Ben Kereopa-Yorke
Act as a chief information security officer who protects Australian businesses. Your goal is to help companies who can’t afford to pay for security expertise by putting together cyber security policies for them. You will need to consider factors like where their infrastructure is (cloud, hybrid, on-premise), how many employees they have, what existing cyber security protection they have etc. You will also need to use the Australian Cyber Security Centre’s Essential Eight framework to guide the policy creation. Do you understand?
ChatGPT
Yes, I understand. As a chief information security officer, my goal is to help Australian businesses who cannot afford security expertise by creating cyber security policies for them. I need to consider factors such as their infrastructure (cloud, hybrid, on-premise), the number of employees they have, and their existing cyber security protection. Additionally, I will be using the Australian Cyber Security Centre’s Essential Eight framework to guide the policy creation.
Ben Kereopa-Yorke
Great, thank you. Begin formulating a policy by asking me questions about the business.
ChatGPT
Sure, to better understand the business and its unique security needs, I will need to ask you a few questions.
1. What type of business are you running?
2. How many employees do you have, and what roles do they fulfill?
3. What types of data does your business collect, store, and transmit?
4. What types of cyber threats do you think your business is vulnerable to?
5. What type of infrastructure do you use? Is it cloud-based, on-premise, or hybrid?
6. What security measures do you currently have in place?
7. What is your budget for cybersecurity?
Please feel free to provide as much detail as possible so that I can create a policy that is tailored to your business’s specific needs.
Ben Kereopa-Yorke
1. A B2B business that does IT consulting
2. 10 employees, a range of roles from marketing, sales, IT, admin and executives
3. Company data, customer data, personal employee data
4. I am unsure what cyber threats are common for my business type; can you help me?
5. A lot of MS 365 cloud-based infrastructure but we also have domain controllers and physical networks on-premise. We are hybrid.
6. We use Microsoft security and have an anti-virus suite, plus a firewall for our on-premise networking
7. 100k per year
Is that enough information?
ChatGPT
Yes, thank you for the information. Based on the details you have provided, I will now proceed to create a policy for your business.
Regarding the cyber threats that your business might be vulnerable to, as an IT consulting business, some common threats you may face include:
Phishing attacks targeting your employees’ email accounts or the company’s website.
Ransomware attacks aimed at encrypting your business’s critical data and demanding payment in return for decryption keys.
Insider threats, where employees, contractors, or partners with access to your company’s systems and data misuse or leak information intentionally or accidentally.
Attacks targeting your company’s intellectual property or trade secrets, such as the theft of source code, proprietary algorithms, or customer lists.
To address these threats, we will use the Australian Cyber Security Centre’s Essential Eight framework as a guide to developing our policy. The Essential Eight is a set of mitigation strategies that can significantly reduce the risk of cyber incidents. These strategies are as follows:
Application Whitelisting: Ensure that only approved software applications can run on your systems.
Patch Applications: Keep software applications up to date with security patches.
Configure Microsoft Office Macro Settings: Configure Microsoft Office to block macros from the internet, and only allow vetted macros either in ‘trusted locations’ with limited write access or digitally signed with a trusted certificate.
User Application Hardening: Configure web browsers to block malicious websites, prevent script execution, and enable click-to-play for plug-ins.
Restrict Administrative Privileges: Restrict administrative privileges to only those users who require them to perform their job.
Patch Operating Systems: Keep operating systems up to date with security patches.
Multi-Factor Authentication: Use multi-factor authentication for all remote access to your systems and applications.
Daily Backups: Perform daily backups of critical business data, and store backups securely off-site.
Based on the information you provided, the following policy recommendations would apply to your business:
Application Whitelisting: Implement an application whitelisting policy for all systems and applications used by the business. Only approved software applications should be allowed to run on company systems.
Patch Applications and Operating Systems: Ensure that all software applications and operating systems used by the business are kept up to date with the latest security patches.
User Application Hardening: Configure web browsers to block malicious websites, prevent script execution, and enable click-to-play for plug-ins.
Restrict Administrative Privileges: Restrict administrative privileges to only those users who require them to perform their job.
Multi-Factor Authentication: Implement multi-factor authentication for all remote access to the company’s systems and applications.
Daily Backups: Perform daily backups of critical business data and store backups securely off-site.
To stay within your budget of 100k per year, we recommend using Microsoft’s Defender for Endpoint as a cost-effective endpoint protection solution. We also recommend conducting regular security training sessions for all employees to raise awareness of potential threats and how to mitigate them.
Please let me know if you have any further questions or concerns, and I will be happy to address them.
Ben Kereopa-Yorke
Why do you recommend Microsoft Defender for Endpoint?
ChatGPT
Microsoft Defender for Endpoint is a comprehensive endpoint protection solution that provides several key features such as:
Endpoint Detection and Response (EDR): This feature helps detect and respond to advanced threats, including fileless attacks and other sophisticated malware that traditional antivirus solutions may not detect.
Attack Surface Reduction (ASR): This feature helps prevent attacks by blocking or limiting the impact of common methods used by threat actors to gain access to systems, such as phishing and malicious attachments.
Automated Investigation and Remediation: This feature can automatically investigate and remediate threats, reducing the time and effort required to address security incidents.
Integration with Microsoft 365 Defender: Defender for Endpoint integrates with other Microsoft 365 security solutions, providing a cohesive and consistent security experience across the Microsoft ecosystem.
Cost-Effective: Defender for Endpoint is a cost-effective solution for endpoint protection, making it a good option for businesses on a budget.
Overall, Microsoft Defender for Endpoint provides a robust set of features that can help protect your business’s endpoints from a range of cyber threats.
Ben Kereopa-Yorke
What would regular security training sessions look like? Could you help me with some training content or advice?
ChatGPT
Certainly! Regular security training sessions are an essential part of any cybersecurity policy, as they help raise awareness among employees about the latest threats and best practices for mitigating them. Here are some tips for developing effective security training content:
Keep it relevant: Make sure your training content is tailored to your business’s specific needs and threats. For example, if your business uses cloud-based infrastructure, you may want to focus on the security risks associated with cloud-based services.
Make it engaging: Cybersecurity can be a dry topic, but you can make training sessions more engaging by using real-life examples and scenarios that employees can relate to. For example, you can use examples of recent data breaches or cyber attacks to illustrate the potential consequences of poor security practices.
Use multimedia: Use a variety of media to keep your training sessions interesting and engaging. For example, you can use videos, interactive quizzes, and games to help employees retain the information presented.
Reinforce good habits: Encourage employees to develop good cybersecurity habits, such as using strong passwords, locking their computers when they step away, and being cautious when opening emails or attachments from unknown sources.
Make it regular: Conduct regular training sessions, ideally at least once a year, to reinforce good cybersecurity habits and keep employees up to date on the latest threats and mitigation strategies.
Here are some specific topics that you may want to cover in your security training sessions:
Phishing: Teach employees how to recognize phishing emails and how to respond appropriately, such as by not clicking on links or downloading attachments from suspicious emails.
Passwords: Educate employees on the importance of strong passwords and how to create them. Encourage them to use unique passwords for each account and enable multi-factor authentication wherever possible.
Social engineering: Explain the risks associated with social engineering attacks, such as those that exploit trust or manipulate employees into divulging sensitive information.
Mobile device security: Discuss the security risks associated with using personal mobile devices for work purposes, such as the risk of data leakage or malware infections.
Data handling: Emphasize the importance of properly handling and securing sensitive data, such as customer information and personal employee data.
Remember to also make your cybersecurity policies available to employees, and encourage them to ask questions if they need further clarification or assistance.