(On Demand Webinar) – An overview of organisation protection in the digital world
[Start of transcript]
I’m just waiting for a few people to turn up, just to make sure we get everybody.
We’re broadcasting this on Periscope as well, just to be on the safe side. Let’s see if it works because I think it will be an interesting time to see if we can get this type of thing working.
Today I’d like to talk to you about how a small business can create a better framework for business, so to protect yourself in the digital world and also just to make sure that a lot of things are in place so that you don’t get targeted by not only the bad guys but everything else that is out there. So that’s the aim of the presentation, and hopefully you’ll get something out of it and you’ll be able to go to the next level and improve the security around your business and your organization.
We’ll wait another couple of minutes just for a couple of stragglers that are coming, just to make sure we’ve got everybody, and then we’ll just get stuck into it. You won’t see me. I’ll put up a slideshow that is not that much. I’m not going to baffle you with PowerPoint art, but hopefully we’ll get everybody on the same page when it comes to digital security.
Okay, I’m going to start now.
It’s Complicated out there!
We all know how complicated the digital world can be. No matter what you’re doing on it, no matter what you’re in charge of, no matter what part of it you’re using for your business, it gets pretty complicated pretty quickly. On top of that, if you’re not really careful about what is happening, you then become a target of cybercriminals and cybercrime. What we are trying to avoid is making sure that you are not in there.
Understanding the requirements of digital security
What we’re going to do today is discuss the understanding, the requirements of digital security and just give an overview of what you need to do to protect your organization in the digital world.
Roger Smith – Speaker
My name is Roger Smith. I’m a speaker. I’m also an Amazon #1 author on digital crime. I’m the CEO of R&I Consulting, and I focus on getting everyday users of the digital world to understand the dangers, and take necessary precautions. So my role is to stop smart people making dumb mistakes. That’s what it’s all about.
So this presentation, we’ll just go through:
- What the bad guys are after and why we know that
- How the bad guys get in and how they target you?
- What are the basics of digital security?
- Then we’re going to go into the 4 pillars of digital protection and what it means to an organization
- Then we’ll talk about getting the right balance and why you need to get that balance involved.
- Also then, we’ll just go into other things like you also need to look at the non-digital stuff to protect your organization.
- On top of that, at the end of it, we’ll go through what you can do now.
The digital world is used by all of us, literally. Anybody in business in the Western world now has some presence in the digital world, whether it’s just a basic email or it’s a full-blown 3,000 people using a cloud-based system all over America or Australia, in those areas. The reason why we’re going to the digital world, mainly because it’s cost-effective, and on top of that, it is low-cost.
But we use it for everything. Social media, business, networking, search, innovation, R&D. We use it on our websites and we use it for marketing and sales. It is a very interesting balance to make sure that you are—you have the convenience of the digital world but you’re also protecting yourself from the bad guys.
Exponential rise in crime
Originally, crime started with I had something that someone else wanted and they took it away from me. Then in the 1600s, 1700s, 1800s, 1900s, we had a large group of people storing their money in specific places, and that’s where we had the rise of the bank robbers and the places like Jessie James, Ned Kelly, Ronald Beats, because a group of people could steal from a larger group of people.
In 2014, we had the Target hack. It was a very small group of people stole information and money from 34 million people. This is what we’re talking about, the exponential rise in crime. Because at the moment, making sure that you are protected means also making sure that when you give your information away, that is protected as well.
What do they want?
But what do the digital criminals want? What do the bad guys really—why are they doing what they do?
Money, access to money and money under your control
Well, they need access to your money, and access to money itself, but also access to money under your control. So that access to money also means that they are looking for ways to get you to compromise your security and give them your money.
IP / trade secrets / tactics and strategies
They’re also after your intellectual property, your trade secrets, your tactics, how you work, how you do business. All of that information is really important if they were to come in and try and take over something else that you’re already doing.
One of the other things they’re most importantly after is they’re after your client information, because with the client information, they can go off and target other people. It becomes part of their social engineering component of the digital world so that they can find out all the right information about what you’re doing and what your clients are doing.
