What is SD-WAN? SD-WAN explained

By

Software-defined Wide Area Network. Multiprotocol Label Switching. Secure Access Service Edge. Circuits, routers, interconnectivity, transport packets, overlays, and virtual private networks  – oh my! What does it all mean?

If you’re a tech expert, you probably already have a sound idea of the terms mentioned above. However, if you’re ‘technically challenged’ like myself, you’re probably sitting there scratching your head trying to decipher the jargon so you can finally get a clear picture on what exactly Software-defined Wide Area Network (SD-WAN) is, and how it can help your business.

After Googling every term related to SD-WAN and how it works (I even had to search ‘how does the internet work’, please don’t laugh), I’ve composed this blog post so ANYONE can get a grasp on the basics of SD-WAN and the monumental benefits it can have on businesses.

Let’s begin.

What is a Wide Area Network (WAN)?

I read so many informative blog posts about this topic that proclaimed ‘SD-WAN is just a more efficient type of WAN’. Now, this might be helpful if you’re someone with a basis of knowledge about the internet and what a Wide Area Network actually is.

I, however, was not that someone.

In simple terms, a switch allows us to connect multiple computers together and have them talk to each other. Maybe you’ve connected your laptop to a friend’s Wi-fi before and noticed an option appear that says ‘would you like to be discoverable by other PCs and devices on the network’. This is an example of LAN in action. You can also connect to someone’s LAN via an ethernet cable.

Ultimately, whether your LAN switch is wired or wireless is irrelevant. When computers are connected to your LAN, they break up their data into ‘packets’* of information, add the IP address of the computer they want to send it to, and send it off to the switch. The switch then looks at the destination IP* and sends it to the intended recipient’s computer. This all occurs locally (for example, in your house or office).

Now, what if instead of sharing locally, I want a computer at my house to talk to a computer at your house?

Chances are your house is too far away to connect to my switch, so we need something that can communicate between our LANs. This device is called a router. If you have Wi-Fi installed in your home, chances are you probably know what a router is. Similar to two computers on a LAN network, routers have their own public IP addresses. Through Network Address Translation (NAT), routers can tell the rest of the world that if they want to talk to a computer on your LAN, they can send the information to the router’s IP address, which will then forward the internet packets to your own device. Your Internet Service Provider will assign your router a public IP address, so it may talk to other routers around the world.

So, what is a WAN? I promise the above information wasn’t unnecessary, so here I’ll get to the point: a WAN is simply multiple LANs connected via routers (with the Internet being the most well-known example). A switch is how devices on a LAN talk to each other, and routers are how LANs talk to each other – all working cohesively to create a Wide Area Network.

Your Wireless Access Point at home is just a switch and a router bundled together (sometimes along with a modem, but this is usually separate).

*What are network packets?

A packet is a small segment of a larger message. Data sent over computer networks (such as the internet) is divided into packets, which are then recombined by the computer or device that receives them. Example: Let’s say Jane is writing a letter to John, but John’s mail slot can is only big enough to accept small index-sized envelopes. Instead of writing her letter on a big piece of paper and wrangling it into John’s mailbox, she divides the letter into small sections and writes them on index cards. She then delivers these index cards to John, who orders them so he can read the complete message. In this instance, Jane is one computer and John the other. This is similar to how packets work on the internet. Let’s suppose a user needs to load an image - the image file doesn’t get sent from the web server to the user’s computer in one piece. It is instead broken down into packets of data, sent over the wires, cables and radio waves of the Internet, and then reassembled by the user’s computer into the photo. (Hopefully that explains it a little better. It still sounds like magic to me if I’m being honest. ) Source: https://www.cloudflare.com/en-au/learning/network-layer/what-is-a-packet/

*What is an IP address?

Internet Protocol (or IP) is a long string of numbers assigned to every device connected to a network using IP as the medium for communication. Basically, it's the digital equivalent of your email or home address. Source: https://www.networkworld.com/article/3588315/what-is-an-ip-address-and-what-is-your-ip-address.html

What is SD-WAN?

So now you (hopefully) understand what a Wide Area Network is, let’s move on to what an SD-WAN is.  SD-WAN is an acronym for ‘Software-defined Wide Area Network’.

Traditionally, organisations with multiple sites (such as retail or real estate companies) used Multiprotocol Label Switching (MPLS) to connect multiple sites to business-critical applications and resources.

What is MPLS?

MPLS is a private connection that links data centres and branch offices. When data enters a traditional IP network, it moves along network nodes (such as switches or routers). Each router the data packet lands on must then make its own decision about the packet’s next destination within the network. MPLS instead assigns ‘labels’ to each packet that will send it along a predetermined path, ensuring higher quality and faster delivery speeds when it reaches its final destination.

In short: MPLS provides a private network shared among two or more locations where data traveling across the network can be labelled (e.g., voice, video, etc.) and prioritised by the routers which are configured to recognise the labels. It allows you to segregate and configure traffic-types so that better and faster routing decisions are available to the packets and applications that need higher and more stable performance metrics (such as voice and video). For example, organisations needing enhanced performance for their communications platform could use MPLS to map those labels to pathways that require real-time access (otherwise known as low latency paths – for data messages requiring minimal delay such as voice and video), or businesses could use MPLS to prevent certain types of traffic (like YouTube) from hogging vital bandwidth.

So what happened to MPLS?

These days, many traditional business-critical applications have moved to the cloud, and the unfortunate reality for MPLs is that it can’t keep up with evolving cloud technology. WAN architectures based on MPLS typically use a model where the traffic from the branch is ‘backhauled’ from the branch to the cloud via the headquarters or a centralised data centre when accessing cloud applications. The costs for MPLS become increasingly expensive when traffic is backhauled.

Enter SD-WAN!

Over the past few years, vendors and service providers have been pushing the use of SD-WAN over MPLS – and for good reason too! Software-defined Wide Area Network is a newer approach to WAN which separates the network control and management processes from the underlying hardware (switches and circuits) and makes them available as easily configurable and deployable software. SD-WAN networks can manage multiple connections (including MPLS, broadband, and LTE), and route traffic over the best path in real-time. In the case of cloud technology, SD-WAN can forward internet and cloud bound traffic directly to the branch or site without backhauling. By routing traffic over different network paths depending on priority or necessity, you can optimise application performance, guarantee call and video quality, and minimise service disruptions.

In short: The key difference between MPLS and SD-WAN is that it is ‘software-defined’, meaning it is far easier to configure policies across your entire network. It also improves your network performance by making it easier to utilise multiple connections rather than spending a fortune on private MPLS connections. This allows you to achieve a higher performance from you network at lower costs.

