(Video) How to Protect Your Money and Cards within an SME from cybercrime

Roger Smith, CEO at R & I ICT Consulting Services Pty Ltd and Amazon #1 author on Cybercrime asks how small and medium business and not for profit organisations are securing the information about money and cards from cybercrime.

[Start of transcript]

Hello, my name is Roger. How do you protect the money and your card information within your organization?

Small or medium business not for profit organizations have a requirement to A. Collect money otherwise they get broke and B. To secure the information concerning that money and how it’s being collected and diversified and the banks getting the information.

But on top of that, if you’re running an e-commerce site for instance, then the information that people are putting into that page in the digital world is really important because the criminals are targeting that as well. So if you take payments from the internet or the digital world, or you run a system , how do you make sure that that information is always secure?

Now this is a major target for the cyber criminals because they know that most people, when they set up a website or set up an e-commerce site or accept credit card and PayPal information that they haven’t set it up because they might not know quite what’s going on, they’re not fully understanding what is required of protecting that information.

But on top of that, if you’ve got an e-commerce site, you need a payment gateway. Now that payment gateway is literally the gateway between your site and the bank. And you have to make sure that as you’re accessing that gateway it is in a secure fashion.

The other way you can accept money is through PayPal, or if you’re on places like EBay where they have a platform store, which actually points to a payment gateway.

So what do you need to do to make sure you’re protecting the information? Well, you got to make sure that you’re receiving information from your potential customers and clients and the moment it goes into their computer nobody else can reach into your system. The only way to do that is with a high level encryption component and this is where SSL and TLS comes into it. SSL encrypts all the information and the only people who understand what’s going on are the computer that’s sending it and the one that’s receiving it at the other end.

So protecting that information against cybercrime is also very critical when you’ve got the information itself. So you’ve collected the information and now you want to store it somewhere. Again, you’ve got to make sure that you’re storing that information in such a fashion that you cannot be hacked.

Thank you very much.

[end of transcript]

 

(Video) Why are good digital security solutions in short supply

Roger Smith, CEO at R & I ICT Consulting Services Pty Ltd and Amazon #1 author on Cybercrime discusses why digital security solutions are in short supply

[Start of transcript]

Hello, my name is Roger. Why are digital security systems in short supply?

I was on LinkedIn a couple days ago and came across an ebook from Checkpoint. Checkpoint they’re a supplier of firewalls and intrusion protection and anything that is front facing onto the internet. Now, the information in that white paper was really good information, it really was.

There was only one problem with it; they’re working on the principle that it is a silver bullet component. You put this in, you will be secured. You do this, you will be secured. You protect yourself in this way you will be secured.

Now, cyber criminals rely on you doing this because to them, they know that there is no such thing as a silver bullet. There is no such thing as something that you can do that A. Doesn’t require maintenance, B. Doesn’t require someone looking after it, and C. Other components would have had nothing to do with it. Because cyber security is holistic, it really is holistic.

There are four main components of it. You’ve got your technology, so your operating systems, your software, your hardware, antivirus, your encryption all of those components use technology. Then you’ve got management components, your policies that tell your users how they’re going to use the technology.

Your procedures that make sure that when they put a server together or when they put a work station together, or they do something in your business that it is this way and this way only. It also includes training and education. So you got a new firewall, who knows how to set it up? Do you know how to set it up? And if so, what’s the next step?

The next part is adaptability. The adaptability of your system to be resilient. So something does happen, what are your steps that are going to take you back to being business as usual? And this is business continuity, disaster recovery, resilience, what culture you’ve got in your business.

And then the last component, which is really important, usually a lot of people focus on, compliance, which is what I’m talking about, before they focus on the other things. But if you get those other three things in place, compliance is a relatively easy process.

Because you’ve already done the policies and procedures. You already got the high end taking place, you’re already doing the patching that makes it all work. So, it’s a holistic process, a complete, total, protected sequence.

Now, because that holistic attitude is very rare when it comes to protecting business that’s why it’s in short supply. Because I can to down and buy a Cisco router and I’m going to be protected. No I’m not. Because I haven’t got the policies and procedures in place. I haven’t got the DR in place, I haven’t got my compliance in place.

