system regularly to confirm that it restores all information correctly, and to measure exactly how long a restore takes, since that is the minimum downtime you will face after a loss.
How can I tell if I meet this item in my business?
- You receive regular information from your backup system on the success or failure of any backup it performs.
- You perform a full backup restore at least once per quarter and test it to confirm it works.
- You can restore lost files quickly and easily when you need to.
What do I need to do to meet this item?
An effective strategy requires an investment of time and money as well as effective implementation. You should have specific backup policies on all your servers and backup devices to ensure that there is a consistent and reliable method for recovering data.
Backups should run frequently and regularly without any human input. They should be secure and held in a separate location from the original data, and at least one copy should be offline or otherwise unreachable from the production network, so that an attacker or malware that gets into your systems cannot delete or encrypt the backups along with the originals.
Proper monitoring is required to know your backup is working, but a job reporting success is not the same as a restore working: test restores regularly, not just the backup jobs. This can combine an automated system that verifies each backup file with a manual recovery of files at regular intervals. Good backup systems send out email alerts so you can see whether they are working or not.
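As an added example of what an automated restore test can look like (this is not code from the original page): the script below backs up a directory to a tar archive, restores it into a fresh directory and compares a SHA-256 hash of every file on both sides, so a truncated, altered or missing file shows up as a failure rather than as a silent "backup succeeded". The sample data, archive path and restore directory are all constructed temporary files, an assumption made so that it runs offline.

```python
"""Automated restore test for a backup: back up a directory, restore it to a
scratch location and prove the restored copy matches the source byte for byte.

Added example, not code from the original page. All paths are constructed
temporary directories (an assumption) so the script runs offline.
"""
import hashlib
import tarfile
import tempfile
from pathlib import Path


def hash_tree(root):
    """Return {relative path: sha256 hex digest} for every regular file under root."""
    root = Path(root)
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def create_backup(source_dir, archive_path):
    """Write a gzip-compressed tar archive of everything inside source_dir."""
    with tarfile.open(str(archive_path), "w:gz") as tar:
        for child in sorted(Path(source_dir).iterdir()):
            tar.add(str(child), arcname=child.name)
    return archive_path


def restore_backup(archive_path, restore_dir):
    """Extract the archive into restore_dir (which must already exist)."""
    with tarfile.open(str(archive_path), "r:gz") as tar:
        try:
            # The "data" filter (Python 3.12, backported to 3.8.17+) refuses
            # members that would escape restore_dir, so a tampered archive
            # cannot overwrite files elsewhere during the test.
            tar.extractall(str(restore_dir), filter="data")
        except TypeError:  # older Python without extraction filters
            tar.extractall(str(restore_dir))
    return restore_dir


def verify_restore(source_dir, restore_dir):
    """Compare source and restored trees; 'ok' is True only if they are identical."""
    expected = hash_tree(source_dir)
    actual = hash_tree(restore_dir)
    missing = sorted(set(expected) - set(actual))
    extra = sorted(set(actual) - set(expected))
    corrupt = sorted(p for p in expected if p in actual and actual[p] != expected[p])
    return {
        "ok": not (missing or extra or corrupt),
        "files_checked": len(expected),
        "missing": missing,
        "extra": extra,
        "corrupt": corrupt,
    }


def build_sample_data(source_dir):
    """Constructed sample files standing in for real business data."""
    source = Path(source_dir)
    (source / "accounts").mkdir(parents=True)
    (source / "accounts" / "ledger.csv").write_text("date,amount\n2024-01-01,100\n")
    (source / "contracts.txt").write_text("Customer contract text\n")
    (source / "empty.txt").write_bytes(b"")  # zero-length files must survive too


def run_restore_test(tamper=None):
    """Full cycle in a throwaway directory: build data, back up, restore, verify.

    `tamper`, if given, is applied to the restore directory before verification
    to show the check catching a bad restore.
    """
    with tempfile.TemporaryDirectory() as work:
        source = Path(work) / "source"
        restore = Path(work) / "restore"
        archive = Path(work) / "backup.tar.gz"
        build_sample_data(source)
        restore.mkdir()
        create_backup(source, archive)
        restore_backup(archive, restore)
        if tamper is not None:
            tamper(restore)
        return verify_restore(source, restore)


if __name__ == "__main__":
    print(run_restore_test())
```

In practice you would call `create_backup`, `restore_backup` and `verify_restore` against a real data directory and a real archive location on a schedule, and treat any non-empty `missing` or `corrupt` list as an alert rather than a log line; the hash comparison is what turns "the job ran" into "the data is recoverable".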
4. We don't only rely on antivirus to protect us from cyber threats and instead have multiple security systems in place.
Why is this item important?
Antivirus software is only one weapon in the armoury your business needs to protect itself from cyber crime.
As Australians become increasingly security aware, and IT networks harder to breach, cyber criminals are using social engineering techniques to manipulate human trust and elicit information in order to bypass security protocols that can’t be breached by technical means.
Much of the threat to your business now comes from cyber criminals who use publicly known network vulnerabilities and social engineering to get in, with malware often arriving only after a person has been tricked, so antivirus on its own is not enough.
How can I tell if I meet this item in my business?
On top of enterprise-grade antivirus protection, you will also have:
- a password manager to maintain a strong, unique password for every account you log into
- two-factor authentication to protect sensitive information like banking and payroll
- antispam settings to stop cyber attacks from entering your network via email
- a firewall or Unified Threat Management (UTM) system
- a secure, automated, off-site backup system.
What do I need to do to meet this item?
As with item 2, engage an IT professional to audit your environment, but for this item the audit should confirm that every layer listed above is in place, correctly configured and being monitored, not just that antivirus is installed. Each control covers a different way in: email filtering and staff training address social engineering; the firewall or UTM addresses attacks on known network vulnerabilities; the password manager and two-factor authentication limit the damage when a password is guessed or stolen; and the off-site backup is what you recover from if everything else fails.
Any security measure you apply should be enterprise-grade and supported by cyber security policies and procedures, as well as regular staff training.
5. We have a best practice password policy in place and it is always followed
Why is this item important?
Passwords provide the first line of defence to your business computers and electronic devices. It’s important that you use strong passwords that are hard to guess.
If passwords are too simple, or have already been leaked from another site, attackers can guess them or simply look them up, giving cyber criminals free access to your systems. Once they're in, you have a major problem. The longer, more unique and harder to guess your passwords are, the safer your network will be from a cyber attack.
How can I tell if I meet this item in my business?
- You have a password policy that requires all staff members to use long passwords or passphrases (a minimum length, with 12 or more characters as a sensible floor, protects better than forced mixes of numbers, upper case and symbols, which is the position taken by NIST SP 800-63B), that blocks passwords known to appear in breach lists or that are easy to guess, and that requires a change whenever a compromise is suspected rather than on a fixed 3-monthly schedule.
- The policy is enforced at the system level, and therefore must be adhered to.
- Every employee that accesses a system has their own unique login. No logins are shared.
- Employees do not use the same password for multiple logins.
- Employees receive regular training in online safety and password security.
What do I need to do to meet this item?
Review or create your password policy and make sure that it is stored in an accessible location and all staff are familiar with it. Provide training and assistance to staff in enacting the policy and perform regular checks to make sure the policy is being followed by all staff.
Your password policy should explain:
- how to store passwords correctly
- when passwords must be changed (on any suspected compromise, rather than on a fixed calendar)
- the importance of having unique passwords for different logins.
You may need to engage an IT professional to assist you in policy enforcement at the systems level.
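As an added example of what "enforced at the system level" can mean in code (this is not code from the original page, nor any vendor's product): the check below implements a password policy in the direction of NIST SP 800-63B, with a minimum length, screening against known-breached and easily guessed passwords, rejection of the username inside the password and of reuse, and no mandatory character mixes. The `old_style_policy_accepts` function encodes the "complex, 10 characters" rule alone so the two can be compared on the same inputs. `BREACHED_PASSWORDS` is a constructed stand-in for a real breach corpus, and the password history is constructed sample data; both are assumptions.

```python
"""Password policy enforced in code rather than just on paper.

Added example, not code from the original page. The rules follow the
direction of NIST SP 800-63B: a minimum length, no mandatory character
mixes, screening against known-breached and easily guessed passwords,
and no reuse of earlier passwords. BREACHED_PASSWORDS is a constructed
stand-in (an assumption) for a real breach corpus; the password history
used at the bottom is constructed sample data.
"""
import hashlib
import hmac
import os

MIN_LENGTH = 14
PBKDF2_ROUNDS = 100_000

# Constructed stand-in for a breached/common-password list; a real check would
# consult a full corpus (for example the Have I Been Pwned list).
BREACHED_PASSWORDS = {
    "password", "password1", "password1!", "welcome123",
    "letmein", "qwerty123456", "summer2024!",
}
_BREACHED_LOWER = {p.lower() for p in BREACHED_PASSWORDS}


def hash_password(password, salt=None):
    """Salted PBKDF2-SHA256 hash; old passwords are kept in this form for reuse checks."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def matches(password, stored):
    """Constant-time comparison of a candidate against a stored (salt, digest) pair."""
    salt, digest = stored
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def old_style_policy_accepts(password):
    """The 'complex (number, upper case, symbol), 10 characters' rule on its own."""
    return (len(password) >= 10
            and any(c.isdigit() for c in password)
            and any(c.isupper() for c in password)
            and any(not c.isalnum() for c in password))


def check_password(candidate, username, history):
    """Return the list of policy violations for candidate; an empty list means accepted.

    history is a list of (salt, digest) pairs for the user's previous passwords.
    """
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if candidate.lower() in _BREACHED_LOWER:
        problems.append("appears in breached/common password list")
    if username and username.lower() in candidate.lower():
        problems.append("contains the username")
    if len(set(candidate)) < 4:  # e.g. "aaaaaaaaaaaaaaaa" is long but trivial
        problems.append("too repetitive")
    if any(matches(candidate, old) for old in history):
        problems.append("reused a previous password")
    return problems


if __name__ == "__main__":
    # Constructed example history for one user.
    history = [hash_password("correct horse battery staple")]
    for pw in ("Password1!", "correct horse battery staple", "orbit-velvet-cactus-29"):
        print(repr(pw), "old rule accepts:", old_style_policy_accepts(pw),
              "violations:", check_password(pw, "alice", history))
```

Note that "Password1!" satisfies the old complexity rule yet is rejected here for being short and for appearing in the breach list, while a long passphrase with no symbols passes; that difference is the point of moving from composition rules to length plus breach screening.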
6. We provide staff with regular education and training on best practice IT security, online safety and how to recognise the latest cyber threats.
Why is this item important?
Cyber crime is a profitable and growing industry, and everyone’s a target.
It doesn’t matter how much technological protection you apply to your business systems, there is always the potential for an employee to become the unwitting source of a security breach.
This can happen when staff do not follow the IT and information security policies they have been given, are unaware of how much of their digital footprint is exposed online, or are simply taken advantage of by an attacker.
How can I tell if I meet this item in my business?
- Staff are confident in their ability to recognise potentially fraudulent emails and other kinds of scam activity.
- Staff do not engage in risky online behaviour.
- Staff share information and warnings on any cyber threats they have been exposed to, or risky behaviours they have observed.
What do I need to do to meet this item?
Provide a clear and open channel of communication for staff where they feel comfortable in questioning and/or escalating any risky activity or potential threat they have identified.
Develop or acquire resources to deliver induction and regular training to all staff about:
- their computer rights and responsibilities
- their network access and use
- acceptable online practices when using email, work computers and devices
- maintaining good passwords
- recognising and responding to fraudulent emails
- reporting suspicious online activity.