After any public security breach Expert is contacted by concerned clients wanting to know how safe their website is. This is a perfectly normal response and we are always very pleased to provide assurances that our clients’ website security is paramount.
But many people don’t know what they don’t know, so I thought it might be timely to write a blog about how Expert manages security for our clients.
Prevention is Better than Cure
Primarily we work on the premise of ‘prevention is better than cure’ and so our systems have been set up with this in mind. In addition to our 24/7 monitoring, we constantly work on improvements to our hosting environment to ensure we stay ahead of future and potential threats, breaches and attacks. We host software applications that we have created for some very high-level clients in NZ and overseas, and the robustness of their systems have a flow-on benefit to all of Expert’s clients’ websites and software applications that we host on our servers.
Expert’s Peace of Mind Statement
All services we are directly responsible for are monitored in real-time 24/7, so in the event of a failure - anything from a client’s website going down or their domain name expiring - clients can rest assured that we know about it and are working on getting things back-up behind the scenes.
We also believe strongly in redundancy, ensuring that should the unthinkable happen we can get things back up in a few short minutes. For extra peace of mind, we operate our cloud environment out of two separate geo locations with near real-time replication between both Wellington and Auckland.
Finally, as a stop-gap, we perform daily backups of the entire environment with off-premise storage of removable media which protects clients’ data, not just from natural disaster but also infiltration disasters such as hackers deleting replicated servers and any online backups.
Cyber Security – unlearned lessons
Several events in recent years have raised concern for anyone using technology in their organisation (and who doesn’t?) regarding Cyber Security. In early August 2019 the NZ Institute of Directors website was breached, resulting in their website being taken down for several days. If you visit the IOD website you’ll see that they offer a huge amount of resources concerning being protected from a cyber-attack, however as recently as 14 April 2022 they were still being attacked, this time a security breach affecting payments when using a credit card on their website.
In case it’s been taken down before you got to see it, here’s what it said …
The IoD website has recently experienced a security breach. Currently this is affecting payments when using a credit card on the website. If you wish to book a course or event, an invoice will be sent to you and payment can be made via internet banking or our phone credit card payment service 0800 846 369. IoD Leadership Conference bookings are not affected. IoD members can find the latest updates on the breach here.
No-one is safe
In late August 2019 the Ministry of Culture and Heritage’s website was also breached, resulting in the Government reviewing whether the supplier of their website was on the government’s Certified Supplier list. Apparently, this breach wasn’t “…a targeted attack on the site, but rather an opportunistic find of information that wasn’t as secure as it should have been”.
Another very high profile breach occurred at the Waikato District Health Board in 2021 which had very dire consequences, and even the NZ Stock Exchange, NZX, was brought to its knees in 2020 by a cyber-attack.
Other high profile New Zealand organisations hacked in 2021 and 2022 include the following:
Expert’s Approach – strong passwords and user names are king
As a result of breaches such as these, Expert reminds clients how we manage cyber security and how well protected our clients are using MoST.
The security of any system can only go so far, and usually any weakness in security is usually due to the user of the system having a weak or guessable username and password.
If a user has an obvious username and a weak password and has administrative privileges, then chances are this is how a potential hacker will have access to users’ data. To reduce the chances of this occurring, users should have defined roles setup to minimize the impact of what a user can access should their account be compromised.
MoST is not an opensource platform so is significantly less susceptible to being hacked, as any potential security flaws are not published for the general public to carry out research on how to exploit it. Furthermore, common exploitation applications will not work as they do not know how to interact with the MoST product.
To date the system has never been compromised, which we put down to our vigilance and periodic third-party security audits.
DDOS (Distributed Denial of Service) Protection
As mentioned above, in September 2020 the New Zealand Stock Exchange (NZX) was under a DDoS (Distributed Denial of Service) attack and the news media was full of stories regarding distributed denial-of-service attacks. As a result, Expert received a lot of contact from our clients who were concerned about their own websites.
First off, a DDoS attack does NOT affect the security of your website but is more the result of security issues with other people’s computers. The security of these computers is compromised, allowing software to be installed that allows them to function as a drone for a malicious attack on an internet accessible device such as a firewall, web server, mail server, etc.
The attack is the equivalent of what happens to city traffic in morning peak hour. The city is flooded with more cars attempting to enter the city than the roads into the city can handle, resulting in severe congestion and gridlock.
At Expert, we have an arrangement with our upstream network provider to detect and filter out traffic for DDoS attacks, ensuring that DDoS traffic is routed into a black hole never to be seen again.
Ransomware
We also have processes in place to protect data from ransomware attacks. These processes are also tested and updated regularly.
Prevention From Attack is Your Best Insurance
It can’t be stressed enough how important it is to ensure your data is kept safe and free from attacks by the bad guys. Everyone thinks it won’t happen to them, but it could. And it could happen more than once - just ask some of the above organisations if you don’t believe me.
I’ve always been a huge believer in having insurance cover to protect the things I value, and while I resent what it costs to be insured, I work on the theory that if you have it, you won’t need it. I doubt that there is effective, affordable insurance cover available for cyber-attacks, and even if there was it wouldn’t cover the time and customers you’d lose while you’re dealing with getting things fixed and up and running again.
The only thing you can depend on is ensuring you have the safest systems in place from Day One. But even then, nothing is infallible or guaranteed safe, no matter how hard we try.