So, it’s very difficult to make sure that the next step you take is not listen to the salesperson, but listen to someone who is going to say, ‘yes, you can buy X. Doesn’t matter if it came from Checkpoint, or Cisco, or Fortinet or whatever. Because you know that that is only one small component of protecting your business.

Thank you very much.

[end of transcript]

(Video) What is managed web filtering?

Roger Smith, CEO at R & I ICT Consulting Services Pty Ltd and Amazon #1 author on Cybercrime discusses managed web filtering

[Start of transcript]

Hello, my name is Roger. What is managed web filtering? Well, we all know that everybody likes to access the internet, whether it’s on a tablet, on a mobile phone, laptop, computer, even on the server when you need to download updates and things like that. You always need to access the digital world in some way.

But the trouble is, the bad guys know how we all access the internet, and they are always willing to put little traps and systems in place so they can actually get information out of you or infect your computers.

Now what I mean by that is there are, websites are created, and we all have websites. Websites are not created equally. Some are high-end, high-processing, e-commerce sites that are secure and locked down, and everything is really hunky dory.

But at the other end of the scale, there’s people who put together a WordPress website, who doesn’t worry about security, doesn’t worry about patching or widgets, making sure all the plugins are working, making sure the plugins are all patched up.

Now if this website, the one that was done in WordPress, gets hacked, now there are a number of ways they can do things to you. They can hack your website and take it down. Bang, there goes your website. Or they can just deface it. We were here, stuff you. Great.

The worst one they can do is they can actually infect it so that all of the visitors coming to your site will actually be asked to download now or then. Now when that happens, what happens is you need a system in place that will protect you from that happening to you. Now how do you do that?

Well there’s a number of products around that allow you to protect the way you surf the internet. And by that protection, it will come up and go, don’t go to this website, because it’s infected, or it may go to something that says when you log on to the website, something is wrong.

And that is really important for business. Because you get malware on your PC or your laptop, or your tablet, or your phone, then the bad guys have access to that information. What people don’t understand is it can happen to anybody’s website.

It takes, it can happen at the lowest level with your web-hoster, hosting company, has been hacked, and the server with all of those websites on it are now vulnerable. Or you could be a major news site.

There’s been times where places like ninemsn have been not so much hacked, but the information for things that run their ads have been infected, which then infects the people who come to it.

The other way that you get infected is through Ethernet. So this is a process that the bad guys call water holing, because everybody has to go there to get information. The biggest one that we’ve ever seen was when they infected a site that looks after human resources. So everybody had to go there, work out their leave, and every time they went there they got infected.

But, on top of that, if you get an infection from a website, that you, and you haven’t been protecting yourself in such a way as it will come up and tell you that you’ve got a chance of being infected by the website, then you have a problem with your own technology itself. Because it is no longer yours. It has spyware, it has malware. It may even have things like drive-by malware that encrypts all the information on your system. You don’t want to be in that situation.

On top of that, people also believe that if you go to pornographic sites that you’re going to get infected. To tell you the truth, pornographic sites are probably the securest internet websites on the internet and have ads. And there’s something, because the pornographic sites need people to come to them all the time. And yes, it’s huge business, it’s really a lot of money that they get.

So, you need to have some way to protect yourself, and that is where a managed web filter will come into. That managed web filter will sit on the desktop, or the laptop, or the tablet and phone, and actually intercept the information before it gets to your technology itself, and will protect you. And because it’s a managed web filtering, it’s like any other cloud product, it is a monthly fee.

Thank you.

[End of transcript]

There is no I in TEAM, but there is way too much EGO in Digital security

Talk about having an eye opening moment. bigstock-Auction-with-auctioneer-holdin-10211486

I regularly have coffee at my son’s bar, and I overheard a conversation.

More a robust discussion.

A number of people, in the digital security space of a government department, were generalizing about Digital security.

There was a certain individual there who had a very different outlook on cybersecurity. He said “I know it all, and you know less than me”. At this I almost choked on my coffee.

