The Bottom Line

Cyber Security

Taking Cyber Security seriously DOESN'T mean you have to start wearing a tinfoil hat.

That's right. Despite scary and emotive headlines warning us of potential disaster from cyber attacks, the reality of staying cyber-secure is less about 'the rise of the machines' or 'being hacked by foreign governments', and more about taking sensible precautions, and teaming up with the right allies to guard your blindspots.

Yes, your business is at risk. We all are. If you engage in any kind of digital or online activity, you are vulnerable. But that doesn't mean you need to panic.

In this edition of The Bottom Line we hone in on some specific areas where you should be investing your time and attention to put you in the best position to protect yourself from the fallout of a cyber attack, and provide some sensible advice on how to partner with experts to optimise your security position in terms of cost, resource, time, and protection.

If anything in this edition of The Bottom Line raises concern or curiosity for you, reach out. Great outcomes start with great conversations!!

Something just for....you!

For the CEO

The simple mistakes that could cost your company dearly

Good cyber hygiene is the responsibility of everyone in a business, at every level – from the CEO down. While applying patches and updates in a timely manner to address known vulnerabilities may be the remit of a specific team, we’re all accountable for minimising business risk.

So, what are three basic hygiene measures we should all be aware of – and take personal responsibility for?

1. Spoofing – think before you click

While spoofing attempts range from texts to phone calls, email (phishing) remains one of the most popular spoofing methods. Industry reports estimate that 3.4 billion spam emails are sent daily.

And when in a hurry, it’s easy to overlook the tell-tale signs that this isn’t your beloved CEO requesting you to download and pay the attached invoice, the bank warning you that your password has been compromised and you need to update it via the attached link, or that a supplier has just sent you 250,000 rolls of hand towels – please confirm the order by logging in.

While these may seem like obvious scams, the average click-through rate for a phishing campaign in 2021 was 17.8%. Add a phone call, and that skyrockets to an average click rate of 53.2% (300% more effective). Most marketing departments would be envious of those results.

Researchers from Stanford University and a leading cybersecurity organisation say around 88% of all data breaches are caused by employee mistakes. That moment’s inattention – or the failure of your business to educate your people - can expose your business to irreparable harm by sharing login details, diverting funds, and inviting in malware.

2. Device locking – just do it

Yes, this is such a basic recommendation that you’d imagine that everyone does it.

Yet, Statista reports that as of 2021, only around 65% of users protect access to their smartphone using a PIN, passcode or fingerprint recognition.

Given that most smartphones, tablets, and laptops come ready-equipped with a selection of security settings. As setup only takes moments, there’s little excuse for leaving a device unprotected should it be lost, stolen, or left unattended.

3. Wi-Fi warning

We all understand the frustration of not being able to get online. But free Wi-Fi hotspots (think café, airport, or hotel lobby) should come with a public health warning. Especially if you intend to access personal or business accounts or sensitive data without using a VPN.

Mimecast reports that ‘around 50% of Americans regularly use Wi-Fi hotspots for financial transactions, while 18% use public Wi-Fi for remote work.’ This is despite potential dangers, including identity and password theft, malware infection, business email compromise, snooping for confidential data and more. And I’m sure that Kiwis and Aussies are no better.

There are many cybersecurity dos and don’ts that are common sense. But when frustrated or in a rush, it’s all too easy to take a risk that can invite disaster to your doorstep – and being the CEO doesn’t make you immune or absolve you from blame.

At Fusion5, we naturally have our own cybersecurity policies in place to protect our business, our people, and our customers. If you’d like to know how we approach any specific issues, just ask. We’re happy to share.

For the CDO

Exactly who is responsible for protecting your cloud data?

Answer: (A) You, (B) your technology partner, or (C) your cloud service provider? Or someone else altogether?

It’s not unusual for businesses who have moved to the cloud to pat themselves on the back and say, “Job well done; our data is now safe. Phew.”

Unfortunately, that’s not true. Just ask Facebook who had the personal data of over 530 million users stolen back in 2019. Or Alibaba who had more than 1.1 billion pieces of user data impacted after an attack in 2019. And LinkedIn, who had 700 million member profiles scraped from the cloud and shared on a dark web forum.

But who is responsible for the safety of your data once it’s in the cloud? The bad news is that it’s not the job of your cloud service provider (CSP) to secure your cloud-hosted data from attack. Even the most robust CSP can’t overcome human errors that originate at your end.

