Two attitudes to cybercrime that have to change!

There has been a large amount of discussion on why cybersecurity is important to all Organisations.    No matter your size or your focus we are all targets of cyber criminals.  The biggest and hardest thing to do is convince small and medium businesses and not for profit Organisations that cybercrime is in fact rampant in the digital world.

I often hear, we are too small to be a target, it will not happen to me and we have nothing worth stealing.   These are classic examples of the SME’s mentality when it comes to cybercrime.

Recently I came across two more reasons that SME’s are not embracing the dangers of cybercrime.

We make hammers

I was recently talking to a small hardware retailer at a networking function.   When I explained to him what we did – educate and protect Organisations against cybercrime to build business resilience – his comment was

“Why should I worry about that, all I do is sell hammers”.

This is a major flaw in the SME business world.  Organisations forget that no matter what you do, how you do it and how you make money we do it in the digital world.  Protecting your digital assets is just as important as using them for the business.

The digital world is cost effective and convenient.   We use it for everything – sales, marketing, communication, accounting.   Connecting to the digital world = target.

Being targeted because they are connected, does not seem to enter into most business minds.  We take enormous care to make sure that we cannot be robbed in the real world.   We are blazee about our digital assets.

We are all citizens of the digital world;

  • Using the digital world = target!
  • Connecting to the digital world = target!
  • Being a member of the digital world = target!

You may sell hammers, or build patios, or run electrical cable, or dig holes, we all still have systems in place that are connected to the digital world.

How do you communicate – email, social media!

How do you bill your clients – accounting package or cloud based system!

What other uses is your smart device used for – on line banking, looking for information.

Each one of those system, in today’s world – is a target.

Make sure you protect it!

Practice you recovery

If disaster struck, would you survive?

One of the largest problems as a managed services provider is that we can do everything that is required of us.   We can create disaster recovery plans, business continuity plans or install backup solutions.   We know that they will work and will protect the organisation.   But how do we prove that?

If the C level, board or management levels are not interested then it is a total waste of time.   There is an advert for a mattress company that goes “a 50% saving on a bed that is not right for you is a 100% waste of money”. The same is true of an untested disaster plan.

An untested DR plan, BC plan or backup are a total waste of time if;

  • It is not tested
  • The right systems are not included in the plans
  • No one knows what to do
  • No one is willing to invest time and money in the outcomes

Where you do not want to be.   The first and only test is when a disaster happens.   That will bring you a world of pain.

The only way to confirm that your plans are going to work is to see what happens if the systems are turned off.

Try it sometime.

It will definitely show you what you can expect in the aftermath of a cyberattack, a natural disaster or just a failed hard drive.

Managing the risk of a cyber-attack is very important to all SME’s.   If you have a digital component it is a risk to your business.   Make sure you mitigate that risk to a level that you are happy about.

Winging it and no plan are not alternatives.

There are so many stories about Organisations that did not have backup, did not have DR or BC plans, or thought that did not have to worry about digital security.

Most of them are now out of business.

Roger Smith is the CEO of R & I ICT Consulting Services, Amazon #1 selling author on Cybercrime, author of the Digital Security Toolbox and author of the SME Digital Security Framework.   He is a Speaker, Author, Teacher and educator on cybercrime and how to protect yourself from the digital world.

(Video) What is managed web filtering?

Roger Smith, CEO at R & I ICT Consulting Services Pty Ltd and Amazon #1 author on Cybercrime discusses managed web filtering

[Start of transcript]

Hello, my name is Roger. What is managed web filtering? Well, we all know that everybody likes to access the internet, whether it’s on a tablet, on a mobile phone, laptop, computer, even on the server when you need to download updates and things like that. You always need to access the digital world in some way.

But the trouble is, the bad guys know how we all access the internet, and they are always willing to put little traps and systems in place so they can actually get information out of you or infect your computers.

Now what I mean by that is there are, websites are created, and we all have websites. Websites are not created equally. Some are high-end, high-processing, e-commerce sites that are secure and locked down, and everything is really hunky dory.