Benefits of SD-WAN:

SD-WAN allows you to use multiple connectivity types (at the same time) such as ethernet circuits, fixed wireless, and 4G/5G sims to create branch office connectivity, with the flexibility of routing different networks and services to any given location within your SD WAN solution without changes to hardware.

 

Optus Data Breach: How to protect your details

By

On Thursday 22nd September, Australian telco giant Optus revealed they had been the target of a cyber attack that has compromised the personal details of potentially 9.8 million users. If you are an Optus customer, your name, date of birth, phone number, and email addresses may have been breached. Identity documents such as driver’s licences or passport numbers may also be in the hands of the cyber criminals, paving the way for potential identity theft.

While it is as yet unclear whether the attack was financially or politically motivated, if you are an Optus customer it’s important that you take immediate action to secure your details.

I’m an optus customer! What do I do about the breach? How do I protect my identity?

First of all, don’t panic! There are actionable steps you can take to secure your most important details, such as your bank or Medicare accounts. Follow the below steps to ensure you are protecting your details to the best of your ability.

Change your bank login details

Scamwatch has advised Optus customers to change their bank logins. Changing your password is crucial, however we also recommend updating your username or associated email for the ultimate protection.

Update your email password

We advise updating your email password and any other accounts that use the same email and password combination that you used for your Optus account. Choose a strong password with multiple lowercase, uppercase and special characters. You can use this free password generator to help you out!

Enable multi or two factor authentication

Most apps and accounts provide the option to enable multi or two factor authentication. Check within your account or app for the option to enable it (this can usually be found within the Account, Password, or Security settings). Multi or two factor authentication provides an extra layer of password and login protection. With MFA or 2FA enabled, in order to successfully login and access your account you will need to supply a confirmation code/PIN that is generally sent to your personal device via text, email or both. It’s important to enable multi or two factor authentication because cyber criminals will not be able to proceed past the authentication method even if they have the stolen password and email combo for your account. Plus, you will also most likely receive a notification of the attempted login so you can track suspicious activity on your account!

Place limits on your bank account

Place smaller limits on your bank account until you can confirm your bank or login details were not compromised. This will prevent cyber criminals from moving large amounts of money out of your account.

Monitor for suspicious or unusual activity

Keep an eye out for suspicious purchases, login attempts, emails, or other unusual activity across your accounts.

Watch out for scams

Optus has advised customers to only contact the company via their app or official phone number. Scammers may impersonate Optus and target customers via email or text, so be wary of any correspondence that claims to be from Optus – particularly if they are asking you for money or to provide personal information.

Data Sovereignty in the Cloud: Are you compliant?

By

What is data sovereignty?

Data sovereignty is the notion that data is under the jurisdiction in which it is collected or processed and must remain within its borders. In simpler terms, this means the legal rights of data subjects (any individual whose personal information is being gathered, retained, or processed) and data requirements will depend on the location in which the data is stored. Therefore, organisations will have different responsibilities depending on their geographical locations.

In short: Data sovereignty is the principle that a country has complete control over its data. For example, let’s suppose a Canadian organisation’s information resides in a data centre located in France. In this case, the data now falls under French laws and not Canadian laws despite the data belonging to the Canadian entity.

But how does this apply to cloud backups?

 

What is data sovereignty in the cloud?

Now that we’ve explained the concept of data sovereignty as a whole, let’s delve into data sovereignty in the cloud. Cloud data sovereignty is the notion that data stored in the cloud is subject to the laws, regulations or other jurisdiction that has authority over the relevant cloud infrastructure. In other words, cloud data sovereignty refers to the ways in which regulatory laws or other policies may impact data stored in the cloud, depending on the country or region where your cloud data is hosted.

Example: A company operating out of Australia chooses a cloud provider that hosts client data within the European Union. Because the Australian entity’s data is stored within the E.U., the company may now be subject to E.U. data regulations, such as the General Data Protection Regulation (GDPR).

To make matters more complicated, cloud vendors typically don’t inform customers of the regulatory stakes of selecting one cloud region versus another – of which most organisations are not aware of. While ‘the cloud’ may seem intangible, but it is very much grounded and geolocated within the borders of countries. Therefore, if you’re backing up your data to a cloud service (which is more than likely in today’s technological landscape) your data is being stored in a data centre – but the question is: where?

As cloud computing because the norm, it’s important for organisations to implement data protection strategies that takes data sovereignty into consideration. Not knowing where your data is being stored can land you in hot water – particularly if you’re in violation of local privacy regulations and legislation.

When considering where to store your data – whether on-premises, within a data centre, or with one or more cloud providers – you should consider where the data will be stored and what laws, compliance, or regulations will apply to it.

 

Data sovereignty vs localisation vs residency

The terms Data Sovereignty, Data Localisation and Data Residency are a source of confusion for businesses managing data, who may believe they are interchangeable. Here is an overview of each term to clear up misinterpretations:

Data Residency:

Data residency refers to the geographical location where businesses specify their data is stored. Usually this is for regulatory or policy reasons. As an example, a data residency policy may require proof from a business they aren’t conducting too much of their core activities outside of that country’s border – including data processing.  In this example a business will then implement data residency that sets restrictive data management workflows on their operations and cloud providers.

Data Sovereignty:

Data sovereignty is a governmental policy or legislation noting data is subject to the data and privacy laws of a specific geographical location.

For example, Australia’s Privacy Principles dictates that personal data kept in Australia must meet the thirteen standards specified by the APP, including how data is used and collected and person’s right to access their data.

Data Localisation:

People often use data ‘sovereignty’ and ‘localisation’ interchangeably, but they are in fact separate terminologies. Data localisation is by far the most restrictive of the three. In some cases, data localisation legislation only requires that copies of relevant data remain within the country’s borders, guaranteeing the government can audit data on its citizens with due course.

 

Why does it matter?

There is an adage ‘ignorance is no excuse for the law’. It’s important you know where your data is stored, because if it is stored in a country that is not your own you are still subject to that country’s laws. Consequences such as having your data being seized or accessed by the government of that country are completely plausible.

Consider this: An Australian entity uses a cloud provider based in the U.K., with customers in the EU and the U.S. It is plausible that data collection via a website may occur in Italy, California, and even Australia. Therefore, collected data will be subject to the data sovereignty rights of Italy, the United States, and Australia – but since the data is stored in the U.K., it is ALSO subject to the data sovereignty laws in the U.K. It gets confusing, right? 

