RUSH Digital’s CTO and founder Danushka Abeysuriya has watched with growing horror the recent spate of cybersecurity attacks directed at New Zealand businesses.
He doesn’t usually write content focused on helping everyday citizens with personal tech issues, his day job is leading RUSH’s team of engineers who last year developed the celebrated Covid app we use every time we leave the house, but after a year of looking at this issue for RUSH he sat down and penned a “No BS Checklist for cybersecurity” – included below.
RUSH works with clients like Google, ASB, eRoad, Spark and the Starship Foundation, bringing to life digital experiences that differentiate their clients from their competitors. When it comes to cybersecurity Danu believes that a small amount of learning and effort will limit the extent of a hack, ransomware or a data-leak affecting your work and personal life. You don’t need to be a tech guru to keep yourself or your business safe.
Danu quotes Richard Branson – “like him or loathe him, he once famously said “…the art is to protect the downside.” I’ve used that to great effect in my career and in business. It applies to cybersecurity too.”
I reached out to Danu to find out more.
You say that over the past two years, you’ve learned a lot about cyber security – not just in a business setting, but personally as well. What have you drawn from those experiences?
When I was starting my journey as a computer programmer and software engineer, hacking was something that was something that was cool and interesting. And as an entrepreneur, you always like to bend the rules and test limits. Hacking is kind of a manifestation of that, so there’s always been this natural interest in it, but I guess what’s kept me on the straight and narrow is having personal ethics behind the work I do so that I’m not building or using tech in an exploitative manner.
I think the biggest thing that I’ve learned is that if you don’t spend time thinking about cybersecurity every day, you miss opportunities to improve and when you think about cybercrime, security is really about staying ahead of the criminals, right? So continuous improvement becomes more important.
There are different levels of sophistication; there are really targeted things that you hear about, stuff out of spy movies, where you’ve got big companies getting hit and big threat actors attacking oil pipelines and things like that. Then there’s the more mundane day-to-day stuff, where everyday small businesses and individuals are suffering ransomware attacks and being asked for a couple thousand dollars to give their data back or being scammed out of their savings.
These day-to-day attacks are the ones that the general public and small business owners need to watch out for and have been on a dramatic rise recently. The types of attacks I’ve seen have become really automated are opportunistic in the way that they rely on things like computers not being updated, bad passwords, and taking advantage of a lack of simple cybersecurity habits. The message here is: If you are thinking proactively, you can easily avoid these attacks and they don’t require massive effort or complexity, they just require a little bit of focus on your cybersecurity habits.
Looking at it another way, it’s the same as your health. If you don’t think about your fitness or health daily, then it’s more likely to suffer. If you proactively think about your health, your routine, what you eat, everyday then it’s fair to say that you’re likely to have better health. With cybersecurity, proactivity goes a very, very long way.
How devastating can a cyber-attack be for a business and what should businesses do now to avoid future attacks?
When businesses are dealing with customers, they represent trust and no business wants to lose the trust of their customers or their employees. Cyberattacks are a real threat to that trust model and they are hard to control. But you can do things to limit the chance of a cyber attack, and if something does happen, limit the extent of the damage.
The first thing to acknowledge is that the world and technology change rapidly. During the pandemic people are working remotely, and criminals use that opportunistically to exploit weaknesses that businesses wouldn’t necessarily have planned for.
Businesses should be doing more planning and drills; what happens if we are hit with a cyber attack? What will we do? This will flush out things you’ve not considered and also give you a good feel for where you need to improve, or even how exposed you might currently be.
I would also recommend that businesses consider governance around how to continuously improve and stay up to date with understanding the current security landscape. It’s moving much faster than it used to, so doing a “project” is not the approach any more – it’s an every day, every quarter thing now.
Previously, cybersecurity was something built into a lot of the software that businesses used and there was a level of understanding that was okay for the time. But I think now the market, the environment, and the threat landscape has changed so much that we have to proactively go out and seek to understand what are the real threats in today’s cybersecurity landscape? And then, finding out how they translate to my specific business to take proactive measures to mitigate risk.
In short, businesses need to be more proactive about cybersecurity, assign responsibility to an individual, and talk about it at all levels; at the governance level, at the board level, the management team level, middle management and execution team level.
