Interviewer: I think the scary part of it in your business is the fact that you make one mistake, and it will probably be a big mistake.
Roger: Well, yeah. One mistake in the digital security area can lead to repercussions like you would not believe. And I don’t think really, fair enough, I’ve been accused of fear-mongering and everything else.
But I don’t think normal, everyday people, realize that the problems we’ve got is not that we’re not paying attention, it is we’re not doing anything to resolve the problems. It’s either, “It’s not my problem.” Or, “We’re too small to worry about it.” Or, “We’ve got nothing worth stealing.”
But the repercussions of just having an attacker inside your network, it doesn’t matter if it’s your home network or your work network, then you’ve got a really major problem.
Interviewer: Well, it’s interesting. I was looking at my scan file last night.
Interviewer: So every six months I go through that just to make certain there’s nothing in there that I need. I found a couple of things that really I needed to have in another area. But I was appalled by the number of times in that six-month period I’d been asked for money and all I had to do was contact this person, and press here, and “We’ll do this for you.” I was the beneficiary of an estate. It just goes on and on and on.
Roger: Or, “I’m the legal person representing x.”
Interviewer: Right. And it struck me that without the security of a good, well-planned social media approach, you could easily have those coming directly into your inbox.
Interviewer: And by mistake, press them, or just through curiosity you’ll press them and the like, and that can be a huge issue as I have seen with a couple of my clients who have just lost everything.
Roger: Yeah, well there’s a new scam I’ve just noticed recently. That’s the Google Docs, or Microsoft’s One Cloud. What people are sending you is a link to a Google Doc. Okay? You don’t know the person and it may have gone into your inbox. It may go into your Spam box.
But the fact that we are now using Google online as our document repository, or we’re using Microsoft as in OneNote and all those sorts of things, there is a really big chance that you will click on that. Because A, it probably may come in from Jess Smith instead of Jessie Smith, and you may not think “Why is his name changed?”
That initial click is what’s going to happen. What we don’t see is, I suppose a lot of people don’t see, is the fact that the cyber criminals and the digital criminals are always adapting. They’re always changing their tactics. That’s why it makes it very hard for people like us to keep on top of it.
Because when the phishing scams came out, they were all low-level, bad spelling, bad grammar, probably no chance of being opened. We’ve not got to a stage where some of the scams, as I said for Google Docs comes in, and it’s good spelling. It’s targeted at someone to open it.
It may be you’re being sent an email that says “Dear Boss. I came across this last week. I thought you might need to read it.” And that’s all it takes because that’s what the criminals want you to do. They want you to make that initial, I suppose, commitment to them. And that’s really what drives them.
Interviewer: Well, another interesting example that came up yesterday was a mutual friend of ours. And his son came to his dad and said, “What’s this about, Dad?” And Dad looked at it and it was from a person. It may have been eBay. I’m not too certain, but one—it was either from a person or eBay saying, “Just confirming you’re going to be in Toowoomba tomorrow to pick up your $28,000 Caravan.”
Interviewer: And the son had no idea what it was, of course. Nor did the father. But the father was smart enough to follow it through. And what had happened was that this young boy had been targeted by one of his “friends” who decided to teach him a lesson with talking about bullying at school.
And this chap had put in an order to buy this $28,000 Caravan to pick up today or tomorrow, something like that. And the child had no idea what was going on, so he got onto eBay. Then he got onto Google. Google went searching, and Google came back with a shopping lot of news to tell the parent that his son’s email account had been violated by this particular person.
And he had sent this extraordinary number of emails to his teacher, to the school, to other friends at school, in this case to girlfriends and everything else, with the most vile, terrible language you could ever imagine.
Interviewer: And the police are currently involved in solving this particular problem, and they’ll prosecute the person for doing it. But there’s a young person in a school, and I’m talking about 14 and 15 years of age, who decided to destroy somebody by doing this.
But the alert parent was onto it so quickly, and of course an immediate email was sent out by Google, and by him, so it was two separate emails, explaining what had happened. But that’s just one of the dangers we face, and people take no notice of it.
Interviewer: They should.
Roger: Yeah. Well, the other thing is, for instance, going back to that example, is the chances are now that anything that young boy does with that email address is going to be suspect. It doesn’t matter whether it’s above board or below board. So that’s one problem.
All of the problems that email address has created now becomes a bigger problem because they can now, as you said, they bought a Caravan in his name. Have they opened accounts in his name, bank accounts? That type of thing is very important as well.
With an email account with Google, you’ve also got things like if the account has been compromised, you can actually get at all the other information that correlates to that person, where they live, date of birth, if they’ve got a driver’s license, their phone number.
So you’ve now got really a blueprint of that person which they can use for anything they want to use it for. Now it’s lucky it was only one person against one person, because if that had been a criminal gang, then they would have had even bigger problems.
Interviewer: So a criminal gang would have had the ability and the willingness to distribute that same information to 500 other people?
Roger: 500-10,000. Yeah. And then you can use that. See, the digital criminals not only are after the email address. If they’ve compromised your email address, there’s a really good chance that they’ve compromised the computer that that email address is on as well.