Given the complicated and often confusing landscape data sovereignty in the cloud exposes, it is important for organisations to stay aware and compliant.

 

Key considerations & best practices

Before you contemplate on compliance, regulations and rules, first you should consider how and where to store your data – such as on-premises or in the cloud. If you have chosen the cloud, data sovereignty becomes more complex. Generally, when utilising the cloud you will need to choose options for replications and backups of your data, which are often stored in other geographical locations. Your chosen cloud provider may or may not allow you to select the region where your backups or replicas will be stored. When choosing your provider, ensure you have the ability to specify the region in which your data will be stored and understand the regulatory requirements of each region.

 

Cloud vs. On-premise Backups: Which is better?

By

The daily operation of your organisation relies on access to business-critical data and applications. So, what happens when access to this data is lost, corrupted or temporarily unavailable due to a service outage? The unfortunate reality is that data loss is more common than you’d think, and the costs due to downtime can be crippling. That’s why we believe preparing for data loss isn’t paranoia, it’s good business practice.

Storing important files, applications, emails, and documents in the cloud means that no matter what happens to your local files, you can restore your data to a point in time before corruption or data loss occurred.

Data and files have always been the backbones of businesses, for as long as businesses have existed. Once upon a time, our organisational data was physically held in filing cabinets or piled in boxes in a dingy room in the back of the office. Back then, company data was constantly in danger of going missing, being incorrectly filed, or was at the mercy of natural disasters. We’ve come a long way from filing cabinets and physical documents. These days, most of our data is stored on servers, hard drives, or in the cloud. But with these technological advancements, our data is now under more threat than ever. Not only do we also experience data loss due to natural disasters and incorrect filing (how many times have you thought ‘now where on earth did I save that document!?’), we must also defend against ransomware/malware attacks, accidental deletions/damage, server outages, and a whole host of other potential threats that are waiting to snatch away your data and remove it from existence, oftentimes with devastating results.

 

What causes data loss?

As mentioned, there are several ways your data can disappear from the ether, with the most common being:

Human error:

Humans make mistakes. Sometimes they’re little mistakes that can easily be rectified and other times they’re big ones (such as hard deleting folders or files). No matter the size of the mistake, human error can result in overwriting important files and deleting information that is essential to your business.

Human error can also result in other forms of data loss such as spillage, drops, or other accidents that could damage devices/servers.

External security threats:

Viruses, malware, and ransomware are the biggest threats to your data. Malware can slow down your systems and steal or corrupt your data. Worse still, ransomware does the same with the added threat of holding your data ransom until you pay a hefty fee.

Outages:

Power outages can completely halt business operations by shutting your systems and devices down without warning. This not only results in the loss of unsaved data but can also corrupt files due to improper shutdown procedures.

Theft:

Many businesses assign laptops to their employees and allow them to take their devices with them when they leave the office. This, of course, can result in the loss or theft of company property. If their unbacked-up files on lost or stolen devices, you can say goodbye to those files forever.

 

How to protect your data

So how do we lessen the impact in the event of data loss? The biggest defence against human error and external threats are to backup your data. And I don’t just mean save your files on a hard drive or a USB and tuck it away into a ‘safe’ place – that solution is simply not viable for organisations storing valuable data. As a business owner, you absolutely need a diligent backup program with multiple backup and recovery points. This brings us to the 3-2-1 backup rule.

What’s the 3-2-1 backup rule?

The 3-2-1 backup rule has met with some controversy in recent years, with some claiming it is outdated, while others insisting that it is still relevant and useful for today’s landscape. The truth of the matter is that although the 3-2-1 may be the bare minimum for organisational backup plans, it still sets a solid foundation for the prevention of data loss.

The rule goes like this:

3 COPIES OF YOUR DATA

2 BACKUPS ON DIFFERENT MEDIA (for example, on your computer, external hard drive, or on-premises server)

1 BACKUP OFFSITE (e.g., in the cloud, or in an offsite server or data centre)

3: Keep three (3) copies of data

Keeping three copies of data is the bare minimum required to ensure that you can recover in any failure scenario, keep recovery objectives low and avoid a single point of failure. The more backup copies you have, the less likely it is that you would lose them all at once. Having a single backup stored in the same location as the primary data means that any disaster that hits your production can also affect your secondary copies.

2: Store two (2) backup copies on different storage media

Having all your backups on the same type of storage media makes it more likely that both devices would fail at about the same time due to a defect or simple wear and tear. To abide by this rule, you must store your primary data and backup copies on at least two different storage media, including internal or external hard drives, NAS, tape, and others.

1: Store one (1) backup copy offsite

Keeping your backups in a single place is not recommended since it’s possible for them to be wiped out in a natural disaster or building emergency (such as a fire). For this reason, this strategy dictates that you should store one or more backup copies in a remote location. A remote location in this case could be a physical offsite storage or in the cloud.

Following the 3-2-1 backup rule, it is advised that businesses should have both an on-premises

and cloud-based backup solution.

Let’s delve into what these solutions are.

On-premises backups

Every business likely uses some form of on-premises (or on-site) backups. On-premises backups simply refer to the storing of data locally on various devices. These devices can include hard drives, disks, USBs, network attached storage (NAS), or servers.

Security:

Businesses in highly regulated industries (such as healthcare or finance) prefer on-premises backups because the solution ensures no third party has access to critical data or information. Furthermore, onsite backups mean data is rarely sent out over the internet, and stays secure behind your firewall.

Control:

In a similar vein, because your data is stored onsite you have complete control over your backups. You can choose when data is backed up, how often backups occur, and what/when information gets backed up. Also, you can scale up or down with hardware as your business develops and changes.

Accessibility:

Having your data stored on-premises means you can quickly access files whether you are online or offline.

Scalability/costs:

On-premises backup solutions are often scalable, but the costs depend on how much data you need to store. In most instances, there may be significant costs involved up-front – particularly if you need to purchase a NAS or server. However, self-managing your on-site backup system can be cost-efficient in the long run as you will not need to pay a monthly fee to a third party. On the other hand, if you require a complex backup system, it can become costly to maintain and upgrade as you will need an inhouse IT technician or a Managed Service Provider (MSP) managing your servers. 

Risks:

Because your backup solution is physically stored in your office, the major risks involved are due to irreparable damage to the system (whether accidental or purposeful) and disasters (floods, fires, etc.).

