Secure Strategy

Criminals focus on exploiting business assets. We focus on protecting them.

Cyber security attacks are now a major risk for companies. Ransomware attacks that encrypt your files, phishing attacks that fool your staff into giving up confidential information, and fraud attacks that can lead to the loss of significant sums of money.

And focusing solely on technology for protection doesn’t work anymore. Criminals also use social engineering to bypass security controls and get to your staff.

At Secure Strategy we help you get ahead of the criminals, by working with you to identify the risk areas within your organisation. We then create a strategy you can use going forward, and recommendations to help you secure what you have now.

Cybersecurity

Why law firms are a target for criminals – and what you can do about it

The vast majority of cyber crime has a financial motive. Criminals want to make a quick return, and so will target assets that they can disrupt, and operations that they can compromise. Law firms make good targets because of:

The reliance on documents to generate revenue and provide client service. If the documents have been encrypted by ransomware, the firm grinds to a halt. The latest versions of ransomware also target databases – so the firm’s practice management system is also at risk
The amount of email correspondence received – this provides a great opportunity for phishing attacks
The number and value of funds transfers – especially if the firm is involved in conveyancing
Read More “Why law firms are a target for criminals – and what you can do about it”

Frequently Asked Questions

I have an IT vendor. Why should I use Secure Strategy?

We are independent and completely focused on providing security advice and services to reduce the risk for our clients. We work with you and your IT vendor to achieve this. Because we only focus on security, we know about the latest risks and can help you avoid them. And we don’t sell hardware or software, so you can be sure that the advice we give you is solely for your benefit.

Our Difference

Traditionally, IT security has focused on technology measures such as firewalls, anti-spam and anti-virus.

However, that’s not what criminals pay attention to. They target your business assets such as documents and other files, email, and business processes such as payment instructions.

And the world has moved on from only having business information stored in offices, and only having staff use computers in those offices. Now business data can be stored in on-premise servers and in public or private data centres, and staff often work from outside the office.

Services

Incident Response Plan

Organisations who have a cyber incident response plan are able to reduce the potential damage of an attack. They have already thought about the steps they should take, the decisions that may need to be taken, and the communications that would need to be issued.

Online Cyber Security Training

Our online cyber security course is designed to be easy to use, and can be accessed from PCs/Macs, tablets and smartphones. We offer a flexible training programme to allow staff to leave part way through and to resume later at their, or your, convenience. New staff can undertake the course as part of their induction and we can provide a report on the progress of each staff member.

Our course takes your staff through an introduction to cyber security and then provides in depth information on how to spot and protect against different types of attacks. To engage your staff we also include a lesson on how they can protect themselves at home.

Phishing Awareness Exercise

Criminals have become increasingly sophisticated in their attacks. They circumvent traditional email anti-virus measures by only downloading a virus after the email has been delivered and the staff member has clicked on a link or opened an attachment. And they change the virus code so that anti-virus on PCs and servers can’t recognise it.
They also use social engineering to increase the chance of fooling a staff member into believing the email is genuine.
A successful phishing attack can lead to encrypted files and a ransom demand or the release of confidential information (often the staff members’s login details) that can be used to launch further attacks.

Your staff are your last line of defence. Our Phishing Awareness Exercise improves their ability to spot phishing attacks, reducing the risk to your business.

Website Security Review

Criminals are constantly looking for vulnerabilities in web servers and will take advantage of them as soon as they can. The impact can be disastrous to your business. From defacement to ransomware infecting visitors to your website, through to the theft of confidential information that your clients enter. And web browsers are beginning to alert users if a website is deemed insecure.

Both the underlying web server software (Windows or Linux) and the content management system used by your web developer (e.g. WordPress) can be vulnerable. We have seen business websites infected by malware which then infected clients (and potential clients) who browsed to that site.

PCI DSS Review

If you are taking credit card payments – either via point of sale or a website – you will have signed a contract with your bank saying that you will meet your PCI DSS obligations.

The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information security standard for organisations that handle branded credit cards from the major card schemes including Visa, MasterCard, and American Express. It sets out twelve obligations that merchants must meet.