From that, because the actual technology that we use to communicate and do whatever we want to do, and play games and everything else, is a valuable commodity to the criminal enterprise. Because from that technology, they can launch other attacks.
They can use that information that is there. And they can then go from where they’re focusing on you to focusing on your friends, your family, to the next level. And that, as we all know, three levels of separation, and we’re probably closer to other people that we don’t know.
(On Demand Webinar) – An overview of organisation protection in the digital world
[Start of transcript]
I’m just waiting for a few people to turn up, just to make sure we get everybody.
We’re broadcasting this on Periscope as well, just to be on the safe side. Let’s see if it works because I think it will be an interesting time to see if we can get this type of thing working.
Today I’d like to talk to you about how a small business can create a better framework for business, so to protect yourself in the digital world and also just to make sure that a lot of things are in place so that you don’t get targeted by not only the bad guys but everything else that is out there. So that’s the aim of the presentation, and hopefully you’ll get something out of it and you’ll be able to go to the next level and improve the security around your business and your organization.
We’ll wait another couple of minutes just for a couple of stragglers that are coming, just to make sure we’ve got everybody, and then we’ll just get stuck into it. You won’t see me. I’ll put up a slideshow that is not that much. I’m not going to baffle you with PowerPoint art, but hopefully we’ll get everybody on the same page when it comes to digital security.
Okay, I’m going to start now.
It’s Complicated out there!
We all know how complicated the digital world can be. No matter what you’re doing on it, no matter what you’re in charge of, no matter what part of it you’re using for your business, it gets pretty complicated pretty quickly. On top of that, if you’re not really careful about what is happening, you then become a target of cybercriminals and cybercrime. What we are trying to avoid is making sure that you are not in there.
Understanding the requirements of digital security
What we’re going to do today is discuss the understanding, the requirements of digital security and just give an overview of what you need to do to protect your organization in the digital world.
Roger Smith – Speaker
My name is Roger Smith. I’m a speaker. I’m also an Amazon #1 author on digital crime. I’m the CEO of R&I Consulting, and I focus on getting everyday users of the digital world to understand the dangers, and take necessary precautions. So my role is to stop smart people making dumb mistakes. That’s what it’s all about.
So this presentation, we’ll just go through:
What the bad guys are after and why we know that
How the bad guys get in and how they target you?
What are the basics of digital security?
Then we’re going to go into the 4 pillars of digital protection and what it means to an organization
Then we’ll talk about getting the right balance and why you need to get that balance involved.
Also then, we’ll just go into other things like you also need to look at the non-digital stuff to protect your organization.
On top of that, at the end of it, we’ll go through what you can do now.
The digital world is used by all of us, literally. Anybody in business in the Western world now has some presence in the digital world, whether it’s just a basic email or it’s a full-blown 3,000 people using a cloud-based system all over America or Australia, in those areas. The reason why we’re going to the digital world, mainly because it’s cost-effective, and on top of that, it is low-cost.
But we use it for everything. Social media, business, networking, search, innovation, R&D. We use it on our websites and we use it for marketing and sales. It is a very interesting balance to make sure that you are—you have the convenience of the digital world but you’re also protecting yourself from the bad guys.
Exponential rise in crime
Originally, crime started with I had something that someone else wanted and they took it away from me. Then in the 1600s, 1700s, 1800s, 1900s, we had a large group of people storing their money in specific places, and that’s where we had the rise of the bank robbers and the places like Jessie James, Ned Kelly, Ronald Beats, because a group of people could steal from a larger group of people.
In 2014, we had the Target hack. It was a very small group of people stole information and money from 34 million people. This is what we’re talking about, the exponential rise in crime. Because at the moment, making sure that you are protected means also making sure that when you give your information away, that is protected as well.
What do they want?
But what do the digital criminals want? What do the bad guys really—why are they doing what they do?
Money, access to money and money under your control
Well, they need access to your money, and access to money itself, but also access to money under your control. So that access to money also means that they are looking for ways to get you to compromise your security and give them your money.
IP / trade secrets / tactics and strategies
They’re also after your intellectual property, your trade secrets, your tactics, how you work, how you do business. All of that information is really important if they were to come in and try and take over something else that you’re already doing.
One of the other things they’re most importantly after is they’re after your client information, because with the client information, they can go off and target other people. It becomes part of their social engineering component of the digital world so that they can find out all the right information about what you’re doing and what your clients are doing.
One of the things that people forget is that they’re also after your technology. They’re after your Wi-Fi system. They’re after your router. They’re after your PC. They’re after your laptop. They’re after your smart devices. Because they can then use those smart devices to target other people.
But on top of that, your technology is worth money to them. Because it’s worth money to them, they are quite happy to compromise your system and make sure that you then become non-controlled by yourself. That is why we lose control of our technology with things like malware and viruses, and worms.
What are they using to get in?
So what are they using to get in?
In most cases, the number one attack weapon of the cybercriminal, or the digital criminal, is email, because everybody’s got an email account. Email is easy enough to target. It doesn’t cost them any money.