 

Cloud Backups

Most businesses across the globe are now implementing cloud-based backup solutions to further protect their data. Cloud backups refers to the process of digitally storing a copy of data in an off-site location (in the cloud). Whether private or through a third party, cloud backups do offer many benefits that you cannot get with on-premises backups.

Security:

The level of security depends on whether you’re relying on a third party or a private cloud solution. Private cloud is maintained on a private network where the hardware/software is dedicated to a single organisation – it is a secure and high-performance solution available for businesses that need data stored within a secure environment. This solution would suit highly regulated organisations.

On the other hand, third-party vendors may not be suitable for businesses that house confidential data, as your critical data may be accessed by the vendor. However, for most businesses this isn’t a problem. Good third-party vendors offer safe and reliable backup solutions that provide more than adequate security for your data. In both instances, cloud backup solutions have the added benefit of being out of reach from natural disasters or damage that could occur to on-premises systems.

Control:

Most cloud backup vendors offer businesses complete control over their data, with automated backups, multiple recovery points, and immutable storage.

Accessibility:

Cloud backups are user-friendly and accessible from anywhere, at any time. However, in periods of outages (i.e., with your internet or backup provider) your data may become momentarily inaccessible, resulting in downtime.

Scalability/costs:

Like security, the cost of cloud solutions depends on a number of things, like whether you require private or public cloud, but generally you are only charged for the space and bandwidth you require. The major benefit in this realm is the flexibility and ease with which you can scale your backups, and the lack of maintenance costs – there are generally no up-front costs (except perhaps in the case of private cloud), and maintenance of the cloud servers is the vendor’s responsibility.

Risks:

Like any solution, cloud backups aren’t perfect. They are still at risk of data loss due to malware and ransomware infections, particularly if you have not set up recent and recurring disaster

recovery points.

 

Why not both?

Why not both indeed! Leveraging both on-premises and cloud-based backups gives your business the best of both worlds; on-premises backups that are secure and easily accessible, plus the added security and peace of mind of having cloud backups to fall back on in the event of damage/disaster in your office.

Referring to the 3-2-1 rule, leveraging both cloud and on-premises backups give you the ultimate security. While this may seem costly, utilising both forms of backups can save your business in the long run by improving efficiency, reducing downtime, and perhaps most importantly, saving your skin in the event of a malware or ransomware attack, which commonly costs businesses millions of dollars to rectify.

We wholeheartedly believe that preparing for data loss isn’t paranoia; it’s good business practice! As the saying goes, you’re better safe than sorry, and when it comes to your data, safety should always be at the forefront of your mind.

OUR BACKUP SOLUTIONS:

  • CLOUD SOLUTIONS
  • VEEAM
  • BARRACUDA
  • NEXTDC
  • PRIVATE CLOUD
  • HYBRID CLOUD
  • ON-PREMISE
  • SYNOLOGY
  • BARRACUDA
  • VMware
  • SERVER CONFIGURATION
  • NAS CONFIGURATION

eStorm Achieves ISO 27001 Certification!

By 

-

eStorm Australia is proud to announce we have been awarded ISO 27001 certification

In an ever-evolving security landscape, it’s becoming increasingly important for organisations to implement robust systems and processes that protect and secure sensitive data and information assets. ISO 27001 is the global benchmark for Information Security Management Systems (ISMS). Developed through a partnership between the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), ISO 27001 encompasses 114 security control methods that address people, policies and technology. Additionally, the ISMS provides a framework for organisations to implement a best practice approach to their information security.

As leaders in the technological space, eStorm pursued ISO 27001 certification to prove to our clients our commitment to securing, improving and protecting not just our own information assets, but the sensitive data and assets of our customers and clients. Certification is a critical milestone for our organisation, forming the basis for continually improving and refining our system to respond to ever-evolving changes in the digital landscape. The certification process involves an extensive independent expert assessment of the standards to ensure that our systems effectively identify and manage security risks.

Attaining ISO 27001 certification means we have formally achieved the most globally recognised level of industry-standard security practices. The process has helped us reinforce a strong security culture and aligns us with worldwide government standards regarding our implementation and approach to risk management.

The journey towards certification was oftentimes demanding, tedious, and challenging, but it was also incredibly insightful. With the hurdles towards certification in our rear-view mirrors and the certification officially under our belts, we can now confidently provide the guidance and experience needed to help our clients reach the ISO 27001 finish line and ace their own audits.

 

 

Check out some of our previous ISO 27001 posts:

How to Achieve ISO 27001 Certification 
ISO 27001: Why You Should Be Certified
ISO 27002 Update: Everything You Need to Know

 

 

11 Types of Phishing Attacks

By

1. Spear Phishing

Spear phishing is an email or electronic communications scam targeted towards a specific individual, organisation, or business. It is a malicious tactic utilising emails, social media, instant messaging, and other platforms to get users to share personal information or perform actions that can cause network/system compromises or data/financial loss. Although often intended to steal data for malicious purposes, cybercriminals may also intend to install malware or ransomware on a targeted user’s device.

Typically, spear phishing is used in targeted attack campaigns to gain access to an individual’s account or impersonate a specific individual, such as a ranking official or those involved in confidential processes within the company.

 

2. Whaling

A whaling attack is a method used by cybercriminals to masquerade as a senior official within an organisation and directly target other ranking or important individuals. The aim of whaling attacks is typically to steal money, gather sensitive information, or gain access to their computer systems for criminal purposes.

Also known as CEO fraud, whaling is similar to regular phishing attacks in that it uses methods such as email and website spoofing to trick targets into performing specific actions, such as revealing sensitive information or transferring funds.

Cybercriminals specifically choose to impersonate someone with senior or influential roles within the organisation. Think of them as the ‘big phish’ or ‘whales’ of the company (i.e., CEO or finance managers). Impersonating people in these roles adds an extra element of social engineering, as staff may be reluctant to refuse a request from someone they deem to be important.

 

3. Vishing

Voice phishing (shortened to ‘vishing’) is a form of phishing that uses phones to steal confidential information. Vishing relies on convincing victims they are doing the right thing by responding to the caller. Often the scammer will pretend to be calling from the government, tax department, police or the victim’s bank.

Using threats and persuasive language, cyber criminals will make their victims feel like they have no other option but to provide the information requested. Some scammers will use forceful language that suggests they are helping the victim avoid criminal charges, while other scare tactics involve leaving threatening voicemails requesting the victim call back immediately or risk arrest, loss of funds, or worse.