One of the things that people forget is that they’re also after your technology. They’re after your Wi-Fi system. They’re after your router. They’re after your PC. They’re after your laptop. They’re after your smart devices. Because they can then use those smart devices to target other people.
But on top of that, your technology is worth money to them. Because it’s worth money to them, they are quite happy to compromise your system and make sure that you then become non-controlled by yourself. That is why we lose control of our technology with things like malware and viruses, and worms.
What are they using to get in?
So what are they using to get in?
In most cases, the number one attack weapon of the cybercriminal, or the digital criminal, is email, because everybody’s got an email account. Email is easy enough to target. It doesn’t cost them any money.
With the rise of email, we also saw the rise of spam. In the 1990s, early 2000s, we had spam that was more interested in selling Viagra or getting a Nigerian prince’s money out of Nigeria. But then smarter criminals got hold of it and started utilizing it for other things.
Then we had the rise of the phishing email. We’ve still got phishing email like we get nowadays. The classic example is the crypto-virus. We get a phishing email that’s addressed from the APO, or the Post Office, or Internal Revenue. Because we are very willing to open and look at an email when it’s based on that.
But then again, we then had the introduction of the spear phishing. This has only been around for the last maybe six to seven years. Spear phishing is an email that comes into your system that is specifically targeted at you. Because they’re specifically targeted at you, they’ve done their research.
They know you are. They know who you are targeting. They know what your friends are. They know what your business is. They know what your hobbies are. They will write an email that is specifically aimed at you, making that idiot decision to click on the link.
But what phishing email and spam, and the spear phishing email are doing is they’re targeting exploits within your system. The exploits are pieces of code that haven’t been written properly, or they’ve been removed but they haven’t been deleted from programs. These programs that have these exploits, you know, Windows has 2 ½ million lines of code. Finding a specific error in that takes a lot of work. The trouble is, the cybercriminals have got the time and the energy to do that, and that’s what they do.
Infected web sites
But just like we have operating systems on PCs, we have operating systems on websites as well. We have the underlying operating system. The underlying operating system is what hosts the website itself. So if that gets compromised, all of the websites above it get compromised as well. They use that compromised system to actually file out malware to other people.
The Insider (malicious and unintentional)
We’ve also got the insider. The insider can either be a malicious person who doesn’t like your systems, doesn’t like you, doesn’t like your business, and they’ve been employed by you, and you’ve realized they don’t like you and they have stolen information, or stolen systems, or put malware on your system.
But there’s also the unintentional one. That person who has clicked on the link that you didn’t want them to click on. That has exposed both your PC and your business to the digital criminal. You don’t want that to happen.
What are the basics?
So what are the basics? The basics are really easy. There’s 8 of them. Those 8 basic things that you need to do will protect you in the digital world.
I’ll miss the first one, but passwords. Passwords are really important. They’re your passport to the internet. They are your passport to the internet on any number of websites that you go to. Passwords have to be longer than 8 characters. They have to be complex, so anything on the keyboard is fair game. They have to be unique for every website you go to.
That, as you can understand, that is a problem just in and of itself unless you have a system on doing it. I have a number of videos that you can watch that will actually explain how to create complex passwords that are really easy to remember.
I was talking about exploits earlier. So when an application or an operating system developed or found that they have an exploit, they will patch it. They will send out an update that will remove the capability of something being able to target that issue. Although 99.9% of exploits are benign, they can’t do anything. Maybe you can create a character on the screen, but it’s not going to cause a problem. They’re not going to allow access to the back end of the computer.
The next thing you need to do is worry about anti-virus. An anti-virus is really important because it catches that 99.9% of the viruses that have been around for a while. By catching that, it then means that you can keep an eye out for that other 0.01%, or 0.1%.
Back it UP
The problem with the digital world is it’s digital. My laptop falls in the—gets flooded out, or I drop a cup of coffee on it, or I drop my phone in the toilet, or someone steals my tablet, then all of that information that was on it is now gone. So we have to make sure that we are backing it up and backing it up in such a way that is not stored in the same place. So if I lose my phone, I have a backup of all my contacts, all my videos, all my films.