You have some great tips on passwords – there’s a trend (e.g. Microsoft) – towards a passwordless future – what’s your view?
Passwords were appropriate back when the internet was slow, you had to physically connect and you could turn your internet off; you weren’t always connected. There were bandwidth and capability limits on top of that as well, and many products ran on your computer rather than in the cloud through a browser.
I think passwords are outdated now and they do need to go. The best thing that we can do is use something like what Microsoft is pushing which is having a second personal factor of authentication, because that adds one element that passwords don’t have to the security model: a physical and in-moment awareness of authentication, bridging the digital and real world. It’s not perfect yet but changes are trending the right way – however our future with passwords is going to be around for a while because there’s just so many services so it’s going to take time to move software away from that old system.
In the meantime, we really need to think hard about our password hygiene and quality.
Always-connected devices like routers or webcams – what should we be aware of there?
Routers are really interesting because they’re basically the wall between the open internet and the devices on your home or office network. I think routers especially in a business setting are a much more tempting target – cyber criminals know they are going to get far more mileage attacking a business router than they will with a personal individual.
Because it’s the thing that holds back free access into your network, it can be a critical failure point. I believe, in general, a lot of people don’t think hard about their home routers because they tend to be issued from an ISP, a user installs it, and probably sticks with the ISP for two or three years until another great deal comes along. However what this means is some of these routers have not had their software has not been updated for a very, very long time.
There was a study done by a German Research Institute where they investigated around 130 models of home routers that were available on the market, and they found that every single one of those routers had critical vulnerability in its firmware So statistically speaking, everybody who’s got a router right now has a potential vulnerability that can be exploited.
I think the best thing that we can do is, insist that router manufacturers approach security much more rigorously. There is precedent for this in the US.
As consumers we need to be more aware. When we’re looking to buy a router or when we’re deciding to change from one ISP to another, ask them what their policy is around router updates. “Is my router going to keep being updated automatically?” “Are you guys going to take responsibility for that?” Because if there was a ransomware attack or your privacy was breached due to your router being a soft target, you end up “holding that baby”, as it were and I don’t think that that’s fair.
No matter if you’re an individual or business, you need to invest in having better antivirus and security software than the one that just ships with your computer or phone. By not having that line of defence or having that “fence” be only waist high, you’re making it easier for hackers to get in and you never want to have a situation where your network is exposed to the internet, because it just makes it so much easier for a compromise to happen.
Cybercriminals or hackers want to go for people who don’t look like they’re paying attention to their cyber security. So even the habit of keeping your router up to date can be an important deterrent. If it looks like you’re keeping things up to date, a hacker or their hacking scripts will see that this is a new router, it’s the latest firmware, this person’s obviously taking care of their cybersecurity, they’re probably going to have long passwords, they’re probably going to be using a password manager, they probably got antivirus installed. Let me not bother with this person and move on to the next one.
NZ businesses have been the brunt of many attacks recently – on banks, hospitals, the NZX. I use a MacBook Pro and an iPhone – I don’t really need to worry about this do I?
Macs and iPhones are extremely vulnerable to different threats than those for a Windows user. The iPhone is arguably the most critical piece of tech in someone’s life because of the way that Apple has constructed the services, so a breach in an iPhone is worth orders of magnitude more than a breach on any other model of handset.
If a cybercriminal were to crack an iPhone, they would potentially unlock that entire person’s life potentially accessing email, messages, documents, photographs, backups, and apps that would at the minimum allow you to impersonate an individual to an exceptional degree, and also make getting the data back if held for ransom, that much more important. So while it might be harder to break into an iPhone, if it’s compromised, it’s much worse.
Mac’s are part of the ecosystem as well, and if you’re an Apple user, your Mac is probably your weakest point because it can harbour malware and pass it on to other users because you don’t have a strong antivirus running because many Mac users do not think it’s important.
As a business, how high a priority is cybersecurity at RUSH – and – generally speaking – what sort of budget should business owners set aside for this?
For RUSH, cyber security is one of the most important organisation-wide priorities that our business has.
Recently we’ve been going through the work of aligning for an ISO 27001 certification so we really understand the importance of the trust our customers need to have in us as a software company. We’re building products that our customers’ customers need to trust, and as such, we need to respect that as a really critical business priority.
