1. Spear Phishing

Spear phishing is an email or electronic communications scam targeted towards a specific individual, organisation, or business. It is a malicious tactic utilising emails, social media, instant messaging, and other platforms to get users to share personal information or perform actions that can cause network/system compromises or data/financial loss. Although often intended to steal data for malicious purposes, cybercriminals may also intend to install malware or ransomware on a targeted user’s device.

Typically, spear phishing is used in targeted attack campaigns to gain access to an individual’s account or impersonate a specific individual, such as a ranking official or those involved in confidential processes within the company.

2. Whaling

A whaling attack is a method used by cybercriminals to masquerade as a senior official within an organisation and directly target other ranking or important individuals. The aim of whaling attacks is typically to steal money, gather sensitive information, or gain access to their computer systems for criminal purposes.

Also known as CEO fraud, whaling is similar to regular phishing attacks in that it uses methods such as email and website spoofing to trick targets into performing specific actions, such as revealing sensitive information or transferring funds.

Cybercriminals specifically choose to impersonate someone with senior or influential roles within the organisation. Think of them as the ‘big phish’ or ‘whales’ of the company (i.e., CEO or finance managers). Impersonating people in these roles adds an extra element of social engineering, as staff may be reluctant to refuse a request from someone they deem to be important.

3. Vishing

Voice phishing (shortened to ‘vishing’) is a form of phishing that uses phones to steal confidential information. Vishing relies on convincing victims they are doing the right thing by responding to the caller. Often the scammer will pretend to be calling from the government, tax department, police or the victim’s bank.

Using threats and persuasive language, cyber criminals will make their victims feel like they have no other option but to provide the information requested. Some scammers will use forceful language that suggests they are helping the victim avoid criminal charges, while other scare tactics involve leaving threatening voicemails requesting the victim call back immediately or risk arrest, loss of funds, or worse.

The cybercriminal may ask for bank account information, credit card details, mailing addresses, tax information, or medical records. They may also ask the victim to take action by transferring funds, emailing confidential work documents, or providing details about their employer.

Once the criminal has obtained this information, they may drain the victim’s bank account, commit identity theft, use the victim’s credit card to make unauthorised purchases, or access their email accounts to trick the victim’s colleagues into giving up confidential information.

4. Smishing

SMS phishing (also known as text phishing, or ‘smishing’) is a phishing attack carried out over mobile text messaging. Victims are deceived into giving sensitive information to a disguised attacker. It occurs across many mobile messaging platforms, including non-SMS channels like WhatsApp, Facebook, Instagram or other data-based mobile messaging apps.

Cybercriminals manipulate a victim’s decision-making through three driving factors:

• Trust: by masquerading as a legitimate individual or organisations, cybercriminals lower their target’s scepticism.
• Context: cybercriminals use a situation could be relevant to targets allows them to build an effective disguise. The message feels personalised, which helps it override any suspicion that it may be spam.
• Emotion: by heightening a target’s emotions, attackers can override their target’s critical thinking and spur them into rapid action.

5. Angler Phishing

Angler phishing is a recent type of cyberattack that targets social media users. People disguise themselves as a customer service agent on social media in order to reach a disgruntled customer and obtain personal information or account credentials.

Fake accounts will answer people are airing complaints on social media, and will disguise themselves under a user handle or profile that includes the name of the financial institution with the hopes that upset victims won’t realise they are not a valid account.

Once they have baited their disgruntled victim, the fake account will offer a link they claim will take the victim directly to an agent to talk to them. However, that link will either install malware onto their computer, or lead them to a fake website that will try get information and money from them.

6. Pharming

Pharming is a type of cyberattack in which criminals redirect internet users trying to reach a specific website to a different, fake site. These fake (or ‘spoofed’) websites aim to capture a victim’s personally identifiable information (PII) and login credentials, such as passwords, social security numbers, account numbers and so on, or else they attempt to install pharming malware on their computer. Pharmers often target websites in the financial sector, including banks, online payment platforms, or ecommerce sites, usually with identity theft as their ultimate objective.

7. Pop-up Phishing

Pop-up phishing involves using fraudulent messages that pop up for users when they are surfing the web. Cybercriminals infect legitimate or otherwise trustworthy websites with malicious code that enables these pop-up messages to appear when people visit the website.

Often, these messages warn unsuspecting website visitors about the security of their computer and will prompt the visitor to either download a tool (such as an antivirus application) which is in fact malware, or to call a fraudulent number for support.

Example of successful pop-up phishing:

A potential victim was browsing the internet on his MacBook Pro, when he encountered a pop-up message alerting him to a problem with his computer. The scammers behind the pop-up provided a phone number to call for support.

The cybercriminal disguised as an ‘Apple support representative’ prompted the user to establish a remote connection so the ‘representative’ could diagnose the issue. The scammer showed the user his AppleCare had expired and required renewal for $499 and navigated the victim to a webpage requesting his credit card number for AppleCare renewal.

8. Clone Phishing

Clone phishing refers to an email that has been cloned from an original message sent by an authentic organisation. The cloned email appears to be legitimate and can trick the user into giving up information.

Clone phishing has evolved into a cyber threat that is often targeted at high-profile people such as individuals working in politics, banks, or large enterprises because clone phishing offers a way for attackers to extract sensitive, financial, confidential, or sensitive information.

Some clone phishing messages appear to be sent by a real person at the company the target works for or is involved with and is accompanied by copy and pasted content and information from a genuine message, with links or attachments that have been replaced by malware or fake website. Other spoofed emails include attachments claiming to contain important information such as invoices or shipping notices. Often, these attachments will contain malware or ransomware that compromise the victim’s device.

9. Evil Twin Phishing

An evil twin attack is a form of cyberattack that tricks a victim into connecting to a fake Wi-Fi access point that mimics a legitimate network. It is the wireless version of common phishing attacks. Once a user is connected to the ‘evil twin’ network, cybercriminals can inject malware or access the victim’s network traffic, sensitive data, and private login credentials.

The danger in evil twin attacks is that victims are often not aware they have been targeted by an evil twin attack because, for all intents and purposes, it feels no different from connecting to any other Wi-Fi network. The main difference is that once they have connected, everything they do online can be tracked and even controlled by the cybercriminal. If the victim logs into an unsecured bank or email account, the cybercriminal is able to intercept the login details and transactions.