With the rise of email, we also saw the rise of spam. In the 1990s, early 2000s, we had spam that was more interested in selling Viagra or getting a Nigerian prince’s money out of Nigeria. But then smarter criminals got hold of it and started utilizing it for other things.
Then we had the rise of the phishing email. We’ve still got phishing email like we get nowadays. The classic example is the crypto-virus. We get a phishing email that’s addressed from the APO, or the Post Office, or Internal Revenue. Because we are very willing to open and look at an email when it’s based on that.
But then again, we then had the introduction of the spear phishing. This has only been around for the last maybe six to seven years. Spear phishing is an email that comes into your system that is specifically targeted at you. Because they’re specifically targeted at you, they’ve done their research.
They know you are. They know who you are targeting. They know what your friends are. They know what your business is. They know what your hobbies are. They will write an email that is specifically aimed at you, making that idiot decision to click on the link.
But what phishing email and spam, and the spear phishing email are doing is they’re targeting exploits within your system. The exploits are pieces of code that haven’t been written properly, or they’ve been removed but they haven’t been deleted from programs. These programs that have these exploits, you know, Windows has 2 ½ million lines of code. Finding a specific error in that takes a lot of work. The trouble is, the cybercriminals have got the time and the energy to do that, and that’s what they do.
Infected web sites
But just like we have operating systems on PCs, we have operating systems on websites as well. We have the underlying operating system. The underlying operating system is what hosts the website itself. So if that gets compromised, all of the websites above it get compromised as well. They use that compromised system to actually file out malware to other people.
The Insider (malicious and unintentional)
We’ve also got the insider. The insider can either be a malicious person who doesn’t like your systems, doesn’t like you, doesn’t like your business, and they’ve been employed by you, and you’ve realized they don’t like you and they have stolen information, or stolen systems, or put malware on your system.
But there’s also the unintentional one. That person who has clicked on the link that you didn’t want them to click on. That has exposed both your PC and your business to the digital criminal. You don’t want that to happen.
What are the basics?
So what are the basics? The basics are really easy. There’s 8 of them. Those 8 basic things that you need to do will protect you in the digital world.
I’ll miss the first one, but passwords. Passwords are really important. They’re your passport to the internet. They are your passport to the internet on any number of websites that you go to. Passwords have to be longer than 8 characters. They have to be complex, so anything on the keyboard is fair game. They have to be unique for every website you go to.
That, as you can understand, that is a problem just in and of itself unless you have a system on doing it. I have a number of videos that you can watch that will actually explain how to create complex passwords that are really easy to remember.
I was talking about exploits earlier. So when an application or an operating system developed or found that they have an exploit, they will patch it. They will send out an update that will remove the capability of something being able to target that issue. Although 99.9% of exploits are benign, they can’t do anything. Maybe you can create a character on the screen, but it’s not going to cause a problem. They’re not going to allow access to the back end of the computer.
The next thing you need to do is worry about anti-virus. An anti-virus is really important because it catches that 99.9% of the viruses that have been around for a while. By catching that, it then means that you can keep an eye out for that other 0.01%, or 0.1%.
Back it UP
The problem with the digital world is it’s digital. My laptop falls in the—gets flooded out, or I drop a cup of coffee on it, or I drop my phone in the toilet, or someone steals my tablet, then all of that information that was on it is now gone. So we have to make sure that we are backing it up and backing it up in such a way that is not stored in the same place. So if I lose my phone, I have a backup of all my contacts, all my videos, all my films.
The next thing we have to worry about is firewalls. Firewalls are used to protect you from the digital world. They stop those basic attacks coming into your PC or into your business. They are there to make sure that whatever coming from inside the business goes out but everything on the outside doesn’t come back in.
There’s two that we’ve coined. Paranoia. Fear the digital world. Don’t be scared of it, but have that underlying system in place that you go, “Should I do that or shouldn’t I do that? Why am I doing that?”
The last one is common sense. Common sense is really important when it comes to making that split-second decision between clicking on that link that decrypts all your data on your PC, or not clicking on that link. Common sense is a question about “Where did they get my email address? How come they’re targeting me, and why are they sending me an email?’
What is a framework?
So what is a framework? I’d like to talk to you, the framework we’ve developed that is, I suppose, an easier way to understand how you can protect yourself. There are a number of frameworks out there. This is just a few.
We’ve got the Control Objectives for Information and Related Technology (COBIT).
We’ve also got the ISO 27000 Series.
We’ve got the NIST Special Production 800 Series
These are complicated frameworks around how you do business. They want you to change your business to fit in with these frameworks. That’s where the problems really start from, because no longer can we say you are a x in this industry, so this is how you have to do business, because if everybody else is doing business that way, there’s no advantage in doing it. That’s where technology is really come into its own.
But also we’ve got the vendor-based technologies and the vendor-based frameworks. Those frameworks are things like the Cisco Security Framework that relies on Cisco products, or Strategic Framework if you’re using cloud, or an IT Security Policy, which is a really basic framework about how you are going to protect your business.