The cybercriminal may ask for bank account information, credit card details, mailing addresses, tax information, or medical records. They may also ask the victim to take action by transferring funds, emailing confidential work documents, or providing details about their employer.

Once the criminal has obtained this information, they may drain the victim’s bank account, commit identity theft, use the victim’s credit card to make unauthorised purchases, or access their email accounts to trick the victim’s colleagues into giving up confidential information.

 

4. Smishing

SMS phishing (also known as text phishing, or ‘smishing’) is a phishing attack carried out over mobile text messaging. Victims are deceived into giving sensitive information to a disguised attacker. It occurs across many mobile messaging platforms, including non-SMS channels like WhatsApp, Facebook, Instagram or other data-based mobile messaging apps.

Cybercriminals manipulate a victim’s decision-making through three driving factors:

  • Trust: by masquerading as a legitimate individual or organisations, cybercriminals lower their target’s scepticism.
  • Context: cybercriminals use a situation could be relevant to targets allows them to build an effective disguise. The message feels personalised, which helps it override any suspicion that it may be spam.
  • Emotion: by heightening a target’s emotions, attackers can override their target’s critical thinking and spur them into rapid action.

 

5. Angler Phishing

Angler phishing is a recent type of cyberattack that targets social media users. People disguise themselves as a customer service agent on social media in order to reach a disgruntled customer and obtain personal information or account credentials.

Fake accounts will answer people are airing complaints on social media, and will disguise themselves under a user handle or profile that includes the name of the financial institution with the hopes that upset victims won’t realise they are not a valid account.

Once they have baited their disgruntled victim, the fake account will offer a link they claim will take the victim directly to an agent to talk to them. However, that link will either install malware onto their computer, or lead them to a fake website that will try get information and money from them.

 

6. Pharming

Pharming is a type of cyberattack in which criminals redirect internet users trying to reach a specific website to a different, fake site. These fake (or ‘spoofed’) websites aim to capture a victim’s personally identifiable information (PII) and login credentials, such as passwords, social security numbers, account numbers and so on, or else they attempt to install pharming malware on their computer. Pharmers often target websites in the financial sector, including banks, online payment platforms, or ecommerce sites, usually with identity theft as their ultimate objective.

 

7. Pop-up Phishing

Pop-up phishing involves using fraudulent messages that pop up for users when they are surfing the web. Cybercriminals infect legitimate or otherwise trustworthy websites with malicious code that enables these pop-up messages to appear when people visit the website.

Often, these messages warn unsuspecting website visitors about the security of their computer and will prompt the visitor to either download a tool (such as an antivirus application) which is in fact malware, or to call a fraudulent number for support.

Example of successful pop-up phishing:

A potential victim was browsing the internet on his MacBook Pro, when he encountered a pop-up message alerting him to a problem with his computer. The scammers behind the pop-up provided a phone number to call for support.

The cybercriminal disguised as an ‘Apple support representative’ prompted the user to establish a remote connection so the ‘representative’ could diagnose the issue. The scammer showed the user his AppleCare had expired and required renewal for $499 and navigated the victim to a webpage requesting his credit card number for AppleCare renewal.

 

8. Clone Phishing

Clone phishing refers to an email that has been cloned from an original message sent by an authentic organisation. The cloned email appears to be legitimate and can trick the user into giving up information.

Clone phishing has evolved into a cyber threat that is often targeted at high-profile people such as individuals working in politics, banks, or large enterprises because clone phishing offers a way for attackers to extract sensitive, financial, confidential, or sensitive information.

Some clone phishing messages appear to be sent by a real person at the company the target works for or is involved with and is accompanied by copy and pasted content and information from a genuine message, with links or attachments that have been replaced by malware or fake website. Other spoofed emails include attachments claiming to contain important information such as invoices or shipping notices. Often, these attachments will contain malware or ransomware that compromise the victim’s device.

 

9. Evil Twin Phishing

An evil twin attack is a form of cyberattack that tricks a victim into connecting to a fake Wi-Fi access point that mimics a legitimate network. It is the wireless version of common phishing attacks. Once a user is connected to the ‘evil twin’ network, cybercriminals can inject malware or access the victim’s network traffic, sensitive data, and private login credentials.

The danger in evil twin attacks is that victims are often not aware they have been targeted by an evil twin attack because, for all intents and purposes, it feels no different from connecting to any other Wi-Fi network. The main difference is that once they have connected, everything they do online can be tracked and even controlled by the cybercriminal. If the victim logs into an unsecured bank or email account, the cybercriminal is able to intercept the login details and transactions.

Once the cybercriminal has identified a Wi-Fi network or hotspot to spoof, they will create a counterfeit wireless access point with the same name, one that closely resembled it or a name that could tempt users (e.g., Free Wi-Fi). Open networks are a prime target as users can connect automatically with requiring a password.

10. Watering Hole Phishing

Watering hole attacks compromise users within a specific industry by infecting websites they typically visit and luring them to a malicious site. Watering hole attacks are also known as strategic website compromise attacks.

Cybercriminals attempting attacks for financial or gain or to build their botnet can achieve this by compromising popular consumer websites. They will look for a known vulnerability in the website, compromise the site, and infect it with their malware before they lie in wait for baited users.

On top of this, attackers will prompt victims to visit the sites by sending them seemingly harmless and highly contextual emails directing them to specific parts of the compromised website. Often these emails seem completely legitimate, as they are sent through the website’s automatic email notifications and newsletters that go out to their client or subscription base.

As with most cyberattacks, the user’s machine may be compromised by a drive-by-download that provides no clues to the victim that their machine has been attacked and compromised by the site.

 

11. HTTPS Phishing

HTTPS phishing refers to the landing page or watering hole site that a user arrives at. SSL certificates have in the past been a way to ‘prove’ that a website is trustworthy. However, now it has become relatively easy for scammers to encrypt SSL on their fake or spoofed websites. Cybercriminals can now get their own SSL certificates to secure pages used in their phishing campaigns, and can often do so without having to reveal much information about who they really are. Other criminals may abuse pages hosted on cloud services, which sometimes allow them to automatically inherit the security certificate.

What is cyber insurance and do you need it?

By

Globally, cyberattacks are rated as the number one risk businesses may face, and as a result many organisations are turning to cyber insurance to provide protection against financial losses due to a cyber event.

What is cyber insurance?

Cyber insurance (also known as cyber liability insurance) policies assist in covering financial losses in the event of a cyberattack, including malware/ransomware attacks, extortion, and social engineering attacks. Having cyber insurance can potentially help in minimising business disruption in the aftermath of a cyber incident, as well as recovering the costs of dealing with an attack, such as remediation, investigations, and legal fees.

