One of the worst situations that you can be in is acrimonious separation of an IT person from an organisation.
A bad separation, just like a bad divorce can have significant impact.
Large organisations have systems, policies, procedures and processes in place that protect the organisation, when they are used of course. If followed they protect the organisation well.
SME’s on the other hand have different problems.
We have come across smaller organisation that still have old staff members on the books with full administrator access to everything that is still being done in the organisation.
The problems this creates can be huge.
They have access to privileged accounts. Accounts that can do anything on the organisations digital world.
Just a few ideas of what they can do!
They can steal your trade secrets and take them / sell them to your opposition.
They can steal your client list and use them for a number of bad things – competition, blackmail, sabotage.
They can cause software issues, lock outs and shut downs
They can lock legitimate users / all users out of the organisation.
In most cases the IT person is there because they know computers. They were allocated the role when they joined and you may even have paid for some education and training packages to make them better.
This just puts them in the position of holding the keys to the kingdom.
If you are going to remove an IT person from your organisation, the best thing you can do is outsource your IT, for a short time or indefinately. They have the expertice to protect your organisation and they are under contract to ensure your systems are safe.
Roger Smith is a highly respected expert in the fields of cybercrime and business security and is a Lecturer at ADFA (UNSW – Australian Centre of Cybersecurity) on Cybercime, Cybersecurity and the hacking techniques used by the digital criminal.
He is the primary presenter for the Business Security Intensive (BSI) and author of the Digital Security Toolbox which is given away for free at the BSI. He is a speaker, author, teacher and educator on Cybercrime and an expert on how to protect yourself, your staff, your clients and your intellectual property from the digital world.
We just threw it together on WordPress because it looked OK, pretty cool eh, what do you think?
These are some of the reasons and responses that most organisations say about their websites. They do not consider their website an important component of their business security.
All of these implied reasons are all BULL
The damage that a compromised website can do to your reputation, your brand, your customers, your staff and your organisation in general can be devastating.
How can it have such an impact?
Today’s world everything is automated.
From building cars to putting together modem routers, it is all automated, created by robots or done with no human intervention.
Just set and forget!
In this world a bored teen with minimal parental supervision, access to the internet and access to a computer, tablet or smart device can download any number of automated systems that can and will target any website.
just because they are attached to the internet.
Bored teenagers and Hackers alike Don’t Even Break a Sweat…Download… Copy… Paste… Hack!
Its just that easy!
Automated systems target everyone!
That is why a Million+ Sites were Hacked or Defaced by Exploits in the last 12 – 18 months.
Once again attached to the digital world = target!
WordPress security can be very easy as well as exceedingly difficult.
Like any required expertise, anyone can do it but it takes an expert to actually secure a website properly.
Just 1 Bad Plugin or Update & Your Site Is Theirs!
What about Google?
If your website is infected and starts delivering malware to your visitors then you’ll Get Blocked by Search Engines for hosting…A Fake Store, An Attack Site or A Phishing Site…
This will have significant impact on your site especially if you are spending money on SEO.
The all-encompassing world of search – especially GOOGLE, can have a significant impact on your website through search engine optimisation (SEO)
I spoke about reputation in general, how about Brand in particular?
The impact on your reputation, brand and ability to create revenue can be significant.
Your Site, Your Reputation, Your brand, Your Rankings & Your Domain Value Destroyed literally overnight and in a lot of cases it will not register on your business.
The problem could be seen as a change in Googles algorithm.
How big an impact would a significant drop in search visitors have on your organisation?
The significant drop in visitors could be attributed to the blacklisting of your site.
Anyone going to your site will get the google precaution web page – proceed past this point at your own risk. How many people are going to go against that message, only 10%.
It’s Going To Costs You Days & $1000’s To Restore, De-Blacklist + Re-Rank.
So that cheap and cheery website that you put up is now having a significant impact on your organisation.
Significant impact on your cash flow!
Significant impact on your revenue!
Lets now take it further.
If you keep getting your website hacked it will have significant problems for the hosting company as well as all, of the other organisations that have websites hosted on the same platform. Same platform, same internet address.
They will literally ask you to take your website elsewhere because you are having a significant impact on their revenue and profits.
WordPress security – what can you do?
All of your problems started with the assumption that putting up a WordPress website is easy and can be done by anyone. Here are a number of precautions that you can take to reduce the risk.
Update, update update
Like everything digital in today’s world updates are one of the keys to protecting the website. Updates to the WordPress core are critical but updates to plug Ins, widgets and themes are just as important.
Updates remove those areas where the automated systems can get a foot hold on your site.
Visit your site regularly
We have known organisations who have not touched their website in 2 – 3 years. This is bad for 2 reasons. If you are not visiting your site regularly then you are not helping your marketing, you are not putting up, in the words of Tim Read “interesting and helpful content”.
Google does not like this.
If you are not visiting it regularly you are not getting the feel of what your visitors are seeing, and you are not being prompted to update all of these important components.
Use top quality plug ins, themes and widgets
Free is OK, but if you pay for plug ins, themes and widgets then there is a good chance that they will be better for your website.
This includes not only better functionality but also better security and support.
Use 2 factor authentication or Captcha
With some of the tools available, your website can be scanned and the usernames can be discovered.
That is one of the 2 things the wanna be hackers need to compromise your website.
Using 2 factor authentication and or a captcha system you are adding another layer to the log in process.
This makes it harder to access your website using automated systems.
Enforce complex passwords
I know they are hard, but complex passwords are very important when it comes to fighting all those automated systems.
All passwords should have 3 components, complexity (numbers, letters, symbols and capitals), long (more than 8 characters, but 10 is better) and uniqueness (different for every web site you visit or have access to).
Now hopefully you understand why protecting your website with the right attitude is good business sense.
The bad guys are out there and they are looking for every opportunity to ruin your organisation, your reputation and your ability to make money.
It is no longer a case of hoping for the best when it comes to business security.
Business security demistified
Changes to the way we do business, how business is conducted, how fast the transactions are done and the insidious implications of social media have made business in the last 5 years a huge challenge for most business no matter the size.
Multi nationals who rely on their advertising spend to get customers through to the small and medium businesses, the mom and pop organisations, who are challenging them in most areas of today’s business world all have huge if not insurmountable business problems.
No longer can we rely on “that’s how we have always done X”.
In today’s world that is old thinking, old strategy and in most cases a good way to disillusion your clients and go out of business.
With all of this happening we also have the problem of protection.
These are just a few of our inward and outward facing security problems.
We are often told that security is a business problem but all of the onus to fix it falls to the ICT department. This is no longer the way to do it.
Business security is a whole of business phenomena. Everyone from the head of the board to the warehouse cleaner needs to be involved, and involved from the nuts and bolts through to the strategy.
Today’s world is all about data, and protecting that data from anyone and everyone who does not have permission to use it, see it or interact with it. With everything in today’s world being digital, in most cases we cannot see the problems this creates.
Today’s business security is all about common sense, seeing the wood from the trees and making sure that you are alleviating risk at every possibility.
Business security is all about risk!
Business security comes down to risk, defining the risk and then mitigating it for your organisation.
Every organisation is different and every organisation will mitigate the risk differently but all organisations need to start looking at the problem of risk.
Want to see what i am talking about go here and do our quick and nasty trial survey. 7 of the 98 standard NIST questions. Let’s see what your business maturity level is.
Relying on one persons understanding of digital crime is a recipe for disaster.
You can be the most knowledgeable person on the planet in your chosen field but you cannot be the most knowledgeable person on everything – that is impossible.