We have invested heavily in ensuring that we have some of the best tools available to our team, and quality control mechanisms from a security perspective, as well as maintaining a security capability, just to protect our team and protect our customers, not as a service offering. We’re not trying to fit it into our business model as a revenue generator, it’s a cost that we see as a critical investment for our businesses longevity.
As Founder and CTO my role also includes acting as Chief Information Security Officer, I have board representation, hold position in our management team, and also execute with customers and operational teams – I have a huge amount of respect for delivering that security responsibility.
The best way for business owners to know what budget they need for cyber security is to first do a risk assessment. Model out some of the typical cyber event scenarios that could happen in your business and work with a professional assessor to evaluate what real world implications those would have.
For example how would the Privacy Act affect your business in a scenario where you may have leaked some private information? Once you then look at those risks and estimate the cost to your business for each event, it starts to give you an idea of how it would affect your continuity and reputation and give you an indication of how much you should invest in cyber defences. Some businesses may not need to prioritise certain defenses and not others because they don’t store certain types of information or don’t use certain tools, but you absolutely must do the basics and then level up as required for whatever it costs.
It’s a dollars to risk exercise, which can be done a few hours spread across a couple of weeks with a little bit of advice from some security professionals.
How would regulation help everyday citizens manage their cybersecurity?
I think regulation can really help by mandating standards. Some governments around the world require suppliers to be ISO standards certified, there are now privacy protection policies which give individuals the right to have businesses delete their data, and the right to not supply data to get access to a service, or limit how that end especially know how that data is used, and where it ends up.
I think GDPR is a great model as it strikes a fair balance between individuals needing to be in charge of their own data and personal details and the business has obligations to respect the fact that they are storing that information. A “Digital Security Act” could be a simple piece of legislation based on the essentials of ISO27k that all small businesses could implement cost effectively. This would be a big win for everyone’s security.
Should using a VPN be part of people’s cybersecurity toolkit?
VPN is great for privacy and they definitely help security a lot; if your connection is encrypted it means that no one can snoop on it as easily which is valuable when you’re transmitting sensitive information.
If I was to think about one of the areas that causes the most problem, though, which is emails accidentally clicking on phishing links to malware, then there’s a little bit more value for the everyday individual to be had from something like DNS protection.
Phishing relies on people not paying attention and accidentally passing on or entering your details, so a DNS firewall service like NextDNS or CloudFlare protects users by improving bad links, domain checks and AI threat protection.
The combination of VPN and a DNS firewall would give you the maximum amount of protection – if I had to pick between the two, I would say for the home user, a DNS firewall on a desktop computer but for a laptop or phone, I would be getting a reputable VPN and a DNS firewall (to keep you protected in Cafe’s and on other people’s networks you inadvertently join).
You don’t usually write content focused on helping everyday citizens with personal tech capability, what’s piqued your interest in this issue of cybersecurity?
The thing I’ve enjoyed the most about implementing improved security in the business is that we are immersed in it everyday and we can obviously all see the potential, but sometimes there are quick wins that people share with their families, for example critical iOS updates, and that feels great as a company leader to know that the things we do at work are helping not only our customers and our people, but their families and friends.
The journey that I’ve gone through with RUSH’s security programme has been an incredible amount of work for myself and the security team – and I thought “wow, cyber security must be absolutely overwhelming for anybody who just wants to use a computer to check their email”. Why should they have to worry about all this stuff? Cybercriminals have chosen to use their capabilities to exploit people who aren’t asking for it. Do we just say it’s up to each individual to learn how to keep these things secure? We just spent a year looking into all of this stuff, so the best thing to do is actually to keep everybody safe by sharing the knowledge and making cyber safety easier.
And the reason I wrote a checklist is because I’m 100% sure that people want to keep their family and friends cyber safe, but maybe they don’t have an easy tool to be sure that they’ve done enough or a simple way to help.
What’s your view on the big cloud services, data centres so much of the internet depends on now – a breach there could be catastrophic couldn’t it?
I think the advantages we get with having the might and capability of these tech companies developing infrastructure, commoditising it and making it more available is hugely valuable to society, if deployed for the right reasons.