The next thing we have to worry about is firewalls. Firewalls are used to protect you from the digital world. They stop those basic attacks coming into your PC or into your business. They are there to make sure that whatever coming from inside the business goes out but everything on the outside doesn’t come back in.
There’s two that we’ve coined. Paranoia. Fear the digital world. Don’t be scared of it, but have that underlying system in place that you go, “Should I do that or shouldn’t I do that? Why am I doing that?”
The last one is common sense. Common sense is really important when it comes to making that split-second decision between clicking on that link that decrypts all your data on your PC, or not clicking on that link. Common sense is a question about “Where did they get my email address? How come they’re targeting me, and why are they sending me an email?’
What is a framework?
So what is a framework? I’d like to talk to you, the framework we’ve developed that is, I suppose, an easier way to understand how you can protect yourself. There are a number of frameworks out there. This is just a few.
- We’ve got the Control Objectives for Information and Related Technology (COBIT).
- We’ve also got the ISO 27000 Series.
- We’ve got the NIST Special Production 800 Series
These are complicated frameworks around how you do business. They want you to change your business to fit in with these frameworks. That’s where the problems really start from, because no longer can we say you are a x in this industry, so this is how you have to do business, because if everybody else is doing business that way, there’s no advantage in doing it. That’s where technology is really come into its own.
But also we’ve got the vendor-based technologies and the vendor-based frameworks. Those frameworks are things like the Cisco Security Framework that relies on Cisco products, or Strategic Framework if you’re using cloud, or an IT Security Policy, which is a really basic framework about how you are going to protect your business.
The 4 pillars of digital security
So we’ve taken all this information and we’ve tailored it down to four pillars of digital security.
What you really need to do to protect your organization
You need to worry about the technology. The technology in place of how you are going to do business. That technology makes your business so much better and makes you competitive in the industry.
You also need to have a management component. That management component takes into account all of the other components and the pillars of security.
We then have to have an adaptability component. The adaptability component is not about if something goes wrong, but it also involves having your organization able to change direction without losing impetus. So you can see an opportunity, and if you are adaptable, you can actually grasp that opportunity without having a problem.
Then the last one is we all have a government compliance component. That government compliance component is how it’s all based in the industry, or via government, or how you want to do business yourself.
So let’s just take a step back and go through each of these areas.
The technology. Literally all of the technology components of your business. So you have your operating systems, your hardware, your software, your applications, your encryption, your cloud, BYOD and how you’re going to manage it, firewalls, wireless, VPN, anti-virus, and tie it all together with best practice.
Best practice is usually created by the vendors that say “This is the best way of putting my system together.” To me, that is really important, because if you don’t have the best practice of how that system is put together, then it’s not going to work to your benefit anyway.
The second component is management. So management process that we need to know, and who is involved in what they are. So we have the three P’s – processes, policies and procedures. Because you don’t want to have your accountant come to the business and go “What is my role?” So that’s part of your procedures, part of your processes, part of your policies.
But also on top of that, you need to audit all your technology. You need to have reports coming out of your technology. And you’ve got to be very aware of the reports that come out of technology because they’re only reporting on those systems. So you need to have an overrule reporting system that will help you make decisions at the top level.
You also need training and education. Education and training are really important if you want to protect your business, because if you start training and educating your people, they will then actually come back and say, “We need to do x because x is what my education has told me.”
Then we have the adaptability. So we’re looking at risk assessment, risk management, disaster recovery, business continuity, your cyber and digital resilience and also your culture. Your culture is also just as important as everything else because if your culture doesn’t allow Joe Bob, who’s working at reception, to come to the managing director and say, “We’ve got a problem and this is why.” And the managing director actually accepting that he has a problem, then culture is going to have a big impact in protecting your organization.
And then as I said, we have compliance. Compliance is probably the most difficult component to define because all business or industries, and all organizations are unique. They are different from each other, and different from anywhere else because we are all unique and how we do business depends on who you are.
So all of these framework components make your framework a lot better and a lot easier to understand. It also means you’re going to be making decisions based on fact, not on what’s coming out of the back end, not coming from the IT department saying everything’s rosy.