In the Digital security realm this is an exceedingly stupid thing to say.

He may know more than me or anyone else. I will be the first to admit that I don’t know it all, but knowing everything!

That is just crap!

If he is conveying this to the C level executives and board members then this department has serious problems. The digital criminal is quite happy to take people like him and make them a public spectacle.

I, for one, am amazed at the tactics, strategies and capabilities that the true cybercriminal brings to the game.

I am not talking about the wanna be’s, the script kiddies or the people who use automated systems to scan the digital world for vulnerabilities to target. The true hacker is someone who knows what they are doing.

These are the true masters of the craft.

In most cases, protecting against some of their full blown attacks is damn near impossible.

What happened when stuxsnet and Duqo were released into the wild. The source code was changed into something else entirely. With different payloads and attack vectors it became one of the true hackers major weapons. There are many more like them.

To be a target of a true hacker you have to have something that they want.

It has to be worth their while.

If you have significant cash reserves, important trade secrets or a huge digital presence, then you are a target.

Most SME’s and not for profit Organisations are not in that space, although they may be collateral damage in an attack on someone who is that they work with.

People in the security area of any organisation have an understanding that the process of protection is always evolving. They also understand that the evolution requires the Organisations protection systems to morph into areas where it has never been considered. This happened recently with the adoption of cloud technology and will happen again with the introduction and take up of the Internet of things (IOT).

You have often heard me talk about “the game”.

The “game” is played by the professionals who are interested in making an organisation secure. Winning the “game” is going to bed with the knowledge that today was a good day. Tomorrow may not be! Playing the “game” is doing everything that there is to do, know and understand and applying it so that information within the organisation is safe.

The “game” is about accepting that there are other ways to compromise a system and the defense of the organisation is a holistic process. There is no money or wealth driven motive behind getting into cybersecurity, if there was they would be making a hansom living on the dark side. This is something that the makers of software and applications forget.

This is also applied to the maker of security components. We all know that there is no silver bullet that will fix all of the cybercrime problems.

But most vendors sprout it like theirs is just that.

Do this and you will be secure, don’t worry about the USB in the carpark, the forgotten default password on the router, using unsecured wifi to access the bank account or the insecure access to your intranet. We won’t talk about that!

Digital protection is all about being holistic. There is always a place for technology, but technology will save your organisation – no. Putting the right management in place, making sure the organisation is adaptable or flexible and then making sure that you comply with all of the regulations for your government and industry. That creates robust digital security.

We are not focused on the technical (although we are very good at that) side of your business, we are focused on making your business reach its full potential

Roger Smith is the CEO of R & I ICT Consulting Services, Amazon #1 selling author on Cybercrime, author of the Digital Security Toolbox and author of the SME Digital Security Framework.   He is a Speaker, Author, Teacher and educator on cybercrime and how to protect yourself from the digital world.

10 things that any business can do to fight the insider threat – cybersecurity

protect your business informationWe have all heard about the threat to an organisation that a staff member can do.   From having stealing critical information, running an embezzlement scheme or just being a pain in the ass, an insider threat can cripple an organisation in a minimum amount of time.

So what can you do to protect yourself from an employee going rogue?

Background checks

It is critically important, in today’s business world that you make sure you are getting the person that appears on paper.   So after the basic weeding out process and before the offer of the interview you need to check the truth behind the resume.   In most cases, a quick check of references and a look at social media will give you an inkling into a person’s character, capability and attitude.   If there are no obvious contradictions then it is safe to proceed to the next level.   (You could also use a psychology test as supplied by www.thewhitehousereport.com.au)

In addition to this when someone leaves, cancel their access as soon as possible.   Relationships can sour and it is best that when someone has left that they no longer have access to any part of the organisation.

This is doubly important, if you are firing someone.   Before you go through the actual process of firing them make sure they have no access to your systems.

Acceptable use

The insider can quite easily steal your time and money by not actually doing anything illegal.   Staff members who spend a lot of time on social media, especially when they are supposed to be working can have a detrimental effect on not only the business but also on staff morale.

