Digital security – why is it so bloody difficult?

10% of the global population that use the Internet have more than a basic understanding of the digital world.   There is a severe disconnect between what is done and what needs to be done when protecting an organisation from cybercrime.

Throw terms like dark net, cloud technologies, IOT (internet of things) or BYOD and most managers, board members and owners shrug, glaze over and say that it is an IT problem.

In today’s threat landscape, cybercrime is a business risk.   Probably one of the biggest risks a business will face.   Like all business risks it has to be addressed as soon as possible.   But what are you addressing?

In most cases management teams, board members and owners consider cyber and digital protection an unreasonable and unjustifiable expense for the organisation (until it’s too late that is).   In most cases they underinvest in Digital Security, for no other reason than they do not understand the problem.

From a business perspective, of the thousands of attacks on most business systems, mobile devices and other devices that are connected to the digital world every year only one has to succeed.   As an organisation, we have to stop them all.   That compromised system is the Trojan horse to get into your organisation.

We have all experienced a virus and how hard it is to stop and clean up.   Imagine if that virus was just the scout of a more costly attack.   You don’t have to imagine it; in most cases it is the vanguard of your worst nightmare!

The recently discovered attack on 100 worldwide banks that netted the criminals around $1 billion was done through a very sophisticated process that included boutique malware (undetectable by the best AV), social engineering, bad work practices, substandard policies and procedures and a lack of auditing.

The perfect storm that netted the bad guys all of that money over a 2 year period.

Compared to walking into a bank with a gun, or blowing the safe, this theft is relatively painless.   It is very profitable! Very profitable and relatively safe!   Catching the bad guys is difficult and the chance of it remote, and the criminals that do get caught show Darwinism at its best.

These 3 factors make the management of cybercrime difficult:

The cost of Digital Security technology!

Walk into any office, locks on the doors, motion detectors in the rooms, alarms on the windows, possibly biometric locks and access and in some cases bollards out front.   These are known protections that have come about in the last 100 years.   Costly but important protection.

Protecting the organisation’s digital assets is a little harder.

If an organisation does not understand the WHY of cybercrime and Digital Security the protection requirements are often underestimated.

The business management’s attitude that free or cheap is the solution reigns supreme.

  • Free anti-virus must be better than having to pay a monthly or annual subscription for a managed end point protection system!   The fact that it only captures 90% of the known problems is irrelevant.
  • Or purchasing the inexpensive router from the local retail shop will do the job of a router with UTM (unified threat management).   The attitude that we just need a device that connects to the Internet is often heard.

There are thousands of other examples where free or cheap is the solution that is taken by SMEs and even larger organisations.

When it comes to technology – you pay for what you get and scrimping on Digital Security by buying the cheapest means you are exposing your business to unnecessary risk.

The cost of protection can be exceedingly high and that is the main reason that risk management and risk assessment are paramount in those decisions.   Throw away lines like “we are too small to be a target” and “it will never happen to us”.   These are based on myth and legend.   As with normal risk factors, understanding and then mitigating the risk has to be front of mind, and in Digital Security mitigating those risks comes at a cost.

The Digital Security jargon (non jargon) is hard to understand!

There are times when the discussion around cybercrime and Digital Security  is difficult.   I will even admit that at times I have trouble understanding what sales and technical people are saying, and I have been in the industry for more than 30 years.

One of the reasons for this disconnect is jargon.   Each manufacturer has a new word, new catch phrase, new product name or new operating system, that someone somewhere in the purchasing organisation has to now learn, understand and manage.

Getting straight and understandable answers to basic questions in the digital space can also be difficult. The answers are made more difficult if you cannot understand them or worse still have not asked the right questions.

Paramount to protecting business information is to understand what information needs to be protected.

This communication disconnect also happens when describing the criminal element.   Malware, zombies, botnets are the tools of the digital criminal, but most businesses do not understand the impact that they have on the protection paradigm.

In most cases businesses do not understand why they are being targeted with viruses or malware.

“Why did we get a virus, we have nothing worth stealing” is a cry we get regularly!   Everyone has something worth stealing even if it is just the storage and cycles used by the system itself to become a zombie or to join a botnet.

Digital Security Protection is difficult to manage!

The next problem with Digital Security is the management of all of those digital components.   Organisations believe that digital protection is “set and forget”.   A couple of years ago this might have been true.

Thinking that once it is in place you don’t have to worry about it is a bad idea in today’s digital world and can have devastating consequences.   Not updating a device for 12 months or in some cases 3 years is definitely not best practice.

All of the components that protect the business have to be updated regularly, checked regularly and most importantly tested to ensure that they are working to design specifics.   Once again Jargon is a problem.

The digital threat landscape is constantly changing.   The bad guys know this because in most situations they are behind the changes.

Conclusion

Digital Security is a holistic process. Once again jargon impacts the organisation’s decisions.   To make a correct risk assessment on the organisation you need to know:

  1. What needs to be protected?
     • Intellectual property
     • Financial information
     • Client information
     • Digital assets
  2. How will it be protected – this is the technical component of the risk analysis process
     • Separate network
     • Restricted access
     • Encryption
     • User access
  3. Who needs access to it?
     • Does everyone in the organisation need access to all information?
     • Can components of the information be separated?

