One of the worst situations that you can be in is acrimonious separation of an IT person from an organisation.
A bad separation, just like a bad divorce can have significant impact.
Large organisations have systems, policies, procedures and processes in place that protect the organisation, when they are used of course. If followed they protect the organisation well.
SME’s on the other hand have different problems.
We have come across smaller organisation that still have old staff members on the books with full administrator access to everything that is still being done in the organisation.
The problems this creates can be huge.
They have access to privileged accounts. Accounts that can do anything on the organisations digital world.
Just a few ideas of what they can do!
They can steal your trade secrets and take them / sell them to your opposition.
They can steal your client list and use them for a number of bad things – competition, blackmail, sabotage.
They can cause software issues, lock outs and shut downs
They can lock legitimate users / all users out of the organisation.
In most cases the IT person is there because they know computers. They were allocated the role when they joined and you may even have paid for some education and training packages to make them better.
This just puts them in the position of holding the keys to the kingdom.
If you are going to remove an IT person from your organisation, the best thing you can do is outsource your IT, for a short time or indefinately. They have the expertice to protect your organisation and they are under contract to ensure your systems are safe.
Roger Smith is a highly respected expert in the fields of cybercrime and business security and is a Lecturer at ADFA (UNSW – Australian Centre of Cybersecurity) on Cybercime, Cybersecurity and the hacking techniques used by the digital criminal.
He is the primary presenter for the Business Security Intensive (BSI) and author of the Digital Security Toolbox which is given away for free at the BSI. He is a speaker, author, teacher and educator on Cybercrime and an expert on how to protect yourself, your staff, your clients and your intellectual property from the digital world.
We just threw it together on WordPress because it looked OK, pretty cool eh, what do you think?
These are some of the reasons and responses that most organisations say about their websites. They do not consider their website an important component of their business security.
All of these implied reasons are all BULL
The damage that a compromised website can do to your reputation, your brand, your customers, your staff and your organisation in general can be devastating.
How can it have such an impact?
Today’s world everything is automated.
From building cars to putting together modem routers, it is all automated, created by robots or done with no human intervention.
Just set and forget!
In this world a bored teen with minimal parental supervision, access to the internet and access to a computer, tablet or smart device can download any number of automated systems that can and will target any website.
just because they are attached to the internet.
Bored teenagers and Hackers alike Don’t Even Break a Sweat…Download… Copy… Paste… Hack!
Its just that easy!
Automated systems target everyone!
That is why a Million+ Sites were Hacked or Defaced by Exploits in the last 12 – 18 months.
Once again attached to the digital world = target!
WordPress security can be very easy as well as exceedingly difficult.
Like any required expertise, anyone can do it but it takes an expert to actually secure a website properly.
Just 1 Bad Plugin or Update & Your Site Is Theirs!
What about Google?
If your website is infected and starts delivering malware to your visitors then you’ll Get Blocked by Search Engines for hosting…A Fake Store, An Attack Site or A Phishing Site…
This will have significant impact on your site especially if you are spending money on SEO.
The all-encompassing world of search – especially GOOGLE, can have a significant impact on your website through search engine optimisation (SEO)
I spoke about reputation in general, how about Brand in particular?
The impact on your reputation, brand and ability to create revenue can be significant.
Your Site, Your Reputation, Your brand, Your Rankings & Your Domain Value Destroyed literally overnight and in a lot of cases it will not register on your business.
The problem could be seen as a change in Googles algorithm.
How big an impact would a significant drop in search visitors have on your organisation?
The significant drop in visitors could be attributed to the blacklisting of your site.
Anyone going to your site will get the google precaution web page – proceed past this point at your own risk. How many people are going to go against that message, only 10%.
It’s Going To Costs You Days & $1000’s To Restore, De-Blacklist + Re-Rank.
So that cheap and cheery website that you put up is now having a significant impact on your organisation.
Significant impact on your cash flow!
Significant impact on your revenue!
Lets now take it further.
If you keep getting your website hacked it will have significant problems for the hosting company as well as all, of the other organisations that have websites hosted on the same platform. Same platform, same internet address.
They will literally ask you to take your website elsewhere because you are having a significant impact on their revenue and profits.
WordPress security – what can you do?
All of your problems started with the assumption that putting up a WordPress website is easy and can be done by anyone. Here are a number of precautions that you can take to reduce the risk.
Update, update update
Like everything digital in today’s world updates are one of the keys to protecting the website. Updates to the WordPress core are critical but updates to plug Ins, widgets and themes are just as important.
Updates remove those areas where the automated systems can get a foot hold on your site.
Visit your site regularly
We have known organisations who have not touched their website in 2 – 3 years. This is bad for 2 reasons. If you are not visiting your site regularly then you are not helping your marketing, you are not putting up, in the words of Tim Read “interesting and helpful content”.
Google does not like this.
If you are not visiting it regularly you are not getting the feel of what your visitors are seeing, and you are not being prompted to update all of these important components.