When it comes to the digital world, the individual facets of the world are daunting.
There is no single entity who has all of the answers. In a huge number of places we no longer understand the questions to ask.
We all work in some realm where we either consider ourselves exceptional, or other people consider us exceptional in our knowledge and understanding.
Most people realise this and accept input from others who are experts in their own fields. This collaboration makes everyone involved better.
We have seen those exceptional people do the absolute dumbest things when it comes to digital protection and cybersecurity.
In most cases it comes down to EGO.
To quote the Sky hooks and my friend Shirl ” ego is such a dirty word”. This is where one of the largest problem lies when it comes to digital security.
Our egos get in the way.
Our egos do not allow us to be wrong, do not allow for others to have input into our problems or in some cases accept input from people who do actually know more about the problem than we do.
The EGO of security
One of the biggest problems with keeping ego in check is the understanding of secrecy.
By using my ego to implement security means that others who may have a deeper understanding of the problem or a better solution are kept out of development because i have deemed it secret.
To develop a complete digital security strategy we need to leave our egos at the door. We have to listen to anyone and everyone with an idea concerning protection and implement the best ideas from that process.
When that happens we will see an improvement in digital security. We will see an increase in collaboration and maybe, just maybe, we will be able to beat the digital criminal at their own game.
Google! How many times have we said or heard someone else say:
“Why don’t you Google it?”
“Google told me that….”
“I can fix this problem—I read an article about it on Google!”
These lines are often spoken by someone who tried to save time, money or effort by reading an article instead of consulting an expert. And whether it’s a broken computer, a backed-up sink or the weird-looking bald patch your dog has suddenly developed, when people put their faith in Google there’s usually an unspoken postscript: “I tried to do it the way Google said, and it didn’t work.”
I have been working in IT security for 30 years. I’ve come to see that computer technology is one of the areas where people are most likely to turn to the internet for help. I am not knocking Google—my team uses it regularly to resolve complex and confusing issues with technology.
We also understand that 99.9% of the articles are CRAP.
Well, maybe that was phrased a little too harshly. How about this—80% are CRAP.
Your search for a solution can put you in touch with a lot of people claiming to be “experts.” Some of them even are experts, and may have put a few good ideas into writing. Those search results do not equate to the huge number of hours that a professional will have spent in their chosen profession.
Google does not show me how to fight a civil action in court, but a high-paid lawyer will.
Google does not make your tax records easier to understand, but a good accountant will.
Google does not make changing that engine part any more understandable, but a mechanic does.
With 20% of all google searches being for new content, there’s no Google search you can do that will capture every exact specific of your court case, tax documents or computer problem.
What Google does, is make you realise that you do not know everything. It helps you understand that a professional—the person who wrote the article—is better qualified to do it.
When the sink backs up or the car starts making a funny noise, go ahead and Google. Yes, you can muddle through, and maybe get the right outcome!
But if that first “easy” solution doesn’t work, don’t keep trying more. The cost in time and money of continually tinkering with high-priced possessions are more than what you’d pay to get your problem solved once and for all.
If you want it done right, Google it, find an article about it—and then talk to the person who wrote the article.
Website Security and how to make your website more secure
[Start of transcript]
Just waiting for the last couple of stragglers to come along. We’ll get stuck into it exactly at 12 mid-day, and it should only take about 20-25 minutes to get through this, but it will also give you a bit of feedback on what’s happening, what you can do and how you can do it.
Good afternoon. Today’s Lunch and Learn is part of a series on digital security, but we’re not really looking at digital security from a vendor point of view, we’re looking at a digital security component that is designed to protect your business, and why you need to protect that component of it.
So today’s Lunch and Learn is “Why is my website a target of hackers?” And we’re just going to go through what the bad guys are doing, why we have websites, how they target your website, how they get in, what their end game is, and how do you stop it from happening to you, and then we can have a conclusion and questions and answers after that.
Why do YOU have a website?
Well, for most of us, it’s to get information out to the public. We have a product or a service that we want people to know about, so we have a website that tells everybody what we do. It can be either a static or a dynamic, doesn’t really matter. It’s just information.
Or, we could be running an e-commerce site, and that e-commerce site would generate revenue for the business. And in some cases, there are a lot of businesses that are purely based on e-commerce, so it’s very important that their website is really, really secure.
E-learning and education
Another component is e-learning and education, which is now on the rise, because it’s a lot easier and more efficient and effective to deliver learning to the general public over the digital world.
And then of course, we’ve got the blogging. And everybody, if they have a website now, is being told that they need to create content that goes on that site, and the best way to do that is to talk about either your products or your services in such a way that people will interact with what you’re talking about.
Blogging websites have been broken down into a number of CMS, which is content management systems, so that you can have total control over what you do. And we’re finding that WordPress, Joomla and Drupal are probably 70% of what people are using in the digital world as a blogging platform.
Who is targeting your website?
So, who and why are they targeting your website? Well, there’s three distinct, I suppose, animals that are out there, that are targeting your website.
There’s the script kiddies. Now, the script kiddies are people who are anywhere between 9 years old, 25 years old. They’re the up-and-comers. They’re thinking this is a lot of fun, and they use automated systems that they’ve downloaded from the cybercrime gangs. And those systems can be free, or they can cost a lot of money. One of the better ones is a Russian component that you can buy for $4,000 Euros. And that will give you the capability to start up your own business as a hacker.
We then have the hacktivists. Now, the hacktivists are the people who actually annoy the crap out of you. You’ve done something in your business and they didn’t like it, so they’re now in a position to be able to try and access your website. They’ll deface it. They may or may not steal information, but their whole role is to bring presence to what they don’t like about you.
And then, we’ve got the black hat hacker, the true blue person who wants to steal information or steal money from you. And they are the ones who are probably 0.001% of the all-encompassing class of digital criminal. And these are the people who live and breathe breaking into your website.
What do they want?
Well, we all know they want money, and they’ll go out of their way to steal either information or they’ll steal money from you if they can.
But they’re also after your intellectual property. Your intellectual property which is really important for how you do business and intellectual property that you keep on your website that is under lock and key either through an e-commerce gateway or other ways of controlling access to the system. So in other words, if you’ve got a PDF up there that you want to sell, your intellectual property is that you are selling that PDF as part of your business.
But one of the main things, and people do not realize is, that the bad guys want to steal access, or gain access to your website so they can infect visitors who are coming to your website. So they can upload malware to your website so that everybody who access your website has the complexity of being infected when they leave. And that is one of the reasons why the websites that we have are big targets for the cybercriminals.
How do they get in?
So, how do they get in? Well, they get in a number of ways.
Unpatched systems is one. If you’re running things like WordPress or Joomla, or Drupal, you will be constantly told that you need to update certain components of the website, because new components have been released to patch areas where you may have a vulnerability.
We also have insecure practices. Now, an insecure practice is when you install a website from initially when you set up your website and it comes up and goes, “What do you want to use as the administrator password?” And a lot of people will put in admin/admin.
Those automated systems that are ran by the script kiddies are actually looking for websites that have admin/admin as username and password. That is an insecure practice that we really need to stamp out. If you’re going to go—if you’re going to build a website, you have to think along the lines of it has to be secure from the moment you put it together.
And those insecure practices, you may have put in admin and admin as username and password. You’re quite happy with the way the website’s going. You’ve not got an e-commerce site that is based on that website, with the username and password of admin and admin, and that is not a really good place to be because that is what the bad guys are targeting.