Let’s take a closer look.

If you are on a public cloud like Microsoft Azure or Amazon Web Services (AWS), then they own the infrastructure, physical network, and hypervisor (a program used to run and manage one or more virtual machines on a computer). And they’re responsible for securing them. Imagine they are your landlord and maintain the property, as well as provide burglar alarms and sprinklers. However, as the tenant, you still own the workload operating system, the apps, the virtual network, and access to your tenant environment/account - and the data. You’re liable for safeguarding your belongings, locking the front door when you leave, and not handing out access keys willy-nilly.

Likewise, if you’re a SaaS customer, then your vendor is primarily responsible for their platform - including its physical, infrastructure and application security. What they don’t own, though, is your data. And they’re most definitely not responsible for how you use (or even abuse) your applications. It’s your role to prevent or reduce the risk of data breaches through malware insertion, accidental exposure, or exfiltration (aka data extrusion, data exportation, or data theft).

Of course, if you host all of your own software applications on-premises, then all security issues and responsibilities are your own.

All of this isn’t helpful if you are feeling insecure about your data in the cloud. What is helpful, though, is looking at protecting your data (and applications) as a team effort. If you apply all of the same security measures to the cloud that you enforced with your pre-cloud infrastructure, you are off to a good start.

As a team, you need to determine who controls each component of the cloud infrastructure, as this will vary by cloud model (e.g., SaaS, PaaS, IaaS, etc.). It’s worth making a list – from data to devices to data centres and working through it carefully – so you know where responsibility is shared or falls entirely in your court.

So, the answer to the initial question about who is responsible for the safety of your data in the cloud is? Yes, it’s (D), everybody, all the time.

For the CFO

The cybersecurity checklist for CFOs

Due to the risk posed by cybercrime to businesses worldwide, CFOs have a more comprehensive range of responsibilities than ever before.

A weak cybersecurity position is a significant business risk across all organisations. Few finance professionals are unaware of the catastrophic devastation that can be wrecked should they fail to pay attention to a rapidly evolving threat landscape – from significant fines, huge ransom demands, through to the losses incurred if unable to transact.

However, as a CFO, you are more uniquely positioned than just about anyone else in the business to understand the financial (rather than technical) consequences of a security breach. Which means that if you’re not already playing a role, then you need to become proactive in countering and mitigating the challenges posed.

So, what specifically could (or should) you be doing?

Ensure that your organisation cybersecurity strategy keeps your financial data adequately protected, so it can’t be held to ransom under the threat of disclosure to competitors, or details on sold via the dark web
Make sure that your finance team are trained to recognise direct personal attacks in the form of phishing using spoofed email addresses, malicious links, and PDFs, and more.
Comply with applicable NZ and Australian cybersecurity compliance legislation to reduce the likelihood of crippling penalties
Tick all the cybersecurity insurance boxes and control your costs by meeting insurer requirements such as having a robust business continuity plan, incident response plan, security awareness and training, and various other technical controls
Ensure cybersecurity is represented at the governance level and positioned as a business and commercial risk
If you are responsible for ESG reporting, don’t underestimate the value of cybersecurity as a strategic differentiator

It’s important to treat your cybersecurity strategy as way to protect your business assets by minimising risk. It’s all a matter of perspective. Much like regarding a fire alarm and sprinkler system as a value-add to your business – whether it’s ever used or not.

So, where to from here?

CFO Magazine says that “a 2019 study revealed that while 55% of Australian and New Zealand CFOs and finance leaders identified cybersecurity as a ‘high’ or ‘very high’ risk to their organisations, the strategic direction for cybersecurity is set by the IT community (44%).” They add: “These statistics demonstrate that CFOs must lock arms with the CISO to understand how cyber risk affects the overall business.”

Active engagement in the strengthening of your cybersecurity posture is now part of the remit for any modern CFO. And that means taking your place alongside the other C-suite leaders in your organisation - including the CEO, CISO and CIO - to effectively manage risk.

For the CISO

DIY cybersecurity vs outsourcing? Which way should you jump?

As cybercrime continues on its dramatic upwards trajectory, addressing cybersecurity risks and challenges remains a pressing consideration for every CISO. No one is exempt. Businesses and organisations of all sizes must commit to protecting their data or face disaster – one way or another.