The 4 pillars of digital security
So we’ve taken all this information and we’ve tailored it down to four pillars of digital security.
What you really need to do to protect your organization
You need to worry about the technology. The technology in place of how you are going to do business. That technology makes your business so much better and makes you competitive in the industry.
You also need to have a management component. That management component takes into account all of the other components and the pillars of security.
We then have to have an adaptability component. The adaptability component is not about if something goes wrong, but it also involves having your organization able to change direction without losing impetus. So you can see an opportunity, and if you are adaptable, you can actually grasp that opportunity without having a problem.
Then the last one is we all have a government compliance component. That government compliance component is how it’s all based in the industry, or via government, or how you want to do business yourself.
So let’s just take a step back and go through each of these areas.
The technology. Literally all of the technology components of your business. So you have your operating systems, your hardware, your software, your applications, your encryption, your cloud, BYOD and how you’re going to manage it, firewalls, wireless, VPN, anti-virus, and tie it all together with best practice.
Best practice is usually created by the vendors that say “This is the best way of putting my system together.” To me, that is really important, because if you don’t have the best practice of how that system is put together, then it’s not going to work to your benefit anyway.
The second component is management. So management process that we need to know, and who is involved in what they are. So we have the three P’s – processes, policies and procedures. Because you don’t want to have your accountant come to the business and go “What is my role?” So that’s part of your procedures, part of your processes, part of your policies.
But also on top of that, you need to audit all your technology. You need to have reports coming out of your technology. And you’ve got to be very aware of the reports that come out of technology because they’re only reporting on those systems. So you need to have an overrule reporting system that will help you make decisions at the top level.
You also need training and education. Education and training are really important if you want to protect your business, because if you start training and educating your people, they will then actually come back and say, “We need to do x because x is what my education has told me.”
Then we have the adaptability. So we’re looking at risk assessment, risk management, disaster recovery, business continuity, your cyber and digital resilience and also your culture. Your culture is also just as important as everything else because if your culture doesn’t allow Joe Bob, who’s working at reception, to come to the managing director and say, “We’ve got a problem and this is why.” And the managing director actually accepting that he has a problem, then culture is going to have a big impact in protecting your organization.
And then as I said, we have compliance. Compliance is probably the most difficult component to define because all business or industries, and all organizations are unique. They are different from each other, and different from anywhere else because we are all unique and how we do business depends on who you are.
So all of these framework components make your framework a lot better and a lot easier to understand. It also means you’re going to be making decisions based on fact, not on what’s coming out of the back end, not coming from the IT department saying everything’s rosy.
But as I said, most frameworks are created by companies, and they usually say, “Buy my widget because my widget is the best and it will protect you, and you will be secure.” What a load of poppycock. There’s no silver bullet in the digital world. There’s no way of significantly protecting yourself by using a product.
From Cisco all the way through to D-Link and TP-Link, there is a way around every system. You might not be able to get through a FortiGate, or a Juniper, or a Fortinet firewall, but there are ways around it. That’s why you need to have a framework in place.
By having this attitude that “My widget is the best,” we’re not having a holistic impact on your business. We are not protecting the business. That is also what this is all about.
A Framework has to have certain features
But a framework has to have certain features to make it all work. It has to have features to a level where we are making sure that everything we’re doing for the framework is actually helping the framework.
The framework has to be agnostic
It has to be agnostic. It doesn’t matter whether you’ve got a Cisco firewall, a FortiGate access point, you’re using Symantec on the inside to protect yourself at endpoint protection level. All of those components have to work together. It doesn’t matter whether it’s a FortiGate firewall or a Cisco firewall. It is a firewall, second-generation firewall that does x. So it doesn’t matter what the hardware is.
Your framework has to be understandable
It has to be understandable. All the people in the organization has to understand why you are doing something to make sure your business is protected, and what is in place. We have to have some sort of puzzle that we keep putting a little bit together and making it so that everybody understands that the firewall is there for a reason. The reason why we’ve got these policies is there for a reason, so it has to be understandable by everybody involved.
Your framework has to support your business
One of the things we find in most technology companies is they want your business to change to support their technology. To me, it’s the other way around. The framework has to support your business, and it has to support your business to a level where you don’t have to change how you do business.
Because if you change how you do business, you don’t have the alacrity to go we can swivel on a pin to change direction. So the technology has to be in place to make sure that you can do that swivel if you need to. So it has to support your business, not the other way around.
Your framework has to be manageable
It has to be manageable. What I mean by manageable, someone has to know where all the bits go together and what bits are doing what. Your framework, whether it’s either your technology or it’s adaptability, has to be something that you know “This is what we do. We have a business continuity plan, and this business continuity plan does x.” That is really important for what we’re trying to do with this framework.
Your framework has to protect
Most importantly, your framework has to protect. We know there’s no such thing as 100% security, but we can try for it. That’s what this is all about, trying to make yourself as secure as both your money and your capability, and your team, can make you. So it has to protect you.