And as I said, the digital criminal is no longer someone who we think is going to be relatively stupid, because they are very good at building our trust. They are very good at targeting us individually or as a group, and they go out of their way to make sure that along the way we are trusting them. Their trust comes down to social media, comes down to emails that we may have received from them. All of this is building trust within you and them.
The last thing that will allow them to get in though is a technology failure. Again, this is something that we keep an eye on, because the underlying system that your website is built on is built on technology.
A technology failure might also mean we haven’t closed a port on the firewall that goes to the website, or we’ve got problems with technology, or we’re being targeted by a degauss attack. Because they know that if a degauss attack is targeting your e-commerce site, then it’s not going to be able to deliver money to you.
What is their end game?
So what is the digital criminal’s end game? Their end game is to get as much out of you as they can.
So they are there to steal everything. And when I mean they steal everything, they literally do go out of their way to steal everything. So they want your database. They want your access to your PayPal system. They want to be able to steal whatever they can from you. And if you’ve got things behind payment gateways and firewalls, and all that sort of stuff, they want to get at that. And that is why they go out of their way to target your website.
Compromise your visitors
But most importantly, they want to compromise your visitors. If you’re getting a lot of traffic, let’s say 20,000-30,000 visitors, unique visitors, a year, and they—a week, sorry, and they compromise your website, then every one of those 20,000 visitors that will come to your website leave infected. And that is why they go out of their way to make sure that they are targeting websites.
A compromised website can damage:
If you get compromised, your website is hacked, and either through a script kiddie, which is not so devastating as other ways, but if you get hacked by a hacktivist or a full-blown hacker, then you are going to have damage that you are not going to understand how to fix.
For one, it will damage your reputation. And by damaging your reputation, in the digital world, reputation is everything. And although we may think that yes, we’ve been hacked and we know. We’ve fixed the problem and we’re going to back after the general public again with the same product and the same line. We’ll find that our reputation is now tarnished. Because it’s been tarnished, the chances are that people, or less people, will now come to you.
But things a compromised website will do is it will impact cash flow, especially if you’re in an e-learning situation or an e-commerce situation, because you are in that situation that allows you to do whatever you need to do.
So if you get a compromised website and all the cash that you’re making is suddenly not going to your coffers but going to the bad guys, then you have a serious cash flow problem. That way, you now have something that you really need to do something about.
In addition to cash flow, it will impact your productivity. And I’m talking about whether you can build the widgets that you are selling on the site, on your website, and the productivity component of it is again another impact on your business.
What can you do to stop it happening to you?
So what do we do to stop it, and how do we stop it happening to us?
Patch it all
Well, one of the things we have to do is patch it. WordPress comes out with an update probably once every two or three weeks, and it will come up on your website saying you need to install the newest update.
It gets pretty annoying because it knows that if you don’t patch it then your system and your website is vulnerable. So you need to update your systems as often as required. But that also means you have to update your plugins and your widgets, and everything else that goes with either WordPress, or Joomla, or whatever other systems.
And if you’ve got a system that has been made by someone else, there better be a security component to it. Because if it’s been built on something that only one or two people have access to or have an understanding of, you still need to make sure that it’s not vulnerable to being hacked.
Process and policies
You also need to put in policies and procedures, and processes. How often do you visit your website? How often do you visit not only the front end but the back end? How often do you actually go to the home page of your website?
If you do go to your home page of your website, are you taking notice of things that aren’t working, aren’t doing what they are supposed to be doing, or that information is stale and old, and needs to be updated?
That also means the policies and procedures that you put in place for people who are actually updating the website themselves. If they’re installing a widget on a WordPress site, have you got specific criteria for why it’s being installed?
That specific criteria might include it’s got to have more than 4 ½ stars before you’re allowed to you, and it’s got to be around for more than a year, and it’s got to have more than 10,000 users. Now those criteria would make it very hard for someone to compromise your system through a plugin.
Complicated username and password
As I said, when you set up a WordPress site, it asks you for a username and password for the administrator. The best thing you can do is not only use a complicated password, but use a complicated username. For instance, admin_joeblow_123. And then you need to remember the password and the username, because otherwise you won’t get into your system.
Restrict or manage comments and users
You need to—most people have blogs, and if they’re blogging they are looking for comments or input from other people. And you also need to—because the bad guys also know this and there are times when you’ll get a lot of crap coming through your website, because you’ve got comments enabled but people don’t have to log in and use a username and password.
And that’s a restriction that you need to put in place if you’re going to accept comments. If you’re going to accept comments, the reason why you need a username and password is so that you go to the second step of not having the automated systems putting information into your comments on blogs.
And also, your users have usernames and passwords and you can enforce complicated passwords on them as well just to be on the safe side. But if they’re adding to a comment or if they’re blogging individually on your website, those people also need to have a decent username and password.
Wherever possible, try to make sure that the data is encrypted. Because if it’s encrypted, then if they do—if someone does break in and steal, for instance, your database of users and commenters, then that information is very hard to get out of that database. On top of that, if you’re encrypting the information, whether it’s coming or going, there’s no chance of being eavesdropped on and that information being picked up.
But encryption also goes to locking down your system as well. So two-factor authentication. Because with two-factor authentication, you use a username, a password and something else. To me, that is a lot more secure if you’re going to have a very productive website that is going to do things for you.
Use a web gateway
The last component that you can do for your website is to use a thing called a web gateway. Now, your web gateway literally is a gateway on the internet that captures all the traffic coming to your website. There are companies that actually sell the product of a web gateway. We’re not one of them, but what we have found is a web gateway cuts down probably 99% of people targeting your website. Everything else is still functional, but the bad guys have a lot of trouble getting past that gateway to get to your website itself.
So in conclusion, the bad guys are out there. Don’t get me wrong. They are out there. And they want access to your website to not only steal from you, but to also target your visitors. So make sure you protect your website the same way you protect any other digital system, because if you do that, if something that we initiate to get to the point where you’re protecting your business, then you also understand that we are protecting our clients, our people who are coming to our website.
So that’s the conclusion. My name is Roger Smith. I am an Amazon #1 author on cybercrime and digital security. I am also the CEO of R&I ICT Consulting Services, and I am a speaker on the digital world and how normal users need to be aware of the dangers and how they can take appropriate action.
Building a secure framework around your business using available technology
[Start of transcript]
—anti-virus on any system that is connecting to the internet.
Why we still need it
And this is why we need it, because the viruses that are out there, and they are out there, there’s a lot of them, they need to find homes for themselves, and the only way they can do that is through the technology that we’re utilizing. And that anti-virus means that you’ve got a 99.9% chance of stopping that virus coming into you.
End point protection – AV, malware, spyware
Anti-virus goes to the next level as well, because anti-virus also needs things like endpoint protection. Anti-virus, malware, spyware. And that endpoint protection has two components. It’s actually on the system itself, whether that’s your tablet, your phone, your laptop, your computer, or your server, and it’s managed from somewhere, managed from a central location so that anytime anti-virus attaches to your network it gets pushed out, the newest versions to your system, the newest updates that are required.
But we also need to authenticate. We also need to, all of that technology and software that’s coming into our networks, we need to have some way of finding out who’s accessing it and how they’re accessing it. And that who’s accessing it and why it’s being accessed is part of the authentication protocols for your system.
Username and passwords
The most important part of authentication is your username and passwords, and we all know how complicated usernames and passwords are. I’ve just read an article recently about the difference between a professional person and a non-professional IT person on how they manage usernames and passwords.