Once the cybercriminal has identified a Wi-Fi network or hotspot to spoof, they will create a counterfeit wireless access point with the same name, one that closely resembled it or a name that could tempt users (e.g., Free Wi-Fi). Open networks are a prime target as users can connect automatically with requiring a password.

10. Watering Hole Phishing

Watering hole attacks compromise users within a specific industry by infecting websites they typically visit and luring them to a malicious site. Watering hole attacks are also known as strategic website compromise attacks.

Cybercriminals attempting attacks for financial or gain or to build their botnet can achieve this by compromising popular consumer websites. They will look for a known vulnerability in the website, compromise the site, and infect it with their malware before they lie in wait for baited users.

On top of this, attackers will prompt victims to visit the sites by sending them seemingly harmless and highly contextual emails directing them to specific parts of the compromised website. Often these emails seem completely legitimate, as they are sent through the website’s automatic email notifications and newsletters that go out to their client or subscription base.

As with most cyberattacks, the user’s machine may be compromised by a drive-by-download that provides no clues to the victim that their machine has been attacked and compromised by the site.

11. HTTPS Phishing

HTTPS phishing refers to the landing page or watering hole site that a user arrives at. SSL certificates have in the past been a way to ‘prove’ that a website is trustworthy. However, now it has become relatively easy for scammers to encrypt SSL on their fake or spoofed websites. Cybercriminals can now get their own SSL certificates to secure pages used in their phishing campaigns, and can often do so without having to reveal much information about who they really are. Other criminals may abuse pages hosted on cloud services, which sometimes allow them to automatically inherit the security certificate.

Globally, cyberattacks are rated as the number one risk businesses may face, and as a result many organisations are turning to cyber insurance to provide protection against financial losses due to a cyber event.

What is cyber insurance?

Cyber insurance (also known as cyber liability insurance) policies assist in covering financial losses in the event of a cyberattack, including malware/ransomware attacks, extortion, and social engineering attacks. Having cyber insurance can potentially help in minimising business disruption in the aftermath of a cyber incident, as well as recovering the costs of dealing with an attack, such as remediation, investigations, and legal fees.

Just like many other insurance policies you may already have in place for your business, cyber liability insurance is a contract between your company and your insurer to protect against losses related to computer, network, or information security incidents.

However, it’s important to note that cyber insurance is still in its early days, and thus there may be policies or incidents that your chosen insurer does not (or will not) cover.

While your insurance may provide financial or remedial assistance, it can’t absolve you of your cyber security responsibilities. Having a cyber insurance policy is not an excuse to become lax with your cyber and information security controls and methods, so it is vitally important you maintain a cyber security posture appropriate for your organisation.

Furthermore, many cyber insurers will determine your premium costs and excess based on your cyber security posture. If you do not have minimum information security controls in place, you may find that your cyber insurance essentially becomes useless in the event of a debilitating cyber incident.

Who needs cyber insurance?

Cyber incidents can impact any company of any size, regardless of industry.

Every business could benefit from having a cyber insurance policy, but this is especially true for enterprises dealing with sensitive information (such as bank details, medical records, or personally identifiable information), as these details are highly sought after by cyber criminals. If an adversary gets access to these details, your company could potentially incur expenses associated with forensic investigations, extortion negotiations, ransom payments, credit and identity monitoring, restoration services, fines, and legal counsel fees. The estimated costs involved for a relatively minor cyber incident averages between $200,000 to $6000,000 – for SMBs, these financial losses could be crippling.

What does cyber insurance cover/include?

The coverage for your cyber insurance policy depends on your chosen insurer. Always read the fine print to ensure you’re getting appropriate coverage for your business.

You can expect most policies to include coverage for:

• Meeting extortion demands for ransomware attacks
• Notifying customers when a breach has occurred
• Paying legal fees as result of privacy violations
• Hiring computer or cyber security forensic experts to investigate and recover data
• Restoring and monitoring the identity of compromised customers
• Recovering data that has been altered or stolen
• Repairing or replacing damaged or compromised computer systems

As mentioned previously, it is vital you maintain a cyber security posture applicable to your organisation. This is because many cyber security policies exclude preventable security issues, such as poor configuration or mismanagement of digital assets and information. Other excluded issues can include:

• Cyber events caused or initiated by employees/insiders
• Incidents that occurred before the policy was purchased
• Infrastructure failures not caused by purposeful cyber attacks
• Failure to correct known vulnerabilities (e.g., a vulnerability the company is aware of, fails to address, and becomes compromised due to the vulnerability)
• The cost to improve cyber security posture, such as security hardening in systems and applications

How much does cyber insurance cost?

Usually, cyber insurance costs are based on a company’s annual revenue, industry, and size. To qualify for a policy, most insurers require businesses to submit to a security audit conducted by the insurance company. The results of the audit factors into the types of coverage, the extent of the coverage, and the cost of premiums an enterprise qualifies for.

What to do next

Before you purchase a cyber insurance policy, you should consider partnering with a Managed Security Services Provider. Your MSSP will be able to evaluate your cyber security posture, provide suggestions for improvement, and implement the relevant security controls to strengthen your cyber and information security.

Not only is this beneficial overall for the ongoing protection of your information, data, and digital assets, but it will also aide your business in getting the best insurance coverage, premium costs, and excess available.

View our IT Security Audit page for more information!

In June, Apple announced a host of new products – check out our favourite announcements below!

iOS 16

The newest operating system for iPhone introduces a huge update to the lock screen, and new sharing, communication and intelligence features that change the way users experience iPhones.

The lock screen becomes more personal, customisable and helpful with iOS 16. With a new multi-layered effect, the subjects of photos are set in front of the on the lock screen, creating a sense of depth. Users can also change the look of the date and time with expressive type stiles and colour choices. The lock screen also features widgets similar to Apple Watch faces, making it easier to get information at a glance (such as calendar events, weather, battery, alarms, and more).

Live activities has been introduced to help users stay on top of things that are happening in real time, such as sports games, workouts, ride shares, or food deliveries. Notifications have also been redesigned to roll up from the bottom screen so users have a clear view of their personalised lock screen.

iOS 16 also introduces updates to messages. Users can recall recently sent messages, recover recently deleted messages, and mark conversation as unread.

