Cybersecurity and cyber-attacks are time-sensitive concerns for most government institutions, companies, and organisations in Australia. The current situation calls for increased government cybersecurity efforts for the Australian public and private sectors. How can boards across organisations and enterprises enhance cybersecurity for their meetings and workplaces?
The Situation of Cybersecurity in Australia
The Australian Cyber Security Centre (ACSC) received over 67,500 cybercrime reports last financial year, amounting to almost one case every eight minutes. The report shows that Australian individuals and businesses have lost almost $33 billion due to these cyber incidents.
With the threat of the COVID-19 pandemic, cybercriminals have been exploiting this period to carry out ransomware attacks, accessing COVID-related information and services and holding them for ransom. The ransomware attack against a Victorian public health service affected four hospitals and postponed medical procedures.
The early period of 2020 has shown similar attacks targeted at software companies. Australian businesses and organisations were exposed to numerous cyber attacks linked to state-sponsored hackers who exploited security flaws and vulnerabilities of the popular software Microsoft Exchange.
Microsoft published information about the exploited vulnerabilities in its Exchange product in the first week of March 2020. The Australian Cyber Security Centre reported detecting unusual activities in the following days, with about 7,000 Microsoft Exchange servers in Australia left potentially vulnerable. Microsoft has since released emergency patches to fix the vulnerabilities. Still, applying these patches is left to businesses and organisations that may not understand the time-sensitive nature of the vulnerabilities or may not have the capability to patch.
With the emergence of these cyber attacks, the Australian government has refined Australia’s Cybersecurity Strategy to better protect the public and private sectors. However, cybersecurity is an increasingly time-sensitive issue, and organisations must implement their own cybersecurity methods proactively. Australian businesses should start protecting their corporate data from potential vulnerabilities, including securing remote high-level meetings.
How can companies protect digital data?
There are multiple ways to protect your digital data. It is recommended to select the tools and processes suitable for your organisational and meeting needs.
Detection Systems
Sensitive detection systems are key to quick identification of breaches and effective introduction of mitigating actions.
An effective detection system can alert IT departments to malicious activity on the internal network. The timely deployment of these systems can significantly reduce the losses caused by hacker attacks. Furthermore, detection systems also help organisations and companies prepare a statement and warn stakeholders of a breach, letting all parties respond to the attack by, for example, changing their login credentials.
Multi-Factor Authentication
Multi-factor authentication should protect access to digital assets connected to the internet. This method authenticates users by requiring at least two pieces of evidence of their identity. Requiring multiple factors gives higher assurance of a user’s identity.
Sample remote access services that should have multi-factor authentication enabled:
- Email client
- Virtual private network (VPN) connections
- Online collaboration software
Multi-Level Data Encryption
Documents stored locally or on-premise, as well as on the cloud, should be encrypted with a reliable encryption method. For example, one of the recommended encryption technologies is government standard AES 256-bit encryption.
Data encryption is important for storing as well as transmitting data. Reliable data transmission encryption ensures data integrity for VPN connections and file exchange. With multiple layers of encryption, files are unreadable to any party that intercepts them but become readable upon decryption by authorised parties.
Regular Software Update
Organisations must ensure that their Internet-facing digital assets are patched and updated to the latest version. When downloading updates, also check the credibility of the source.
Regular software updates, especially email and web client updates, help introduce patches to security vulnerabilities quickly. In fact, unpatched and outdated software accounts for one in three breaches — risking data leakage and other cyber threats.
Reliable Cloud Environment
An increasing number of enterprise workloads are moving to the cloud. It’s up to government organisations and companies to ensure that they partner with cloud service providers that are reliable, secure, and easy to use.
Third-Party Services
It has been estimated that as much as 60% of cyberattacks can be attributed to the exploitation of third-party vendor security vulnerabilities. Review your third-party service providers and check their security policies and procedures in case of a hacker attack.
Risk Management
Include cybersecurity and digital risk assessment in your risk management practices. Cybersecurity should become a permanent item on the board meeting agenda. Risk management is an ongoing activity and should be addressed frequently to reflect the changing attack surface that expands with every new digital asset added.
How can Australian organisations secure high-level remote meetings?
High-level meetings often access and discuss sensitive information. With the transition of face-to-face meetings to remote meetings, organisations must ensure that they equip remote meetings with software that decreases the likelihood of data breaches.
Australian organisations should have these security features for remote meeting solutions used by the workforce:
- User logs and activities. Logs help analyse any possible malicious attempt happening within remote board meeting software.
- Session timeouts. Automatic sign-outs can prevent unauthorised parties from accessing the platform after it has been accidentally left signed in.
- Role-based access control. Access control lets administrators set up different access levels to various features in board meeting software. This way, all important documentation is available to authorised users only.
Aside from relying on the security measures built into the remote board meeting software, you should also note the best practices in conducting remote high-level video meetings.
- Require a password. Secure access to all meetings with a password. Consider one-time passwords (OTP) and tokens.
- Check the meeting links. Upon receiving a meeting link, examine the URL. Any typos might be deliberate, redirecting the connection to an unsecured location. Furthermore, ensure it’s a trusted sender.
- Verify attendees. Check the participant list before sending out meeting invitations. Consider setting up waiting lists to ensure no unauthorised person attends the meeting.
- Report suspicious activity. Whenever you see any suspicious activity, report the incident to IT teams immediately.
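The "check the meeting links" practice can be automated at the mail gateway or in a helpdesk tool. The following is an added example, not part of the original article or any vendor's product; the trusted hostnames and finding labels are hypothetical. It flags near-miss (typo) hostnames, non-HTTPS links, and the `user@host` trick that disguises the real destination.

```python
from urllib.parse import urlsplit

# Hypothetical allowlist: hosts your organisation really uses for meetings.
TRUSTED_HOSTS = {"meet.example.com", "boardportal.example.com"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot near-miss (typo) hostnames."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # deletion
                           cur[j - 1] + 1,             # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def check_meeting_link(url: str, trusted=TRUSTED_HOSTS) -> list:
    """Return a list of findings; an empty list means the link passed."""
    findings = []
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").rstrip(".")
    if parts.scheme != "https":
        findings.append("not-https")
    if parts.username is not None:
        # In https://meet.example.com@other.test/ the real host is other.test
        findings.append("userinfo-in-url")
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        # Internationalised names can hide visually identical characters.
        findings.append("non-ascii-host")
    if host in trusted:
        return findings
    near = sorted(t for t in trusted if edit_distance(host, t) <= 2)
    if near:
        findings.append("lookalike-of:" + near[0])
    else:
        findings.append("untrusted-host")
    return findings


if __name__ == "__main__":
    # Constructed sample links, not real meeting URLs.
    for link in ("https://meet.example.com/j/12345",
                 "https://meet.exarnple.com/j/12345",
                 "https://meet.example.com@login.example.net/j/1"):
        print(link, "->", check_meeting_link(link) or "ok")
```
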
Increasing Cybersecurity in Australia
Australian companies, big and small, have felt the threats and consequences of cybercrime, making this a concern that shouldn’t be pushed aside. Not following the advice and best practices on security can lead to reputational damage, litigation, and significant fines. Considering that governments and government-related organisations store highly sensitive data for thousands of people and entities, a proactive approach toward cybersecurity should become ingrained in the everyday operations of the board and top management.
How can a cyber attack on an Exchange server affect board portals?
Most board portals, including Convene, use email to send notifications for meetings, announcements, and reminders. This means that even though the portal itself is secured, hackers could still access information in the emails sent from the board portal to the directors via the Exchange server. When assessing the impact of this or future cyber attacks on the board, it is important to consider what information those emails can contain.
- Can the directors or any of the meeting attendees email documents from the board portal or the app?
- Do the board portal emails contain potentially sensitive information about the agenda or decisions made in meetings?
- Do the board portal emails contain any password reset information that could be used to gain access to the account?
Email notifications from Convene only contain the invite to the meeting and cannot include any documents. Directors cannot send emails from their apps. If they want to share information, they can do this via a secure review room. Password reset is protected via two-factor authentication.
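The three questions above can be checked against real notification emails exported from a mailbox. The following is an added example, not Convene's code or part of the original article; the reset-link pattern, the sensitive-term list, and the sample messages are assumptions to adapt to your own portal's templates.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage

# Assumed patterns; tune to your own portal's notification templates.
RESET_LINK = re.compile(r"https?://\S*(?:reset|token=|recover)\S*", re.I)
SENSITIVE = ("resolution", "acquisition", "remuneration", "confidential")


def audit_notification(raw: str) -> dict:
    """Answer the three questions for one raw (RFC 5322) notification email."""
    msg = message_from_string(raw, policy=policy.default)
    # Q1: does the email carry documents?
    attachments = [p.get_filename() or p.get_content_type()
                   for p in msg.iter_attachments()]
    body = msg.get_body(preferencelist=("plain", "html"))
    text = (msg["Subject"] or "") + "\n" + (body.get_content() if body else "")
    return {
        "attachments": attachments,
        # Q3: password reset material readable by anyone with mailbox access
        "reset_links": RESET_LINK.findall(text),
        # Q2: agenda or decision details in the subject or body
        "sensitive_terms": sorted(t for t in SENSITIVE if t in text.lower()),
    }


def build_sample(subject: str, body: str, attachment: str = "") -> str:
    """Build a constructed notification for demonstration purposes."""
    m = EmailMessage()
    m["From"], m["To"] = "portal@example.com", "director@example.com"
    m["Subject"] = subject
    m.set_content(body)
    if attachment:
        m.add_attachment(b"%PDF-constructed", maintype="application",
                         subtype="pdf", filename=attachment)
    return m.as_string()


# Constructed samples: an invite-only notification and a risky one.
CLEAN = build_sample("Board meeting invitation",
                     "You are invited to the board meeting on 12 May.\n"
                     "Details: https://portal.example.com/meetings/42\n")
RISKY = build_sample("Confidential: agenda for 12 May",
                     "Item 3: acquisition vote.\nReset your password: "
                     "https://portal.example.com/reset?token=abc123\n",
                     attachment="board-pack.pdf")

if __name__ == "__main__":
    print(audit_notification(CLEAN))
    print(audit_notification(RISKY))
```
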
Secure High-Level Remote Meetings with Convene
Convene is a board management solution that makes meetings and managing board activities a seamless experience. With enhanced cybersecurity features, Convene allows boards and committees across Australian organisations to have full ownership of their system while protecting their corporate data.
Considering all the vulnerabilities and understanding how the design of the board portal can mitigate them is the most effective way to prevent cyber attacks. Find out more about the Convene board portal or talk to us about our security features.