So a professional, I have a complicated password. I use a password manager, mainly because I have access to 200-300 sites or reasons to have access to 200-300 sites, and I’m never going to be able to remember.
But there’s also other things you can use. You can use a password. You can actually create a base password that you add on different components of. The security, we’ll talk about cloud later on, is cloud is only secure as your usernames and passwords on your terrestrial systems. Because if you don’t have—if you use password and password, then the hackers are going to be able to hack that without a problem in the world.
The other thing about passwords, and especially when it comes to hardware and software installation, is some things come with a default password. They actually come with admin and password, or admin and admin. And this is what default passwords are known by. You can do a quick search on the internet. You can go default password for this model.
And then it will tell you admin/admin or admin/password, admin/blank. But that also then goes on. So you need to change those passwords, those default passwords, before you put something into production.
It’s probably better, as you’re setting it up, the first thing you do, it’s forced on you by some of the high-end security systems, things like Cisco and 40Net, they require you to change your password the first time you log onto the system, and that’s really important.
The next part of a technology is encryption. And we’re seeing encryption from a number of places that require information that needs to be encrypted for some reason. Now, we all use encryption when we go to buy something from EBay, or now everything on Facebook is encrypted.
And that’s because that information is there not only because nobody can intercept the communication between the device and the back end, and that back end is also encrypted to make sure that data is secure.
But why do we need encryption? Well, one of the main reasons we need encryption is so that people are no longer able to eavesdrop on the communication between device and back end. But on top of that, if someone actually does get into the back end, or gets into the front end, and steals the database, it’s all encrypted, then they’ve got another problem for themselves.
Normally it would be just in plain text, you know, Joe Bob has got this email address and this credit card number. All that sort of information is in the database. But if it’s all encrypted, then all they get is gobbledy-gook. And that gobbledy-gook is really good because you no longer have a problem with it.
Why we need to employ it in transit
So we need to have some level of encryption, and that level of encryption comes about because we’ve got information being transmitted between your device and the back end and that’s what’s called in transit. And that transmission that comes between you and back again, if it’s encrypted then people can’t read it. If people can’t read it, there’s no problems with it.
Why we need to employ it at rest
But we also need to encrypt our “at rest.” It needs to be encrypted so that when it is located on a hard drive, and even though you employ cloud computing, it’s still residential on some piece of hardware somewhere. It doesn’t matter where it is. It would be nice to know if you know where it is. But it doesn’t matter where it is, as long as it is at rest it is encrypted.
VPN – Virtual Private Network
We have a system called virtual private network, which is really a tunnel between a device and your system over the internet. So it’s literally a system where you can protect all of that information that you put past as intellectual property by making sure that the information is always unreadable. And that’s why we need virtual private networks. We used to have systems dial in, but now virtual private networks are so much easier to use and so much easier to set up.
And then we’ve got Wi-Fi. Who here has logged onto a Wi-Fi connection that didn’t require a username or a password? Do you know why it’s not a good idea? Because going back to the encryption component, that username and password, or just the password, the WPA passphrase, actually encrypts the information that you’re putting into the system.
And that passphrase, along with a few other components of your computer, gives you a unique encryption component that then can be used by them to make sure it’s more secure. And again, once again with Wi-Fi, if it’s got default usernames and passwords, change them, because you don’t want other people getting onto your Wi-Fi and using your system to attack other people.
Principles – Dos and don’ts
So we’ve now got some principles around what we’re doing as a business and an organization. Because we know that we need to have newer technology. It doesn’t have to be super new, but it needs to be newer technology. And as I said, with things like Wi-Fi, there are definitely dos and don’ts.
Use complicated passwords and passphrases. Use complicated usernames and passwords for VPNs. Make sure that your technology is doing exactly what you want it to do. And you want to make sure that along the lines of how you protect your business, these are things that you really need to do.
Now later on, we talk about management in our framework. But management of the technology actually has its own systems in place. Normally we have policies and procedures and processes that are managing the people who use the technology, but you need to have some level of system management to make sure that they systems are set up properly.
Setting up those systems, because it is very important about how you do it, you need to have a level of visibility. You need to be able to say, “If I set up a firewall, how do I go about doing it?” for instance. “If I’m installing anti-virus, where does it get installed? What does it get done by?” These are the systems that make your system, your organization, more secure.
But along with visibility, we also have accountability. We have an accountability component because we need to know who set that firewall up, who changed the rules of that firewall. Did they change the rules, or did they just make a rule up that they didn’t know was going to work and then didn’t worry about it? Who did that? Why did they need to do it?
And then we need to have some component of manageability. It’s no use having systems in place that nobody knows how to manage. And for small or medium businesses, understanding technology can be a huge burden because it means you are either not focusing on your core business, or you have someone else who’s not focusing on their core business.
Technology, I know everybody wants convenience and low cost and everything else, it doesn’t matter how convenient the system is, what you are seeing is 10% of what the system can do. Because that 10% is what makes our business work. That other 90%, we don’t even know about. And that’s what the bad guys really want you to do, is they want you to be unaware of where to go.
One of the things we come about with small or medium businesses is everything is in one place. Your database is on a server. Your exchange is on a server, and there’s no segregation or separation of that information. That separation of that information is really important. Small businesses usually, staff, with the account system, everybody has access to the account system.
But as you get bigger, you don’t want that so you need to start separating your data. The other thing about data separation is if you’ve got a Wi-Fi system that has a guest component, or someone has even a Wi-Fi system that doesn’t have a guest component, the best thing you can do is—
Yes, they can log onto your Wi-F and use your Wi-Fi as long as they’ve got the proper passphrase, but you don’t want them inside your network. Because if they’re inside your network, they can do so much damage without even knowing what they’re doing. So data separation means that you make sure that if someone on the Wi-Fi needs to access your network, then they can VPN in, and that separation is critical to protecting your organization.
And because we don’t want a flat network, if you’ve got people who want and need access to specific IP or patents, for instance, then you don’t want everybody having access to it because you’ll lose that intellectual property and trade secrets. And if you’ve got information about how you tender, or how you bill on a tender, or what your cost is for a tender, then you don’t want someone else, your competition for instance, knowing that’s how you work. This is why you don’t want a flat network. You want to make sure that flat network is a tiered access so that people, only specific people, can get to specific information.
Another thing about technology is we worry about how we manage patches. Patch management is really important across the board. Because patch management literally tells you which component you’re patching and which component you’re not patching. Patch management is again, going back to the difference between a professional and an everyday user, a professional would sit down and to, “It doesn’t matter what those patches are, I’m going to apply them all. Most people just get selected by, “I’ll just click the button and go here and score the lot.” That’s what you need to do to make sure. Because you never know when that compromised system, or that system that can be compromised, even though it was a benign compromise, couldn’t do anything you couldn’t get out of, might turn into a cancerous attack. And you need to be able to manage those updates as well.
Finally, we’re looking at best practice. All hardware and software comes with “This is how you should install it. This is the best place to put it. This is how you should set up your firewall. This is how you should then take the next step to go to the next level.”
That best practice is designed by the people who made this hardware and software, so the best practice is coming from literally the horse’s mouth. They are telling you to set up x machine, you need to do x, and if you don’t do x, it’s not going to work to the best capacity that it can.
Why we need them
But also, when it comes to that level of expertise, you need to have the expert advice, because they have created a machine, for instance, that connects your Wi-Fi to the rest of the network. So you need to know what is the best way of doing it, and how you are you are going to do it, and why you need that device in the first place because it does a specific role and protects your business from a specific thing that makes it harder.