Just like many other insurance policies you may already have in place for your business, cyber liability insurance is a contract between your company and your insurer to protect against losses related to computer, network, or information security incidents.

However, it’s important to note that cyber insurance is still in its early days, and thus there may be policies or incidents that your chosen insurer does not (or will not) cover.

While your insurance may provide financial or remedial assistance, it can’t absolve you of your cyber security responsibilities. Having a cyber insurance policy is not an excuse to become lax with your cyber and information security controls and methods, so it is vitally important you maintain a cyber security posture appropriate for your organisation.

Furthermore, many cyber insurers will determine your premium costs and excess based on your cyber security posture. If you do not have minimum information security controls in place, you may find that your cyber insurance essentially becomes useless in the event of a debilitating cyber incident.

Who needs cyber insurance?

Cyber incidents can impact any company of any size, regardless of industry.

Every business could benefit from having a cyber insurance policy, but this is especially true for enterprises dealing with sensitive information (such as bank details, medical records, or personally identifiable information), as these details are highly sought after by cyber criminals. If an adversary gets access to these details, your company could potentially incur expenses associated with forensic investigations, extortion negotiations, ransom payments, credit and identity monitoring, restoration services, fines, and legal counsel fees. The estimated costs involved for a relatively minor cyber incident averages between $200,000 to $6000,000 – for SMBs, these financial losses could be crippling.

What does cyber insurance cover/include?

The coverage for your cyber insurance policy depends on your chosen insurer. Always read the fine print to ensure you’re getting appropriate coverage for your business.

You can expect most policies to include coverage for:

  • Meeting extortion demands for ransomware attacks
  • Notifying customers when a breach has occurred
  • Paying legal fees as result of privacy violations
  • Hiring computer or cyber security forensic experts to investigate and recover data
  • Restoring and monitoring the identity of compromised customers
  • Recovering data that has been altered or stolen
  • Repairing or replacing damaged or compromised computer systems

As mentioned previously, it is vital you maintain a cyber security posture applicable to your organisation. This is because many cyber security policies exclude preventable security issues, such as poor configuration or mismanagement of digital assets and information. Other excluded issues can include:

  • Cyber events caused or initiated by employees/insiders
  • Incidents that occurred before the policy was purchased
  • Infrastructure failures not caused by purposeful cyber attacks
  • Failure to correct known vulnerabilities (e.g., a vulnerability the company is aware of, fails to address, and becomes compromised due to the vulnerability)
  • The cost to improve cyber security posture, such as security hardening in systems and applications

How much does cyber insurance cost?

Usually, cyber insurance costs are based on a company’s annual revenue, industry, and size. To qualify for a policy, most insurers require businesses to submit to a security audit conducted by the insurance company. The results of the audit factors into the types of coverage, the extent of the coverage, and the cost of premiums an enterprise qualifies for.

What to do next

Before you purchase a cyber insurance policy, you should consider partnering with a Managed Security Services Provider. Your MSSP will be able to evaluate your cyber security posture, provide suggestions for improvement, and implement the relevant security controls to strengthen your cyber and information security.

Not only is this beneficial overall for the ongoing protection of your information, data, and digital assets, but it will also aide your business in getting the best insurance coverage, premium costs, and excess available.

 

View our IT Security Audit page for more information!

Our favourite WWDC22 Apple Announcements

By

In June, Apple announced a host of new products – check out our favourite announcements below!

iOS 16

The newest operating system for iPhone introduces a huge update to the lock screen, and new sharing, communication and intelligence features that change the way users experience iPhones.

The lock screen becomes more personal, customisable and helpful with iOS 16. With a new multi-layered effect, the subjects of photos are set in front of the on the lock screen, creating a sense of depth. Users can also change the look of the date and time with expressive type stiles and colour choices. The lock screen also features widgets similar to Apple Watch faces, making it easier to get information at a glance (such as calendar events, weather, battery, alarms, and more).

Live activities has been introduced to help users stay on top of things that are happening in real time, such as sports games, workouts, ride shares, or food deliveries. Notifications have also been redesigned to roll up from the bottom screen so users have a clear view of their personalised lock screen.

iOS 16 also introduces updates to messages. Users can recall recently sent messages, recover recently deleted messages, and mark conversation as unread.

Wallet updates includes the introduction of Apple Pay Later, which provides US users with a secure way to split the cost of an Apple pay purchase into four equal payments spread over 6 weeks with zero interest or fees.

 

iPadOS 16

Major updates to iPadOS makes the iPad experience even more versatile and enjoyable. New features in Messages make it easy to begin collaborating and managing content across files, keynote, numbers, pages, notes, reminders and Safari, as well as third party apps. When changes are made to shared files, everyone can see updates at the top of the Messages thread. Similar to iOS 16, users can also edit or recall recently sent messages, recover recently deleted messages, and mark conversations as unread. Furthermore, users can begin a SharePlay session via messages so they can choose a SharePlay activity (like movies, TV shows, workouts, or games) and enjoy it together in sync while chatting via messages.

iPadOS 16 introduces Freeform, a new collaboration app with a flexible canvas, and gives users the ability to see, share and collaborate all in one place without worrying about layouts and page sizes.

Stage Manager: stage manager is the new multi-tasking experience that automatically organises apps and windows, making it easy to switch between tasks. Available on iPads enables with the M1 chip.

Notes: Notes allows users to create neater handwritten notes with the ability to automatically straighten handwriting, use iCloud passwords to lock personal notes, add screenshots in Quick Note, and use Smart Folders with filtering capabilities.

 

macOS Ventura

The latest version of the mac operation system has been dubbed ‘macOS Ventura’. The highlight in macOS Ventura is Stage Manager – a feature which gives Mac users an all-new way to stay focussed on tasks while seamlessly switching between apps and windows. Continuity Camera has also been introduced in the latest update, which uses iPhone as the webcam on Mac.

Updates to Spotlight includes a new design that makes navigation easier, with new features such as Quick Look for quickly previewing files. Live text allows users to search for photos by text inside images. To increase productivity, users can now take actions from Spotlight, starting a timer, creating new documents or running shortcuts.

Live text: Live text utilises device intelligence to recognise text in images across the system.

Accessibility tools: New accessibility tools include Live Captions for all audio content, type to speak on calls, text checker to support proofreading for voice over users, and more.

