ASD to SMBs: here's a plain English guide to self defense

Sergey Khakimullin |

The Australian Signals Directorate (ASD) has published new guidance to help small and medium businesses (SMB) protect their networks from ransomware, phishing and other threats.

The US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) thought the ASD's advice was good enough to direct SMBs in the US to view a guide from the Australian Cyber Security Centre (ACSC), a unit of ASD, about protecting SMBs against common cybersecurity incidents, such as ransomware and phishing attacks.

Cybersecurity is not easy, but at the same time ACSC says it “doesn’t have to be difficult”.

If an authority like ACSC can explain cybersecurity concepts and terms in a way that can be understood by people who don’t spend their lives analyzing hacking techniques and the latest vulnerabilities affecting Windows, Android, macOS, iOS and the apps that run on them, SMBs might have a better chance of protecting themselves.

“There are simple measures that if understood and implemented, can significantly avoid, or reduce the impact of, the most common cyber security incidents,” ACSC says.

As ACSC outlines, malware poses a bigger threat to the economy if small businesses don’t implement the right defenses. But these businesses also need to understand the risks and the impact to them.

“We understand that owners and operators of small businesses don’t have much time to spend on understanding the complexities of the internet or establishing complicated responses to potential risks. But we also know that cyber security will underpin Australia’s economic prosperity, and will allow small businesses to grow, innovate, and find new ways of creating value for their customers.”

The document takes SMB owners through the basics of cybersecurity terminology and mitigations in plain language that larger organizations would have specialized information security staff to translate. On one hand, the document doesn’t contain groundbreaking detail, yet it does fill an information gap in a generally underserved sector of the commercial world.

Yet no matter what size a business is, the threat of business email compromise attacks is real, and such attacks often start with phishing, which ACSC points out is pronounced “fishing”; a concept that’s obvious to industry insiders but foreign to many SMB owners.

“Pronounced ‘fishing’, they are emails from individuals or organisations you ‘think’ you know. They mimic phrasing, branding and logos to appear ‘real’, before conning users to click on a link or attachment,” explains ACSC.

“Here, they defraud users by asking them to provide or confirm their personal information, such as passwords and credit card numbers, or to pay a fake account. They can also send an attachment, designed to look genuine, with malware inside.”

The document could serve as a key reference for any SMB that’s experienced an attack, helping them navigate the terms used in the vast amount of research and reports about information security attacks.

For example, “spear phishing” is summarized as “high sophistication, less targets”, while “whaling” is differentiated as “high sophistication, less and high value targets”.

For a reporter at tech publications, it’s easy to assume everyone knows what ransomware is, but not everyone does. The document also explains what ransomware is, why it’s emerged and who the targets are.

“Ransom, an age-old and effective crime, is now being committed online. Ransomware offers cyber criminals a low-risk, high-reward income. It is easy to develop and distribute. Also in cyber criminals’ favour, most small businesses are unprepared to deal with ransomware attacks,” ACSC says.

The ACSC also recommends keeping the operating systems of devices up to date, turning on automatic updates, implementing automatic backups, and using multi-factor authentication, as well as explaining what these terms mean and why they’re important. Again, the information is not new for industry pros, but it could help the majority of business owners who are not.

Copyright © 2019 IDG Communications, Inc.