But at the other end of the scale, there’s people who put together a WordPress website, who doesn’t worry about security, doesn’t worry about patching or widgets, making sure all the plugins are working, making sure the plugins are all patched up.

Now if this website, the one that was done in WordPress, gets hacked, now there are a number of ways they can do things to you. They can hack your website and take it down. Bang, there goes your website. Or they can just deface it. We were here, stuff you. Great.

The worst one they can do is they can actually infect it so that all of the visitors coming to your site will actually be asked to download now or then. Now when that happens, what happens is you need a system in place that will protect you from that happening to you. Now how do you do that?

Well there’s a number of products around that allow you to protect the way you surf the internet. And by that protection, it will come up and go, don’t go to this website, because it’s infected, or it may go to something that says when you log on to the website, something is wrong.

And that is really important for business. Because you get malware on your PC or your laptop, or your tablet, or your phone, then the bad guys have access to that information. What people don’t understand is it can happen to anybody’s website.

It takes, it can happen at the lowest level with your web-hoster, hosting company, has been hacked, and the server with all of those websites on it are now vulnerable. Or you could be a major news site.

There’s been times where places like ninemsn have been not so much hacked, but the information for things that run their ads have been infected, which then infects the people who come to it.

The other way that you get infected is through Ethernet. So this is a process that the bad guys call water holing, because everybody has to go there to get information. The biggest one that we’ve ever seen was when they infected a site that looks after human resources. So everybody had to go there, work out their leave, and every time they went there they got infected.

But, on top of that, if you get an infection from a website, that you, and you haven’t been protecting yourself in such a way as it will come up and tell you that you’ve got a chance of being infected by the website, then you have a problem with your own technology itself. Because it is no longer yours. It has spyware, it has malware. It may even have things like drive-by malware that encrypts all the information on your system. You don’t want to be in that situation.

On top of that, people also believe that if you go to pornographic sites that you’re going to get infected. To tell you the truth, pornographic sites are probably the securest internet websites on the internet and have ads. And there’s something, because the pornographic sites need people to come to them all the time. And yes, it’s huge business, it’s really a lot of money that they get.

So, you need to have some way to protect yourself, and that is where a managed web filter will come into. That managed web filter will sit on the desktop, or the laptop, or the tablet and phone, and actually intercept the information before it gets to your technology itself, and will protect you. And because it’s a managed web filtering, it’s like any other cloud product, it is a monthly fee.

Thank you.

[End of transcript]

There is no I in TEAM, but there is way too much EGO in Digital security

Talk about having an eye opening moment. bigstock-Auction-with-auctioneer-holdin-10211486

I regularly have coffee at my son’s bar, and I overheard a conversation.

More a robust discussion.

A number of people, in the digital security space of a government department, were generalizing about Digital security.

There was a certain individual there who had a very different outlook on cybersecurity. He said “I know it all, and you know less than me”. At this I almost choked on my coffee.

In the Digital security realm this is an exceedingly stupid thing to say.

He may know more than me or anyone else. I will be the first to admit that I don’t know it all, but knowing everything!

That is just crap!

If he is conveying this to the C level executives and board members then this department has serious problems. The digital criminal is quite happy to take people like him and make them a public spectacle.

I, for one, am amazed at the tactics, strategies and capabilities that the true cybercriminal brings to the game.

I am not talking about the wanna be’s, the script kiddies or the people who use automated systems to scan the digital world for vulnerabilities to target. The true hacker is someone who knows what they are doing.

These are the true masters of the craft.

In most cases, protecting against some of their full blown attacks is damn near impossible.

What happened when stuxsnet and Duqo were released into the wild. The source code was changed into something else entirely. With different payloads and attack vectors it became one of the true hackers major weapons. There are many more like them.

To be a target of a true hacker you have to have something that they want.

It has to be worth their while.

If you have significant cash reserves, important trade secrets or a huge digital presence, then you are a target.