So, in conclusion, we’ve looked at the technology. And the technology component of my framework has a number of systems.
Hardware – So we have hardware, which is literally the hardware components of what we use to do our business.
Software – On top of the hardware, then we have software.
Anti-virus – And protecting that software is anti-virus. That’s only a first-level defense, because all of the other things that we’re doing should be making that defense around your organization a lot more secure.
Authentication – We need to make sure that the right people are getting at the right information in the right way, and they cannot run away with that information or make it very hard for us to make sure that information is secure. This is where authentication comes in, so the right usernames and passwords have access to the right information.
Encryption – And all of that information that we’re downloading or moving around our network is all encrypted, so nobody can pick it up and store it somewhere else unencrypted so they can steal that information.
System Management – We need to manage the systems that we put in place. We need to incorporate management policies and procedures so that when the systems are installed, this is how you do it. We do a lot of installation of things like servers, for instance. We have a checklist. That checklist includes what is installed, how it’s installed, where it’s installed, and how the system is set up.
We know that there’s not going to an administrator, an account called administrator because that is part of our system management. We know that the passwords are going to be more than eight characters long. They’re going to adhere to a specific setting that we’ve got in our system. That is why we need to manage the systems properly.
Data Separation – We need to separate our data from public to private to super private to secret. And that data separation is really important for that business. It might mean that you only keep your really important information on a USB stick that you keep in your pocket, hopefully with a backup.
But you know that the only person who has access to that information is you, unless of course you lose it, and then you’d better hope that it’s encrypted. Because if it’s unencrypted, then you have a problem.
But going back to USB sticks for instance, alright? USB sticks are like a ubiquitous part of our business at the moment. Everybody has USB sticks. Everybody has USB hard drives. And there’s two problems. One is how do you make sure that information on that system, if I plug it into my computer I can read it?
You don’t want that to happen. You want to be able to go plug it in, yes, there’s data there but it needs to be unencrypted to be able to access it. Because it’s your data, you usually have the key for that problem. But if you lose that hardware, you lose that USB stick, then you have got a level of protection that is there just in case you lose it.
But the other one about USB sticks is the bad guys have found a way of using them to their systems. What they’ll do is they’ll actually seek car parks with old USB sticks. A friend of mine got caught in Las Vegas with this. Crossing the car park, she picked up a USB stick, looked at it. It has Boeing on it. Boeing Airlines. A legitimate company, rather large.
Obviously someone from Boeing had dropped it, so she took it home. Took it into her hotel room. Instead of handing it into the reception area, she just took it upstairs and plugged it into her laptop, and she was quite happily looking at all the information on it. What it was, was a slideshow.
To make the slideshow work, you could just click on a slide element and it would come up as a product. But if you wanted the slideshow to work, there was a little thing that said slideshow.exe, and she clicked on that. She wasn’t able to use her laptop until she got home because nothing worked after this. That’s one of the reasons why you’ve got to be very careful with what’s happening.
Best Practice – In addition, we have the last thing, which is best practice. Best practices are the way—is professional advice on how you do things. Installing a firewall from Cisco? Then you use the best practices from Cisco. Installing a Wi-Fi system from Linksys? How do they recommend you set it up? That is best practice
Where does this all fit into the framework?
As I said, we’re looking at the framework which is technology, management, adaptability and compliance.
How do you know if it is all in the right place?
We need to know that all of this information is in the right place and all of that technology is working to our benefit in making our business so much more secure. So we don’t need those legacy systems, and if we do need the legacy systems, let’s go and find another system that works the same way to a level we can then utilize for our business.
Where to from here?
So, where to from here? As the little man in the maze said, “What now?” What you need to do is upgrade your systems. You need to make sure you are using the best systems that are available, the newest systems available. That includes, and I’m not really delighting in Windows 10 at the moment, but it is important that you use that type of system.
If you’re using Windows 8.1, great. But if you’re using XP, get rid of it, because it is a huge problem. If you’re using an old iPhone 5 for instance, or an iPhone 4, I use an iPhone 4 for recording, but that’s the only thing I use it for. It hasn’t got anything else on it apart from it plugs into my computer and I can download the movies onto it. That’s really important going forward on how we do it.
So, if you want more information, I have two books out. One you have to buy, the other one is free. If you want to get in contact with me, then I am on Twitter. I’m on Facebook. I’m on LinkedIn. Just drop us a line.
Seminar and Webinars
We do run these webinars and seminars regularly. We’ve got another webinar tomorrow at 12:00, on a Lunch and Learn series. But we run seminars as well, and we do Google Hangouts just to make sure that we are getting in contact with as many people as we can.
So thank you very much. Are there any questions? If there’s no questions, thank you very much for your time. It has been very nice talking to you.
Interviewer: I think the scary part of it in your business is the fact that you make one mistake, and it will probably be a big mistake.
Roger: Well, yeah. One mistake in the digital security area can lead to repercussions like you would not believe. And I don’t think really, fair enough, I’ve been accused of fear-mongering and everything else.
But I don’t think normal, everyday people, realize that the problems we’ve got is not that we’re not paying attention, it is we’re not doing anything to resolve the problems. It’s either, “It’s not my problem.” Or, “We’re too small to worry about it.” Or, “We’ve got nothing worth stealing.”
But the repercussions of just having an attacker inside your network, it doesn’t matter if it’s your home network or your work network, then you’ve got a really major problem.
Interviewer: Well, it’s interesting. I was looking at my scan file last night.
Interviewer: So every six months I go through that just to make certain there’s nothing in there that I need. I found a couple of things that really I needed to have in another area. But I was appalled by the number of times in that six-month period I’d been asked for money and all I had to do was contact this person, and press here, and “We’ll do this for you.” I was the beneficiary of an estate. It just goes on and on and on.
Roger: Or, “I’m the legal person representing x.”
Interviewer: Right. And it struck me that without the security of a good, well-planned social media approach, you could easily have those coming directly into your inbox.
Interviewer: And by mistake, press them, or just through curiosity you’ll press them and the like, and that can be a huge issue as I have seen with a couple of my clients who have just lost everything.
Roger: Yeah, well there’s a new scam I’ve just noticed recently. That’s the Google Docs, or Microsoft’s One Cloud. What people are sending you is a link to a Google Doc. Okay? You don’t know the person and it may have gone into your inbox. It may go into your Spam box.
But the fact that we are now using Google online as our document repository, or we’re using Microsoft as in OneNote and all those sorts of things, there is a really big chance that you will click on that. Because A, it probably may come in from Jess Smith instead of Jessie Smith, and you may not think “Why is his name changed?”
That initial click is what’s going to happen. What we don’t see is, I suppose a lot of people don’t see, is the fact that the cyber criminals and the digital criminals are always adapting. They’re always changing their tactics. That’s why it makes it very hard for people like us to keep on top of it.
Because when the phishing scams came out, they were all low-level, bad spelling, bad grammar, probably no chance of being opened. We’ve not got to a stage where some of the scams, as I said for Google Docs comes in, and it’s good spelling. It’s targeted at someone to open it.
It may be you’re being sent an email that says “Dear Boss. I came across this last week. I thought you might need to read it.” And that’s all it takes because that’s what the criminals want you to do. They want you to make that initial, I suppose, commitment to them. And that’s really what drives them.
Interviewer: Well, another interesting example that came up yesterday was a mutual friend of ours. And his son came to his dad and said, “What’s this about, Dad?” And Dad looked at it and it was from a person. It may have been eBay. I’m not too certain, but one—it was either from a person or eBay saying, “Just confirming you’re going to be in Toowoomba tomorrow to pick up your $28,000 Caravan.”
