One of the worst situations you can be in is an acrimonious separation of an IT person from an organisation.
A bad separation, just like a bad divorce, can have a significant impact.
Large organisations have systems, policies, procedures and processes in place that protect the organisation, when they are actually used of course. If followed, they protect the organisation well.
SMEs, on the other hand, have different problems.
We have come across smaller organisations that still have former staff members on the books with full administrator access to everything that is still being done in the organisation.
The problems this creates can be huge.
They have access to privileged accounts: accounts that can do anything in the organisation's digital world.
Here are just a few ideas of what they can do:
They can steal your trade secrets and take them / sell them to your opposition.
They can steal your client list and use them for a number of bad things – competition, blackmail, sabotage.
They can cause software issues, lockouts and shutdowns.
They can lock legitimate users / all users out of the organisation.
In most cases the IT person is there because they know computers. They were allocated the role when they joined, and you may even have paid for education and training packages to make them better.
This just puts them in the position of holding the keys to the kingdom.
If you are going to remove an IT person from your organisation, the best thing you can do is outsource your IT, for a short time or indefinitely. An outsourced provider has the expertise to protect your organisation and is under contract to ensure your systems are safe.
Roger Smith is a highly respected expert in the fields of cybercrime and business security and is a Lecturer at ADFA (UNSW – Australian Centre of Cybersecurity) on Cybercrime, Cybersecurity and the hacking techniques used by the digital criminal.
He is the primary presenter for the Business Security Intensive (BSI) and author of the Digital Security Toolbox which is given away for free at the BSI. He is a speaker, author, teacher and educator on Cybercrime and an expert on how to protect yourself, your staff, your clients and your intellectual property from the digital world.
“We just threw it together on WordPress because it looked OK. Pretty cool, eh? What do you think?”
These are some of the reasons and responses that most organisations give about their websites. They do not consider their website an important component of their business security.
All of these implied reasons are BULL.
The damage that a compromised website can do to your reputation, your brand, your customers, your staff and your organisation in general can be devastating.
How can it have such an impact?
In today’s world everything is automated.
From building cars to putting together modem routers, it is all automated, created by robots or done with no human intervention.
Just set and forget!
In this world a bored teen with minimal parental supervision, access to the internet and access to a computer, tablet or smart device can download any number of automated systems that can and will target any website, just because it is attached to the internet.
Bored teenagers and hackers alike don’t even break a sweat… Download… Copy… Paste… Hack!
It’s just that easy!
Automated systems target everyone!
That is why a million-plus sites were hacked or defaced by exploits in the last 12 – 18 months.
Once again: attached to the digital world = target!
WordPress security can be very easy as well as exceedingly difficult.
Like any required expertise, anyone can attempt it, but it takes an expert to actually secure a website properly.
Just one bad plugin or update and your site is theirs!
What about Google?
If your website is infected and starts delivering malware to your visitors, then you’ll get blocked by search engines for hosting a fake store, an attack site or a phishing site.
This will have a significant impact on your site, especially if you are spending money on SEO.
The all-encompassing world of search, especially Google, can have a significant impact on your website through search engine optimisation (SEO).
I spoke about reputation in general; how about brand in particular?
The impact on your reputation, brand and ability to create revenue can be significant.
Your site, your reputation, your brand, your rankings and your domain value can be destroyed literally overnight, and in a lot of cases it will not even register with your business.
The problem could be mistaken for a change in Google’s algorithm.
How big an impact would a significant drop in search visitors have on your organisation?
The significant drop in visitors could be attributed to the blacklisting of your site.
Anyone going to your site will get the Google precaution web page: proceed past this point at your own risk. How many people are going to go against that message? Only 10%.
It’s going to cost you days and $1000s to restore, de-blacklist and re-rank.
So that cheap and cheerful website that you put up is now having a significant impact on your organisation.
Significant impact on your cash flow!
Significant impact on your revenue!
Let’s now take it further.
If your website keeps getting hacked it will cause significant problems for the hosting company, as well as for all of the other organisations that have websites hosted on the same platform. Same platform, same internet address.
They will literally ask you to take your website elsewhere because you are having a significant impact on their revenue and profits.
WordPress security – what can you do?
All of your problems started with the assumption that putting up a WordPress website is easy and can be done by anyone. Here are a number of precautions you can take to reduce the risk.
Update, update, update
Like everything digital in today’s world, updates are one of the keys to protecting the website. Updates to the WordPress core are critical, but updates to plugins, widgets and themes are just as important.
Updates remove those areas where the automated systems can get a foothold on your site.
Visit your site regularly
We have known organisations that have not touched their website in 2 – 3 years. This is bad for two reasons. If you are not visiting your site regularly then you are not helping your marketing; you are not putting up, in the words of Tim Read, “interesting and helpful content”.
Google does not like this.
If you are not visiting it regularly, you are not getting a feel for what your visitors are seeing, and you are not being prompted to update all of these important components.
Use top-quality plugins, themes and widgets
Free is OK, but if you pay for plugins, themes and widgets then there is a good chance that they will be better for your website.
This includes not only better functionality but also better security and support.
Use two-factor authentication or a captcha
With some of the tools available, your website can be scanned and its usernames discovered.
That is one of the two things the wannabe hackers need to compromise your website.
By using two-factor authentication and/or a captcha system you are adding another layer to the login process.
This makes it harder to access your website using automated systems.
Enforce complex passwords
I know they are hard, but complex passwords are very important when it comes to fighting all those automated systems.
All passwords should have three components: complexity (numbers, letters, symbols and capitals), length (more than 8 characters, but 10 is better) and uniqueness (different for every website you visit or have access to).
Now hopefully you understand why protecting your website with the right attitude is good business sense.
The bad guys are out there and they are looking for every opportunity to ruin your organisation, your reputation and your ability to make money.
It is no longer a case of hoping for the best when it comes to business security.
Business security demystified
Changes to the way we do business, how business is conducted, how fast transactions are done and the insidious implications of social media have made business in the last 5 years a huge challenge for most businesses, no matter their size.
From the multinationals that rely on their advertising spend to get customers, through to the small and medium businesses, the mom-and-pop organisations that are challenging them in most areas of today’s business world, all have huge, if not insurmountable, business problems.
No longer can we rely on “that’s how we have always done X”.
In today’s world that is old thinking and old strategy, and in most cases a good way to disillusion your clients and go out of business.
With all of this happening we also have the problem of protection.
These are just a few of our inward- and outward-facing security problems.
We are often told that security is a business problem, but all of the onus to fix it falls on the ICT department. This is no longer the way to do it.
Business security is a whole-of-business phenomenon. Everyone from the head of the board to the warehouse cleaner needs to be involved, and involved from the nuts and bolts through to the strategy.
Today’s world is all about data, and protecting that data from anyone and everyone who does not have permission to use it, see it or interact with it. With everything in today’s world being digital, in most cases we cannot see the problems this creates.
Today’s business security is all about common sense, seeing the wood for the trees and making sure that you are reducing risk at every opportunity.
Business security is all about risk!
Business security comes down to risk, defining the risk and then mitigating it for your organisation.
Every organisation is different and every organisation will mitigate the risk differently but all organisations need to start looking at the problem of risk.
Want to see what I am talking about? Go here and do our quick and nasty trial survey: 7 of the 98 standard NIST questions. Let’s see what your business maturity level is.
This has been hacked! X number of records have been stolen! Another bank ATM system has been compromised!
Yada yada yada. What’s the use?
You can invest millions in cybersecurity and still get hacked.
We now seem to not care.
We are getting reckless.
Reckless to the stage where the old adages are coming back, if in fact they ever went away.
It will not happen to me!
But it will! If you do not focus on protection it will happen to you. It will happen to you because of what the bad guys are capable of. The bad guys know more about the intricacies of programming than some of the engineers who created the program in the first place.
In today’s digital world a bored teenager, with access to the internet, a computer, an aptitude for mischief and minimal parental supervision can literally RUIN your life.
That is not a good thing! But it happens, and it happens all the time.
I am too small to be a target!
Actually no one is too small to be a target. Everyone who has a device that connects to the internet is a cybersecurity target.
Your mobile phone, your smart device, your laptop or your computer are all connected to a network that eventually connects to the internet.
The moment that you connect to the internet you are a target. You are a target of all of those automated systems created by the bored teenagers.
The moment you open an email, do a search for a product or service, create a website or any of the tens of thousands of things we do on the internet – you are immediately a target.
I have nothing worth stealing!
Ask that of the millions of people, offices and organisations who have been compromised by a cryptovirus, also known as ransomware. When you are confronted with the reality that you can no longer access your data, you suddenly realise how valuable that information really is!
Most of the people targeted had some level of protection, some type of security, because they realised they had something worth stealing. Even then it happened!
What makes you any different, especially if you have no protection, or only minimal protection?
Education is the key.
The reason that people like me harp on about cybersecurity is we see the problems. We see the impact and more importantly we see the solution.
The solution is not investing millions of dollars in technology, although technology IS needed. It is not about legislation that makes it harder to do business, although that is also needed. It is wholly and solely about education.
Education has a drastic impact on the frequency, occurrence and severity of being compromised.
At the moment the bad guys do not have to work very hard to get users to click on a link or open an attachment (Social Engineering 101: the easiest way to target anyone).
We have been conditioned to do it.
Click, double click or swipe is normal everyday activity when using a digital device. There is no thought, it is conditioning. We have to break this conditioning because in most cases that is what the bad guys rely on.
The only way to break this is education. Try this course:
The onboarding business security course (http://business-security.com.au/login/)
Relying on one person’s understanding of digital crime is a recipe for disaster.
You can be the most knowledgeable person on the planet in your chosen field, but you cannot be the most knowledgeable person on everything; that is impossible.
When it comes to the digital world, the individual facets of the world are daunting.
There is no single entity who has all of the answers. In a huge number of places we no longer understand the questions to ask.
We all work in some realm where we either consider ourselves exceptional, or other people consider us exceptional, in our knowledge and understanding.
Most people realise this and accept input from others who are experts in their own fields. This collaboration makes everyone involved better.
We have seen those exceptional people do the absolute dumbest things when it comes to digital protection and cybersecurity.
In most cases it comes down to EGO.
To quote the Skyhooks and my friend Shirl, “ego is such a dirty word”. This is where one of the largest problems lies when it comes to digital security.
Our egos get in the way.
Our egos do not allow us to be wrong, do not allow others to have input into our problems, or in some cases do not allow us to accept input from people who actually know more about the problem than we do.
The EGO of security
One of the biggest problems with keeping ego in check is the understanding of secrecy.
Using my ego to implement security means that others who may have a deeper understanding of the problem, or a better solution, are kept out of development because I have deemed it secret.
To develop a complete digital security strategy we need to leave our egos at the door. We have to listen to anyone and everyone with an idea concerning protection and implement the best ideas from that process.
When that happens we will see an improvement in digital security. We will see an increase in collaboration and maybe, just maybe, we will be able to beat the digital criminals at their own game.
Building a secure framework around your business using available technology
[Start of transcript]
—anti-virus on any system that is connecting to the internet.
Why we still need it
And this is why we need it, because the viruses that are out there, and they are out there, there’s a lot of them, they need to find homes for themselves, and the only way they can do that is through the technology that we’re utilizing. And that anti-virus means that you’ve got a 99.9% chance of stopping that virus coming into you.
End point protection – AV, malware, spyware
Anti-virus goes to the next level as well, because anti-virus also needs things like endpoint protection: anti-virus, malware, spyware. And that endpoint protection has two components. It’s actually on the system itself, whether that’s your tablet, your phone, your laptop, your computer, or your server, and it’s managed from somewhere, managed from a central location, so that any time anti-virus attaches to your network the newest versions get pushed out to your system, the newest updates that are required.
But we also need to authenticate. With all of that technology and software that’s coming into our networks, we need to have some way of finding out who’s accessing it and how they’re accessing it. And who’s accessing it and why it’s being accessed is part of the authentication protocols for your system.
Username and passwords
The most important part of authentication is your username and passwords, and we all know how complicated usernames and passwords are. I’ve just read an article recently about the difference between a professional person and a non-professional IT person on how they manage usernames and passwords.
So, as a professional, I have a complicated password. I use a password manager, mainly because I have access to 200-300 sites, or reasons to have access to 200-300 sites, and I’m never going to be able to remember them.
But there are also other things you can use. You can actually create a base password that you add different components onto. The security, and we’ll talk about cloud later on, is that cloud is only as secure as your usernames and passwords on your terrestrial systems. Because if you use password and password, then the hackers are going to be able to hack that without a problem in the world.
The other thing about passwords, and especially when it comes to hardware and software installation, is that some things come with a default password. They actually come with admin and password, or admin and admin. And these default passwords are well known. You can do a quick search on the internet. You can go “default password for this model”.
And then it will tell you admin/admin or admin/password, admin/blank. But that also then goes on. So you need to change those passwords, those default passwords, before you put something into production.
It’s probably better to do it as you’re setting it up, as the first thing you do. It’s forced on you by some of the high-end security systems, things like Cisco and Fortinet: they require you to change your password the first time you log onto the system, and that’s really important.
The next part of technology is encryption. And we’re seeing encryption from a number of places that have information that needs to be encrypted for some reason. Now, we all use encryption when we go to buy something from eBay, and now everything on Facebook is encrypted.
And that information is there so that nobody can intercept the communication between the device and the back end, and that back end is also encrypted to make sure that data is secure.
But why do we need encryption? Well, one of the main reasons we need encryption is so that people are no longer able to eavesdrop on the communication between device and back end. But on top of that, if someone actually does get into the back end, or gets into the front end, and steals the database, it’s all encrypted, then they’ve got another problem for themselves.
Normally it would be just in plain text, you know, Joe Bob has got this email address and this credit card number. All that sort of information is in the database. But if it’s all encrypted, then all they get is gobbledygook. And that gobbledygook is really good because you no longer have a problem with it.
Why we need to employ it in transit
So we need to have some level of encryption, and that level of encryption comes about because we’ve got information being transmitted between your device and the back end and that’s what’s called in transit. And that transmission that comes between you and back again, if it’s encrypted then people can’t read it. If people can’t read it, there’s no problems with it.
Why we need to employ it at rest
But we also need to encrypt our data “at rest.” It needs to be encrypted when it is located on a hard drive, and even though you employ cloud computing, it’s still resident on some piece of hardware somewhere. It doesn’t matter where it is. It would be nice if you know where it is. But it doesn’t matter where it is, as long as it is encrypted while it is at rest.
VPN – Virtual Private Network
We have a system called virtual private network, which is really a tunnel between a device and your system over the internet. So it’s literally a system where you can protect all of that information that you put past as intellectual property by making sure that the information is always unreadable. And that’s why we need virtual private networks. We used to have systems dial in, but now virtual private networks are so much easier to use and so much easier to set up.
And then we’ve got Wi-Fi. Who here has logged onto a Wi-Fi connection that didn’t require a username or a password? Do you know why it’s not a good idea? Because going back to the encryption component, that username and password, or just the password, the WPA passphrase, actually encrypts the information that you’re putting into the system.
And that passphrase, along with a few other components of your computer, gives you a unique encryption component that then can be used by them to make sure it’s more secure. And again, once again with Wi-Fi, if it’s got default usernames and passwords, change them, because you don’t want other people getting onto your Wi-Fi and using your system to attack other people.
Principles – Dos and don’ts
So we’ve now got some principles around what we’re doing as a business and an organization. Because we know that we need to have newer technology. It doesn’t have to be super new, but it needs to be newer technology. And as I said, with things like Wi-Fi, there are definitely dos and don’ts.
Use complicated passwords and passphrases. Use complicated usernames and passwords for VPNs. Make sure that your technology is doing exactly what you want it to do. And you want to make sure that along the lines of how you protect your business, these are things that you really need to do.
Now later on, we talk about management in our framework. But management of the technology actually has its own systems in place. Normally we have policies and procedures and processes that are managing the people who use the technology, but you need to have some level of system management to make sure that the systems are set up properly.
Setting up those systems, because it is very important about how you do it, you need to have a level of visibility. You need to be able to say, “If I set up a firewall, how do I go about doing it?” for instance. “If I’m installing anti-virus, where does it get installed? What does it get done by?” These are the systems that make your system, your organization, more secure.
But along with visibility, we also have accountability. We have an accountability component because we need to know who set that firewall up, who changed the rules of that firewall. Did they change the rules, or did they just make a rule up that they didn’t know was going to work and then didn’t worry about it? Who did that? Why did they need to do it?
And then we need to have some component of manageability. It’s no use having systems in place that nobody knows how to manage. And for small or medium businesses, understanding technology can be a huge burden because it means you are either not focusing on your core business, or you have someone else who’s not focusing on their core business.
Technology, I know everybody wants convenience and low cost and everything else, it doesn’t matter how convenient the system is, what you are seeing is 10% of what the system can do. Because that 10% is what makes our business work. That other 90%, we don’t even know about. And that’s what the bad guys really want you to do, is they want you to be unaware of where to go.
One of the things we come across with small or medium businesses is that everything is in one place. Your database is on a server. Your Exchange is on a server, and there’s no segregation or separation of that information. That separation of that information is really important. In small businesses, usually, everybody on staff has access to the accounts system.
But as you get bigger, you don’t want that so you need to start separating your data. The other thing about data separation is if you’ve got a Wi-Fi system that has a guest component, or someone has even a Wi-Fi system that doesn’t have a guest component, the best thing you can do is—
Yes, they can log onto your Wi-Fi and use your Wi-Fi as long as they’ve got the proper passphrase, but you don’t want them inside your network. Because if they’re inside your network, they can do so much damage without even knowing what they’re doing. So data separation means that you make sure that if someone on the Wi-Fi needs to access your network, then they can VPN in, and that separation is critical to protecting your organization.
And because we don’t want a flat network, if you’ve got people who want and need access to specific IP or patents, for instance, then you don’t want everybody having access to it because you’ll lose that intellectual property and trade secrets. And if you’ve got information about how you tender, or how you bill on a tender, or what your cost is for a tender, then you don’t want someone else, your competition for instance, knowing that’s how you work. This is why you don’t want a flat network. You want to make sure that flat network is a tiered access so that people, only specific people, can get to specific information.
Another thing about technology is we worry about how we manage patches. Patch management is really important across the board. Because patch management literally tells you which component you’re patching and which component you’re not patching. Patch management is again, going back to the difference between a professional and an everyday user, a professional would sit down and say, “It doesn’t matter what those patches are, I’m going to apply them all.” Most people just get selective: “I’ll just click the button and go here and score the lot.” That’s what you need to do to make sure. Because you never know when that compromised system, or that system that can be compromised, even though it was a benign compromise, couldn’t do anything you couldn’t get out of, might turn into a cancerous attack. And you need to be able to manage those updates as well.
Finally, we’re looking at best practice. All hardware and software comes with “This is how you should install it. This is the best place to put it. This is how you should set up your firewall. This is how you should then take the next step to go to the next level.”
That best practice is designed by the people who made this hardware and software, so the best practice is coming from literally the horse’s mouth. They are telling you to set up x machine, you need to do x, and if you don’t do x, it’s not going to work to the best capacity that it can.
Why we need them
But also, when it comes to that level of expertise, you need to have the expert advice, because they have created a machine, for instance, that connects your Wi-Fi to the rest of the network. So you need to know what is the best way of doing it, and how you are going to do it, and why you need that device in the first place, because it does a specific role and protects your business from a specific thing that makes it harder.
So, in conclusion, we’ve looked at the technology. And the technology component of my framework has a number of systems.
Hardware – So we have hardware, which is literally the hardware components of what we use to do our business.
Software – On top of the hardware, then we have software.
Anti-virus – And protecting that software is anti-virus. That’s only a first-level defense, because all of the other things that we’re doing should be making that defense around your organization a lot more secure.
Authentication – We need to make sure that the right people are getting at the right information in the right way, and they cannot run away with that information or make it very hard for us to make sure that information is secure. This is where authentication comes in, so the right usernames and passwords have access to the right information.
Encryption – And all of that information that we’re downloading or moving around our network is all encrypted, so nobody can pick it up and store it somewhere else unencrypted so they can steal that information.
System Management – We need to manage the systems that we put in place. We need to incorporate management policies and procedures so that when the systems are installed, this is how you do it. We do a lot of installation of things like servers, for instance. We have a checklist. That checklist includes what is installed, how it’s installed, where it’s installed, and how the system is set up.
We know that there’s not going to be an administrator, an account called administrator, because that is part of our system management. We know that the passwords are going to be more than eight characters long. They’re going to adhere to a specific setting that we’ve got in our system. That is why we need to manage the systems properly.
Data Separation – We need to separate our data from public to private to super private to secret. And that data separation is really important for that business. It might mean that you only keep your really important information on a USB stick that you keep in your pocket, hopefully with a backup.
But you know that the only person who has access to that information is you, unless of course you lose it, and then you’d better hope that it’s encrypted. Because if it’s unencrypted, then you have a problem.
But going back to USB sticks for instance, alright? USB sticks are a ubiquitous part of our business at the moment. Everybody has USB sticks. Everybody has USB hard drives. And there are two problems. One is, how do you make sure that the information on that system, if I plug it into my computer, I can read it?
You don’t want that to happen. You want to be able to go plug it in, yes, there’s data there but it needs to be unencrypted to be able to access it. Because it’s your data, you usually have the key for that problem. But if you lose that hardware, you lose that USB stick, then you have got a level of protection that is there just in case you lose it.
But the other one about USB sticks is the bad guys have found a way of using them to get into their targets’ systems. What they’ll do is they’ll actually seed car parks with old USB sticks. A friend of mine got caught in Las Vegas with this. Crossing the car park, she picked up a USB stick, looked at it. It had Boeing on it. Boeing Airlines. A legitimate company, rather large.
Obviously someone from Boeing had dropped it, so she took it home. Took it into her hotel room. Instead of handing it into the reception area, she just took it upstairs and plugged it into her laptop, and she was quite happily looking at all the information on it. What it was, was a slideshow.
To make the slideshow work, you could just click on a slide element and it would come up as a product. But if you wanted the slideshow to work, there was a little thing that said slideshow.exe, and she clicked on that. She wasn’t able to use her laptop until she got home because nothing worked after this. That’s one of the reasons why you’ve got to be very careful with what’s happening.
Best Practice – In addition, we have the last thing, which is best practice. Best practices are professional advice on how you do things. Installing a firewall from Cisco? Then you use the best practices from Cisco. Installing a Wi-Fi system from Linksys? How do they recommend you set it up? That is best practice.
Where does this all fit into the framework?
As I said, we’re looking at the framework which is technology, management, adaptability and compliance.
How do you know if it is all in the right place?
We need to know that all of this information is in the right place and all of that technology is working to our benefit in making our business so much more secure. So we don’t need those legacy systems, and if we do need the legacy systems, let’s go and find another system that works the same way to a level we can then utilize for our business.
Where to from here?
So, where to from here? As the little man in the maze said, “What now?” What you need to do is upgrade your systems. You need to make sure you are using the best systems that are available, the newest systems available. That includes, and I’m not really delighting in Windows 10 at the moment, but it is important that you use that type of system.
If you’re using Windows 8.1, great. But if you’re using XP, get rid of it, because it is a huge problem. If you’re using an old iPhone 5, for instance, or an iPhone 4: I use an iPhone 4 for recording, but that’s the only thing I use it for. It hasn’t got anything else on it, apart from the fact that it plugs into my computer and I can download the movies onto it. That’s really important going forward on how we do it.
So, if you want more information, I have two books out. One you have to buy, the other one is free. If you want to get in contact with me, then I am on Twitter. I’m on Facebook. I’m on LinkedIn. Just drop us a line.
Seminars and Webinars
We do run these webinars and seminars regularly. We’ve got another webinar tomorrow at 12:00, on a Lunch and Learn series. But we run seminars as well, and we do Google Hangouts just to make sure that we are getting in contact with as many people as we can.
So thank you very much. Are there any questions? If there’s no questions, thank you very much for your time. It has been very nice talking to you.
Roger Smith, CEO at R & I ICT Consulting Services Pty Ltd, Amazon #1 author on Cybercrime and founder of the SME Security Framework | Speaker | Consultant | Trainer discusses – The hidden cost of doing ICT yourself
[start of transcript]
Hello. My name is Roger.
And today, I’d like to talk to you about the hidden costs of small business doing their own ICT.
In a small business, we have direct costs, how much we buy something for, how much we sell it for. And we have indirect costs. And the indirect costs usually are the costs that we have no control of. And what happens when people start doing their own technical support is your indirect costs go up.
Now, most people are in business to make money and they are in business to do core business, whether that’s for selling widgets or consulting or any of those things. You’re not there, and your people are not there, to work on the information technology, information technology stuff that is making your business work.
And what happens with doing the ICT yourself is it really does take your focus off core business. It’s a lot easier to say to someone, “Come in and fix this and then go away,” than to have Joe Bob, who’s the receptionist, or the senior salesperson or the marketing manager, look at the printer problem and say, “Well, I just spent nine hours trying to get the printer to work. Now I’ve got to call someone in.”
So, doing your own ICT is not cost-effective. And there really is no convenience in doing it. Because, as I’ve said, ICT is what makes your business run. But you don’t need to understand the 90 percent of making that system run; you need to understand the 10 percent that you use to make it all work for your business and do core business.
Roger Smith, CEO at R & I ICT Consulting Services Pty Ltd, Amazon #1 author on Cybercrime and founder of the SME Security Framework | Speaker | Consultant | Trainer discusses – A firewall does protect you in the digital world
[start of transcript]
Hello. My name is Roger.
I’d like to talk to you today about A Firewall does protect you in the Digital World.
A Firewall is a piece of hardware or software that sits between the real digital world and your device – whether it’s your laptop, your server, your network, your smart device. It sits between the digital world which is out there, and your privately owned piece of it.
And that’s all it’s there to do. It’s there to stop the bad guys coming in to your system and doing damage on your system. It allows information from your system that is requested to go out to the digital world and then come back in again.
And in other cases, it’s very effective about stopping that first level of attack that we have from the digital world.
When it comes to network management and protecting yourself at a network level, then you need to spend a little bit of money to get a more expensive model of the router/firewall/modem component, because that is what is going to protect you from the digital world. And that expensive model, whether it’s a FortiGate or a Cisco or a Palo Alto, is really important because it has a lot more features as well. And we have things like 2nd generation firewalls coming in to the information.
Thank you for listening, and if you have any questions, please contact us via the slides after this.
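The behaviour the transcript describes, unsolicited traffic from the digital world dropped, traffic the inside requests let out and its replies let back in, is what a stateful firewall does with its connection table. The following is an added example, not code from the talk or from any of the vendors it names: a toy stateful packet filter over a constructed traffic sample. The office LAN range, the addresses, the port numbers and the packets are all made up for the illustration.

```python
"""Toy stateful packet filter, in the spirit of the firewall transcript above.

Default-deny inbound, accept traffic the inside initiates, and let the
replies to that traffic back in by tracking connection state (the same idea
an nftables 'ct state established,related' rule implements). Addresses,
ports and packets are constructed for the example.
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class StatefulFirewall:
    def __init__(self, inside_net, published_ports=()):
        # The network the firewall protects, e.g. the office LAN.
        self.inside = ipaddress.ip_network(inside_net)
        # Services deliberately exposed to the digital world (default: none).
        self.published_ports = set(published_ports)
        # Flows the inside has opened, keyed by 5-tuple; a reply matches the reverse tuple.
        self.state = set()
        self.log = []

    def _is_inside(self, addr):
        return ipaddress.ip_address(addr) in self.inside

    def filter(self, pkt):
        flow = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if self._is_inside(pkt.src) and not self._is_inside(pkt.dst):
            self.state.add(flow)          # outbound request: remember it
            verdict, why = "ACCEPT", "outbound, new flow recorded"
        elif reverse in self.state:
            verdict, why = "ACCEPT", "reply to a flow the inside opened"
        elif pkt.dport in self.published_ports and self._is_inside(pkt.dst):
            self.state.add(flow)          # inbound to a service we chose to publish
            verdict, why = "ACCEPT", "published service"
        else:
            verdict, why = "DROP", "unsolicited inbound"
        self.log.append(f"{verdict:6} {pkt.proto} {pkt.src}:{pkt.sport} -> "
                        f"{pkt.dst}:{pkt.dport}  ({why})")
        return verdict


def demo():
    """Run a constructed traffic sample through the filter; returns the verdicts."""
    fw = StatefulFirewall("192.168.1.0/24")          # constructed office LAN
    sample = [
        Packet("192.168.1.10", 51000, "203.0.113.5", 443),     # laptop opens HTTPS to a web server
        Packet("203.0.113.5", 443, "192.168.1.10", 51000),     # the server's reply
        Packet("198.51.100.7", 40000, "192.168.1.10", 445),    # internet host probes SMB
        Packet("198.51.100.7", 40001, "192.168.1.10", 51000),  # fake 'reply' from a host never contacted
        Packet("203.0.113.5", 443, "192.168.1.10", 51001),     # real server, but a port we did not open
    ]
    verdicts = [fw.filter(p) for p in sample]
    for line in fw.log:
        print(line)
    return verdicts


if __name__ == "__main__":
    demo()
```

The third and fourth packets are the point: a port scan and a forged "reply" both arrive from outside with no matching entry in the state table, so the default rule drops them, while the genuine reply on the second line is accepted only because the laptop opened that exact flow first. Publishing a port (`published_ports`) is the one deliberate hole in the default-deny stance, which is why it should be empty unless a service really has to be reachable.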
Just as we listen to accountants, solicitors and motor mechanics, the digital security expert has an important role to play in supporting your organisation.
Digital security is becoming one of the most important areas of modern business.
For some reason we believe technology in business is easy. So easy, in fact, that we just install it and forget about it.
Anyone can do it.
As in other professions, what you can do yourself and what a professional can do are worlds apart. An accountant, for instance, can legally reduce what you pay in tax, and a solicitor can get you a reduced fine or sentence that you could not get by representing yourself.
So a digital security expert can make your organisation more secure because they have studied business and technology, but more importantly they have a better understanding of what the bad guys are doing.
Here are 17 ways that a digital security expert can make your organisation more secure:
They study the bad guys – being a digital security expert is not about selling the next best thing (if there is such a thing). It is about understanding your enemy. The more you study the cybercriminal, the better you get at predicting their next move and staying one step ahead.
They keep abreast of what the bad guys are doing – digital security experts use the same world that the cybercriminal uses to ply their trade. They are on the dark web, watching, recording and documenting what the bad guys are going to do next.
They understand business requirements – what most people do not realise is that the digital security expert has to understand business: marketing, management and cash flow. They need this knowledge to ensure the recommendations they give their clients do not impact the business, or have minimal impact on the way it functions.
They understand technology – in most cases a digital security expert understands the technology at the same level the bad guys do. To ensure that your business is not vulnerable to a cyber-attack, they have to know the technology well enough to know it is safe.
There is no such thing as 100% secure – contrary to popular belief, there is no such thing as being totally secure. The digital world is ever changing, and so are the tactics, strategies and targets of the cybercriminal. There is always someone out there who knows that little bit more.
Everyone is a target – if you have a smart device, you are a target. If you have an email address, you are a target. If you have a website, you are a target. The larger your digital footprint, the bigger the target you are, and the more of it will be hit by the automated attack tools that criminal gangs sell.
Technology is not the only answer – there are four components of being secure in the digital world. Technology is one of them. The other three are management, adaptability and compliance. All four components together make a more secure environment than just technology alone.
People are your best defence – your staff and users can be either your best defence or your biggest problem. If you educate them in proper digital hygiene, they will not only protect themselves; the flow-on effect is that they protect your organisation.
Complex, unique and long passwords are good for business – we all hate these. To access the digital world we need a username and password combination, and the more we rely on the digital world the more important these become. All passwords should be complex (lower-case letters, capitals, numbers and symbols), more than 8 characters long, and unique for each site. That’s pretty easy, isn’t it? In practice the only way to meet all three rules across dozens of sites is a password manager, and uniqueness is the rule that matters most: it stops a password stolen from one site from opening your accounts everywhere else.
Penetration testing will prove you have it right – penetration testing is one of the best ways to test your defences, and it should be carried out across all components of the business: websites, cloud infrastructure, social media and smart devices. A contracted penetration tester should have written authorisation and carte blanche across the whole network. You are not on a witch hunt or targeting the IT department; you are finding holes in your organisation and resolving the risks before you are compromised by the bad guy.
Think when using social media – social media is great. It is also one of the best tools the bad guys have for social engineering. Information posted to social media sites is there forever. Educate your staff about the dangers of social media. Put a social media process in place to ensure that trade secrets and intellectual property are not posted, and that each post is checked before it goes live. In the heat of a social media exchange, think before posting.
Get paranoid – paranoia is the belief that everyone is against you. In the digital world this is truer than in the normal world. Does that make you paranoid? Not really, but working on the basis that everyone in the digital world is out to get you makes you more secure.
Use common sense – everyone remembers the old Nigerian Prince scam; people are still getting caught by it. There are a number of things to remember in the digital world: if it is free then it is not (you always have to give something to get something); if it’s free it could be infected with malware; if it’s free, somewhere along the line you will pay a lot more than you expected. Using common sense to make that decision is critical.
Email is a broadcast medium – we often forget that although email is targeted, sent specifically to individuals or groups, it can go astray. It can be sent to the wrong person when the address field auto-completes the wrong name. It can also be forwarded, printed and scanned, and sent to people it was never intended for. As with all communication, be careful with email.
Digital security is a whole-of-business endeavour – we are constantly told that digital security is an IT problem. It is not; it is a whole-of-business endeavour. Everyone and every department has an impact on, and input into, the digital security of the organisation.
Have a mantra – I have a mantra: “digital security is my problem”. What that means is that I take personal responsibility for protecting myself and protecting others. The more people who adopt this mantra, the more secure your organisation will be.
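The password item in the list above gives three rules but no way to check them, and it does not say why "more than 8 characters" is the one to push hardest on. The following is an added example, not the article's own code: a small checker that tests a candidate password against all three rules, detects reuse by comparing against salted hashes of the passwords already in use (so the old passwords never need to be held in clear), and computes the brute-force search space each password gives an attacker. The vault layout, the PBKDF2 parameters and every sample password are constructed for this example; treat the 9-character minimum as one reading of "more than 8".

```python
"""Checker for the password rules in the list above (all character classes,
more than 8 characters, unique per site), plus the brute-force search space
each password gives an attacker, which shows why length is the rule that
matters most. Existing passwords are compared as salted PBKDF2 hashes, so
the checker never needs them in clear. The vault layout and sample passwords
are constructed for this example.
"""
import hashlib
import hmac
import math
import os
import string

CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}
MIN_LENGTH = 9          # one reading of "more than 8 characters"
PBKDF2_ROUNDS = 100_000  # assumed work factor; tune upward in production


def hash_password(password, salt):
    """Salted PBKDF2-HMAC-SHA256; deliberately slow so stolen hashes are costly to crack."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def search_space_bits(password):
    """log2 of the brute-force keyspace, assuming the attacker knows which classes are in use."""
    alphabet = sum(len(chars) for chars in CLASSES.values()
                   if any(c in chars for c in password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def check_password(password, vault):
    """Return the rules the password breaks; an empty list means it is compliant.

    `vault` maps site name -> (salt, hash) for the passwords already in use.
    """
    problems = []
    missing = [name for name, chars in CLASSES.items()
               if not any(c in chars for c in password)]
    if missing:
        problems.append("missing character class(es): " + ", ".join(missing))
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    for site, (salt, digest) in vault.items():
        # Constant-time compare so the check itself leaks nothing about the stored hash.
        if hmac.compare_digest(hash_password(password, salt), digest):
            problems.append(f"already used for {site}")
    return problems


def demo():
    """Build a constructed vault and evaluate four candidate passwords."""
    vault = {}
    for site, pw in {"bank": "Tr0ub4dor&3", "webmail": "correct horse"}.items():
        salt = os.urandom(16)
        vault[site] = (salt, hash_password(pw, salt))
    candidates = {
        "reused":    "Tr0ub4dor&3",              # complex and long, but already the bank password
        "no_symbol": "Password1",
        "short":     "Xy7!",
        "good":      "staple-battery-horse-9Q",
    }
    return {label: check_password(pw, vault) for label, pw in candidates.items()}


if __name__ == "__main__":
    for label, problems in demo().items():
        print(f"{label:10} {problems or 'OK'}")
    for pw in ("Xy7!abc", "a" * 16):
        print(f"{pw!r}: {search_space_bits(pw):.1f} bits of search space")
```

The "reused" case is the one the list is really warning about: the password passes the complexity and length rules and still fails, because it is the bank password. The search-space figures make the length point concrete: a 7-character password drawn from all four classes gives an attacker under 50 bits of work, while 16 lower-case letters give over 70, so a longer passphrase beats a shorter "complex" one even before a password manager removes the need to remember either.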
A digital security expert can and will make your business more secure and, like any other profession, what they bring to the table is well above normal expectations. Like accountants and solicitors, their expertise can save you substantial amounts of money, sleepless nights and angst, just by doing their job.