How to Spot a Dodgy Website

As anyone with a mobile phone in Australia knows, scams are on the rise. Whether it’s “mum” asking you to send through a couple of hundred bucks on loan for groceries, or “Linkt” asking you to top up your toll account, fraudulent and scammy characters can be hard to spot! 

According to Scamwatch Australia, over $53 million has been lost to scams in Australia already this year. Because of this, it’s more critical than ever to know how to trust a website and when a page is insecure or illegitimate.  

But don’t worry – Monocera is here to help you navigate the dodgy websites.  

How can I tell if a website is secure?

The quickest check is the address itself. A legitimate site should start with https://. If the s is missing, the page does not use TLS (still commonly called SSL) to encrypt traffic between you and the site, so anything you type can be read or altered on the way. Keep in mind that https only tells you the connection is encrypted and that the site holds a certificate for that name; it says nothing about who runs the site.

Some browsers, such as Google Chrome, show quick indicators next to the address. Chrome displays a lock symbol, an information symbol, or a warning symbol depending on the connection’s status: 

Icons representing SSL status of secure, not secure and potentially dangerous websites

Unfortunately, according to the Anti-Phishing Working Group’s report in 2022, up to 84% of phishing sites now use https with a valid certificate, so the padlock on its own tells you very little about whether a site is a scam.  

How can I tell if a website is fake? 

There are multiple ways you can assess whether a website may be fraudulent or fake.  

Firstly, and we know this may seem obvious, you can google the page’s URL or name and review the results. Warning signs that the website might be fake? Bad reviews, lots of other people asking if the website is a scam, or lots of copycat websites with different URLs.  

You should also look out for bad grammar, spelling, or phrasing within the web page’s copy. These are common signs of a dodgy website – if not a fake or fraudulent one, then at least one that shouldn’t be trusted to give reputable information.  

Most legitimate websites will have a contact page and information on how to get in touch if you have any questions. An easy way to assess whether a website is likely legitimate is to look for this page and call the number or email the contact. Bear in mind that a scam site can answer its own phone number, so cross-check the details against a source the site doesn’t control, such as the number printed on a bill or card you already have, or an independent directory listing. If all seems above board, this is a good sign that the business is legitimate.  

Finally, looking out for weird or invasive adverts on the web page may help you determine whether a website is trustworthy. If the site has lots of pop-up ads, invasive ads that cover part or most of the screen, or just a large quantity of ads, these are red flags.  

What do I do if I suspect a website is fake or fraudulent?

If you come across a website that you believe is masquerading as another entity, go to the real organisation’s site by typing the address you already know or using a saved bookmark (never via a link in the message), log in to your account there, or call the number printed on your card or bill. This way, you can verify that the alternate website is a fake.  

If you suspect a website is fake, a scam, or fraudulent, you can report it to the Australian Cyber Security Centre (ACSC) and the Centre will look into it and take action. You can also report suspected or verified scams to Scamwatch. 

Finally, if you believe a website to be dodgy, never enter any of your personal details, download any files, click on any links or attachments, or reply to requests. Exit the page immediately and contact the relevant authorities if required. 

If you entered your details before recognising the website as dodgy, contact your bank immediately, change the password on any other account that used the same credentials, and ask the issuing agency to replace any identity document (such as a driver licence) whose details were exposed.  

Monocera is here to help!

If you are unsure or want further information on potentially harmful, insecure, or fraudulent websites, talk to our team. Monocera can support you in preventing scams or malware attacks via dodgy websites.  

Contact us today to find out more about how we can help you navigate dodgy websites.  


Chrome Coming to End of Life for Windows 7 & 8

Late last year, Google announced that Chrome will no longer be supported on Windows 7 or Windows 8/8.1.  

Their newest version of Chrome (Chrome 110) is set to be released on February 7th. It will be the first version to require Windows 10 or later; on anything older, you will stop receiving Chrome updates. 

This is big news, with Chrome being the leading internet browser in the world – holding a global market share of nearly 66%. 

What does this mean for me? 

If you run these older versions of Windows, you will still be able to use Chrome. However, you will no longer receive security or feature updates, and you won’t be able to install newer versions of Chrome.  

This is important, and we’ll explain why.  

Why you should update your operating system

With updates come improvements in security and other Chrome features. The security of your browser and by extension, your device, should not be taken lightly. 

As we’ve discussed in previous articles, cyberattacks are on the rise in Australia and don’t look to be slowing down any time soon.  

For example, a release from the Australian Parliament disclosed a report that estimated an 82% increase in ransomware-related data leaks from 2020 to 2021. Moreover, according to the Australian Cyber Security Centre, there was a cybercrime report every 7 minutes in Australia between July 2021 and July 2022.  

The same report offers a list of recommendations, of which the first is to “update your devices and replace old devices that do not receive updates.” 

What should I do?

The answer is quite simple – update your device to a newer version of Windows.  

While you may be able to use a different browser for a while, our recommendation is to upgrade your operating system. Windows 7 and Windows 8.1 are themselves out of support from Microsoft, so the operating system underneath the browser is no longer receiving security patches either.  

If you use an older device that you are concerned will not be able to handle a newer version of Windows – the truth is, it’s probably time to upgrade.  

But – upgrading doesn’t need to be an expensive ordeal. In today’s market, there are countless very affordable devices that can support the latest versions of Windows.  

And believe us – the cost of a new device is far cheaper than dealing with the cost of a ransomware attack or similar security breach.  


Why You Should Keep Outlook’s New External Email Warning Tag

We’ve recently had several clients come to us asking to remove the external email warning tag on their business’ Microsoft Outlook.  

Our guidance, however, is that the tag should be kept, as its benefits far outweigh the cons. Let’s run through why.

What is the external email warning tag?

Put simply, the external email warning tag marks messages that arrived from outside your organisation. It doesn’t detect malicious links itself; it tells the reader that the sender is not a colleague, which is exactly the prompt they need to look at links, attachments and requests more carefully.  

The native tag is a setting applied to your whole Microsoft 365 tenant by Exchange Online; whether you see it depends on your Outlook client and version, as only current Outlook builds render it. Older clients can be covered with a mail flow rule that stamps the subject line instead.  

These tags appear as a small ‘[External]’ message in the email subject line, or as a pop-up message before you can see the email body.  

Many of our clients find these warnings ugly or intrusive, yet their purpose is to make you pay extra attention to emails from outside your organisation and to be more aware of any potential malicious content.  
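As an added example (not code from the original article), here is how the tenant-wide setting is managed from Exchange Online PowerShell, including the allow-list that lets you exempt verified partner domains rather than switching the tag off. It assumes the ExchangeOnlineManagement module, an Exchange administrator account, and two placeholder partner domains, partner.example and supplier.example.

```powershell
# Added example: manage Outlook's native external-sender tag from Exchange Online PowerShell.
# Assumes the ExchangeOnlineManagement module and an Exchange administrator account.
# partner.example and supplier.example are placeholder domains, not real partners.
Connect-ExchangeOnline

# Show the current tenant-wide state of the tag and any allow-listed senders
Get-ExternalInOutlook

# Turn the tag on for the whole tenant. Instead of switching it off because it is "ugly",
# exempt verified partner domains: mail from these senders is NOT tagged, so keep the list
# short and only add partners you have confirmed out of band.
Set-ExternalInOutlook -Enabled $true -AllowList @('partner.example', 'supplier.example')

# Fallback for older Outlook builds that do not render the native tag: a mail flow rule
# that prepends "[External] " to the subject of any message arriving from outside the organisation.
New-TransportRule -Name 'Tag external mail' `
    -FromScope NotInOrganization `
    -SentToScope InOrganization `
    -PrependSubject '[External] '

Disconnect-ExchangeOnline -Confirm:$false
```

Whichever form you use, remember what the tag does not do: a message sent from a compromised internal mailbox, or from an allow-listed partner, carries no tag at all. That is why it is a cue for staff rather than a filter, and why it belongs alongside multi-factor authentication rather than instead of it.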

Screenshot of examples of Office external warning tag

Why is the external email warning tag important?

Despite clients being concerned about how their Outlook looks, or getting frustrated by the extra pop ups that appear, the benefits of these tags far outweigh the cons.  

Namely, the majority of email scams begin with messages from outside of your organisation. At an enterprise level, having a clear and prominent cue will help reduce successful phishing attempts, as staff know from the outset that the message and any links in it come from outside.  

Moreover, external tagging helps prevent individuals and companies from falling into the trap of business email compromise (BEC).  

BEC scams are sophisticated attacks on both businesses and individuals – usually with the intent of conducting unauthorised transfers of funds.  

The majority of BEC attacks come through compromised user accounts, typically after a successful phishing email or a password spray against an account without MFA. External tagging helps with the phishing step: it makes it harder for an outsider to pass as a colleague. It does nothing against password sprays, and nothing once an attacker is sending from a genuine internal mailbox, so pair it with multi-factor authentication.  

To put it simply, this external tagging helps protect your organisation. 

The cost of business email compromise

In the first half of 2022, the Australian Competition and Consumer Commission (ACCC) received over 11,000 reports of business email compromise, costing a total of $12.3 million. 

Furthermore, in 2021, the ACCC reported an 84% increase in cyber-attacks compared to the previous year.  

Every year, cyber criminals become more sophisticated, and cyber-attacks are here to stay. Fortunately, prevention methods are also becoming more sophisticated and general awareness of these attacks is increasing as well.  

If you have any questions about external email tags, or how to better protect your business against cyber-attacks, get in contact with Monocera. 


Configure MFA for m365

If you need help setting up multifactor authentication (MFA) for your Office 365 account, this guide will walk you through the process.

Please note: Multifactor will need to be enabled on your account before proceeding. Let us know before continuing so we can set this up ahead of time.

Before you begin, you will need to download the Microsoft Authenticator App to your mobile phone. Go to the App Store (iPhone) or Google Play Store (Android) and download it.

Just get it downloading for now and we will come back to it.

On your computer, go to the Microsoft 365 Portal.

You will now be prompted to sign in, enter your email address and click “Next”.

Enter your password and click “Sign in”.

Click “Next”

Click “Next”

Click “Next”

Open the Microsoft Authenticator app on your phone that you downloaded earlier.

If prompted in this step, allow notifications and use of camera so you can scan the QR code in the next step. Then add an account, and select ‘Work or School’.

Note: Depending on your phone and app version, this process is slightly different but you should find the option to add an account pretty easily.

Once scanned, click “Next”

Approve the notification that was pushed to your mobile phone and Click “Next”

Once you’ve approved the sign in, click “Next”

Click “Done”

You have finished setting up MFA on your account.
If you are using the Outlook app on your computer or mobile phone, you should close and reopen it. If you get prompted to sign in again, enter the password and then approve sign-in from the push notification that will be sent to your phone. This can take a little while before you get prompted so keep an eye on this for the next 24 hours or so.
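Once users have worked through the steps above, an administrator will want to confirm who actually finished registering. As an added example (not part of the original guide), this uses the Microsoft Graph PowerShell SDK to list users with no MFA method and users who registered something other than the Authenticator app. It assumes the Microsoft.Graph.Reports module and an account permitted to read authentication-method reports (the AuditLog.Read.All and UserAuthenticationMethod.Read.All scopes).

```powershell
# Added example: verify MFA registration across the tenant after the user walkthrough.
# Assumes the Microsoft.Graph PowerShell SDK (Microsoft.Graph.Reports module) and an account
# that can read authentication-method reports.
Connect-MgGraph -Scopes 'AuditLog.Read.All', 'UserAuthenticationMethod.Read.All'

$registrations = Get-MgReportAuthenticationMethodUserRegistrationDetail -All

# Users with no MFA method registered at all. Nobody should be left here once the rollout is done.
$registrations | Where-Object { -not $_.IsMfaRegistered } |
    Select-Object UserPrincipalName, IsMfaCapable |
    Sort-Object UserPrincipalName

# Users who registered, but without Microsoft Authenticator (e.g. SMS or voice only),
# which are weaker than the app and worth following up.
$registrations | Where-Object {
    $_.IsMfaRegistered -and -not ($_.MethodsRegistered -like 'microsoftAuthenticator*')
} | Select-Object UserPrincipalName, @{ n = 'Methods'; e = { $_.MethodsRegistered -join ', ' } }

Disconnect-MgGraph
```

The first list is the one to chase: a user whose MFA is "enabled" but who never completed the app setup is still protected by nothing more than their password.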


Password Management 101

Whether we like it or not, passwords are the key to almost everything we do online – from dating apps and your bank to your M365 account. These days, with an account and sign-in required for almost everything, strong password management is essential to keeping your data and personal information safe. 

In fact, new research from NordPass reveals that the average person has around 100 passwords to remember. If you’re anything like us, you’re flat-out remembering your neighbour’s name, let alone the password to an account you created two years ago! 

Thankfully, password management doesn’t need to be difficult. We‘ll take you through some simple dos and don’ts of password management, and how you can make sure you stay safe online.  

What makes a good password?

When it comes down to it, a good password should be two things: 

  • hard to guess; but 
  • easy to remember.  

In other words, your password should be strong enough to deter attackers, but memorable enough that you can avoid spending hours racking your brain for it.  

Consider the following: 

  • Use a sentence or a phrase, like “unicornsliveinbrisbane”. 
  • Make it as complex as possible by including both uppercase and lowercase, and replacing letters with numbers or symbols, like “Un1c0rnsliveinbRi5bAN3”. 
  • While complexity helps, length matters at least as much, and cracking tools undo the common letter-for-number swaps automatically; aim to use at least 16 characters where possible. 
  • Set up multi-factor authentication on your account – this is generally through a mobile phone app or token. Setting up MFA adds another level of protection – but we’ll touch on this later. 
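To show why the length and "basic word plus a number" advice matters, here is an added example (not from the original article) that scores a password the way a cracking tool would look at it: as dictionary words plus cheap variations, rather than by character count alone. The tiny word list and the 17-bit dictionary size are constructed assumptions standing in for a real cracking wordlist, and the sample passwords are the article’s own plus one random string of the kind a password manager generates.

```powershell
# Added example: a rough estimate of the guessing work behind a password, judged the way a
# cracking tool would (dictionary words plus cheap variations), not by character count alone.
# The word list and the 17-bit dictionary size are constructed assumptions, not measurements.

function ConvertFrom-Leet {
    # Undo the usual letter-for-symbol swaps; cracking tools apply these rules automatically.
    param([string]$Text)
    $Text -replace '[1!|]', 'i' -replace '0', 'o' -replace '[5$]', 's' -replace '3', 'e' -replace '[4@]', 'a' -replace '7', 't'
}

function Split-IntoWords {
    # Greedy longest-match split of $Text into words from $Sorted (sorted longest first).
    # Returns the number of words, or -1 if some part of the text is not a dictionary word.
    param([string]$Text, [string[]]$Sorted)
    $pos = 0; $count = 0
    while ($pos -lt $Text.Length) {
        $rest = $Text.Substring($pos)
        $hit = $Sorted | Where-Object { $rest.StartsWith($_) } | Select-Object -First 1
        if (-not $hit) { return -1 }
        $pos += $hit.Length; $count++
    }
    return $count
}

function Get-PasswordEstimate {
    param(
        [Parameter(Mandatory)][string]$Password,
        # Constructed mini dictionary standing in for an attacker's word list
        [string[]]$Words = @('password', 'unicorn', 'unicorns', 'live', 'in', 'brisbane', 'cricket', 'lover', 'welcome', 'summer'),
        [double]$DictionaryBits = 17   # log2 of a ~130,000-word cracking dictionary (assumed size)
    )
    $sorted = $Words | Sort-Object Length -Descending
    $lower = $Password.ToLowerInvariant()

    # Try the whole password as dictionary words first, then with a trailing number removed ("Password1")
    $digits = ''
    $words = Split-IntoWords (ConvertFrom-Leet $lower) $sorted
    if ($words -lt 0) {
        $digits = [regex]::Match($lower, '\d+$').Value
        $words = Split-IntoWords (ConvertFrom-Leet $lower.Substring(0, $lower.Length - $digits.Length)) $sorted
    }

    if ($words -ge 0) {
        # Dictionary structure found: count words, plus about 1 bit for each capital or symbol swap
        # the attacker must also try, plus the digits on the end.
        $core  = $lower.Substring(0, $lower.Length - $digits.Length)
        $plain = ConvertFrom-Leet $core
        $swaps = 0
        for ($i = 0; $i -lt $core.Length; $i++) { if ($core[$i] -cne $plain[$i]) { $swaps++ } }
        $uppers = @($Password.ToCharArray() | Where-Object { [char]::IsUpper($_) }).Count
        $bits  = $words * $DictionaryBits + $swaps + $uppers + $digits.Length * [math]::Log(10, 2)
        $basis = "$words word(s), $swaps swap(s), $uppers capital(s), $($digits.Length) trailing digit(s)"
    } else {
        # No dictionary structure: fall back to brute force over the character classes actually used
        $pool = 0
        if ($Password -cmatch '[a-z]')        { $pool += 26 }
        if ($Password -cmatch '[A-Z]')        { $pool += 26 }
        if ($Password -match '\d')            { $pool += 10 }
        if ($Password -match '[^A-Za-z0-9]')  { $pool += 33 }
        $bits  = $Password.Length * [math]::Log($pool, 2)
        $basis = "$($Password.Length) characters from a $pool-symbol alphabet"
    }
    [pscustomobject]@{ Password = $Password; Bits = [math]::Round($bits, 1); Basis = $basis }
}

# The article's own examples next to a manager-generated random password (constructed sample)
'Password1', 'cricketlover95', 'unicornsliveinbrisbane', 'Un1c0rnsliveinbRi5bAN3', 'Xq7!vR2$mK9@pL4&' |
    ForEach-Object { Get-PasswordEstimate -Password $_ } | Format-Table -AutoSize
```

Run as written, "Password1" lands near 21 bits, the substituted "Un1c0rnsliveinbRi5bAN3" scores only about 8 bits above the plain "unicornsliveinbrisbane" (each capital or swap doubles the attacker’s work at most once), and the 16-character random string from a password manager scores far above all of them. The numbers are illustrative; the ranking is the point.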

Common password mistakes

Let’s also look at some things you should always try to avoid when creating passwords.  

  • Revealing your password to others. While this may seem painfully obvious, never reveal your password to anyone else. Your password is as valuable as the PIN on your bank card – so keep it to yourself. Any email, call or message asking you for your password should be treated as a scam immediately; legitimate organisations never ask for it.  
  • Using the same password for everything. We’re all guilty of this to a degree, but avoid using the same or similar password for all your accounts. Understandably, you’re required to make passwords for almost everything these days, but ensure you keep them as unique as possible – especially the important ones! 
  • Using basic words followed by a number. Scammers are clever these days and have plenty of ways to access your account. Often, they will use dictionaries of words and commonly used passwords to try and infiltrate your account. The days of “Password1” are well and truly behind us. 
  • Basing your password on public information. By this, we mean avoid using a password that is inspired by something people can find out about you on social media. For example, using your children’s name or birthday, or having “cricketlover95” if your Facebook profile is plastered with cricket content, are probably not the most discreet choices. 
  • Saving your passwords in a “secured with a password” Word or Excel document. This is an extremely common practice which is frighteningly simple to crack – as we demonstrated recently with a client who’d lost access to this type of document. How long it takes depends on the password chosen, but in our testing a modern PC with the right tools could crack a typical password in around 4 days; with a modern, high-end GPU, it could be cracked within the hour.  

Ultimately, if someone can guess/has access to your passwords, it’s a bad password.  

Need some examples of what not to do? Here are the top 200 most used passwords from 2020 

The solution – password managers & multi-factor authentication

Understandably, most people cannot keep tabs on all the different passwords they have for various accounts. Unless you’re using the same or similar password for everything (not a good idea), it may feel like a nightmare trying to manage your plethora of login details. 

While there are traditional password management methods (again, we’ll touch on these later), today, we have software that can do it for you.  

So, for both individuals and businesses, we always recommend employing the use of a password manager, in conjunction with multi-factor authentication (MFA).  

Password manager software

So – how on earth are you meant to remember tens (potentially hundreds) of different passwords you have scattered across the internet? 

The answer is you don’t! A password manager keeps all your passwords in one encrypted vault and can generate long, random passwords for new accounts. All you need to remember is the one master password that unlocks the vault – so make that one a long passphrase and protect the vault with MFA, because it now guards everything else.  

One password’s easier to remember than 100 – right? 

Our recommendation? LastPass is the password manager we recommend to our clients because it offers: 

  • Support for most browsers and platforms 
  • A password strength report 
  • Dark web monitoring tools 
  • Secure sharing 
  • Password inheritance 
  • Two-factor authentication 
  • Free and premium versions. 

Multi-factor authentication

Multi-factor authentication (MFA) adds an extra level of protection to the sign-in process. Generally, MFA is done through a phone application.  

When you go to log in, you will also need to approve the sign-in in your MFA application, either by responding to a push notification or by entering the time-based, single-use code it generates.  

MFA is a great way to boost security on all your important logins. Moreover, if you are thinking of using a password manager to store all your login details, we strongly recommend adding MFA protection.  

What do we recommend? For us, we can’t go past the Microsoft Authenticator.  

Microsoft Authenticator is a widely used MFA app that supports push approvals and time-based codes. Moreover, it is free and easy to download and use – meaning you can get started with it today! 

There are, however, plenty of alternatives out there. Spend some time doing your own research to find the best MFA solution for you/your organisation. 

Traditional password management methods

Traditional methods of password management are the more analogue techniques that you may or may not still use.  

These methods include things like:  

  • Writing passwords down on sticky notes, post-its, etc.  
  • Keeping a master spreadsheet of all passwords.  
  • Sharing them to your colleagues/family/friends over email or text.  
  • Repeatedly using the ‘forgot password’ option.  

These techniques are surprisingly still common amongst businesses and individuals. Traditional techniques are, in general, far less secure than more modern, digital methods. 

Pros and cons of traditional password management techniques

Let’s be real – the cons of traditional methods far outweigh the pros. Especially with things like sending passwords over the email or having a spreadsheet saved locally, it is far better to keep your passwords stored safely in a digital vault.  

In saying this, the one upside of keeping your passwords written down is that they can’t be stolen over the internet. They can still be read by anyone who gets into the room, or lost, so it’s no solution for a shared office. 

Ultimately, we strongly recommend that any individual or business consider securing their passwords through digital password manager software. 

More questions?

Do you have any more questions on password management, or online security in general? Don’t hesitate to reach out to Monocera at [email protected] or by calling 07 3369 1415.  

If you’re looking for more online safety tips, why not check out our article on the Essential Eight baseline mitigation strategies, as recommended by the Government.  


Microsoft Teams: More Than Chat

The outbreak of COVID-19 may have shifted the way we work forever. Or, at the very least, it sped-up existing trends. Businesses have had to adapt to support their employees working remotely. As a result, team chat applications are, in many ways, becoming the modern office. 

Understandably, social distancing and self-isolation laws were a boon for communication and collaboration software. Zoom, one of the early players in the uptake, saw itself become the fifth-most downloaded app worldwide in 2020.  

Since then, Zoom has been rivalled by Microsoft Teams and Slack as some of the most popular chat technologies for businesses. But, for business managers looking to invest in collaboration software, they may be wondering which is their best option. 

On the surface, these applications may seem very similar; they all offer a chat function, as well as video and audio calls. But… scratch a little deeper and you’ll find some notable differences! 

Microsoft Teams is our service of choice for several reasons. It offers so much more to your business than simple collaborative chat and can truly enhance and simplify the way you work in a rapidly changing landscape.  

But don’t just take our word for it; let’s get into five of our favourite things about Teams.  

Internal and external collaboration 

Microsoft Teams makes collaborating with your employees and colleagues simple through slick chat, video and call. However, one of the niftiest features is how easy it is to collaborate with those people outside of your business or organisation. 

If you need to collaborate with your clients, contractors or partners, you can generate guest accounts for Teams. Your external stakeholders are then able to interact and collaborate with your team live and in real time.  

Alternatively, you can find, call, chat and set up meetings with external stakeholders who also use Teams through external access. With more and more businesses making Teams their platform of choice, this makes collaborating externally easy.  

Essentially, Teams can help put an end to email ping-pong and having to scroll through never-ending email threads.  

Office 365 integration 

It should come as no surprise that Teams integrates seamlessly with Microsoft Office 365. Outside of the ubiquitous 365 applications like Word, Excel and PowerPoint, Teams also integrates fully with OneNote, SharePoint and Outlook.  

Integration as a buzzword is all the rage these days. But what does it actually mean?  

For example, you can share an Excel spreadsheet within Teams that you’ve been working on and have your colleagues edit it together, live and in real time. All your edits will be automatically saved to SharePoint — so they’re available at any time, from anywhere.  

Another real-world example: through Teams’ seamless integration with Outlook, you can send and join Teams meetings directly through the email platform. Your calendar is then automatically updated in both Teams and Outlook, meaning you’ll never miss an important meeting again — well, in theory at least.  

Essentially, Teams and Office 365 talk to each other in a way so that you can switch between different applications seamlessly and your work is kept up to date across all platforms. Plus, with the Teams mobile app, you can collaborate on the go!  


Security 

Central to keeping your business happy and productive is knowing all your hard work and information are kept safe and secure. Teams has got you covered.  

We know not everyone gets as excited by phrases like ‘two-factor authentication’ and ‘data encryption’ as we do, but it’s important!  

All your files stored in SharePoint are encrypted at rest. The same goes for OneNote — your notebooks live in SharePoint or OneDrive and are encrypted there too.  

Teams’ authentication process is secure without being tedious. Because Teams uses modern authentication (single sign-on through Azure AD), it picks up the credentials you have already entered for another Microsoft 365 app, and you won’t need to re-enter them to start the app. 

In addition, network communications in Teams are encrypted by default: every service must use certificates, sign-in uses OAuth, signalling and data use TLS, and voice and video use Secure Real-Time Transport Protocol (SRTP).   

What does this all mean in English? Teams keeps your stuff safe!  

Industry-specific services 

Teams also offers team templates tailor-made for specific industries. If your business operates within one of these industries, Teams may be able to streamline and simplify how you work.  

While every business is unique, there are several templates specifically designed to suit your industry. There are templates for: 

  • Government departments and agencies 
  • Retail companies 
  • Teachers and other education professionals 
  • Healthcare workers
  • Frontline shift workers 

Work in retail? You can download a retail template that allows your staff to leave shift handover notes. If you’re an education professional, you’re able to download a template which automatically sets up a OneNote Class Notebook and the Assignments app.  

Teams bots 

Teams users can enhance their experience by easily downloading and installing bots. These simple bots can help you complete small tasks as well as maintain employee engagement.  

A few of our favourite bots:  

  • Polly helps to poll your team members and keep track of employee engagement. Not sure what to do for team lunch? Let Polly take care of it for you and pitch some ideas to your colleagues.  
  • Stats bot is a simple analytics bot that you can schedule to deliver reports directly to you via sources like Google analytics. Stats bot can often be a great addition to anyone working in digital marketing or SEO.  
  • Who bot lets you keep track of everyone in your organisation by collecting their data across the Office suite. For example, if you want to find out who knows about next month’s KPIs, you can literally search “who knows about next month’s KPIs” and Who bot will do the rest.  
  • Growbot helps generate that warm-fuzzy feeling amongst your co-workers by encouraging team members to let each other know they’re appreciated. Growbot also stores data so you can keep track of the positive feedback for each team member.  

Our recommendation 

While we are clearly big Teams fans, we understand that every business has unique needs. We get that at the core of every organisation is its people, and people are inherently — well, unique! 

If you ever want to explore options best suited to augment your business, reach out to us. We’re always happy to listen to your situation and walk you through your options.  


Email Phishing Scams: Protecting Yourself Online

Have you ever found an email that claimed to be from your bank or telco but seemed a bit off? Ever received a phone call, apparently from the ATO, that was a weird, pre-recorded voice telling you that your tax file number is suspended? Our money’s on, yes. 

Hopefully, you recognised these communications for what they are — scams, in particular, phishing scams.  

Unfortunately, however, Australians fall prey to phishing scammers every day, and cases are growing. In 2020 alone, Australians lost a record amount of over $851 million to scammers.  

To help better protect you from online scammers, we’ll go through some traits that phishing scams have in common, so you know which warning signs to look out for.  

What are phishing scams? 

Phishing scams are a popular way for scammers to try to gain access to your financial and personal details. Specifically, scammers will try to gain access to things like bank account numbers, passwords and credit card numbers.  

Scammers will typically pretend to be from a legitimate business or organisation like a bank or the ATO. You may be contacted via email, phone call or text message or even over social media.  

While phishing scams are varied, they all share common elements. By understanding what these elements are, and knowing what to look out for, you can better protect yourself online.  

Phishing scams: things to look out for 

1 – The message is sent from a public email domain 

Always check the actual sender address, not just the display name, which can be set to anything. If you get contacted by someone claiming to be your bank, but their email address ends with something like ‘@gmail.com’ or ‘@live.com’, it is a major red flag. The reverse isn’t a guarantee: a sender address on the right domain can still be forged, so treat it as one clue among several.  

Only very small private businesses would ever use a public email domain. Unless the email address finishes with a nice and clean ‘@legitbank.com.au’ or something similar, don’t trust it. 

2 – The message contains typos 

Poor spelling and grammar are another major warning sign. 

If a scammer texts or emails you pretending to be a trusted organisation, pay attention to any typos or grammatical errors. Also, check that you are addressed by your proper name, in the same style that the legitimate institution usually uses when corresponding with you.  

Pay attention to words that seem slightly out of context but still make sense. Major institutions pay big money to ensure their communications are correct and professional. So, if you read an email that reads like it’s been dragged through Google Translate backwards, be very wary.  

3 – You’re asked to update or confirm details 

A key element at the centre of phishing scams is the scammer trying to access your details. They may disguise this as asking you to ‘update’ or ‘confirm’ your login details.  

Common examples of this include the scammer claiming that their organisation is verifying all customer information, due to a technical glitch. Alternatively, the scammer may claim that there has been ‘suspicious activity on your account’ and the bank needs to investigate.  

Finally, be cautious of any site that asks you to provide details you don’t normally give. 

4 – Website address looks slightly different 

Phishing scams are intended to look legitimate. Scammers may set up a fake website that looks almost identical to its counterpart; however, the address will be slightly different. 

Pay attention to multiple letters in the address or slightly different spelling.  For example, ‘legitbank.com.au’ may be spelled ‘legittbank.com.au’ in a scam.  

Check whether the website is secure. Secure sites use ‘https://’ rather than ‘http://’, and the browser shows a closed padlock icon next to the address.  

Any legitimate business that handles confidential information will use https so your details are encrypted in transit. The reverse doesn’t hold: most phishing sites use https too, so a padlock confirms only that the connection is encrypted, not that the site is genuine. 
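The address checks from this section and from the “How can I tell if a website is fake?” section earlier on this page can be turned into a repeatable test. The following is an added example in PowerShell (not code from the original articles). It is not a reputation lookup; it only spots the address tricks described above. The KnownGood list is an assumption (put the real domains you deal with there), legitbank.com.au is the placeholder name the article uses, and every sample link is constructed.

```powershell
# Added example: heuristic checks on a link before you trust it. This is not a reputation
# lookup; it only spots the address tricks described in the article. The KnownGood list is an
# assumption: put the real domains you deal with there. Sample URLs below are constructed.

function Get-EditDistance {
    # Levenshtein distance, used to catch one- or two-character lookalikes
    param([string]$A, [string]$B)
    $prev = @(0..$B.Length)
    for ($i = 1; $i -le $A.Length; $i++) {
        $cur = New-Object int[] ($B.Length + 1)
        $cur[0] = $i
        for ($j = 1; $j -le $B.Length; $j++) {
            $cost = if ($A[$i - 1] -eq $B[$j - 1]) { 0 } else { 1 }
            $cur[$j] = [Math]::Min([Math]::Min($prev[$j] + 1, $cur[$j - 1] + 1), $prev[$j - 1] + $cost)
        }
        $prev = $cur
    }
    return $prev[$B.Length]
}

function Test-SuspiciousUrl {
    param(
        [Parameter(Mandatory)][string]$Url,
        [string[]]$KnownGood = @('legitbank.com.au')   # assumption: the sites you actually use
    )
    $findings = @()
    $uri = $null
    if (-not [System.Uri]::TryCreate($Url, [System.UriKind]::Absolute, [ref]$uri)) {
        return ,@('Not a valid absolute URL')
    }
    # $host is a reserved automatic variable in PowerShell, hence $hostName.
    # IdnHost gives the ASCII (Punycode) form the browser actually connects to.
    $hostName = $uri.IdnHost.ToLowerInvariant()

    if ($uri.Scheme -ne 'https') {
        $findings += "No HTTPS (scheme is '$($uri.Scheme)')"
    }
    if ($uri.UserInfo) {
        # https://legitbank.com.au@evil.example/ : the part before '@' is a username, not the site
        $findings += "Text before '@' ('$($uri.UserInfo)') is a username; the real host is '$hostName'"
    }
    if ($uri.HostNameType -eq 'IPv4' -or $uri.HostNameType -eq 'IPv6') {
        $findings += "Host is a bare IP address ($hostName)"
    }
    if ($hostName -match '(^|\.)xn--') {
        # International characters: a Cyrillic 'а' renders like a Latin 'a' but is a different site
        $findings += "Host uses international characters ('$($uri.Host)' is really '$hostName')"
    }
    foreach ($good in $KnownGood) {
        if ($hostName -eq $good -or $hostName.EndsWith(".$good")) { continue }   # the real site or its subdomain
        if ($hostName -like "*$good*") {
            # legitbank.com.au.secure-verify.example : the known name is just a label inside another domain
            $findings += "Contains '$good' but the registered domain is different"
        }
        $distance = Get-EditDistance $hostName $good
        if ($distance -ge 1 -and $distance -le 2) {
            $findings += "Looks like '$good' but differs by $distance character(s)"
        }
    }
    return ,$findings
}

# Constructed sample links (none of these are real sites)
$samples = @(
    'https://www.legitbank.com.au/login',
    'http://legittbank.com.au/login',
    'https://legitbank.com.au.secure-verify.example/',
    'https://legitbank.com.au@203.0.113.5/',
    "https://legitb$([char]0x0430)nk.com.au/"      # Cyrillic 'а' in place of the Latin 'a'
)
foreach ($sample in $samples) {
    $findings = Test-SuspiciousUrl -Url $sample
    if ($findings.Count -eq 0) { "OK       $sample" }
    else {
        "SUSPECT  $sample"
        $findings | ForEach-Object { "         - $_" }
    }
}
```

Only the first sample comes back clean: it is the known domain (or a genuine subdomain of it) over https. The others trip the http check, the one-letter lookalike, the known name buried inside a different registered domain, the username-before-@ trick with a bare IP address behind it, and the Cyrillic lookalike that only shows as Punycode once you look at the host the browser will really connect to.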

5 – Suspicious links or attachments 

Phishing scams can be done over email, phone or social media. Regardless of their delivery method, they all aim to gain access to your personal information.  

One common method is tricking people into downloading attachments that contain malware or clicking on dodgy links that lead to it. Unfortunately, some people may not realise the attachment contained malware until it’s far too late.  

Therefore, never open any attachment or click on any link unless you are convinced that it comes from a legitimate source. In general, if it smells a bit off, it usually is — especially on the internet.  

6 – You’re asked to respond quickly 

The final thing to look out for is the scammer asking for an immediate payment or response.  

If you receive a suspicious call from someone claiming to be from your bank, ask for their name and number and confirm with the bank yourself. If they claim there is no time and you must pay immediately, you are almost certainly dealing with a scammer.  

Banks are committed to your information being secure and will never object to you hanging up and calling back on the number printed on your card or on their official website. 


What do I do if I receive a phishing email? 

If you suspect you have received a phishing email, text or social media message, do not click on any links or open any attachments. Report it (see below; at work, forward it to your IT team first), then delete the correspondence and block the contact.  

It may also be worth getting in contact with your bank to confirm no suspicious activity has been recorded on your account.  

Reporting a phishing scam 

The best way Australians can help fight back against scammers is to report any scams they come across. There are several places to report incidents of phishing, and you may want to report it to more than one, depending on your situation.  

Banking and credit card scams: your bank or financial institution 
Fraud and theft: your local police service – call 131 444 to make a non-urgent report 
Tax-related scams: the Australian Taxation Office 
All scams: Scamwatch 

 

When reporting scams, it is best to act as swiftly as possible. If a scammer gains access to your credit card or bank account information, call your bank as soon as you can to have your account frozen. Depending on your bank and how quickly you report the crime, you may be able to have the unauthorised transactions reversed.  

How can I protect myself against phishing scams? 

The best way to prevent yourself from becoming a victim of a phishing scam is to protect your personally identifiable information. Your personally identifiable information includes things like your email address, phone number and postal address.  

Here are a few simple things you can do:  

  • Use strong passwords and don’t use the same one for all your accounts. 
  • Make sure your computer and mobile devices have the latest updates. 
  • Only shop on websites you reached by typing the address or via a bookmark, and that use ‘https://’. 
  • Avoid using public Wi-Fi. 
  • Avoid turning on your mobile’s hotspot in public. 
  • Shred letters from your bank or employer that contain personal information. 

For a more detailed description on protecting yourself and your organisation from scammers, check out our article on the Essential Eight. 

Where can I find more information? 

For up-to-date information on scams in Australia, head to scamwatch.gov.au or subscribe to their scam alert emails.   

For more general information on scammers, download the Australian Competition & Consumer Commission’s (ACCC) ‘The Little Black Book of Scams’.  

The Little Black Book of Scams is available in several different languages and is internationally recognised as a helpful tool for individuals and small businesses to protect themselves against online scams.   

Can Monocera help protect me? 

Of course!  

While we’re not bodyguards or private detectives, we do know a thing or two about protecting your information online. So, if you have any further questions on email phishing scams, or phishing scams in general, reach out by calling us on 07 3369 1415 or by emailing [email protected] 


Essential Eight: How to Stay Safe Online

As our society becomes increasingly dependent on information and communications technology (ICT), the potential threat to our cyber security only increases. Whether it be email scams, identity theft or data breaches, the importance of your organisation protecting itself online has never been higher.  

To help combat this, the Australian Cyber Security Centre (ACSC) has published ‘the Essential Eight’: eight baseline mitigation strategies that help organisations prevent, limit and recover from cyber security incidents.  

Sound a bit confusing? Don’t stress – we get it. We’re here to translate all the digital mumbo-jumbo into everyday English.  

In this article we’ll briefly go over what count as cyber security incidents, explain each of the eight and the importance of keeping your organisation safe online.  

What are cyber security incidents? 

Before we jump into it, let’s quickly define what we’re talking about. Cyber security incidents, commonly grouped under the term cybercrime, cover a wide range of situations.  

The Australian Federal Police outline the term cybercrime as describing both:  

  • crimes directed at computers or other ICTs (e.g. computer intrusions and denial of service attacks), and 
  • crimes where computers or ICTs play a central part in the offence (e.g. online fraud).  

Moreover, the Australian Cyber Security Centre lists some of the more common types of cybercrime, including:  

  • Identity theft and fraud (e.g. criminals gaining access to your information to steal money or other benefits) 
  • Online fraud (e.g. criminals pretending to be your bank to gain access to your credit card information) 
  • Cyber-enabled abuse (e.g. bullying or harassment online) 
  • Online image abuse (e.g. intimate images or videos being shared without the consent of the person pictured) 
  • Affected devices (e.g. your smartphone being infected by malicious software).  

So, while there is a wide scope of cyber security incidents, they all revolve around an offence conducted through, or targeted towards, computers or other ICTs.  

The thing is, cybercrime is often a lot more nefarious than being catfished on a dating app. Being a victim of cybercrime can have devastating financial and social consequences.  

The Essential Eight 

The best way to mitigate potential security threats is to protect yourself. Just as you would lock your doors and windows when you leave your house or install CCTV, so should you do everything you can to protect yourself online.  

There are several different mitigation strategies that can help protect you against cyber security incidents. While no single strategy is guaranteed, having several strategies working at the same time is the best way to protect yourself and your information.  

To make things easier, the Essential Eight is recommended by the Government as a baseline to protect against cyber security incidents. We’ll go through each of these one-by-one below.  


Strategies to prevent malware delivery and execution   

Application control 

Application control is an approach designed to stop malware executing on your systems. Implemented properly, it ensures only approved and trusted applications can run on your device.  

In simpler terms, it stops unapproved programs, including malicious code a user has been tricked into downloading, from running at all. 

Windows 10 and later include two technologies that can be used for application control. Depending on your organisation’s specific scenarios and requirements, you can use: 

  • Windows Defender Application Control (WDAC); and 
  • AppLocker. 

Through effective application control, all non-approved applications are prevented from executing on your computer or device.  
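As an added example (not code from the original article), the following PowerShell builds an AppLocker policy from the programs an administrator has already installed, deploys it in audit mode so nothing is blocked while the rule set is reviewed, and then shows what it would have blocked. It assumes an elevated session on a Windows edition that ships the AppLocker module; the directory list and output path are assumptions for this example.

```powershell
# Added example: AppLocker policy generated from admin-installed software, applied
# in AuditOnly mode and dry-run against a downloaded file. Run elevated.
Import-Module AppLocker

$trustedDirs = 'C:\Program Files', 'C:\Program Files (x86)', 'C:\Windows'   # assumed
$policyPath  = 'C:\Policies\applocker-audit.xml'                             # assumed
New-Item -ItemType Directory -Path (Split-Path $policyPath) -Force | Out-Null

# 1. Inventory executables in directories only administrators can write to.
#    (C:\Windows is large; expect this to take a few minutes.)
$fileInfo = foreach ($dir in $trustedDirs) {
    Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe
}

# 2. Prefer publisher (code-signing) rules; fall back to hash rules for unsigned files.
#    -Optimize collapses many files from the same publisher into one rule.
[xml]$policy = New-AppLockerPolicy -FileInformation $fileInfo `
    -RuleType Publisher, Hash -User Everyone -Optimize -Xml

# 3. Start in AuditOnly; switch the attribute to 'Enabled' only once the audit log is clean.
foreach ($collection in $policy.AppLockerPolicy.RuleCollection) {
    $collection.SetAttribute('EnforcementMode', 'AuditOnly')
}
$policy.Save($policyPath)

# 4. Apply to the local policy. AppLocker does nothing unless the Application
#    Identity service is running; its startup type is protected, so use sc.exe.
Set-AppLockerPolicy -XmlPolicy $policyPath
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc

# 5. Dry-run the policy against a file a user might download, without executing it.
#    PolicyDecision is 'Denied' for anything no rule covers.
Test-AppLockerPolicy -XmlPolicy $policyPath -User Everyone `
    -Path "$env:USERPROFILE\Downloads\installer.exe" |
    Select-Object FilePath, PolicyDecision, MatchingRule

# 6. After a few days in audit mode, list what would have been blocked.
#    Event 8003 = "allowed to run, but would have been prevented if enforced".
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'
    Id      = 8003
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
```

Review the 8003 events with the business before enforcing: every entry is a program someone actually ran that the policy would stop, so each needs either a rule (signed by an approved publisher, or a hash for a specific unsigned tool) or a decision that it should not run.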

Patch applications 

A patch is a set of changes to an application or its supporting data that updates, fixes or improves it. When a security vulnerability is found in an application, the vendor releases a patched version.  

Vulnerabilities in an application may be used to execute malware on your system. Therefore, if a vulnerability is being actively exploited, it is recommended you patch or mitigate the at-risk computers within 48 hours.  

Best practice is to keep applications updated continuously, always run the latest supported version, and remove applications the vendor no longer supports. 

Configure Microsoft Office macro settings 

The ubiquitous Microsoft Office suite may be used to deliver malicious code into your organisation’s systems through macros. 

Macros are a small program or script that helps automate common or repetitive tasks. For example, you might record a macro in Word that inserts your entire address when you press a custom key combination. Alternatively, an Excel user might record a macro that formats the data in a specific column of their spreadsheet.  

So, to protect your computer, configure your Office settings to block macros by default, allowing only vetted macros stored in trusted locations or macros signed with a trusted certificate.  

User application hardening 

Flash, web advertisements and Java are popular ways for malicious code to get into your system. It is recommended that you uninstall Flash (which reached end of life in December 2020 and no longer receives patches), block ads and Java while browsing the internet, and configure Office so it cannot load Flash content.  
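The macro settings from “Configure Microsoft Office macro settings” and the Flash block from “User application hardening” both come down to registry values that Office reads from its policy keys. The PowerShell below, an added example and not code from the original article, writes those values for the current user and reads them back. In a domain the same values are pushed by Group Policy; the app list and the trusted-location path are assumptions for this example.

```powershell
# Added example: Office macro hardening plus the Flash kill bit, written to the
# per-user policy keys, with a read-back so the result can be verified.
$officeVersion = '16.0'   # Office 2016, 2019, 2021 and Microsoft 365 Apps all use 16.0
$apps = 'Word', 'Excel', 'PowerPoint', 'Access', 'Publisher', 'Visio'   # assumed
$adminTrustedLocation = 'C:\CorpMacros'   # assumed: IT-managed, read-only for users

function Set-OfficeMacroHardening {
    param([switch]$AllowSignedMacros)

    # VBAWarnings: 4 = disable all macros without notification (strongest),
    #              3 = disable all except macros digitally signed by a trusted publisher.
    $vbaWarnings = if ($AllowSignedMacros) { 3 } else { 4 }

    foreach ($app in $apps) {
        $sec = "HKCU:\Software\Policies\Microsoft\Office\$officeVersion\$app\Security"
        New-Item -Path $sec -Force | Out-Null
        Set-ItemProperty -Path $sec -Name 'VBAWarnings' -Value $vbaWarnings -Type DWord
        # Block macros in any file carrying the Mark-of-the-Web (downloaded or emailed),
        # regardless of the setting above.
        Set-ItemProperty -Path $sec -Name 'blockcontentexecutionfrominternet' -Value 1 -Type DWord
        # 2 = hand every macro, signed or not, to the antivirus engine via AMSI at run time.
        Set-ItemProperty -Path $sec -Name 'MacroRuntimeScanScope' -Value 2 -Type DWord

        # Trusted locations: only the admin-defined one counts; users cannot add their own.
        $tl  = Join-Path $sec 'Trusted Locations'
        $loc = Join-Path $tl  'Location1'
        New-Item -Path $loc -Force | Out-Null
        Set-ItemProperty -Path $tl  -Name 'AllowUserLocations' -Value 0 -Type DWord
        Set-ItemProperty -Path $loc -Name 'Path'            -Value $adminTrustedLocation
        Set-ItemProperty -Path $loc -Name 'AllowSubfolders' -Value 1 -Type DWord
        Set-ItemProperty -Path $loc -Name 'Description'     -Value 'Vetted macros (IT managed)'
    }

    # User application hardening: stop Office loading the Flash ActiveX control by
    # setting its COM kill bit (0x400 = do not load; the GUID is the Shockwave Flash CLSID).
    $flash = 'HKCU:\Software\Microsoft\Office\Common\COM Compatibility\{D27CDB6E-AE6D-11CF-96B8-444553540000}'
    New-Item -Path $flash -Force | Out-Null
    Set-ItemProperty -Path $flash -Name 'Compatibility Flags' -Value 0x400 -Type DWord
}

function Get-OfficeMacroHardening {
    # Read the values back so the change can be verified here or audited elsewhere.
    foreach ($app in $apps) {
        $sec = "HKCU:\Software\Policies\Microsoft\Office\$officeVersion\$app\Security"
        $p = Get-ItemProperty -Path $sec -ErrorAction SilentlyContinue
        [pscustomobject]@{
            App               = $app
            VBAWarnings       = $p.VBAWarnings
            BlockFromInternet = $p.blockcontentexecutionfrominternet
            AmsiScanScope     = $p.MacroRuntimeScanScope
        }
    }
}

Set-OfficeMacroHardening            # add -AllowSignedMacros if signed macros are needed
Get-OfficeMacroHardening | Format-Table -AutoSize
```

Because these live under HKCU\Software\Policies, Office treats them as administrator policy and greys out the corresponding Trust Center options, so a user cannot quietly re-enable macros. The trusted location must be somewhere users cannot write, otherwise it becomes the easiest way around the control.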

Strategies to limit the extent of cyber security incidents 

Restricting administration privileges 

If you work in an organisation, it is recommended you restrict administration privileges to specific systems and applications based on a user’s specific duties.   

For example, don’t give someone in marketing the administration privileges for the accounts department. After all, administrator accounts have full access to information and systems and are seen as the ‘keys to the kingdom’.  

Limit the number of people that have admin privileges – the fewer keys there are, the fewer opportunities there are for attacks.  
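As an added example (not code from the original article), this PowerShell lists who holds local administrator rights on a machine and flags anyone not on an approved list, which is the check you want to run regularly once privileges have been restricted. The approved list is an assumption for this example and would normally come from your access register.

```powershell
# Added example: review local Administrators group membership against an
# approved list, optionally removing members that should not be there. Run elevated.
$approvedAdmins = @(
    "$env:COMPUTERNAME\Administrator",   # built-in account: keep disabled or renamed
    'CORP\Domain Admins',                 # assumed domain group
    'CORP\Workstation Admins'             # assumed delegated group
)

function Get-LocalAdminReview {
    param(
        [string[]]$Approved = $approvedAdmins,
        [switch]$Remove      # report only unless this is given
    )
    foreach ($member in Get-LocalGroupMember -Group 'Administrators') {
        $ok = $Approved -contains $member.Name
        [pscustomobject]@{
            Name     = $member.Name
            Type     = $member.ObjectClass       # User or Group
            Source   = $member.PrincipalSource   # Local, ActiveDirectory, AzureAD, MicrosoftAccount
            Approved = $ok
        }
        if (-not $ok -and $Remove) {
            Remove-LocalGroupMember -Group 'Administrators' -Member $member.Name
        }
    }
}

# Step 1: look before you remove.
Get-LocalAdminReview | Format-Table -AutoSize

# Step 2: the built-in Administrator account should not be in day-to-day use.
Get-LocalUser -Name 'Administrator' | Select-Object Name, Enabled, LastLogon

# Step 3 (after review): Get-LocalAdminReview -Remove
```

Groups are the usual surprise here: a single entry such as “CORP\Helpdesk” can grant admin rights to dozens of people, so expand any unexpected group before deciding it is approved.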

Patching operating systems 

This is essentially the same as the earlier recommendation on patching applications. In short, make sure your operating system is always up to date and never run an unsupported version of your OS.  
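For both “Patch applications” and “Patching operating systems”, the practical question is whether a machine is inside the 48-hour window. The following PowerShell, an added example rather than code from the original article, reports how current a Windows machine is, which updates are still waiting, and whether a reboot is pending, using the Windows Update Agent COM interface and Get-HotFix that ship with Windows. The day thresholds are assumptions that mirror the guidance above.

```powershell
# Added example: patch compliance snapshot for one Windows machine. Run elevated;
# the Windows Update search can take a minute.
function Get-PatchStatus {
    param(
        [int]$MaxDaysSinceLastPatch = 14,   # assumed routine patch window
        [int]$MaxDaysUrgentPending  = 2     # 48 hours for Critical/Important updates
    )

    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $lastHotfix = Get-HotFix |
        Where-Object InstalledOn |
        Sort-Object InstalledOn -Descending |
        Select-Object -First 1

    # Ask the Windows Update Agent which software updates are not yet installed.
    $session  = New-Object -ComObject 'Microsoft.Update.Session'
    $searcher = $session.CreateUpdateSearcher()
    $result   = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0")
    $pending  = @($result.Updates | ForEach-Object { $_ })

    # Microsoft's severity rating tells you which ones the 48-hour clock applies to;
    # LastDeploymentChangeTime is when the update was first offered to this machine.
    $urgent  = @($pending | Where-Object { $_.MsrcSeverity -in 'Critical', 'Important' })
    $overdue = @($urgent  | Where-Object {
        (New-TimeSpan -Start $_.LastDeploymentChangeTime).Days -gt $MaxDaysUrgentPending })

    # Installed but not yet active: Windows leaves this key until the machine restarts.
    $rebootPending = Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'

    $daysSince = if ($lastHotfix) { (New-TimeSpan -Start $lastHotfix.InstalledOn).Days } else { $null }
    $compliant = ($overdue.Count -eq 0) -and (-not $rebootPending) -and
                 ($null -ne $daysSince) -and ($daysSince -le $MaxDaysSinceLastPatch)

    [pscustomobject]@{
        Computer           = $env:COMPUTERNAME
        OperatingSystem    = "$($os.Caption) (build $($os.BuildNumber))"
        LastPatchInstalled = $lastHotfix.InstalledOn
        DaysSinceLastPatch = $daysSince
        PendingUpdates     = $pending.Count
        UrgentPending      = $urgent.Count
        UrgentOverdue      = @($overdue | ForEach-Object Title)
        RebootPending      = $rebootPending
        Compliant          = $compliant
    }
}

Get-PatchStatus | Format-List
```

Run it across a fleet (for example with Invoke-Command) and the UrgentOverdue column is your 48-hour work list. Note that Get-HotFix only sees Windows updates; third-party applications such as browsers and PDF readers need their own check through whatever deploys them.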

Multi-factor authentication 

Multi-factor authentication is another line of defence protecting you and your organisation’s information and data. It is recommended that multi-factor authentication is used by all users to access important information.  

Multi-factor authentication builds on the old password model and adds another security element, such as Universal 2nd Factor security keys, physical one-time password tokens, biometrics or smartcards.  

There are several popular and free multi-factor authenticator apps, including:  

  • Google Authenticator 
  • Microsoft Authenticator.  
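The codes these apps and one-time-password tokens display are not random: both sides share a secret once (the QR code you scan) and then independently compute an HMAC over the current 30-second time step, per RFC 4226 (HOTP) and RFC 6238 (TOTP). The PowerShell below, an added example and not code from the original article or from either app, implements that calculation with the .NET classes PowerShell ships with and checks itself against the published RFC 6238 test vector. The Base32 secret used at the end is that same test key, not a real one.

```powershell
# Added example: TOTP as an authenticator app computes it (RFC 4226 / RFC 6238),
# plus the server-side check with a small clock-drift window.
function ConvertFrom-Base32 {
    # Authenticator secrets are shown in Base32 (RFC 4648); decode to raw key bytes.
    param([string]$Text)
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567'
    $bits = -join ($Text.ToUpper().TrimEnd('=').ToCharArray() |
        ForEach-Object { [Convert]::ToString($alphabet.IndexOf($_), 2).PadLeft(5, '0') })
    $bytes = for ($i = 0; $i + 8 -le $bits.Length; $i += 8) {
        [Convert]::ToByte($bits.Substring($i, 8), 2)
    }
    return [byte[]]$bytes
}

function Get-Hotp {
    param([byte[]]$Key, [int64]$Counter, [int]$Digits = 6)
    # The counter is an 8-byte big-endian integer.
    $msg = [BitConverter]::GetBytes($Counter)
    if ([BitConverter]::IsLittleEndian) { [Array]::Reverse($msg) }
    $hmac = New-Object System.Security.Cryptography.HMACSHA1 -ArgumentList (, $Key)
    $hash = $hmac.ComputeHash($msg)
    # Dynamic truncation: the low nibble of the last byte selects a 4-byte window,
    # whose top bit is cleared to keep the value positive.
    $offset = $hash[19] -band 0x0F
    $binary = (($hash[$offset] -band 0x7F) -shl 24) -bor
              ($hash[$offset + 1] -shl 16) -bor
              ($hash[$offset + 2] -shl 8) -bor
               $hash[$offset + 3]
    return ($binary % [int][Math]::Pow(10, $Digits)).ToString().PadLeft($Digits, '0')
}

function Get-Totp {
    param([byte[]]$Key, [datetime]$Time = [datetime]::UtcNow, [int]$Period = 30, [int]$Digits = 6)
    $epoch = [datetime]::new(1970, 1, 1, 0, 0, 0, [DateTimeKind]::Utc)
    $unix  = [int64](($Time.ToUniversalTime() - $epoch).TotalSeconds)
    return Get-Hotp -Key $Key -Counter ([int64][Math]::Floor($unix / $Period)) -Digits $Digits
}

function Test-Totp {
    # Server side: accept the current step and one either side to tolerate clock drift.
    # A real service would also record used codes so one cannot be replayed within the window.
    param([byte[]]$Key, [string]$Code, [int]$Window = 1, [int]$Period = 30)
    $now = [datetime]::UtcNow
    foreach ($step in (-$Window)..$Window) {
        if ((Get-Totp -Key $Key -Time $now.AddSeconds($Period * $step) -Period $Period) -eq $Code) {
            return $true
        }
    }
    return $false
}

# Self-check against RFC 6238 Appendix B: key "12345678901234567890", Unix time 59,
# SHA-1, eight digits -> 94287082.
$testKey  = [Text.Encoding]::ASCII.GetBytes('12345678901234567890')
$testTime = [datetime]::new(1970, 1, 1, 0, 0, 0, [DateTimeKind]::Utc).AddSeconds(59)
if ((Get-Totp -Key $testKey -Time $testTime -Digits 8) -ne '94287082') { throw 'TOTP self-check failed' }

# The same key as an authenticator app would display it (Base32), and a code for now.
$secret = ConvertFrom-Base32 'GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ'
$code   = Get-Totp -Key $secret
"Current code: $code  valid: $(Test-Totp -Key $secret -Code $code)"
```

Two things follow from the construction. A code captured by a phishing page is only useful for about a minute, which is why scammers who want it will ask you to read it to them on the phone “right now”; and anyone who obtains the Base32 secret (a screenshot of the QR code, an unencrypted backup of the app) can generate every future code, so the secret, not the codes, is what needs protecting.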

Strategies to recover data and system availability 

Daily backups 

Regularly backing up important data and software configuration settings is key to recovering in the event of a breach. Keep backups for at least three months, and store at least one copy offline or otherwise disconnected from your network, so that an attacker who gets into your systems (for example with ransomware) cannot delete or encrypt the backup as well.  

As with any protective measure, it is important you test full restoration from your backups. Just as organisations practice fire drills, so too should you practice restoring backed-up information – at least every quarter or whenever important changes occur.  
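A restore drill only proves something if you can show the restored files are identical to what was backed up. The PowerShell below, an added example and not code from the original article, records a SHA-256 hash of every file before the backup, restores the backup into a scratch folder (never over the live data), and compares. Source, backup and restore paths are assumptions for this example.

```powershell
# Added example: backup with an integrity manifest, then a restore drill that
# verifies every file came back byte-for-byte.
$source       = 'C:\Data\Finance'                  # assumed live data
$backup       = 'E:\Backups\Finance'               # assumed removable/offline disk
$manifestPath = 'E:\Backups\Finance.manifest.csv'  # kept outside the mirrored folder
$restore      = 'C:\RestoreTest\Finance'           # assumed scratch location

function Get-FileManifest {
    param([string]$Root)
    $base = $Root.TrimEnd('\')
    Get-ChildItem -Path $base -Recurse -File | ForEach-Object {
        [pscustomobject]@{
            RelativePath = $_.FullName.Substring($base.Length + 1)
            Hash         = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
    }
}

function Compare-Manifest {
    # Returns one row per expected file: OK, Missing or Corrupt.
    param($Expected, $Actual)
    $actualByPath = @{}
    foreach ($f in $Actual) { $actualByPath[$f.RelativePath] = $f.Hash }
    foreach ($f in $Expected) {
        $state = if (-not $actualByPath.ContainsKey($f.RelativePath)) { 'Missing' }
                 elseif ($actualByPath[$f.RelativePath] -ne $f.Hash)  { 'Corrupt' }
                 else                                                  { 'OK' }
        [pscustomobject]@{ Path = $f.RelativePath; State = $state }
    }
}

# 1. Manifest at backup time (store a copy somewhere the backup media cannot alter it).
New-Item -ItemType Directory -Path (Split-Path $manifestPath) -Force | Out-Null
Get-FileManifest -Root $source | Export-Csv -Path $manifestPath -NoTypeInformation

# 2. The backup itself. robocopy exit codes below 8 are success variants.
robocopy $source $backup /MIR /R:1 /W:1 | Out-Null
if ($LASTEXITCODE -ge 8) { throw "Backup failed with robocopy exit code $LASTEXITCODE" }

# 3. The drill: restore into the scratch folder.
robocopy $backup $restore /E /R:1 /W:1 | Out-Null
if ($LASTEXITCODE -ge 8) { throw "Restore failed with robocopy exit code $LASTEXITCODE" }

# 4. Verify against the manifest; anything not OK is a failed drill.
$result = Compare-Manifest -Expected (Import-Csv $manifestPath) -Actual (Get-FileManifest -Root $restore)
$result | Group-Object State | Select-Object Name, Count
$result | Where-Object State -ne 'OK'
```

Time the restore as well as checking it: the drill tells you both whether the data comes back and how long you would be without it, which is the number management actually needs.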

Why is cybercrime prevention so important? 

As more of our lives become dependent on the internet and ICTs, the opportunities for criminals to take advantage of unaware or unprepared people grow with them.  

Consider this – the Australian Cyber Security Centre receives one cybercrime report every ten minutes from individuals and businesses. If the police reported a car being stolen every ten minutes, would you leave your car unlocked, with the keys in the ignition and parked on the street? Probably not.  

Another thing to consider is the role of cyber-attacks in a changing political climate. In June of 2020, the Prime Minister Scott Morrison released a statement disclosing the fact that Australian governments and businesses had been the target of a ‘state-based attack’.  

While we aren’t telling you to start Doomsday prepping, what we are saying is that cybercrime is here to stay.  

The good news is, just as cyber criminals are becoming more sophisticated, so too are the strategies and applications that protect individuals and businesses.  

We get that for a lot of people, all this seems very complicated and convoluted. That’s why we’re here to help translate it all into plain English and make sure you and your business are best protected – especially if you aren’t super tech-savvy.  

If you want to find out more about cyber security incident prevention, give us a call on 07 3369 1415 or head to our contact us page.  

Stay safe out there! 


Configure MFA for o365

If you need help setting up Multifactor Authentication (MFA) for your Office 365 Account – This guide will walk you through the process.

Please note: Multifactor will need to be enabled on your account before proceeding. Let us know before continuing so we can set this up ahead of time.

Before you begin, you will need to download the Microsoft Authenticator App to your mobile phone. Go to the App Store (iPhone) or Google Play Store (Android) and download it.

Just get it downloading for now and we will come back to it.

On your computer, go to the Office 365 Portal.

You will now be prompted to sign in, enter your email address and click “Next”.

Enter your password and click “Sign in”.

Click “Next”

Select “Mobile app” from the dropdown menu
Select “Receive notifications for verification”
Click “Set up”

Open the Microsoft Authenticator app on your phone that you downloaded earlier.

If prompted, you can skip adding an account when you first open it. Along the way you will be prompted to allow access to the phone's camera and other features; accept both of these permissions or you won't be able to scan the QR code in this step.

Next, add an account. Depending on your phone and app version this process is slightly different, but you should find the option to add an account easily.

Choose the option to scan a QR code, then choose "Work or school".

Now scan the QR code on your computer screen. Once scanned, click "Next".

Click “Next”

Choose the country code and enter your mobile number so you can still access your account if you get locked out.
Click “Next”

Click “Finished”

You have finished setting up MFA on your account.
If you are using the Outlook desktop app on your computer, you should close and reopen it. If you get prompted to sign in again, enter the password and then approve sign-in from the push notification that will be sent to your phone.