Use top quality plug ins, themes and widgets
Free is OK, but if you pay for plug ins, themes and widgets then there is a good chance that they will be better for your website.
This includes not only better functionality but also better security and support.
Use 2 factor authentication or Captcha
With some of the tools available, your website can be scanned and the usernames can be discovered.
That is one of the 2 things the wanna be hackers need to compromise your website.
Using 2 factor authentication and or a captcha system you are adding another layer to the log in process.
This makes it harder to access your website using automated systems.
Enforce complex passwords
I know they are hard, but complex passwords are very important when it comes to fighting all those automated systems.
All passwords should have 3 components, complexity (numbers, letters, symbols and capitals), long (more than 8 characters, but 10 is better) and uniqueness (different for every web site you visit or have access to).
Now hopefully you understand why protecting your website with the right attitude is good business sense.
The bad guys are out there and they are looking for every opportunity to ruin your organisation, your reputation and your ability to make money.
(On Demand Webinar) – An overview of organisation protection in the digital world
[Start of transcript]
I’m just waiting for a few people to turn up, just to make sure we get everybody.
We’re broadcasting this on Periscope as well, just to be on the safe side. Let’s see if it works because I think it will be an interesting time to see if we can get this type of thing working.
Today I’d like to talk to you about how a small business can create a better framework for business, so to protect yourself in the digital world and also just to make sure that a lot of things are in place so that you don’t get targeted by not only the bad guys but everything else that is out there. So that’s the aim of the presentation, and hopefully you’ll get something out of it and you’ll be able to go to the next level and improve the security around your business and your organization.
We’ll wait another couple of minutes just for a couple of stragglers that are coming, just to make sure we’ve got everybody, and then we’ll just get stuck into it. You won’t see me. I’ll put up a slideshow that is not that much. I’m not going to baffle you with PowerPoint art, but hopefully we’ll get everybody on the same page when it comes to digital security.
Okay, I’m going to start now.
It’s Complicated out there!
We all know how complicated the digital world can be. No matter what you’re doing on it, no matter what you’re in charge of, no matter what part of it you’re using for your business, it gets pretty complicated pretty quickly. On top of that, if you’re not really careful about what is happening, you then become a target of cybercriminals and cybercrime. What we are trying to avoid is making sure that you are not in there.
Understanding the requirements of digital security
What we’re going to do today is discuss the understanding, the requirements of digital security and just give an overview of what you need to do to protect your organization in the digital world.
Roger Smith – Speaker
My name is Roger Smith. I’m a speaker. I’m also an Amazon #1 author on digital crime. I’m the CEO of R&I Consulting, and I focus on getting everyday users of the digital world to understand the dangers, and take necessary precautions. So my role is to stop smart people making dumb mistakes. That’s what it’s all about.
So this presentation, we’ll just go through:
What the bad guys are after and why we know that
How the bad guys get in and how they target you?
What are the basics of digital security?
Then we’re going to go into the 4 pillars of digital protection and what it means to an organization
Then we’ll talk about getting the right balance and why you need to get that balance involved.
Also then, we’ll just go into other things like you also need to look at the non-digital stuff to protect your organization.
On top of that, at the end of it, we’ll go through what you can do now.
The digital world is used by all of us, literally. Anybody in business in the Western world now has some presence in the digital world, whether it’s just a basic email or it’s a full-blown 3,000 people using a cloud-based system all over America or Australia, in those areas. The reason why we’re going to the digital world, mainly because it’s cost-effective, and on top of that, it is low-cost.
But we use it for everything. Social media, business, networking, search, innovation, R&D. We use it on our websites and we use it for marketing and sales. It is a very interesting balance to make sure that you are—you have the convenience of the digital world but you’re also protecting yourself from the bad guys.
Exponential rise in crime
Originally, crime started with I had something that someone else wanted and they took it away from me. Then in the 1600s, 1700s, 1800s, 1900s, we had a large group of people storing their money in specific places, and that’s where we had the rise of the bank robbers and the places like Jessie James, Ned Kelly, Ronald Beats, because a group of people could steal from a larger group of people.
In 2014, we had the Target hack. It was a very small group of people stole information and money from 34 million people. This is what we’re talking about, the exponential rise in crime. Because at the moment, making sure that you are protected means also making sure that when you give your information away, that is protected as well.
What do they want?
But what do the digital criminals want? What do the bad guys really—why are they doing what they do?
Money, access to money and money under your control
Well, they need access to your money, and access to money itself, but also access to money under your control. So that access to money also means that they are looking for ways to get you to compromise your security and give them your money.
IP / trade secrets / tactics and strategies
They’re also after your intellectual property, your trade secrets, your tactics, how you work, how you do business. All of that information is really important if they were to come in and try and take over something else that you’re already doing.
One of the other things they’re most importantly after is they’re after your client information, because with the client information, they can go off and target other people. It becomes part of their social engineering component of the digital world so that they can find out all the right information about what you’re doing and what your clients are doing.