Wallet updates includes the introduction of Apple Pay Later, which provides US users with a secure way to split the cost of an Apple pay purchase into four equal payments spread over 6 weeks with zero interest or fees.

iPadOS 16

Major updates to iPadOS makes the iPad experience even more versatile and enjoyable. New features in Messages make it easy to begin collaborating and managing content across files, keynote, numbers, pages, notes, reminders and Safari, as well as third party apps. When changes are made to shared files, everyone can see updates at the top of the Messages thread. Similar to iOS 16, users can also edit or recall recently sent messages, recover recently deleted messages, and mark conversations as unread. Furthermore, users can begin a SharePlay session via messages so they can choose a SharePlay activity (like movies, TV shows, workouts, or games) and enjoy it together in sync while chatting via messages.

iPadOS 16 introduces Freeform, a new collaboration app with a flexible canvas, and gives users the ability to see, share and collaborate all in one place without worrying about layouts and page sizes.

Stage Manager: stage manager is the new multi-tasking experience that automatically organises apps and windows, making it easy to switch between tasks. Available on iPads enables with the M1 chip.

Notes: Notes allows users to create neater handwritten notes with the ability to automatically straighten handwriting, use iCloud passwords to lock personal notes, add screenshots in Quick Note, and use Smart Folders with filtering capabilities.

macOS Ventura

The latest version of the mac operation system has been dubbed ‘macOS Ventura’. The highlight in macOS Ventura is Stage Manager – a feature which gives Mac users an all-new way to stay focussed on tasks while seamlessly switching between apps and windows. Continuity Camera has also been introduced in the latest update, which uses iPhone as the webcam on Mac.

Updates to Spotlight includes a new design that makes navigation easier, with new features such as Quick Look for quickly previewing files. Live text allows users to search for photos by text inside images. To increase productivity, users can now take actions from Spotlight, starting a timer, creating new documents or running shortcuts.

Live text: Live text utilises device intelligence to recognise text in images across the system.

Accessibility tools: New accessibility tools include Live Captions for all audio content, type to speak on calls, text checker to support proofreading for voice over users, and more.

System Preferences: System Preferences will be called ‘System Settings’, and comes with a refreshed design that is easier to navigate

Security: macOS security introduces new tools make Mac more resistant to attack, including rapid security response that works in between normal updates to keep security up to date without the need to reboot.

watchOS 9

The latest version of watchOS introduces new watch faces to personalise and customise your Apple watch, plus a new health feature that allows users to track how long an instance of atrial fibrillation lasts. Workout App updates include richer metrics for measuring performance, Custom Workouts to create a structured workout that can include work and rest intervals.

New running metrics include stride length, ground contact time, and vertical oscillation can all be added as metrics on workout views.

Macbook Air

The all-new MacBook Air has been completely redesigned around the M2 chip. Measuring just 11.3mm thin and 1.2 kilograms, it features a durable aluminium unibody enclose that is built to last. The newest MacBook air has a 13.6inch Liquid Retina display, a 1080p FaceTime HD camera, a four-speaker sound system and up to 18 hours of battery life with MagSafe charging.

The MacBook Air also features two Thunderbolt ports, and a 3.5mm audio jack with support for high-impedance headphones. Furthermore, the Magic Keyboard features a full-height function row with Touch ID and a spacious industry-leading Force Touch trackpad.

The M2 chip takes the performance of MacBook air even further. For extensive workloads like editing complex timelines in Final Cut Pro, performance is nearly 40% faster than previous generations; applying filters and effects in apps like Adobe Photoshop is up to 20% faster than before, and even with a larger display and increased performance, MacBook air delivers the same great, all-day battery life MacBook Air fans have come to enjoy, with up to 18 hours of video playback.

Available in silver, space grey, midnight and starlight.

The Benefits of Microsoft Power Apps: How Power Apps automates and improves business workflow

What is Power Apps?

Power Apps is an app development platform enabling users to build mobile/web-based forms and applications with minimal or no coding experience necessary. Applications created in Power Apps can map to data sources and other services both within Microsoft 365 and many other CRM platforms. With Power Apps, users can unify business intelligence, processes, reporting and automation into their app, which can assist businesses in improving workflow and lowering costs.

Read on for more information on how Power Apps can automate workflows, improve business functionality, and expedite daily operations.

The benefits of Power Apps

Eliminates vendor or developer costs:

Power Apps enables businesses to build apps without any prior coding knowledge. This means you can build customised applications without the need to pay for a professional app developer. Additionally, you can free yourself from vendor lock-ins or subscriptions by creating apps that replace third-party vendor applications. The appeal of Power Apps is the fact that any staff in your organisation can potentially build apps rapidly, with an increase in ROI.

Improved automation and efficiency:

Microsoft Power Apps and Power Automate are designed to digitise manual or paper-based business processes that cost organisations valuable time. By creating an app that consolidates all data sources and reports into one dashboard, your staff are able to easily locate information and improve their workflow.

Improved business outcomes:

Digital transformation is important for businesses to invest in, and Power Apps makes it possible, faster, and more affordable. Microsoft’s Power Platform enables organisations to streamline and automate business processes to deliver improved outcomes, functionality, and business transformation.

Power Apps use cases

Employee onboarding apps

One of the best features of Power Apps is the ability to effortlessly integrate with data in Microsoft 365 applications. Using Power Apps, an onboarding app for new employees can be created to consolidate resources such as policies/procedures, contact details for other staff members, and employment forms onto a single platform so new staff members have immediate access to all the information and resources they need for a hassle-free onboarding experience. By unifying all the necessary forms and policies into one app, HR staff can easily access payment and employee forms for all new staff members.

Mobile apps & tools

Power Apps can connect and integrate with devices to utilise features such as cameras and microphones, or using in-built functions such as device location or acceleration/motion. The capabilities on mobile devices (such as phones and tablets) means businesses can create apps to better solve problems and improve user experience. For instance, real estate agents can take time-stamped and geo-tagged photos at rental inspections that are immediately stored in a connected database. Another example is manufacturing companies can build apps for quality checks, enabling employees to inspect products and capture photos to document issues.

Service request applications

Businesses can use Power Apps to create an interactive Helpdesk tool that allows users to submit service requests. Additionally, you can deploy an app that collects service requests for facility maintenance, purchase orders, human resources and much more.

Is Power Apps right for your business?

While the capabilities of the Power Apps are impressive and powerful, there are some instances where using the platform may not be the most viable option for your organisation.

Because Power Apps is a low code platform, if you intend to create elaborate and complex applications then the platform may not an appropriate solution for you. The appeal of Power Apps is that it is simple and relatively easy to create a basic app, but as the complexity of the app increases it can quickly become more difficult to manage.