Your framework has to be cost-effective
And because we’re trying to protect you, we’re not going to go out and buy—if we’ve got an income, let’s say we’ve got a revenue of $100,000 a year, we’re not going to go out and buy a $50,000 firewall. So we have to have some cost effectiveness in place to make sure that we are getting the best bang for our buck.
Your framework has to build defense in depth
We all know what the old castles used to be, and why they were built, and what stopped them from being as efficient as what they used to be. Originally, the medieval castle was designed to protect the Lord who was in the castle itself. It lasted up until we started creating cannons and we started firing cannonballs at each other. But your framework has to build defense in depth. The thing about a castle was you had a moat. You had a drawbridge. You had high walls. You had people behind those walls. Because you had people behind those walls, if they got through the first levels of security, then they were up there with the people who were trying to attack you.
Each component has to support the other parts of the framework
Most importantly, no matter what we’re trying to do with the framework, each component has to support the other components of the framework itself. So we need to have the right technology in place to make sure that we can have the right management planes in place, and to assist in working out what risk is involved.
Each additional component has to be stronger than its predecessor
And one of the things that we push is if you’ve got a system in place for the moment and you don’t want to spend lots of money when you do spend money, that you don’t replace the NetCom router with another NetCom router. You go to the next level. So you replace it with a Linksys, for instance. More expensive, but it does a lot better.
Your framework has to be stable
But most importantly, your framework has to be stable. It has to allow you to do things that if you unplug things and plug things in, it’s not going to cause the whole system to fall out. That is very important to making sure that your business can do business.
Finally, your framework has to work
And finally, your business framework has to work. If you haven’t got all the components in place, and they’re not all acting holistically, then your framework’s not going to work and it’s not going to protect you at all.
Getting the balance right
So it’s very hard to understand how we get the balance right. The balance is very important and it does depend on how much money you’ve got and how much you want to throw around.
Is there a problem with SME’s?
So, is there a problem with SME’s and how we protect digital security? Well, yes there is. Because an SME has a number of problems just in its inherent capability itself.
Lack of money
We have a problem with money. As I said, if you’re $100,000 business, you’re not going to spend $50,000 on securing that business itself. You might spend $5,000, and if there’s only two or three of you, $5,000 will probably do the job. But because you lack the funds to be able to put a security system in place and create a framework, there are other ways around the framework itself.
Lack of expertise
We also lack the expertise. We don’t understand things like threat intelligence. We understand endpoint protection because that’s usually an anti-virus system. But we don’t understand identity management. Or we don’t understand incidence response or anomaly detection.
Because these are words that are thrown around by vendors that really mean the threat intelligence of you being attacked is probably about 60%. That’s not including a targeted attack on you yourself. How are you managing your identity and your internal people? What usernames and passwords are you using? Those are the things that we just haven’t got the expertise to manage.
Lack of time
And also, we all know that time and money is absolutely annoying when you’re in a small business because when you are in a small business then you have a problem with making sure that the time and the money that you have are focused on the business itself. Because if you don’t focus on the business, the security doesn’t bloody matter anyway. So you have to focus on money, time and the find out how you can cover the expertise.
It’s just not digital
But it’s not just about digital. The digital component, yes is very important. But also, your non-digital stuff. Have you got locks on your phones? When your phones are sitting in the café, are they locked? Do they wipe themselves if someone puts the passcode wrong five times? That is not a digital solution. It is a physical solution. You have locks on your doors and windows. You have internal doors on specific offices. These are not digital, but they’re just as important to protecting your business.
What you can do now
So what can you do now?
Well the first thing you can do is go back to your office and do a risk analysis. Work out what your risks are. Work out what risks are being created by having not the right technology in place.
Upgrade all non-business related components to business systems
The second thing you need to do is find some money to upgrade all your non-business related components to business systems. That includes getting a decent firewall or getting a decent access point.
Educate your people
The other thing you need to do is educate your users. Because if you educate your staff, then as I said before, it will be delivered to your business tenfold because you have people who are actually looking at the issues.
This increases awareness. What you really need is for people to be very aware of what’s going on.
Here are some simple things to do
And there’s some simple things you need to do.
Put some posters up around your organization. If you’ll send me an email, I’ll quite happily send you a PDF of 10 of them that you can put up. Get them printed at Officeworks, off you go.
Initiate a training and education program. I’ll just explain between training and education. Education is when you take everybody and uplift their level to a different level from what they are. So you’ve got to educate them inside of digital security. But training is usually based on getting someone to understand the complexities of a piece of technology. That training is really important as well.
You also need to run competitions, because competitions increase awareness within your organization as well. Make it fun. Don’t bore people with, “Yeah, you’ve got to have a complex password of 25 characters.” But if you have a competition that runs, the first person who gets the answer every day gets a $5 card from somewhere, and the person who does it the most during the week gets a $30 whatever, then you will see that your awareness will increase across the board.
So thank you very much. If you need to get in contact with me, drop me an email at firstname.lastname@example.org, or give us a phone, or jump on the website. You can also follow us on LinkedIn, Twitter, Facebook, Google +, all of those places.
