
5 Common Data Security #FAILS (and how to avoid them).

Published on Mar 26, 2019 2:00 AM

Top Tips from Nugit’s Data Security Partner Horangi.

Paul Hadjy explains what you can do to keep your business cyber safe in this 2 minute video.

Cyberspace can be a brutal place. With security breaches, hacks and phishing scams catching out even the biggest businesses, system security is something that none of us can afford to ignore. We invited Data Security expert Paul Hadjy, CEO & co-founder of Horangi (Nugit’s Data Security Partner) to pass on some important tips for helping to keep your business secure in cyberspace.

Paul explains “I think the most important thing for a company of any size is ingraining that security is important and that even though you’re small it can still happen to you so be careful. Also, it’s crucial to have some sort of plan in place.”

“Microsoft last year put out a statistic. About 60% of small businesses that receive a cyber attack actually go out of business within a year.”


Meet the Expert - Paul Hadjy

With a wealth of Data Security Expertise under his belt, Paul Hadjy is a handy man to know. He's had a number of impressive roles including BD / Deployment Strategist Lead @ Palantir, Head of IT, Special Projects and Information Security @ Grab, CEO & Founder @ Pandoros.

After spending years working all over the world for these widely respected Data Organisations, Paul and his co-founder decided to set up Horangi.

Now a highly regarded global company themselves with 7 global offices, Horangi builds security products that deliver incident response and threat detection for businesses worldwide. With cybersecurity breaches, prevention is definitely better than cure. Horangi helps businesses check the security of all their online systems and processes, and is on hand 24/7 to help minimise the damage and help companies regain control should the worst happen.

Check out Horangi Cybersecurity Products

So, let's get down to business. We asked Paul "What are the most common security mistakes that businesses are still making?"

FAIL #1 - NO 2 FACTOR AUTHENTICATION

Jargon Buster: 2 Factor Authentication (2FA) is a security mechanism that requires two types of credentials for authentication.

What the expert says: “One thing we always recommend when we come into an organisation if it’s not already enabled is 2-factor authentication. So you guys have probably used it before but basically, it’ll send you a text message or some sort of notification on your phone that someone’s trying to access your account, prior to you logging in. I think that’s the biggest mitigator of risk for any company to implement. And usually, if you use G-suite or something like that it’s very easy to turn on and reduces your risk by a good 95%. So definitely turn on 2FA, for everything if you can.”

Read more about 2 Factor Authentication

FAIL #2 - NO THIRD PARTY PENETRATION TESTS

Jargon Buster: A Penetration Test (or pen test) is an authorized simulated cyber attack on a computer system, performed to evaluate the security of the system.

What the expert says: “A lot of companies don’t do things like Pen testing right. They don’t have a third party checking. Any organisation, when you get big enough, you need to have someone externally checking this stuff. A lot of the regulations in Singapore and other countries require it now.”

FAIL #3 - NO CLOUD CONFIGURATION CHECKS

Jargon Buster: Configuration checks are a series of rules used to monitor compliance with your security policies.

What the expert says: “Some companies have no configuration checks in place and no policies so they don’t have a specific process that they follow when they’re implementing products on the cloud.”

Make sure everyone in your business follows clear procedures and checks when implementing new products. This will ensure all your products adhere to your security policies and reduces the scope for human error. Security is not a one-off effort. It takes a systematic approach to consistently produce and maintain a secure system.
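As an added illustration of what a configuration check looks like in practice (this is example code written for this page, not a Horangi product or anything from the interview), the script below encodes a few security policies as rules and runs them over a constructed inventory of cloud resources. The resource shapes, names and the rule set are assumptions; the MFA rule also covers the point made under FAIL #1.

```python
# Added example: a minimal rule-based cloud configuration check.
# Each rule inspects one resource and returns True when the resource
# complies with policy. The inventory is constructed sample data, not
# output from any real cloud provider.

SAMPLE_INVENTORY = [
    {"type": "storage_bucket", "name": "customer-exports",
     "public_read": True, "encryption_at_rest": False},
    {"type": "storage_bucket", "name": "app-assets",
     "public_read": False, "encryption_at_rest": True},
    {"type": "user", "name": "alice", "admin": True, "mfa_enabled": False},
    {"type": "user", "name": "bob", "admin": False, "mfa_enabled": True},
    {"type": "firewall_rule", "name": "ssh-open", "port": 22,
     "source": "0.0.0.0/0"},
]

def bucket_not_public(r):
    # Policy: no storage bucket may allow anonymous reads.
    return r["type"] != "storage_bucket" or not r["public_read"]

def bucket_encrypted(r):
    # Policy: every storage bucket must be encrypted at rest.
    return r["type"] != "storage_bucket" or r["encryption_at_rest"]

def admin_has_mfa(r):
    # Policy: every administrative account must have 2FA/MFA enabled.
    return r["type"] != "user" or not r["admin"] or r["mfa_enabled"]

def no_world_open_admin_ports(r):
    # Policy: SSH (22) and RDP (3389) must not be reachable from anywhere.
    return (r["type"] != "firewall_rule" or r["port"] not in (22, 3389)
            or r["source"] != "0.0.0.0/0")

# Ordered list so findings come out in a stable order.
RULES = [
    ("BUCKET_PUBLIC", bucket_not_public),
    ("BUCKET_UNENCRYPTED", bucket_encrypted),
    ("ADMIN_NO_MFA", admin_has_mfa),
    ("WORLD_OPEN_ADMIN_PORT", no_world_open_admin_ports),
]

def check_inventory(inventory, rules=RULES):
    """Return a list of (rule_id, resource_name) for each violation."""
    findings = []
    for resource in inventory:
        for rule_id, rule in rules:
            if not rule(resource):
                findings.append((rule_id, resource["name"]))
    return findings

if __name__ == "__main__":
    for rule_id, name in check_inventory(SAMPLE_INVENTORY):
        print(f"VIOLATION {rule_id}: {name}")
```

Running the same check on every deployment (for example in a CI pipeline) turns the "clear procedures" above into something enforced automatically rather than remembered.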

FAIL #4 - NOT FOLLOWING PDPA REGULATIONS

Jargon Buster: PDPA is the data protection law that comprises various rules governing the collection, use, disclosure and care of personal data.

What the expert says: “Singapore just released PDPA a year and a half ago now, so a lot of the regulations in there in terms of disclosure are catching out a lot of companies. For example, a business may have been breached in the past but never reported it, so if the PDPA finds out they will fine you.”

“I think the PDPA wants to know ‘Have you taken reasonable mitigation and worked to have processes in place to mitigate the threat as much as possible?’ There’s always a chance that something's going to happen, even if you spend millions of dollars on security, but as long as you’re following processes and procedures to try and solve the problem I think that's what they’re looking for.”

Find out more about PDPA regulations.

FAIL #5 - POOR PASSWORD MANAGEMENT

What the expert says: “For individuals to control their cybersecurity I think that password management is one big thing. Don’t use the same password on every system that you log in to. Generally speaking, you need to use different passwords in different environments. You can use a piece of software to help you manage that as well because it’s impossible to remember them all. There’s a lot of password managers out there. You can try LastPass or I think Chrome has its own plugin now. Macs have password management for you also.”

So you’ve probably seen lots of simple mistakes, but what about a more creative hack you’ve seen?

“I’m not able to talk about a lot of the most creative system breaches we’ve seen, but here’s a pretty creative one.”

“We worked with a business that was a cryptocurrency company. Originally they called us because they were getting hacked at the time so they needed us to help them through that, which is essentially incident response. So we helped them recover from the hack over a period of 3 days but essentially what they had done (which I’d never recommend doing) is they completely outsourced the development of their software to a country and an organisation that they’d never met. Through a lot of research, we actually found out that the hacker had attacked that organisation in a different country and then was retroactively using different user accounts because that organisation didn’t have good security. They ended up losing a couple of million dollars in cryptocurrency in a matter of days.”

If the worst does happen and you do find out your data’s been compromised, or something’s been deleted or breached, what should you do?

“If you have a decent size business you should definitely consult with an external firm. Mainly because one thing that’s really important when revealing a breach is knowing what was lost. So for example, a lot of companies that I’ve worked with previously in terms of investigating the breach… Maybe they lost the individuals' name and they lost the password but the password was encrypted. So what that means is the hackers have an encrypted password but you can’t actually do anything with that as long as they didn’t get the encryption key. So as long as you can prove that the encryption key wasn’t taken then you can sort of mitigate a lot of the badness of the attack.”

What’s your view on on-premise vs cloud when it comes to data?

“I think from a security perspective, as long as you take the right precautions and use the right procedures the Cloud is often more secure than on-prem, mainly because when you’re on-prem in a growing company actually keeping up with some of the difficult things that actually someone like AWS or Google Cloud will take care of is very difficult and takes a large IT team to support.”

How about Bug Bounty programmes? What are they and how do they work?

“A lot of the larger companies these days will have a Bug Bounty Programme. It’s essentially a way to work with researchers and allow them to do testing to try to uncover vulnerabilities in your system security. It means that if someone discovers a vulnerability they have a way to contact you prior to selling that or exploiting it even. So we have our own bug bounty programme for example, where the researchers can contact us and we send them free stuff or money. A lot of the bigger companies, like Uber and Apple will pay hundreds of thousands of dollars for these vulnerabilities. There’s a whole business where researchers will do this to companies that provide bug bounty programmes.”

Nugit are proud to work with Horangi as our Data Security Partner.

You can find out more about their products and services at Horangi.com

Chin Yong Tang, Technical Director