You have to have a basic understanding of the required components that are protecting that information before you can make decisions.

Convenience is usually the primary driving force for business.   It is also the driving force with applications and systems.   Security should be more important than convenience, but most of the time it is further down the list.

This article first appeared on LinkedIn

Roger Smith is the CEO of R & I ICT Consulting Services, Amazon #1 selling author on Cybercrime, author of the Digital Security Toolbox and author of the SME Digital Security Framework.   He is a Speaker, Author, Teacher and educator on cybercrime and how to protect yourself from the digital world.

Essential SME business cybersecurity – the main points

To most small and medium businesses and not for profit organisations, cybersecurity is one of the last points of interest at the management level. This assumption is not only bad for business but it can seriously damage your reputation as well as severely compromise your cash flow.

Like anything else in business – everything is connected.   Want to take payments online?   Then you have to implement tighter security processes to make it happen.   Some SMEs understand this correlation, many don’t!

As an SME these points are where you need to start on your cybersecurity journey.

Everyone has something to lose

No matter who you are, what your business is and who your customers are, you are selling something to someone.   With that point comes a number of other points.   You have to protect your business.   You have to protect your business information.   You have to protect your customers and their information.   Finally you have to make sure that your staff are protected as well.

What you use to do that is a matter of personal choice, as well as how you have been sold by the best salesperson available.  Just remember one solution is not the be all and end all of cybersecurity.   Cybersecurity is a process, almost a holistic process.   All of the parts have to work together to make a secure business environment.

Before the Internet, there was such a comment as “too small to be a target”.   This no longer applies to the Internet world.   Just by being connected to the Internet you are a target.   It is like taking your business and moving it into the worst neighbourhood in the city, putting a lock on the door and hoping that someone doesn’t steal your “stuff”.

On the Internet there are no police on the corner, there are no niceties of business.   You are a target and the only thing that you can do is arm yourself with the biggest “gun” you can find.   It would be nice if we could turn it around on the cyber criminals and go on the offensive, but we cannot.  So we have to put in place protections that will keep the cyber criminals on the outside as well as protecting those people coming to you to purchase your goods.

Proactive and paranoia play a large part in your protection

If you are not already PARANOID, then I suggest this is the time to become so. In the world of cybersecurity paranoid is good, because everyone is after you.   Truly after you.   They want to steal your money, your intellectual property, your business and in some cases your complete identity.

So in cricket terms, you have to get on the front foot.   You have to position your business in such a way that it is only the very clever cyber criminals who have a chance of breaching your protections.   There is no such thing as impenetrable; your cybersecurity objective is to make it so hard and difficult that the cyber criminal will go elsewhere, preferably your opposition.

There are lots of things that you can use to do this but these three things are a start.   Use passwords, difficult and complicated, on everything (check this out).   Train and teach your people the art of being suspicious and questioning things that look out of place, and use some level of data encryption when the information is out of your control.   Finally put a security framework around your business.

Growth and opportunities have to be tempered with protective solutions

Since SMEs have little understanding of cyber resilience and cybersecurity, making the business grow without implementing some level of protection is fraught with danger.   Most SMEs understand that opportunities have to be grasped with both hands.   A cyber resilient business is not only protected now but it has the ability to react to changes in the industry that will deliver better business opportunities.

Most businesses that are more than ten years old have a different perspective and focus than what they had when they started.   They have seen opportunities in other markets, different markets and some in the same.   Most businesses are in areas where they did not think they would be when they wrote their business plan.

These opportunities have developed through social media, the Internet or cloud computing.   Getting your marketing and brand out there is critical to a business and it has never been easier to compete on the world stage than now.   Just remember the moment you attach yourself to the Internet, you are a target.

So apart from the bad and to quote a song “the future’s so bright we will have to wear shades”.   Just make sure that your cybersecurity complements your business requirements.

Help, My data is being attacked, what are they after?

As a small and medium business and not for profit organisation, why is my business data being attacked and what are the attackers after?   This question has many answers: it could be kids who want to see if they can access your data just for the sheer hell of it or it could be something a lot more sinister.   If an attacker gains access to your data and information then you could be in for a very hard time.

SMEs are easier targets for criminals; they lack the internal training and knowledge required to protect their sensitive data.   They have limited access to high end and costly security features and resources.   Most of the time, SMEs do not realise how vulnerable they are to both internal and external attacks.   When an SME is attacked or compromised, the repercussions and effects of that compromise are all mechanisms of having a decent security strategy.   The resilience of the business will ensure that if something does happen the business is in a better position than previously thought.

What can be damaged?    In the event that your business is attacked there are 6 things that will create havoc if the attacker gains access to your data and information:

One of the most devastating repercussions of an internal or external attack is the destruction and loss of intellectual property or trade secrets.   Most SMEs have significant money and intellect tied up in what they do and how they do it.   This information is critical to the viability of the business.   If your competition had access to this information then your business could take a significant financial hit.