And thank you very much for your coming to the webinar. Much appreciated. This will be uploaded to Google Hangouts and also to YouTube in the next half hour, so if you want to re-watch it you can. And if you have any questions, just pop them into the system and the system will actually tell me if you’ve got a question.
Okay. We don’t seem to have any questions, which is really nice. So thank you very much. I will talk to you next time.
Roger Smith, CEO at R & I ICT Consulting Services Pty Ltd, Amazon #1 author on Cybercrime and founder of the SME Security Framework | Speaker | Consultant | Trainer discusses – How being paranoid is a good digital security strategy!
[Start of transcript]
Hello. My name is Roger.
And today, I’d like to talk to you about why being paranoid makes you more secure in the digital world.
In the digital world, everybody is after you. Everybody wants to target you. You get spam, you get phishing emails, you get spear phishing emails. If you go to a website, you could be targeted from the website.
If you download drivers, you could be downloading literally from the Google search. And there are websites and there are torrents where you can get infected by. So, looking at all of that information that’s coming towards you, on the chance that they want to steal something from you, should make you a damn sight more paranoid, the more people are at the moment.
One of the best things that bad guys do is that they will infect torrents. And torrents are used by people who want to download illegally from the internet. And those torrents can have back doors into your business, and your organization and your home computers.
And it’s very important that you get paranoid about why you have this information on your systems. But the good thing about being paranoid is you actually start to protect yourself. You make that assumption that you are in trouble and you need to look at other ways of protecting yourself. And by being paranoid, it makes you a lot more focused on how you protect yourself.
So, thank you. If you need any more information, please contact us.
Roger Smith, CEO at R & I ICT Consulting Services Pty Ltd, Amazon #1 author on Cybercrime and founder of the SME Security Framework | Speaker | Consultant | Trainer discusses – What to avoid in an outsourcing professional
[Start of transcript]
Hi. My name is Roger.
And today, I’d like to talk to you about what to avoid in an ITC, an internet technical professional.
Whenever you are employing a managed-service provider or an outsourcing company, there are a number of questions that you should be asking. And it should not be based on price alone. You need to know if their practical experience is going to suit your business. So, if you use Apple technical, they need to be Apple’s experience. If they are Microsoft, then do they have a Microsoft experience? Do they have cloud-based systems that they understand?
The second one is, there is no such thing as one solution fits everybody. I can walk in to anybody and say, “You need to go to cloud.” If I did that, not only am I an idiot, but you’re an idiot for listening to me because every business is different and every business has a requirement to look at what is available and what they need to make sure that going to the cloud is going to be beneficial for you.
The third one is there’s no transfer of knowledge between the professional and the business. You need to be in a big situation where you can’t get hold of the professionals and you can actually sort out some of the problems without resorting to really big issues.
The fourth thing is, how about sales pressure? “If you buy this, we’ll give you a 20% discount. If you buy this, we’ll send you to Maris Island,” and all of that. These are pressures, or systems put on pressure to make you buy that widget at three times the price that it should be anyway.
The fifth thing that you should be looking at is, are they selling smoke and mirrors? It looks pretty cool, sounds pretty cool, but is it going to do to the job that I want it to do?
And another thing to look for is you may get a number of small solutions to that go to making the live solutions, and each one of those small solutions has a huge price tag. And if that’s the case, then, you really do not need that professional.
But there are other things that you need to look at. How about bribes and collusion? Are they being bribed by their suppliers? If you sell a million dollars’ worth of stuff, we’ll send your troops to a Maris Island because that’s really good.
Or they send you incomplete systems. An incomplete system is you get a firewall but if you pay for the firewall, you say $2,000 for the firewall, but all these other components to make the firewall really secure are extra $2,000, $2,000, $2,000. So, you’re getting an incomplete system for what you specified that you want it to do. Then they ignore you.
When you have a sales person that ignores your deadlines, ignores your fiscal position, then you also have problem, because they’re not going to respect you to understand what they need to do to make your business more focused. And they have no accountability. The only accountability to themselves is themselves and you do really don’t want to be in that situation.
So, to make sure you avoid an ICT professional that has all of those, then why don’t you contact us?
Roger Smith, CEO at R & I ICT Consulting Services Pty Ltd, Amazon #1 author on Cybercrime and founder of the SME Security Framework | Speaker | Consultant | Trainer discusses – The hidden cost of doing ICT yourself
[start of transcript]
Hello. My name is Roger.
And today, I’d like to talk to you about the hidden costs of small business doing their own ICT.
In a small business, we have direct costs, how much we buy something for, how much we sell it for. And we have indirect costs. And the indirect costs usually are the costs that we have no control of. And what happens when people start doing their own technical support is your indirect costs go up.
Now, most people are in business to make money and they are in business to do core business, whether that’s for selling widgets or consulting or any of those things. You’re not there, and your people are not there, to work on the information technology, information technology stuff that is making your business work.