One of the things that people forget is that they’re also after your technology. They’re after your Wi-Fi system. They’re after your router. They’re after your PC. They’re after your laptop. They’re after your smart devices. Because they can then use those smart devices to target other people.
But on top of that, your technology is worth money to them. Because it’s worth money to them, they are quite happy to compromise your system and make sure that you then become non-controlled by yourself. That is why we lose control of our technology with things like malware and viruses, and worms.
What are they using to get in?
So what are they using to get in?
In most cases, the number one attack weapon of the cybercriminal, or the digital criminal, is email, because everybody’s got an email account. Email is easy enough to target. It doesn’t cost them any money.
With the rise of email, we also saw the rise of spam. In the 1990s, early 2000s, we had spam that was more interested in selling Viagra or getting a Nigerian prince’s money out of Nigeria. But then smarter criminals got hold of it and started utilizing it for other things.
Then we had the rise of the phishing email. We’ve still got phishing email like we get nowadays. The classic example is the crypto-virus. We get a phishing email that’s addressed from the APO, or the Post Office, or Internal Revenue. Because we are very willing to open and look at an email when it’s based on that.
But then again, we then had the introduction of the spear phishing. This has only been around for the last maybe six to seven years. Spear phishing is an email that comes into your system that is specifically targeted at you. Because they’re specifically targeted at you, they’ve done their research.
They know you are. They know who you are targeting. They know what your friends are. They know what your business is. They know what your hobbies are. They will write an email that is specifically aimed at you, making that idiot decision to click on the link.
But what phishing email and spam, and the spear phishing email are doing is they’re targeting exploits within your system. The exploits are pieces of code that haven’t been written properly, or they’ve been removed but they haven’t been deleted from programs. These programs that have these exploits, you know, Windows has 2 ½ million lines of code. Finding a specific error in that takes a lot of work. The trouble is, the cybercriminals have got the time and the energy to do that, and that’s what they do.
Infected web sites
But just like we have operating systems on PCs, we have operating systems on websites as well. We have the underlying operating system. The underlying operating system is what hosts the website itself. So if that gets compromised, all of the websites above it get compromised as well. They use that compromised system to actually file out malware to other people.
The Insider (malicious and unintentional)
We’ve also got the insider. The insider can either be a malicious person who doesn’t like your systems, doesn’t like you, doesn’t like your business, and they’ve been employed by you, and you’ve realized they don’t like you and they have stolen information, or stolen systems, or put malware on your system.
But there’s also the unintentional one. That person who has clicked on the link that you didn’t want them to click on. That has exposed both your PC and your business to the digital criminal. You don’t want that to happen.
What are the basics?
So what are the basics? The basics are really easy. There’s 8 of them. Those 8 basic things that you need to do will protect you in the digital world.
I’ll miss the first one, but passwords. Passwords are really important. They’re your passport to the internet. They are your passport to the internet on any number of websites that you go to. Passwords have to be longer than 8 characters. They have to be complex, so anything on the keyboard is fair game. They have to be unique for every website you go to.
That, as you can understand, that is a problem just in and of itself unless you have a system on doing it. I have a number of videos that you can watch that will actually explain how to create complex passwords that are really easy to remember.
I was talking about exploits earlier. So when an application or an operating system developed or found that they have an exploit, they will patch it. They will send out an update that will remove the capability of something being able to target that issue. Although 99.9% of exploits are benign, they can’t do anything. Maybe you can create a character on the screen, but it’s not going to cause a problem. They’re not going to allow access to the back end of the computer.
The next thing you need to do is worry about anti-virus. An anti-virus is really important because it catches that 99.9% of the viruses that have been around for a while. By catching that, it then means that you can keep an eye out for that other 0.01%, or 0.1%.
Back it UP
The problem with the digital world is it’s digital. My laptop falls in the—gets flooded out, or I drop a cup of coffee on it, or I drop my phone in the toilet, or someone steals my tablet, then all of that information that was on it is now gone. So we have to make sure that we are backing it up and backing it up in such a way that is not stored in the same place. So if I lose my phone, I have a backup of all my contacts, all my videos, all my films.
The next thing we have to worry about is firewalls. Firewalls are used to protect you from the digital world. They stop those basic attacks coming into your PC or into your business. They are there to make sure that whatever coming from inside the business goes out but everything on the outside doesn’t come back in.
There’s two that we’ve coined. Paranoia. Fear the digital world. Don’t be scared of it, but have that underlying system in place that you go, “Should I do that or shouldn’t I do that? Why am I doing that?”
The last one is common sense. Common sense is really important when it comes to making that split-second decision between clicking on that link that decrypts all your data on your PC, or not clicking on that link. Common sense is a question about “Where did they get my email address? How come they’re targeting me, and why are they sending me an email?’
What is a framework?
So what is a framework? I’d like to talk to you, the framework we’ve developed that is, I suppose, an easier way to understand how you can protect yourself. There are a number of frameworks out there. This is just a few.
We’ve got the Control Objectives for Information and Related Technology (COBIT).
We’ve also got the ISO 27000 Series.