How can a Power Apps consultant help you

When choosing a Power Apps consultant, check if they have any official Microsoft certifications. An experienced Power Apps consultant will be a part of the Microsoft partner program, proving they have undertaken the time to complete necessary Microsoft certificates and training to provide quality Microsoft solutions to their clients and customers.

eStorm Australia is a proud Microsoft Gold partner.

A quality Power Apps consultant or developer can assist you with the following:

Building apps:

Design and develop apps that are innovative, scalable and cost-effective

Connecting with data sources:

Successfully connect your newly built app to the right data source with proper mapping of fields

Exporting and publishing:

Export the solutions created in your developer environment and publish on Microsoft AppSource so your customers can test drive them

User adoption:

Field questions, perform troubleshooting, and encourage employees to use the app seamlessly

App planning:

Help with initial design and planning stages of your solution

View our Microsoft Power Apps Consulting & Development services: https://www.estorm.com.au/power-apps-services/

Introduction:

As cyber-attacks evolve in sophistication, regulations to secure information assets must also evolve. The financial sector is one of the more prominent targets for cyber-attacks. The key driver for this is due to the increasing usage of technology by the financial sector to improve customer service and operational efficiency. Thus, regulatory bodies must put into place heightened regulations and expectations for the affective safeguarding of information assets.

What is APRA?

Established by the Australian Government in 1998 following the recommendations of the Wallis Inquiry into the Australian financial sector and system, the Australian Prudential Regulation Authority (APRA) is an independent statutory authority which supervises institutions across the financial sector (including banking, insurance, and superannuation).

Prudential regulations concern the safety and security of financial institutions in order for the community to maintain confidence that they will meet their financial commitments under reasonable circumstances.

Under APRA’s legislation, the regulatory body is tasked with protecting the interests of depositors, policyholders, and superannuation fund members.

The ultimate purpose of the Australian Prudential Regulation Authority is to ensure the financial interests of Australians are protected and the financial system is stable, competitive and efficient.

APRA’s values:

• Integrity – we act without bias, are balanced in the use of our powers, and deliver on our commitments
• Collaboration – we actively seek out and encourage diverse points of view, to produce well-founded decisions
• Accountability – we are open to challenge and scrutiny, and take responsibility for our actions
• Respect – we are always respectful of others, and their opinions and ideas
• Excellence – we maintain high standards of quality and professionalism in all that we do

What is CPS 234? Why is it important?

APRA designed the CPS 234 Standard to ensure APRA-regulated entities are protected against cyber-attacks, threats, and risks. As an essential cybersecurity framework for Australian businesses, it also compels APRA-regulated entities to respond in a timely manner (within 72 hours) should notifiable data breaches or other incidents occur.

Financial institutions are disproportionately targeted by adversaries due to the confidential data on their networks, such as personally identifiable information and protected health information that could lead to the possibility of financial rewards. An accelerant to the increase in attacks is the increasing dependability on technology and third-party vendors by superannuation, banking, and insurance institutions.

The aim of CPS 234 is to reduce cyber risk and improve security by requiring APRA-regulated entities to; employ vendor risk management practices to reduce the likelihood and impact of incidents; maintain security capabilities that are commensurate with their information security threats and risks; and notify APRA of cyber security incidents within 72 hours.

Information Security Capability

CPS 234 requires APRA-regulated entities to:

• Maintain an information security capability commensurate with the size and extent of threats to its information assets, which supports the continued sound operation of the entity
• Assess the information security capabilities of related or third parties who manage information assets on behalf of the entity, commensurate with the potential consequences of an information security incident that could affect those assets
• Actively maintain its information security capability with respect to changes in vulnerabilities and threats, including those resulting from changes to information assets or business environment

To comply with this regulation, entities should assess the sufficiency of their information security capability. This includes reviewing; funding and staffing; timely access to required skill sets; and the overall breadth of the control environment (preventative, detective, and responsive).

Due to the current threat landscape, it’s important that regulated entities go beyond general security controls to more aggressive forms of information security capabilities.

These could include:

• Vulnerability and threat management/mitigation
• Situational awareness and intelligence
• Information security operations and administration
• Secure design, architecture, and consultation
• Security testing (e.g., penetration testing)
• Security reporting and analytics
• Incident detection and response (including recovery, notifications, and communications)
• Security investigations (including preserving evidence and forensic analyses)
• Information security assurances

Conclusively, under the CPS 234 standard, regulated entities must keep on top of changes in vulnerabilities/threats. This means adopting a forward-thinking approach in which entities continue to invest in resources, skills, and controls relevant to their institution and information assets and security.

What are the key requirements?

1. Information security capability – consider the adequacy and sufficiency of the entity’s information security capabilities in relation to vulnerabilities and threats, ensure adequate investment to support information security capability, and review the progress of the execution of the information security strategy
2. Policy framework – information security policies should reflect Board expectations
3. Information assets identification and classification
4. Implementation of information security controls – regularly assess and evaluate reporting of the effectiveness of implemented information security controls and the overall health and security of the entity’s information assets
5. Incident management
6. Testing control effectiveness – regularly seek assurance on the sufficiency of testing coverage across security controls and assess the effectiveness of information security controls based on the results of regular testing
7. Internal audit
8. APRA notification

Who does CPS 234 apply to?

All entities regulated by APRA are required to adhere to and comply with CPS 234 requirements.

APRA-regulated entities include:

• Banks
• Credit unions
• Deposit taking institutions (ADIs)
• Superannuation funds
• Life insurance companies
• Friendly societies
• General insurers
• Non-operating holding companies
• Private health insurers

Foreign Entities

CPS 234 also applies to specific foreign entities, including:

• Foreign ADIs
• Foreign general insurers
• Foreign life insurance companies

Compliance to CPS 234 only applies to the Australian branch of the aforementioned foreign entities, however if the Australian branch’s technology and information assets are handled and supported by the head office of the entity, the head office must provide evidence of compliance.

Third-party

As of July 2020, third parties handling the assets of APRA-regulated entities will also need to comply with the standards outlined in CPS 234 and prove compliance to the security controls when requested.

Who is responsible for compliance?

Ultimately, the Board is responsible for CPS 234 compliance, and must ensure the entity’s information security is maintained and managed based on the size and the threats to information assets.

