Outsourcing your business’ cyber security is as risky as outsourcing hotel quarantine security

There’s a major problem with the IT security of Australian businesses — we are outsourcing our cyber security to companies that aren’t up to scratch and it’s putting livelihoods at risk.

After seeing Melbourne and Victoria suffer the consequences of bungled hotel quarantine security, we know the ramifications of poor outsourcing, and outcomes can be just as extreme when it comes to cyber security.

Over 40% of Australian medium businesses make poor choices about where to outsource their cyber security.

It’s perfectly normal to outsource IT security as a business grows. Just as with lawyers or accountants, we look to specialists to help in areas we are not experts in or don’t understand.

But how do you know you’re getting a top-shelf cyber security product? 

The Australian Cyber Security Centre (ACSC) has developed a list for mitigating cyber attacks, dubbed the ‘essential eight’, and every business should treat this list like health advice for their IT.

1. Application whitelisting. Only allowing approved software to be installed or run.
2. Patching application. Keeping software such as Office and Acrobat up to date.
3. Configure Microsoft Office macro settings. Only allowing trusted macros to run.
4. User application hardening. Blocking content such as Adobe Flash and Java.
5. Restrict administrative privileges. Only allowing approved people to make changes.
6. Patch operating systems. Keeping your Windows and Mac software up to date.
7. Multi-factor authentication. Using other tools such as SMS or FaceID to approve logins.
8. Daily backups. Backing up your important information and testing it regularly.

But, on average, only one out of the eight recommendations are implemented by outsourced providers, ACSC research found.

Much like the security firms that were supposed to be monitoring hotel quarantine, the results can be catastrophic when an IT security provider doesn’t adhere to these standards. 

So, is it better to have your own internal IT security?

Not necessarily. As it stands, both camps would fail to receive a pass mark if this was a high school test.

The simplest way to think about cyber security is like digital occupational health and safety. As the importance of OH&S grew, it became necessary for companies to embed it in their culture and way of doing business.

In some industries, you cannot win work without showing compliance or adherence to OH&S standards. 

Staff education, safety inductions, testing and auditing have all become commonplace around OH&S. The best approach companies can take to their cyber security is to replicate this. 

Firstly, the responsibility begins at the board or owner level. Organisations such as the Australian Institute of Company Directors have recognised this and now offer short courses on ‘cyber for directors’.

Second is to understand your exposure. Telstra developed a security methodology called the ‘five knows of cyber security’ that helps assist teams in identifying what their potential gaps and issues might be.

1. Know the value of your data. This could be your brand and client list.
2. Know who has access to your data. Think about website companies and suppliers.
3. Know where your data is. This includes staff working from home and cloud software.
4. Know who is protecting your data. Is it internal, external, both or no one?
5. Know how well your data is protected. What level of protection do you need?

Like any risk, you can choose to accept it, avoid it, transfer it or reduce it. Ensure you have those answers first, so you create the right responses matched with a budget to address them. 

The third step to securing your company comes down to your staff.

Have you educated staff that cyber security is as much a staff responsibility as it is for them to be safe on a worksite or recognise hazards in the office?

This means ensuring passwords are strong, they’re not accessing unsafe sites or opening spam. 

The fourth step takes us back to the beginning. Should you outsource or keep IT security internal?

It comes down to finding the right provider and asking the right questions. Ask your potential provider if they adhere to the ACSC essential eight and if not, then find someone who does. 

The more businesses across Australia start to ask for this, the greater our chances of improving our cyber security posture and keeping our companies protected.