We’ve got the NIST Special Production 800 Series
These are complicated frameworks around how you do business. They want you to change your business to fit in with these frameworks. That’s where the problems really start from, because no longer can we say you are a x in this industry, so this is how you have to do business, because if everybody else is doing business that way, there’s no advantage in doing it. That’s where technology is really come into its own.
But also we’ve got the vendor-based technologies and the vendor-based frameworks. Those frameworks are things like the Cisco Security Framework that relies on Cisco products, or Strategic Framework if you’re using cloud, or an IT Security Policy, which is a really basic framework about how you are going to protect your business.
The 4 pillars of digital security
So we’ve taken all this information and we’ve tailored it down to four pillars of digital security.
What you really need to do to protect your organization
You need to worry about the technology. The technology in place of how you are going to do business. That technology makes your business so much better and makes you competitive in the industry.
You also need to have a management component. That management component takes into account all of the other components and the pillars of security.
We then have to have an adaptability component. The adaptability component is not about if something goes wrong, but it also involves having your organization able to change direction without losing impetus. So you can see an opportunity, and if you are adaptable, you can actually grasp that opportunity without having a problem.
Then the last one is we all have a government compliance component. That government compliance component is how it’s all based in the industry, or via government, or how you want to do business yourself.
So let’s just take a step back and go through each of these areas.
The technology. Literally all of the technology components of your business. So you have your operating systems, your hardware, your software, your applications, your encryption, your cloud, BYOD and how you’re going to manage it, firewalls, wireless, VPN, anti-virus, and tie it all together with best practice.
Best practice is usually created by the vendors that say “This is the best way of putting my system together.” To me, that is really important, because if you don’t have the best practice of how that system is put together, then it’s not going to work to your benefit anyway.
The second component is management. So management process that we need to know, and who is involved in what they are. So we have the three P’s – processes, policies and procedures. Because you don’t want to have your accountant come to the business and go “What is my role?” So that’s part of your procedures, part of your processes, part of your policies.
But also on top of that, you need to audit all your technology. You need to have reports coming out of your technology. And you’ve got to be very aware of the reports that come out of technology because they’re only reporting on those systems. So you need to have an overrule reporting system that will help you make decisions at the top level.
You also need training and education. Education and training are really important if you want to protect your business, because if you start training and educating your people, they will then actually come back and say, “We need to do x because x is what my education has told me.”
Then we have the adaptability. So we’re looking at risk assessment, risk management, disaster recovery, business continuity, your cyber and digital resilience and also your culture. Your culture is also just as important as everything else because if your culture doesn’t allow Joe Bob, who’s working at reception, to come to the managing director and say, “We’ve got a problem and this is why.” And the managing director actually accepting that he has a problem, then culture is going to have a big impact in protecting your organization.
And then as I said, we have compliance. Compliance is probably the most difficult component to define because all business or industries, and all organizations are unique. They are different from each other, and different from anywhere else because we are all unique and how we do business depends on who you are.
So all of these framework components make your framework a lot better and a lot easier to understand. It also means you’re going to be making decisions based on fact, not on what’s coming out of the back end, not coming from the IT department saying everything’s rosy.
But as I said, most frameworks are created by companies, and they usually say, “Buy my widget because my widget is the best and it will protect you, and you will be secure.” What a load of poppycock. There’s no silver bullet in the digital world. There’s no way of significantly protecting yourself by using a product.
From Cisco all the way through to D-Link and TP-Link, there is a way around every system. You might not be able to get through a FortiGate, or a Juniper, or a Fortinet firewall, but there are ways around it. That’s why you need to have a framework in place.
By having this attitude that “My widget is the best,” we’re not having a holistic impact on your business. We are not protecting the business. That is also what this is all about.
A Framework has to have certain features
But a framework has to have certain features to make it all work. It has to have features to a level where we are making sure that everything we’re doing for the framework is actually helping the framework.
The framework has to be agnostic
It has to be agnostic. It doesn’t matter whether you’ve got a Cisco firewall, a FortiGate access point, you’re using Symantec on the inside to protect yourself at endpoint protection level. All of those components have to work together. It doesn’t matter whether it’s a FortiGate firewall or a Cisco firewall. It is a firewall, second-generation firewall that does x. So it doesn’t matter what the hardware is.
Your framework has to be understandable
It has to be understandable. All the people in the organization has to understand why you are doing something to make sure your business is protected, and what is in place. We have to have some sort of puzzle that we keep putting a little bit together and making it so that everybody understands that the firewall is there for a reason. The reason why we’ve got these policies is there for a reason, so it has to be understandable by everybody involved.
Your framework has to support your business
One of the things we find in most technology companies is they want your business to change to support their technology. To me, it’s the other way around. The framework has to support your business, and it has to support your business to a level where you don’t have to change how you do business.
Because if you change how you do business, you don’t have the alacrity to go we can swivel on a pin to change direction. So the technology has to be in place to make sure that you can do that swivel if you need to. So it has to support your business, not the other way around.