Make sure that you have policies in place that specifies what people can and cannot do with business assets.

Least privileges

Staff members should only have access to information that they need access to do their jobs.   In the case of small and medium business, you have to make a conscious decision that you cannot trust everyone.   By not trusting everyone you are actually protecting your business.   The larger the organisation the more need there is to separate working areas and capability.

Administrator privilege

In any Organisation there should be only a minimal number of administrators.   In most areas there is a need to ensure that staff and users only have access to what they need to do the job.   The administrator account should not be used except for administration.   It should never be associated with an email or webmail account.

All administrators should have separate logins to do normal work.   This reduces the risk of being compromised as well as ensuring that only minimal access to the administration of the business.

Separation of duties

In a really small organisation this is very hard to do but in larger Organisations there should be an action process to spend money from credit cards and bank accounts.   There should be a separation to ensure that one person is not authorizing and acquitting invoices and payments.

Job rotation

There are 2 reasons for this.   It allows you to build resilience into the business because a backup person has access to the processes that the business needs in an emergency.   The second reason is it allows for training of personnel in the roles and as an audit.

Mandatory holidays

Everyone needs to go on holiday.   In most cases 2 – 4 weeks is mandatory.   It allows for recharging batteries as well as protecting the organisation from someone going rogue.

Auditing

Most if not all accounting packages have an auditing feature.   This feature needs to be running at all times to ensure that you can check all transactions occurring within the organisation.

Auditing can also be employed to track other components of the business including information being passed through email, cloud based technologies and cloud based storage.

Data loss prevention technologies

There are number of software packages and hardware systems that allow you to monitor and manage information leaving your organisation.   From restricting USB devices, to cloud storage systems are available to ensure that your trade secrets are not leaving your organisation.

End point protection

This last point is more a solution to one of your people getting infected through malware.   If you have done all of the other nine point’s then malware will have little impact on the organisation if it does get past the end point protection systems.

In addition there should always be 2 levels of end point protection – at the firewall and on the devices, preferably using different vendors.   If malware gets past one it may not get past the second.

These 10 Ideas will ensure that your organisation is better protected from an attack from an employee or staff member.

Roger Smith is the CEO of R & I ICT Consulting Services, Amazon #1 selling author on Cybercrime, author of the Digital Security Toolbox and author of the SME Digital Security Framework.   He is a Speaker, Author, Teacher and educator on cybercrime and how to protect yourself from the digital world.

(Video)Why is a managed firewall a good business decision

Roger Smith, CEO at R & I ICT Consulting Services Pty Ltd and Amazon #1 author on Cybercrime discusses why a managed firewall is a good business decision.

[Start of transcript]

Hi. May name is Roger and today I’d like to talk to you about why a managed firewall is a good business decision. Now, small and mediums business, not-for-profit organizations, SMEs in general are usually the people who go down to the local retail store and buy an off-the-shelf that connects your business to the internet. Now usually they are a dumb piece of equipment. Yes, they will have all the and they can connect and they have a rudimentary firewall in place but they’re not really or truly protecting your business.

To protect your business you need to have the next step up. You need to have what we call a UTM, a Unified Threat Management system. Now unified threats means it looks at all the problems that are on the internet. So it’ll manage your people going to infected websites, it’ll manage phishing attacks, it’ll manage intrusion detection. So it’ll tell you when people are trying to attack you. And that is very important as a business.

But when it comes to managing a business, you have a problem that next step up is also the next step up in how you program it, manage it, look after it. And in most cases you are putting CISCO, FortiGate, Palo Alto in place and you don’t have the expertise internally to manage it. This is where the managed service provider comes in. Because they have the expertise to manage it.

They have the expertise to make sure that it hasn’t got any problems. They have the expertise to make sure that no matter what happens you know that it’s been put in place properly. It’s got the right management in place, it’s been updated regularly and it does protect your business. And that’s what a good firewall does.

Thank you very much.

[End of transcript]

 

(Video) How to protect your Financial Information

Roger Smith, CEO at R & I ICT Consulting Services Pty Ltd and Amazon #1 author on Cybercrime discusses protecting your financial information from cybercrime.