Most SME’s and not for profit Organisations are not in that space, although they may be collateral damage in an attack on someone who is that they work with.

People in the security area of any organisation have an understanding that the process of protection is always evolving. They also understand that the evolution requires the Organisations protection systems to morph into areas where it has never been considered. This happened recently with the adoption of cloud technology and will happen again with the introduction and take up of the Internet of things (IOT).

You have often heard me talk about “the game”.

The “game” is played by the professionals who are interested in making an organisation secure. Winning the “game” is going to bed with the knowledge that today was a good day. Tomorrow may not be! Playing the “game” is doing everything that there is to do, know and understand and applying it so that information within the organisation is safe.

The “game” is about accepting that there are other ways to compromise a system and the defense of the organisation is a holistic process. There is no money or wealth driven motive behind getting into cybersecurity, if there was they would be making a hansom living on the dark side. This is something that the makers of software and applications forget.

This is also applied to the maker of security components. We all know that there is no silver bullet that will fix all of the cybercrime problems.

But most vendors sprout it like theirs is just that.

Do this and you will be secure, don’t worry about the USB in the carpark, the forgotten default password on the router, using unsecured wifi to access the bank account or the insecure access to your intranet. We won’t talk about that!

Digital protection is all about being holistic. There is always a place for technology, but technology will save your organisation – no. Putting the right management in place, making sure the organisation is adaptable or flexible and then making sure that you comply with all of the regulations for your government and industry. That creates robust digital security.

We are not focused on the technical (although we are very good at that) side of your business, we are focused on making your business reach its full potential

Roger Smith is the CEO of R & I ICT Consulting Services, Amazon #1 selling author on Cybercrime, author of the Digital Security Toolbox and author of the SME Digital Security Framework.   He is a Speaker, Author, Teacher and educator on cybercrime and how to protect yourself from the digital world.

(Video)Why is a managed firewall a good business decision

Roger Smith, CEO at R & I ICT Consulting Services Pty Ltd and Amazon #1 author on Cybercrime discusses why a managed firewall is a good business decision.

[Start of transcript]

Hi. May name is Roger and today I’d like to talk to you about why a managed firewall is a good business decision. Now, small and mediums business, not-for-profit organizations, SMEs in general are usually the people who go down to the local retail store and buy an off-the-shelf that connects your business to the internet. Now usually they are a dumb piece of equipment. Yes, they will have all the and they can connect and they have a rudimentary firewall in place but they’re not really or truly protecting your business.

To protect your business you need to have the next step up. You need to have what we call a UTM, a Unified Threat Management system. Now unified threats means it looks at all the problems that are on the internet. So it’ll manage your people going to infected websites, it’ll manage phishing attacks, it’ll manage intrusion detection. So it’ll tell you when people are trying to attack you. And that is very important as a business.

But when it comes to managing a business, you have a problem that next step up is also the next step up in how you program it, manage it, look after it. And in most cases you are putting CISCO, FortiGate, Palo Alto in place and you don’t have the expertise internally to manage it. This is where the managed service provider comes in. Because they have the expertise to manage it.

They have the expertise to make sure that it hasn’t got any problems. They have the expertise to make sure that no matter what happens you know that it’s been put in place properly. It’s got the right management in place, it’s been updated regularly and it does protect your business. And that’s what a good firewall does.

Thank you very much.

[End of transcript]

 

(Video) How to protect your Financial Information

Roger Smith, CEO at R & I ICT Consulting Services Pty Ltd and Amazon #1 author on Cybercrime discusses protecting your financial information from cybercrime.

[Start of transcript]

Hi. My name is Roger and I would like to talk to you about how to protect your financial information. Financial information is not just the information that you’re collecting about other people. so it’s not just about credit cards, it’s not about security codes on the credit cards, it’s not about expiration dates. What we’re looking at is the financial information that you hold within your business.

So if you’ve got information about your bank account – who has access to it? Why have they got access to it? Have you segmented your business so that only the people who require access to your financial information have that access to the financial information? Or are you using one username and password that logs on for everybody in the business?