Your framework has to be manageable
It has to be manageable. What I mean by manageable, someone has to know where all the bits go together and what bits are doing what. Your framework, whether it’s either your technology or it’s adaptability, has to be something that you know “This is what we do. We have a business continuity plan, and this business continuity plan does x.” That is really important for what we’re trying to do with this framework.
Your framework has to protect
Most importantly, your framework has to protect. We know there’s no such thing as 100% security, but we can try for it. That’s what this is all about, trying to make yourself as secure as both your money and your capability, and your team, can make you. So it has to protect you.
Your framework has to be cost-effective
And because we’re trying to protect you, we’re not going to go out and buy—if we’ve got an income, let’s say we’ve got a revenue of $100,000 a year, we’re not going to go out and buy a $50,000 firewall. So we have to have some cost effectiveness in place to make sure that we are getting the best bang for our buck.
Your framework has to build defense in depth
We all know what the old castles used to be, and why they were built, and what stopped them from being as efficient as what they used to be. Originally, the medieval castle was designed to protect the Lord who was in the castle itself. It lasted up until we started creating cannons and we started firing cannonballs at each other. But your framework has to build defense in depth. The thing about a castle was you had a moat. You had a drawbridge. You had high walls. You had people behind those walls. Because you had people behind those walls, if they got through the first levels of security, then they were up there with the people who were trying to attack you.
Each component has to support the other parts of the framework
Most importantly, no matter what we’re trying to do with the framework, each component has to support the other components of the framework itself. So we need to have the right technology in place to make sure that we can have the right management planes in place, and to assist in working out what risk is involved.
Each additional component has to be stronger than its predecessor
And one of the things that we push is if you’ve got a system in place for the moment and you don’t want to spend lots of money when you do spend money, that you don’t replace the NetCom router with another NetCom router. You go to the next level. So you replace it with a Linksys, for instance. More expensive, but it does a lot better.
Your framework has to be stable
But most importantly, your framework has to be stable. It has to allow you to do things that if you unplug things and plug things in, it’s not going to cause the whole system to fall out. That is very important to making sure that your business can do business.
Finally, your framework has to work
And finally, your business framework has to work. If you haven’t got all the components in place, and they’re not all acting holistically, then your framework’s not going to work and it’s not going to protect you at all.
Getting the balance right
So it’s very hard to understand how we get the balance right. The balance is very important and it does depend on how much money you’ve got and how much you want to throw around.
Is there a problem with SME’s?
So, is there a problem with SME’s and how we protect digital security? Well, yes there is. Because an SME has a number of problems just in its inherent capability itself.
Lack of money
We have a problem with money. As I said, if you’re $100,000 business, you’re not going to spend $50,000 on securing that business itself. You might spend $5,000, and if there’s only two or three of you, $5,000 will probably do the job. But because you lack the funds to be able to put a security system in place and create a framework, there are other ways around the framework itself.
Lack of expertise
We also lack the expertise. We don’t understand things like threat intelligence. We understand endpoint protection because that’s usually an anti-virus system. But we don’t understand identity management. Or we don’t understand incidence response or anomaly detection.
Because these are words that are thrown around by vendors that really mean the threat intelligence of you being attacked is probably about 60%. That’s not including a targeted attack on you yourself. How are you managing your identity and your internal people? What usernames and passwords are you using? Those are the things that we just haven’t got the expertise to manage.
Lack of time
And also, we all know that time and money is absolutely annoying when you’re in a small business because when you are in a small business then you have a problem with making sure that the time and the money that you have are focused on the business itself. Because if you don’t focus on the business, the security doesn’t bloody matter anyway. So you have to focus on money, time and the find out how you can cover the expertise.
It’s just not digital
But it’s not just about digital. The digital component, yes is very important. But also, your non-digital stuff. Have you got locks on your phones? When your phones are sitting in the café, are they locked? Do they wipe themselves if someone puts the passcode wrong five times? That is not a digital solution. It is a physical solution. You have locks on your doors and windows. You have internal doors on specific offices. These are not digital, but they’re just as important to protecting your business.
What you can do now
So what can you do now?
Well the first thing you can do is go back to your office and do a risk analysis. Work out what your risks are. Work out what risks are being created by having not the right technology in place.
Upgrade all non-business related components to business systems
The second thing you need to do is find some money to upgrade all your non-business related components to business systems. That includes getting a decent firewall or getting a decent access point.
Educate your people
The other thing you need to do is educate your users. Because if you educate your staff, then as I said before, it will be delivered to your business tenfold because you have people who are actually looking at the issues.
This increases awareness. What you really need is for people to be very aware of what’s going on.
Here are some simple things to do
And there’s some simple things you need to do.
Put some posters up around your organization. If you’ll send me an email, I’ll quite happily send you a PDF of 10 of them that you can put up. Get them printed at Officeworks, off you go.
Initiate a training and education program. I’ll just explain between training and education. Education is when you take everybody and uplift their level to a different level from what they are. So you’ve got to educate them inside of digital security. But training is usually based on getting someone to understand the complexities of a piece of technology. That training is really important as well.