But as I said, most frameworks are created by companies, and they usually say, “Buy my widget because my widget is the best and it will protect you, and you will be secure.” What a load of poppycock. There’s no silver bullet in the digital world. There’s no way of significantly protecting yourself by using a product.
From Cisco all the way through to D-Link and TP-Link, there is a way around every system. You might not be able to get through a FortiGate, or a Juniper, or a Fortinet firewall, but there are ways around it. That’s why you need to have a framework in place.
By having this attitude that “My widget is the best,” we’re not having a holistic impact on your business. We are not protecting the business. That is also what this is all about.
A Framework has to have certain features
But a framework has to have certain features to make it all work. It has to have features to a level where we are making sure that everything we’re doing for the framework is actually helping the framework.
The framework has to be agnostic
It has to be agnostic. It doesn’t matter whether you’ve got a Cisco firewall, a FortiGate access point, you’re using Symantec on the inside to protect yourself at endpoint protection level. All of those components have to work together. It doesn’t matter whether it’s a FortiGate firewall or a Cisco firewall. It is a firewall, second-generation firewall that does x. So it doesn’t matter what the hardware is.
Your framework has to be understandable
It has to be understandable. All the people in the organization has to understand why you are doing something to make sure your business is protected, and what is in place. We have to have some sort of puzzle that we keep putting a little bit together and making it so that everybody understands that the firewall is there for a reason. The reason why we’ve got these policies is there for a reason, so it has to be understandable by everybody involved.
Your framework has to support your business
One of the things we find in most technology companies is they want your business to change to support their technology. To me, it’s the other way around. The framework has to support your business, and it has to support your business to a level where you don’t have to change how you do business.
Because if you change how you do business, you don’t have the alacrity to go we can swivel on a pin to change direction. So the technology has to be in place to make sure that you can do that swivel if you need to. So it has to support your business, not the other way around.
Your framework has to be manageable
It has to be manageable. What I mean by manageable, someone has to know where all the bits go together and what bits are doing what. Your framework, whether it’s either your technology or it’s adaptability, has to be something that you know “This is what we do. We have a business continuity plan, and this business continuity plan does x.” That is really important for what we’re trying to do with this framework.
Your framework has to protect
Most importantly, your framework has to protect. We know there’s no such thing as 100% security, but we can try for it. That’s what this is all about, trying to make yourself as secure as both your money and your capability, and your team, can make you. So it has to protect you.
Your framework has to be cost-effective
And because we’re trying to protect you, we’re not going to go out and buy—if we’ve got an income, let’s say we’ve got a revenue of $100,000 a year, we’re not going to go out and buy a $50,000 firewall. So we have to have some cost effectiveness in place to make sure that we are getting the best bang for our buck.
Your framework has to build defense in depth
We all know what the old castles used to be, and why they were built, and what stopped them from being as efficient as what they used to be. Originally, the medieval castle was designed to protect the Lord who was in the castle itself. It lasted up until we started creating cannons and we started firing cannonballs at each other. But your framework has to build defense in depth. The thing about a castle was you had a moat. You had a drawbridge. You had high walls. You had people behind those walls. Because you had people behind those walls, if they got through the first levels of security, then they were up there with the people who were trying to attack you.
Each component has to support the other parts of the framework
Most importantly, no matter what we’re trying to do with the framework, each component has to support the other components of the framework itself. So we need to have the right technology in place to make sure that we can have the right management planes in place, and to assist in working out what risk is involved.
Each additional component has to be stronger than its predecessor
And one of the things that we push is if you’ve got a system in place for the moment and you don’t want to spend lots of money when you do spend money, that you don’t replace the NetCom router with another NetCom router. You go to the next level. So you replace it with a Linksys, for instance. More expensive, but it does a lot better.
Your framework has to be stable
But most importantly, your framework has to be stable. It has to allow you to do things that if you unplug things and plug things in, it’s not going to cause the whole system to fall out. That is very important to making sure that your business can do business.
Finally, your framework has to work
And finally, your business framework has to work. If you haven’t got all the components in place, and they’re not all acting holistically, then your framework’s not going to work and it’s not going to protect you at all.