However, the Board can delegate responsibilities to sub-committees, management committees and other individuals within the institution. The most important thing is to clearly define the information security roles and provide direction on the responsibilities of all parties who have an obligation to maintain information security.

What’s the difference between APRA CPS 234 and ISO 27001?

If you’re seeking to meet APRA CPS 234’s key requirements, you might consider achieving ISO 27001 at the same time.

The key difference between ISO 27001 and CPS 234 is the way they are regulated and enforced. ISO 27001 is an official certification that can be renewed every three years, and requires a series of internal and external audits, whereas CPS 234 does not have official certification or accreditation. The Australia Prudential Regulatory Authority has a number of formal and non-formal enforcement tools at their disposal, which includes working in co-operation with APRA-regulated entities to identify and rectify cyber and information security issues.

While APRA CPS 234 provides guidance for safeguarding information assets it does not seek to be all-encompassing. APRA expects that regulated entities will implement appropriate information security controls informed by contemporary sound industry practices, including in areas not explicitly addressed by the standard. Additionally, CPS 234 is not intended to replace or endorse existing industry standards and guidelines. A regulated entity would typically use discretion in adopting industry standards and guidance it considers fit-for-purpose in specific control areas.

ISO 27001 certification can facilitate the implementation of the requirements outlined in APRA CPS 234. Recognised globally, ISO 27001 offers the ultimate security and protection for your information assets. Achieving certification can also set you apart from other regulated entities, as it proves your organisation is dedicated to the development, improvement and protection of your sensitive data and information.

How to get started:

eStorm Australia has extensive experience with helping businesses in the financial sector achieve both ISO 27001 certification and compliance to the standards of APRA CPS 234. View our ISO 27001 services for more information: https://www.estorm.com.au/it-support-services/iso-27001-services-consulting/

Or contact at our friendly staff at:
Phone: 07 3120 0640
Email: [email protected]

A lot can change in a decade, and this is especially true when it comes to technological advancements in the digital and cyber sphere. However, with new technology comes new avenues for cyber attackers to infiltrate your systems, extract your data, and spread malicious code across your network. The sophistication and quantity of cyber-attacks in 2022 is a concern for many organisations across the globe, and the International Organization for Standardization (ISO) has addressed these concerns by introducing a new iteration of the ISO 27002 standard.

Last updated in 2013, the newest version of ISO 27002 was published in February 2022 (with a revised version of ISO 27001 expected to be released in October of this year). The primary purpose of ISO 27002:2013 was to provide a set of supporting controls for ISO 27001 certification that would protect the information and assets of an organisation.

While ISO 27002:2013 was primarily focussed on information security, the evolving cyber security threat landscape compelled the need for ISO 27002:2022 to broaden the scope of controls in a way that also encompass cyber security, information privacy, and vulnerability management.

ISO 27002 is not a certification in and of itself – instead, consider it as guidance for achieving ISO 27001 certification. It supports organisations in meeting the requirements of ISO 127001 Annex A and should be used as a reference for determining and implementing the controls that achieve the best information security practices for your organisation.

We can expect a revised version of ISO 27001 that reflects these changes by October 2022.

What are the changes?

The name:

The name of the standard has been amended to the following:

PREVIOUS (ISO 27002:2013): “Information technology – Security techniques – Code of practice for information security controls”

CURRENT (ISO 27002:2022): “Information security, Cybersecurity and privacy protection – Information security controls”

The control structure

The number of controls in ISO 27002:2022 has decreased from the 114 controls in the 2013 edition to 93 controls in the 2022 version. These controls are now grouped into 4 different ‘themes’ rather than the previous 14 clauses. These 4 themes are sequentially supported by a collection of searchable attributes that can be assigned to each of the controls.

The new themes aim to help group the controls according to whom is responsible for them.

The 4 themes:

• Organisational controls (37 controls): Pertaining to policies and procedures
• People controls (8 controls): Pertaining to the staff and employees within your organisation
• Physical controls (14 controls): Pertaining to the safe management of your organisation’s facilities/offices/storage/equipment
• Technological controls (34 controls): Pertaining to the security of your IT infrastructure

Attributes:

The use of attributes is not mandatory, however attributes can be used to filter, sort or present controls in different views for different audiences, making it easier to categorise and keep track of the controls.

Here are some examples of how attributes can help organise different aspects of your controls. For instance, control types can be attributed as preventative, detective, or corrective. Or they could be attributed to different cyber security concepts, such as identification, protection, detection, response, or recovery.

Essentially, attributes allow you to quickly align your controls with common industry languages and standards and distinguish them from other standards.

The controls

A concerted effort was made to avoid control redundancy, thus you’ll find that the revised ISO 27002 standard has 21 fewer controls than its predecessor. Some controls from the 2013 edition were removed, 24 controls were merged, and 11 new controls were introduced to reflect the current information security, physical security, and cyber security landscape.

The new controls are:

• Threat intelligence: understand adversaries and the methods of attack that are relevant to your organisation’s IT infrastructure, networks and systems.
• Information security for the use of cloud services: security strategies for cloud initiatives (from introduction of new cloud solutions to ongoing operations and exit strategies) must be assessed and considered comprehensively
• ICT readiness for business continuity: Your business processes and ability to recover operational capabilities should dictate the requirements for your IT infrastructure and landscape
• Physical security monitoring: the use of alarms and monitoring systems to prevent unauthorised physical access
• Configuration management: the hardening and security configuration of IT systems and networks
• Information deletion: compliance with data deletion policies and procedures
• Data masking: techniques such as anonymisation and pseudonymisation to mask data and reinforce data protection
• Data leakage prevention: compliance with best practices to prevent data being leaked
• Monitoring activities: network and application security monitoring to detect anomalies
• Web filtering: to prevent users from viewing URLs containing malicious code
• Secure coding: use tools, comments, track changes and avoid insecure programming methods to secure coding

FAQs

Should you wait for ISO 27001:2022 before commencing certification?

Whether you should wait for the ISO 27001:2022 update or commence certification now depends on how urgently you need accreditation, and the current cyber risks or compliance requirements your business is facing. If you require certification urgently, then we would recommend commencing ISO 27001 implementation as soon as possible. The way you build and operate your ISMS will remain the same even after the update, so once the revision has been released you can simply map the new controls to the old Annex A controls. If getting certified is not a matter of urgency, then you’re more than welcome to wait until October for the release however we would suggest that you preemptively begin complying to the controls that address gaps and risks in your business and information security.

What if you’ve already begun the ISO 27001 process?