So you always have to look at what financial information is and how you are protecting it to a level where not only are you protecting the credit cards of your customers and the credit card information of the customers but you’re also protecting your bank balance and your bank accounts, and access to that accounts.

Because the cyber criminals are a very persistent group of people and they will go after anything that they believe makes them richer. So if you’ve got financial information make sure you are protecting it with all of the right things in place. So they have got secure passwords. Nobody has access to it apart from the people who need access to it.

Thank you very much.

[End of transcript]

 

(Video) How to prove your Cybersecurity is working

Roger Smith, CEO at R & I ICT Consulting Services Pty Ltd and Amazon #1 author on Cybercrime discusses why you need to prove your cybersecurity and digital security.

[Start of transcript]

Hi. Today I’d like to talk to you about how to prove your Cybersecurity is working. So you’ve put a lot of defense processes in place and now you need to find out how secure they have made your business. Now, in most cases the IT department will their own run tests or your managed service provider will run their own tests.

But those tests are based on what they know about how it should be protected. So they’re using best practices and they’re using the patching and making sure it’s got all the up-to-date information on them. But you can never be sure that that system is now secure unless you have someone test it. But the trouble is we’re testing it, you have to find a person who’s not going to put patches. Who is going to tell you exactly what you need to do. And also not rely on them making a report to you and then expecting you to pay for the fix if there is one.

So making sure that cybersecurity is secure and your organization is secure is really an ongoing process. But the outside world or the people who are attacking your business are using automated systems. They’re using automated scripts, they’re using automated systems to access social media sites and learning how and what and who you are. So you have to make sure that your cybersecurity is working. So how can you do that?

Well one of the best ways you can do it is you pay to have someone try and compromise your systems. But trying to compromise your systems, they’re using the same attack factors that the bad guys are using. They’re using the same processes that the bad guys are using. They’re not relying on, we know there’s a problem and we know how to get past it. But they are relying on how the hacker or the script kiddie or the hacktivist is going to try to access your system. So one of the big things about the IT world is we’re very arrogant. We all admit that across the board. What I say is how I do things. And when it comes to IT that’s what a lot of people believe.

But the problem is, with that sort of attitude, is it’s got no room for someone who knows something about the system that I don’t know about. So if I’ve got an external person coming in to test my cybersecurity then I know that they are going to use a different tactics, they are going to use different systems, they are going to use totally different objectives to what I expect. And that is what cybersecurity is all about. They maybe only getting in but you’ve got encrypted information of – all your databases are encrypted.

Then if they do get in they still read information, you get a report, but you’ll also know that that information hasn’t been able to be compromised because it’s encrypted. So when it comes to how you’re going to make sure that your systems are working, you need to prove your cybersecurity. And if you prove your cybersecurity your information and your business and the people who trust you to hold that information is going to be very very high.

Thank you very much.

[End of transcript]

So you want to outsource your digital security to a managed security service provider!

There are huge benefits to getting a reputable organisation to manage your digital security.   There are also large risk management component and a due diligence process to follow to ensure that you are getting the best available.

The outsourcing of your digital security involves an in-depth discovery process.   It is not one of those decisions that is solely based on price and cost.   Getting the right outsourcing company with the best reputation is critical to your Organisations viability.    Making a bad decision or decide on one based solely on cost can cripple your business.

