LastPass: The App That's Saving Our Passwords... And Our Minds!

If you’re like most of us, then you’re probably juggling a lot of passwords. It’s not just your social media accounts that require passwords—you need one for every website, app and service you use. It can be a nightmare to remember them all.

The good news is there are tools out there that can help manage all those passwords for you. Our favourite is LastPass.

LastPass is an online password manager that lets users store not just their passwords but also payment details, shipping addresses, insurance numbers... anything that is important and hard to remember without jotting it down (please don't!). It will save your important information, and it will also auto-fill your forms to save time.

LastPass is useful because it offers browser extensions that:

  • automatically fill in your passwords

  • let you log into sites without having to enter your details

  • generate strong, randomised and unique passwords for all your accounts, and notify you if you've used the same password for multiple accounts

  • warn you if your email address(es) have been involved in a known data breach; store other digital records like your insurance numbers, and much more
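To make the "strong, randomised and unique" point concrete, here is a small added example (not LastPass's code, and not a statement of how LastPass implements these features) that does what the two bullets describe: it draws a password from a cryptographically secure random source, reports how many bits of entropy that gives, and scans a vault for passwords shared between sites. The vault contents and the character set are constructed for the example.

```python
import math
import secrets
import string

# Character set the generator draws from. Assumed default for this example;
# a real manager lets the user choose which classes to include.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 20) -> str:
    """Return `length` characters chosen uniformly at random with the OS CSPRNG.

    `secrets.choice` (not `random.choice`) is what makes the result unpredictable.
    """
    if length < 12:
        raise ValueError("refusing to generate a password shorter than 12 characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def find_reused_passwords(vault: dict[str, str]) -> dict[str, list[str]]:
    """Map every password used on more than one site to the sorted list of those sites.

    This is the check behind "notify you if you've used the same password for
    multiple accounts": one breached site exposes every other site in the list.
    """
    sites_by_password: dict[str, list[str]] = {}
    for site, password in vault.items():
        sites_by_password.setdefault(password, []).append(site)
    return {pw: sorted(sites) for pw, sites in sites_by_password.items() if len(sites) > 1}


# Constructed sample vault for the demonstration (not real credentials).
SAMPLE_VAULT = {
    "email": "Summer2021!",
    "dropbox": "Summer2021!",
    "bank": generate_password(24),
    "social": "Summer2021!",
}

if __name__ == "__main__":
    print(f"new password: {generate_password()}  (~{entropy_bits(20):.0f} bits)")
    for password, sites in find_reused_passwords(SAMPLE_VAULT).items():
        print(f"password reused across {', '.join(sites)}")
```

The 20-character default comes out at roughly 131 bits of entropy against a 94-character alphabet, far beyond anything worth brute-forcing; the reuse report is the part that actually changes behaviour, because it tells you which accounts to rotate first.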

How safe is it?

LastPass is extremely secure. It has a zero-knowledge policy, meaning that all information stored on LastPass’ servers is totally encrypted. No one else—not even LastPass employees—can see it.

The company also offers strong end-to-end encryption. This means that your information is encrypted before it leaves your device and stays encrypted in transit and at rest, protecting you from man-in-the-middle attacks.
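The two paragraphs above describe a zero-knowledge design: the key that unlocks the vault is derived from the master password on your device, and the server only ever receives a separate one-way value it can use to check a login. The example below is added here to show that pattern end to end; it is illustrative code, not LastPass's implementation, and the iteration count, the HMAC-based stream cipher (a stand-in for the AES a real product would use) and the sample vault are all assumptions made for the demonstration.

```python
import hashlib
import hmac
import os

# PBKDF2-SHA256 work factor. Assumed for the example; real products choose their own.
ITERATIONS = 600_000


def derive_vault_key(master_password: str, username: str) -> bytes:
    """Client-side only: the key that encrypts the vault. It never leaves the device."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                               username.lower().encode(), ITERATIONS)


def derive_auth_hash(vault_key: bytes, master_password: str) -> bytes:
    """One extra one-way step turns the vault key into a login credential.

    The server can verify this value but cannot run it backwards to the vault key.
    """
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode(), 1)


def register(master_password: str, username: str) -> tuple[dict, bytes]:
    """Return (what the server stores, what stays on the client)."""
    vault_key = derive_vault_key(master_password, username)
    auth_hash = derive_auth_hash(vault_key, master_password)
    salt = os.urandom(16)
    # The server hashes the credential again, so a database leak yields neither
    # the auth hash nor the vault key.
    verifier = hashlib.pbkdf2_hmac("sha256", auth_hash, salt, 100_000)
    return {"username": username.lower(), "salt": salt, "verifier": verifier}, vault_key


def login(record: dict, auth_hash: bytes) -> bool:
    """Server-side check of a presented auth hash, in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", auth_hash, record["salt"], 100_000)
    return hmac.compare_digest(candidate, record["verifier"])


def _subkey(vault_key: bytes, purpose: bytes) -> bytes:
    """Separate encryption and integrity keys derived from the vault key."""
    return hmac.new(vault_key, purpose, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (illustrative stand-in for AES)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_vault(vault_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag. Only this blob reaches the server."""
    nonce = os.urandom(16)
    ks = _keystream(_subkey(vault_key, b"enc"), nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(vault_key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt_vault(vault_key: bytes, blob: bytes) -> bytes:
    """Verify the tag before touching the ciphertext; wrong key or tampering raises."""
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(vault_key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("vault integrity check failed: wrong key or tampered data")
    ks = _keystream(_subkey(vault_key, b"enc"), nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


if __name__ == "__main__":
    # Constructed sample credentials and vault contents.
    record, key = register("correct horse battery staple", "User@Example.com")
    blob = encrypt_vault(key, b'{"bank": "hunter2-but-longer"}')
    print("server holds:", record["username"], record["verifier"].hex()[:16] + "...")
    print("vault round-trips:", decrypt_vault(key, blob))
```

The property to notice is which values cross the wire: the auth hash at login and the encrypted blob for storage. Neither the master password nor the vault key is among them, which is why a compromise of the server's database on its own does not expose anyone's vault contents, though a weak or reused master password still can.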

It's true LastPass itself has suffered from seven security incidents in the last eleven years. As we always say, everything is hackable and how a company responds to a Cyber incident is just as important as the preventative Cyber Security measures they have in place, and all seven were handled swiftly and well.

Preparing For The .au Domain Release: What You Need To Know...

It's finally here!

The new .au domain has been released and it's a huge deal for Australian businesses.

This is an exciting opportunity to catch up with our international counterparts, to pick up domains we may have missed out on and to shorten our domain name. But we also know that there are risks involved, like the possibility of hackers purchasing your domain and creating a copycat of your site.

It's important to act now to apply for Priority Allocation, or your .au domain name will be available to the public from 20 September 2022. Unlike .com.au domains, .au domains do not require ABN or ACN checks, so they are more vulnerable to scammers.

For the same reasons, we also strongly recommend you register .com and .net domains. Of course, there are other domain extensions, but these are the most obvious ones, and the ones most likely for scammers to purchase in the attempt to pretend to be you.

We can help you prepare for the release and avoid this from happening in the first place. We'll make sure your website is secure, so when you launch your new .au domain, you can focus on what matters most: serving your customers and getting all the great benefits the .au can bring.

Why it's important to stay cyber safe

Another day another data breach.

Medibank recently came forward and admitted that the hacker who had breached their systems had access to the data of all 3.9 million of their customers.

Specifically, the accessed data includes:

  • name

  • address

  • date of birth

  • phone numbers

  • Medicare number

  • policy number

  • and in some cases, claims data

It seems the hacker gained access via compromised credentials from someone high up with a high level of access.

This goes to show how easily this can happen.

Even with Cyber Security in place, people are always the weakest link, which is why regular Security Awareness Training for you and your team is such an important part of any Cyber Security strategy.

What’s your disaster recovery plan?

If you're running a business, you would know the importance of business continuity and disaster recovery planning.

This is a perfect topic to discuss seeing this is Cyber Security awareness month, and backups and disaster recovery are an important part of your Cyber Security planning.

For those of you leveraging the cloud, is your only backup saving files to cloud storage?

It's a common misconception that cloud storage is a suitable backup solution, i.e. that your only backup is syncing or storing your files in OneDrive, Dropbox, Google Drive, Box etc.

Why is this not considered a backup?

A backup should allow you to recover any file or files from any historic point in time with ease and speed.

The issue with just relying on cloud storage as a backup is that you can inadvertently delete or move things like files and folders, and with it lose your file revision history.

If you're using Microsoft 365 or Google Workspace, there's more data to protect than just the files stored in cloud storage like OneDrive and Google Drive: emails, messages and chat history, to name a few.

Just ask the IT team at KPMG who, because of a blunder, deleted the personal chat histories of 145,000 Microsoft Teams users.

The data was unrecoverable.

There are third-party backup providers who can back up your cloud storage automatically.

Consider it a cloud to cloud backup.

Platforms like Microsoft 365, if set up correctly with the right policies in place, can protect and retain data even if it is deleted. However, restoring files isn't necessarily that quick or straightforward.

A good third-party cloud backup solution will make restores simple when they are needed. However, not all are created equal: some don't offer granular restores of data, and some don't back up everything.

Are you using cloud storage as your only backup? Do you back up your cloud storage?

Securing your emails

One of the most common hacks we see with small to medium businesses is email breaches.

How does this happen?

Someone is using the same password for their email account as they are for another service, say Dropbox, and that service is then involved in a data breach.

Your details including your password are stolen and published on the Dark Web for hackers and scammers to purchase.

Calling them hackers is actually too much of a compliment, so let's call them scammers.

Now the scammers have your password. They manually try and access your email account. If you don't have multifactor authentication enabled on your account, then, boom, they are in.

So now these scammers sit, wait and watch. They might be pulling 12-hour shifts, just watching many different breached email accounts.

So what are they looking for? Invoices you send out.

They then put a rule in place on your mailbox so that any correspondence between you and your clients or customers is hidden away in a folder. Then they doctor the invoice and make one slight change: the bank account details.

Soon after they'll send your client(s) a new invoice and let them know that the account details have changed. They will often send several follow up emails asking your client(s) for payment.

If your client doesn't suspect anything, they might pay the invoice. The scammers will usually transfer the money immediately, and then often it's gone.

You might be thinking that you don't send invoices. If that's the case, the scammers will often leave, but not before they send a phishing email from your email to all your contacts in the hope they'll get into other accounts.

Rinse and repeat.
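The mailbox rule described above is the one artefact of this scam that an administrator can go looking for before any money moves: a rule that quietly moves or deletes finance-related mail, marks it read, or forwards it outside the business. The script below is an added example, not code from this newsletter or from any mail provider, that triages a list of inbox rules for exactly those signs. The rule records are constructed for the demonstration in a generic shape (name, owner, conditions, actions); the scoring weights, the list of rarely-viewed folders and the internal domain are assumptions, and the external address is a placeholder.

```python
from dataclasses import dataclass, field

# Indicators seen in invoice-redirection compromises (weights are assumed for this example).
FINANCE_KEYWORDS = ("invoice", "payment", "remittance", "bank", "account", "eft", "statement")
RARELY_VIEWED_FOLDERS = ("rss subscriptions", "rss feeds", "conversation history",
                         "archive", "junk email", "deleted items")
FLAG_THRESHOLD = 3


@dataclass
class InboxRule:
    name: str
    owner: str
    conditions: dict = field(default_factory=dict)  # e.g. {"subject_contains": [...]}
    actions: dict = field(default_factory=dict)     # e.g. {"move_to": ..., "delete": True}


def score_rule(rule: InboxRule, internal_domain: str) -> tuple[int, list[str]]:
    """Return (score, reasons) for one rule; higher means more like a scammer's rule."""
    score, reasons = 0, []
    acts, conds = rule.actions, rule.conditions

    if acts.get("delete"):
        score += 3; reasons.append("deletes matching mail")
    dest = (acts.get("move_to") or "").strip().lower()
    if dest in RARELY_VIEWED_FOLDERS:
        score += 3; reasons.append(f"moves mail to rarely-viewed folder '{acts['move_to']}'")
    forward = (acts.get("forward_to") or "").lower()
    if forward and not forward.endswith("@" + internal_domain.lower()):
        score += 3; reasons.append(f"forwards mail to external address {forward}")
    if acts.get("mark_read"):
        score += 1; reasons.append("marks mail as read so it is never noticed")

    words = [w.lower() for key in ("subject_contains", "body_contains") for w in conds.get(key, [])]
    if any(kw in w for w in words for kw in FINANCE_KEYWORDS):
        score += 2; reasons.append("matches on finance keywords")
    if not conds:
        score += 1; reasons.append("applies to every incoming message")
    if len(rule.name.strip()) <= 1:
        score += 1; reasons.append("blank or single-character rule name")
    return score, reasons


def triage(rules: list[InboxRule], internal_domain: str) -> dict[str, list[str]]:
    """Return {rule name: reasons} for every rule at or above FLAG_THRESHOLD."""
    flagged = {}
    for rule in rules:
        score, reasons = score_rule(rule, internal_domain)
        if score >= FLAG_THRESHOLD:
            flagged[rule.name or "<unnamed>"] = reasons
    return flagged


# Constructed sample: two ordinary user rules and two rules shaped like the scam above.
SAMPLE_RULES = [
    InboxRule(".", "finance@example.com.au",
              {"subject_contains": ["invoice", "payment"]},
              {"move_to": "RSS Subscriptions", "mark_read": True}),
    InboxRule("Newsletters", "sam@example.com.au",
              {"from_contains": ["newsletter"]}, {"move_to": "Newsletters"}),
    InboxRule("fwd", "finance@example.com.au",
              {}, {"forward_to": "placeholder-attacker@external.invalid"}),
    InboxRule("Sort by client", "sam@example.com.au",
              {"from_contains": ["acme.example"]}, {"move_to": "Clients/Acme"}),
]

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_RULES, "example.com.au").items():
        print(f"FLAGGED rule {name!r}: " + "; ".join(reasons))
```

In a Microsoft 365 tenant the rule list this script expects comes from the mailbox rules an administrator can enumerate for each user (for example with the Exchange Online Get-InboxRule cmdlet); reviewing those rules regularly, and alerting when a new one is created, catches this scam at the stage where nothing has been paid yet.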

Here are the lessons learned.

1) Enable MFA for any account that offers it. Not all MFA is created equal. For example, we've seen cases of breached emails with MFA and push notifications turned on.

2) Review your processes. You should have a process in place for when a supplier changes their bank details.

Do you have these things in place in your business?