You also need to run competitions, because competitions increase awareness within your organization as well. Make it fun. Don’t bore people with, “Yeah, you’ve got to have a complex password of 25 characters.” But if you have a competition that runs, the first person who gets the answer every day gets a $5 card from somewhere, and the person who does it the most during the week gets a $30 whatever, then you will see that your awareness will increase across the board.
So thank you very much. If you need to get in contact with me, drop me an email at email@example.com, or give us a phone, or jump on the website. You can also follow us on LinkedIn, Twitter, Facebook, Google +, all of those places.
And thank you very much for your coming to the webinar. Much appreciated. This will be uploaded to Google Hangouts and also to YouTube in the next half hour, so if you want to re-watch it you can. And if you have any questions, just pop them into the system and the system will actually tell me if you’ve got a question.
Okay. We don’t seem to have any questions, which is really nice. So thank you very much. I will talk to you next time.
Roger Smith, CEO at R & I ICT Consulting Services Pty Ltd, Amazon #1 author on Cybercrime and founder of the SME Security Framework | Speaker | Consultant | Trainer discusses – How being paranoid is a good digital security strategy!
[Start of transcript]
Hello. My name is Roger.
And today, I’d like to talk to you about why being paranoid makes you more secure in the digital world.
In the digital world, everybody is after you. Everybody wants to target you. You get spam, you get phishing emails, you get spear phishing emails. If you go to a website, you could be targeted from the website.
If you download drivers, you could be downloading literally from the Google search. And there are websites and there are torrents where you can get infected by. So, looking at all of that information that’s coming towards you, on the chance that they want to steal something from you, should make you a damn sight more paranoid, the more people are at the moment.
One of the best things that bad guys do is that they will infect torrents. And torrents are used by people who want to download illegally from the internet. And those torrents can have back doors into your business, and your organization and your home computers.
And it’s very important that you get paranoid about why you have this information on your systems. But the good thing about being paranoid is you actually start to protect yourself. You make that assumption that you are in trouble and you need to look at other ways of protecting yourself. And by being paranoid, it makes you a lot more focused on how you protect yourself.
So, thank you. If you need any more information, please contact us.
Roger Smith, CEO at R & I ICT Consulting Services Pty Ltd, Amazon #1 author on Cybercrime and founder of the SME Security Framework | Speaker | Consultant | Trainer discusses – What to avoid in an outsourcing professional
[Start of transcript]
Hi. My name is Roger.
And today, I’d like to talk to you about what to avoid in an ITC, an internet technical professional.
Whenever you are employing a managed-service provider or an outsourcing company, there are a number of questions that you should be asking. And it should not be based on price alone. You need to know if their practical experience is going to suit your business. So, if you use Apple technical, they need to be Apple’s experience. If they are Microsoft, then do they have a Microsoft experience? Do they have cloud-based systems that they understand?
The second one is, there is no such thing as one solution fits everybody. I can walk in to anybody and say, “You need to go to cloud.” If I did that, not only am I an idiot, but you’re an idiot for listening to me because every business is different and every business has a requirement to look at what is available and what they need to make sure that going to the cloud is going to be beneficial for you.
The third one is there’s no transfer of knowledge between the professional and the business. You need to be in a big situation where you can’t get hold of the professionals and you can actually sort out some of the problems without resorting to really big issues.
The fourth thing is, how about sales pressure? “If you buy this, we’ll give you a 20% discount. If you buy this, we’ll send you to Maris Island,” and all of that. These are pressures, or systems put on pressure to make you buy that widget at three times the price that it should be anyway.
The fifth thing that you should be looking at is, are they selling smoke and mirrors? It looks pretty cool, sounds pretty cool, but is it going to do to the job that I want it to do?
And another thing to look for is you may get a number of small solutions to that go to making the live solutions, and each one of those small solutions has a huge price tag. And if that’s the case, then, you really do not need that professional.
But there are other things that you need to look at. How about bribes and collusion? Are they being bribed by their suppliers? If you sell a million dollars’ worth of stuff, we’ll send your troops to a Maris Island because that’s really good.
Or they send you incomplete systems. An incomplete system is you get a firewall but if you pay for the firewall, you say $2,000 for the firewall, but all these other components to make the firewall really secure are extra $2,000, $2,000, $2,000. So, you’re getting an incomplete system for what you specified that you want it to do. Then they ignore you.
When you have a sales person that ignores your deadlines, ignores your fiscal position, then you also have problem, because they’re not going to respect you to understand what they need to do to make your business more focused. And they have no accountability. The only accountability to themselves is themselves and you do really don’t want to be in that situation.
So, to make sure you avoid an ICT professional that has all of those, then why don’t you contact us?
Roger Smith, CEO at R & I ICT Consulting Services Pty Ltd, Amazon #1 author on Cybercrime and founder of the SME Security Framework | Speaker | Consultant | Trainer discusses – The hidden cost of doing ICT yourself
[start of transcript]
Hello. My name is Roger.