Another area of damage that an internal and external attacker can visit on your business is Vandalism.   This sounds pretty strange but one of the most psychologically damaging things that can happen to a business, the owners or management and also the staff is to have their web site changed, or even worse changed in such a way that it is infected with malware so all of their visitors become infected.    There is nothing worse than going to your web site and finding that the content has been changed.   It may be just a prank but the repercussions can be pretty overwhelming.

An internal or external attacker can do a great deal of damage to a business’s reputation.   This can be achieved in a number of ways.   The most prevalent is the fact that you have been compromised and you don’t inform your clients, or you have been compromised and the internet finds out about it.   What happens if an attacker gains access to your client file list and sends each of your clients an invoice?   Another situation is if your internal memos, where a comment about a client can be taken out of context or misconstrued, were released to the outside world.   That would have a significant impact on your reputation, think WikiLeaks.

Internal or external attackers can use information that they have gained for fraud and theft.    They can sell or give away the information on the internet to the highest bidder through notice boards and chat rooms and depending on the information – credit card details – they can gain access to your client’s money and steal it.

A security breach doesn’t always include the loss of information; if your data becomes unavailable through an internal or external attack then you will have the additional problem of lost revenue.   If the information and data for your business is off line due to an attack then your business will start to lose income.   The length of time that your data is unavailable will have a significant impact on your business.

All of the information that you have on your business system is your responsibility to protect.   If you fail to protect that information then you may be legally liable to your clients in regards to breaching their privacy and personal information.   This liability can take on many forms and could include compensating your clients for the loss of their personal information.

The responsibility to protect your business data and information falls squarely on the shoulders of management and owners when it comes to protecting the business.   Implementation of a security strategy will allow the business to be in a better situation to protect the business, react if the business is attacked or recover when something does happen.

3 quick things you can do to secure your home computer?

Everyone knows that computers are the most influential piece of equipment for both the office and home to come around since the ball point pen.  An office environment has the benefit of having either a managed services or outsourcing company or onsite technical expert and expertise to protect their data but a home computer doesn’t.  The technical support usually comes from mum or dad or from the teenager.  This can be disastrous especially if the computer is used for other purposes like internet banking, internet purchases or keeping confidential personal data safe.

Most of the time the protection for a home computer is the installation of an antivirus software package and then the whole thing is forgotten in the euphoria of accessing the internet, doing the “Facebook thing” and playing games either on line or against the computer.   Don’t get me wrong I “LUV” playing games on my computer but I believe that I have a relatively secure laptop most of the time, but I have the luxury of having a little training and experience behind me.

So what can YOU do to protect not only your computer but also your personal data and your internet banking?   These are 3 of the most basic things that you can do in the never ending process of keeping yourself secure:

AntiVirus: There is no excuse for not having some level of antivirus installed on your computer.   There are a number of freely available packages – Security Essentials (Microsoft), Avast or Avira, that will stop most viruses in the wild but there are times where they will not pick up viruses that have not been discovered.   A more secure antivirus that does a lot more will have to be purchased.   If you are looking to purchase one of these packages then you should be looking at Kaspersky, Norton (Symantec), Trend or the like.   These packages do a lot more than just track your antivirus.   They will protect your computer from malware (scripts being run from a website).   I had this experience just the other day when I was doing some research and went to a website that wanted to infect my computer.   My antivirus protected me.   Most of them also have a decent Anti-SPAM component as well as a fairly substantial firewall.   I can hear you from here – I have a Mac and it never gets a virus.   Sorry, that is no longer true.   Some malware will infect a Mac and it is very painful to remove.

Firewall:  Having a firewall installed at all times, especially when you are surfing the internet, is not only a necessity but it can honestly save your wealth.   Firewalls can at times be problematic with false positives (incorrect readings) but as a first line of defence they are indispensable.   Although most firewalls are set and forget, if they detect something wrong they will pop up a warning – Please read it – so that you can make a decision on letting something in or not.   Again there are free variants available but good ones come packaged with the antivirus.

Update: I cannot say this often enough: update as often as possible and don’t put it off unless there is a good reason.   The update process is designed to patch holes in operating system software as well as applications of all types.   A hole in software is where the virus writers target their programs because they know that people are lazy and don’t like to update their computers and even worse restart their computers after the update process.   All of the big software companies, including game writers, now have an update process and after you install an application it will check the website through the application or every time that you open it.

As an additional point, if you are running Peer 2 Peer software on your computer, normally installed by the teenager to download music and movies for free, then I suggest that you remove it.   Peer 2 Peer software is designed to punch holes through firewalls and disable antivirus so that it can be seen on the internet.   Peer 2 Peer software works on the principle that there are numerous sources or copies of the download that you want.   The problem is that the available directories can be used by outside people to store child porn, pornography or pirated movies and music that you may not even know about.

So there you have it.   Home computer security is mostly common sense and thinking ahead.    These 3 points will ensure that your computer is well on its way to being protected when you use it.