And what happens with doing the ICT yourself is it really does take your focus off core business. It’s a lot easier to say to someone, “Come in and fix this and then go away,” than Joe Bob, who’s is the receptionist, or the senior salesperson or the marketing manager, look at the printer problem and say, “Well I just spent nine hours trying to get the printer to work. Now, I’ve got to call someone in.”
So, doing your own ICT is not cost-effective. And there really is no convenience in doing it. Because, as I’ve said, ICT is what makes your business run. But you don’t need to understand that 90 percent of making that system run, you need to understand the 10 percent that you used to make it all work for your business and do core business.
Roger Smith, CEO at R & I ICT Consulting Services Pty Ltd, Amazon #1 author on Cybercrime and founder of the SME Security Framework | Speaker | Consultant | Trainer discusses – Clever ways cybercriminals get you to let them in
[start of transcript]
Hello. My name is Roger.
And today, I’d like to talk to you about the clever ways cybercriminals get you to let them in.
So, there are a number of tactics and strategies that the cybercriminals use, both physical and electrical, that allows you to let them in so that they can do their nefarious deeds.
One of the ones that we’ve seen is they used fake access points. And there’s a thing called water-holing where all people congregate within a business. And usually where they’re congregating is actually where you are fixing and attaching to a Wi-Fi point. And if you make an access point the same username and you don’t give it a password, then, all of that information that you’re connecting to is being recorded.
But there are other things they do. One of the things that the bad guys do is they change file names so you might get an attachment that say “readthis.txt,” but you, and because Windows and Apple only read the .txt part, they don’t know that it says “.txt.exe.”
And most anti-viruses won’t allow that to happen. But there are some that regularly will bypass. There are other things that they do. Location of files, they use the actual operating system and the way it searches for information to serve out, so they might have a “notebook.xe” and “notebook.exe,” which is the real one. This one is found before this one, this actives malware and viruses.
Or, we use hosts and DNS redirects. And all those redirects take us to totally different sites. And there’s a number of sites, for instance, if you go to anz.com.au, you go to Australia National Bank. But, if you go to anz, then you go to a fake bank. And that’s how they catch you, just by substituting that one letter.
But one of the other things they do is they use a bait and switch. They get you to download legitimate software, especially if you’re downloading legitimate software from a pirate site. Because if you are doing that, then you are making yourself vulnerable. Because that information that you’re downloading is being stolen by the criminals and has been created to make look like a real information.
So, as you can see, the cybercriminals can be very, very clever. And we have to use a number of systems to make sure that we catch them before they get into our system.
If you need any more information, please contact us. Thank you.
Roger Smith, CEO at R & I ICT Consulting Services Pty Ltd, Amazon #1 author on Cybercrime and founder of the SME Security Framework | Speaker | Consultant | Trainer discusses – A firewall does protect you in the digital world
[start of transcript]
Hello. My name is Roger.
I’d like to talk to you today about A Firewall does protect you in the Digital World.
A Firewall is a piece of hardware or software that sits between the real digital world and your device – whether it’s your laptop, your server, your network, your smart device. It sits between the digital world which is out there, and your privately owned piece of it.
And that’s all it’s there to do. It’s there to stop the bad guys coming in to your system and doing damage on your system. It allows information from your system that is requested to go out to the digital world and then come back in again.
And in other cases, it’s very effective about stopping that first level of attack that we have from the digital world.
When it comes to network management and protecting yourself at a network level, then, you need to spend a little bit of money to get a more expensive model of the router/firewall modem component because that is what is going to protect you from the digital world. And that expensive model, whether it’s a FortiGate or a CISCO, or a Palo Alto, is really important because it has a lot more features as well. And we have things like 2nd generation firewalls coming in to the information.
Thank you for listening and if you have any other, if you have any questions, please contact us on the slides after this.
The same way that we listen to accountants, solicitors and motor mechanics, the digital security expert has an important role to play in supporting your organisation.
Digital security is becoming one of the most important areas of modern business.
For some reason we believe technology in business is easy. So easy in fact, that we just install it and forget about it.
Anyone can do it.
Like other professions what you do and what you can do are total opposites. An accountant, for instance, can make you more money by legally changing your tax requirements, or a solicitor can get you a reduced fine or jail sentence better than you could if you were representing yourself.
So a digital security expert can make your organisation more secure because they have studied business and technology, but more importantly they have a better understanding of what the bad guys are doing.
Here are 17 ways that a digital security expert can make your organisation more secure:
They study the bad guys – being a digital security expert is not about selling the next best thing (if there is such a thing). Being a digital security expert is more about understanding your enemy. The more you study the cybercriminal the better you get at predicting their next move and being able to be one step ahead.
They keep abreast of what the bad guys are doing – digital security experts use the same world that the cybercriminal uses to perpetrate their trade. They are in the dark web, watching, recording and documenting what the bad guys are going to do next.
They understand business requirements – what most people do not understand is that the digital security expert has to understand business. They have to understand marketing, management and cash flow. They need this information to ensure the recommendations that they give to their clients will not impact their business, or have minimal impact on the way business functions.
