Solution to meet recommendations from our Cyber Security Health Check
IT services - Asked by rhysteddupe@mac.com on Tuesday, 16 July, 2019 - 15:25
Hello, We recently had a CREST Cyber Security Health Check to ascertain what might be needed to ensure security of our small community group's client records. We employ 5 part time staff and are run by a volunteer committee of management. We offer an emergency relief program, transport program, community meal and interest free loans scheme. Our client records are very sensitive. We have no IT staff. We are in Victoria. The audit found deficits in apps/OS not being patched/updated appropriately, we needed to work on blocking insecure apps etc, we needed to work on stricter login practices, we need to implement multi factor authentication, we need to work on a more robust backup system, staff should not use local admin logins, we need to implement application whitelisting (not sure about this one given the size of our operation and staff working across programs), ensure our anti-virus status is kept up-to-date. So, are there any suggestions as to what we can do to meet the above, or suggestions of any businesses who may be able to help us. Apologies for the long post. Thanks in advance, Rod
Reply by Bryton Wishart from Entag on Tuesday, 16 July, 2019 - 16:17
I think the Microsoft 365 suite with the focus on the security aspect of Intune, Windows Defender Advanced Threat Protection, Cloud App Security would be a way to achieve this requirement. On top of that you are going to get MFA for services which can be used with SAML if needed. Just reach out to discuss.
Reply by Ross Gerring from Itomic on Tuesday, 16 July, 2019 - 16:17
Hello Rod, Please can you provide a little more detail about the technologies behind your systems, if you know them? For example, what operating systems, e.g. Mac, Windows, or Linux? Do you use any cloud services, e.g. Azure, Amazon Web Services (AWS), Google Cloud, etc? Are any web-based CMS (Content Management Systems) involved, e.g. WordPress, Drupal, Joomla, other? Mobile phone apps? iOS or Android or both? Native apps or other? Sorry if that's getting techy! Just do the best you can. But your answers will likely make a huge difference in terms of what sort of company is a good fit to look after yours. Thanks, Ross
Reply by Ryan Tregea from Biztactix on Tuesday, 16 July, 2019 - 16:26
G'day Rod, These are very common situations that organisations find themselves in. As many of the fixes for the problems listed are quite technical, it's hard for someone on here to accurately give you the full picture of where to go. As you're based in Victoria, if you're somewhere in the Melbourne region, I'd be happy to catch up for a coffee to discuss; even if we're unable to help you, we can always point you in the right direction. https://biztactix.com.au/book-a-coffee - Best Regards, Ryan, Biztactix
Reply by Edward Hore from The Clique online on Tuesday, 16 July, 2019 - 16:27
Hi Rod, Feel free to get in contact. I am a small company re-entering the market place; I have worked in NFP for a long time and worked in government and patient environments. I would be happy to assist and come up with a solution. With regards, Edward Hore
Reply by on Tuesday, 16 July, 2019 - 16:34
Hi Rod, You could start using more SaaS solutions to alleviate some of the issues the audit described. We built TidyHQ for organisations of your size - it could help with some of those things. With that said, there is a range of other similar products that may be an even better fit and solve it in a similar way. We are also in Melbourne. Cheers, Isaak Dury, CEO and Founder, TidyHQ.com
Reply by rhysteddupe@mac.com on Tuesday, 16 July, 2019 - 16:53
Ross asked me to elaborate a bit more. We currently run 5 Windows desktop machines with one of them acting as a server. 2 run Windows 10, the others run Windows 7. We have a laptop running Windows 10. We have one Android phone. We run 2 Access databases for our 2 main programs, which have been designed to hold client records for staff to monitor and for reporting to relevant government agencies and the committee of management. We have another database to hold records of volunteers and members, and to monitor WWCCs, police checks and other relevant details. These databases were developed by a contractor for our organisation. The staff run Microsoft Office, using mainly Word, Excel and Outlook. We do not use any cloud based services, apart from government portals. Our webpage platform is Squarespace. I hope that this helps. Regards, Rod
Reply by Amyn Zariwala from AZTA Group Pty LTD on Tuesday, 16 July, 2019 - 16:56
Hey Rod, Let me know if we can connect over a video call to discuss your situation in detail. There are a number of SaaS solutions or cloud services in the market. We can only suggest you something more fit to your organisation once we get to know more about the gaps you have listed above. Feel free to reach out to myself on 0499 888 223. Thanks, Amyn, Technology Leader and Cloud Architect
Reply by Ross Gerring from Itomic on Wednesday, 17 July, 2019 - 10:13
Thanks for elaborating Rod. I think the challenge you have is deciding how much you want to focus on attempting to fix/patch the technologies you have today, versus how much you want to focus on plotting a course for a more cloud-based, SaaS (software-as-a-service) future, where pretty much everyone is heading these days for all the right reasons. And if/when you do head for the cloud, you'll need to consider whether your organisation can find suitable off-the-shelf products (like TidyHQ), or whether you need custom-coded solutions, or various combinations of the two. Our company, Itomic, is well positioned to help you move into the cloud, but almost certainly not for supporting what you have right now. Feel free to get in touch if you'd like to chat further: https://mig1.cisa.asn.au/directory/suppliers/itomic
Reply by Jason Ross from ethiSEC pty ltd on Thursday, 18 July, 2019 - 16:57
Hi Rod, Sounds like the CREST based pen test found a few issues that can be fixed simply by implementing best practices based on the ACSC Essential Eight recommendations: https://www.cyber.gov.au/publications/essential-eight-explained These are all good, common-sense recommendations that will help you improve the availability and security of the data you hold. The good thing is the majority of these are practical, no or low-cost recommendations that can be performed regularly as part of a balanced IT maintenance routine. My advice is to beware of an organisation trying to simply sell you a product/solution to "fix" your identified issues. Security is so much more than a product; you need to ensure the necessary policies, procedures, and practices are implemented to ensure the implemented technology is properly maintained and validated. Cyber or information security is a very specialised field, as is Windows network or SaaS implementation for that matter. Most people here seem to suggest moving to a cloud-based solution, which may be appropriate; however, you'll be no better off if it is not architected and implemented correctly. We believe that you may need to work with two organisations, one to architect and secure/validate and the other to supply and implement. We believe that using appropriate expertise will allow you to appropriately identify, understand and manage your risk so you can select the appropriate technology to deliver your mission. Our opinion is that most IT organisations cannot address all that is required on their own. I'd be happy to have a chat with you about this further if you like. Jason 0401 988 248
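Several of the health-check findings Rod listed (unsupported or unpatched OS, staff signed in with local admin rights, anti-virus not current) can be re-checked on each of the Windows 7 and Windows 10 desktops with a read-only PowerShell audit. This is an added example, not code from any poster or vendor in this thread; it assumes Windows PowerShell 3.0 or later on each machine and Windows Defender on the Windows 10 ones.

```powershell
# Added example: read-only re-check of the health-check findings on one Windows desktop.
# Assumes Windows PowerShell 3.0+; run it in an elevated session on each machine.
function Get-HealthCheckStatus {
    $os = Get-CimInstance -ClassName Win32_OperatingSystem

    # Finding: OS/apps not patched. Report the newest installed Windows hotfix.
    $lastFix = Get-HotFix |
        Where-Object { $_.InstalledOn } |
        Sort-Object InstalledOn -Descending |
        Select-Object -First 1
    $daysSincePatch = if ($lastFix) {
        (New-TimeSpan -Start $lastFix.InstalledOn -End (Get-Date)).Days
    } else { $null }

    # Finding: staff use local admin logins. List members of the local Administrators group.
    # Get-LocalGroupMember exists on Windows 10; on Windows 7 fall back to parsing net.exe output.
    try {
        $admins = (Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop).Name
    } catch {
        $admins = net localgroup Administrators |
            Where-Object { $_ -and $_ -notmatch '^(Alias name|Comment|Members|-{5,}|The command)' }
    }

    # Finding: anti-virus status not kept current. Query Windows Defender (Windows 10 only).
    try {
        $mp = Get-MpComputerStatus -ErrorAction Stop
        $avEnabled = $mp.AntivirusEnabled
        $sigAgeDays = $mp.AntivirusSignatureAge
    } catch {
        $avEnabled = $null   # no Defender cmdlets (e.g. Windows 7): check the installed AV by hand
        $sigAgeDays = $null
    }

    [pscustomobject]@{
        Computer           = $env:COMPUTERNAME
        OS                 = $os.Caption
        Build              = $os.Version
        UnsupportedOS      = [bool]($os.Caption -match 'Windows 7')  # Windows 7 support ended 14 Jan 2020
        DaysSinceLastPatch = $daysSincePatch
        LocalAdmins        = ($admins -join ', ')
        DefenderEnabled    = $avEnabled
        SignatureAgeDays   = $sigAgeDays
    }
}

Get-HealthCheckStatus | Format-List
```

The items a review should flag are UnsupportedOS set to True, DaysSinceLastPatch beyond the patch window the organisation adopts, any day-to-day staff account in LocalAdmins, and a missing or stale Defender signature age; MFA, backups and application whitelisting are not visible to a single-machine check and need to be reviewed separately.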