Optus Data Breach - What You Need to Do
Optus Australia has suffered a major data breach, in which sensitive personal information about both past and present customers was stolen by cyber attackers. Here are some simple steps you can take to understand if you were impacted and protect yourself if you were.
Update: As of the 27th of September 2022, the attacker has claimed to have deleted all copies of the data. Unfortunately, there is no way to verify this, and the claim may simply be a tactic to slow people in protecting their identity. We still strongly recommend that you take the steps below in case the data has been sold or reemerges in the future.
1. Check if you were impacted
Use the chat in the My Optus app to confirm if your details were exposed. Ask them to check each email address that is associated with your account.
Optus is in the process of informing customers however they may not have current contact details, and many customers are reporting Optus emails being caught in spam and junk filters. The best thing to do is speak to Optus directly via the My Optus app and ask them to check each email address you have associated with your past or present Optus account.
2. Apply for a credit ban
If ANY of your identity documents or ID numbers were exposed, apply for a credit ban with Equifax, illion, and Experian. Credit bans prevent new credit facilities from being fraudulently taken out in your name. Fraudulent credit applications can negatively impact your credit rating, cause significant stress, and take many hours to evidence as fraudulent to businesses and debt collectors.
By default, credit bans last for 21 days and can be removed or extended if needed.
More information about credit bans can be found here.
3. Monitor your credit
If ANY of your identity documents or ID numbers were exposed, consider regularly checking your credit report and using a credit alerting service that notifies you of fraudulent credit applications in your name.
Monitoring your credit report and using free or paid credit alerting services will ensure you quickly become aware of fraudulent credit applications and can begin the process of preventing them early before too much damage is done.
4. Replace your Driver's Licence
If your Driver's Licence number was exposed, check your state's rules for replacing your licence with one that has a new licence number. It's important that you don't just get a new card: the licence number that was exposed must change. Eligibility varies depending on the state in which your licence was issued, and unfortunately this is not possible in every state.
Optus is currently working with state licence providers for a solution for all customers.
5. Replace, Renew or Cancel your passport
If your passport details were exposed, consider a replacement or renewed passport via the Australian Passport Office. Again, ensure the new type of passport you select has a new passport number to replace the one that was exposed. Eligibility criteria for each type of new passport apply.
6. Enable Multi-Factor Authentication wherever possible
If any of your details were exposed, ensure you have Multi-Factor Authentication (MFA) in place on all your accounts, starting with the most important ones.
The details exposed in this or other breaches may be enough for an attacker to answer the security questions or pass the identity checks that account providers use for password resets, and so take over your accounts. MFA adds a second factor that the stolen data alone cannot satisfy. Where you have the choice, prefer an authenticator app or a hardware security key over SMS codes, since SMS codes can be intercepted through SIM swapping.
7. Be vigilant of future scams
If any of your details were exposed, be vigilant for future attempts to scam you. Exposure of your email address, physical address and phone number lets scammers know how to contact you, and exposure of your full name and date of birth allows scammers to appear to know you or appear to be contacting you from a legitimate company that holds details about you.
Be wary of anyone contacting you unexpectedly. If in doubt, ask for a reference number, hang up, find the business's phone number via Google or its official website and call them back to ensure you are speaking to a legitimate person.
8. Increased security for moving providers
To reduce the risk of an attack known as SIM swapping, where an attacker steals your phone number to bypass SMS-based MFA, Optus has implemented increased security measures for porting numbers.
If you are planning to move providers, be aware that current increased security measures mean you will need to visit a store in person with your ID to have services moved to a new provider.
9. Watch for updates
The situation is still very new, and details are emerging every day. Optus has advised they will be providing free identity monitoring services to those "most affected" by the breach but are yet to provide full details.
Optus is providing regular updates via its Media Centre, and most media outlets are following updates very closely at present.
10. Contact IDCARE for further assistance
IDCARE is Australia’s free identity and cyber support service. They have an Optus Data Breach Response Fact sheet available and can support you through this time.
To discuss cybersecurity protection strategies for your business, leave your details below and an expert will get back to you.
Or call us on +618 8238 6500
WHITEPAPER | How Does Zero Trust Work?
ZERO TRUST – A SECURITY MINDSET FOR MODERN BUSINESSES
Long before the COVID-inspired work-from-home revolution, the traditional enterprise security perimeter was already disappearing. With remote work poised to be a mainstay of future business operations, and more and more businesses adopting software as a service (SaaS) subscriptions, the idea of securing a network inside four walls is no longer relevant.
While many solutions exist that attempt to draw a secure “perimeter” around outside assets, modern best-in-class cybersecurity is based on a zero-trust approach.
“Zero-trust” is one of the hottest buzzwords in cybersecurity today. The term describes a systematic approach to minimising, or even eliminating, implicit trust and instead continuously confirming every digital transaction. While traditional methods aim to protect the network and assume everything inside it can be trusted, zero-trust focuses on safeguarding individual resources, verifying each request regardless of where on the network it comes from.
In a recent study of IT professionals, Australian respondents were substantially more likely (88%) than their counterparts in Malaysia (75%), Singapore (65%), India (62%), or Japan (43%) to be investigating a zero trust approach. In fact, following a sharp rise in cybersecurity incidents, more than a quarter of Australian respondents had begun implementing zero-trust in 2021 alone.
This article will cover everything businesses need to know about zero-trust and why it should form a key part of their cybersecurity strategy.
WHITEPAPER | Passwordless, What does the future hold?
Passwordless authentication is accelerating quickly
Passwordless authentication is accelerating quickly, especially now that Google, Apple, and Microsoft have committed to this future by agreeing to adopt the FIDO Alliance and W3C passwordless standards and implement them across their platforms. It's well known that few users of any system follow password best practices, and modern attackers have advanced password-cracking techniques at their disposal.
As large leaks of password databases become more common, weak and reused passwords present a growing issue for businesses, while password volume and complexity have become a growing frustration for users.
Passwordless authentication aims to solve these issues by removing the need to remember login information, while maintaining a high level of data security. In a passwordless system, users prove their identity using one or more methods like biometrics and one-time codes.
Importance of user training in modern cybersecurity
The primary cyber threats faced every day by employees are phishing attacks. Phishing is a form of social engineering used to steal data or compromise usernames and passwords of employees. An attacker will send an email, instant message, text message or social media message impersonating a trustworthy source, such as a reputable business or even another employee.
Their intent is to trick the recipient into clicking on a malicious link to either install malware such as ransomware or provide details which would allow the attacker to gain access to corporate data and circumvent other cybersecurity defences. Once access is established, it is generally a matter of time before a data breach occurs, which can be devastating to a business.
Between 86% and 90% of cyberattacks start with, or involve, users and user behaviour, according to research by Kaseya and Cisco.
Business Email Compromise (BEC) attacks, which focus exclusively on exploiting the 'human factor', are now the leading cause of cyber-related financial loss for Australian businesses. BEC attacks account for only 7% of all reported cybercrime, but the average successful attack costs the victim organisation $50,673 (ACSC 2020-2021 cybercrime report).
In the same report, the ACSC found the average cost of each successful cybercrime in Australia to be $8,899 for small businesses (1-19 staff), $33,442 for medium businesses (20-199 staff) and $19,306 for large businesses (200+ staff).
In a separate report, the ACSC found that 62% of SMBs (<200 staff) had been the victim of a cybersecurity incident. These statistics make a strong case for investment in cyber risk mitigation, and user training is an important pillar of a cyber risk mitigation strategy.
ACSC: Cybercrime reports and average reported loss by organisation size for financial year 2020–2021
Download the whitepaper to read more on how you can ensure your staff are prepared and trained to handle cybersecurity threats.
Cyber Alert - Multiple Vulnerabilities in Apple Products 18-08-2022
Multiple Vulnerabilities in Apple Products Could Allow for Arbitrary Code Execution
DATE(S) ISSUED:
18/08/2022
OVERVIEW:
Multiple vulnerabilities have been discovered in Apple Products, the most severe of which could allow for arbitrary code execution.
For full details and actions to protect your devices and systems, follow the link to the Center for Internet Security or reach out to our friendly cyber experts below.
DETAILS:
macOS Monterey is the 18th and current major release of macOS.
iOS is a mobile operating system for mobile devices, including the iPhone, iPad, and iPod touch.
iPadOS is the successor to iOS 12 and is a mobile operating system for iPads.
Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution in the context of the logged on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
To discuss cybersecurity protection strategies for your business, reach us here https://www.advance.net.au/contact
Whitepaper | ISO27001 – What Is It and Do You Need It?
As of 2022, ISO27001 is the most well-known information security standard, however few people outside of compliance experts know what it entails.
ISO27001 (full name, “ISO/IEC 27001:2013 – Information technology – Security techniques – Information security management systems Requirements”) is an international standard for information security management.
Because of this status as a standard, organisations can undergo a process to obtain an ISO27001 certification from an external auditor. The resulting certificate can be used to evidence to external parties that the business has implemented rigorous information security controls in line with an internationally recognised specification.
Such a certificate can lead not only to the opening of new markets and increased competitive advantage, but also to reduced costs and improved performance in information security.
However, ISO27001 can be a time- and resource-consuming certification to achieve, and some organisations have found better outcomes by targeting their budget more directly at implementing security controls, rather than achieving certifications.
In this paper, we look at what ISO27001 requires of organisations, and investigate if Australian SMEs should consider the certification process. We not only discuss the standard and what it entails but also look at and compare other standards such as Essential 8 and NIST.
Customer Story | Meals on Wheels SA centralises IT to realise $50,000 cost saving
Meals on Wheels SA centralises its IT environment to better coordinate thousands of daily deliveries
Almost everyone has heard of Meals on Wheels. It was first formed in South Australia (SA), in 1954. Founder Doris Taylor MBE, wheelchair-bound from an accident as a teen, empathised with the challenges of those returning home from the hospital. She noted, in the elderly in particular, that they had trouble shopping and preparing meals for themselves, often depriving them of the ability to live independently. Meals on Wheels was her remedy. Nearly seventy years on, more than 50 million meals have made their way into SA homes. The organisation is currently providing 4,300 meals per day to customers across the state.
Key Challenges
The state-wide operation included a vast degree of variation among branches
There was no single payments system and accounting was resource-intense
COVID-19 caused a surge in demand that could only be met by a centralised model
In every other Australian state, Meals on Wheels operates as several independent entities. However, Meals on Wheels SA is a state-wide association with 80 branches. Some were established under the state-wide model, while others were independent organisations incorporated into the association - the latter managed their own affairs, with committees, treasurers, bank accounts and chequebooks. Add to this that many pre-dated the internet, set up without the benefit of computerised systems, and you get an idea of the variation within the Meals on Wheels model.
Even so, it's a model that has served the community well for 50 years. Testimony to its success is the tenure of its volunteers. Among seven thousand volunteers, the average age is 75. David Smith, Executive Manager, Corporate Services for Meals on Wheels, recalls the first time he attended an annual award ceremony recognising long-term volunteers; “There were 40 people who had been volunteering for 40 years,” he says.
COVID-19 caused a surge in demand
When COVID-19 arrived in early 2020, hitting Australian businesses hard, Meals on Wheels wasn’t one of them. “Quite the opposite,” Smith says. A surge in demand for meal services presented the organisation with the challenge of meeting it with maximum efficiency.
Growing fast in a controlled way required digitising and automating financial processes. It also called for complete compliance with Work health and safety (WHS) standards which view volunteers as employees, governed by the same safety rules. This includes 75 to 90-year-old volunteers who'd never had to think about them before during their working lives. “They've always stood on a ladder on top of a table to change a light bulb, so why would they not do it now?” says Smith.
Finally, the model needed to flexibly accommodate digital and non-digital interaction. Any assumption that in time everyone will become comfortable with internet-based services doesn’t take into consideration the aging population. “Just because you are computer literate now, it doesn't mean that when you're 85 or 90 you're somehow going to be magically better. And so this market for people who are getting older, and some of their capacities have diminished, they're always going to need a meal delivered to their house,” says Smith.
Meals on Wheels SA contacted Advance Business Consulting to help them cut through these requirements to arrive at a system that would allow them to grow securely with a fraction of the effort while getting more from their technology and data.
The challenge of connecting everyone
Creating a common organisational infrastructure was a priority. But not every branch had a physical office to call their own, and a few smaller branches had been relying on their own computers to log into Meals on Wheels. Smith leaned on Advance’s consultancy services to design an infrastructure capable of accommodating what Smith refers to as the “lowest common denominator of what you need a computer to be.” In this way, it would be embraced by everyone, regardless of their circumstance.
Security was top of mind. “If you have to put a secure internet connection in a branch and a managed computer, and that computer is only going to be used for one hour, twice a week, it's quite a big investment for a very small use case. Also, you don't know who's going to be using it. It might be 20 different people in a branch,” says Smith, who looked to Advance to propose the most viable security strategy.
Opportunity to streamline payments processes
Digitising and automating payments within one simple payment system was identified as an excellent way to inject efficiency into operations. In the past, Central Office would invoice the branches for meals delivered, and reimburse costs incurred by them. If those costs had been incurred directly by Central Office and not the branch, which sometimes happened, another invoice would be issued for the money to be returned. A reconciliation was completed every three months on a simple electronic cash book, to check the accuracy and retrieve surplus funds advanced but not used. There was also an exercise of distributing funds from more profitable branches to those who needed “propping up” to ensure equity across the model. Accounting in this way took time and resources that Meals on Wheels decided it would prefer to apply to service excellence.
Solutions:
Advance standardised how branches connected to Central Office
World-class security was built in via VPN enabled teleworker devices
M-Files automated important processes like payments and reimbursements
One simple means of connecting
Advance migrated Meals on Wheels from Telstra 4G connections to a Cisco Meraki SD-WAN with Teleworker VPN, which has proven to be very successful. Teleworker devices are not carrier dependent, for one thing, which supports the association's need for flexible connectivity, as well as delivering strong security. In this model, secure corporate LAN connectivity is extended to employees at remote sites via Meraki APs (access points), without needing them to install VPN software on their devices themselves. It can all be done centrally, keeping things simple.
Added security benefits are realised through Meals on Wheels' ability to whitelist (allowlist) applications, so that anything not on the approved list is unavailable to users on their devices, as well as best-in-class anti-virus software. This provides better protection from hackers. “Meals on Wheels is a very well-known name, which unfortunately makes us an obvious target for cybercrime,” says David.
A unified payment system
Improving the efficiency of the outgrown payment system began with eliminating the need for branches to pay their own invoices. “How do you get at branches to be able to effectively send invoices into Central Office if they want to send them by fax, which some still do?” says Smith. “But of course, that really just pushes the workload elsewhere.”
Advance suggested M-Files, a document management system for coordinating the right information to the right people at the right time. This immediately gave branches the ability to scan an invoice, sign to confirm goods had been received, and be paid automatically. Where branches don't always have a reliable internet connection, M-Files helps with that too: “M-Files was great because we could actually fall back to a mobile phone to do the same thing,” says Smith. “And in a couple of cases we still do use the fax, but what it means is no longer needing branches to pay any bills.”
Verifying and reimbursing drivers
Additionally, M-Files was set up to support driver reimbursement. Volunteers are paid a fee per delivery for their petrol and wear and tear. “They used to be paid in cash. The driver could take the money and if they didn't, it got flipped into a bucket and then banked as a donation,” says Smith. M-Files has automated the entire process with a workflow that lets Meals on Wheels collect a declaration from drivers with their bank account details for payment. Stored securely in M-Files, it can be centrally and accurately managed.
“We realised while we're doing this, it would be useful to check that the person we're paying a driver reimbursement to is actually a volunteer,” says Smith, explaining that people used to get roped in to be a deliverer and stay for 10 years when they're not actually on the books. If they're not registered, it means they haven't had a police check. “Right through this process, we found little added gains from simply just trying to improve a process,” Smith says.
Compliance is much easier
Driver verification is one aspect of compliance, but it’s not the only one to benefit from the new technology-enabled operational model. Meals on Wheels can now issue communications on things like Work health and safety rules to employees and volunteers with minimum effort and feel confident they have been received.
Outcomes:
Closing the branch bank accounts saves $50,000 per year
New employees can be onboarded, from anywhere, in moments
Centralised management of data drives compliance across 80 branches and 7000 volunteers
When you no longer need to pay for anything by cash or cheque, branches no longer need their own bank accounts. Meals on Wheels has been able to close all of its branch bank accounts, saving $50,000 per year in bank fees and transaction costs.
Security concerns are alleviated through central controls, configured by Advance, that let Meals on Wheels whitelist approved applications and prevent people from running programs they are not supposed to.
The project, which began pre-pandemic, turned out to be well-timed since it allowed Meals on Wheels to rapidly transition to a work-from-home strategy during COVID-19 restrictions with the Meraki teleworking devices. “When our staff had to work from home, it was a trivial matter to give them a network device with a SIM card in and connect them and get them working. It was an accidental benefit that really set us in good stead.”
Since kicking off its transformation, Meals on Wheels SA has gone from strength to strength, most recently introducing a new ERP system, Pronto, for dealing with manufacturing, and other important resources, with efficiency, and creating a host of web applications using low-code development tool Intrexx, provided by Advance.
With the expansion of services no longer a heavy lift, the sky is the limit.
Whitepaper | Don't get hooked - Phishing
Did you know that you will receive an average of 14 phishing emails this year?
Did you also know that 90% of cybersecurity incidents start with a phishing email?
Are you confident you can spot 100% of the signs, 100% of the time? Even highly trained cybersecurity experts still occasionally fall for well-designed phishing emails.
Look out for:
Urgency – Phishing emails will often use urgency and importance to make their victims act quickly without thinking through the consequences. A link to an overdue bill or outstanding payment, a document with details of a payment about to be made from your bank account, these are all examples of ways phishing emails will try to make you act quickly, before you notice it’s a phishing email.
Senders – To make an email appear legitimate, the sender may try to fool you into thinking they are a legitimate contact. They might change the display name on their email account, such as Ebay (ebay@gmail.com), or register email addresses that look like legitimate ones (can you tell the difference between accounts@microsoft.com and accounts@mcirosoft.com?)
Look closely at the domain – Phishing emails will try to hide the actual website they are sending you to, either by using a shortening service, like https://bit.ly/3JMHq9k, or by showing legitimate-looking link text, such as www.microsoft.com, that actually points somewhere else. Hover over a link (or long-press it on a phone) to see the real destination before clicking.
Too short or too long – Phishing emails usually go one way or the other: either overloading you with information to make you believe it's real, or giving you so little information that you feel you need to click the link or open the attachment to understand what's going on. An example might be an email from a known sender that just says 'here's your bill', with an attachment. Many recipients will open the attachment to find out what the bill is for.
Requests for password or payment – Phishing emails are usually trying to obtain either your password, payment information or personal information. Be suspicious of any email that requests these, or links to a website that requests them.
Be on the lookout for anything suspicious. Double-check everything, go to the website yourself via Google or a saved bookmark rather than following the links in the email, and if it still seems suspicious report it to IT!
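The sender, link and wording checks above can be mechanised. The following Python script is an added example for this page, not code from the original whitepaper: it scores a constructed sample message for the indicators listed (a display name that does not match the sending domain, a look-alike domain found by edit distance, link text that points to a different host than it shows, URL shorteners, urgency wording and requests for passwords or payment details). The trusted-domain list, the shortener list and the phrase lists are assumptions for the example, and the two-label domain heuristic does not handle suffixes such as .com.au.

```python
"""Check an email for the phishing signs discussed above: sender display name vs
domain, look-alike domains, link text vs real destination, shorteners, urgency
and credential/payment requests. Added example; lists below are assumptions."""
import re
from html.parser import HTMLParser
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlparse

# Domains the recipient legitimately deals with (assumption for this example).
TRUSTED_DOMAINS = ("microsoft.com", "ebay.com", "paypal.com")
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}
URGENCY_PHRASES = ("urgent", "immediately", "overdue", "suspended", "within 24 hours", "final notice")
CREDENTIAL_PHRASES = ("password", "credit card", "bank details", "payment details", "verify your account")
# Link text that itself looks like a URL or domain, e.g. "www.microsoft.com".
_URL_LIKE_TEXT = re.compile(r"^(?:https?://)?(?:www\.)?([a-z0-9.-]+\.[a-z]{2,})(?:/\S*)?$", re.IGNORECASE)

# Constructed sample message for this example (not a real email).
PHISHING_EMAIL = {
    "from_name": "Microsoft Account Team",
    "from_address": "accounts@mcirosoft.com",
    "subject": "URGENT: your account will be suspended",
    "html": ('<p>Your password expires today. Confirm it at '
             '<a href="http://login.mcirosoft.com/reset">www.microsoft.com</a> '
             'or use <a href="https://bit.ly/xxxxxxx">this link</a>.</p>'),
}


def levenshtein(a: str, b: str) -> int:
    """Edit distance; 1 or 2 between a sender domain and a trusted one marks a look-alike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname (heuristic; does not handle suffixes like com.au)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def check_sender(display_name: str, address: str) -> List[str]:
    findings = []
    sender_domain = registrable_domain(address.rsplit("@", 1)[-1])
    for trusted in TRUSTED_DOMAINS:
        if sender_domain == trusted:
            continue
        brand = trusted.split(".")[0]
        if brand in display_name.lower():  # "Ebay <ebay@gmail.com>" style impersonation
            findings.append(f"sender: display name claims '{brand}' but address is @{sender_domain}")
        distance = levenshtein(sender_domain, trusted)
        if 0 < distance <= 2:  # mcirosoft.com vs microsoft.com
            findings.append(f"sender: {sender_domain} is a look-alike of {trusted} (edit distance {distance})")
    return findings


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> tag in the HTML body."""
    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href: Optional[str] = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_links(html: str) -> List[str]:
    parser = _LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = (urlparse(href).hostname or "").lower()
        if not host:
            continue
        if host in SHORTENERS or registrable_domain(host) in SHORTENERS:
            findings.append(f"link: shortened URL {href} hides its real destination")
        shown = _URL_LIKE_TEXT.match(text)  # text looks like a URL: compare it with the real target
        if shown and registrable_domain(shown.group(1)) != registrable_domain(host):
            findings.append(f"link: text shows '{text}' but points to {host}")
    return findings


def check_text(text: str) -> List[str]:
    lowered = text.lower()
    urgency = [p for p in URGENCY_PHRASES if p in lowered]
    requests = [p for p in CREDENTIAL_PHRASES if p in lowered]
    return ((["urgency: " + ", ".join(urgency)] if urgency else [])
            + (["request: mentions " + ", ".join(requests)] if requests else []))


def assess(email: Dict[str, str]) -> Dict[str, object]:
    """Combine all checks; a sender or link finding alone is enough to treat it as phishing."""
    plain = re.sub(r"<[^>]+>", " ", email["html"])
    findings = (check_sender(email["from_name"], email["from_address"])
                + check_links(email["html"])
                + check_text(email["subject"] + " " + plain))
    strong = any(f.startswith(("sender:", "link:")) for f in findings)
    return {"findings": findings, "verdict": "likely phishing" if strong else "no strong indicators"}
```

To use it on a real message, fill the dict from the parsed headers and HTML body. Any 'sender:' or 'link:' finding is worth reporting to IT on its own; the urgency and request checks are supporting evidence, since legitimate bills and reminders use the same words.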
Customer Story | Accurate data delivers 1834 Hotels a competitive edge with Qlik
In 2021 we held our Innovators 2021 event focussed on client stories about how they tackled COVID-19 and what role technology played during this unique time. You can read the recap and watch the full video of the event here.
Continuing on from the event, we sat down with 1834’s CEO Andrew Bullock to write up this customer story. This case study outlines what 1834 Hotels do, the challenges in managing data and how a business intelligence tool can streamline reporting to free up staff and automate daily business tasks.
Whitepaper | Mobile Device Security
Did you know cybercriminals are now targeting your mobile phone?
Cybercriminals love banking details, saved passwords, business data and even personal photos (to copy, delete then sell back to you), all of which can be found on our phones these days.
Unfortunately, many of the tools that protect computers aren’t switched on by default on phones, and that makes them the perfect target for cybercriminals.
We’ve all seen the SMS messages claiming to be ‘missed calls’ or ‘package tracking’ that actually spread malware, but how many of us have installed anti-virus on our phones?
Did you know almost 230,000 phones get infected with viruses each and every day? That’s more than 80 million a year…
How to keep your phone secure:
PIN Codes – The PIN code on your phone is like the key to your front door and all your filing cabinets. If your phone is lost or stolen, the PIN stops anyone using it, and it is usually also what protects the saved logins that give access to your email and cloud files. Make sure a 6-digit PIN or a longer passcode, plus Face or Fingerprint ID, is set up on your phone.
Anti-Virus – Viruses exist on phones just like they do on computers. There are many different options from different vendors around to help protect your phone, install one ASAP!
Updates – While operating system and app updates are annoying, they are also essential. Many of them fix security problems that cybercriminals could exploit, so install them as soon as you can.
Fake Apps – One sneaky way cybercriminals will try to get viruses onto your phone is to create fake apps. They will find a real company that doesn’t have an app, and use its name and logo on an app created by the cybercriminal. Unsuspecting users think they are downloading an app from a well known company, when in fact it’s a virus.
Corporate Data – Only set up work email or access corporate systems on your personal phone if your IT department allows it, however well-meaning the intent.
Encryption – Encryption locks all the files on your phone while you are not using them, so data copied from a lost or stolen phone is useless without your passcode. Current iPhones and most recent Android phones encrypt storage automatically once a passcode is set; on older devices, check that the setting is turned on.
Lost device features – Switch on any ‘find my device’ and remote wipe features. That way if you lose your phone you can track it, or at least wipe it so no one can access all your banking details and personal photos.
Modern phones are really just small laptops, and therefore are vulnerable to the same issues, such as links from unknown senders, malware and viruses. Given how much our smart phones can access, and how much personal data they hold, we all need to be sensibly cautious in protecting our phones from cybercriminals.
Whitepaper | The Vulnerability That Had The Security Community in Meltdown | Log4Shell/Logjam
Log4j: what was it all about and how bad was it?
Log4Shell, also referred to by some as Logjam, is the name security researchers gave to the vulnerability that threw security teams into crisis mode in early December 2021. The name comes from the software package that has the vulnerability, Log4j, a widely used open-source logging library for programs written in Java.
In short, it is an extremely easy-to-exploit vulnerability that affects millions, if not billions, of devices, systems and programs worldwide, making it a very serious concern in the world of cybersecurity.
In this whitepaper we explore what the vulnerability is and why it caused such great concern.
WHAT IS IT?
The vulnerability exists within a standard way for systems to record information about what they are processing, known as logging. A computer may log information entered by users, such as usernames or clicks, or system data, such as error messages and error times. These logs can then be used later to troubleshoot issues, or better understand how the computer is working.
The Log4Shell vulnerability exists because when a specific, malicious combination of text is logged, the logging computer sees the text as a command to be executed rather than information to be entered into the log. The malicious command tells the computer to connect to a separate, external computer and download a program. If the attacker has written the text correctly, this second computer will be one they control, and the program it downloads will be anything the attacker chooses, likely something malicious.
To continue reading, download the whitepaper below:
Whitepaper | The Essential 8 in plain English
The Essential 8 explained
In today’s digital and interconnected world all organisations, regardless of their industry or size, are becoming more cyber security aware. But without a large team of experts to guide them, how do they know if they’re doing the right things, and how do they know if they’re doing them well enough?
To help answer these questions, the Australian Government has produced a framework called the Essential 8 which organisations can use to identify, implement, and mature their cyber security and cyber defence strategy.
Since the Essential 8 was introduced, there has been a growing trend to use it not only to improve organisations’ cyber security, but also to evidence cyber security maturity externally. The Essential 8 already forms the basis of mandatory cyber security requirements for all 98 non-corporate Commonwealth entities, and various state and federal government policies have been implemented to enforce regular assessment, adherence reporting, and minimum achievement standards against the Essential 8 for suppliers within the public sector.
Such a level of supply chain transparency is also becoming more commonplace in the private sector, with more and more B2B procurement processes taking into account cyber security maturity and following the government’s lead in using the Essential 8 as a reference point with which to measure it.
Whether to improve their own cyber defences, to become eligible for public-sector procurement or to become more competitive in private-sector procurement, business leaders need an understanding of the Essential 8, as it is quickly becoming the de facto standard for measuring and evidencing cyber security in Australia.
This paper explains the Essential 8 framework in plain English so business leaders from all backgrounds can gain a working knowledge of how these cyber strategies and maturity criteria can be used to improve defences and gain advantage over competitors.
Whitepaper | How to Create Easy to Remember, Highly Secure Passwords
Solving the Password Problem
The best way to set a strong password is to use a password manager, which we covered in a previous blog. If, however, this is not possible, the below represents the best advice on how to create strong passwords you can easily remember.
Years of ‘at least 8 characters, must include lower case, upper case, numbers and special characters’ have actually made our passwords less secure and easier for criminals to guess.
While creating these passwords is better than using a single word, the complexity makes them hard for the human brain to remember, which results in passwords being written down and reused with only minor changes. Both of these factors greatly undermine a password’s security.
There is a much better way to create passwords that are easy to remember, but still long and strong, which is a Passphrase. A Passphrase is a short phrase in place of a password.
It’s unlikely most people could remember lots of different 20 random character passwords, but most people can remember lyrics from their favourite songs, which will contain more than 20 words and hundreds of characters.
To create a passphrase, try this:
First, take six random words, for example: ‘crystal apple long truck high jump’
Next, create a picture of the words in your head, like so:
Finally, make it unique by adding in the name of the service in a random way:
‘crystal apple long truck Facebook high jump’ or ‘insta crystal apple long truck high jump’.
Now you have a password that’s quite easy to remember, but also 40 characters long and almost impossible to guess.
Even using the best modern computers and techniques, it would take a guessing program longer than the life expectancy of the earth to guess that password!
So, next time you’re asked to create or change a password, think passphrase.
Whitepaper | How do criminals actually steal passwords?
Solving the Password Problem
There are several methods criminals could use to obtain a password or passphrase. They include:
Brute forcing - This is the term given to the method discussed earlier of using a computer program to make lots of random guesses very quickly. This is the primary reason we need long and complex passwords/passphrases, as it makes this process much harder and take much longer.
Phishing - Pronounced ‘fishing’, this is a social engineering technique where criminals create emails and websites, often using well-known brands such as Google, Amazon or financial institutions. They then trick users into entering a username and password, which is then sent to the criminals rather than the legitimate organisation.
Breaches - A breach is when a criminal gains access to a website or system’s list of usernames and passwords, often through a security flaw. When this happens the criminals usually gain access to every username and password registered with that website.
This doesn’t just happen to small websites that can’t afford good security; some recognisable names have suffered very large breaches of varying severity:
Facebook - 540,000,000 user records breached
eBay - 145,000,000 user records breached
Equifax - 147,900,000 user records breached
LinkedIn - 165,000,000 user records breached
Yahoo - 3,000,000,000 user records breached
Criminal Collaboration - After one of the above techniques has been used successfully, criminals will often sell and share the usernames and passwords they have gained access to. In some cases, these are then compiled into large databases that contain millions of stolen email address and password combinations. Many times, these large databases will be published publicly online, giving access to anyone and everyone.
Whitepaper | Password Managers - Are they effective?
Solving the Password Problem
Password Managers
Password managers are growing in popularity, and are highly recommended for all businesses and users.
Password managers randomly generate very complex, very long and unique passwords. They store them securely, along with other account details, so the user doesn’t need to remember them on each login. Password managers will also automatically prefill account and password information, greatly improving the experience of users who regularly log in to multiple different websites or systems.
Once set up, the user will only need to type one password and then enjoy a seamless, one click login experience while simultaneously getting the benefit of very secure passwords.
Key features of a good password manager are:
‘No Trust’ architecture – this means all data is encrypted before leaving the device, so even if the password manager infrastructure suffers a breach, the criminals can’t read any passwords.
Generate passwords – In order to be effective a Password Manager must generate long, strong, unique and random passwords.
Multifactor Authentication – As a Password Manager will hold all passwords, it is critically important that it is highly secure. A good password manager will have the option for MFA to be used on every login.
Breach Monitoring – No matter how strong a password is, accounts can be compromised if passwords are given to the wrong person as a result of being tricked. Good Password Managers will monitor various dark web and underworld websites, and notify the user if their email addresses are included in the data criminals are exchanging.
Unfortunately, password managers don’t always work for every corporate and personal application. They also need an initial password or passphrase from the user, and so the ability to create and remember strong passwords is still an extremely important skill for all users.
Why do you need different passwords?
There are many ways that a criminal could come to learn a password through no fault of the user. Once a criminal has a password, its length and complexity no longer matter.
As soon as the criminal has a password, they will begin trying it on as many systems as possible to see if the user has used the same password on facebook, Instagram, Hotmail, gmail, and so on.
Often this will be automated, with the email address and password combination tried on thousands of websites within seconds.
Other times the process may be more targeted, with the criminal using the email address to locate the user on LinkedIn, finding out where they work, then attempting to use the username/password combination to access corporate data.
The uniqueness of the password prevents this, and ensures that if a password does become known, the breach is contained and the criminal only has access to the single system where the password was first set.
SA Innovators 2021 - Surviving the pandemic with the help of technology - Recap
Advance Business Consulting held its SA Innovators 2021 event focusing on Innovation and Digital Transformation. This year’s event focused on how three business leaders tackled the pandemic and how technology can be part of the solution in dealing with disruption.
Welcome to the recap of Innovators 2021, our second event focussing on innovation and digital transformation in South Australia.
This year was a little different! Disruption from the COVID-19 pandemic over the past two years has affected every business in some way and technology has been a part of the solution in helping businesses to operate and survive.
Challenges can lead to new opportunities and we heard of some bold decisions that had a big impact on business operations.
This year we also added a live stream to the event to allow people to watch the presentations from anywhere, including guests from interstate and you can watch the recording above or by clicking here.
Our speakers included local business leaders:
Andrew Bullock - Managing Director at 1834 Hotels
David Smith - Manager Corporate Services at Meals on Wheels SA
Peter Crescitelli - Manager – Technology & Information Security at MIGA
Emcee and panel discussion led by Troy Forrest - Managing Director at Strategy Road
A few of the key takeaways:
Andrew shared how he was able to reduce the complexity of his business and improve business intelligence reporting with automation, and how this has enabled 1834 Hotels to separate themselves from their competitors.
David explained that implementing an Intelligent Information Management System allowed his group to digitise their financial model, saving his business $50K per year while increasing efficiency and security.
Peter detailed how he has been able to move the legal arm and Operations arm of his group to a paperless system. This has allowed his business to have a foolproof auditing system which is extremely important for anyone in a heavily regulated environment.
Here at Advance, we have been working with clients for over 20 years to help them integrate data, provide insights with leading BI tools and automate processes with content management.
If you would like to know how we can assist you, get in touch with us here or call:
(08) 8238 6500
If you would like to learn more about the benefits of using an Intelligent Information Management System, you can watch a short video below about M-Files, a key technology we use internally and a foundation to managing content and digitising any business.
A little more about the speakers:
1834 Hotels
Andrew also leveraged the disruption to implement a new core business system during an interrupted period in the accommodation industry. 1834 Hotels also strengthened business intelligence to automate reporting, freeing up staff from manual spreadsheets and found new insights from daily agile reports and dashboards.
Meals on Wheels SA
David was also able to simplify and streamline financial processes to improve efficiency and compliance. Meals on Wheels automated a manual business process to enable a robust system for processing accounts payable invoices and volunteer reimbursements. This also delivered transparency and an audit trail. The new business process has reduced duplication and has made the role of Branch Treasurer much less onerous.
Medical Insurance Group Australia
Peter and the team at MIGA further digitised manual paper-based processes across their Claim Management and Accounts Payable business functions to deliver efficiency and compliance for MIGA. The operational efficiencies have delivered a great customer experience for internal & external stakeholders. MIGA’s strategy will continue to look into optimising these processes and expanding document management to other areas of the business.
Our event was held at Electra House and live-streamed using www.streamadelaide.com.au
For any further information regarding SA Innovators 2021 or how Advance can help implement a successful digital process in your industry, get in touch with us here.
Whitepaper | Is Multi-Factor Authentication A Silver Bullet For Protecting Your Data?
Solving the Password Problem
Multi-Factor Authentication (MFA) or Two Factor Authentication (2FA or TFA) is when a secondary (or further) authentication method is used to verify the user’s identity. This is normally carried out by validating that the user has something physical (such as a smart phone, token, smart card etc.) or that they are something (such as biometrics, including fingerprint and face scan technologies). Modern MFA techniques leverage smart phones and one-time codes via SMS or app-based login approval.
It’s now commonly accepted that modern MFA techniques block 99.9% of attempts to take over an account, but why is this?
In traditional criminal investigations, investigators often look at three key elements: means, motive and opportunity.
Unfortunately, with account take over, particularly when the system is internet based, all that is required to carry out an attack is an internet connected device, anywhere in the world. This means that billions of people have both the means and the opportunity to commit account take over attacks.
Multi Factor Authentication combats this problem by requiring a secondary verification method which is much harder to fake from different physical locations.
When a modern smart phone is used for MFA, a third verification is often added, seamlessly to the user. Most modern phones will require either a PIN code or face/fingerprint scan to unlock them, and in doing this the user has provided a third identity verification.
It may not seem like much, but by glancing at an iPhone and pressing the accept button within an authentication app, the user attempting to log in has verified that their face biometrically matches the face of the approved user, and they have performed this biometric check on the only device in the world that will allow access.
Defeating MFA is not completely impossible, but in most cases gaining access to an account protected by MFA becomes far too hard for an attacker, and they look for easier targets.
The usual process of a criminal breaking into an account would involve them using a list of a million or more email addresses, along with a database of billions of possible passwords, and using a high-powered computer to attempt combinations over and over again until one works.
When an account is protected by MFA, breaking into that single account would require targeted physical action, such as pickpocketing a device or SIM swapping. The attacker would then have to overcome the device’s biometric verification, and only then could they begin attempting to guess the password, with each guess taking several seconds rather than the millions per second possible against non-MFA protected accounts. It’s for these reasons that MFA is able to block 99.9% of attempts to illegitimately access accounts.
Almost no criminals have the means to overcome MFA, and even those that do know that they will have much more lucrative results pursuing the other 999,999 accounts, each of which can be targeted in a matter of hours, rather than spending many weeks trying to break into a single MFA protected account.
MFA should be set up wherever it is available, but if that is not possible it should at the very least be enabled for a user’s more important accounts, such as internet banking and email.
It’s not something often considered, but most modern online systems rely on email accounts as a backup verification. If the user forgets their password, the ‘I’ve forgotten my password’ functionality will send a message with password reset instructions to the user’s email address.
If a criminal were to gain access to an email account, they can use it to reset many other passwords and ultimately gain access to many other accounts. This is why it’s important to have a very strong password/passphrase, which is not used anywhere else, and to enable MFA for email accounts.
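To make the ‘each guess takes several seconds’ point concrete, here is an added Python example (not code from the whitepaper or from any product) of how an app-based one-time code is generated and checked server-side, with a lockout after a few wrong codes. The shared secret is the RFC 6238 test vector; the lockout thresholds are constructed assumptions.

```python
import hashlib
import hmac
import struct

# RFC 4226 / RFC 6238 shared-secret test vector (ASCII "12345678901234567890").
# Used here so the example is checkable; a real authenticator enrols a
# per-user random secret.
SECRET = b"12345678901234567890"
STEP_SECONDS = 30


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: float, digits: int = 6, step: int = STEP_SECONDS) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from the current time step."""
    return hotp(secret, int(unix_time // step), digits)


def verify_totp(secret: bytes, submitted: str, unix_time: float,
                window: int = 1, digits: int = 6, step: int = STEP_SECONDS) -> bool:
    """Accept the code for the current step and +/- `window` steps (clock drift),
    comparing each candidate in constant time."""
    counter = int(unix_time // step)
    return any(
        hmac.compare_digest(hotp(secret, counter + d, digits), submitted)
        for d in range(-window, window + 1)
    )


class ThrottledVerifier:
    """Server-side check that locks the account after a few wrong codes, so the
    1,000,000 possible six-digit codes cannot be guessed inside one 30 s step.
    Constructed illustration; thresholds are assumptions, not a product's defaults."""

    def __init__(self, secret: bytes, max_failures: int = 3, lockout_seconds: int = 300):
        self.secret = secret
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.failures = 0
        self.locked_until = 0.0

    def attempt(self, code: str, unix_time: float) -> str:
        """Return 'ok', 'rejected' or 'locked' for one submitted code."""
        if unix_time < self.locked_until:
            return "locked"
        if verify_totp(self.secret, code, unix_time):
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.failures >= self.max_failures:
            self.failures = 0
            self.locked_until = unix_time + self.lockout_seconds
            return "locked"
        return "rejected"


if __name__ == "__main__":
    import time
    print("code right now:", totp(SECRET, time.time()))
    print("RFC 6238 vector, t=59, 8 digits:", totp(SECRET, 59, digits=8))
```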
Whitepaper | Does Password Length Really Matter?
Solving the Password Problem
While there are many new safeguards designed to prevent password guessing, the length, complexity and uniqueness of a password are still important factors to make an account secure.
Computer programs designed to guess passwords work by harnessing new technologies to make millions of guesses per second. The longer and more complex a password the more guesses are required before the correct combination is found.
Modern password guessing programs will also try dictionary words, common variations and commonly used passwords, which makes unique passwords important.
Many safeguards have been developed to protect against these guessing methods and are often extremely effective where they are implemented.
In some cases, systems may only allow three incorrect login attempts, or there may be inherent limitations, such as bandwidth and processing power, that stop multiple login attempts.
Additionally, new cryptographic storage techniques are making it harder for attackers to guess passwords, even in ‘offline’ attempts.
Unfortunately, while these safeguards are very effective when implemented, they are not implemented universally, and are not completely foolproof.
Individuals should never rely on security features which may or may not be present.
It is for this reason that making passwords long (lots of characters), strong (using lower case, upper case, special characters, and numbers) and unique (only used for one system/login) is still an important baseline for personal security.
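As an added example (not from the whitepaper), this Python script builds a passphrase the way the ‘Solving the Password Problem’ section above describes, six random words with the service name spliced in, and compares its guessing space with a ‘complex’ eight-character password. The word list and the 10^12 guesses-per-second rate are constructed assumptions; the word-level entropy assumes a 7,776-word diceware-style list and, conservatively, an attacker who knows the method, while the character-level figure is the brute-force view the blog takes.

```python
import math
import secrets

# Constructed stand-in for a diceware-style word list, only so the example runs
# offline. The entropy figures below assume a real list of 7,776 words.
WORDLIST = [
    "crystal", "apple", "long", "truck", "high", "jump", "river", "candle",
    "orbit", "velvet", "maple", "anchor", "pepper", "ladder", "frost", "tiger",
]
DICEWARE_LIST_SIZE = 7776   # assumed size of a real word list
PRINTABLE_ASCII = 95        # lower, upper, digits and specials
LOWER_AND_SPACE = 27        # alphabet of a lower-case, space-separated passphrase


def make_passphrase(service: str, n_words: int = 6, wordlist=WORDLIST) -> str:
    """Pick n_words with a CSPRNG and splice the service name in at a random
    position, as in 'crystal apple long truck Facebook high jump'."""
    words = [secrets.choice(wordlist) for _ in range(n_words)]
    words.insert(secrets.randbelow(n_words + 1), service)
    return " ".join(words)


def wordlist_bits(n_words: int, list_size: int = DICEWARE_LIST_SIZE) -> float:
    """Entropy in bits of n_words drawn uniformly from list_size words."""
    return n_words * math.log2(list_size)


def charset_bits(length: int, alphabet: int = PRINTABLE_ASCII) -> float:
    """Entropy in bits of a uniformly random string of `length` characters."""
    return length * math.log2(alphabet)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Years needed to try every possibility at the given offline guessing rate."""
    return 2.0 ** bits / guesses_per_second / (365.25 * 24 * 3600)


def compare(service: str, guesses_per_second: float = 1e12) -> dict:
    """Contrast a six-word passphrase with an eight-character 'complex' password.
    The passphrase is scored two ways: word-level (attacker knows the method)
    and character-level (plain brute force over the 40-odd characters)."""
    phrase = make_passphrase(service)
    word_bits = wordlist_bits(6)
    char_bits = charset_bits(len(phrase), LOWER_AND_SPACE)
    complex8 = charset_bits(8)
    return {
        "passphrase": phrase,
        "passphrase_length": len(phrase),
        "passphrase_word_bits": round(word_bits, 1),
        "passphrase_char_bits": round(char_bits, 1),
        "complex8_bits": round(complex8, 1),
        "passphrase_years_wordlevel": years_to_exhaust(word_bits, guesses_per_second),
        "passphrase_years_charlevel": years_to_exhaust(char_bits, guesses_per_second),
        "complex8_years": years_to_exhaust(complex8, guesses_per_second),
    }


if __name__ == "__main__":
    for key, value in compare("Facebook").items():
        print(f"{key}: {value}")
```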
Whitepaper | Navigating the maze of Anti-Malware technologies in the SaaS era
Alert, but not Alarmed
We are all on the front lines in the fight against cybercrime, both at work and at home.
It's increasingly common for criminals to lock either your work or personal files, then demand a ransom payment in return for unlocking them.
This is called a ransomware attack and there are some very easy steps you can take to protect yourself and your family.
What are the signs of a Ransomware attack?
Dodgy Emails - Criminals usually try to put Ransomware onto your computer through illegitimate websites, or infected attachments. Be very wary of emails from people you don’t know or didn’t expect, particularly if they contain links to other websites or attachments.
If you've recently received an email from someone you don't know, or that didn’t look quite right and have already opened the link or attachment, be alert.
File names - If your file names, or the three letters after them (the extension, as in example.txt), are changing, this could be a sign your files are being locked.
Can’t access files - If you are unable to access files, this could be a sign they have been locked.
Ransomware Notice - Once a certain number of files are locked, the criminal will display a notice, usually asking for urgent payment, and usually asking for an online currency such as bitcoins.
What should I do if I notice the signs?
Immediately power off - Once the computer is completely powered off, no more files can be locked, and the ransomware cannot spread to other computers in your home or office.
Remove any network cables - To ensure the ransomware cannot spread once the computer powers on again, remove any network cables. For WIFI laptops, switch any physical WIFI buttons to the off position.
Contact support - In the workplace, the IT department should be made immediately aware. At home, you will need to contact whoever does your IT support. You may want to call a professional.
Don't Pay - If you do pay the ransom, you are relying on the criminal's good nature to unlock the files, which is unlikely to happen. Even if it does, you will then be marked as someone willing to pay ransoms and be targeted again in the future.
Is there anything I can do to reduce the risk of this happening to me?
Absolutely, in many cases, these are done for you by the IT team, but at home, you will need to do them yourself:
Install Patches - Your operating system and any programs you have installed will often need updating or patching. These are very important, as it is the manufacturer fixing problems that criminals may exploit. You should make sure all of your software is regularly patched, and allow the patches to install as soon as possible.
Anti-Virus - Ensure you have Anti-Virus software installed and running, and that it is up to date.
Backups - While these won’t protect you from getting ransomware, they will make it very easy to recover your locked files without paying a ransom. Where ever possible backups should be stored separately, so criminals cannot erase them if they do gain access to your computer.
Block Macros - Microsoft Office Macros are a very common way for criminals to gain access to your computer. Having these switched off by default helps protect you against this form of attack.
Administration Privileges - Accounts with administrative privileges can install and run applications (and ransomware). While it's inconvenient to have to switch to a different account each time you want to install new software, it can protect you from a criminal installing ransomware in the background while you are unaware.
Whitepaper | Business Email Compromise - The most lucrative form of cybercrime
Who Am I Really Speaking To?
Email-based scamming has quickly become the leading cause of financial loss for Australian businesses and individuals, with criminals now stealing $132,000,000 each year.
This CyberGuide will show you how to protect yourself and your family by identifying the warning signs and commonly used scams.
Email-based scams have grown in popularity recently due to the speed at which criminals can run them, along with the lucrative returns they generate.
What is an Email Scam?
Often called Email Compromise or Business Email Compromise, email scams are where a cybercriminal uses social and technical tricks to make a person think they are exchanging emails or text messages with someone they already know. The cybercriminal then uses the trust of the relationship to have bank details updated, or initiate the transfer of funds, goods or gift cards.
What Are the Common Scams?
The false invoice:
John recently paid his builder for some renovation work. Later he found out that his builder had not received the payment. When they checked, the invoice and bank details John had paid had not been sent by the builder. Instead, they were sent by criminals who had used a fake email address that looked very similar to the builder’s.
Supplier Impersonation
Jane works in the finance team. She received a routine email from a regular contact at a long-standing supplier advising of a change in their bank details. Jane checks the email address and it is correct and has been used many times in the past, so she makes the change.
In fact, Jane’s regular contact has unknowingly had her password stolen, and criminals have logged in to her email account. The next legitimate payment to the supplier will be sent to the criminal's bank account.
CEO Fraud
Gary is the executive assistant to the CEO and just received a text message from a number claiming to be the CEO’s personal mobile. The message says that his boss is out with some potential new clients and urgently needs some iTunes gift cards to give them to seal the deal. Can Gary please buy some, SMS the codes and expense the cost tomorrow.
Of course, the phone number does not belong to his boss, and his boss did not make the request. Instead, the gift cards will go to the criminals to be sold on the black market.
Employee Impersonation
Linda from the Payroll team has received a request from an employee to have their bank details changed in the Payroll system. What has happened is a criminal has covertly gained access to the employee's user name and password and is trying to divert the employee’s next salary payment to the criminal's bank account.
What are the warning signs to look out for?
An unforeseen change of bank details - Criminals often target changing bank details because there is no immediate payment involved, so it often does not trigger alarm bells.
An urgent payment request or threats of serious consequences if payment isn't made - urgency is very often used because it makes the intended victim rush and not consider the possibility of a scam.
Unexpected payment requests from someone in a position of authority - Criminals will often use the authority of the CEO or CFO to get potential victims to skip approvals and due process and rush payments.
An email address that doesn't look quite right, such as the part after the @ not exactly matching the supplier's normal email addresses - Criminals will create new email addresses with small changes to impersonate legitimate contacts, such as @Mircosoft.com instead of @Microsoft.com, or replacing the letter L with the number 1.
Personal or unrecognised email addresses or phone numbers - Criminals will create hotmail and gmail addresses using the first and last name of the person they are trying to impersonate and trick the potential victim into believing it is a personal email address.
Personal Information - Criminals will often use social media to gain information about a person they are trying to impersonate and relay it to the potential victim to build trust. Information such as close contacts, home location or current holiday location is used most commonly.
Criminals will often combine several of the above techniques, such as waiting for the CEO to post holiday pictures on Facebook, then using a fake email with the CEO's first and last name to request the urgent change of a supplier’s bank details.
What can you do to prevent email scams?
Look out for the warning signs and be aware.
Don’t be afraid to use a phone call to verify identity – Almost 100% of email scams can be prevented with a simple phone call. Use your contacts or corporate directory (don't trust the signature in the suspicious email) to call them and double-check they did send the email you received.
Always check the full email address on suspicious emails, can you spot any minor changes?
Don't be rushed, take your time, follow all the correct processes and think about the possibility of scammers.
Report any suspicious emails to your IT and Security teams.
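The lookalike-address checks from the warning signs above, as an added Python example that is not part of the whitepaper: it flags homoglyph swaps (l/1, rn/m), typo-distance domains such as Mircosoft, trusted-domain prefixes, and free-mail addresses built from a staff member's name. The supplier domains, staff names and sample headers are constructed.

```python
# Constructed reference data: domains of known suppliers and names of staff who
# could plausibly be impersonated. In practice these come from the vendor
# master and the HR directory.
KNOWN_DOMAINS = {"microsoft.com", "acme-supplies.example"}
FREEMAIL_DOMAINS = {"gmail.com", "hotmail.com", "outlook.com", "yahoo.com"}
STAFF_NAMES = {"jane doe", "gary lee"}

# Visually confusable substitutions: the l/1 swap the blog mentions plus a few more.
HOMOGLYPHS = (("rn", "m"), ("vv", "w"), ("1", "l"), ("0", "o"), ("3", "e"), ("5", "s"))


def normalize(domain: str) -> str:
    """Fold look-alike characters back to the letters they imitate."""
    d = domain.lower()
    for fake, real in HOMOGLYPHS:
        d = d.replace(fake, real)
    return d


def levenshtein(a: str, b: str) -> int:
    """Edit distance; catches swapped or missing letters such as 'mircosoft'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def parse_from(header: str):
    """Split a From header into (display name, local part, lower-cased domain)."""
    header = header.strip()
    if "<" in header and header.endswith(">"):
        name, addr = header[:-1].split("<", 1)
        name = name.strip().strip('"')
    else:
        name, addr = "", header
    local, _, domain = addr.strip().rpartition("@")
    return name, local, domain.lower()


def classify_sender(header: str, known=KNOWN_DOMAINS, staff=STAFF_NAMES) -> str:
    """Label one sender as trusted, a kind of lookalike, a free-mail impersonation, or unknown."""
    name, local, domain = parse_from(header)
    if domain in known:
        return "trusted-domain"
    for good in known:
        if domain.startswith(good + "."):            # microsoft.com.evil.example
            return "lookalike-prefix"
        if normalize(domain) == normalize(good):     # micros0ft.com, rnicrosoft.com
            return "lookalike-homoglyph"
        if levenshtein(domain, good) <= 2:           # mircosoft.com, microsft.com
            return "lookalike-typo"
    if domain in FREEMAIL_DOMAINS:
        # "Jane Doe <jane.doe@gmail.com>" or a bare jane.doe@hotmail.com
        candidate = (name or local.replace(".", " ")).lower()
        if candidate in staff:
            return "freemail-impersonation"
    return "unknown"


# Constructed sample headers mirroring the whitepaper's scenarios.
SAMPLE_HEADERS = [
    "accounts@acme-supplies.example",
    "Accounts <accounts@acme-supp1ies.example>",
    "billing@mircosoft.com",
    "ceo@microsoft.com.evil.example",
    "Jane Doe <jane.doe@gmail.com>",
    "Bob Smith <bob.smith@gmail.com>",
]


def triage(headers=SAMPLE_HEADERS) -> dict:
    """Classify every header; anything not 'trusted-domain' deserves a phone call."""
    return {h: classify_sender(h) for h in headers}


if __name__ == "__main__":
    for header, verdict in triage().items():
        print(f"{verdict:24s} {header}")
```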