Feels like I need to get myself an umbrella because I’m over getting caught in the rain.
– Cybersecurity victim
Install AV. Cross fingers. Bury head in sand.
This is a true story. Many moons ago we had a meeting with a GP from a small practice in the Western Sydney suburbs. We were called in because they had just been hit with ransomware. Workstations across their entire network had been encrypted. They had minimal protection beyond a standard anti-virus/anti-malware product, recommended by the techie nephew of the owner, and it was no match for the malware that hit their systems. It took days to recover from their offsite backup. The practice had to close its doors until its systems were operational again. This compromised the health and safety of their patients, not to mention the damage to the reputation of their business.
Worse still, this was the second time that it had happened in 6 months.
There are two things to consider here.
- No security solution is ‘set and forget’. They all require human intervention.
- Doctors, nurses and clinical staff are not often well versed in these types of viruses and infections.
When it comes to cybersecurity there’s an expectation that your users will take some responsibility for their actions: keep their security platform up to date, and be careful with all incoming emails and websites.
I once held a cybersecurity training session for staff of a national supply chain provider, educating them on the importance of cybersecurity and what to look out for. The next day a member of accounts receivable opened an email personally addressed to her from “Australia Post”, as she was expecting a personal delivery to her work address. The email was fraudulent. Her workstation was encrypted. They took it out the back and ran it over, and replaced it with an Etch A Sketch. Well, not really. But we learned that despite their best intentions, sometimes users still make mistakes.
What do we suggest?
Well, we still recommend user training above all else. There’s plenty of free material available to educate users, including “The Little Black Book of Scams” published by the ACCC which is available for free by request. We recommend holding internal education campaigns regularly, and internal marketing efforts focused on the impacts of cybersecurity not just on internal staff, but on clients, vendors, suppliers and any other stakeholders in the business.
Additionally, as with all business functions, it is important to have an owner of the cybersecurity function: somebody who oversees it and ensures that it is compliant, kept up to date and enforced. This person can monitor incoming alerts and threats, run education campaigns, and run simulated targeted attacks (such as phishing exercises) to test for vulnerabilities and for new threat vectors.
Meh, too hard.
That’s cool too! Junius Solutions offers a Managed Security as a Service platform to oversee the cybersecurity protection layer across your organisation. By implementing, managing and monitoring the deployment of industry-leading security tools and practices, we ensure that a certified cybersecurity professional is overseeing your organisation and can respond to threats appropriately.
Scoping out a Managed Security as a Service engagement can be very much a ‘how long is a piece of string’ conversation, depending on your risk appetite and any compliance standards you need to adhere to. We are well versed in the ASD Essential Eight and the NIST cybersecurity guidelines, and have frameworks to protect your organisation that scale with your risk appetite.
Along with this, Junius Solutions has a team of consultants and security experts who can teach you the basics or deep-dive into a full cybersecurity audit, depending on your requirements.