We’re often asked what we think is the best way to protect businesses – and at what point DIY cybersecurity stops becoming a viable option. We say it depends on several factors, but full disclosure here – cybercrime is at such a level that we would only rarely suggest keeping it in-house.

With 54% of companies saying their IT departments lack the sophistication to handle advanced cyberattacks, and 68% of business leaders feeling their cybersecurity risks are increasing, DIY cybersecurity has become increasingly difficult to manage effectively without the right resources, strategy, or budget.

The number of unfilled cybersecurity jobs worldwide grew 350% between 2013 and 2021. That is, from 1 million to 3.5 million. And it’s predicted that by 2026, the same number of jobs will still be open. Resources are at an all-time low, and salaries are at an all-time high, meaning few small or medium businesses can afford cybersecurity specialists (if they can even attract them).

If this isn’t a problem, then count yourself lucky and then ask your specialist/s if they can single-handedly manage all of your cyber security requirements. And as cybercriminals never sleep, neither can they. They need the capability and capacity to implement, manage, and maintain an ongoing programme of monitoring, patching, penetration testing and more – all while staying on top of the latest trends and developing new strategies.

If it is a problem, then consider engaging a partner who offers a range of cybersecurity managed services to meet your requirements. This way, you’ll not only have skilled resources with on-the-ground experience and multiple internally recognised certifications on tap but the latest monitoring tools and platforms to detect, mitigate and even pre-empt attacks. And as they do nothing but cybersecurity, there are no distractions – they are 100% focused on your safety.

Additionally, as cybercrime increases, so do the number of regulations designed to protect the data you gather and retain, and the penalties for breaches are high. The compliance needed to make your business secure is often complex. It requires specialist expertise and knowledge to manage and drive an improved security posture.

That’s not to say you’re bulletproof just because you use cybersecurity-managed services. It may sound like a cop-out – but data breaches are always possible (especially as 82% of data breaches are attributable to human error within an organisation). However, a dedicated cybersecurity partner has the tools and experience to respond, mitigate, and remediate the impact of an attack on your business – around the clock, year in, year out. Like cyber criminals, we never sleep.

For the CTO

Is zero trust the answer to safeguarding your business?

A 2022 Forrester Opportunity Snapshot says that 83% of Australian and New Zealand firms say zero trust is the future of their organisation’s security.

Yet, despite this enthusiasm, Forrester also reports that 48% of zero trust leaders felt that “their stakeholders struggled to understand the business value of adopting a Zero Trust approach.”

How did we get to the point where zero trust became a thing?

In the past, the normal approach to network security was to trust all users and endpoints within your organisational perimeter, but verify them. However, this put your organisation at risk from internal bad actors as well as external bad actors using legitimate but stolen user credentials for their own malicious purposes.

With the event of the pandemic came a new raft of challenges posed by remote workers, hybrid cloud environments and ransomware threats. For many, their security perimetre started to look like the Wild West – full of bullet holes and baddies.

So, that was then. What about now?

By comparison, zero trust is an approach which stops users (from inside or outside your network) from accessing your applications or data unless they first pass through a process of authentication, authorisation, and continuous validation for security configuration and posture. Unless they meet all these conditions, they do not pass ‘go’.

In recognition that these days there is no traditional network edge, the zero-trust model turns around the traditional approach from the simplistic ‘trust but verify’, to ‘continuously verify multiple times and ways in real time, evaluate the risks, assume there’s an attacker already lurking in your environment, and never, ever implicitly trust!’ So, it’s quite the turnaround.

The zero-trust concept actually dates back some 20 years, but the term wasn’t popularised until 2010 when used in a presentation by a Forrester Research analyst. Things started to really heat up though when in their 2021 "Zero Trust Adoption Report, Microsoft said: “96% of 1,200 security decision-makers who responded said zero trust is critical to their organizations' success.” The report pointed out the need for increased security, compliance agility, speed of threat detection, and remediation as top drivers for adopting zero trust.

Winning hearts and minds through business value

It’s important to realise that zero trust is a philosophy. It’s not a product. And like many philosophies, it can take some time and effort to gain mindshare.

So, what will help sway the minds of your stakeholders? Perhaps knowing that business benefits range from a more empowered employee experience, to improved monitoring and alerts, to streamlined security policy creation, and the improved ability to prevent data loss or theft, might bring a smile to their faces.

If you’re thinking about a zero-trust strategy – from architecture to implementation - feel free to ask us where to start.