Getting the balance right
So it’s very hard to understand how we get the balance right. The balance is very important and it does depend on how much money you’ve got and how much you want to throw around.
Is there a problem with SME’s?
So, is there a problem with SME’s and how we protect digital security? Well, yes there is. Because an SME has a number of problems just in its inherent capability itself.
Lack of money
We have a problem with money. As I said, if you’re $100,000 business, you’re not going to spend $50,000 on securing that business itself. You might spend $5,000, and if there’s only two or three of you, $5,000 will probably do the job. But because you lack the funds to be able to put a security system in place and create a framework, there are other ways around the framework itself.
Lack of expertise
We also lack the expertise. We don’t understand things like threat intelligence. We understand endpoint protection because that’s usually an anti-virus system. But we don’t understand identity management. Or we don’t understand incidence response or anomaly detection.
Because these are words that are thrown around by vendors that really mean the threat intelligence of you being attacked is probably about 60%. That’s not including a targeted attack on you yourself. How are you managing your identity and your internal people? What usernames and passwords are you using? Those are the things that we just haven’t got the expertise to manage.
Lack of time
And also, we all know that time and money is absolutely annoying when you’re in a small business because when you are in a small business then you have a problem with making sure that the time and the money that you have are focused on the business itself. Because if you don’t focus on the business, the security doesn’t bloody matter anyway. So you have to focus on money, time and the find out how you can cover the expertise.
It’s just not digital
But it’s not just about digital. The digital component, yes is very important. But also, your non-digital stuff. Have you got locks on your phones? When your phones are sitting in the café, are they locked? Do they wipe themselves if someone puts the passcode wrong five times? That is not a digital solution. It is a physical solution. You have locks on your doors and windows. You have internal doors on specific offices. These are not digital, but they’re just as important to protecting your business.
What you can do now
So what can you do now?
Well the first thing you can do is go back to your office and do a risk analysis. Work out what your risks are. Work out what risks are being created by having not the right technology in place.
Upgrade all non-business related components to business systems
The second thing you need to do is find some money to upgrade all your non-business related components to business systems. That includes getting a decent firewall or getting a decent access point.
Educate your people
The other thing you need to do is educate your users. Because if you educate your staff, then as I said before, it will be delivered to your business tenfold because you have people who are actually looking at the issues.
This increases awareness. What you really need is for people to be very aware of what’s going on.
Here are some simple things to do
And there’s some simple things you need to do.
Put some posters up around your organization. If you’ll send me an email, I’ll quite happily send you a PDF of 10 of them that you can put up. Get them printed at Officeworks, off you go.
Initiate a training and education program. I’ll just explain between training and education. Education is when you take everybody and uplift their level to a different level from what they are. So you’ve got to educate them inside of digital security. But training is usually based on getting someone to understand the complexities of a piece of technology. That training is really important as well.
You also need to run competitions, because competitions increase awareness within your organization as well. Make it fun. Don’t bore people with, “Yeah, you’ve got to have a complex password of 25 characters.” But if you have a competition that runs, the first person who gets the answer every day gets a $5 card from somewhere, and the person who does it the most during the week gets a $30 whatever, then you will see that your awareness will increase across the board.
So thank you very much. If you need to get in contact with me, drop me an email at email@example.com, or give us a phone, or jump on the website. You can also follow us on LinkedIn, Twitter, Facebook, Google +, all of those places.
And thank you very much for your coming to the webinar. Much appreciated. This will be uploaded to Google Hangouts and also to YouTube in the next half hour, so if you want to re-watch it you can. And if you have any questions, just pop them into the system and the system will actually tell me if you’ve got a question.
Okay. We don’t seem to have any questions, which is really nice. So thank you very much. I will talk to you next time.
[End of transcript]
Roger Smith is the CEO of R & I ICT Consulting Services, Amazon #1 selling author on Cybercrime, author of the Digital Security Toolbox and author of the SME Digital Security Framework. Rapid Restart Appliance Creator. He is a Speaker, Author, Teacher and Educator on cybercrime and how to protect yourself from the digital world.