Frequently Asked Questions

I have an IT vendor. Why should I use Secure Strategy?

We are independent and completely focused on providing security advice and services to reduce the risk for our clients. We work with you and your IT vendor to achieve this. Because we only focus on security, we know about the latest risks and can help you avoid them. And we don’t sell hardware or software, so you can be sure that the advice we give you is solely for your benefit.

My IT vendor looks after my firewall and server updates. Why do I need you to check them on a regular basis?

People make mistakes. We have seen misconfigured firewalls that led to systems being compromised, and poor patching and configuration of servers that allowed ransomware to be installed. Security often takes a back seat to keeping systems operational and resolving day-to-day issues. If we had been checking these systems, we would have been able to identify these problems before they were exploited and would have saved these organisations a considerable amount of stress, disruption and cost.

My web developer/web hosting company looks after my website. Why do I need you to check it on a regular basis?

You may like to rely on your web developer or web hosting company to keep your site secure. Unfortunately, the reality can be very different.

In March 2016, Google reported that over 50 million website users had been greeted with some form of warning that websites visited were either trying to steal information or install malicious software. In March 2015, that number was 17 million. Google currently blacklists close to 20,000 websites a week for malware and another 50,000 a week for phishing.

We have seen compromised law firm websites in New Zealand trying to install malicious software on clients that visited them. And we have seen other NZ websites install ransomware onto computers (fortunately this was stopped at the client due to their intrusion prevention software).

These are the less damaging outcomes of poor website security. If your website holds confidential client data, and it is breached, you will suffer reputational damage and costs for putting it right. And from 2017, when the Privacy Act is updated, you will need to notify the relevant authorities regarding the data breach.

And if you take credit card payments via your website, and it is insecure, you will be in breach of the PCI-DSS obligations that form part of your merchant agreement with your bank. If your website is hacked, and credit card details are stolen, the penalties from your bank can be extremely high, and this is before any other costs you may be liable for.

We can reduce your risk by helping you comply with your PCI-DSS obligations, performing an in-depth review of your website security, and running regular checks to see if any new vulnerabilities have arisen.

My servers are hosted in the cloud. I don’t need to worry about security, do I?

Whilst the security of the underlying cloud platform will be the responsibility of the provider, the security of the servers you run on that platform will be your responsibility. That’s why platforms such as Microsoft Azure and Amazon AWS offer both their own and third-party anti-virus and intrusion prevention software (for an additional cost). Cloud-hosted servers, and the applications they run, need the same security measures and monitoring as on-premises servers.

I only use cloud-based applications and don’t have my own servers. Doesn’t that mean I’m secure?

Unfortunately not. You and your staff can still fall victim to ransomware, phishing and fraud attacks (these do affect Office 365 and Google Drive). And because additional security measures are not turned on by default for cloud-based applications, many users of those applications are not protected. We can help train your staff to spot and avoid phishing and fraud attacks and can review your cloud-based applications and recommend the security measures you should turn on to protect your data.