These are the areas that you should look at prior to looking at the cost component:

  1. What are they going to do for your organisation?
    • A good Managed Security Service Provider (MSSP) will not only be looking at your firewall, anti-virus and patching.   A good MSSP will have a holistic outlook on how they protect their clients.   A good MSSP will ensure that they are in a position to implement “security change” to create a more holistic outlook on protecting your organisation.
    • That holistic outlook takes the following into account: (start with a protection philosophy and end with a compliance requirement)
      • Technology – UTM firewall, wireless, VPN, best practice and patch management.
      • Management – policy, Procedure, process, auditing, reporting and training and education
      • Adaptability – disaster recovery, business continuity, business resilience, backup and culture
      • Compliance – if you have done the above compliance is a relatively easy.
    • An MSSP will have the empathy and understanding to ensure your organisation is protected
  2. Do they have the expertise?
    • Most managed security service providers focus on one or two types of technology is specific areas.   They may have a focus on Cisco or WatchGuard or a specific AV, or a specific make and model of PC.
    • This level of specification ensures that the MSSP has the right level of education, training and capability within it ranks.
    • A good MSSP should have people who are experts in one or more areas of digital protection, if they do not then talk to another MSSP.
  3. Do they have the capability?
    • Most MSSP’s have the capacity to manage clients.   They will have trained people at every level of the organisation to ensure that they are servicing their clients to the best of their capability.   When it comes to capability the MSSP should have staff with professional qualification to support your business.
  4. What are they going to change to make their life easier?
    • There are changes that will be recommended by an MSSP for two reasons:
      • The systems that you have in place are not doing the job that they should be doing and need to be replaced with systems that are more secure.
      • The systems that you have in place cannot be supported by the MSSP because they do not have the expertise on staff.   So if you have recently invested $10K in a firewall and they want you to replace it with another one worth the same then you probably have the wrong MSSP.
  5. What benefits are you going to get out of it if you PARTNER with them?
    • The outsourcing of your digital security to an MSSP is a partnership.   They are there to protect your data, your Infrastructure, your clients and your staff.  You pay them to do that.   Make sure that all parties involved understand their requirements by putting a service level agreement (SLA) in place.   No SLA then no contract.
  6. How much will it cost?
    • Finally we have the cost.   You should always know how much your monthly digital security cost is going to impact your organisation.   If the month cost is going to change then once again you should be looking at alternatives.  The cost of an MSSP SLA should include monitoring, management and reporting, it will not include projects that are outside the scope of the SLA.

There you have it, if you employ a MSSP based solely on how much it will cost then your organisation will not have the right digital protection.

There are a large number of Organisations out there who think that they are MSSP’s but lack the expertise, capability and understanding that is required to protect your organisation

Roger Smith is the CEO of R & I ICT Consulting Services, Amazon #1 selling author on Cybercrime, author of the Digital Security Toolbox and author of the SME Digital Security Framework.   He is a Speaker, Author, Teacher and educator on cybercrime and how to protect yourself from the digital world.

(Video) How playing a game can improve your DR

Roger Smith, CEO at R & I ICT Consulting Services Pty Ltd and Amazon #1 author on Cybercrime discusses how playing a game can improve your DR process

Hi. My name is Roger. Today I’d like to talk to you about how playing a game can improve your disaster recovery. Disaster recovery is understanding what your business is going to do when everything goes catastrophic. So what are you going to do when building winds down? What you are going to do if flood waters come through? What happens if you get a cyber attack and they take out your main systems?

So disaster recovery is really important because it makes sure that you have the plan to go forward and go onto your business continuity and make sure everything works. But how do you test it. You don’t want to be in a situation where the first test that you do of your disaster recovery is when the flood water is flowing in under the door. Because that is not a place to be. And I can tell you it’s an experience that I wouldn’t wish on my worst enemy. So how do we test it? One of the ways we can test it and have an impact on the business is to actually physically do it. [Indiscernible 00:01:12]. What’s everybody going to do when everyone’s running around in circles? That is not really good and economical way of testing a disaster recovery. And disaster recovery needs to be tested regularly. Once every six months, once every three months, once every year minimum. So it needs to be done. But you don’t want to take everybody out of the loop and make sure that they literally stop working. If you stop working, all of that money, all of the revenue these people are generating is just going out the window. So what you need to do? Well, one of the things we’ve come up with is you play a game. You pick all your primary people around a table in a boardroom and you go [Indiscernible 00:02:00] and he will say, okay you’ve lost this.