[Start of transcript]

Hi. My name is Roger and I would like to talk to you about how to protect your financial information. Financial information is not just the information that you’re collecting about other people. so it’s not just about credit cards, it’s not about security codes on the credit cards, it’s not about expiration dates. What we’re looking at is the financial information that you hold within your business.

So if you’ve got information about your bank account – who has access to it? Why have they got access to it? Have you segmented your business so that only the people who require access to your financial information have that access to the financial information? Or are you using one username and password that logs on for everybody in the business?

So you always have to look at what financial information is and how you are protecting it to a level where not only are you protecting the credit cards of your customers and the credit card information of the customers but you’re also protecting your bank balance and your bank accounts, and access to that accounts.

Because the cyber criminals are a very persistent group of people and they will go after anything that they believe makes them richer. So if you’ve got financial information make sure you are protecting it with all of the right things in place. So they have got secure passwords. Nobody has access to it apart from the people who need access to it.

Thank you very much.

[End of transcript]

 

(Video) How to prove your Cybersecurity is working

Roger Smith, CEO at R & I ICT Consulting Services Pty Ltd and Amazon #1 author on Cybercrime discusses why you need to prove your cybersecurity and digital security.

[Start of transcript]

Hi. Today I’d like to talk to you about how to prove your Cybersecurity is working. So you’ve put a lot of defense processes in place and now you need to find out how secure they have made your business. Now, in most cases the IT department will their own run tests or your managed service provider will run their own tests.

But those tests are based on what they know about how it should be protected. So they’re using best practices and they’re using the patching and making sure it’s got all the up-to-date information on them. But you can never be sure that that system is now secure unless you have someone test it. But the trouble is we’re testing it, you have to find a person who’s not going to put patches. Who is going to tell you exactly what you need to do. And also not rely on them making a report to you and then expecting you to pay for the fix if there is one.

So making sure that cybersecurity is secure and your organization is secure is really an ongoing process. But the outside world or the people who are attacking your business are using automated systems. They’re using automated scripts, they’re using automated systems to access social media sites and learning how and what and who you are. So you have to make sure that your cybersecurity is working. So how can you do that?

Well one of the best ways you can do it is you pay to have someone try and compromise your systems. But trying to compromise your systems, they’re using the same attack factors that the bad guys are using. They’re using the same processes that the bad guys are using. They’re not relying on, we know there’s a problem and we know how to get past it. But they are relying on how the hacker or the script kiddie or the hacktivist is going to try to access your system. So one of the big things about the IT world is we’re very arrogant. We all admit that across the board. What I say is how I do things. And when it comes to IT that’s what a lot of people believe.

But the problem is, with that sort of attitude, is it’s got no room for someone who knows something about the system that I don’t know about. So if I’ve got an external person coming in to test my cybersecurity then I know that they are going to use a different tactics, they are going to use different systems, they are going to use totally different objectives to what I expect. And that is what cybersecurity is all about. They maybe only getting in but you’ve got encrypted information of – all your databases are encrypted.

Then if they do get in they still read information, you get a report, but you’ll also know that that information hasn’t been able to be compromised because it’s encrypted. So when it comes to how you’re going to make sure that your systems are working, you need to prove your cybersecurity. And if you prove your cybersecurity your information and your business and the people who trust you to hold that information is going to be very very high.

Thank you very much.

[End of transcript]

(Video) How does an Managed Service Provider (MSP) Control your Business Costs

How do managed services control the cost of your business?

Today’s technology is complicated. We have so many catch phrases and so many different words and so much jargon around that it’s very hard for small businesses who are not in the IT space to understand what they need to do, how they need to go forward, what technology and systems do they need to have in place to gain the best advantage against their opposition and to get more customers and clients.

When it comes to managing your technology within a business, there are two things you can do. There are three things you can do, but two of them we’ll talk about. We’ll talk about the first one, which is you have someone on task who is onsite, one of your salespersons for instance.