And today, I’d like to talk to you about the hidden costs of small business doing their own ICT.
In a small business, we have direct costs, how much we buy something for, how much we sell it for. And we have indirect costs. And the indirect costs usually are the costs that we have no control of. And what happens when people start doing their own technical support is your indirect costs go up.
Now, most people are in business to make money and they are in business to do core business, whether that’s for selling widgets or consulting or any of those things. You’re not there, and your people are not there, to work on the information technology, information technology stuff that is making your business work.
And what happens with doing the ICT yourself is it really does take your focus off core business. It’s a lot easier to say to someone, “Come in and fix this and then go away,” than Joe Bob, who’s is the receptionist, or the senior salesperson or the marketing manager, look at the printer problem and say, “Well I just spent nine hours trying to get the printer to work. Now, I’ve got to call someone in.”
So, doing your own ICT is not cost-effective. And there really is no convenience in doing it. Because, as I’ve said, ICT is what makes your business run. But you don’t need to understand that 90 percent of making that system run, you need to understand the 10 percent that you used to make it all work for your business and do core business.
The same way that we listen to accountants, solicitors and motor mechanics, the digital security expert has an important role to play in supporting your organisation.
Digital security is becoming one of the most important areas of modern business.
For some reason we believe technology in business is easy. So easy in fact, that we just install it and forget about it.
Anyone can do it.
Like other professions what you do and what you can do are total opposites. An accountant, for instance, can make you more money by legally changing your tax requirements, or a solicitor can get you a reduced fine or jail sentence better than you could if you were representing yourself.
So a digital security expert can make your organisation more secure because they have studied business and technology, but more importantly they have a better understanding of what the bad guys are doing.
Here are 17 ways that a digital security expert can make your organisation more secure:
They study the bad guys – being a digital security expert is not about selling the next best thing (if there is such a thing). Being a digital security expert is more about understanding your enemy. The more you study the cybercriminal the better you get at predicting their next move and being able to be one step ahead.
They keep abreast of what the bad guys are doing – digital security experts use the same world that the cybercriminal uses to perpetrate their trade. They are in the dark web, watching, recording and documenting what the bad guys are going to do next.
They understand business requirements – what most people do not understand is that the digital security expert has to understand business. They have to understand marketing, management and cash flow. They need this information to ensure the recommendations that they give to their clients will not impact their business, or have minimal impact on the way business functions.
They understand technology – in most cases a digital security expert is at the same level of technology understanding that the bad guys are. To ensure that your business is not vulnerable to a cyber-attack they have to know the technology to ensure it is safe.
There is no such thing as 100% secure – against popular belief, there is no such thing as being totally secure. The digital world is ever changing, so are the tactics, strategies and targets of the cybercriminal. There is always someone else out there who knows that little bit more.
Everyone is a target – if you have a smart device – you are a target. If you have an email address – you are a target. if you have a web site – you are a target. The larger your digital footprint the bigger the target you are. The more your footprint will be targeted by the automated systems that are sold by the criminal gangs.
Technology is not the only answer – there are four components of being secure in the digital world. Technology is one of them. The other three are management, adaptability and compliance. All four components together make a more secure environment than just technology alone.
People are your best defence – your staff and users can be either your best Defence or your biggest problem. If you educate them with proper digital hygiene then you will not only get them to protect themselves but also the flow on effect is that they protect your organisation.
Complex, unique and long passwords are good for business – we all hate these. To access the digital world we need a username and password combination. The more we rely on the digital world the more important these components are. All passwords should always be complex (letters, numbers, symbols, capitals), more than 8 characters long and they have to be unique for each site. That’s pretty easy isn’t it?
Penetration testing will prove you have it right – penetration testing is one of the best ways to test your defences. Penetration testing should also be carried out across all components of the business. From websites, to cloud Infrastructure, from social media to smart devices. A contracted penetration tester should have carte Blanche across the whole network. You are not on a witch hunt or targeting the IT department, you are finding holes in your organisation and finding ways to resolve the risks before you are compromised or hacked by the bad guy.
Think when using social media – social media is great. It is also one of the best systems used for social engineering by the bad guys. Information that is posted to social media sites is there forever. Educate your staff about the dangers of social media. Put a social media process in place to ensure that trade secrets and intellectual property is not posted out there, and each post is checked before going live. In the heated exchange of a social media discussion, think before posting.
Get paranoid – paranoia is the understanding that everyone is against you. In the digital world this is truer than our normal world. Does that make you paranoid? Not really but having the understanding that everyone in the digital world is out to get you makes you more secure.
Use common sense – everyone remembers the old Nigerian Prince scam, people are still getting caught by it. There are a number of things to remember on the digital world – if it is free then it is not (you always have to give something to get something), if it’s free it could be infected with malware, if it’s free somewhere along the line you will have to pay a lot more than what you expected. Using common sense to make that decision is critical.
