(Video) How to Protect Your Money and Cards within an SME from cybercrime

Roger Smith, CEO at R & I ICT Consulting Services Pty Ltd and Amazon #1 author on Cybercrime, asks how small and medium businesses and not-for-profit organisations are securing information about money and cards from cybercrime.

[Start of transcript]

Hello, my name is Roger. How do you protect the money and your card information within your organization?

Small or medium business and not-for-profit organizations have a requirement to A. collect money, otherwise they go broke, and B. secure the information concerning that money and how it’s being collected and diversified and the banks getting the information.

But on top of that, if you’re running an e-commerce site for instance, then the information that people are putting into that page in the digital world is really important, because the criminals are targeting that as well. So if you take payments from the internet or the digital world, or you run a system, how do you make sure that that information is always secure?

Now this is a major target for the cyber criminals, because they know that most people, when they set up a website or set up an e-commerce site or accept credit card and PayPal information, haven’t set it up because they might not know quite what’s going on; they’re not fully understanding what is required to protect that information.

But on top of that, if you’ve got an e-commerce site, you need a payment gateway. Now that payment gateway is literally the gateway between your site and the bank. And you have to make sure that as you’re accessing that gateway it is in a secure fashion.

The other way you can accept money is through PayPal, or if you’re on places like EBay where they have a platform store, which actually points to a payment gateway.

So what do you need to do to make sure you’re protecting the information? Well, you’ve got to make sure that you’re receiving information from your potential customers and clients, and from the moment it goes into their computer nobody else can reach into your system. The only way to do that is with a high level encryption component, and this is where SSL and TLS come into it. SSL encrypts all the information, and the only people who understand what’s going on are the computer that’s sending it and the one that’s receiving it at the other end.

So protecting that information against cybercrime is also very critical when you’ve got the information itself. So you’ve collected the information and now you want to store it somewhere. Again, you’ve got to make sure that you’re storing that information in such a fashion that you cannot be hacked.

Thank you very much.

[end of transcript]
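The transcript above makes two points about the payment gateway: the channel to it must be encrypted with SSL/TLS, and nobody other than the two endpoints should be able to read what the customer submits. The Python below is an added example, not code from Roger Smith's videos or from any payment provider, showing how a small e-commerce back end can refuse to talk to its gateway over anything except a verified, modern TLS connection. The gateway host name, the helper function names and the URL rules are assumptions made for this example; the weak context at the end is shown only so the hardening check has something to contrast with.

```python
"""Added example (not from the original post): enforce verified TLS to a payment gateway."""
import socket
import ssl
from urllib.parse import urlparse

# Assumed gateway address for the example; a real one comes from the provider's documentation.
GATEWAY_URL = "https://gateway.example-psp.invalid/v1/charge"


def gateway_url_is_acceptable(url: str) -> bool:
    """Only https:// URLs with a host name are allowed; plain http would send card data in the clear."""
    parsed = urlparse(url)
    return parsed.scheme == "https" and bool(parsed.hostname)


def make_gateway_context() -> ssl.SSLContext:
    """Client context that verifies the gateway's certificate against the system CA store,
    checks the host name, and refuses the legacy protocol versions (SSLv3, TLS 1.0/1.1)
    that the post's 'SSL' loosely refers to."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname=True + system CAs
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_is_hardened(ctx: ssl.SSLContext) -> bool:
    """True only if certificate and host name are verified and TLS 1.2+ is enforced."""
    return (ctx.verify_mode == ssl.CERT_REQUIRED
            and bool(ctx.check_hostname)
            and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)


def connect_to_gateway(url: str = GATEWAY_URL, timeout: float = 10.0) -> ssl.SSLSocket:
    """Open a verified TLS connection to the gateway. Any URL or TLS problem raises
    instead of silently falling back to an unencrypted channel."""
    if not gateway_url_is_acceptable(url):
        raise ValueError(f"refusing non-https gateway URL: {url}")
    parsed = urlparse(url)
    ctx = make_gateway_context()
    if not context_is_hardened(ctx):
        raise RuntimeError("TLS context is not hardened")
    raw = socket.create_connection((parsed.hostname, parsed.port or 443), timeout=timeout)
    return ctx.wrap_socket(raw, server_hostname=parsed.hostname)


def unverified_context_do_not_use() -> ssl.SSLContext:
    """The weak configuration that often gets copy-pasted to make a certificate error
    'go away': no certificate check and no host-name check. Anyone on the path can then
    impersonate the gateway. Included only for comparison with context_is_hardened()."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


if __name__ == "__main__":
    print("gateway URL acceptable:", gateway_url_is_acceptable(GATEWAY_URL))
    print("default context hardened:", context_is_hardened(make_gateway_context()))
    print("unverified context hardened:", context_is_hardened(unverified_context_do_not_use()))
```

The point of wrapping the connection in one function is that there is no code path that reaches the gateway without the checks: a misconfigured `http://` URL or a context that someone weakened to silence a certificate warning fails loudly at the first request rather than quietly leaking card data.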

 

(Video) How to protect your Financial Information

Roger Smith, CEO at R & I ICT Consulting Services Pty Ltd and Amazon #1 author on Cybercrime discusses protecting your financial information from cybercrime.

[Start of transcript]

Hi. My name is Roger and I would like to talk to you about how to protect your financial information. Financial information is not just the information that you’re collecting about other people. So it’s not just about credit cards, it’s not about security codes on the credit cards, it’s not about expiration dates. What we’re looking at is the financial information that you hold within your business.

So if you’ve got information about your bank account – who has access to it? Why have they got access to it? Have you segmented your business so that only the people who require access to your financial information have that access to the financial information? Or are you using one username and password that logs on for everybody in the business?

So you always have to look at what financial information is and how you are protecting it to a level where not only are you protecting the credit cards of your customers and the credit card information of the customers, but you’re also protecting your bank balance and your bank accounts, and access to those accounts.

Because the cyber criminals are a very persistent group of people and they will go after anything that they believe makes them richer. So if you’ve got financial information make sure you are protecting it with all of the right things in place. So they have got secure passwords. Nobody has access to it apart from the people who need access to it.

Thank you very much.

[End of transcript]

 

Digital security – why is it so bloody difficult?

Only 10% of the global population that uses the Internet has more than a basic understanding of the digital world. There is a severe disconnect between what is done and what needs to be done when protecting an organisation from cybercrime.

Throw out terms like dark net, cloud technologies, IoT (internet of things) or BYOD and most managers, board members and owners shrug, glaze over and say that it is an IT problem.

In today’s threat landscape cybercrime is a business risk, probably one of the biggest risks a business will face. Like all business risks it has to be addressed as soon as possible. But what are you addressing?

In most cases management teams, board members and owners consider cyber and digital protection an unreasonable and unjustifiable expense for the organisation (until it’s too late, that is). In most cases they under-invest in Digital Security for no other reason than that they do not understand the problem.

From a business perspective, of the thousands of attacks every year on business systems, mobile devices and other devices connected to the digital world, only one has to succeed. As an organisation, we have to stop them all. That one compromised system is the Trojan horse into your organisation.

We have all experienced a virus and how hard it is to stop and clean up. Imagine if that virus was just the scout for a more costly attack. You don’t have to imagine it; in most cases it is the vanguard of your worst nightmare!

The recently discovered attack on 100 banks worldwide that netted the criminals around $1 billion was carried out through a very sophisticated process that included boutique malware (undetectable by the best AV), social engineering, bad work practices, substandard policies and procedures and a lack of auditing.

It was the perfect storm, and it netted the bad guys all of that money over a 2 year period.

Compared to walking into a bank with a gun, or blowing the safe, this theft is relatively painless. It is very profitable! Very profitable and relatively safe! The chance of catching the bad guys is remote, and the criminals that do get caught show Darwinism at its best.

Three factors make the management of cybercrime difficult:

The cost of Digital Security technology!

Walk into any office: locks on the doors, motion detectors in the rooms, alarms on the windows, possibly biometric locks and access control, and in some cases bollards out front. These are known protections that have come about in the last 100 years. Costly but important protection.

Protecting the organisation’s digital assets is a little harder.

If an organisation does not understand the WHY of cybercrime and Digital Security, the protection requirements are often underestimated.

The business management attitude that free or cheap is the solution reigns supreme.

  • Free anti-virus must be better than having to pay a monthly or annual subscription for a managed end point protection system! The fact that it only captures 90% of the known problems is irrelevant.
  • Or the inexpensive router from the local retail shop will do the job of a router with UTM (unified threat management). The attitude that we just need a device that connects to the Internet is often heard.

There are thousands of other examples where free or cheap is the solution taken by SMEs and even larger organisations.

When it comes to technology you get what you pay for, and scrimping on Digital Security by buying the cheapest means you are exposing your business to unnecessary risk.

The cost of protection can be exceedingly high, and that is the main reason that risk management and risk assessment are paramount in those decisions. Throwaway lines like “we are too small to be a target” and “it will never happen to us” are based on myth and legend. Like any normal risk factor, understanding and then mitigating the risk has to be front of mind, and in Digital Security mitigating those risks comes at a cost.

The Digital Security jargon (non jargon) is hard to understand!

There are times when the discussion around cybercrime and Digital Security is difficult. I will even admit that at times I have trouble understanding what sales and technical people are saying, and I have been in the industry for more than 30 years.

One of the reasons for this disconnect is jargon. Each manufacturer has a new word, new catch phrase, new product name or new operating system that someone somewhere in the purchasing organisation now has to learn, understand and manage.

Getting straight and understandable answers to basic questions in the digital space can also be difficult. The answers are made more difficult if you cannot understand them or, worse still, have not asked the right questions.

Paramount to protecting business information is understanding what information needs to be protected.

This communication disconnect also happens when describing the criminal element. Malware, zombies and botnets are the tools of the digital criminal, but most businesses do not understand the impact they have on the protection paradigm.

In most cases businesses do not understand why they are being targeted with viruses or malware.

“Why did we get a virus? We have nothing worth stealing” is a cry we hear regularly! Everyone has something worth stealing, even if it is just the storage and CPU cycles used by the system itself to become a zombie or to join a botnet.

Digital Security Protection is difficult to manage!

The next problem with Digital Security is the management of all of those digital components. Organisations believe that digital protection is “set and forget”. A couple of years ago this might have been true.

Thinking that once it is in place you don’t have to worry about it in today’s digital world is a bad idea and can have devastating consequences. Not updating a device for 12 months, or in some cases 3 years, is definitely not best practice.

All of the components that protect the business have to be updated regularly, checked regularly and, most importantly, tested to ensure that they are working to their design specification. Once again jargon is a problem.

The digital threat landscape is constantly changing. The bad guys know this because in most situations they are behind the changes.

Conclusion

Digital Security is a holistic process. Once again jargon impacts the organisation’s decisions. To make a correct risk assessment of the organisation you need to know:

  1. What needs to be protected?
     • Intellectual property
     • Financial information
     • Client information
     • Digital assets
  2. How will it be protected? This is the technical component of the risk analysis process.
     • Separate network
     • Restricted access
     • Encryption
     • User access
  3. Who needs access to it?
     • Does everyone in the organisation need access to all information?
     • Can components of the information be separated?

You have to have a basic understanding of the required components that are protecting that information before you can make decisions.

Convenience is usually the primary driving force for business. It is also the driving force behind applications and systems. Security should be more important than convenience, but most of the time it is further down the list.

This article first appeared on LinkedIn

Roger Smith is the CEO of R & I ICT Consulting Services, Amazon #1 selling author on Cybercrime, author of the Digital Security Toolbox and author of the SME Digital Security Framework. He is a Speaker, Author, Teacher and educator on cybercrime and how to protect yourself from the digital world.

How to make your organisation a smaller target of cybercrime

To most small and medium business and non-profit organisations the idea that they are a target of cybercrime is farcical. I constantly hear “we are too small to be a target”, even from organisations that have predicted revenue in the millions of dollars per year.

Cybercrime targets everyone who has a digital footprint. That includes computers and laptops as well as mobile phones and tablets. It doesn’t matter if it is for work or for home, you are still a target.

The problem is “script kiddies”. These are the hacker wannabes. They have downloaded a hacking tool, infecting their own computer in the process, and are ready to look for people to hack. Script kiddies make up 80% of the noise on the Internet.

How do you make that target smaller?

There are a number of free and low cost strategies SMEs can employ that improve their security posture dramatically.

Train and educate your staff.

Everyone in the business should also realize that they could be targeted by a cyber-criminal. Could they recognise a spear phishing email? Or recognise that they are being targeted in a social engineering attack? Do they know not to use an unsecured Wi-Fi connection when away from the office? They won’t know these rules unless you tell them.

This knowledge comes from training. Your awareness training should not be a one-off indoctrination session. It should be augmented with additional training throughout the year.

There are other things that can be done to increase awareness:

  • Run a daily security email question – the first person to answer it gets a prize. Increase it to a monthly competition and have a substantial prize. Before you balk at the cost, $200 for a weekend away per month is much cheaper than cleaning up a computer, or worse a network, after a malware attack.
  • Have posters about basic security principles around the office. They are available from the Internet at a relatively low cost.

Patch everything

How annoying are those update prompts from Microsoft or Apple? You haven’t got time for that, there is work to do or you have to go home.

Updates are very important to the operating system and applications that you use in your business; they fix problems that have been discovered. These problems allow specific malware to target your computer, tablet or phone, and the download (patch) fixes them. Without the patch you are vulnerable; with the patch you are safe from that attack. Remember the script kiddies – this is what they target.

Paranoia and common sense are your friends

It may seem silly, but not everyone on the Internet is your friend. In fact there are a huge number of people out there who want to do you harm.

There are two things that everyone on the Internet needs to realize – nothing is for free, and see above. So when you see that search result about some celebrity with no clothes on, remember the bad guys are out there and they are after you.

Social media (Twitter, Facebook, YouTube and LinkedIn) can be a major problem in this area. You need social media to get your message out there, but how do you know who to protect against?

Making your organisation a smaller target for cybercrime can be relatively cheap and easy. Yes, you still need to invest in front line internet facing systems and the like. The difference is the bad guys can lose millions of times and not worry about it, but the good guys only need to lose once.

If it gets through the expensive second generation firewall, it would be a good idea to have your staff on the inside saying “How come this weird email got through, and why are the links pointing to a site in Romania?” and deleting it instead of clicking on it.
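The last paragraph describes the check an alert staff member makes on a suspicious email: does the link really go where its text says it does, and is the destination somewhere the business actually deals with? The Python below is an added example, not code from this article, that automates that look over an HTML email body so the same questions can be asked of every inbound message. The sample email, the list of "expected" domains and all helper names are constructed for the example, and the domain matching is a deliberately crude last-two-labels comparison rather than a public-suffix-aware one.

```python
"""Added example (not part of the original article): flag links in an HTML email
whose visible text, destination host or scheme deserve a second look."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed: the registered domains this business normally exchanges links with.
EXPECTED_DOMAINS = {"example-bank.invalid", "example.com"}


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _registered_domain(host):
    """Crude 'last two labels' approximation: pay.example-bank.invalid -> example-bank.invalid."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def _hostname_in_text(text):
    """If the visible link text itself looks like a URL or host name, return that host."""
    candidate = text.strip()
    if not candidate or " " in candidate or "." not in candidate:
        return None
    if "://" not in candidate:
        candidate = "https://" + candidate
    return urlparse(candidate).hostname


def suspicious_links(html_body, expected_domains=EXPECTED_DOMAINS):
    """Return [(href, reasons)] for links that warrant the 'why does this point there?' question:
    plain http (anything typed in is sent in the clear), a host outside the expected domains,
    or visible text naming one domain while the href goes to another."""
    collector = _LinkCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        target = urlparse(href)
        host = target.hostname or ""
        reasons = []
        if target.scheme == "http":
            reasons.append("unencrypted http link")
        if host and _registered_domain(host) not in expected_domains:
            reasons.append(f"link host {host} is not an expected domain")
        shown = _hostname_in_text(text)
        if shown and host and _registered_domain(shown) != _registered_domain(host):
            reasons.append(f"visible text says {shown} but link goes to {host}")
        if reasons:
            findings.append((href, "; ".join(reasons)))
    return findings


# Constructed sample: the visible text claims the bank's site, the href goes elsewhere over http.
SAMPLE_EMAIL = """<html><body>
<p>Your account will be suspended. Please confirm your details at
<a href="http://example-bank.invalid.secure-login.invalid/confirm">www.example-bank.invalid</a>
within 24 hours.</p>
<p>Regards,<br><a href="https://www.example-bank.invalid/contact">Customer Care</a></p>
</body></html>"""

if __name__ == "__main__":
    for href, why in suspicious_links(SAMPLE_EMAIL):
        print(f"{href}\n    {why}")
```

Run against the constructed sample, only the first link is reported, with all three reasons; the genuine contact link passes. The check is deliberately conservative: it raises questions for a human to answer, it does not decide on its own that a message is safe.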

Are we the weakest link in the security of our business?

In a discussion this week I heard a rather interesting quote: all computer systems can be compromised, but it is vigilance and persistence that create a secure environment. This is very true. I was talking to someone who makes his living doing penetration tests on business systems using applications that he has developed, and who also has his own slant on social engineering.

One of the things that he did bring up was that hacking and gaining access to business systems has started to come full circle. This means that social engineering is playing a larger part in the hacking repertoire. Social engineering is a huge subject and a little larger than the space I have here, but I will touch on it for now.

In the past the combination of a social engineering attack coordinated with a direct attack usually had the attacker gaining access at some level. This was then superseded by the script kiddies and so-called hackers who use readily available programs and exploits from the internet (usually infecting themselves in the process) as a means to access business systems. This has been augmented with virus, spyware and malware applications that have been broadly targeted on the internet, catching unsuspecting and insecure businesses in the net.

The newest component in the hacker’s ability to gain access to your business system is the use of social engineering and the use of social media to gain insight into a business’s infrastructure. In the old days they would get on the phone, ring the company and get as much information as they could out of the people answering the phone. This has changed greatly with the introduction of social media.

For example – Joe is a payment receipt clerk for your business. He has a very in-depth profile on a social media site which includes all of his information: where he works, what he does, who and what he likes and dislikes, birthdays and family information. This information he allows anyone to see. A hacker can do some research and find out about Joe, and he can do some further research on your business and who you do business with. What “Mr Black” the hacker does is create a carefully prepared infected invoice (an infected PDF file) that he sends as if from one of your subcontractors, an expected source. Joe, being an innocent worker, doesn’t worry about the email because he believes it is coming from a legitimate source, so he clicks on the file. If this sounds familiar – this is how RSA (one of the most secure security systems on the internet) was compromised.

For this to happen, you have to have some seriously valuable information (critical IP) that the hacker is after, or some seriously available unsecured money, to make it worth the hacker’s while.

Most high level Government workers and business CIOs and CEOs, although they have profiles on social media sites, don’t have in-depth information concerning their everyday work environment, and even that information is only available to friends or contacts that they know.

To protect yourself from a social engineering attack is relatively easy: keep critical business and personal information to only those people that you want to have that information, not the whole internet. Furthermore, access systems that need passwords need to have high level complexity, and you should also have some level of auditing and reporting on the internal systems to track transactions within the business.
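This post's closing advice (auditing and reporting on the internal systems) and the earlier video transcript on protecting financial information (one account per person rather than a shared login, and access only for those who need it) come down to the same control: individual accounts, role-based least privilege over the financial records, and a log of every access decision so that a Joe-style compromise is both contained and visible. The Python below is an added example, not the author's code; the roles, permissions, users and demo requests are constructed for illustration.

```python
"""Added example (not from the original posts): per-user accounts, least-privilege roles
over financial records, and an audit trail of every authorisation decision."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Assumed roles. Note the separation of duties: the clerk who records receipts
# cannot also approve payments, and sales has no finance access at all.
ROLE_PERMISSIONS = {
    "bookkeeper": {"finance:read", "finance:record_receipt"},
    "director": {"finance:read", "finance:approve_payment"},
    "sales": {"crm:read"},
}


@dataclass
class AuditEvent:
    when: str      # ISO-8601 UTC timestamp
    user: str      # the individual account, never a shared one
    action: str    # e.g. "finance:approve_payment"
    allowed: bool


@dataclass
class AccessController:
    user_roles: dict                      # username -> role
    audit_log: list = field(default_factory=list)

    def authorise(self, user, action):
        """Decide whether `user` may perform `action`, recording the decision either way.
        Unknown accounts (including a shared 'office' login) are denied and still logged."""
        role = self.user_roles.get(user)
        allowed = role is not None and action in ROLE_PERMISSIONS.get(role, set())
        self.audit_log.append(
            AuditEvent(datetime.now(timezone.utc).isoformat(), user, action, allowed))
        return allowed

    def denied_attempts(self, user=None):
        """Denied decisions, optionally for one account; a burst of these is the
        'reporting' signal that someone is reaching beyond their role."""
        return [e for e in self.audit_log
                if not e.allowed and (user is None or e.user == user)]

    def users_with_finance_access(self):
        """Answer the 'who has access to the bank account information?' question directly."""
        return sorted(u for u, r in self.user_roles.items()
                      if any(p.startswith("finance:") for p in ROLE_PERMISSIONS.get(r, set())))


def run_demo():
    """Constructed accounts and requests; returns the controller and each decision."""
    ac = AccessController({"joe": "bookkeeper", "mary": "director", "sam": "sales"})
    results = {
        "joe_read": ac.authorise("joe", "finance:read"),
        "joe_record": ac.authorise("joe", "finance:record_receipt"),
        "joe_approve": ac.authorise("joe", "finance:approve_payment"),   # outside his role
        "sam_read": ac.authorise("sam", "finance:read"),                  # sales, no finance
        "mary_approve": ac.authorise("mary", "finance:approve_payment"),
        "shared_login": ac.authorise("office", "finance:read"),           # no such account
    }
    return ac, results


if __name__ == "__main__":
    controller, decisions = run_demo()
    for name, ok in decisions.items():
        print(f"{name:13} {'allowed' if ok else 'DENIED'}")
    print("finance access:", controller.users_with_finance_access())
    print("denied attempts:", len(controller.denied_attempts()))
```

The shared-login case is the one the transcript warns about: with one password for everybody there is no account to tie a decision to, so the log cannot say who approved a payment. Here the shared name is simply not an account, and the denial itself lands in the audit trail.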