If you have already begun, or are nearing the end of, your certification process your Statement of Applicability (SoA) must continue to refer to the ISO 27002:2013 annex controls up until the point that ISO 27001:2022 is released. The nature of the changes are moderate which means that the effort to align with the new standard should be minimal.

What changes should you expect to make once ISO 27001:2022 is published?

When ISO 27001:2022 is published you can expect to make the following changes:

• Adjusting information security procedures and policies
• Aligning risk management processes with the new controls
• Updating your Statement of Applicability

How quickly will you need to transition once ISO 27001:2022 is published?

Traditionally, organisations have been given a two-year transition period to revise and align with a new version of a standard, so you should have plenty of time make the necessary changes to your ISMS.

Wherever you are in your ISO 27001 journey, eStorm provides a number of services that can fast-track your certification with minimal disruptions to your daily operations. View our ISO 27001 services here: https://www.estorm.com.au/it-support-services/iso-27001-services-consulting/

The DESE ISMS Scheme – A Quick Overview

The Department of Education, Skills and Employment’s (DESE, ‘the Department) new Information Security Management Scheme calls for all providers of employment skills, training, and disability employment services to gain ISO27001 and Right Fit for Risk accreditation.

The objective of this scheme is to ensure that providers are in compliance with the Departments contractual and legal obligations. These obligations aim to ensure the department’s IT environment and confidential data are being managed responsibly via an Information Security Management System (namely, ISO 27001 and the Australian Governments Information Security Manual).

Recognising the baseline requirements of ISO 27001 do not entirely cover the specific and evolving legal requirements for providers, the Department has introduced several new mitigation strategies to bridge these security gaps. These new requirements are referred to as ‘Right Fit for Risk’.

Right Fit for Risk does not undermine or diminish the existing standards for ISO 27001, but rather supplements the baseline requirements to create an Information Security Management System that is specific to the needs and obligations of the Department’s providers.

Under the RFFR, providers with a caseload larger than 2000+ per annum are required to attain certification to the Department’s contractual requirements Statement of Applicability. Certification allows organisations to tender for deeds and provides assurance that government data and personal information is handled securely.

See our RFFR & DESE ISMS Scheme Services here

What is ISO 27001?

The gold standard of Information Security Management Systems is ISO 27001, which is recognised globally and covers 114 security control methods. This ISMS contains all the resources, systems, tools, policies, controls, communication protocols and processes that manage information security in an organisation.

As mentioned, the Department has recognised that there are requirements specific to their providers. Specifically, the DESE ISMS Scheme calls for all providers to implement the clauses in Annex A of ISO 27001 (in other circumstances, these clauses can be omitted at the discretion of the organisation). Otherwise, the ISO 27001 certification process is the same for both providers under this scheme and other businesses.

Accreditation for ISO27001 can be an arduous and time-consuming process, but the benefits of gaining certification are ultimately worth the hassle. On top of securing your organisation’s data and systems, becoming ISO 27001 accredited can open new market opportunities by demonstrating your commitment to protecting customer and client information.

What is RFFR?

The DESE Information Security Management Scheme customises the baseline requirements of ISO 27001 with additional controls set by the Australian Government’s Information Security Manual (ISM).

The scheme, as mentioned, incorporates all the baseline requirements of ISO 27001, HOWEVER you must also develop a Statement of Applicability that considers the specific security risks and needs of your organisation, and the applicability of controls outlined in the Australian Information Security Manual.

Your Statement of Applicability should address RFFR core expectations, such as the Australian Cyber Security Centre’s Essential Eight strategies, personnel security, and data sovereignty.

What is a Statement of Applicability?

As part of the Right Fit for Risk and DESE ISMS Scheme, organisations are required to submit a Statement of Applicability (SOA).

The SOA is a central document that outlines and defines how your organisation has implemented information security. In order to prepare your SOA, you should start off by listing the controls from the Australian Governments Information Security Manual and determine whether they are applicable; which risk or business requirement drives it; and how it will be implemented.

The Right Fit for Risk DESE ISMS Scheme Accreditation Process

The Department is the accrediting authority for this scheme; thus, organisations are required to check in at 3 milestone points throughout the accreditation process.

Milestone 1:

Business Maturity Assessment

Milestone 1 determines how your organisation uses information and manages security. The initial maturity of your organisation’s information security is assessed against the ASD Essential Eight maturity model.

You should work closely with DESE through this process as the Department will provide the guidance and approach needed to advance to further milestones.

Milestone 2:

Statement of Applicability and ISO 27001 Accreditation

Milestone 2 requires the implementation of a customised Information Security Management System PLUS full accreditation of ISO 27001.

This means that in addition to the 114 annex A controls in ISO 27001, your scope should incorporate the controls defined in the Australian Governments Information Security Manual.

You must also submit a Statement of Applicability that, as previously mentioned, determines whether controls in the ISM are applicable to your organisation and how you have implemented these controls.

Tips for achieving this milestone:

• Perform a gap analysis to highlight areas where your information security controls are inadequate
• Perform a threat/risk assessment to identify risks and validate whether the solutions you have already implemented are working as intended
• List the controls in the Australian Governments ISM and justify your reasons for applying or not applying them into your ISMS. If you do not have a justifiable reason for not implementing a certain control, you should consider taking the steps to implement it
• Employ the services of a Managed Service Provider to assist with ISO 27001 implementation. While oftentimes costly, an MSP will speed up the accreditation process exponentially (sometimes by up to 6-12 months)

Milestone 3:

RFFR Accreditation

To pass milestone 3 you’ll need to demonstrate the effective implementation of the ISMS and applicable controls. Ensure you have incorporated the RFFR requirements into your ISMS and scope and taken all the ISM controls into consideration. You should also make your certification body aware of the customised nature of the ISO 27001 certification so you can gain the appropriate accreditation.

See our RFFR & DESE ISMS Scheme Services here

Here’s a not-so-fun fact: 95% of organisations have Office 365 mailboxes that are harbouring malicious emails. Many of these socially engineered attacks can slip through your existing defences, landing in your users’ inboxes and leaving your organisation open to potential risks. Furthermore, viruses and phishing attempts can slip through your gateways and, if left undetected, can cause millions of dollars in loss of revenue.

This is why it’s vitally important for organisations to assess and understand their email security vulnerabilities, and ensure that you and your users are fully protected against hacking attempts.

