Policy Number: 00142021SR
Policy Date: February, 2022
Purpose of the Policy
This policy provides guidelines for the avoidance of cyber security issues and attacks against Strong Room. It covers what should be done should a cyber security attack occur on Strong Room cyber assets.
This policy is to protect against cyber security breaches by staff and affiliates that might threaten the cyber security of Strong Room.
Common Infiltration Methods and How to Avoid
Brute force: An exhaustive search for authenticated access credentials
Make your passwords impossible to replicate – use software that generates one-off passwords. Do not use the same password for multiple sites. Do not use common dates such as birthdays or anniversaries. If you are going to generate your own password, it is recommended that you use a sentence such as IHateTuesdaysWhenItRains#8.
The use of a password safe to generate and record passwords is highly recommended.
Worms: A dangerous infiltration method that can be sent through files on a computer
The best way to avoid worms infiltrating your computer is to avoid clicking on links directly from emails – it is best to copy the link and paste it into your browser to stop the download of malware onto your computer.
Links in emails should never be trusted, and users should not open links from any source they have not checked first or do not recognise.
Staff should get into the habit of checking the link URL to see whether it points to an unfamiliar service or website, has an odd name or, worse, has a name similar to a real one, e.g. login.commbanke.io
Flooding: Stops communication by flooding the network to the point that it is brought down.
This issue is caused by a targeted and organised attack from experienced hackers and is not an assault on your personal computer but an attack on the company’s systems.
The only thing that will avoid this kind of attack is the installation of robust malware protection software such as Bitdefender or Windows Defender.
Eavesdropping: Decoding communication packets that we send amongst the team
This would require hacking of internal communication systems such as Slack or Discord.
Again, it is imperative to have robust malware protection software, as sanctioned and enforced by Strong Room, implemented on your systems.
Social Engineering: Attempting to impersonate someone to gain access from another person.
This can be avoided by ensuring all business communication is of a professional standard – when a communication is unusually worded or suspiciously casual, it is the employee’s duty to check with the sender to ensure that the communication did in fact come from them.
If the sender has been impersonated, it is the employee’s responsibility to report the impersonation to the Chief Technology Officer immediately to communicate to staff that the account has been hacked and to address the security issue as a matter of priority.
Lost or stolen equipment
Should you lose equipment or have it stolen, it is your responsibility to report it immediately to the Operations Manager or the Chief Information Officer so that steps, such as disabling the phone’s SIM card, can be taken to protect Strong Room assets.
Should you get malicious emails from a known address
You should immediately notify the Chief Technology Officer or Head of Operations who will take the necessary action.
- Your screens/computer should lock after no more than five minutes of inactivity and should require a password to unlock – this applies to all computers at all times.
- Ensure that when you are working on Strong Room’s IP you are not in a place where your screen can easily be seen by others in the surrounding area; your screen should not be visible to others at any time you are working on Strong Room information.
- Do not, at any time, insert a USB drive into your computer unless you are certain of its contents and origins.
Your contract is clear about the protection of Intellectual Property at Strong Room; it is your responsibility to ensure that data is secure at all times.
The use of password lockers
The implementation of the KeePass password locker is a requirement across the business.
KeePass is where all logins and passwords should be stored. Where possible, use the password generation feature to ensure that your passwords are not easy to guess.
At no stage should your KeePass file be sent to a personal email address or shared with anyone internal or external to the company.
The sharing of your password safe at any time or for any reason will result in immediate and serious disciplinary action.
Should there be any breach of this policy, the Chief Technology Officer and Head of Operations should be informed immediately via this form.
Should the threat be serious, this will be escalated to the E-Safety Commissioner as per Australian legal requirements.