Now what is your business disaster recovery system going to make sure that you can do about that? Is the back up in place? Where is the back up? Who’s got the back up? Is the backup [Indiscernible 00:02:18]. So let’s take out the server. The server has what? What are you guys going to do if you don’t have Exchange? Office 365, you just take an internet connection.

What are going to do now? That is what disaster recovery is all about. by finding out how you react to those cards [Indiscernible 00:02:43] will then you will find holes that you can resolve and make sure that when the real problem happens, when flood comes underneath the door, did you have a solution in place that is going to go, turn that off, pick it up and move it over there, hand it in, turn it off and off you go. Because that is you disaster recovery plan. So if you want to have a decent disaster recovery plan without using a revenue usually involved in testing it, then please contact us, we will quite happily come on the [Indiscernible 00:03:21] and make sure you that can do it. Thank you very much.

[End of transcript]

 

(Video) Will IOT impact your SME

Hello. My name is Roger and today I’d like to talk to you about will the Internet of Things (IoT) have an impact on your small business? Internet of Things is a new technology that’s coming out and is now becoming an underlying component of a number of things. Internet of Things relies on two things. One being able to report to something and Internet of Things device can be collecting data about anything.

So, for instance as a product for tracker if you want to make sure that your mobile phone – well not mobile phones, it’s a bit big for that – but your laptop can’t be stolen, you set a little tracker that [Indiscernible 00:00:48] and anywhere in the world that will tell you where it is by using the internet and a large number of other systems that they’ve got in there.

How about the pro-fit systems that are now coming out. Where I can put a band on my wrist, it will tell me my heartbeat, my blood pressure and how much sweating and whether I need to drink in…All of those components.

Now for small business, pro-fit may not be a good fit. But things like tracker would be because the Internet of Things is going in that direction. We are building devices now that are going to benefit people. We used to have systems that were complicated, not very robust. Whereas Internet of Things, you can buy one, put it on whatever you need it to do to monitor and report back to you.

And it will last for twelve or eleven months without changing batteries. And it’ll talk to whatever device you’ve set it up to talk to. So if it’s got a Bluetooth component, as I set pro-fit, it talks to your phone which then tells your main system how fit you are and what you’re doing and why you just had a [Indiscernible 00:02:02] heartbeat because you’ve been pushing too much.

So that’s what IoT will do. So the impact it will have on your business over the next five or six years is going to be pretty huge. And it’s something you need to start factoring in when you’re thinking about how you well you are going to do business going forward.

Thank you very much.

[End of transcript]

 

(Video) How mobile is your business

Hi. My name is roger and today I’d like to talk about how mobile is your business technology. And why does your business need to be mobile. Business world has changed rather drastically in the last couple of years but more and more people are doing business on mobile phones, tablets, laptops.

Because they can. Because all the associated systems utilize the cloud technology component of any business. So if you want be able to collaborate and you don’t know quite how to do, but you have an application that does that.

Then the application needs to be able to be used in a coffee shop. And you need to be able to get into that application at home. And if you’re [Indiscernible 00:00:52] where you’re doing project management, all of those emails that then come through the system saying you need access to the system at all time.

But the mobility is really critical about one other thing and that’s the connection to the digital world that device has. This 3G or 4G is irrelevant. As long as there is a component that connects you to the rest of the digital world then you can utilize and make your business mobile. But mobility doesn’t mean everything has to go into the cloud.

By having components like info soft for instance which is a sales component you can utilize, you don’t really need it on phones. You may need it on tablets because you can then go and have a meeting with someone and take notes directly into the system.

Very hard to do it as a phone device. But it can tell you when you have an appointment, and where you have to be, and why you have be there and what you are talking about. So mobility today in business is really really important because that’s the way we are going.

In the next five years we may not need offices because everything will be in the cloud. You will be working from home, everybody will be able to work in coffee shops. A great idea have a business where everybody can come to you and between everything else and all you can serve coffee. So how mobile is your business technology? It depends on your requirement.

Thank you.

[End of transcript]