Biggest threats to your email accounts:

There are many threats that could potentially compromise your email accounts, with the most prevalent being:

1. Business Email Compromise Attacks

A Business Email Compromise (or BEC) attack occurs when a scammer impersonates a high-level executive. They can then trick colleagues, customers and partners into transferring funds, participating in seemingly legitimate transactions, or disclosing sensitive data.

 2. Phishing Attacks

Phishing is the practice of sending fake communications (most commonly emails) that seemingly come from reputable sources with the intention of tricking the receiver into supplying private, commercial or financial information or installing malware. 

3. Malware Delivery

In email scams, malware is always hidden in malicious links and attachments that may look legitimate and reliable but will execute viruses on your devices once opened.

How to combat threats with an Email Threat Scanner

In conjunction with Barracuda, we are offering a free security assessment of your Office 365 environment. Using artificial intelligence and API integration with Office 365, Barracuda Email Threat scanner can quickly and efficiently discover email attacks currently sitting in your mailboxes.

What threats can Barracuda ETS identify?

ETS scans Office 365 environments to identify phishing and other cyber fraud threats that may already exist in your inbox. It allows you to identify:

• Spear phishing
• Business email compromise
• Conversation hijacking
• Brand and domain impersonation
• Extortion
• Scamming
• URL phishing

ETS also reviews high risk employees (those who may be receiving more attacks than others) and detailed threat insights that can be filtered based on individual threat types (such as phishing or BEC).

How does it work?

Contact us for a personalised email threat scanner link! Once we’ve provided you with the link, it takes less than a minute to set up, with no impact on your email performance. Once your scan is complete, we can review the results and discuss how to enhance your email security posture with additional user awareness training and advanced threat detection tools.

Regular Backups

Hi everyone, and welcome to the final episode of eight weeks of the essential eight! In this episode we’ll be discussing regular backups, why they’re considered essential, and how you can achieve maturity level one. Let’s begin!

The ACSC defines this strategy as: Regular backups of important new/changed data, software, and configuration settings, stored disconnected, retained for at least three months. Test restoration initially, annually, and when IT infrastructure changes.

Why regular backups?

If the mitigation strategies you have meticulously put in place fail, or things go completely sideways due to a catastrophic event, backups are vital for the continuation of your business operations.

Data and files have always been the backbones of businesses, for as long as businesses have existed. Once upon a time, our organisational data was physically held in filing cabinets or piled in boxes in a dingy room in the back of the office. Back then, company data was constantly in danger of going missing, being incorrectly filed, or was at the mercy of natural disasters.

We’ve come a long way from filing cabinets and physical documents. These days, most of our data is stored on servers, hard drives, or in the cloud. But with these technological advancements, our data is now under more threat than ever. Not only do we also experience data loss due to natural disasters and incorrect filing (how many times have you thought ‘now where on earth did I save that document!?’), we must also defend against ransomware/malware attacks, accidental deletions/damage, server outages, and a whole host of other potential threats that are waiting to snatch away your data and remove it from existence, oftentimes with devastating results.

What causes data loss?

As mentioned, there are several ways your data can disappear from the ether, with the most common being:

HUMAN ERROR:

Humans make mistakes, and sometime human error can result in overwriting important files and deleting information that is essential to your business. Human error can also result in other forms of data loss such as spillage, drops, or other accidents that could damage devices/servers.

EXTERNAL SECURITY THREATS:

Viruses, malware and ransomware are the biggest threats to your data. Malware can slow down your systems, and steal or corrupt your data. Worse still, ransomware does the same with the added threat of holding your data ransom until you pay a hefty fee.

OUTAGES:

Power outages can completely halt business operations by shutting your systems and devices down without warning. This not only results in the loss of unsaved data but can also corrupt files due to improper shutdown procedures.

THEFT:

Many businesses assign laptops to their employees and allow them to take their devices with them when they leave the office. This, of course, can result in the loss or theft of company property. If their unbacked-up files on lost or stolen devices, you can say goodbye to those files forever.

How to protect your data

So how do we lessen the impact in the event of data loss? The biggest defence against human error and external threats is to BACK UP YOUR DATA. And I don’t just mean save your files on a hard drive or a USB and tuck it away into a ‘safe’ place – that solution is simply not viable for organisations storing valuable data.

As a business owner, you absolutely need a diligent backup program with multiple backup and recovery points. This brings us to the 3-2-1 backup rule.

WHAT’S THE 3-2-1 BACKUP RULE?

The rule goes like this:

3 COPIES OF YOUR DATA
2 BACKUPS ON DIFFERENT MEDIA (for example, on your computer, external hard drive, or on-premise server)

1 BACKUP OFFSITE (e.g. in the cloud, or in an offsite server or data centre)

Following the 3-2-1 backup rule, it is advised that businesses should have both an on-premise and cloud-based backup solution.

Now let’s delve into maturity level one requirements:

Maturity Level One Requirements

Requirement 1:

Backups of important data, software and configuration settings are performed and retained in a coordinated and resilient manner in accordance with business continuity requirements.

This one is self-explanatory – you should be backing up your data regularly, with multiple disaster recovery points to fall back on in the event of malware or ransomware attacks. At the end of the day, the regularity of your backups is up to you, but as a general rule of thumb, you should make sure you are backing up your data daily and retaining your data for a period of 3 months or more.

Requirement 2:

Restoration of systems, software and important data from backups is tested in a coordinated manner as part of disaster recovery exercises.

Whether your backups are on an on-premise server or in the cloud, you should be testing the accessibility of your data regularly. In the event of a disaster, you need to be able to recover and restore your data from a period before the event occurred. Every 3 months, perform a disaster recovery exercise to ensure that your backups are working correctly and you can access files that are essential to your business.

Requirement 3:

Unprivileged accounts can only access their own backups, so obviously users who have standard user accounts should not be able to access any backups that they have not backed up themselves. This is because standard user accounts can be vulnerable to attack, so it’s best to have important backups well out of reach of your standard accounts.

Requirement 4:

Unprivileged accounts are prevented from modifying or deleting backups.

Similar to requirement 3, standard user accounts should be denied access to the settings or modifications of your backups. This is so if an adversary happens to gain access to a standard user account, they won’t be able to delete or modify your settings, thus rendering your backups useless.

Where do you start? 

There’s a good chance your business already has cloud backups and on-prem backups, buti f you don’t, there are a whole host of solutions available to you.