They understand technology – in most cases a digital security expert is at the same level of technology understanding that the bad guys are. To ensure that your business is not vulnerable to a cyber-attack they have to know the technology to ensure it is safe.
There is no such thing as 100% secure – against popular belief, there is no such thing as being totally secure. The digital world is ever changing, so are the tactics, strategies and targets of the cybercriminal. There is always someone else out there who knows that little bit more.
Everyone is a target – if you have a smart device – you are a target. If you have an email address – you are a target. if you have a web site – you are a target. The larger your digital footprint the bigger the target you are. The more your footprint will be targeted by the automated systems that are sold by the criminal gangs.
Technology is not the only answer – there are four components of being secure in the digital world. Technology is one of them. The other three are management, adaptability and compliance. All four components together make a more secure environment than just technology alone.
People are your best defence – your staff and users can be either your best Defence or your biggest problem. If you educate them with proper digital hygiene then you will not only get them to protect themselves but also the flow on effect is that they protect your organisation.
Complex, unique and long passwords are good for business – we all hate these. To access the digital world we need a username and password combination. The more we rely on the digital world the more important these components are. All passwords should always be complex (letters, numbers, symbols, capitals), more than 8 characters long and they have to be unique for each site. That’s pretty easy isn’t it?
Penetration testing will prove you have it right – penetration testing is one of the best ways to test your defences. Penetration testing should also be carried out across all components of the business. From websites, to cloud Infrastructure, from social media to smart devices. A contracted penetration tester should have carte Blanche across the whole network. You are not on a witch hunt or targeting the IT department, you are finding holes in your organisation and finding ways to resolve the risks before you are compromised or hacked by the bad guy.
Think when using social media – social media is great. It is also one of the best systems used for social engineering by the bad guys. Information that is posted to social media sites is there forever. Educate your staff about the dangers of social media. Put a social media process in place to ensure that trade secrets and intellectual property is not posted out there, and each post is checked before going live. In the heated exchange of a social media discussion, think before posting.
Get paranoid – paranoia is the understanding that everyone is against you. In the digital world this is truer than our normal world. Does that make you paranoid? Not really but having the understanding that everyone in the digital world is out to get you makes you more secure.
Use common sense – everyone remembers the old Nigerian Prince scam, people are still getting caught by it. There are a number of things to remember on the digital world – if it is free then it is not (you always have to give something to get something), if it’s free it could be infected with malware, if it’s free somewhere along the line you will have to pay a lot more than what you expected. Using common sense to make that decision is critical.
Email is a broadcast medium – We often forget that although email is targeted, sent specifically to individuals or groups of people, it can go astray. It could be sent to the wrong person via the email fields being filled in automatically. Email can also be forwarded, printed and scanned, sent to people who it was not intended. Like all types of communication be careful with email.
Digital security is a whole of business endeavor – we are constantly told that digital security is an IT problem. No it’s not, it is a whole of business endeavor. Everyone and every department has an impact and input on the digital security of the organisation.
Have a mantra – I have a mantra “digital security is my problem”. What that means is that I take personal responsibility for protecting myself and protecting others. The more people who change their attitude to this mantra the more secure your organisation will be
A digital security expert can and will make your business more secure and like any other profession, what they bring to the table is well above normal expectations. Like accountants and solicitors their expertise can save you substantial amounts of money, sleepless nights and angst, just by them doing their job.
We all approach the cybercrime issue with a very unrealistic attitude that the cybercriminal is a geek who really does not understand what they are doing. To most people the cybercriminal is just in it for the fun.
Compound that with our own attitude of
we are too small to be a target,
it won’t happen to me and
we have nothing worth stealing
And you can see why we have a problem.
Cybercrime perpetrated on the digital world is no longer hap hazard or uncoordinated.
The cybercrime gangs are well organised, exceptionally well run and ruthless in who and what they target. In most situations the main cybercrime gangs are better run and managed than the small and medium business and large Organisations that they target.
What most people do not realise is that most of the high level cybercrime gangs have the same principles as everyone else who is using the digital world.
Make as much as they can!
Make it as fast as possible!
They steal, destroy and manipulate the normal users of the digital world because there is little or no perceived repercussions if they get caught.
The difference is that they know so much more about the digital world than we ever will. They also know how to exploit our vulnerabilities.
Most of the criminal enterprises have a similar structure to every other business.
They have a management team, they have marketing and sales, they have advertising and sales, they deliver products to their clients and they use research and development to create more product.
Their clients are the 12 – 24 year old wanna be hackers who think they would like the glamorous world of a cybercriminal.
Their product is automated systems that gather data and probe exploits on anyone or anything that is connected to the digital world.
They then feed that information back to the command and control systems to create better and more complex systems that are easy for the wanna bes to use.
When it comes to making money they have the same attitude as most SME’s. Make more than you spend.
Apart for the fact that you do not get fired and the retirement plan for the bottom level of the organisation is not very good. Once in the gang, the smallest stuff up and you could be found in the lake face down or even worse never found at all.
If you understand the cybercrime business then you have a better chance of protecting yourself against it.