Interviewer: And the son had no idea what it was, of course. Nor did the father. But the father was smart enough to follow it through. And what had happened was that this young boy had been targeted by one of his “friends” who decided to teach him a lesson with talking about bullying at school.
And this chap had put in an order to buy this $28,000 Caravan to pick up today or tomorrow, something like that. And the child had no idea what was going on, so he got onto eBay. Then he got onto Google. Google went searching, and Google came back with a shopping lot of news to tell the parent that his son’s email account had been violated by this particular person.
And he had sent this extraordinary number of emails to his teacher, to the school, to other friends at school, in this case to girlfriends and everything else, with the most vile, terrible language you could ever imagine.
Interviewer: And the police are currently involved in solving this particular problem, and they’ll prosecute the person for doing it. But there’s a young person in a school, and I’m talking about 14 and 15 years of age, who decided to destroy somebody by doing this.
But the alert parent was onto it so quickly, and of course an immediate email was sent out by Google, and by him, so it was two separate emails, explaining what had happened. But that’s just one of the dangers we face, and people take no notice of it.
Interviewer: They should.
Roger: Yeah. Well, the other thing is, for instance, going back to that example, is the chances are now that anything that young boy does with that email address is going to be suspect. It doesn’t matter whether it’s above board or below board. So that’s one problem.
All of the problems that email address has created now becomes a bigger problem because they can now, as you said, they bought a Caravan in his name. Have they opened accounts in his name, bank accounts? That type of thing is very important as well.
With an email account with Google, you’ve also got things like if the account has been compromised, you can actually get at all the other information that correlates to that person, where they live, date of birth, if they’ve got a driver’s license, their phone number.
So you’ve now got really a blueprint of that person which they can use for anything they want to use it for. Now it’s lucky it was only one person against one person, because if that had been a criminal gang, then they would have had even bigger problems.
Interviewer: So a criminal gang would have had the ability and the willingness to distribute that same information to 500 other people?
Roger: 500-10,000. Yeah. And then you can use that. See, the digital criminals not only are after the email address. If they’ve compromised your email address, there’s a really good chance that they’ve compromised the computer that that email address is on as well.
From that, because the actual technology that we use to communicate and do whatever we want to do, and play games and everything else, is a valuable commodity to the criminal enterprise. Because from that technology, they can launch other attacks.
They can use that information that is there. And they can then go from where they’re focusing on you to focusing on your friends, your family, to the next level. And that, as we all know, three levels of separation, and we’re probably closer to other people that we don’t know.
(On Demand Webinar) – An overview of organisation protection in the digital world
[Start of transcript]
I’m just waiting for a few people to turn up, just to make sure we get everybody.
We’re broadcasting this on Periscope as well, just to be on the safe side. Let’s see if it works because I think it will be an interesting time to see if we can get this type of thing working.
Today I’d like to talk to you about how a small business can create a better framework for business, so to protect yourself in the digital world and also just to make sure that a lot of things are in place so that you don’t get targeted by not only the bad guys but everything else that is out there. So that’s the aim of the presentation, and hopefully you’ll get something out of it and you’ll be able to go to the next level and improve the security around your business and your organization.
We’ll wait another couple of minutes just for a couple of stragglers that are coming, just to make sure we’ve got everybody, and then we’ll just get stuck into it. You won’t see me. I’ll put up a slideshow that is not that much. I’m not going to baffle you with PowerPoint art, but hopefully we’ll get everybody on the same page when it comes to digital security.
Okay, I’m going to start now.
It’s Complicated out there!
We all know how complicated the digital world can be. No matter what you’re doing on it, no matter what you’re in charge of, no matter what part of it you’re using for your business, it gets pretty complicated pretty quickly. On top of that, if you’re not really careful about what is happening, you then become a target of cybercriminals and cybercrime. What we are trying to avoid is making sure that you are not in there.
Understanding the requirements of digital security
What we’re going to do today is discuss the understanding, the requirements of digital security and just give an overview of what you need to do to protect your organization in the digital world.
Roger Smith – Speaker
My name is Roger Smith. I’m a speaker. I’m also an Amazon #1 author on digital crime. I’m the CEO of R&I Consulting, and I focus on getting everyday users of the digital world to understand the dangers, and take necessary precautions. So my role is to stop smart people making dumb mistakes. That’s what it’s all about.
So this presentation, we’ll just go through:
What the bad guys are after and why we know that
How the bad guys get in and how they target you?
What are the basics of digital security?
Then we’re going to go into the 4 pillars of digital protection and what it means to an organization
Then we’ll talk about getting the right balance and why you need to get that balance involved.
Also then, we’ll just go into other things like you also need to look at the non-digital stuff to protect your organization.
On top of that, at the end of it, we’ll go through what you can do now.
The digital world is used by all of us, literally. Anybody in business in the Western world now has some presence in the digital world, whether it’s just a basic email or it’s a full-blown 3,000 people using a cloud-based system all over America or Australia, in those areas. The reason why we’re going to the digital world, mainly because it’s cost-effective, and on top of that, it is low-cost.
But we use it for everything. Social media, business, networking, search, innovation, R&D. We use it on our websites and we use it for marketing and sales. It is a very interesting balance to make sure that you are—you have the convenience of the digital world but you’re also protecting yourself from the bad guys.
Exponential rise in crime
Originally, crime started with I had something that someone else wanted and they took it away from me. Then in the 1600s, 1700s, 1800s, 1900s, we had a large group of people storing their money in specific places, and that’s where we had the rise of the bank robbers and the places like Jessie James, Ned Kelly, Ronald Beats, because a group of people could steal from a larger group of people.
In 2014, we had the Target hack. It was a very small group of people stole information and money from 34 million people. This is what we’re talking about, the exponential rise in crime. Because at the moment, making sure that you are protected means also making sure that when you give your information away, that is protected as well.
What do they want?
But what do the digital criminals want? What do the bad guys really—why are they doing what they do?
Money, access to money and money under your control
Well, they need access to your money, and access to money itself, but also access to money under your control. So that access to money also means that they are looking for ways to get you to compromise your security and give them your money.
IP / trade secrets / tactics and strategies
They’re also after your intellectual property, your trade secrets, your tactics, how you work, how you do business. All of that information is really important if they were to come in and try and take over something else that you’re already doing.
One of the other things they’re most importantly after is they’re after your client information, because with the client information, they can go off and target other people. It becomes part of their social engineering component of the digital world so that they can find out all the right information about what you’re doing and what your clients are doing.
One of the things that people forget is that they’re also after your technology. They’re after your Wi-Fi system. They’re after your router. They’re after your PC. They’re after your laptop. They’re after your smart devices. Because they can then use those smart devices to target other people.
But on top of that, your technology is worth money to them. Because it’s worth money to them, they are quite happy to compromise your system and make sure that you then become non-controlled by yourself. That is why we lose control of our technology with things like malware and viruses, and worms.
What are they using to get in?
So what are they using to get in?
In most cases, the number one attack weapon of the cybercriminal, or the digital criminal, is email, because everybody’s got an email account. Email is easy enough to target. It doesn’t cost them any money.
With the rise of email, we also saw the rise of spam. In the 1990s, early 2000s, we had spam that was more interested in selling Viagra or getting a Nigerian prince’s money out of Nigeria. But then smarter criminals got hold of it and started utilizing it for other things.