Here are a couple of our recommendations:

• Veeam
• Barracuda
• Synology
• Or our own cloud backup solution, which can guarantee the safety of your cloud data in our Tier 3 Data Centre.

And that’s it for regular backups!

But before you go, since this is the last episode of this series, I’d like to offer everyone watching a 15% discount on eStorm’s cyber security audits and assessments. During the audit we can assess your essential eight implementation and give you detailed recommendations on how to improve your cyber security position.

Thanks for watching, and as usual, if you have any questions please feel free to contact me. Farewell, until we meet again!

Hi everyone and welcome to episode 7 of eight weeks of the essential eight. In this episode we’re going to discuss multi-factor authentication (AKA MFA), why it’s considered essential, and the maturity level one requirements.

The ACSC defines this strategy as:

Multi-factor authentication including for VPNs, RDP, SSH and other remote access, and for all users when they perform a privileged action or access an important (sensitive/high-availability) data repository.

What is Multi-Factor Authentication?

MFA is ‘a method of authentication that uses two or more authentication factors to authenticate a single claimant to a single authentication verifier’.

In simpler terms, MFA is the act of using multiple verification methods to verify a user’s credentials. It adds another layer of security by forcing users to provide another means of identifying oneself.

Let’s imagine you’re a bartender. Someone approaches you asking for a martini (shaken, not stirred) and claims to be over the age of 18, but they’re acting a little suspicious and the felt moustache above their lips is hanging slightly askew. So, you ask for ID and everything seems to check out – the ID card looks legitimate and the photo resembles them exactly.

But we all know that licences can be forged or stolen, and identities can be faked with moustaches purchased from costume stores.

The digital world faces much of the same challenges (minus the fake moustaches). Think of your password and username as your ID – this too can be stolen or forged by adversaries, and it’s easier than you may think. Phishing scams and data breaches both pose serious threats to the security of your login details and information, but multi-factor authentication can offer much better guarantees. In fact, a striking statistic is that MFA prevents 99.9% of identity attacks if implemented correctly.

MFA is based on a combination of different authentication factors. An authentication can come in many different forms, such as a password, a pin, an SMS code, or facial recognition, but these on their own are not enough to secure your account against cyber attackers. You need to use at least two different authentication factors for it to pass as MFA. These factors are; biological (who a user is), knowledge (what a user knows), and possession (what a user has).

Here are a few examples of each factor:

1. The knowledge factor:

   This factor is based on what the user knows. Some examples would be things like a four-digit pin, passwords, or information like your mother’s maiden name, or a previous address.

2. The possession factor:

   This factor is bason on what the user has. The user must have something specific in their possession, such as an SMS code sent to their phone, a software or hardware token, or a security badge.

3. The biological factor:

   This factor is based on what the user is. Examples of biological verification methods can be retina scans, fingerprint scans, facial recognition, or digital signatures

By applying two or more of these different authentication factors, you make is significantly harder for adversaries to gain access to your devices, networks, systems, and sensitive information. This is because even if an attacker does happen to gain your password and username (whether through a phishing attack, data breach, or other means) they can’t surpass the second authentication method, as they’re unable to verify something the authenticated user has (such as an SMS code) or something the user is (such as a fingerprint scan).

Ideally, MFA should be implemented for all user logins (including office computers). If this is impracticable, then you should at least ensure MFA is being used by all users who have access to sensitive data and information, have admin privileges, or have remote access. Which brings us to maturity level one requirements.

Maturity Level One Requirements:

Requirement 1:

Multi-factor authentication is used by an organisation’s users if they authenticate to their organisation’s internet-facing services.

When users are, for example, accessing your network remotely, they must be using Multi factor authentication in order to verify and approve their access to your network remotely.

Requirement 2:

Multi-factor authentication is used by an organisation’s users if they authenticate to third-party internet-facing services that process, store or communicate their organisation’s sensitive data.

An example of third-party facing services that store your organisation’s data would be a cloud service (whether that be Microsoft, Google, or AWS), thus users should be using MFA when requesting access to your sensitive data.

Requirement 3:

Multi-factor authentication (where available) is used by an organisation’s users if they authenticate to third-party internet-facing services that process, store or communicate their organisation’s non-sensitive data.

You should be enabling MFA on ALL of the applications your users are accessing, including emails, Adobe, social media accounts, and any other web applications your employees are using. You’ll find that most apps will offer MFA, so check the web apps and internet-facing services your organisation uses for the option to enable MFA in their settings. Then go ahead and enable it for those that do!

Requirement 4:

Multi-factor authentication is enabled by default for non-organisational users (but users can choose to opt out) if they authenticate to an organisation’s internet-facing services.

This one might not apply for a lot of organisations, but in short, you are expected to enable MFA by default on your internet-facing services that are used by non-organisational users, such as clients or customers.

Let’s use a university as an example. Each student is given an email account that is activated by the school. MFA should, by default, be enabled for students who are logging into their accounts, with the option to opt-out if they choose.

Where do you start?

Let’s face it; MFA is going to be annoying and time consuming for your end users. Every time they log into your cloud environment or access your network remotely, they will need to follow the MFA login process. Every. Single. Time. It’s not fun, but it is necessary, and unfortunately it’s something that they’ll need to get used to.

The first step is to take a look at your cloud environment. Now most major cloud services (including Office, SharePoint, Google Cloud, Azure and AWS) offer basic MFA features in their settings. Make sure to enable this in your admin panel for the users in your organisation. I’ve included a few MFA setup tutorials Microsoft, Google, Azure and AWS below:

Microsoft Office/SharePoint Tutorial

Google Cloud Platform Tutorial

Azure Tutorial

AWS Tutorial

You can also consider using Microsoft Authenticator or Google Authenticator, available for iOS or Android devices. With Microsoft Authenticator, users can receive sign in notifications through their mobile that they can approve or deny, or use the app to generate OATH verification codes.

Learn more about Microsoft Authenticator

When it comes to a robust and powerful MFA security platform, we recommend Duo. Duo natively integrates with any application or platform, including Microsoft, Software as a Service tools, or on-premise environments. But perhaps most importantly, it can be used to add multifactor authentication to your VPN or remote access client. Using the one security solution, you can consolidate all your MFA requirements and easily deploy it across your applications, cloud environments, VPN or remote access clients, and devices.

Learn more about Duo!

And that’s it for multifactor authentication! As usual, if you have any questions please don’t hesitate to contact me and I will see you next time!