Cyber security for Australian businesses is an issue whose prominence and importance seems to just keep rising. The threat to the Australian government and business sectors is ever-present and, when major cyber attacks are underway, the need for strong cyber security is even more acute.
Sean Dendle, founder and CEO of managed IT services company Cymax, has a saying: “IT departments have to get it right every time, hackers have to get it right only once.”
In essence, cyber security experts like Sean can’t rest on their laurels. They must remain proactive and vigilant when it comes to keeping the criminals out of client systems. And, if you’re a client for a managed IT services supplier, you have a lot of responsibility here too.
When you’re an executive immediately upstream of an IT team, a lot depends on you knowing what cyber security questions to ask your IT manager.
You need to know how to ask questions that cut through the tech jargon. Questions whose answers give you a better understanding of what your cyber security posture actually means. Questions like the 12 that follow …
1. Do we restrict administrator permissions?
Restricting administrative permissions involves only granting the required access to effectively perform your duties. Restricting access minimises the attack surface and impact should a system become compromised. This ensures that should an adversary gain access to an account, they’re not gaining access to an entire system.
The answer you want to hear is: Yes, we restrict permissions to A, B and C.
2. How frequently are our systems patched?
“Patches are released to resolve bugs and security holes in an operating system and applications,” Sean explains. Ensuring patches are applied in a timely, consistent manner is essential to the security of any system.
If you are on a Microsoft system, you should be aware of “Patch Tuesday” a slang term that arose in reference to Microsoft’s tendency to roll out patches each Tuesday (USA time).
The answer you want to hear: Yes, we patch according to a schedule of X, because Y. While we appreciate the line of business applications need to be tested against new patches, if security patches are not applied to your systems within 14 days of release, you could be leaving your systems compromised.
3. How are our macro settings configured?
Macros are little packets of instructions that can run within applications to help automate tasks. They’re extremely useful in that function. Sadly, hackers can also use them to deliver and execute malicious code on a system.
The answer you want to hear: Yes, our macro settings are configured to: block macros from the internet, only allow vetted macros from trusted locations and limit the write access of specific macros.
4. Does our endpoint security provide proactive protection against exploits?
This is essentially asking whether your antivirus software is equipped to handle potential exploits in a proactive manner. Hackers have evolved over the years, and so has antivirus. Your systems should be monitoring for processes that are trying to circumvent the vulnerabilities in operating systems. If they find one, then the right endpoint security can proactively block an attack even though the antivirus is not aware of it.
“Think of proactive protection against exploits like having a good immune system that blocks infections, rather than having a good medical emergency team – the antivirus software – that first must let an infection in to diagnose it and then know how to treat it.”
The answer you want to hear: Yes, our system goes beyond antivirus and offers proactive protection against exploits. We are using product ____.
5. Do we have file encryption?
File encryption ensures any sensitive documents and data can’t be read or accessed outside of specific environments.
“If you’re sending sensitive info out of the organisation, you can have it encrypted so only the intended recipient can see it,” Dendle says.
“Probably 99 percent of organisations, however, do not have file-level encryption – they are relying on hope.”
The answer you want to hear: Yes, not only do we employ file encryption, we have a policy enforcing its use.
6. Do we have disk encryption?
While many operating systems offer disk encryption capabilities, the unfortunate reality is just as many IT departments simply don’t configure them. This matters, because disk encryption ensures cyber security when a piece of hardware falls into the wrong hands. Research from the US has found that nearly 90 percent of IT practitioners have had to deal with the theft of a laptop.
“If you have your laptop stolen, without disk encryption all of your company sensitive information can be easily downloaded, copied, searched and read,” Sean says.
“If you think just because your laptop has a login password that you’re safe – no: getting around it is a piece of cake.”
The answer you want to hear: Yes, we have BitLocker encryption configured and enforced as a company-wide policy.
7. Do we employ content filtering?
Content filtering is the practice of blocking access to certain pieces of web content. In security terms, it means blocking users from navigating to potentially unsafe or malicious content. Your business should employ content filtering to help mitigate the risks associated with internet access.
The answer you want to hear: Yes, we have a comprehensive content filtering system.
8. Do we use Applocker?
Applocker is a Microsoft tool that helps you control what applications can be used within your environment. You can deploy it to create rules that allow or deny apps to run based on different circumstances according to factors like what users are trying to access the application, what files are being read and where the app is running from.
The answer you want to hear: Yes, we are using Applocker or product _____ for whitelisting applications.
9. Do we enforce password complexity?
This one’s self-explanatory. More complex passwords are a crucial tool in securing your data. By enforcing the use of complex passwords you’re making sure your system isn’t at the mercy of an easily guessed admin password. You should also ensure your users aren’t using default passwords.
The answer you want to hear: Yes, we have password complexity rules that stipulate A, B and C.
10. Do we employ two-factor authentication?
Passwords are just one wall in the path of malicious hackers. To better secure your login data, your company should employ two-factor authentication. This is the practice of sending a key or passcode to a phone or email to, in essence, authenticate the login.
In effect, this means your authentication runs not only on who you are – your username – and something you know – your password – but also something you have – such as the authenticator app on your phone.
The answer you want to hear: Yes, we are using two-factor/multi-factor authentication … here is how it works..
11. Does our firewall provide next-gen sandbox and intrusion prevention?
Sandboxing is a crucial way to stop the execution of malicious files.
“It essentially allows your firewall to pre-download a file to confirm and validate its benign nature, prior to it being available to an end user,” Dendle says.
A sandbox is a digital space where you can safely see if a file “behaves itself”. This capability is what is denoted by the term “next-gen”.
The answer you want to hear: Yes, our firewall is capable of sandboxing and has proactive intrusion prevention.
12. Do we know what the RTO and RPO are for our backups?
RTO stands for Recovery Time Objective – it’s how long it takes your secondary systems to come online in the event your primaries fail. It also refers to how much time an application can be down without causing significant problems for an organisation.
RPO stands for Recovery Point Objective – that is, how much data is lost in the event of a failure. For example, if you have an RPO of 24 hours, the worst case scenario would be losing a day’s worth of data.
The answer you want to hear: Yes, our RTO and RPO are X and Y and each is matched to the business’ disaster recovery strategy. It should be the management or executive team that dictate the required RTO and RPO. It’s the IT department’s responsibility to align to the RTO and RPO.
Ask the experts
Now you know 11 important questions you should be asking your IT manager, it’s time to ask them. Armed with the answers, you’ll be in a better position to secure your company against cyber attacks.
But knowing what to ask is just step one, once you get your answers you might well find that your IT team needs a hand.
If they do, why not get in touch with Cymax. See how we can better secure your business against cyber threats.