In the late 90s businesses spent a lot of time surviving, keeping their infrastructure alive, not focused on solving the one problem that they really wanted to solve, which might have been, for example, making accounting software really beautiful and easy to use (hello Xero!) – imagine if they had to physically manage all their hardware during that insane growth period from ‘09 through today. The Cloud has given them more than just “keeping the lights on.”
I think what the cyber security landscape highlights is that in order to capitalise on that rapid growth potential, you need to comprehensively account for the security of your infrastructure, and thankfully the cloud providers do understand how important that is. They work very hard to try and stay ahead of the cybercriminals, they invest heavily in cybersecurity and provide guidelines for how you should be configuring all your services. So the responsibility of security isn’t just squarely on the individual. In that light, the benefits we get from the cloud, especially when managed properly are great and shouldn’t be discouraged.
On another issue – why can’t a vaccine passport be a part of the Covid app RUSH has developed?
Putting the vaccine passport in the NZ COVID Tracer App, at face value, might make a lot of sense.
The rapid digitisation of a health related digital product was a really big step for our Government, and also our society – we previously hadn’t had that before at that scale. The pillar of that product has been its privacy-preserving ability; the entire design of the product down to the software source code, which is open sourced and independently verified for security and privacy, was to ensure that users could keep all of their recorded data on their own device without ever identifying who they are. It’s the promise we made to society and NZ COVID Tracer App users.
Now, think about the use case of a vaccine passport – I have to be able to store my vaccine record in a way that definitely identifies me.
Even if we were to design the software to have the ability to anonymously store some data and not others, it’s much harder to communicate to people. The NZ COVID Tracer App communication has been really consistent; it’s privacy preserving, does not identify who you are, all your data stays on the phone, etc. If we change that communication to say it can identify you in this instance, for this reason and not in others, it could lead to a lot of confusion.
The delineation of responsibility makes communication and use a little bit clearer. People can choose to contact trace anonymously on one app, and they may choose to or not, store their vaccination record digitally on another product, and that makes decisions easier to manage for individuals.
Apple & Google are also of the same view that keeping scanning apps and passport apps seperate is the right thing to do.
Finally Danu – you’ve said that technology can “make you a better person” if you harness its power correctly… can you talk a little about that?
I could talk about this for days! The analogy I always go to is… picture a hammer. It’s a tool. A hammer can easily inflict harm and damage, but it’s original intended purpose is to make and create and do things like build shelter. Technology is one of those dispassionate tools. It doesn’t know the difference between right and wrong. That’s up to us. Technology has many wonderful use cases that are human friendly so technology can benefit us and make us better if we align it to a set of values that improve society.
In terms of enhancing humans… that’s really, really interesting. If you are on a bicycle, you can travel much further and much faster, given the same amount of energy as if you ran. Computers can also do that, because they can do things like calculations, even put civilians in space. Imagine if we had SpaceX when Albert Einstein was alive, we could have put him in a spaceship, sent him into space, and got him to observe the theory of relativity directly. What would have that unlocked? If we work towards creating technology that fills gaps and amplifies strengths that humans have, we can enhance ourselves to be the best versions of ourselves.
Danu’s No-bull checklist for keeping cyber safe
Thanks to Dermot Conlon (DevSecOps/Kordia) and Ian White from ZX Security for peer reviewing this.
Must-do cyber checklist
You should be able to tick EVERY box here. No tick-y, no Secure-y! I have provided recommendations for software to use alongside this checklist in the following section.
- I use long PINs (6 numbers or more) and long passwords or passphrases (15~20 characters) that have numbers, symbols and letters for at least:
- All my email accounts, including that hotmail account you signed up for in high school
- All my banking and finance related accounts
- All my work logins
- All my social media accounts
- Every single one of my passwords or pass phrases is not easily guessable. Use a passphrase if you’re not great with password managers, or remembering passwords (though, a good password manager really helps with this!).
- I use a password manager to securely generate them or make sure my passphrases are really unique.
- I don’t use famous quotes, names of famous people or sports teams
- I don’t use personal details of mine or people that are close to me – these are details like mine or my partner’s birthday, names or addresses. This data is very easy to get (or be hacked) and hacking using password guessing works so well it is collectively embarrassing as a species. This type of data leaks from the most innocuous places like that Facebook Quiz to find out “if your IQ is higher than your friends!,” maybe it was that cheap Insurance quote you filled out online but never bought…5 years ago.