Then we had the rise of the phishing email. We’ve still got phishing email like we get nowadays. The classic example is the crypto-virus. We get a phishing email that’s addressed from the APO, or the Post Office, or Internal Revenue. Because we are very willing to open and look at an email when it’s based on that.
But then again, we then had the introduction of the spear phishing. This has only been around for the last maybe six to seven years. Spear phishing is an email that comes into your system that is specifically targeted at you. Because they’re specifically targeted at you, they’ve done their research.
They know you are. They know who you are targeting. They know what your friends are. They know what your business is. They know what your hobbies are. They will write an email that is specifically aimed at you, making that idiot decision to click on the link.
But what phishing email and spam, and the spear phishing email are doing is they’re targeting exploits within your system. The exploits are pieces of code that haven’t been written properly, or they’ve been removed but they haven’t been deleted from programs. These programs that have these exploits, you know, Windows has 2 ½ million lines of code. Finding a specific error in that takes a lot of work. The trouble is, the cybercriminals have got the time and the energy to do that, and that’s what they do.
Infected web sites
But just like we have operating systems on PCs, we have operating systems on websites as well. We have the underlying operating system. The underlying operating system is what hosts the website itself. So if that gets compromised, all of the websites above it get compromised as well. They use that compromised system to actually file out malware to other people.
The Insider (malicious and unintentional)
We’ve also got the insider. The insider can either be a malicious person who doesn’t like your systems, doesn’t like you, doesn’t like your business, and they’ve been employed by you, and you’ve realized they don’t like you and they have stolen information, or stolen systems, or put malware on your system.
But there’s also the unintentional one. That person who has clicked on the link that you didn’t want them to click on. That has exposed both your PC and your business to the digital criminal. You don’t want that to happen.
What are the basics?
So what are the basics? The basics are really easy. There’s 8 of them. Those 8 basic things that you need to do will protect you in the digital world.
I’ll miss the first one, but passwords. Passwords are really important. They’re your passport to the internet. They are your passport to the internet on any number of websites that you go to. Passwords have to be longer than 8 characters. They have to be complex, so anything on the keyboard is fair game. They have to be unique for every website you go to.
That, as you can understand, that is a problem just in and of itself unless you have a system on doing it. I have a number of videos that you can watch that will actually explain how to create complex passwords that are really easy to remember.
I was talking about exploits earlier. So when an application or an operating system developed or found that they have an exploit, they will patch it. They will send out an update that will remove the capability of something being able to target that issue. Although 99.9% of exploits are benign, they can’t do anything. Maybe you can create a character on the screen, but it’s not going to cause a problem. They’re not going to allow access to the back end of the computer.
The next thing you need to do is worry about anti-virus. An anti-virus is really important because it catches that 99.9% of the viruses that have been around for a while. By catching that, it then means that you can keep an eye out for that other 0.01%, or 0.1%.
Back it UP
The problem with the digital world is it’s digital. My laptop falls in the—gets flooded out, or I drop a cup of coffee on it, or I drop my phone in the toilet, or someone steals my tablet, then all of that information that was on it is now gone. So we have to make sure that we are backing it up and backing it up in such a way that is not stored in the same place. So if I lose my phone, I have a backup of all my contacts, all my videos, all my films.
The next thing we have to worry about is firewalls. Firewalls are used to protect you from the digital world. They stop those basic attacks coming into your PC or into your business. They are there to make sure that whatever coming from inside the business goes out but everything on the outside doesn’t come back in.
There’s two that we’ve coined. Paranoia. Fear the digital world. Don’t be scared of it, but have that underlying system in place that you go, “Should I do that or shouldn’t I do that? Why am I doing that?”
The last one is common sense. Common sense is really important when it comes to making that split-second decision between clicking on that link that decrypts all your data on your PC, or not clicking on that link. Common sense is a question about “Where did they get my email address? How come they’re targeting me, and why are they sending me an email?’
What is a framework?
So what is a framework? I’d like to talk to you, the framework we’ve developed that is, I suppose, an easier way to understand how you can protect yourself. There are a number of frameworks out there. This is just a few.
We’ve got the Control Objectives for Information and Related Technology (COBIT).
We’ve also got the ISO 27000 Series.
We’ve got the NIST Special Production 800 Series
These are complicated frameworks around how you do business. They want you to change your business to fit in with these frameworks. That’s where the problems really start from, because no longer can we say you are a x in this industry, so this is how you have to do business, because if everybody else is doing business that way, there’s no advantage in doing it. That’s where technology is really come into its own.
But also we’ve got the vendor-based technologies and the vendor-based frameworks. Those frameworks are things like the Cisco Security Framework that relies on Cisco products, or Strategic Framework if you’re using cloud, or an IT Security Policy, which is a really basic framework about how you are going to protect your business.
The 4 pillars of digital security
So we’ve taken all this information and we’ve tailored it down to four pillars of digital security.
What you really need to do to protect your organization
You need to worry about the technology. The technology in place of how you are going to do business. That technology makes your business so much better and makes you competitive in the industry.
You also need to have a management component. That management component takes into account all of the other components and the pillars of security.
We then have to have an adaptability component. The adaptability component is not about if something goes wrong, but it also involves having your organization able to change direction without losing impetus. So you can see an opportunity, and if you are adaptable, you can actually grasp that opportunity without having a problem.
Then the last one is we all have a government compliance component. That government compliance component is how it’s all based in the industry, or via government, or how you want to do business yourself.
So let’s just take a step back and go through each of these areas.
The technology. Literally all of the technology components of your business. So you have your operating systems, your hardware, your software, your applications, your encryption, your cloud, BYOD and how you’re going to manage it, firewalls, wireless, VPN, anti-virus, and tie it all together with best practice.
Best practice is usually created by the vendors that say “This is the best way of putting my system together.” To me, that is really important, because if you don’t have the best practice of how that system is put together, then it’s not going to work to your benefit anyway.
The second component is management. So management process that we need to know, and who is involved in what they are. So we have the three P’s – processes, policies and procedures. Because you don’t want to have your accountant come to the business and go “What is my role?” So that’s part of your procedures, part of your processes, part of your policies.
But also on top of that, you need to audit all your technology. You need to have reports coming out of your technology. And you’ve got to be very aware of the reports that come out of technology because they’re only reporting on those systems. So you need to have an overrule reporting system that will help you make decisions at the top level.
You also need training and education. Education and training are really important if you want to protect your business, because if you start training and educating your people, they will then actually come back and say, “We need to do x because x is what my education has told me.”
Then we have the adaptability. So we’re looking at risk assessment, risk management, disaster recovery, business continuity, your cyber and digital resilience and also your culture. Your culture is also just as important as everything else because if your culture doesn’t allow Joe Bob, who’s working at reception, to come to the managing director and say, “We’ve got a problem and this is why.” And the managing director actually accepting that he has a problem, then culture is going to have a big impact in protecting your organization.
And then as I said, we have compliance. Compliance is probably the most difficult component to define because all business or industries, and all organizations are unique. They are different from each other, and different from anywhere else because we are all unique and how we do business depends on who you are.
So all of these framework components make your framework a lot better and a lot easier to understand. It also means you’re going to be making decisions based on fact, not on what’s coming out of the back end, not coming from the IT department saying everything’s rosy.
But as I said, most frameworks are created by companies, and they usually say, “Buy my widget because my widget is the best and it will protect you, and you will be secure.” What a load of poppycock. There’s no silver bullet in the digital world. There’s no way of significantly protecting yourself by using a product.
