On Demand Webinar – Website Security and how to make your website more secure

Website Security and how to make your website more secure

[Start of transcript]

Just waiting for the last couple of stragglers to come along. We’ll get stuck into it exactly at 12 midday, and it should only take about 20-25 minutes to get through this, but it will also give you a bit of feedback on what’s happening, what you can do and how you can do it.

Good afternoon. Today’s Lunch and Learn is part of a series on digital security, but we’re not really looking at digital security from a vendor point of view, we’re looking at a digital security component that is designed to protect your business, and why you need to protect that component of it.

So today’s Lunch and Learn is “Why is my website a target of hackers?” And we’re just going to go through what the bad guys are doing, why we have websites, how they target your website, how they get in, what their end game is, and how do you stop it from happening to you, and then we can have a conclusion and questions and answers after that.

Why do YOU have a website?

Information

Well, for most of us, it’s to get information out to the public. We have a product or a service that we want people to know about, so we have a website that tells everybody what we do. It can be either static or dynamic; it doesn’t really matter. It’s just information.

E-commerce

Or, we could be running an e-commerce site, and that e-commerce site would generate revenue for the business. And in some cases, there are a lot of businesses that are purely based on e-commerce, so it’s very important that their website is really, really secure.

E-learning and education

Another component is e-learning and education, which is now on the rise, because it’s a lot easier and more efficient and effective to deliver learning to the general public over the digital world.

Blogging

And then of course, we’ve got the blogging. And everybody, if they have a website now, is being told that they need to create content that goes on that site, and the best way to do that is to talk about either your products or your services in such a way that people will interact with what you’re talking about.

Blogging websites have been broken down into a number of CMS, which is content management systems, so that you can have total control over what you do. And we’re finding that WordPress, Joomla and Drupal are probably 70% of what people are using in the digital world as a blogging platform.

Who is targeting your website?

So, who and why are they targeting your website? Well, there are three distinct, I suppose, animals that are out there, that are targeting your website.

Script kiddies

There’s the script kiddies. Now, the script kiddies are people who are anywhere between 9 and 25 years old. They’re the up-and-comers. They’re thinking this is a lot of fun, and they use automated systems that they’ve downloaded from the cybercrime gangs. And those systems can be free, or they can cost a lot of money. One of the better ones is a Russian component that you can buy for $4,000 Euros. And that will give you the capability to start up your own business as a hacker.

Hacktivists

We then have the hacktivists. Now, the hacktivists are the people who actually annoy the crap out of you. You’ve done something in your business and they didn’t like it, so they’re now in a position to be able to try and access your website. They’ll deface it. They may or may not steal information, but their whole role is to bring presence to what they don’t like about you.

And then, we’ve got the black hat hacker, the true blue person who wants to steal information or steal money from you. And they are the ones who are probably 0.001% of the all-encompassing class of digital criminal. And these are the people who live and breathe breaking into your website.

What do they want?

Money

Well, we all know they want money, and they’ll go out of their way to steal either information or they’ll steal money from you if they can.

Intellectual property

But they’re also after your intellectual property. Your intellectual property which is really important for how you do business and intellectual property that you keep on your website that is under lock and key either through an e-commerce gateway or other ways of controlling access to the system. So in other words, if you’ve got a PDF up there that you want to sell, your intellectual property is that you are selling that PDF as part of your business.

Infect visitors

But one of the main things, and people do not realize this, is that the bad guys want to steal access, or gain access, to your website so they can infect visitors who are coming to your website. So they can upload malware to your website so that everybody who accesses your website has the complexity of being infected when they leave. And that is one of the reasons why the websites that we have are big targets for the cybercriminals.

How do they get in?

So, how do they get in? Well, they get in a number of ways.

Unpatched systems

Unpatched systems is one. If you’re running things like WordPress or Joomla, or Drupal, you will be constantly told that you need to update certain components of the website, because new components have been released to patch areas where you may have a vulnerability.

Insecure practices

We also have insecure practices. Now, an insecure practice is when you install a website, initially when you set up your website, and it comes up and goes, “What do you want to use as the administrator password?” And a lot of people will put in admin/admin.

Those automated systems that are run by the script kiddies are actually looking for websites that have admin/admin as username and password. That is an insecure practice that we really need to stamp out. If you’re going to go—if you’re going to build a website, you have to think along the lines of it has to be secure from the moment you put it together.

And those insecure practices, you may have put in admin and admin as username and password. You’re quite happy with the way the website’s going. You’ve now got an e-commerce site that is based on that website, with the username and password of admin and admin, and that is not a really good place to be because that is what the bad guys are targeting.

Cunning

And as I said, the digital criminal is no longer someone who we think is going to be relatively stupid, because they are very good at building our trust. They are very good at targeting us individually or as a group, and they go out of their way to make sure that along the way we are trusting them. Their trust comes down to social media, comes down to emails that we may have received from them. All of this is building trust within you and them.

Technology Failure

The last thing that will allow them to get in though is a technology failure. Again, this is something that we keep an eye on, because the underlying system that your website is built on is built on technology.

A technology failure might also mean we haven’t closed a port on the firewall that goes to the website, or we’ve got problems with technology, or we’re being targeted by a DDoS attack. Because they know that if a DDoS attack is targeting your e-commerce site, then it’s not going to be able to deliver money to you.

What is their end game?

So what is the digital criminal’s end game? Their end game is to get as much out of you as they can.

Steal everything

So they are there to steal everything. And when I mean they steal everything, they literally do go out of their way to steal everything. So they want your database. They want your access to your PayPal system. They want to be able to steal whatever they can from you. And if you’ve got things behind payment gateways and firewalls, and all that sort of stuff, they want to get at that. And that is why they go out of their way to target your website.

Compromise your visitors

But most importantly, they want to compromise your visitors. If you’re getting a lot of traffic, let’s say 20,000-30,000 visitors, unique visitors, a year, and they—a week, sorry, and they compromise your website, then every one of those 20,000 visitors that will come to your website leave infected. And that is why they go out of their way to make sure that they are targeting websites.

A compromised website can damage:

If you get compromised, your website is hacked, and either through a script kiddie, which is not so devastating as other ways, but if you get hacked by a hacktivist or a full-blown hacker, then you are going to have damage that you are not going to understand how to fix.

Reputation

For one, it will damage your reputation. And by damaging your reputation, in the digital world, reputation is everything. And although we may think that yes, we’ve been hacked and we know, we’ve fixed the problem and we’re going to go back after the general public again with the same product and the same line, we’ll find that our reputation is now tarnished. Because it’s been tarnished, the chances are that people, or fewer people, will now come to you.

Cash flow

But one thing a compromised website will do is it will impact cash flow, especially if you’re in an e-learning situation or an e-commerce situation, because you are in that situation that allows you to do whatever you need to do.

So if you get a compromised website and all the cash that you’re making is suddenly not going to your coffers but going to the bad guys, then you have a serious cash flow problem. That way, you now have something that you really need to do something about.

Productivity

In addition to cash flow, it will impact your productivity. And I’m talking about whether you can build the widgets that you are selling on the site, on your website, and the productivity component of it is again another impact on your business.

What can you do to stop it happening to you?

So what do we do to stop it, and how do we stop it happening to us?

Patch it all

Well, one of the things we have to do is patch it. WordPress comes out with an update probably once every two or three weeks, and it will come up on your website saying you need to install the newest update.

It gets pretty annoying because it knows that if you don’t patch it then your system and your website is vulnerable. So you need to update your systems as often as required. But that also means you have to update your plugins and your widgets, and everything else that goes with either WordPress, or Joomla, or whatever other systems.

And if you’ve got a system that has been made by someone else, there better be a security component to it. Because if it’s been built on something that only one or two people have access to or have an understanding of, you still need to make sure that it’s not vulnerable to being hacked.

Process and policies

You also need to put in policies and procedures, and processes. How often do you visit your website? How often do you visit not only the front end but the back end? How often do you actually go to the home page of your website?

If you do go to your home page of your website, are you taking notice of things that aren’t working, aren’t doing what they are supposed to be doing, or that information is stale and old, and needs to be updated?

That also means the policies and procedures that you put in place for people who are actually updating the website themselves. If they’re installing a widget on a WordPress site, have you got specific criteria for why it’s being installed?

Those specific criteria might include it’s got to have more than 4 ½ stars before you’re allowed to use it, and it’s got to have been around for more than a year, and it’s got to have more than 10,000 users. Now those criteria would make it very hard for someone to compromise your system through a plugin.
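The three plugin criteria just listed, turned into a policy check that can be run before a plugin is installed. This is an added example, not code from the transcript or the speaker; the plugin records and the reference date are constructed, and the metadata field names (rating, first_released, active_installs) are assumptions.

```python
"""Vet a WordPress plugin against the talk's three installation criteria:
more than 4.5 stars, around for more than a year, more than 10,000 users.
Added example; the metadata field names are an assumption, not an API."""
from datetime import date

MIN_RATING = 4.5             # rating must be strictly above this (out of 5)
MIN_AGE_DAYS = 365           # plugin must have existed for more than a year
MIN_ACTIVE_INSTALLS = 10000  # plugin must have more than this many users

# Reference date fixed so the check is reproducible (constructed, not today()).
TODAY = date(2017, 1, 15)

# Constructed sample records, not real plugins.
SAMPLE_PLUGINS = [
    {"slug": "contact-form-example", "rating": 4.7,
     "first_released": "2015-03-01", "active_installs": 250000},
    {"slug": "new-slider-example", "rating": 4.9,
     "first_released": "2016-11-10", "active_installs": 300},
    {"slug": "old-gallery-example", "rating": 4.2,
     "first_released": "2012-05-20", "active_installs": 50000},
    {"slug": "no-metadata-example"},
]


def vet_plugin(plugin, today=TODAY):
    """Return the list of criteria the plugin fails; an empty list means approved.

    Missing or malformed fields count as failures rather than being ignored,
    so a plugin with no reviewable metadata is never approved by accident.
    """
    reasons = []

    # Criterion 1: more than 4.5 stars.
    try:
        rating = float(plugin.get("rating"))
    except (TypeError, ValueError):
        rating = None
    if rating is None or rating <= MIN_RATING:
        reasons.append(f"rating {rating} is not above {MIN_RATING} stars")

    # Criterion 2: around for more than a year.
    try:
        released = date.fromisoformat(plugin.get("first_released", ""))
        age_days = (today - released).days
    except ValueError:
        age_days = None
    if age_days is None or age_days <= MIN_AGE_DAYS:
        reasons.append(f"age {age_days} days is not more than {MIN_AGE_DAYS}")

    # Criterion 3: more than 10,000 users (active installs).
    try:
        installs = int(plugin.get("active_installs"))
    except (TypeError, ValueError):
        installs = None
    if installs is None or installs <= MIN_ACTIVE_INSTALLS:
        reasons.append(
            f"active installs {installs} is not more than {MIN_ACTIVE_INSTALLS}")

    return reasons


def vet_all(plugins, today=TODAY):
    """Map each plugin slug to its list of failed criteria."""
    return {p.get("slug", "<unknown>"): vet_plugin(p, today) for p in plugins}


if __name__ == "__main__":
    for slug, reasons in vet_all(SAMPLE_PLUGINS).items():
        verdict = "APPROVED" if not reasons else "REJECTED: " + "; ".join(reasons)
        print(f"{slug}: {verdict}")
```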

Complicated username and password

As I said, when you set up a WordPress site, it asks you for a username and password for the administrator. The best thing you can do is not only use a complicated password, but use a complicated username. For instance, admin_joeblow_123. And then you need to remember the password and the username, because otherwise you won’t get into your system.

Restrict or manage comments and users

You need to—most people have blogs, and if they’re blogging they are looking for comments or input from other people. And you also need to—because the bad guys also know this and there are times when you’ll get a lot of crap coming through your website, because you’ve got comments enabled but people don’t have to log in and use a username and password.

And that’s a restriction that you need to put in place if you’re going to accept comments. If you’re going to accept comments, the reason why you need a username and password is so that you go to the second step of not having the automated systems putting information into your comments on blogs.

And also, your users have usernames and passwords and you can enforce complicated passwords on them as well just to be on the safe side. But if they’re adding to a comment or if they’re blogging individually on your website, those people also need to have a decent username and password.

Encryption

Wherever possible, try to make sure that the data is encrypted. Because if it’s encrypted, then if they do—if someone does break in and steal, for instance, your database of users and commenters, then that information is very hard to get out of that database. On top of that, if you’re encrypting the information, whether it’s coming or going, there’s no chance of being eavesdropped on and that information being picked up.

But encryption also goes to locking down your system as well. So two-factor authentication. Because with two-factor authentication, you use a username, a password and something else. To me, that is a lot more secure if you’re going to have a very productive website that is going to do things for you.

Use a web gateway

The last component that you can do for your website is to use a thing called a web gateway. Now, your web gateway literally is a gateway on the internet that captures all the traffic coming to your website. There are companies that actually sell the product of a web gateway. We’re not one of them, but what we have found is a web gateway cuts down probably 99% of people targeting your website. Everything else is still functional, but the bad guys have a lot of trouble getting past that gateway to get to your website itself.

In Conclusion

So in conclusion, the bad guys are out there. Don’t get me wrong. They are out there. And they want access to your website to not only steal from you, but to also target your visitors. So make sure you protect your website the same way you protect any other digital system, because if you do that, if something that we initiate to get to the point where you’re protecting your business, then you also understand that we are protecting our clients, our people who are coming to our website.

So that’s the conclusion. My name is Roger Smith. I am an Amazon #1 author on cybercrime and digital security. I am also the CEO of R&I ICT Consulting Services, and I am a speaker on the digital world and how normal users need to be aware of the dangers and how they can take appropriate action.

[End of transcript]

Roger Smith is the CEO of R & I ICT Consulting Services, Amazon #1 selling author on Cybercrime, author of the Digital Security Toolbox and author of the SME Digital Security Framework. Rapid Restart Appliance Creator. He is a Speaker, Author, Teacher and Educator on cybercrime and how to protect yourself from the digital world.

On Demand Webinar – Building a secure framework around your business using available technology

Building a secure framework around your business using available technology

[Start of transcript]

Anti-Virus

—anti-virus on any system that is connecting to the internet.

Why we still need it

And this is why we need it, because the viruses that are out there, and they are out there, there’s a lot of them, they need to find homes for themselves, and the only way they can do that is through the technology that we’re utilizing. And that anti-virus means that you’ve got a 99.9% chance of stopping that virus coming into you.

End point protection – AV, malware, spyware

Anti-virus goes to the next level as well, because anti-virus also needs things like endpoint protection. Anti-virus, malware, spyware. And that endpoint protection has two components. It’s actually on the system itself, whether that’s your tablet, your phone, your laptop, your computer, or your server, and it’s managed from somewhere, managed from a central location so that anytime anti-virus attaches to your network it gets pushed out, the newest versions to your system, the newest updates that are required.

Authentication

But we also need to authenticate. We also need to, all of that technology and software that’s coming into our networks, we need to have some way of finding out who’s accessing it and how they’re accessing it. And that who’s accessing it and why it’s being accessed is part of the authentication protocols for your system.

Username and passwords

The most important part of authentication is your username and passwords, and we all know how complicated usernames and passwords are. I’ve just read an article recently about the difference between a professional person and a non-professional IT person on how they manage usernames and passwords.

So a professional, I have a complicated password. I use a password manager, mainly because I have access to 200-300 sites or reasons to have access to 200-300 sites, and I’m never going to be able to remember.

But there are also other things you can use. You can use a password. You can actually create a base password that you add different components on to. The security, and we’ll talk about cloud later on, is that cloud is only as secure as your usernames and passwords on your terrestrial systems. Because if you don’t have—if you use password and password, then the hackers are going to be able to hack that without a problem in the world.

Default passwords

The other thing about passwords, and especially when it comes to hardware and software installation, is some things come with a default password. They actually come with admin and password, or admin and admin. And this is what default passwords are known by. You can do a quick search on the internet. You can go default password for this model.

And then it will tell you admin/admin or admin/password, admin/blank. But that also then goes on. So you need to change those passwords, those default passwords, before you put something into production.

It’s probably better, as you’re setting it up, the first thing you do, and it’s forced on you by some of the high-end security systems, things like Cisco and Fortinet, they require you to change your password the first time you log onto the system, and that’s really important.

Encryption

The next part of a technology is encryption. And we’re seeing encryption from a number of places that require information that needs to be encrypted for some reason. Now, we all use encryption when we go to buy something from eBay, or now everything on Facebook is encrypted.

And that’s because that information is there not only because nobody can intercept the communication between the device and the back end, and that back end is also encrypted to make sure that data is secure.

But why do we need encryption? Well, one of the main reasons we need encryption is so that people are no longer able to eavesdrop on the communication between device and back end. But on top of that, if someone actually does get into the back end, or gets into the front end, and steals the database, it’s all encrypted, then they’ve got another problem for themselves.

Normally it would be just in plain text, you know, Joe Bob has got this email address and this credit card number. All that sort of information is in the database. But if it’s all encrypted, then all they get is gobbledy-gook. And that gobbledy-gook is really good because you no longer have a problem with it.

Why we need to employ it in transit

So we need to have some level of encryption, and that level of encryption comes about because we’ve got information being transmitted between your device and the back end and that’s what’s called in transit. And that transmission that comes between you and back again, if it’s encrypted then people can’t read it. If people can’t read it, there’s no problems with it.

Why we need to employ it at rest

But we also need to encrypt our data “at rest.” It needs to be encrypted so that when it is located on a hard drive, and even though you employ cloud computing, it’s still resident on some piece of hardware somewhere. It doesn’t matter where it is. It would be nice to know if you know where it is. But it doesn’t matter where it is, as long as it is at rest it is encrypted.

VPN – Virtual Private Network

We have a system called virtual private network, which is really a tunnel between a device and your system over the internet. So it’s literally a system where you can protect all of that information that you put past as intellectual property by making sure that the information is always unreadable. And that’s why we need virtual private networks. We used to have systems dial in, but now virtual private networks are so much easier to use and so much easier to set up.

Wi-Fi

And then we’ve got Wi-Fi. Who here has logged onto a Wi-Fi connection that didn’t require a username or a password? Do you know why it’s not a good idea? Because going back to the encryption component, that username and password, or just the password, the WPA passphrase, actually encrypts the information that you’re putting into the system.

And that passphrase, along with a few other components of your computer, gives you a unique encryption component that then can be used by them to make sure it’s more secure. And again, once again with Wi-Fi, if it’s got default usernames and passwords, change them, because you don’t want other people getting onto your Wi-Fi and using your system to attack other people.

Principles – Dos and don’ts

So we’ve now got some principles around what we’re doing as a business and an organization. Because we know that we need to have newer technology. It doesn’t have to be super new, but it needs to be newer technology. And as I said, with things like Wi-Fi, there are definitely dos and don’ts.

Use complicated passwords and passphrases. Use complicated usernames and passwords for VPNs. Make sure that your technology is doing exactly what you want it to do. And you want to make sure that along the lines of how you protect your business, these are things that you really need to do.

System management

Now later on, we talk about management in our framework. But management of the technology actually has its own systems in place. Normally we have policies and procedures and processes that are managing the people who use the technology, but you need to have some level of system management to make sure that the systems are set up properly.

Visibility

Setting up those systems, because it is very important about how you do it, you need to have a level of visibility. You need to be able to say, “If I set up a firewall, how do I go about doing it?” for instance. “If I’m installing anti-virus, where does it get installed? What does it get done by?” These are the systems that make your system, your organization, more secure.

Accountability

But along with visibility, we also have accountability. We have an accountability component because we need to know who set that firewall up, who changed the rules of that firewall. Did they change the rules, or did they just make a rule up that they didn’t know was going to work and then didn’t worry about it? Who did that? Why did they need to do it?

Manageability

And then we need to have some component of manageability. It’s no use having systems in place that nobody knows how to manage. And for small or medium businesses, understanding technology can be a huge burden because it means you are either not focusing on your core business, or you have someone else who’s not focusing on their core business.

Technology, I know everybody wants convenience and low cost and everything else, it doesn’t matter how convenient the system is, what you are seeing is 10% of what the system can do. Because that 10% is what makes our business work. That other 90%, we don’t even know about. And that’s what the bad guys really want you to do, is they want you to be unaware of where to go.

Data separation

One of the things we come about with small or medium businesses is everything is in one place. Your database is on a server. Your exchange is on a server, and there’s no segregation or separation of that information. That separation of that information is really important. Small businesses usually, staff, with the account system, everybody has access to the account system.

But as you get bigger, you don’t want that so you need to start separating your data. The other thing about data separation is if you’ve got a Wi-Fi system that has a guest component, or someone has even a Wi-Fi system that doesn’t have a guest component, the best thing you can do is—

Yes, they can log onto your Wi-Fi and use your Wi-Fi as long as they’ve got the proper passphrase, but you don’t want them inside your network. Because if they’re inside your network, they can do so much damage without even knowing what they’re doing. So data separation means that you make sure that if someone on the Wi-Fi needs to access your network, then they can VPN in, and that separation is critical to protecting your organization.

Flat network

And because we don’t want a flat network, if you’ve got people who want and need access to specific IP or patents, for instance, then you don’t want everybody having access to it because you’ll lose that intellectual property and trade secrets. And if you’ve got information about how you tender, or how you bill on a tender, or what your cost is for a tender, then you don’t want someone else, your competition for instance, knowing that’s how you work. This is why you don’t want a flat network. You want to make sure that flat network is a tiered access so that people, only specific people, can get to specific information.

Patch Management

Another thing about technology is we worry about how we manage patches. Patch management is really important across the board. Because patch management literally tells you which component you’re patching and which component you’re not patching. Patch management is again, going back to the difference between a professional and an everyday user, a professional would sit down and go, “It doesn’t matter what those patches are, I’m going to apply them all.” Most people just get selected by, “I’ll just click the button and go here and score the lot.” That’s what you need to do to make sure. Because you never know when that compromised system, or that system that can be compromised, even though it was a benign compromise, couldn’t do anything you couldn’t get out of, might turn into a cancerous attack. And you need to be able to manage those updates as well.

Best practice

Finally, we’re looking at best practice. All hardware and software comes with “This is how you should install it. This is the best place to put it. This is how you should set up your firewall. This is how you should then take the next step to go to the next level.”

That best practice is designed by the people who made this hardware and software, so the best practice is coming from literally the horse’s mouth. They are telling you to set up x machine, you need to do x, and if you don’t do x, it’s not going to work to the best capacity that it can.

Why we need them

But also, when it comes to that level of expertise, you need to have the expert advice, because they have created a machine, for instance, that connects your Wi-Fi to the rest of the network. So you need to know what is the best way of doing it, and how you are going to do it, and why you need that device in the first place, because it does a specific role and protects your business from a specific thing that makes it harder.

Conclusions

So, in conclusion, we’ve looked at the technology. And the technology component of my framework has a number of systems.

  • Hardware – So we have hardware, which is literally the hardware components of what we use to do our business.
  • Software – On top of the hardware, then we have software.
  • Anti-virus – And protecting that software is anti-virus. That’s only a first-level defense, because all of the other things that we’re doing should be making that defense around your organization a lot more secure.
  • Authentication – We need to make sure that the right people are getting at the right information in the right way, and they cannot run away with that information or make it very hard for us to make sure that information is secure. This is where authentication comes in, so the right usernames and passwords have access to the right information.
  • Encryption – And all of that information that we’re downloading or moving around our network is all encrypted, so nobody can pick it up and store it somewhere else unencrypted so they can steal that information.
  • System Management – We need to manage the systems that we put in place. We need to incorporate management policies and procedures so that when the systems are installed, this is how you do it. We do a lot of installation of things like servers, for instance. We have a checklist. That checklist includes what is installed, how it’s installed, where it’s installed, and how the system is set up.

We know that there’s not going to be an administrator, an account called administrator, because that is part of our system management. We know that the passwords are going to be more than eight characters long. They’re going to adhere to a specific setting that we’ve got in our system. That is why we need to manage the systems properly.

  • Data Separation – We need to separate our data from public to private to super private to secret. And that data separation is really important for that business. It might mean that you only keep your really important information on a USB stick that you keep in your pocket, hopefully with a backup.

But you know that the only person who has access to that information is you, unless of course you lose it, and then you’d better hope that it’s encrypted. Because if it’s unencrypted, then you have a problem.

But going back to USB sticks for instance, alright? USB sticks are like a ubiquitous part of our business at the moment. Everybody has USB sticks. Everybody has USB hard drives. And there are two problems. One is how do you make sure that information on that system, if I plug it into my computer, I can read it?

You don’t want that to happen. You want to be able to go plug it in, yes, there’s data there but it needs to be unencrypted to be able to access it. Because it’s your data, you usually have the key for that problem. But if you lose that hardware, you lose that USB stick, then you have got a level of protection that is there just in case you lose it.

But the other one about USB sticks is the bad guys have found a way of using them to get into their systems. What they’ll do is they’ll actually seed car parks with old USB sticks. A friend of mine got caught in Las Vegas with this. Crossing the car park, she picked up a USB stick, looked at it. It had Boeing on it. Boeing Airlines. A legitimate company, rather large.

Obviously someone from Boeing had dropped it, so she took it home. Took it into her hotel room. Instead of handing it into the reception area, she just took it upstairs and plugged it into her laptop, and she was quite happily looking at all the information on it. What it was, was a slideshow.

To make the slideshow work, you could just click on a slide element and it would come up as a product. But if you wanted the slideshow to run, there was a little thing that said slideshow.exe, and she clicked on that. She wasn’t able to use her laptop until she got home, because nothing worked after this. That’s one of the reasons why you’ve got to be very careful with what’s happening.

  • Best Practice – In addition, we have the last thing, which is best practice. Best practices are professional advice on how you do things. Installing a firewall from Cisco? Then you use the best practices from Cisco. Installing a Wi-Fi system from Linksys? How do they recommend you set it up? That is best practice.

Where does this all fit into the framework?

As I said, we’re looking at the framework which is technology, management, adaptability and compliance.

How do you know if it is all in the right place?

We need to know that all of this information is in the right place and all of that technology is working to our benefit in making our business so much more secure. So we don’t need those legacy systems, and if we do need the legacy systems, let’s go and find another system that works the same way to a level we can then utilize for our business.

Where to from here?

So, where to from here? As the little man in the maze said, “What now?” What you need to do is upgrade your systems. You need to make sure you are using the best systems that are available, the newest systems available. That includes, and I’m not really delighting in Windows 10 at the moment, but it is important that you use that type of system.

If you’re using Windows 8.1, great. But if you’re using XP, get rid of it, because it is a huge problem. If you’re using an old iPhone 5 for instance, or an iPhone 4 – I use an iPhone 4 for recording, but that’s the only thing I use it for. It hasn’t got anything else on it; it just plugs into my computer so I can download the movies. That’s really important going forward on how we do it.

More Information

So, if you want more information, I have two books out. One you have to buy, the other one is free. If you want to get in contact with me, then I am on Twitter. I’m on Facebook. I’m on LinkedIn. Just drop us a line.

Seminar and Webinars

We do run these webinars and seminars regularly. We’ve got another webinar tomorrow at 12:00, on a Lunch and Learn series. But we run seminars as well, and we do Google Hangouts just to make sure that we are getting in contact with as many people as we can.

So thank you very much. Are there any questions? If there’s no questions, thank you very much for your time. It has been very nice talking to you.

[End of transcript]

Roger Smith is the CEO of R & I ICT Consulting Services, Amazon #1 selling author on Cybercrime, author of the Digital Security Toolbox and author of the SME Digital Security Framework. Rapid Restart Appliance Creator. He is a Speaker, Author, Teacher and Educator on cybercrime and how to protect yourself from the digital world.

(Video) A firewall does protect you from the Digital World

Roger Smith, CEO at R & I ICT Consulting Services Pty Ltd, Amazon #1 author on Cybercrime and founder of the SME Security Framework | Speaker | Consultant | Trainer discusses – A firewall does protect you in the digital world

[start of transcript]

Hello. My name is Roger.

I’d like to talk to you today about A Firewall does protect you in the Digital World.

A Firewall is a piece of hardware or software that sits between the real digital world and your device – whether it’s your laptop, your server, your network, your smart device. It sits between the digital world which is out there, and your privately owned piece of it.

And that’s all it’s there to do. It’s there to stop the bad guys coming in to your system and doing damage on your system. It allows information from your system that is requested to go out to the digital world and then come back in again.

And in other cases, it’s very effective at stopping that first level of attack that we have from the digital world.

When it comes to network management and protecting yourself at a network level, then, you need to spend a little bit of money to get a more expensive model of the router/firewall/modem component, because that is what is going to protect you from the digital world. And that expensive model, whether it’s a FortiGate or a Cisco or a Palo Alto, is really important because it has a lot more features as well. And we have things like second-generation firewalls coming into the picture.

Thank you for listening, and if you have any questions, please contact us using the details on the slides after this.

[End of transcript]


(Video) What questions should I be asking about my Managed Service Provider

Roger Smith, CEO at R & I ICT Consulting Services Pty Ltd, Amazon #1 author on Cybercrime and founder of the SME Security Framework | Speaker | Consultant | Trainer discusses – What questions should I be asking about my Managed Service Provider

[start of transcript]

Hello, my name is Roger, and today I’d like to talk to you about what questions you should be asking about your managed service provider or your outsourced I.T. company. There are a number of questions you should be asking before you even get involved with an outsourcing company. Are they stable? Have they been around for a while?

Have they been around for three years, or have they been around for three months? If they’ve only been around for three months, that also affects what sort of expertise they have. The next question you should be asking is: can they scale?

Your business is booming and you have now gone from ten people to twenty five people in a space of three months. So are they going to be able to manage that scale when that happens for your business? Do they have any experience and the expertise within the business?

Do they know how to set up a Cisco router, or are they going to play around with it and hope for the best? Do they know how to set up a client-based server, or again, are they going to hope for the best?

Have they got policies and procedures in place to make sure that if John Watts comes into your office to fix something that Peter, the next I.T. person is going to come in and not have to relearn everything that’s been done?

This is really important, because if you’re paying an hourly rate, he’s going to take three hours to do something that should have taken an hour, because he doesn’t know what’s been done, and that’s a really big impact on a business.

Another question you should be asking is: are they helping my business? Are they making sure I have the right technology, that I’m using the right technology in the right place, and that I’m using the right systems to make sure things are going to work?

Because if you don’t do that, then your business is going to have problems competing with other businesses, and you’re going to have those sorts of issues with making sure that you’re competing at the right levels.

One of the other things you should be asking is: are they nameless and invisible? Have you had an MSP or a contract with a company where you haven’t seen anybody? The only person you’ve spoken to is a voice on the end of the telephone, and each time it’s a new person. Are they in your office? Do people see them? Are they seen regularly, to make sure that your systems are working to the best level, not just invisible to everybody else?

Thank you very much.

[End of transcript]

(Video) How can a MSP / MSSP increase business efficiency

Roger Smith, CEO at R & I ICT Consulting Services Pty Ltd, Amazon #1 author on Cybercrime and founder of the SME Security Framework | Speaker | Consultant | Trainer discusses – How can a MSP / MSSP increase business efficiency

[Start of transcript]

Hello, my name is Roger, and today I’d like to talk to you about how a managed service provider or a managed security service provider can increase your business efficiency. SMEs have a large problem when it comes to I.T. Not so much that they don’t understand it, but what happens is that in a small or medium business of up to twenty-five people, you usually end up with someone who knows computers.

They will be doing all of the stuff that they need to do to make sure the business is working. That person who knows computers might be a salesman. Might be the secretary. Might even be the CEO, who has a lot better things to do than looking after the printer or making sure a database is right.

You are taking people away from their core business, and I know CEOs like to work sixty-hour weeks, but I guarantee that if you take the I.T. worries away, then they have a better way of making more money, and it’s a better way of doing business.

So an MSP or an MSSP coming to the table as an outsourcing product gives you a large area to be able to work with, because they have better ways of doing business. They understand the technology, and they can implement more efficient and effective solutions for your business.

They’re not there just to implement stuff that’s not going to work. They are going to make sure that it’s going to benefit your business and take you to the next level.

Thank you very much.

[End of transcript]

(Video) What is Business Continuity?

Roger Smith, CEO at R & I ICT Consulting Services Pty Ltd, Amazon #1 author on Cybercrime and founder of the SME Security Framework | Speaker | Consultant | Trainer discusses – Business Continuity

[Beginning of transcript]

Hello! My name is Roger and I’d like to talk to you about what is Business Continuity.

Business Continuity, along with disaster recovery, looks at the critical components and functions of the organization and makes sure that they will continue to run if there’s an interruption to your business.

So, it counteracts business interruptions to a level where you know that if something is going to happen, or something has happened, you will be in a situation where the problem is dealt with going forward.

So, with the business continuity plan, you have to have solutions to problems, and those solutions have to be based on an understanding of how the problems are going to impact the business or the organization.

There are two main components of Business Continuity:

Your Recovery Point Objective – which ones do you want to get up and running again – and how fast you need to do that, which is called a Recovery Time Objective.

And those two components are what you should be looking at in the business to find out what is going to be good for your business and how fast you need things up and running.

But with that Business Continuity, there are a lot of things. You have to understand that if you have a disaster and the business continuity plan has to come into it, you need to know that you have to spend money to get back to where you were, and who holds the purse strings and how people access that money is part of business continuity.

Also, you need to have a compliance component. The compliance component makes sure that your business is up and running and protecting everything that it needs to protect.

Thank you very much.

[End of transcript]


(video) How to increase Cyber Awareness within an SME

Roger Smith, CEO at R & I ICT Consulting Services Pty Ltd, Amazon #1 author on Cybercrime and founder of the SME Security Framework | Speaker | Consultant | Trainer discusses – How to increase Cyber Awareness within an SME

[Beginning of transcript]

Hello. My name is Roger, and I’d like to talk to you today about how you can increase cyber awareness inside a small or medium enterprise.

When it comes to cybercrime and the cyber criminals, everyone and every piece within your organization is a target, and those targets are what the cyber criminals go after all the time. So, you have to make sure that people are aware of why we do these things: why you are in the process of protecting it, and that you are in the process of protecting them as well as your business or organization, your staff and your clients.

That is why passwords are so important. Until we come up with a better way of doing things, passwords are going to be around for a long time. And that means passwords not only on your systems but also on the systems that are being installed. Your wireless access point needs a decent password. Your router needs a decent password. Your internet connection needs a decent password.

And what I mean by “decent” is that it is complex, it is more than eight characters long, and it is unique to the piece of equipment that you put it on, because the cyber criminals are very, very clever. And you need to understand that, being clever, they’re also very aware of what normal people do on the internet. And they make sure that they exploit that.

Thank you very much.

[End of transcript]
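The three password rules in the talk above (complex, more than eight characters, unique to the device) are easy to state and easy to drift away from across a dozen routers, access points and modems. The audit below is an added example, not the speaker’s code or anything from the SME Security Framework: it takes a small inventory of device passwords and reports which devices break which rule. The inventory, the device names and the complexity threshold of three out of four character classes are all assumptions constructed for the example; real credentials would come from a password manager export, never from a source file.

```python
"""Audit device passwords against three rules: complex, more than eight
characters, unique per device.

Added example, not the speaker's code. The inventory at the bottom is
constructed sample data, not real credentials.
"""
import string
from collections import defaultdict

MIN_LENGTH = 9      # "more than 8 characters" means at least 9
MIN_CLASSES = 3     # assumed threshold: 3 of lowercase/uppercase/digit/symbol


def character_classes(password: str) -> int:
    """Count how many of the four character classes the password uses."""
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ]
    return sum(classes)


def audit_inventory(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Return {device: [findings]} for every device that fails a rule.

    `inventory` maps a device name to the password currently set on it.
    Devices that pass all three rules do not appear in the result.
    """
    findings: dict[str, list[str]] = defaultdict(list)

    # Rules 1 and 2: length and complexity, checked per device.
    for device, pw in inventory.items():
        if len(pw) < MIN_LENGTH:
            findings[device].append(
                f"too short ({len(pw)} chars, need at least {MIN_LENGTH})")
        classes = character_classes(pw)
        if classes < MIN_CLASSES:
            findings[device].append(
                f"low complexity ({classes} of 4 character classes)")

    # Rule 3: uniqueness. Group devices by password; any group larger
    # than one means the same password is reused across equipment.
    by_password: dict[str, list[str]] = defaultdict(list)
    for device, pw in inventory.items():
        by_password[pw].append(device)
    for devices in by_password.values():
        if len(devices) > 1:
            for device in devices:
                others = sorted(d for d in devices if d != device)
                findings[device].append(f"reused on {', '.join(others)}")

    return dict(findings)


# Constructed sample inventory (not real credentials).
SAMPLE_INVENTORY = {
    "wifi-access-point": "summer2015",      # long enough, only 2 classes
    "router":            "summer2015",      # same password as the AP
    "internet-modem":    "admin",           # short and a single class
    "file-server":       "k7$Qz!wLp2#rT9",  # passes all three rules
}

if __name__ == "__main__":
    for device, problems in sorted(audit_inventory(SAMPLE_INVENTORY).items()):
        print(device)
        for problem in problems:
            print("  -", problem)
```

Run as a script it lists each failing device with its findings; the file server, which passes all three rules, is not listed. Reuse is reported on every device in the group, so the person fixing the router also sees that the access point has to change at the same time.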

(Video) How to create a Business Continuity Plan

Roger Smith, CEO at R & I ICT Consulting Services Pty Ltd, Amazon #1 author on Cybercrime and founder of the SME Security Framework | Speaker | Consultant | Trainer discusses – How to create a Business Continuity Plan

[Beginning of transcript]

Hello. My name is Roger, and today I’d like to talk about creating a Business Continuity Plan.

Now, a Business Continuity Plan is really important for any business going forward, but it has a five-point life cycle, and that life cycle is used to make sure that you are always up to date with your business continuity. So the first thing that we have to look at is what risks are in the business, and what risks will impact the business and stop it from going forward and continuing to do business.

We then have to design a solution around what those risks are, and then we have to implement those designed systems, to make sure that we are looking at how things are going to run and how things are going to be at a business continuity level.

From there, we need to test it. Now, testing can be one of two things. One is that you can do a hypothetical: ‘what happens if this happens?’ Will these things be in place? And that’s great. Or you can do it physically – turn off something. What happens if I turn off this? Oh no, that’s broken.

And then from there, we can maintain it. And that maintenance looks at all of the new additional components that we bring into the business as we go forward as a business. So, new technology – better business continuity.

But going back to the analysis, we have to look at a business impact statement – what systems impact the business the most? What is the most critical part of the business? What is the biggest threat, and how do we analyze that threat to make sure it is all right? And then, once we’re done with that, we need to go, well, if we lose this, what do we require to recover from that problem?

We need to have a business continuity plan for security for ourselves, and we also need to take into account, as an individual business, what components go into that plan. And with every organization, it will be different. Two businesses might have the same problem but different requirements to make sure that they have business continuity and their business continues no matter what.

Thank you very much.

[End of transcript]

(video) Are you sick of your ICT costing a fortune

Roger Smith, CEO at R & I ICT Consulting Services Pty Ltd, Amazon #1 author on Cybercrime and founder of the SME Security Framework | Speaker | Consultant | Trainer discusses – why ICT costs so much to implement

[beginning of transcript]

Hello. My name is Roger. Are you sick of your technology costing a fortune?

So let’s have a look at why it costs so much. A lot of large organizations, especially in our space, people like Cisco or FortiGate, invest a lot of money in understanding what the bad guys are doing. They invest a lot of money in building technology to make sure that the bad guys are not getting into your systems, and that is one of the reasons why they’re a lot more expensive than a D-Link or a Linksys.

So, you need to know that although technology is expensive, and even if you bought something like a FireEye system, depending on the size of the organization, it comes down to making sure that you understand the risks to your business.

If you don’t consider the risk of being hacked really important, then you won’t spend a lot of money on protecting yourself. But if you have the other attitude, where my business is critical, my information is critical, my information about my clients is critical, then you start to invest in making sure that you have the best environment.

The other alternative to making sure that you have the best is to outsource, and you can use better technology to deliver better outcomes within your business because you are not paying the capital expense to bring that into place.

And because you’re not paying large amounts of money as an initial outlay to make things work, and then training people up to make sure they are working, you need to know that the systems the outsourcing company is going to bring to the table are going to be a lot more productive and beneficial to your business.

Thank you very much.

[End of transcript]

I don’t know everything that is why I need a Mantra “Cybersecurity is MY Problem”

“Cybersecurity is MY Problem”

There are hundreds, if not thousands, of security experts out there who will tell you that you have to listen to them.
So, why would you listen to me?
I do not know everything! Come to that, no one does! No one ever will! But they will try to tell you that they know everything.
There is nothing on the planet that will protect you fully in the digital world. Nothing is available, nor will it be available, in the foreseeable future.
We have to change. We have to change before the bad guys take over the digital world.
What we do know is that we have a problem.
What we know is that we have a problem keeping our digital information secure.
We have to improvise, adapt and overcome. Oorah.
What I know is that digital protection has to be holistic.
A holistic outlook will deliver better digital protection.
To fully achieve holistic digital protection you have to have a mantra. An affirmation. A focus for your protection.
We have a mantra. Our mantra is “Cybersecurity is MY problem”. Say it with me: “Cybersecurity is MY problem”.
What does it mean?
It means that there is no silver bullet. It means that it is hard work. It means that it can be expensive and costly.
It means that everyone in the organisation is responsible for protecting your organisation.
Everyone does their bit.
Everyone is aware.
Everyone, not just the ICT department, or the managers, or the board members, but everyone has to do their bit.
Digital security is intensive, focused and above all hard work. There is no set and forget. It is a constant battle between you, your staff, your organisation and the bad guys. Attacks change, defences adapt – this is the way of digital protection.
Why am I telling you this? We build and supply holistic digital security systems to small and medium business and not-for-profit organisations.
What I do have is a passion, no, that is wrong, I have a focus on protecting people from the criminals that inhabit the digital world.
So why would you listen to me? I am just a normal ICT consultant with an extraordinary outlook on digital crime. I do not understand the need to say “buy this because it is the best thing you can buy”, especially when it is untrue.
If you want to create a more secure organisation in the digital world, you need to talk to me. Talk to me now.
What I do do is create a holistic environment.