When it comes to technology, we’ve found and I think you’ll find that you’ve found, that the person who has been assigned to look after the computers likes to play with the computers all the time. They like to be in a situation where they don’t have to do their main role, their money-spinning role. They would rather look after technology, make the printer work, play with the firewall.

So not only are you now paying a person to do two jobs, one job is always going to be a failure compared to the other one. When it comes to managed services, and most managed service providers have different plans, you can get someone who will manage your technology.

So little Johnny can now go back off and be a salesperson or a marketing person or the secretary, whatever he used to be. Or in most cases, and in a large number of businesses, the CEO or small business manager. They can now go off and do what they need to do to make the business grow.

What we find in technology is that over a yearly period, the cost of the technology will change. So in January it might only be $100. In February you had a server failure, and it’s $2K, and that’s not including hardware, software, that sort of stuff. In March, it’s gone down to $700. April it’s down to $200, and $200 again , and $1700 because you had to buy and install a new printer and manage it and all that sort of stuff.

So you end up with this type environment where you’re spending lots of money at some times, and you’re not spending very much money at other times.

With a managed service provider, you have a constant fee in most cases starting around $495. They will say, yes, you’ve got a problem, and you’re going to lose money here. But you’re going to make money here. You’re going to lose money here and there. That type of thing.

So over the flow of a year, you may have spent $17K on your IT, with break-fix, as we call it, compared to 12*495. And that 495 will include things like monitoring and management, reports, it will make sure that your people are educated, that your people understand how things are working.

Sometimes if you want to pay a bit more you could have a virtual CIO, Chief Information Officer or an IT manager who will then talk to your management team, work out where your management team want to go, and then discuss what technologies you need to do to get there.

Because when it comes to this, these people know what they’re doing. The technology they’re going to employ is going to improve your business. And it’s no use having someone onsite saying, let’s go buy that. But you don’t know what else it’s going to do, how it’s going to achieve the rest of the business target market.

So as you can see, managed services can create a level field. You get a monthly fee, some things you get a service level agreement. We will have a person on site within an hour, we will have someone answering the phone all the time, we will have monthly reports, monitoring of all your systems including things like iPhones and iPads and Androids, tablets, all of that as part of the managed service plan.

So as you can see, managed services, and managed security services can save you a lot of money.

So if you want to see or talk to anybody about managed services, please contact us. Thank you very much.

Digital security – why is it so bloody difficult?

10% of the global population that use the Internet have more than a basic understanding of the digital world.   There is a severe disconnect between what is done and what needs to be done when protecting an organisation from cybercrime.

Throw terms like dark net, cloud technologies, IOT (internet of things) or BYOD and most managers, board members and owners shrug, glaze over and say that it is an IT problem.

In today’s threat landscape, cybercrime, is a business risk.   Probably one of the biggest risks a business will face.   Like all business risks it has to be addressed as soon as possible.   But what are you addressing?

In most cases management teams, board members and owners consider cyber and digital protection an unreasonable and unjustifiable expense for the organisation (until it’s too late that is).   In most cases they under invest in Digital Security, for no other reason than they do not understand the problem.

From a business perspective, of the thousands of attacks on most business systems, mobile devices and other devices that are connected to the digital world every year only one has to succeed.   As an organisation, we have to stop them all.   That compromised system is the Trojan horse to get into your organisation.

We have all experienced a virus and how hard it is to stop and clean up.   Image if that virus was just the scout of a more costly attack.   You don’t have to image it, in most cases it is the vanguard of your worst nightmare!

The recently discovered attack on 100 worldwide banks that netted the criminals around $1 billion was done through a very sophisticated process that included boutique malware (undetectable by the best AV), social engineering, bad work practices, substandard policies and procedures and a lack of auditing.

The perfect storm that netted the bad guys all of that money over a 2 year period.

Compared to walking into a bank with a gun, or blowing the safe, this theft is relatively painless.   It is very profitable! Very profitable and relatively safe!   Catching the bad guys is remote, difficult and the criminals that do get caught show Darwinism at its best.