From Cisco all the way through to D-Link and TP-Link, there is a way around every system. You might not be able to get through a FortiGate, or a Juniper, or a Fortinet firewall, but there are ways around it. That’s why you need to have a framework in place.
By having this attitude that “My widget is the best,” we’re not having a holistic impact on your business. We are not protecting the business. That is also what this is all about.
A Framework has to have certain features
But a framework has to have certain features to make it all work. It has to have features to a level where we are making sure that everything we’re doing for the framework is actually helping the framework.
The framework has to be agnostic
It has to be agnostic. It doesn’t matter whether you’ve got a Cisco firewall, a FortiGate access point, you’re using Symantec on the inside to protect yourself at endpoint protection level. All of those components have to work together. It doesn’t matter whether it’s a FortiGate firewall or a Cisco firewall. It is a firewall, second-generation firewall that does x. So it doesn’t matter what the hardware is.
Your framework has to be understandable
It has to be understandable. All the people in the organization has to understand why you are doing something to make sure your business is protected, and what is in place. We have to have some sort of puzzle that we keep putting a little bit together and making it so that everybody understands that the firewall is there for a reason. The reason why we’ve got these policies is there for a reason, so it has to be understandable by everybody involved.
Your framework has to support your business
One of the things we find in most technology companies is they want your business to change to support their technology. To me, it’s the other way around. The framework has to support your business, and it has to support your business to a level where you don’t have to change how you do business.
Because if you change how you do business, you don’t have the alacrity to go we can swivel on a pin to change direction. So the technology has to be in place to make sure that you can do that swivel if you need to. So it has to support your business, not the other way around.
Your framework has to be manageable
It has to be manageable. What I mean by manageable, someone has to know where all the bits go together and what bits are doing what. Your framework, whether it’s either your technology or it’s adaptability, has to be something that you know “This is what we do. We have a business continuity plan, and this business continuity plan does x.” That is really important for what we’re trying to do with this framework.
Your framework has to protect
Most importantly, your framework has to protect. We know there’s no such thing as 100% security, but we can try for it. That’s what this is all about, trying to make yourself as secure as both your money and your capability, and your team, can make you. So it has to protect you.
Your framework has to be cost-effective
And because we’re trying to protect you, we’re not going to go out and buy—if we’ve got an income, let’s say we’ve got a revenue of $100,000 a year, we’re not going to go out and buy a $50,000 firewall. So we have to have some cost effectiveness in place to make sure that we are getting the best bang for our buck.
Your framework has to build defense in depth
We all know what the old castles used to be, and why they were built, and what stopped them from being as efficient as what they used to be. Originally, the medieval castle was designed to protect the Lord who was in the castle itself. It lasted up until we started creating cannons and we started firing cannonballs at each other. But your framework has to build defense in depth. The thing about a castle was you had a moat. You had a drawbridge. You had high walls. You had people behind those walls. Because you had people behind those walls, if they got through the first levels of security, then they were up there with the people who were trying to attack you.
Each component has to support the other parts of the framework
Most importantly, no matter what we’re trying to do with the framework, each component has to support the other components of the framework itself. So we need to have the right technology in place to make sure that we can have the right management planes in place, and to assist in working out what risk is involved.
Each additional component has to be stronger than its predecessor
And one of the things that we push is if you’ve got a system in place for the moment and you don’t want to spend lots of money when you do spend money, that you don’t replace the NetCom router with another NetCom router. You go to the next level. So you replace it with a Linksys, for instance. More expensive, but it does a lot better.
Your framework has to be stable
But most importantly, your framework has to be stable. It has to allow you to do things that if you unplug things and plug things in, it’s not going to cause the whole system to fall out. That is very important to making sure that your business can do business.
Finally, your framework has to work
And finally, your business framework has to work. If you haven’t got all the components in place, and they’re not all acting holistically, then your framework’s not going to work and it’s not going to protect you at all.
Getting the balance right
So it’s very hard to understand how we get the balance right. The balance is very important and it does depend on how much money you’ve got and how much you want to throw around.
Is there a problem with SME’s?
So, is there a problem with SME’s and how we protect digital security? Well, yes there is. Because an SME has a number of problems just in its inherent capability itself.
Lack of money
We have a problem with money. As I said, if you’re $100,000 business, you’re not going to spend $50,000 on securing that business itself. You might spend $5,000, and if there’s only two or three of you, $5,000 will probably do the job. But because you lack the funds to be able to put a security system in place and create a framework, there are other ways around the framework itself.
Lack of expertise
We also lack the expertise. We don’t understand things like threat intelligence. We understand endpoint protection because that’s usually an anti-virus system. But we don’t understand identity management. Or we don’t understand incidence response or anomaly detection.
Because these are words that are thrown around by vendors that really mean the threat intelligence of you being attacked is probably about 60%. That’s not including a targeted attack on you yourself. How are you managing your identity and your internal people? What usernames and passwords are you using? Those are the things that we just haven’t got the expertise to manage.
Lack of time
And also, we all know that time and money is absolutely annoying when you’re in a small business because when you are in a small business then you have a problem with making sure that the time and the money that you have are focused on the business itself. Because if you don’t focus on the business, the security doesn’t bloody matter anyway. So you have to focus on money, time and the find out how you can cover the expertise.
It’s just not digital
But it’s not just about digital. The digital component, yes is very important. But also, your non-digital stuff. Have you got locks on your phones? When your phones are sitting in the café, are they locked? Do they wipe themselves if someone puts the passcode wrong five times? That is not a digital solution. It is a physical solution. You have locks on your doors and windows. You have internal doors on specific offices. These are not digital, but they’re just as important to protecting your business.
What you can do now
So what can you do now?
Well the first thing you can do is go back to your office and do a risk analysis. Work out what your risks are. Work out what risks are being created by having not the right technology in place.
Upgrade all non-business related components to business systems
The second thing you need to do is find some money to upgrade all your non-business related components to business systems. That includes getting a decent firewall or getting a decent access point.
Educate your people
The other thing you need to do is educate your users. Because if you educate your staff, then as I said before, it will be delivered to your business tenfold because you have people who are actually looking at the issues.
This increases awareness. What you really need is for people to be very aware of what’s going on.
Here are some simple things to do
And there’s some simple things you need to do.
Put some posters up around your organization. If you’ll send me an email, I’ll quite happily send you a PDF of 10 of them that you can put up. Get them printed at Officeworks, off you go.
Initiate a training and education program. I’ll just explain between training and education. Education is when you take everybody and uplift their level to a different level from what they are. So you’ve got to educate them inside of digital security. But training is usually based on getting someone to understand the complexities of a piece of technology. That training is really important as well.
You also need to run competitions, because competitions increase awareness within your organization as well. Make it fun. Don’t bore people with, “Yeah, you’ve got to have a complex password of 25 characters.” But if you have a competition that runs, the first person who gets the answer every day gets a $5 card from somewhere, and the person who does it the most during the week gets a $30 whatever, then you will see that your awareness will increase across the board.
So thank you very much. If you need to get in contact with me, drop me an email at email@example.com, or give us a phone, or jump on the website. You can also follow us on LinkedIn, Twitter, Facebook, Google +, all of those places.
And thank you very much for your coming to the webinar. Much appreciated. This will be uploaded to Google Hangouts and also to YouTube in the next half hour, so if you want to re-watch it you can. And if you have any questions, just pop them into the system and the system will actually tell me if you’ve got a question.
Okay. We don’t seem to have any questions, which is really nice. So thank you very much. I will talk to you next time.