The top five questions asked at security education and awareness presentations

Online security can be frustrating and confusing for end users, and that confusion translates directly into successful cyber-attacks. Attackers keep pace with advances in online technology, and things go wrong when the end user is confused: attackers prey on that confusion and add fear to it. Many security problems can be avoided by demystifying the common threats, methods and motives, and by giving people simple advice for staying safe online. That is where security education and awareness presentations come in.

The team at Asterisk deliver many education and awareness presentations to clients covering information security policy and demystifying online threats. These presentations also educate users on security controls (both technical and non-technical) that they can apply easily at home and in the office.

From C-level executives to IT Managers, support desk, workshop and administrative staff, everyone has a question to ask. Here are the top five questions we are regularly asked at security education and awareness presentations:

Q: “How do I make my passwords secure?”

A: We recommend using passphrases instead of passwords. A passphrase is a group of words, such as “Sunny Commodore Apple Polyester”, that is easy for you to memorise but hard for attackers to crack. The trick is to make sure the words really are random: pick them with a dice-based word list or a generator rather than from your own head, and avoid anything that would be obvious to people who know you or who follow your public social media accounts, such as your favourite sports teams, pets, animals or TV shows.

Where you can, we also recommend turning on multi-factor authentication, so the account performs a second check (a second factor) before letting you in. The most common second factor offered by personal services is a code sent by SMS to your mobile phone. This means that even if your password is guessed or cracked, the attacker cannot get into the account without the second factor, which is your phone. Where a service offers an authenticator app or a hardware security key, prefer that over SMS: SMS codes can be intercepted or redirected (for example by a SIM-swap attack), although SMS is still far better than a password alone.

If you would like to read more about passwords we recommend the NIST Digital Identity Guidelines (SP 800-63B), which are available here.
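As an added example (not code from the original post), the following Python snippet shows the two points made above in working form: choosing words with a cryptographically secure random source rather than by hand, and how the number of words and the size of the word list determine how hard the passphrase is to crack. The word list is a small constructed one for demonstration; a real generator should use a large published list such as the EFF long word list, which has 7776 entries, and the functions take the list size as a parameter so the figures for that list can be checked.

```python
import math
import secrets

# Constructed demo word list (32 entries) for this example only. A real
# generator should draw from a large published list; the list size drives
# the entropy figures below, which is why it is a parameter everywhere.
DEMO_WORDS = [
    "sunny", "commodore", "apple", "polyester", "river", "lantern", "copper",
    "meadow", "pencil", "harbour", "violet", "thunder", "biscuit", "granite",
    "saddle", "orbit", "cactus", "velvet", "puzzle", "anchor", "maple",
    "canvas", "wombat", "ladder", "quartz", "magnet", "tunnel", "ribbon",
    "falcon", "marble", "oyster", "kettle",
]


def entropy_bits(word_count, list_size):
    """Entropy (in bits) of a passphrase made of word_count words drawn
    independently and uniformly from a list of list_size words.
    Each word contributes log2(list_size) bits."""
    return word_count * math.log2(list_size)


def charset_entropy_bits(length, charset_size):
    """Entropy of a password of `length` characters drawn uniformly from a
    character set of charset_size symbols, for comparison. 94 is the number
    of printable ASCII characters excluding space."""
    return length * math.log2(charset_size)


def words_needed(target_bits, list_size):
    """Smallest number of random words from a list of list_size words that
    reaches target_bits of entropy."""
    return math.ceil(target_bits / math.log2(list_size))


def generate_passphrase(word_count=4, words=DEMO_WORDS, separator=" "):
    """Pick word_count words using the OS CSPRNG via `secrets`.
    Do not use random.choice for this: the default `random` module is a
    predictable PRNG and is not suitable for secrets. Words are chosen
    independently with replacement, so entropy_bits() applies exactly."""
    chosen = [secrets.choice(words) for _ in range(word_count)]
    return separator.join(w.capitalize() for w in chosen)


if __name__ == "__main__":
    print("Example passphrase:", generate_passphrase())
    # Four random words from a 7776-word list are roughly as strong as
    # eight fully random printable characters, but far easier to remember.
    print("4 words / 7776-word list: %.1f bits" % entropy_bits(4, 7776))
    print("8 random printable chars: %.1f bits" % charset_entropy_bits(8, 94))
    print("Words needed for 80 bits from 7776-word list:", words_needed(80, 7776))
```

The numbers are only valid if every word is chosen at random: a passphrase assembled from words the user picked themselves has far less entropy than the formula suggests, which is the point of the warning above about favourite sports and TV shows.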

Q: “Are password managers safe to store all my passwords?”

A: Generally yes, password managers are a safe place to store your passwords, as long as you choose a good one. There are a number of free and subscription-based password managers on the market, so we recommend reading reviews before deciding which one to use. Some products sync your passwords across all your devices so you have access on your desktop, laptop or phone, and most include a password generator that will create strong, unique passwords for you. Remember, your password manager is only as secure as the master password that unlocks it. We suggest you always enable two-factor authentication on the manager and protect it with a strong passphrase rather than a password, and never reuse that master passphrase anywhere else.

Q: “Are banking apps on my phone safe to use?”

A: Yes, provided the app is installed from the genuine app store (the Apple App Store or Google Play Store) and the bank is an established player in the Australian market. Only install apps from the official store, never from a website or an email link, and check that the bank itself is listed as the app’s publisher or seller. If you have any doubt about the authenticity of a mobile banking app, contact your bank to verify it.

Also, remember not to store any of your banking passwords or other information that could be used to access your bank accounts on your device.

Q: “Is it safe to use public or free Wi-Fi when it is available?”

A: Connecting to public Wi-Fi comes with several risks. Public Wi-Fi networks are generally not encrypted, which means anyone nearby with basic monitoring tools can see the traffic passing between your device and the access point you are connected to. Websites that use HTTPS still encrypt their content on an open network, but anything sent over plain HTTP, and which sites you are visiting, can be observed, and an attacker can also set up a look-alike access point with the same name to capture your connection. In our opinion, the safest option is not to use these networks at all. If you do need to connect to a public Wi-Fi network, consider using a trusted virtual private network (VPN) to encrypt the traffic leaving your device, and never log in to online banking sites or websites that store your credit card information.

It’s also good practice to turn off Wi-Fi or Bluetooth connections when not in use, which is also great for your battery life!

Q: “Can I use the same strong password on many sites?”

A: Reusing the same password across different accounts is never a good idea. If one site is breached or someone gets hold of that password, attackers will try it against other services (known as credential stuffing) and can take over multiple accounts at once. Always use unique passwords for your work and personal accounts, and be extra careful with sensitive accounts like online banking or accounts holding a lot of personal information, such as myGov. If you think a password may have been compromised, or you notice anything suspicious, change it immediately (on every account where it was used) and report it where appropriate. Password managers keep track of your different passwords for you and generate strong ones that are far less likely to be guessed or cracked.


Security education and awareness presentations are not just “one size fits all”. Surveys are conducted to identify gaps in staff knowledge, then training content is tailored to cover those gaps and fit the culture of the business. By undertaking training, staff can learn how to work safely online and create a culture of security – both at work and at home.

For more information about how a security education and awareness presentation can benefit your organisation, contact the team at Asterisk on 1800 651 420 or contact@asteriskinfosec.com.au


Notifiable Data Breach Scheme

What is it?

The Notifiable Data Breach (NDB) scheme is an amendment to the Privacy Act 1988 that comes into effect on 22 February 2018. The NDB scheme sets out an organisation’s obligation to notify individuals when a data breach has exposed their personal information and that exposure is likely to result in serious harm to them (an “eligible data breach”). Notification of the breach must also be provided to the Office of the Australian Information Commissioner (OAIC).

Who does it apply to?

The scheme applies to all entities that are already subject to the Privacy Act. As a general rule, this means Australian Government agencies, and businesses and not-for-profit organisations with an annual turnover of $3 million or more, although some smaller entities (for example, private health service providers) are also covered regardless of turnover.

What needs to be addressed?

To ensure that an organisation covered by the scheme can respond appropriately in the event of a breach, it needs to:

• Be able to identify and respond to security incidents in a timely manner;
• Have a process to assess whether a breach is likely to result in serious harm to the individuals affected;
• Have a communication plan for notifying affected individuals and the OAIC;
• Make sure its notifications meet the minimum requirements set out by the OAIC;
• Carry out remediation to prevent the incident recurring.

How to notify?

When an organisation has reasonable grounds to believe that an eligible data breach has occurred, it must promptly notify the individuals who are likely to be at risk of serious harm. If it only suspects a breach, the scheme requires it to assess, within 30 days, whether the breach is an eligible data breach. The Commissioner must also be notified as soon as practicable, with a statement describing the data breach.

Notifications must include the following information:

• The identity and contact details of the organisation;
• A description of the data breach;
• The kind or kinds of personal information involved;
• Steps that individuals should take in response to the data breach.

How to comply?

General guidance is provided by the OAIC and can be found here: https://oaic.gov.au/privacy-law/privacy-act/notifiable-data-breaches-scheme

If you need assistance with meeting your notification obligations, Asterisk can assist with implementing incident detection and response procedures and communications plans to ensure your organisation is ready to take action should a breach occur.*

* If you have not yet sought legal advice on your organisation’s exact eligibility and obligations under the Privacy Act, Asterisk recommends consulting an appropriate legal professional to ensure all legal requirements have been considered.