
Why Cloud Backups Are Essential for Google Workspace

August 31, 2022 By Angie Jones

Why do you need to back up Google Workspace?

Google Workspace (formerly known as G Suite) has become one of the most popular platforms on the market for organisations and businesses. Its suite of productivity tools (such as Calendar, Drive and Gmail) streamlines daily operations and fosters employee productivity, communication and collaboration. However, the major shift towards remote work (spurred by the COVID-19 pandemic) has seen collaboration tools that can be accessed remotely (such as Google Workspace) become essential to maintaining business as usual. This has also resulted in a dramatic surge of data creation.

This is where Google Workspace’s lack of a comprehensive and extended backup system causes issues. While Google Workspace does maintain a backup of primary data in the event of disaster recovery or major disruptions to business continuity, these backups expire within a set period of time and cannot be accessed to restore data upon user request. If you don’t already have a cloud backup solution for your organisation’s Google Workspace, then all of your important information, files and data are at risk.

Is your data in danger?

Let’s give credit where credit is due – Google Workspace has a reputation for being a secure, resilient and reliable platform. However, while it may be unlikely that Google will lose any of your organisation’s data, that doesn’t mean you won’t lose access to it. Google’s default data protection does not cover data loss that occurs on the user’s end. So, while Google has a responsibility to protect against loss of service (i.e. hardware or infrastructure failure, natural disasters, data centre outages, etc.), your organisation is liable for the protection of your data. With this in mind, there are a number of security threats that could result in permanent data loss without a backup solution in place. These include (but are not limited to):

  • User Error: Mistakes happen, but they don’t have to be permanent. With a cloud backup system in place, you’ll be able to restore files that may have been altered, corrupted or compromised on-demand. Google Workspace only allows deleted files to be retrieved within 30 days from the Trash, so any important or older versions of files that may have been accidentally deleted could be lost forever if the user doesn’t realise their mistake in time.
  • Insider Threats: Disgruntled employees with malicious intent are a serious threat to any business, as they have a working knowledge of, and access to, all of your systems and sensitive information. This leaves your vital data vulnerable to exploitation, theft and/or destruction.
  • Outages and Disruptions: Everybody has off days…even Google. A major, unanticipated outage in 2020 left Google users unable to use many of its services. The outage lasted several hours, impacting both individual users and businesses, who were unable to access their emails or upload files.
  • Malware and Ransomware: If there’s a vulnerability in any of your organisation’s systems or Google’s applications, then it’s only a matter of time before a cybercriminal exploits it. Hackers often disguise malware and ransomware as legitimate looking files, emails or links. All it takes is one click from an unsuspecting user and the hacker now has complete access to all of the Google Workspace data across your organisation. From there, they may choose to steal, destroy or even hold it for ransom.
  • Third-party Applications: Do you know what’s on all of your employees’ devices? Unverified third-party applications pose a serious risk to your Google Workspace applications and data. Any third-party application that inadvertently gains access to your Google Workspace has the potential to overwrite and/or corrupt vital company data.

Google Vault

Users of certain editions of Google Workspace are able to access Google Vault, an information governance and eDiscovery tool. Vault gives users the ability to retain, hold, search and export Google Workspace data. However, Google Vault is NOT a backup solution. Google themselves even confirm this, stating: “No. Vault isn’t designed to be a backup or archive tool.” Indeed, unlike third-party backups, Google Vault was not designed to have the capability to recover lost or corrupted data. It also doesn’t support the whole range of Google Workspace applications (such as Calendar and Contacts). Furthermore, Google Vault does not store ex-users’ data. This means that, once an employee parts ways with your company and their Google Workspace user account is deleted by the admin, all of their data will be deleted alongside it. So any important projects, documents and contacts they created for your company may be gone forever.

Should you back up your Google Workspace data with a third-party cloud provider?

A third-party cloud backup system can ensure that all of your Google Workspace data is fully recoverable even in the most dire of circumstances. Benefits of third-party cloud software include:

  • Back up all your data from Gmail, Calendar, Drive, Docs, Sheets, Slides, Meet and more
  • Enhanced retention options allow you to recover data from any point in time
  • Give yourself peace of mind with automated and continuous backups

Planning for data loss isn’t paranoia, it’s good business practice!

Are you thinking about backing up your Google Workspace data? eStorm can help! Contact us at 07 3120 0640 or [email protected].

 


Mastering Microsoft Ep 9: How to Upload and Sync Files from Desktop to OneDrive

August 31, 2022 By Angie Jones

OneDrive is a Microsoft Office 365 application that enables you (and your employees, clients, partners and outside consultants) to access important files and documents anytime, anywhere and from any device. Uploading your files to cloud storage also helps to free up disk space on your device hard drive, giving you the freedom to install and run all your necessary applications. OneDrive also enables you to sync the entire contents of your device, allowing you to access and edit all of your files…even when you’re offline! The best part is, OneDrive will automatically update your new files and edits once you’re back online.

How to Upload and Sync Files from Desktop to OneDrive:

  1. Install the OneDrive app onto your device and follow the set-up prompts using your OneDrive account
  2. Locate the file or folder you wish to upload to OneDrive
  3. Move it to your OneDrive folder
  4. To check the upload worked, open your internet browser and sign in to OneDrive online
  5. Look to see if the file or folder is there
  6. You can now access, edit or share that file using the desktop or online versions of the Microsoft Office 365 suite and all changes will be synced between your device and OneDrive online


How To Achieve ISO 27001 Certification

August 4, 2022 By Angie Jones

Phase 1 – Prepare a Project Plan

Gaining ISO 27001 certification can be a long and arduous task. Therefore, to save yourself time and future headaches, be sure to prepare a detailed project plan. During this stage it’s important to set expectations, so that everyone in the team is aware of their roles, responsibilities and project milestones. This is also the time to become familiar with the ISO 27001 standard and the 114 controls detailed in Annex A. Another important consideration to make is whether your team has the skills and experience necessary to achieve certification. Hiring an ISO 27001 consultant to guide you through your Information Security Management System (ISMS) journey may save you time and money in the long run. With all that in mind, it’s not hard to see that a comprehensive and diligently managed project plan can set your business up for success from the get go.

Phase 2 – Determine the Context, Objective and Scope

Your business is unique and your ISMS should reflect that. For this reason, it is important to determine the ‘scope’ of your ISMS. To do this, consider exactly what kind of data your organisation needs to protect. Depending on how sensitive this information is, your ISMS may extend to include the entirety of your organisation or be limited to a specific department, environment or geographical location. The scope will not only be determined by your needs, but also the requirements of your stakeholders (employees, governments and regulatory bodies to name a few). During this phase it is also important that you determine the organisational context, that is all internal and external factors which have the potential to impact upon your information security. This may include (but not necessarily limited to) your company structure, workplace culture, existing systems, current policies and protocols, etc. This evaluation will enable you to pinpoint your ISMS objectives, which will help to set a realistic and achievable project budget and timeframe.

Phase 3 – Conduct a Risk Assessment and Gap Analysis

It is a requirement of the ISO 27001 standard that your business conducts a formal risk assessment. In order to be in compliance, the process must be well planned, with all data, results and analysis meticulously documented. The first step in conducting a risk assessment is to establish the baseline security criteria. This refers to all legal, regulatory and contractual requirements (in relation to information security) your company has an obligation to meet. It is mandatory that your organisation compiles both a Statement of Applicability (SoA) and Risk Treatment Plan (RTA) report, as both will need to be reviewed during the registration (certification) audit. Many businesses that lack the in-house expertise to effectively complete a formal risk assessment will often choose to hire an ISO consultant to provide guidance and guarantee all requirements are being fulfilled.

Phase 4 – Implement Policies and Controls To Mitigate Risks

The risk assessment in Phase 3 will identify the gaps in your current IT infrastructure and any risks that they could possibly result in. In Phase 4, you will have to decide how you will address said risks. The SoA mentioned in the previous phase will identify and summarise the relevant ISO 27001 controls and policies, while the RTA records your organisation’s response to the risks identified during Phase 3. The ISO 27001 standard outlines four courses of action in dealing with risks:

  1. Modify – Minimise the possibility of the risk occurring by implementing controls
  2. Avoid – Prevent the risk from occurring by preventing the circumstances that would enable it
  3. Share – Utilise a third party to help deal with the risk, such as outsourcing your cybersecurity needs, purchasing cybersecurity insurance, etc.
  4. Accept – Risks may be tolerated when the cost of addressing them outweighs the damage they have the potential to cause.

The response you choose for each risk will inform which policies and controls should then be implemented.

Phase 5 – Provide Education and Training

The ISO 27001 standard shares the responsibility of cybersecurity throughout the organisation. It dictates that companies foster a culture of cybersecurity awareness by providing ongoing training for all employees. This helps to both promote good habits and personal responsibility. It also ensures that each member of your organisation fully understands the importance of data security and remains vigilant in their duties.

Phase 6 – Review and Update All Evidential Documentation

As we’ve discussed, supporting documentation of all evidence is paramount to achieving ISO 27001 certification. An auditor will need to review your records in order to verify that you’ve established the necessary ISMS processes, policies, and procedures, and that they’re functioning per the ISO 27001 standard. To get an idea of how challenging this task can be, here is just SOME of the documentation required:

  • Scope of the ISMS (Clause 4.3)
  • Information security policy (Clause 5.2)
  • Information security objectives (Clause 6.2)
  • Information security risk assessment process (Clause 6.12)
  • Information security risk treatment process (Clause 6.13)
  • The Statement of Applicability (Clause 6.13.d)
  • Risk Treatment Plan (Clause 6.13.e)
  • Risk Assessment Report (Clause 8.2)
  • Definition of security roles and responsibilities (Clause A7.1.2)
  • Inventory of assets (Clause A8.1.1)
  • Acceptable use of assets (Clause A8.1.3)
  • Access control policy (Clause A9.1.1)
  • Operating procedures for Information Security (Clause A12.1.1)
  • Incident management procedure (Clause A16.1.5)
  • Business continuity strategy & procedures (Clause A17.1)
  • Statutory, regulatory, and contractual requirements (Clause A18.1.1)
  • Evidence of competence (Clause 7.2)
  • Documented information determined by the organization as being necessary for the effectiveness of the ISMS (Clause 5.5.1)
  • Operational planning and control (Clause 8.1)
  • Results of the information security risk assessment (Clause 8.2)
  • Results of the information security risk treatment (Clause 8.3)
  • Evidence of the monitoring and measurement of results (Clause 9.1)
  • A documented internal audit process (Clause 9.2)
  • Evidence of the audit programs and the audit results (Clause 9.2)
  • Evidence of the results of management reviews (Clause 9.3)
  • Evidence of the nature of the non-conformities and any subsequent actions taken (Clause 10.1)
  • Evidence of the results of any corrective actions taken (Clause 10.1.g)

While collecting and organising all of these records seems overwhelming, documentation templates and compliance automation software for ISO 27001 are available to do (most of) the hard work for you.

Phase 7 – Undergo a Certification Audit

During this phase, an external auditor will conduct a two-part audit to assess whether or not your ISMS is in accordance with the ISO 27001 requirements.

Stage One: ISMS Design Review

The auditor reviews your ISMS documentation to determine that all policies and procedures are compliant with clauses 4-10 of the ISO 27001 ISMS requirements. Any areas of nonconformity and/or potential improvement will also be identified. Any issues must be rectified and any suggested improvements implemented prior to Stage 2’s commencement.

Stage Two: Certification Audit

The auditor will thoroughly assess your business processes and security controls against the ISO 27001 ISMS and Annex A requirements. This detailed assessment will ascertain if your organisation is in accordance with the ISO 27001 standard.

Once your organisation has passed the Stage 1 and Stage 2 audits, you’ll be issued an ISO 27001 certification that is valid for three years. 

Phase 8 – Maintain Compliance

ISO 27001 necessitates continual improvement. This means that your ISMS must be constantly analysed and reviewed in order to maintain its effectiveness, as well as its compliance with the ISO 27001 standard. In addition, as your business grows so too do the risks. As a result, it’s of the utmost importance that you take every opportunity to make improvements to the existing processes and controls. Periodic audits are key to the ongoing monitoring of your ISMS.

Surveillance audits will need to be conducted multiple times throughout your three year certification period. The purpose of a surveillance audit is to check whether organisations are effectively maintaining their ISMS in adherence to the ISO 27001 standard. They are also done to check that all nonconformities and exceptions found during the certification audit process are resolved.

Recertification audits are done during the final year of your certification term. An external auditor will once again assess your ISMS and determine whether you meet the requirements of ISO 27001. Once completed, another three year ISO 27001 certification will be issued to you.

How long does it take to achieve ISO 27001 certification?

The timespan from the beginning of your ISO 27001 journey to reaching certification can depend on many different variables, such as the resources available, prior experience with the ISO 27001 standard, size and complexity of the ISMS, level of involvement from management, etc. Generally, most small to mid-size businesses achieve certification within 12 months. Any attempts to rush or shortcut the process often result in a sloppy ISMS that does not pass the certification audit, becoming a drain on your time and money until all issues are resolved. It should be noted that auditors look for at least two to three months of documented evidence that speaks to the maturity of your system. So once you get your ISMS up and running you should allow that window of time before seeking certification. Hiring an ISO 27001 consultant can significantly shorten this timeframe, as they have all the tools and knowledge needed to fast-track your success.

How much does ISO 27001 certification cost?

Unfortunately, there is no standardised cost for ISO 27001 certification. The overall cost can differ depending on the specifics of your business and the resources you’re willing to devote to completing this project. In trying to determine your overall budget, it is best to break down the costs into two categories:

  1. The costs of setting up the ISMS
  2. The costs of getting externally certified

The Costs of Setting up the ISMS

Setting up an ISMS that is compliant with ISO 27001 can either be done in house or with the help of a consultant. While going it alone may seem like the cost effective option, in many cases it can prolong the process and haemorrhage your finances. Fees and costs can also vary drastically between providers. However, in most cases, the main factors in determining the cost are:

  • The size of your organisation
  • Number of sites
  • The level of risk
  • The level of any pre-existing ISMS
  • The level of involvement your company has in setting up the ISMS

Something worth considering is that, while the initial setting up of an ISMS can be a costly investment, the integration of any subsequent systems will cost significantly less.

The Costs of Getting Externally Certified

In order to achieve ISO 27001 certification an accredited third-party body must conduct an audit, so this cost must also be accounted for. In Australia, certification of a single standard generally costs between $3000 and $5000 annually. Furthermore, it’s important to view ISO as an ongoing investment, factoring in the periodic audits and re-certifications.

No matter where you are in your ISO 27001 journey, eStorm can help build a path to success and the lasting effectiveness of your information security management system. View our ISO 27001 page to learn more!


Mastering Microsoft Ep 8: How to Externally Share Files in SharePoint

July 28, 2022 By Angie Jones

Organisations and businesses in the modern age generate a lot of data. With so much data to sift through, employees can often struggle to find the information they need when they need it. Microsoft SharePoint is an efficient and user friendly way to easily track, store and manage data. The platform stores and organises all your files for you, allowing you and your staff to easily access them whenever you need. SharePoint also features an external sharing option which enables users within your organisation to share files, folders and content with external parties (including partners, freelance consultants, vendors, clients and customers).  In this episode of eStorm’s Guide to Mastering Microsoft, we’ll walk you through how simple this process is! We’ll also show you how to revoke access to files, in the event you only want an external user to have access for a temporary period of time.

How to Externally Share Files in SharePoint:

  1. Open SharePoint
  2. Click on ‘Documents’ and locate the file you want to share
  3. Click on the ‘Share’ icon
  4. Change the link settings by clicking on the drop down menu and choosing the ‘Link settings’ option
  5. To share the file externally, you’ll need to change the ‘Who would you like this link to work for?’ option to ‘Specific people’
  6. To prohibit anyone from downloading the file to their device, switch the ‘Block download’ toggle on
  7. If you want the user not only to be able to access the file but also to make changes to it, check the box next to ‘Allow editing’
  8. Once you’ve changed the link settings, click on ‘Apply’
  9. Enter the email addresses of any user you want to be able to access the file
  10. If you wish to craft your own email through your Outlook account, click on ‘Copy’, from there you can open your email account and write an email as you normally would. Don’t forget to paste the link into your email’s message!
  11. To send the link via SharePoint, simply click on ‘Send’. You can also add a brief message by typing it into the Message box

How to Revoke Access to Files in SharePoint:

  1. Click on the three little dots next to the file
  2. Choose ‘Manage access’ from the menu options
  3. Delete users by clicking on the ‘X’ next to their name
  4. When asked ‘Want to remove (insert user name here)?’ click on ‘Remove’


Phishing Attack Prevention: How You Can Avoid Becoming the Catch of the Day

July 19, 2022 By Angie Jones

Over 50% of IT professionals agree that phishing attacks are one of the biggest cybersecurity concerns currently affecting both individuals and businesses. Lapses in cybersecurity protocols and weak infrastructure allow phishing attacks to access highly sensitive information, including passwords, financial details and personal information. Criminals are using every communication method at their disposal, including email, social media and phone calls, to ensnare their victims. Their deceptions have also become sneakier and more convincing over time, pretending to be trusted friends, coworkers, institutions and even governments. Unfortunately, one click can be all that stands between your private data and a hacker. With over 90% of data breaches being attributed to phishing attacks, it’s only a matter of time before you or your organisation becomes an unwitting target. Therefore, it’s important to know how to prevent, identify and manage any phishing attempts.

How Does Phishing Work?

A phishing scam will attempt to persuade the intended target to undertake an action (such as open an attachment, click on a link, fill out a form, or reveal personal information), by posing as a trustworthy individual or reputable organisation. Once the action is completed, a number of consequences may result. A cybercriminal will most likely use a phishing scam to try to:

  • Gain total control of your device and its contents by infecting it with malware
  • Access private information that can be used to steal your money and/or identity
  • Obtain log in details for your online profiles including email, social media, banking, online shopping and other platform accounts
  • Trick you into willingly sending money or other valuables through deception

Phishing attacks can take many forms. Some are swift and encourage you to urgently complete a specific action, while others can be a long drawn out process, building a connection with the intended victim over an extended period of time. Only after a trusting relationship has been established (and the victim is lulled into a false sense of security) does the scammer take advantage of the situation.

Unfortunately, even if you exercise extreme caution, it can be the people closest to you who pose the most danger. If someone close to you has their email, contact list or social media compromised by a phishing attack, then the hacker may hijack their account. From there, it’s an easy feat for the hacker to spam friends, family and coworkers with phishing messages seemingly from an account they know and trust.

Types of Phishing Attacks

The sad truth is that cybercriminals who use phishing attacks are good at what they do. They’re savvy liars, who know how to craft believable stories and design legitimate appearing communications. They’re so good that over 40% of employees have admitted to not following best practice guidelines and engaging in some form of dangerous action while online (i.e. clicking on an unfamiliar link, downloading a file or exposing personal data). If you’re an act first and think later kind of person, then you’re an easy target for phishing scams.

The good news is that phishing is much easier to recognise once you know what to look for. Although phishing attacks can take many forms, they most commonly fall into one of the following categories:

  • Phishing emails are carefully designed to resemble a valid email address, individual, company or organisation. It may include personal information the cybercriminal has gathered about you (such as your name, employer or geographical location), in order to appear more legitimate. It will likely also include a request to follow a link, open an attachment, change a password, send a payment or reply with private information.
  • Phone/Voice phishing (vishing) occurs when a scammer impersonates a person or company over the phone. They may use a number of methods to call your number directly, such as Voice over Internet Protocol (VoIP) technology. In other cases, a visher might try to mask their own phone number by sending out an automated message that redirects the intended victim. In any case, the visher will say and do everything they can to keep you on the phone. The longer you talk to them, the more likely you are to fall into their trap.
  • SMS phishing (smishing) is very similar to vishing, but will take place over text exchanges and messaging apps.
  • Social media phishing involves cybercriminals either posting or directly messaging phishing links on social media platforms. The links can take a variety of forms: fake news articles, free giveaways or sketchy “official” charitable organisations with urgent requests. Referred to as “clickbait”, the links will be as sensationalised and dramatic as possible in order to entice people. If any of your social media contacts fall for the trap, then the scammer can then impersonate them and use their account to spread the nefarious link.
  • Clone phishing takes place when an existing message from a legitimate contact is duplicated, with all of the original attachments and links replaced by the scammer. While this method most commonly appears in email attacks, it has also been used by social media and SMS phishing scams.
  • Domain spoofing is a popular technique used to impersonate brands, businesses and organisations. Cybercriminals will mimic valid email addresses by using a domain that very closely resembles the one used by the real company. For instance @netflix.com may be modified to @netflix-support.com in order to fool Netflix subscribers. Alas, people who fall for this scheme may not realise their mistake until it’s too late.
  • Email account takeover takes place when a cybercriminal acquires the email credentials of an executive member of an organisation. They use this to impersonate them and target any colleagues, team members, clients and customers who have dealings with this individual. The scammer capitalises on their high profile and position of authority, sending out phishing emails to other targets who report to and/or trust the original email account holder.
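
The domain spoofing pattern above (@netflix.com versus @netflix-support.com) can be checked mechanically on the receiving side. The following is an added example, not part of the original article: it compares a sender's domain against an allowlist and flags near-misses. The allowlist contents, the function names and the sample headers are assumptions constructed for illustration, and internationalised (punycode) look-alikes are out of scope.

```python
import re
from email.utils import parseaddr

# Assumption: the organisation keeps its own list of domains it genuinely
# receives mail from. These values are constructed for the example.
TRUSTED_DOMAINS = {"netflix.com", "examplebank.com.au"}

# Digits commonly swapped in for letters in look-alike domains.
DIGIT_SWAPS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def sender_domain(from_header: str) -> str:
    """Return the lower-cased domain of a From header, or '' if there is none."""
    _display_name, address = parseaddr(from_header)
    if "@" not in address:
        return ""
    return address.rsplit("@", 1)[1].strip().rstrip(".").lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character inserts, deletes and swaps."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(domain: str, trusted=TRUSTED_DOMAINS):
    """Return (verdict, reason); verdict is 'trusted', 'lookalike' or 'unknown'."""
    if not domain:
        return ("unknown", "no sender domain")

    # Exact match or a genuine subdomain (mailer.netflix.com) is trusted.
    # The leading dot stops 'notnetflix.com' from matching 'netflix.com'.
    for good in trusted:
        if domain == good or domain.endswith("." + good):
            return ("trusted", good)

    labels = domain.split(".")
    # Split labels on '-' and '_' so 'netfl1x-billing' is compared piecewise.
    tokens = [t.translate(DIGIT_SWAPS)
              for label in labels for t in re.split(r"[-_]", label) if t]

    for good in sorted(trusted):
        brand = good.split(".")[0]
        # Brand name embedded in an untrusted domain:
        # netflix-support.com, netflix.com.account-verify.example
        if any(brand in label for label in labels):
            return ("lookalike", f"contains '{brand}' but is not {good}")
        # One typo away from the brand, after undoing digit swaps (netfl1x.com).
        # Short brands are skipped because they collide with ordinary words.
        if len(brand) >= 5 and any(edit_distance(t, brand) <= 1 for t in tokens):
            return ("lookalike", f"one character away from '{brand}'")

    return ("unknown", "no resemblance to a trusted domain")


def triage(from_headers):
    """Classify each From header; returns a list of (header, verdict, reason)."""
    results = []
    for header in from_headers:
        verdict, reason = classify_domain(sender_domain(header))
        results.append((header, verdict, reason))
    return results


# Constructed sample From headers, not taken from real mail.
SAMPLE_HEADERS = [
    "Netflix <info@netflix.com>",
    "billing@mailer.netflix.com",
    "Netflix Support <help@netflix-support.com>",
    "account@netfl1x.com",
    "security@netflix.com.account-verify.example",
    "newsletter@gardening.example",
    "Customer Service",
]

if __name__ == "__main__":
    for header, verdict, reason in triage(SAMPLE_HEADERS):
        print(f"{verdict:<10} {header}  ({reason})")
```

A 'lookalike' verdict is a reason to quarantine or warn, not proof of fraud, and an 'unknown' verdict only means the domain does not resemble anything on the allowlist.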

How to Spot a Phishing Email

Approximately 3.4 billion spam emails are sent out every day! While spam filters may stop many phishing attempts from reaching your inbox, there are bound to be some that slip through. Scammers are also continually updating their tactics, doing everything they can to disguise themselves and their intentions. Below are some red flags that can help you spot any phishing emails that have managed to slip into your inbox:

  • Warnings of suspicious activity and/or log-in attempts that have been noticed on your account
  • Claims that you have an outstanding payment and/or that you need to rectify your payment information
  • Requests to confirm your account by disclosing personal information
  • Attachments/downloads (such as fake invoices or receipts)
  • Statements that you’re eligible for some form of government refund and/or scheme
  • Offers of coupons/vouchers for free items/services to be redeemed
  • Spelling errors and poor grammar
  • Unprofessional or amateur looking graphics
  • Generic greetings instead of your name (such as Dear Customer or Dear Sir/Madam) 
  • Unfamiliar links

What To Do If You Receive a Phishing Email

Unfortunately, many of us don’t think twice when opening emails in our inboxes. In fact, one third of all phishing emails are opened by their recipients! While simply opening the email may not have any ill consequences, it drastically increases the probability that you’ll click on a malicious link or download, whether unintentionally or because curiosity got the better of you. For this reason, if you come across a suspicious looking email then we recommend you follow these simple steps:

  1. Delete the email immediately without opening it. Not all phishing emails require you to click on or download something, some can infect your device just by being opened! It’s better to be safe than sorry.
  2. Block the sender of the email. If your email provider allows you to manually block incoming emails from specific accounts/domains then be sure to add the sender to your blocked list. If you are using a shared account or someone else has access to your inbox, then this is especially important.
  3. Consider purchasing extra security to help monitor for phishing emails, such as antivirus software.

Tips To Protect Yourself From Phishing Attacks

Even the most cautious person can still fall victim to a phishing attack. As cybercriminals employ more sophisticated tactics and find new ways to create increasingly convincing communications, it’s more important than ever to take preventative steps to avoid becoming the catch of the day.

Here are some basic measures you can use to avoid being scammed:

Be cautious when giving out personal information

A good general rule is to never give out your information to a person or website you don’t 100% trust. Be sure to thoroughly verify that every website and/or company you give your information to is both genuine and secure. If the URL of the website doesn’t start with “https” or have a closed padlock icon next to it, then under no circumstances should you enter your details.

Never trust alarming messages

Phishing scammers are known for trying to scare their victims into handing over their information. No matter what a communication says, it’s important to remember that most reputable organisations (such as governments, banks, insurance companies, etc) will never request account or other sensitive information via email. If you receive a worrying email, delete it and contact the company directly to confirm whether they sent it.

Avoid clicking on embedded links

It’s generally not a good idea to click embedded links in emails, even when you know the sender. At the very least you should hover over the link to see if the destination is what it claims to be. However, in some cases the attack is so sophisticated that the destination URL is indistinguishable from the genuine site. Rather than clicking on the link, use your search engine to find the site and visit it directly.
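For mail administrators, the hover check above can be automated over an HTML email body. The following is an added example, not part of the original article: it compares each link's visible text with its real destination and flags the mismatch. The sample message, the domains and every function name are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit
import ipaddress
import re

# Constructed sample email body (not taken from a real message).
SAMPLE_HTML = """
<p>Dear Customer,</p>
<p>We noticed a suspicious log-in. Confirm your account at
<a href="http://203.0.113.25/login">https://www.examplebank.com.au/login</a>.</p>
<p>Read our <a href="https://www.examplebank.com.au/help">help page</a>.</p>
<p>Claim your voucher:
<a href="https://xn--bcher-kva.example/voucher">examplebank.com.au/voucher</a></p>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(value):
    """Return the lower-case hostname of a URL-like string, or None."""
    value = value.strip()
    if not re.match(r"^[a-z][a-z0-9+.-]*://", value, re.I):
        value = "//" + value  # lets urlsplit read 'example.com/path' as a host
    try:
        host = urlsplit(value).hostname
    except ValueError:
        return None
    return host.lower().rstrip(".") if host else None


def text_claims_host(text):
    """If the visible text itself looks like a URL or domain, return its host."""
    pattern = r"(?:https?://)?[A-Za-z0-9.-]+\.[A-Za-z]{2,}(?:[/:?#]\S*)?"
    return host_of(text) if re.fullmatch(pattern, text) else None


def same_site(claimed, actual):
    """True when the real host is the claimed host or a subdomain of it."""
    def strip(h):
        return h[4:] if h.startswith("www.") else h
    claimed, actual = strip(claimed), strip(actual)
    return actual == claimed or actual.endswith("." + claimed)


def check_link(href, text):
    """Return the list of warning flags for one link."""
    flags = []
    try:
        scheme = urlsplit(href.strip()).scheme.lower()
    except ValueError:
        return ["unparseable-url"]
    if scheme in ("mailto", "tel"):
        return flags
    if scheme != "https":
        flags.append("not-https")
    host = host_of(href)
    if host:
        try:
            ipaddress.ip_address(host)
            flags.append("ip-literal-host")  # bare IP instead of a named site
        except ValueError:
            pass
        if any(label.startswith("xn--") for label in host.split(".")):
            flags.append("punycode-host")  # may render as look-alike characters
    claimed = text_claims_host(text)
    if claimed and host and not same_site(claimed, host):
        flags.append("text-host-mismatch")  # text shows one site, href goes to another
    return flags


def audit_email(html):
    """Return (href, text, flags) for every link that raised at least one flag."""
    collector = LinkCollector()
    collector.feed(html)
    results = [(h, t, check_link(h, t)) for h, t in collector.links]
    return [r for r in results if r[2]]


if __name__ == "__main__":
    for href, text, flags in audit_email(SAMPLE_HTML):
        print(f"{flags}: shown as {text!r}, goes to {href!r}")
```

A clean result does not prove a link is safe: the comparison is by hostname suffix only, and a look-alike domain whose visible text matches its own address raises no flag.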

Don’t download any attachments

Never open an attachment from a suspicious or strange email. Many will be mislabelled as Word, Excel, PowerPoint or PDF file types in order to trick you into downloading malware or something else nefarious.

Install anti-phishing add-ons

Most internet browsers these days have add-ons available that can discern malicious websites and alert users to known phishing sites.

Install firewalls

Firewalls act as a shield between your device and a cyberattack. A combination of desktop and network firewalls is one of the most effective ways to reduce the chances of a phishing attack infiltrating your environment.

Regularly update your software and operating systems

Look, we’re all guilty of ignoring update notifications at some point or another. However, patches and updates are necessary to ensure your device can withstand the latest cyberattack methods. Older operating systems and internet browsers are some of the most common targets for phishing attacks, so make sure you update, update, update!

Filed Under: News, Security

What Is a VPN? An Introduction To Virtual Private Networks

June 22, 2022 By Angie Jones

What is a VPN?

A virtual private network (better known as a VPN) is one of the easiest and most effective ways of protecting your anonymity online. Connecting to a secure VPN server masks your internet protocol (IP) address, as it encrypts your internet traffic in real time. This ensures that your identity and online activities are virtually untraceable by third parties, including hackers, governments and internet service providers (ISPs). VPN services protect your network connection when using public networks, providing greater privacy for your personal data and information.

Why should you use a VPN?

If you value online privacy and security, then you should strongly consider employing a VPN every time your device is connected to the internet. Using an unsecured internet connection (whether it’s one set up by an ISP or a public Wi-Fi network) exposes your personal information, private data and browsing habits to cyber criminals.

When utilising an internet connection provided by an ISP, your network traffic is routed through your ISP’s servers. This tracks your IP address and catalogues everything you do online. While your ISP might not seem nefarious, they could very well be sharing your browsing preferences with advertisers, law enforcers, governmental bodies and other third parties. Furthermore, if your ISP falls victim to a cyberattack, then your personal and private data will likely be compromised as well.

Public Wi-Fi networks that don’t require a password to access are even more dubious, as any strangers using the same network can snoop on your online session. You never know who could be eavesdropping and you may inadvertently give them the perfect opportunity to steal your passwords, personal data, banking and payment details, etc. Even just the smallest bit of information is all cyber criminals need to commit identity theft and/or financial fraud.

This is where a VPN comes in. VPNs hide your IP address, while also scrambling your data so that no one else can read it. This maintains your anonymity when web surfing, downloading files and commenting on forums. It also ensures that your private activities stay private, including sending emails, online shopping, paying bills, accessing medical records, etc. VPN apps also run in the background of your device, giving you peace of mind without disrupting your online activities.

How does a VPN work?

When you connect to the internet via a VPN, the network redirects your IP address through a remote server run by the VPN host. This creates a data ‘tunnel’, wherein your local network is the entrance and the exit is a node in a location which could potentially be thousands of miles away. This means that the VPN server now becomes the source of your data, so the websites you visit can only see the IP address of the VPN server and not the IP address of your device. So while your internet traffic still passes through your ISP, your internet activity will appear to originate from the VPN server’s IP address, which safeguards your browsing history from both your ISP and any websites that record search histories and track locations. VPN service providers typically have servers across the globe that are shared amongst multiple users and are frequently changed for security reasons. In addition, VPNs also work as a filter, encrypting your data and making it incomprehensible. This renders it entirely useless to your ISP, as well as any third parties who may seek to steal it. While this is a basic overview of how VPNs operate, a comprehensive VPN solution should perform all of the following tasks to protect itself (and you) from being compromised.

  • Encryption of IP address: a VPN’s number-one job is to conceal your IP address from any and all third parties. This guarantees all information you send and receive online can only be seen by you and your VPN service provider.
  • Encryption of protocols: a VPN should also prevent you from leaving a digital footprint. Encrypting cookies, as well as your browser and search history, stops unwanted third parties from accessing your confidential and personal information.
  • Kill switch: a sudden interruption to your VPN connection results in an interruption to your secure connection. A VPN that can automatically detect sudden downtime is able to reduce the risk of your data being compromised by terminating preselected programs.
  • Two-factor authentication: a VPN that requires multiple authentication methods increases the difficulty for third parties to trespass on your network connection. This may include a combination of multiple passwords, verification codes and/or authenticator apps.

What are the benefits of using a VPN?

Using a VPN comes with a number of benefits, which include (but are not limited to) the following:

Protecting Your Devices

Keep your devices safe from cyber attacks by using a VPN. Anything that can be used to access the internet including desktop computers, laptops, tablets and even smart phones, can be exploited by cyber criminals looking to profit off your personal information. A VPN can shield your data and keep it away from prying eyes.

Protecting Your Browsing History

It’s no secret that everything you do on the internet is being watched. ISPs, websites and internet browsers keep track of everything you do and tie that information back to your IP address. Your data is then qualified, quantified and exploited. Beyond feeling violated that others may be privy to potentially embarrassing private information (such as medical conditions), it’s just plain annoying. Targeted ads are everywhere these days and they often lead to consumers being scammed, ripped off or worse.

Disguising Your Whereabouts

Your IP address links everything you’ve searched, clicked on, posted, watched and downloaded on the internet to your location and device. Think of it as the return address you’d put on the back of a letter. VPNs allow you to do all these online activities anonymously, by disguising your own IP address with that of the VPN server. Not only does this protect your privacy, but it halts the viewing, collection and sale of your search history.

Secure Transfer of Data

When working away from the office you may still need to access important files on your organisation’s network. Depending on the work you do, these files may contain sensitive information that must be protected at all costs. To access them, you’ll need a fast, reliable and secure VPN connection. Using a VPN that connects to private servers and uses encryption methods can minimise the risk of data leakage.

Get Access to Geo-blocked and Regional Content

As we’ve discussed, your IP address is a unique number that identifies you, your device and geographical location. You can customise your VPN connection to make it appear as if you’re in any one of the countries the VPN service provider has servers in. Streaming services such as Netflix often have different catalogues of content depending on your region. Using a VPN to change your location enables you to access a wider range of titles. Furthermore, some websites may geo-block their products and content, prohibiting certain countries or restricting access to specific locations. With VPN location spoofing, you’ll never again have to miss out because of where in the world you call home.

Prevent Price Discrimination

Price discrimination refers to the practice of varying the price of products or services based on the consumer’s location, previous purchases on the platform (first-time vs repeat customers, etc), and online shopping preferences (reseller websites like eBay, fast fashion brands, luxury and designer labels, etc). These factors are considered by automated algorithms, which then determine the pricing. By inhibiting these algorithms from accessing your internet history and cookies, VPNs can save consumers from being grossly overcharged.

Avoid Censorship

Certain countries restrict (or even prohibit) their citizens’ ability to freely explore the internet and easily access information. For tourists trying to find their way around, search for recommendations, and get in touch with friends and family back home, this can cause a lot of frustration. However, a VPN can circumvent censorship and internet blocks, giving you access to all the resources you may need while abroad. It is important to remember that it is the user’s responsibility to carefully research the country’s laws, as using a VPN may not always be legal.

Prevent Data Throttling

Some ISPs include ‘data caps’ in their terms and services. This means that once you’ve consumed a predetermined amount of your available data, your ISP will slow your internet service down. This is known as ‘data throttling’. VPNs can help you avoid reaching data caps altogether, as they bar your ISP from determining how much data you’re using.

Avoid Bandwidth Throttling

Similarly, ‘bandwidth throttling’ refers to an intentional slowing down of your internet speed by your ISP, or by anyone else who has control over your Wi-Fi network’s performance. Bandwidth throttling is often triggered by visiting certain websites or engaging in specific internet activity. Once again, a VPN encrypts the internet traffic coming from your device, so your ISP will be unable to see the data going to and from your device. This means that they will not be alerted to either of these scenarios and you can avoid having your bandwidth throttled.

Network Scalability

It’s not just everyday users who can benefit from employing a VPN, but businesses as well. VPNs can provide flexible network scalability for companies struggling with the costs of expanding their operations. For example, a VPN server can provide a number of remote employees simultaneous access to on-site information, devices and applications. Adding additional employees is simple: all you need is the bandwidth and login credentials.

Reduce Support Costs

A VPN setup that also incorporates cloud computing architecture can save businesses considerable time and money on support services. For example, when businesses outsource their server needs to a VPN service provider, that provider then becomes responsible for optimising the server’s performance, ongoing maintenance and cybersecurity measures. As VPN service providers support a large number of clients, the cost per client is relatively low and generally more cost-effective than placing the burden on an internal IT support team. However, businesses should still be sure to find a VPN service provider who suits their individual needs. This may include carefully checking the level of service they offer, as well as what kind of hardware they use.

What to look for in a VPN service provider

There’s a lot to consider when choosing a VPN service provider. Although there are many great VPN choices that can help protect your security, privacy and anonymity online, it’s important to do your homework and find one that caters to your specific needs. Here are a few questions to help you determine which VPN service provider is right for you:

Will they respect your privacy?

If you want a VPN that values your privacy, then you should ensure that your VPN service provider has a no-log policy. A no-log policy guarantees that your online activities will never be monitored and recorded, not even by your VPN service provider.

Are their cybersecurity protocols up-to-date?

Some VPN service providers have stronger, more current security protocols in place. It’s important to know how well equipped your VPN service provider is to defend against cyberattacks and how often they perform cybersecurity risk assessments.

Do they set data limits?

Bandwidth is often the deciding factor for a lot of users searching for a VPN service provider. Their services need to match your needs, so if you spend a lot of time and data on the internet then make sure you’re going to get full, unmetered bandwidth without data caps.

Where are the servers located?

This one’s a no-brainer. If you want your IP address to appear as if it’s located in a specific country, then you need to make sure the VPN service provider has a server in that country.

Do they enable VPN access on multiple devices?

The average consumer typically accesses the internet from multiple personal devices and all of them need to be able to use the VPN at the same time.

What’s the bottom dollar?

If cost is an issue then the good news is that there are free VPNs out there. However, it’s good to keep in mind the old adage, “you get what you pay for.” While you might not be handing over cold, hard cash, you’ll most likely endure frequent advertisements or may even have your personal information sold to third parties. Typically, free VPNs don’t offer the best cybersecurity protocols, variety of server locations, highest bandwidths, fastest connection speeds or support. If you’re going the free route, make sure you’re extra vigilant when choosing a VPN service provider.

Filed Under: News

Mastering Microsoft Ep 7: How to Set Up Rules in Microsoft Outlook

June 16, 2022 By Angie Jones

Emails have fast become the primary mode of communication for most businesses. However, a mismanaged email inbox can have devastating consequences. Urgent communications, important meetings and client inquiries can often be buried under a mountain of other, less crucial messages. Creating rules in Outlook can help rectify this problem. Rules are one of the most efficient ways to manage your inbox, as they allow you to move, flag and respond to incoming emails automatically. Rules teach Outlook what to look for and how to organise messages based on parameters set by the user.

How to Set Up Rules in Microsoft Outlook:

  1. Right-click on an existing message
  2. Scroll through the options until you find ‘Rules’, then select ‘Create Rule’
  3. Set the rule conditions, as well as what happens to the messages the condition applies to. For this example, we moved all messages from a specific contact to a specific folder. To do this, we checked the boxes next to ‘From’ and ‘Move the item to folder’
  4. Click on ‘select folder’, then either choose a folder or create a new one by clicking on ‘New’
  5. Once you’ve selected or created the desired folder, click ‘OK’
  6. To apply this rule to emails currently in the inbox, as well as to future emails, click on ‘Advanced Options’
  7. Click ‘next’ until you reach the final ‘Rules Wizard’ screen
  8. Check the box next to ‘Run this new rule on messages already in the current folder’, then click ‘Finish’
  9. All emails that meet the conditions of the rule will now transfer to the folder you selected

Filed Under: Mastering Microsoft, News

Mastering Microsoft Ep 6: How to Set Up an Automated Out-of-Office Email in Microsoft Outlook

June 2, 2022 By Angie Jones

Going on vacation or a temporary leave of absence? Keep your clients, coworkers and business partners in the know with an automated email reply. This lets every person who tries to contact you via email know that you’re temporarily unavailable, and that you’ll respond to any inquiries as soon as you return.

How to Set Up an Automated Out-of-Office Reply in Microsoft Outlook

  1. Open Microsoft Outlook
  2. Click on ‘File’
  3. Click on ‘Automatic Replies’
  4. Select ‘Send automatic replies’
  5. Check the box next to ‘only send during this time range’
  6. Fill in the time and dates you’re going to be out of office
  7. Write your out-of-office email. You can craft specialised messages for people within and outside of your organisation
  8. Click ‘OK’
  9. To turn off your automated out-of-office email, open ‘Automatic Replies’ again and select ‘Do not send automatic replies’

Filed Under: Mastering Microsoft, News

Resilience In A Cyber World: Our Inside Look at the 2022 Australian Cyber Conference

June 1, 2022 By Angie Jones

The 2022 Australian Cyber Conference has kicked off in Canberra and eStorm is there to give you insider access! Held by the Australian Information Security Association (AISA), the three-day event started yesterday, the 31st of May, and will run until the 2nd of June. The goal of the conference is to raise awareness and promote a better understanding of cyber security issues in the community.

With over 7700 members, the AISA is the premier industry body for information security professionals in Australia, and has played an essential role in developing the information security sector. As a nationally recognised not-for-profit, the AISA aims to protect the safety of the Australian public, by aiding businesses and government organisations in advancing their cyber security knowledge and adopting better cyber security practices. The AISA advocate for inclusivity and have strived to make this conference a safe and enjoyable environment for all.

This year, the AISA have developed a robust event program that caters to a diverse range of specialisations. The Australian Cyber Conference 2022 itinerary includes keynotes, panel sessions and live demonstrations spearheaded by leading authorities in the IT industry. By learning from experts in the field, attendees are gaining valuable insights into managing current threats and preparing to face future challenges.

Delegates from a broad variety of industries are in attendance. The lineup includes company directors, managers, public servants, lawyers, risk professionals, software architects, and cyber security consultants. Professionals working in everything from education, finance, government, healthcare, manufacturing, mining, and transportation sectors are there to learn, share their own expertise, and network with cyber security practitioners. With a variety of activities planned to take place, including interactive workshops, plenary sessions and social events, this conference is shaping up to be a can’t-miss event for anyone working in the current business climate.

Here are a few behind-the-scenes moments we’ve managed to capture so far!

Filed Under: News, Security

How Not-For-Profits Can Improve Their Cybersecurity Without Breaking The Bank

May 26, 2022 By Angie Jones

Cyber crime is a serious threat to organisations across all sectors. Unfortunately for not-for-profits, cyber criminals are opportunists and are indiscriminate in their attacks. Additionally, unlike for-profit businesses, not-for-profits generally don’t have the funds or resources to spend on IT departments or elaborate cybersecurity systems. So we’ve put together this list of useful tips to help not-for-profits increase their cybersecurity…without breaking the bank!

Restrict Access

One of the easiest ways not-for-profits can improve their cybersecurity is restricting access to information. By limiting the number of people who can access sensitive information, not-for-profits can greatly reduce the chances of any cybersecurity breaches and data leaks. As a general rule, every staff member, volunteer, donor, client and external partner should only have access to the resources pertaining to their individual roles. High-level access to confidential information and essential digital resources should only be granted to a few trusted personnel.

Protect Devices

The best way to protect devices is to only conduct official not-for-profit business on them. That means not engaging in activities such as surfing the net, online gaming, downloading videos, etc. Separate computers, mobile devices and online accounts should be allocated for personal and business use. This is of paramount importance when individuals outside of the organisation have access to the device, especially children or other family members. Sensitive business activities such as online banking and record keeping should only be carried out on organisational devices. Likewise, any confidential information should never be sent to personal email addresses. It is also best to avoid connecting any untrustworthy hardware to computers, mobile devices or networks. However, if this is not a feasible option, disabling the “AutoRun” feature for the CD, DVD and USB drives can prevent malicious programs from installing.

Install Cybersecurity Software and Encryption Tools

Antimalware, firewalls, network monitors and intruder detection systems are great cybersecurity programs that can help stop unauthorised access to networks, as well as alert users of any strange activity. They are also great deterrents, as they hinder employees and volunteers from misusing not-for-profit devices and networks. However, it is important to do due diligence when installing any software, program or application. Proper research should be done prior to any downloads, especially when using freeware or shareware. Never download from an unknown or suspicious web page. Regular updates are also crucial to ensuring an up-to-date cybersecurity system. Newer versions of software typically include more effective security policies and protocols. Vendors may also release patches to address potential security vulnerabilities within their software. In addition, encrypting data and software applications (especially those that are cloud-based), is an effective method in guarding valuable information. This helps reduce the risks of exposure, manipulation and data theft.

Be Cautious When Using The Internet

Caution should be exercised when conducting any and all online business. A secure browser connection is a must and will be indicated by a small lock icon visible in either the window’s lower right hand or upper left corner. It is also recommended that the web browser cache, temporary internet files, cookies and internet history be cleared as often as possible. Erasing this data (especially when it includes commerce or internet banking details) prevents it from being stolen if the system is compromised by a cyber attack. Also remember to never respond to any suspicious pop up windows! Pop up blockers can halt any harmful pop ups, while still permitting ones from trusted websites to appear.

Use Effective Passwords

User authentication and account security is the first line of defence against cyber attacks. Every member of a not-for-profit organisation should have a unique username and password they use to access devices and applications. Although many devices already come with a default administrator and password, these details are easily discovered by cyber criminals and pose a major security risk. As such, all default passwords should be changed at the earliest opportunity. All passwords should follow best practices guidelines, which are as follows:

  1. Passwords should contain at least 8 characters, including upper and lowercase letters, numbers and at least one special character.
  2. Passwords should be changed every 3 months.
  3. Old passwords should never be reused.

It may also be worthwhile investing in a password management application to create, remember and automatically fill in passwords. However, for some not-for-profits, passwords alone are not secure enough. This is usually the case when accessing highly confidential information such as financial details, health records and government documents. In these situations, a multi-factor authentication (MFA) login method can add another layer of user verification. An MFA requires additional tokens to prove user identity at login (in addition to their regular password). This can come in the form of geolocation, biometrics, or a one-off security code sent to an appointed e-mail account, phone number or authentication app.

Encourage a Culture of Cybersecurity Awareness

The fact of the matter is that the most commonly exploited weakness in cybersecurity is human error. From negligence to an honest mistake, most data breaches could be prevented by fostering a culture of cybersecurity awareness and providing ongoing training. Phishing attacks are one of the biggest cyber threats not-for-profits face, as cyber criminals will attempt to cajole not-for-profit members into revealing confidential information or installing malware through duplicitous means. It is of vital importance that all staff and volunteers be instructed on how to recognise scam emails and other fake communications. Furthermore, every member of a not-for-profit should be educated in cybersecurity best practices, the steps they can take to mitigate risk, and the importance of following data protection guidelines.

Never Disclose Private Information

Beware of social engineering. Social engineering is a type of cyber attack that involves manipulating people into divulging sensitive information, which is then used to gain physical or electronic access to IT systems and private data. The more a cyber criminal knows about an IT system, the easier it is to hack into it. To avoid this happening, never give out information relating to the following: usernames, passwords, operating systems, firewalls, internet browsers, applications, software, programs or anything else that has to do with the organisation’s IT environment.

Regularly Update Your Cybersecurity

According to The Nonprofit Technology Enterprise Network, a shocking 70% of not-for-profits have never assessed their cyber risk profile. Cybersecurity assessments uncover the weaknesses in an organisation’s network and system security. They analyse the potential threats, likelihood of attack and resulting damage. Without knowing the risks, how can you defend against them? For this reason, cybersecurity assessments should be carried out annually. While there are self-assessment resources available to not-for-profits, only an outside expert can give an unbiased perspective. You can read more about cybersecurity assessments here.

Implement an Information Security Management System

Implementing an Information Security Management System (ISMS) can greatly diminish the threat of cyber attacks. A variety of approaches can be taken when implementing an ISMS and will depend on a number of factors, including the risk severity, level of cybersecurity needed, potential fallout caused by a security breach, etc. Once in place, an ISMS can shield information from unauthorised access. ISO27001 is the internationally recognised gold standard for ISMS and is applicable across all business models. Containing 114 controls over 14 sections, obtaining an ISO27001 accreditation can be an arduous task. It requires external auditing and typically takes an internal team many months to achieve full implementation and certification. However, the ISMS.online platform accelerates this process, saving time and money. ISMS.online even offer a 25% discount for not-for-profits.

In 2022, the Department of Education, Skills and Employment (DESE) introduced the Information Security Management Scheme, which requires providers of employment skills, training, and disability employment services to gain ISO27001 and Right Fit for Risk (RFFR) accreditation. Failure to secure these certifications can result in the loss of future tenders and funding. You can read more about Right Fit For Risk here.

Back-up Everything

Maintaining a reliable backup system eliminates the danger of losing data, even in a worst case scenario. It ensures that all organisational information is readily available, even when affected by cyber attacks, accidental deletion, hardware failure and even natural disasters. A cloud-based storage system that secures information outside of a physical location also guarantees that, even if every device onsite fails at once, important data can still be recovered.

Concerned about your cybersecurity or looking to implement an ISMS? Contact the friendly eStorm team at [email protected] or 07 3120 0640.

Filed Under: News, Security


© 2023 eStorm Australia. All Rights Reserved.