These 3 factors make the management of cybercrime difficult:

The cost of Digital Security technology!

Walk into any office, locks on the doors, motion detectors in the rooms, alarms on the windows, possibly biometric locks and access and in some cases bollards out front.   These are known protections that have come about in the last 100 years.   Costly but important protection.

Protecting the Organisations digital assets is a little harder.

If an organisation does not understand the WHY of cybercrime and Digital Security the protection requirements are often underestimated.

The business management’s attitude that free or cheap is the solution reigns supreme.

  • Free anti-virus must be better than having to pay a monthly or annual subscription for a managed end point protection system!   The fact that it only captures 90% of the known problems is irrelevant.
  • Or purchasing the inexpensive router from the local retail shop will do the job of a router with UTM (unified threat management).   The attitude that we just need a device that connects to the Internet is often heard.

There are thousands of other examples where free or cheap is the solution that is taken by SME’s and even larger Organisations.

When it comes to technology – you pay for what you get and scrimping on Digital Security by buying the cheapest means you are exposing your business to unnecessary risk.

The cost of protection can be exceedingly high and that is the main reason that risk management and risk assessment is paramount in those decisions.   Throw away lines like “we are too small to be a target” and “it will never happen to us”.   These are based on myth and legend.   Like a normal risk factors, understanding and then mitigating the risk has to be front of mind and in Digital Security, mitigating those risk comes at a cost.

The Digital Security jargon (non jargon) is hard to understand!Businessman

There are times when the discussion around cybercrime and Digital Security  is difficult.   I will even admit that at times I have trouble understanding what sales and technical people are saying, and I have been in the industry for more than 30 years.

One of the reasons for this disconnect is jargon.   Each manufacturer has a new word, new catch phrase, new product name or new operating system, that someone somewhere in the purchasing organisation has to now learn, understand and manage.

Getting straight and understandable answers to basic questions in the digital space can also be difficult. The answers are made more difficult if you cannot understand them or worse still have not asked the right questions.

Paramount to protecting business information is to understand what information needs to be protected.

This communication disconnect also happens when describing the criminal element.   Malware, zombies, botnets are the tools of the digital criminal, but most businesses do not understand the impact that they have on the protection paradigm.

In most cases businesses do not understand why they are being targeted with viruses or malware.

“Why did we get a virus, we have nothing worth stealing” is a cry we get regularly!   Everyone has something worth stealing even if it is just the storage and cycles used by the system itself to become a zombie or to join a botnet.

Digital Security Protection is difficult to manage!

The next problem with Digital Security is the management of all of those digital components.   Organisations believe that digital protection is “set and forget”.   A couple of years ago this might have been true.

Thinking that once it is in place you don’t have to worry about in today’s digital world is a bad idea and can have devastating consequences.   Not updating a device for 12 months or in some cases 3 years is definitely not best practice.

All of the components that protect the business have to be updated regularly, checked regularly and most importantly tested to ensure that they are working to design specifics.   Once again Jargon is a problem.

The digital threat landscape is constantly changing.   The bad guys know this because in most situations they are behind the changes.

Conclusion

Digital Security is a holistic process. Once again jargon impacts the Organisations decisions.   To make a correct risk assessment on the organisation you need to know:

  1. What needs to be protected?
  • Intellectual property
  • Financial information
  • Client information
  • Digital assets
  1. How will it be protected – this is the technical component of the risk analysis process
  • Separate network
  • Restricted access
  • Encryption
  • User access
  1. Who needs access to it?
  • Does everyone in the organisation need access to all information?
  • Can components of the information be separated?

You have to have a basic understanding of the required components that are protecting that information before you can make decisions.

Convenience is usually the primary driving force for business.   It is also the driving force with applications and systems.   Security should be more important than convenience, most of the time it is further down the list.

This article first appeared on LinkedIn

Roger Smith is the CEO of R & I ICT Consulting Services, Amazon #1 selling author on Cybercrime, author of the Digital Security Toolbox and author of the SME Digital Security Framework.   He is a Speaker, Author, Teacher and educator on cybercrime and how to protect yourself from the digital world.