Email is a broadcast medium – We often forget that although email is targeted, sent specifically to individuals or groups of people, it can go astray. It could be sent to the wrong person via the email fields being filled in automatically. Email can also be forwarded, printed and scanned, sent to people who it was not intended. Like all types of communication be careful with email.
Digital security is a whole of business endeavor – we are constantly told that digital security is an IT problem. No it’s not, it is a whole of business endeavor. Everyone and every department has an impact and input on the digital security of the organisation.
Have a mantra – I have a mantra “digital security is my problem”. What that means is that I take personal responsibility for protecting myself and protecting others. The more people who change their attitude to this mantra the more secure your organisation will be
A digital security expert can and will make your business more secure and like any other profession, what they bring to the table is well above normal expectations. Like accountants and solicitors their expertise can save you substantial amounts of money, sleepless nights and angst, just by them doing their job.
Roger Smith, CEO at R & I ICT Consulting Services Pty Ltd, Amazon #1 author on Cybercrime and founder of the SME Security Framework | Speaker | Consultant | Trainer discusses – What questions should I be asking about my Managed Service Provider
[start of transcript]
Hello my name is Roger and today I’d like to talk to you about what questions you should be asking about your managed service provider or your access source I.T. company. There are a number of questions you should be asking before you even get involved with an outsourcing company. Are they stable? Have they been around for a while?
Have they been around for three years or have they been around for three months? Depending on if they’ve been around for three months also depends on what sort of expertise they have. The next question you should be asking is are they scaled.
Your business is booming and you have now gone from ten people to twenty five people in a space of three months. So are they going to be able to manage that scale when that happens for your business? Do they have any experience and the expertise within the business?
Do they know how to set up a Cisco rather or are they going to play around with it and hope for the best? Do they know how to set up a client based server, or again are they going to hope for the best?
Have they got policies and procedures in place to make sure that if John Watts comes into your office to fix something that Peter, the next I.T. person is going to come in and not have to relearn everything that’s been done?
This is really important because if you’re paying an hourly rate he’s going to take three hours to do so that he took an hour to do because he doesn’t know what’s been done and that’s a really big impact on a business.
Another question you should be asking is also are they helping my business. Are they making sure I have the right technology? I’m using the right technology in the right place. I’m using the right systems to make sure things are going to work.
Because if you don’t do that, then your business is going to have problems competing with other businesses and you’re going to have that sort of issues with making sure that you’re competing at the right levels.
One of the other things you should be asking is are they nameless and invisible. Have you had an MSP or contract with a company where you haven’t seen anybody? The only person you’ve spoke to is a voice on the end of the telephone. The only person you speak to is a new man. Are they in your office? Do people see them? Are they seen regularly to make sure that your systems are working to the best level, not just invisible to everybody else?
Roger Smith, CEO at R & I ICT Consulting Services Pty Ltd, Amazon #1 author on Cybercrime and founder of the SME Security Framework | Speaker | Consultant | Trainer discusses – why and How antivirus protects you in the digital world
[start of transcript]
Hi. My name is Roger and today I’d like to talk to you about antivirus and how antivirus protects you in the digital world. Now there’s a couple of schools of thought about antivirus. One it doesn’t work, one it does work. Those schools of thought, correct in both respects, sometimes it doesn’t work, sometimes it does work, but an antivirus system is also designed to do a number of things.
One, it catches the old problems that we’ve had. It catches all viruses, which are out there and they are [0:40 inaudible], but it also catches things that have been in store on your system that weren’t classified or weren’t called out before but are now.
A regular scan will catch those infections because the regular scan is now using the new systems because those updates are now looking for the components that are on your system. But anti-virus also does one thing. It only does its job if two things that are happening.
One if you’re patching your system and two if you’re regularly updating your antivirus. So whether you update or scan [1:27 inaudible] your definition is part of the process to make sure your antivirus does protect you from digital work.
Roger Smith, CEO at R & I ICT Consulting Services Pty Ltd, Amazon #1 author on Cybercrime and founder of the SME Security Framework | Speaker | Consultant | Trainer discusses – How to increase Cyber Awareness within an SME
[Beginning of transcript]
Hello. My name is Roger and I’d like to talk to you today about how you can increase in your site cyber awareness within a small and medium enterprise.
When it comes to cybercrime and the cyber criminals, everyone and every piece within your organization is a target and those targets are what the cyber criminals go after all the time. So, you have to make sure that people are aware why we do these things, why you are in the process of protecting it and you are in the process of protecting them as well as your business or organization, your staff and your clients.
That is why passwords are so important. And the way to come up a better way of doing things, passwords are going to be around for long. And passwords, not only on your systems but also on systems that are being installed. So your wireless access point. . Your router needs a decent password. You better need decent password, your internet connection need a decent password.
And what I mean by “decent” is it is complex, it is more than 8-characters long, and it is unique to the piece of equipment that you to put it on because the cyber criminals are very, very clever. And you need to understand that being clever, they’re also very aware of what normal people do on the internet. And they make sure that they exploit better.