- Every single one of my pass phrases is unique. Imagine if the same key for your front door also started your car and opened your office. Losing one key, risks losing many things. Don’t risk it.
- I don’t share my passwords. Not even with my cute grandson who might later lose it without your knowledge. If you’re not sure if you’ve shared a password, just change it to be safe.
- I have enabled Multi-Factor Authentication (MFA) and I have printed my MFA backup codes for my accounts. Store them somewhere safe, Store them with your passport for example – but remember, if you lose your passport, you better invalidate those codes… fast! I personally keep them in a separate location to any of my IDs.
- I use a Password manager. They help generate secure passwords, store passwords, and make password management a heck of a lot easier. Password managers also make using passwords easy – you don’t have to remember them all, it just fills them in for you.
- I use a reputable Internet Security suite that has Antivirus, a Firewall, and Disk Encryption on all my computers, tablets and phones. Yes, even on a mac.
- I have signed up my email address to Mozilla Monitor. This free service monitors the dark web for your email account and lets you know if it was involved in data leak or hack on one of the online services you use – https://monitor.firefox.com/ – you don’t have to use FireFox to use the service.
- I have a good password and PIN code setup on my personal and work computers and my phone, and all my devices auto-lock after a few minutes. These devices are gateways into your digital identity and hence now, much of your life. These passwords offer more protection if you get Malware but also if you lose a device or it is physically stolen. Make sure they are properly protected. It sucks to lose a device, then realise it was unlocked for anyone to pry.
- I keep my devices and software up to date. Software providers and hardware providers regularly release fixes to security issues. Keep your devices up to date, it’s really important. Turn on auto-update if it’s available. Don’t put off installing updates and take a note when there hasn’t been an update for a while – it could mean something isn’t working.
- I have a backup service like Microsoft OneDrive, Google Drive or Apple iCloud enabled on my phone and computers. This is the simplest mitigation against malware that encrypts and ransoms your data. Unfortunately this doesn’t stop hackers threatening to leak the data on the public internet, so you still want to avoid Malware!
Keeping safe checklist
- I’m aware that if I get a Social media message, email or call about something that is too good to be true, it probably is. Yes that’s right, no one wants to give you $10,000 for free. No, there wasn’t an error, and yes, it is suspicious that they want to give you money but are asking for you to give them money first.
- I’m aware that if I get a Social media message, email or call from the “IRD”, “your bank” or “your insurance” company, there is no harm asking if you can call back. Hang up and Get the number from their official website. If it was a scam, tell your service provider and report it online at https://cert.govt.nz to help other kiwis.
- I know what to do if I get into trouble. Shutdown any affected devices immediately if you have concerns about your device. If a password is involved, change your affected passwords immediately – and I mean the second you realise. It’s common for an automated script to be doing the hacking, it moves quickly, you need to be quicker. Contact your Bank immediately if needed. Call Netsafe toll-free 0508 NETSAFE (0508 638 723) or text 4282 to get support and help.
Should-do cyber checklist
- All my important passwords are not more than a year old. Data from hacks and leaks can take years to be exploited. Changing your passwords helps protect you by making your “old” passwords useless if they did happen to leak.
- I don’t provide my real details if they aren’t needed. Does your favourite online shoe store reeeally need to know your birthday?
- I delete old accounts or request my data to be deleted. You can do this under your rights provided by The Privacy Act 2020 (in NZ), and generally GDPR compliant services. Check in the profile or account page for a “delete” button. They can’t steal your data if it doesn’t exist!
- I avoid using SMS for 2 factor authentication where possible. SIM-jacking is unfortunately pretty easy, using a Rolling Authentication code or “Temporary One Time Passcode” (TOTP) is a better option.
- Keep your home (and office) router updated. Oftentimes the security quality varies from brand to brand between routers and that scarily, home routers are notoriously insecure – a 2020 report found out of 127 different models of routers every single one had notable security flaws. While most are configured to not be accessible via the internet, that assurance is only as firm as our knowledge of an exploit that bypasses that. The best thing is to keep them up to date and configured correctly. For this I do recommend getting a good aftermarket router from the likes of DrayTek, Peplink, AVM and ASUS which have firmware auto-update features and internet security capabilities.
- For more help and general awareness, there are some great guides on CERT NZ and Netsafe NZ