System Preferences: System Preferences will be called ‘System Settings’, and comes with a refreshed design that is easier to navigate

Security: macOS security introduces new tools make Mac more resistant to attack, including rapid security response that works in between normal updates to keep security up to date without the need to reboot.

 

watchOS 9

The latest version of watchOS introduces new watch faces to personalise and customise your Apple watch, plus a new health feature that allows users to track how long an instance of atrial fibrillation lasts. Workout App updates include richer metrics for measuring performance, Custom Workouts to create a structured workout that can include work and rest intervals.

New running metrics include stride length, ground contact time, and vertical oscillation can all be added as metrics on workout views.

 

Macbook Air

The all-new MacBook Air has been completely redesigned around the M2 chip. Measuring just 11.3mm thin and 1.2 kilograms, it features a durable aluminium unibody enclose that is built to last. The newest MacBook air has a 13.6inch Liquid Retina display, a 1080p FaceTime HD camera, a four-speaker sound system and up to 18 hours of battery life with MagSafe charging.

The MacBook Air also features two Thunderbolt ports, and a 3.5mm audio jack with support for high-impedance headphones. Furthermore, the Magic Keyboard features a full-height function row with Touch ID and a spacious industry-leading Force Touch trackpad.

The M2 chip takes the performance of MacBook air even further. For extensive workloads like editing complex timelines in Final Cut Pro, performance is nearly 40% faster than previous generations; applying filters and effects in apps like Adobe Photoshop is up to 20% faster than before, and even with a larger display and increased performance, MacBook air delivers the same great, all-day battery life MacBook Air fans have come to enjoy, with up to 18 hours of video playback.

Available in silver, space grey, midnight and starlight.

What are the benefits of Microsoft Power Apps?

By

The Benefits of Microsoft Power Apps: How Power Apps automates and improves business workflow

 

What is Power Apps?

Power Apps is an app development platform enabling users to build mobile/web-based forms and applications with minimal or no coding experience necessary. Applications created in Power Apps can map to data sources and other services both within Microsoft 365 and many other CRM platforms. With Power Apps, users can unify business intelligence, processes, reporting and automation into their app, which can assist businesses in improving workflow and lowering costs.

Read on for more information on how Power Apps can automate workflows, improve business functionality, and expedite daily operations.

 

The benefits of Power Apps

Eliminates vendor or developer costs:

Power Apps enables businesses to build apps without any prior coding knowledge. This means you can build customised applications without the need to pay for a professional app developer. Additionally, you can free yourself from vendor lock-ins or subscriptions by creating apps that replace third-party vendor applications. The appeal of Power Apps is the fact that any staff in your organisation can potentially build apps rapidly, with an increase in ROI.

Improved automation and efficiency:

Microsoft Power Apps and Power Automate are designed to digitise manual or paper-based business processes that cost organisations valuable time. By creating an app that consolidates all data sources and reports into one dashboard, your staff are able to easily locate information and improve their workflow.

Improved business outcomes:

Digital transformation is important for businesses to invest in, and Power Apps makes it possible, faster, and more affordable. Microsoft’s Power Platform enables organisations to streamline and automate business processes to deliver improved outcomes, functionality, and business transformation.

 

Power Apps use cases

Employee onboarding apps

One of the best features of Power Apps is the ability to effortlessly integrate with data in Microsoft 365 applications. Using Power Apps, an onboarding app for new employees can be created to consolidate resources such as policies/procedures, contact details for other staff members, and employment forms onto a single platform so new staff members have immediate access to all the information and resources they need for a hassle-free onboarding experience. By unifying all the necessary forms and policies into one app, HR staff can easily access payment and employee forms for all new staff members.

Mobile apps & tools

Power Apps can connect and integrate with devices to utilise features such as cameras and microphones, or using in-built functions such as device location or acceleration/motion. The capabilities on mobile devices (such as phones and tablets) means businesses can create apps to better solve problems and improve user experience. For instance, real estate agents can take time-stamped and geo-tagged photos at rental inspections that are immediately stored in a connected database. Another example is manufacturing companies can build apps for quality checks, enabling employees to inspect products and capture photos to document issues.

Service request applications

Businesses can use Power Apps to create an interactive Helpdesk tool that allows users to submit service requests. Additionally, you can deploy an app that collects service requests for facility maintenance, purchase orders, human resources and much more.

 

Is Power Apps right for your business?

While the capabilities of the Power Apps are impressive and powerful, there are some instances where using the platform may not be the most viable option for your organisation.

Because Power Apps is a low code platform, if you intend to create elaborate and complex applications then the platform may not an appropriate solution for you. The appeal of Power Apps is that it is simple and relatively easy to create a basic app, but as the complexity of the app increases it can quickly become more difficult to manage.

 

How can a Power Apps consultant help you

When choosing a Power Apps consultant, check if they have any official Microsoft certifications. An experienced Power Apps consultant will be a part of the Microsoft partner program, proving they have undertaken the time to complete necessary Microsoft certificates and training to provide quality Microsoft solutions to their clients and customers.

eStorm Australia is a proud Microsoft Gold partner.

 

 

A quality Power Apps consultant or developer can assist you with the following:

Building apps:

Design and develop apps that are innovative, scalable and cost-effective

Connecting with data sources:

Successfully connect your newly built app to the right data source with proper mapping of fields

Exporting and publishing:

Export the solutions created in your developer environment and publish on Microsoft AppSource so your customers can test drive them

User adoption:

Field questions, perform troubleshooting, and encourage employees to use the app seamlessly

App planning:

Help with initial design and planning stages of your solution

 

View our Microsoft Power Apps Consulting & Development services: https://www.estorm.com.au/power-apps-services/

 

What is APRA CPS 234 and how do you comply?

By

 

Introduction:

As cyber-attacks evolve in sophistication, regulations to secure information assets must also evolve. The financial sector is one of the more prominent targets for cyber-attacks. The key driver for this is due to the increasing usage of technology by the financial sector to improve customer service and operational efficiency. Thus, regulatory bodies must put into place heightened regulations and expectations for the affective safeguarding of information assets.

 

What is APRA?

Established by the Australian Government in 1998 following the recommendations of the Wallis Inquiry into the Australian financial sector and system, the Australian Prudential Regulation Authority (APRA) is an independent statutory authority which supervises institutions across the financial sector (including banking, insurance, and superannuation).

Prudential regulations concern the safety and security of financial institutions in order for the community to maintain confidence that they will meet their financial commitments under reasonable circumstances.

Under APRA’s legislation, the regulatory body is tasked with protecting the interests of depositors, policyholders, and superannuation fund members.