Security Awareness Training

Firewalls, anti-virus and anti-spam can only provide limited protection. Criminals constantly change their virus files and delivery mechanisms to stay two steps ahead of security software companies. And they also use social engineering and email communications that appear genuine to convince users to download ransomware, provide confidential information such as usernames and passwords, and to pay money as part of fraudulent transactions.

External Vulnerability Scan

Human error is a major cause of cyber security incidents. Misconfiguring a firewall or forgetting to apply the latest patches to a server or website can lead to systems being compromised, with the potential for ransomware infections or the theft of confidential data. Hackers constantly scan for ways through firewalls, and for vulnerabilities in servers.And lists of vulnerable servers are sold on the dark web.

We can give you peace of mind by regularly checking for errors so that they can be resolved quickly before hackers and other criminals take advantage of them. Our scanning tools are constantly updated to look for the latest vulnerabilities.

Independent Security Review

Most businesses know about cyber security risks. They know they should do something to protect themselves. But they are unsure of the steps to take.

Our Independent Security Review takes a strategic look at your business assets and procedures and determines whether you have reasonable protection in place based on the risk profile of your organisation and current best practice for your industry. We then provide recommendations on areas that should be secured now, and guidance to help you in the future.

Articles

Communicating after a data breach

May 30, 2019 by securestrategy

As the recent issues around the pre-release of Budget 2019 details have shown, good communication after a security incident is crucial. Poor communication will make the situation much worse. Treasury appears to have made a few mistakes: They rushed to…

What’s the real risk?

February 25, 2019 by securestrategy

It seem that if you follow cyber security news there are new software vulnerabilities announced every day. The media tends to report on these without any context, and can even talk up the dangers. This can give the impression that…

Board expectations for cyber security

January 28, 2019January 28, 2019 by securestrategy

As we all come back from the Christmas break and gear up for another year of activity, it’s timely for boards to consider the state of cyber security in the organisations they are responsible for. Here is a simple checklist…

Multi-factor authentication made easy

May 21, 2018May 21, 2018 by securestrategy

It’s multi-factor not multi-app Many of you will I hope have implemented multi-factor authentication (MFA) when using remote access. If you haven’t then please see my article here and then get your IT team to set it up. The majority…

Cyber Insurance – check the fine print

May 15, 2018May 16, 2018 by securestrategy

Why should my business have an Independent Security Review When we provide Independent Security Reviews for clients, the first thing we do is sit down with them to understand their business, what type of information they hold, where they store it, what…

Privacy Update – May 2018

May 15, 2018May 16, 2018 by securestrategy

2018 is going to be an interesting year for privacy, both in NZ and internationally. There are three main reasons. Australia – Mandatory Reporting of Data Breaches This came into effect on the 22 February 2018. If you have a business…

Happy Clients

Our firm engaged Secure Strategy to conduct a cyber security audit. Simon made the process as easy as possible. He was very thorough and presented his report in an easy to understand format. Simon also came and verbally reported to the partners on the results of his audit. He made a number of recommendations and explained the risks attached to each one. We were then able to action those areas simply and easily and with an understanding of why these changes needed to be made. I am very happy to recommend Simon to other organisations.

Pam Brian, White Fox and Jones

We had identified that one of our Arrow websites was hacked. To immediately mitigate the problem we moved to a provider with better security. However we had no assurances that our sites were protected. We consulted with Secure Strategy to analyse our websites and provide an independent review of their security.

Security Strategy was easy to deal with. After an initial consultation, the analysis of our websites was completed shortly after. The report delivered was thorough and provided security risks in terms of priority. Arrow IT was able to then engage with the website host to mitigate security flaws.

Providing assurances that our sites are protected using ‘best in breed’ IT security is extremely important to Arrow. Our sites are used primarily to market the company brand and our intellectual property must be protected. Secure Strategy has assisted in the support of this strategy.

If you are looking for fast, friendly, independent advice on security, I would suggest using Security Strategy.

Wayne Broekhals, Arrow International