For the HR Leaders

Why cyber awareness training needs to be part of your onboarding process

Human error has been consistently reported as one of the biggest threats to organisational cybersecurity. And since it’s easier (as well as less expensive and damaging) to pre-empt errors than to fix them, it’s logical to introduce cybersecurity awareness and training from the outset – regardless of whether an employee is new, returning to the workforce, or been-there-done-that.

Cybersecurity training ranks right up there with making sure a new employee understands the importance of not sharing confidential company information with friends over a beer, or failing to lock office doors if they’re last out.

While your HR team are undoubtedly experts at bringing new employees up to speed on company policies and procedures, it’s a good time to rope in your IT team (who live and breathe protecting your systems, networks, devices on a daily basis) to guide the delivery of cybersecurity training.

So, what’s important?

Keeping your business and its data and networks safe is a team effort and requires ongoing vigilance – so everyone has to get on board from the outset.

The best starting point is WHY being cyber savvy is so important and the consequences to the business and jobs if there’s a breach. Once employees understand the ‘why’, it’s easier to launch into HOW they can become be part of the solution. And then WHAT they need to watch out for – from dubious emails changing supplier bank account numbers, seemingly genuine phone calls asking for password verification, to logging on to lookalike ecommerce websites or leaving laptops un-screen locked and unattended, to using public Wi-Fi – and more!

With 75% of security breaches now attributed to successful phishing trips, any employee who uses email as part of their job becomes the weakest link in your defences. That’s why teaching your employees how to spot suspicious or ‘too-good-to-be-true’ emails (even before your IT team does) will pay off – big time. While newbies are often the most vulnerable to phishing, they can also - in time - become the most valuable weapons in your cyber defence arsenal.

And password training deserves a special mention too. Given that the majority of corporate data breaches involve stolen login credentials (IBM’s Cost of Data Breach Report for 2021 reports that compromised credentials accounted for 20% of data breaches), using lightweight (1234), predictable (password1), or recycled passwords (same-everywhere) is a mistake not just restricted to rookie users.

Onboarding is a bigger topic than ever, but maintaining cyber security and awareness is a team effort that should start the day a new employee walks in the door and continue right through to offboarding.

Spotlight on... Cyber Security

For a 'real talk' about the threat and impact of cyber attacks on Australian and New Zealand businesses, we put the spotlight on Fusion5's CISO Adam van Vliet, and GM of Enterprise Cloud and Security (including Fusion5's Security Centre), Kris Jackson. From the importance of being able to 'filter out the noise' so you can identify genuine threats quickly, to discussing the common things that businesses get wrong when attempting to improve their security, in just under 10 minutes, you'll be in a more informed position than when you woke up this morning!

00:18 Why is Cyber Security growing in importance, and, what is the biggest concern businesses have relating to Cyber Attacks.
00:54 What are the most common vulnerabilities that put businesses at risk of Cyber Attack?
02:04 What do businesses typically struggle with when it comes to Cyber Security?
03:48 Why did you develop the Fusion5 Security Centre, and what do you do for customers?
06:22 Why should businesses consider partnering with a Cyber Security specialist?
07:30 How should you structure your business for Cyber Security success?

Upcoming events

We regularly host online and in-person events to help people stay aware of the latest innovations and opportunities that exist to improve your business.

In addition to the events advertised below, we also have the following coming up in July.

12th July - Taking the sting out of Holiday's Act Compliance (NZ Only)
20th July - Do more with less - unlocking the untapped potential of your Enterprise Service Management platform
26 July - Better reporting and smarter decisions with NetSuite Analytics Warehouse

Please check the AU and NZ events page regularly as we'll post these events there when they are open for registrations, or let your Account Manager know that you're interested.

Latest news, insights, and resources

Blogs, eBooks, videos... we publish interesting, entertaining, and educational bits and pieces all the time — here's a selection of our latest offerings.

Blog

Navigating the tech turbulence: Understanding CrowdStrike outage

Learn practical tips to enhance security, maintain operational stability, and prepare for future challenges amidst the Crowdstrike Outage.

Blog

Make managing your contact centre less of a 'thing'

Blog

Six tips to get started changing your ERP

Blog

10 things you’ll love about Dynamics 365 Finance & Operations

While it’s easy to say all businesses are the same, I must say, hand on heart, that the food manufacturing and distribution industry is unique. And it’s exciting to see how well it’s supported by Microsoft Dynamics 365.