Ask Us Anything: Cybersecurity expert Karissa Breen answers your burning online safety questions

This month we asked you for questions on cybersecurity, data protection and the best ways to protect your business. Answering your Ask Us Anything questions (in partnership with Optus Business) is cybersecurity expert and entrepreneur focused on the technology space, Karissa Breen.

We have chosen four excellent questions and we hope Karissa’s expert answers will help you create the ultimate cyber protection your business needs.

1. How can I prevent my staff from falling victim to a cyber scam? What kind of training can I give them? 

Preventing your staff from falling victim to cyber scams requires a multi-layered approach. 

Training and Awareness: Conduct regular training sessions on recognising phishing attempts, social engineering tactics, and other common scams. Use real-life examples to illustrate risks.

Clear Communication: Establish guidelines for how to handle sensitive information and communications. Encourage employees to verify requests for sensitive data through established channels. This can be as simple as calling an official phone number to verbally confirm.

Phishing Simulations: Run periodic phishing simulation tests to help staff identify potential threats and reinforce training.

Secure Password Practices: Encourage the use of strong, unique passwords and the implementation of two-factor authentication (2FA) for all accounts.

Regular Updates and Patching: Ensure that all software and systems are up to date to protect against vulnerabilities.

Access Controls: Limit access to sensitive information based on job roles. Implement a principle of least privilege. This translates to not giving every user more levels of access than they need to do their job. You don’t give the keys to the vault to the cashiers.

Incident Reporting: Create a culture where employees feel comfortable reporting suspicious emails or activities without fear of reprimand.

Use of Security Tools: Implement email filtering and anti-malware solutions to reduce the risk of threats reaching employees.

Physical Security: Ensure that physical access to sensitive data and systems is controlled, as physical security is also a part of cybersecurity.

Regular Reviews: Periodically review and update your cybersecurity policies and training materials to reflect the evolving threat landscape.

By fostering a culture of security awareness and implementing these measures, you can significantly reduce the risk of your staff falling victim to cyber scams.

2. How can you protect your data when using AI tools like Chat GPT?

“Don’t share sensitive info. Chats may be reviewed and used to train our models.”

This statement is literally inserted into the user interface of ChatGPT at time of writing! Generally speaking, there are several domains that need to be addressed to ensure data security for organisations – and even individuals.

When using AI tools like ChatGPT, it is important to take steps to protect your data. Here are some key practices.

Data Minimisation: Only share the information that is absolutely necessary for your query. Avoid disclosing sensitive or Personally Identifiable Information (PII).

Understand Privacy Policies: Familiarise yourself with the privacy policies and data handling practices of the AI tool you’re using. This will help you know how your data is stored and used.

Use Anonymisation: Whenever possible, anonymise any data you share. This reduces the risk of sensitive information being linked back to you.

Secure Connections: Ensure you’re using secure, encrypted connections (like HTTPS) when accessing AI tools, especially if you’re inputting sensitive data. So, when connecting to a website, any modern browser will warn you when your connection is insecure. By ensuring there aren’t any third-parties listening in, you’re safer (but never 100% safe) to use AI tools. Potentially otherwise, a hacker could be sitting there and feeding you information you’re assuming is scripture, or recording sensitive information.

Review Settings: Check for any settings related to data sharing or storage within the AI tool. Opt for configurations that prioritise your privacy.

Educate Your Team: If your staff is using AI tools, provide training on what data is safe to share and what should be avoided. This information should be available from your company IT or security teams, and never share anything you wouldn’t want the world to know.

Limit Usage of Sensitive Data: If you need to work with sensitive data, consider whether it’s necessary to use AI tools for that purpose or if there are safer alternatives.

Monitor Access: Keep track of who has access to the tools and the data being processed, ensuring that only authorised users are involved.

Feedback Mechanism: Use available feedback mechanisms to report any concerns regarding data privacy to the service provider.

By implementing these practices, you can enhance the protection of your data while leveraging the capabilities of AI tools.

3. What is the best anti-scam software / hardware for my phone and computer?

The best practice is to never give anything to anyone unless you have absolutely and unequivocally verified their identity and they need your details. And implementing Two-Factor Authentication or Multi-Factor Authentication (2FA/MFA). There are simple apps (Like Authy or Google Password Manager, as well as tools from Microsoft and Apple) you can use that will generate an additional code you can enter along with a traditional password. Alternatively, many online services offer SMS codes instead (Any tools that are available that offer 2FA will 99% of the time offer SMS as an alternative or the only option. You typically receive a 6-digit code by SMS to confirm your identity). This brings a huge uplift for your personal security – arguably the most bang for buck. You don’t need to use it for everything as this can generate unnecessary friction for users. But use it intelligently for anything you want to keep private from everyone.

There is also an amazingly simple device called Ýubikeys’ that are the same size as a USB key, and they also allow you to tap your phone. These work with passkeys that ostensibly perform the same function as 2FA/MFA without needing to request/receive/send the codes – plug or tap, and you’re good.

4. If my business gets scammed or hacked, am I obligated to let customers know? What’s the best way to do that?

Yes, if your business in Australia experiences a data breach that affects personal information, you are obligated to notify your customers under the Privacy Act 1988. Here are the key steps you should take:

Assess the Breach

• Determine if the breach is likely to result in serious harm to any individuals. This includes considering the type of information involved and the circumstances of the breach.

Notify Affected Individuals

• If serious harm is likely, you must inform affected individuals as soon as practical. This includes explaining what happened, the type of data involved, and the potential consequences. (See ‘Channels of Communication, below)

Notify the OAIC

• You must also report the breach to the Office of the Australian Information Commissioner (OAIC). This should be done within 30 days of becoming aware of the breach.

Communication Strategy

• Clarity: Use clear and straightforward language to explain what happened.
• Details: Provide details about the breach, including what data was compromised, how it happened, and what steps you’re taking in response.
• Advice: Offer guidance on what customers can do to protect themselves, such as changing passwords or monitoring their accounts.
• Support: Include contact information for customers to reach out if they have questions or need assistance.

Channels of Communication

• Email: Send direct emails to affected customers.
• Website: Post a notice on your website with relevant information about the breach.
• Social Media: Use your social media channels to disseminate information widely.
• Media Releases: If the breach is significant, consider issuing a press release to inform a broader audience.

Follow-Up Actions

• Mitigation: Outline the measures you are taking to prevent future breaches and improve security.
• Monitoring: If necessary, consider offering affected individuals services like credit monitoring or identity theft protection.

By following these steps, you can handle the situation transparently and responsibly, helping to maintain trust with your customers while fulfilling your legal obligations.