The ultimate purpose of the Australian Prudential Regulation Authority is to ensure the financial interests of Australians are protected and the financial system is stable, competitive and efficient.

APRA’s values:

  • Integrity – we act without bias, are balanced in the use of our powers, and deliver on our commitments
  • Collaboration – we actively seek out and encourage diverse points of view, to produce well-founded decisions
  • Accountability – we are open to challenge and scrutiny, and take responsibility for our actions
  • Respect – we are always respectful of others, and their opinions and ideas
  • Excellence – we maintain high standards of quality and professionalism in all that we do

 

What is CPS 234? Why is it important?

APRA designed the CPS 234 Standard to ensure APRA-regulated entities are protected against cyber-attacks, threats, and risks. As an essential cybersecurity framework for Australian businesses, it also compels APRA-regulated entities to respond in a timely manner (within 72 hours) should notifiable data breaches or other incidents occur.

Financial institutions are disproportionately targeted by adversaries due to the confidential data on their networks, such as personally identifiable information and protected health information that could lead to the possibility of financial rewards. An accelerant to the increase in attacks is the increasing dependability on technology and third-party vendors by superannuation, banking, and insurance institutions.

The aim of CPS 234 is to reduce cyber risk and improve security by requiring APRA-regulated entities to; employ vendor risk management practices to reduce the likelihood and impact of incidents; maintain security capabilities that are commensurate with their information security threats and risks; and notify APRA of cyber security incidents within 72 hours.

Information Security Capability

CPS 234 requires APRA-regulated entities to:

  • Maintain an information security capability commensurate with the size and extent of threats to its information assets, which supports the continued sound operation of the entity
  • Assess the information security capabilities of related or third parties who manage information assets on behalf of the entity, commensurate with the potential consequences of an information security incident that could affect those assets
  • Actively maintain its information security capability with respect to changes in vulnerabilities and threats, including those resulting from changes to information assets or business environment

To comply with this regulation, entities should assess the sufficiency of their information security capability. This includes reviewing; funding and staffing; timely access to required skill sets; and the overall breadth of the control environment (preventative, detective, and responsive).

Due to the current threat landscape, it’s important that regulated entities go beyond general security controls to more aggressive forms of information security capabilities.

These could include:

  • Vulnerability and threat management/mitigation
  • Situational awareness and intelligence
  • Information security operations and administration
  • Secure design, architecture, and consultation
  • Security testing (e.g., penetration testing)
  • Security reporting and analytics
  • Incident detection and response (including recovery, notifications, and communications)
  • Security investigations (including preserving evidence and forensic analyses)
  • Information security assurances

Conclusively, under the CPS 234 standard, regulated entities must keep on top of changes in vulnerabilities/threats. This means adopting a forward-thinking approach in which entities continue to invest in resources, skills, and controls relevant to their institution and information assets and security.

 

What are the key requirements?

  1. Information security capabilityconsider the adequacy and sufficiency of the entity’s information security capabilities in relation to vulnerabilities and threats, ensure adequate investment to support information security capability, and review the progress of the execution of the information security strategy
  2. Policy frameworkinformation security policies should reflect Board expectations
  3. Information assets identification and classification
  4. Implementation of information security controls regularly assess and evaluate reporting of the effectiveness of implemented information security controls and the overall health and security of the entity’s information assets
  5. Incident management
  6. Testing control effectiveness – regularly seek assurance on the sufficiency of testing coverage across security controls and assess the effectiveness of information security controls based on the results of regular testing
  7. Internal audit
  8. APRA notification

 

Who does CPS 234 apply to?

All entities regulated by APRA are required to adhere to and comply with CPS 234 requirements.

APRA-regulated entities include:

  • Banks
  • Credit unions
  • Deposit taking institutions (ADIs)
  • Superannuation funds
  • Life insurance companies
  • Friendly societies
  • General insurers
  • Non-operating holding companies
  • Private health insurers

Foreign Entities

CPS 234 also applies to specific foreign entities, including:

  • Foreign ADIs
  • Foreign general insurers
  • Foreign life insurance companies

Compliance to CPS 234 only applies to the Australian branch of the aforementioned foreign entities, however if the Australian branch’s technology and information assets are handled and supported by the head office of the entity, the head office must provide evidence of compliance.

Third-party

As of July 2020, third parties handling the assets of APRA-regulated entities will also need to comply with the standards outlined in CPS 234 and prove compliance to the security controls when requested.

Who is responsible for compliance?

Ultimately, the Board is responsible for CPS 234 compliance, and must ensure the entity’s information security is maintained and managed based on the size and the threats to information assets.

However, the Board can delegate responsibilities to sub-committees, management committees and other individuals within the institution. The most important thing is to clearly define the information security roles and provide direction on the responsibilities of all parties who have an obligation to maintain information security.

 

What’s the difference between APRA CPS 234 and ISO 27001?

If you’re seeking to meet APRA CPS 234’s key requirements, you might consider achieving ISO 27001 at the same time.

The key difference between ISO 27001 and CPS 234 is the way they are regulated and enforced. ISO 27001 is an official certification that can be renewed every three years, and requires a series of internal and external audits, whereas CPS 234 does not have official certification or accreditation. The Australia Prudential Regulatory Authority has a number of formal and non-formal enforcement tools at their disposal, which includes working in co-operation with APRA-regulated entities to identify and rectify cyber and information security issues.

While APRA CPS 234 provides guidance for safeguarding information assets it does not seek to be all-encompassing. APRA expects that regulated entities will implement appropriate information security controls informed by contemporary sound industry practices, including in areas not explicitly addressed by the standard. Additionally, CPS 234 is not intended to replace or endorse existing industry standards and guidelines. A regulated entity would typically use discretion in adopting industry standards and guidance it considers fit-for-purpose in specific control areas.

ISO 27001 certification can facilitate the implementation of the requirements outlined in APRA CPS 234. Recognised globally, ISO 27001 offers the ultimate security and protection for your information assets. Achieving certification can also set you apart from other regulated entities, as it proves your organisation is dedicated to the development, improvement and protection of your sensitive data and information.

 

How to get started:

eStorm Australia has extensive experience with helping businesses in the financial sector achieve both ISO 27001 certification and compliance to the standards of APRA CPS 234. View our ISO 27001 services for more information: https://www.estorm.com.au/it-support-services/iso-27001-services-consulting/

Or contact at our friendly staff at:
Phone: 07 3120 0640
Email: [email protected]