10 things that any business can do to fight the insider threat – cybersecurity

We have all heard about the damage a staff member can do to an organisation.   From stealing critical information or running an embezzlement scheme to simply being disruptive, an insider can cripple an organisation in a very short time.

So what can you do to protect yourself from an employee going rogue?

Background checks

It is critically important in today’s business world to make sure you are getting the person who appears on paper.   After the basic weeding-out process and before offering an interview, check the truth behind the resume.   In most cases a quick check of references and a look at social media will give you an inkling of a person’s character, capability and attitude.   If there are no obvious contradictions it is safe to proceed to the next level.   (You could also use a psychology test such as the one supplied by www.thewhitehousereport.com.au.)

In addition, when someone leaves, cancel their access as soon as possible.   Relationships can sour, and once someone has left they should no longer have access to any part of the organisation.   That means every account, not just the network login: email, cloud services, VPN, shared passwords and physical keys or access cards.

This is doubly important if you are dismissing someone.   Before you go through the actual process, make sure their access to your systems has already been revoked.

Acceptable use

The insider can quite easily cost you time and money without doing anything illegal.   Staff who spend a lot of working time on social media have a detrimental effect not only on the business but also on staff morale.

Make sure you have policies in place that specify what people can and cannot do with business assets.

Least privileges

Staff should only have access to the information they need to do their jobs.   In a small or medium business you have to make a conscious decision that you cannot trust everyone; by not extending blanket trust you are protecting your business.   The larger the organisation, the greater the need to separate working areas and capabilities.

Administrator privilege

In any organisation there should be a minimal number of administrators.   Staff and users should only have access to what they need to do their job.   The administrator account should be used only for administration, and it should never be associated with an email or webmail account: an administrator who reads email or browses the web with administrative rights turns a single malicious attachment into a full compromise.

All administrators should have a separate login for their day-to-day work.   This reduces the risk of the administrative account being compromised and keeps the number of people with administrative access to a minimum.
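One way to turn the rules in the last three sections into a routine check is to run an audit over an account export from your directory or identity system.   The Python below is an added example, not code from the original post or from R & I ICT Consulting Services; the CSV columns (login, owner, kind, privileged, enabled, has_mailbox) and the HR leavers list are assumptions standing in for whatever your directory and HR system actually export, and the sample rows are constructed.

```python
"""Audit an account export for the insider-threat rules above:
leavers whose accounts are still enabled, administrator accounts
with a mailbox, and administrators with no separate day-to-day login.
Added example; column names and sample data are constructed."""
import csv
import io
from dataclasses import dataclass

# Constructed sample directory export (hypothetical column names).
ACCOUNTS_CSV = """\
login,owner,kind,privileged,enabled,has_mailbox
jsmith,Jane Smith,user,no,yes,yes
jsmith-adm,Jane Smith,user,yes,yes,no
bjones,Bob Jones,user,no,yes,yes
administrator,Carol White,user,yes,yes,yes
dlee,Dan Lee,user,no,yes,yes
svc-backup,Backup Service,service,yes,yes,no
"""

# Constructed HR leavers list: people who no longer work here.
LEAVERS = {"Dan Lee"}


@dataclass(frozen=True)
class Account:
    login: str
    owner: str
    kind: str          # "user" or "service"
    privileged: bool   # holds administrative rights
    enabled: bool
    has_mailbox: bool


def _yes(value: str) -> bool:
    return value.strip().lower() == "yes"


def parse_accounts(text: str) -> list[Account]:
    """Turn the CSV export into Account records."""
    return [
        Account(r["login"], r["owner"], r["kind"].strip().lower(),
                _yes(r["privileged"]), _yes(r["enabled"]), _yes(r["has_mailbox"]))
        for r in csv.DictReader(io.StringIO(text))
    ]


def audit(accounts: list[Account], leavers: set[str]) -> list[tuple[str, str]]:
    """Return (rule, login) pairs for every account that breaks a rule."""
    findings = []
    # Owners who have at least one enabled non-privileged account for daily work.
    owners_with_daily_login = {a.owner for a in accounts if not a.privileged and a.enabled}
    for a in accounts:
        # Leaver: cancel access as soon as possible.
        if a.enabled and a.owner in leavers:
            findings.append(("LEAVER_STILL_ENABLED", a.login))
        # An admin account must never carry an email/webmail mailbox.
        if a.privileged and a.has_mailbox:
            findings.append(("ADMIN_HAS_MAILBOX", a.login))
        # Every human administrator needs a separate standard login.
        if (a.privileged and a.enabled and a.kind == "user"
                and a.owner not in owners_with_daily_login):
            findings.append(("ADMIN_WITHOUT_DAILY_LOGIN", a.login))
    return sorted(findings)


def privileged_logins(accounts: list[Account]) -> list[str]:
    """List enabled administrative accounts so their number can be kept minimal."""
    return sorted(a.login for a in accounts if a.privileged and a.enabled)


if __name__ == "__main__":
    accts = parse_accounts(ACCOUNTS_CSV)
    print("privileged accounts:", privileged_logins(accts))
    for rule, login in audit(accts, LEAVERS):
        print(f"{rule:28} {login}")
```

Run it against a fresh export on a schedule (weekly is a reasonable start) and treat every finding as a ticket: disable the leaver, strip the mailbox from the admin account, or create the missing standard login.   The service-account exemption is deliberate; a backup service has no human to hand a second login to, which is exactly why it should appear in the privileged list and be reviewed.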

Separation of duties

In a really small organisation this is very hard to do, but in larger organisations there should be a defined process for spending money from credit cards and bank accounts.   Duties should be separated so that the same person is not both authorising and acquitting invoices and payments.

Job rotation

There are two reasons for this.   It builds resilience into the business, because a backup person knows the processes the business needs in an emergency.   It also trains personnel in other roles and acts as an audit: a fraud that depends on one person controlling a process tends to be exposed when someone else steps into that role.

Mandatory holidays

Everyone needs to go on holiday.   In most cases two to four weeks should be mandatory.   It recharges batteries and it protects the organisation from someone going rogue: a scheme that needs daily attention to stay hidden tends to surface while the perpetrator is away and someone else is covering their work.

Auditing

Most if not all accounting packages have an audit trail feature.   It needs to be running at all times so that you can check every transaction occurring within the organisation.

Auditing can also be used to track other parts of the business, including information passing through email, cloud-based services and cloud-based storage.
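Here is what checking that audit trail for separation of duties can look like in practice.   This Python is an added example, not something from the original post or from any accounting package; the log line format (timestamp, invoice number, then `created_by`, `approved_by` or `paid_by`) is an assumed export format and the lines are constructed.   It flags an invoice the same person raised and approved, an invoice approved and paid by the same person, and a payment with no approval on record.

```python
"""Separation-of-duties check over an exported payments audit trail.
Added example; the line format and the sample lines are constructed."""
import re
from collections import defaultdict

# Constructed audit-trail export (hypothetical format).
AUDIT_LOG = """\
2024-03-04 09:12 INV-1041 created_by=alice amount=1250.00
2024-03-04 09:40 INV-1041 approved_by=bob
2024-03-04 11:05 INV-1041 paid_by=carol
2024-03-05 08:02 INV-1042 created_by=bob amount=4200.00
2024-03-05 08:03 INV-1042 approved_by=bob
2024-03-05 08:10 INV-1042 paid_by=bob
2024-03-06 14:30 INV-1043 created_by=alice amount=800.00
2024-03-06 15:01 INV-1043 paid_by=carol
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<invoice>INV-\d+) "
    r"(?P<action>created|approved|paid)_by=(?P<user>\w+)"
    r"(?: amount=(?P<amount>[\d.]+))?$"
)


def parse_log(text: str) -> dict[str, dict[str, str]]:
    """Map each invoice to {action: user}. A line that does not match the
    export format is an error, not something to skip silently: a gap in an
    audit trail is itself a finding."""
    invoices: dict[str, dict[str, str]] = defaultdict(dict)
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"line {n} does not match the expected export format: {line!r}")
        invoices[m["invoice"]][m["action"]] = m["user"]
    return dict(invoices)


def check_separation(invoices: dict[str, dict[str, str]]) -> list[tuple[str, str]]:
    """Return (invoice, rule) for every breach of the one-person-cannot-do-both rule."""
    findings = []
    for inv, who in invoices.items():
        creator, approver, payer = who.get("created"), who.get("approved"), who.get("paid")
        if creator and approver and creator == approver:
            findings.append((inv, "SELF_APPROVAL"))
        if approver and payer and approver == payer:
            findings.append((inv, "APPROVER_ALSO_PAID"))
        if payer and not approver:
            findings.append((inv, "PAID_WITHOUT_APPROVAL"))
    return sorted(findings)


if __name__ == "__main__":
    for inv, rule in check_separation(parse_log(AUDIT_LOG)):
        print(inv, rule)
```

In a very small business the same name will legitimately appear in two roles; the point of running the check is that every such case is then a known, reviewed exception rather than something nobody noticed.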

Data loss prevention technologies

There are a number of software packages and hardware systems that let you monitor and manage information leaving your organisation.   Controls range from restricting USB devices to policing cloud storage, so that your trade secrets do not leave the organisation.

End point protection

This last point is more a defence against one of your people being infected with malware.   If you have done the other nine points, malware that gets past the endpoint protection will have limited impact on the organisation, because the compromised user had limited access in the first place.

In addition there should always be two layers of endpoint protection, at the firewall and on the devices, preferably from different vendors.   If malware gets past one it may not get past the second.

These ten ideas will leave your organisation better protected from an attack by an employee or staff member.

Roger Smith is the CEO of R & I ICT Consulting Services, Amazon #1 selling author on Cybercrime, author of the Digital Security Toolbox and author of the SME Digital Security Framework.   He is a Speaker, Author, Teacher and educator on cybercrime and how to protect yourself from the digital world.

(Video) Why is a managed firewall a good business decision

Roger Smith, CEO at R & I ICT Consulting Services Pty Ltd and Amazon #1 author on Cybercrime discusses why a managed firewall is a good business decision.

[Start of transcript]

Hi. My name is Roger and today I’d like to talk to you about why a managed firewall is a good business decision. Now, small and medium businesses, not-for-profit organizations, SMEs in general are usually the people who go down to the local retail store and buy an off-the-shelf that connects your business to the internet. Now usually they are a dumb piece of equipment. Yes, they will have all the and they can connect and they have a rudimentary firewall in place, but they’re not really or truly protecting your business.

To protect your business you need to have the next step up. You need to have what we call a UTM, a Unified Threat Management system. Now unified threats means it looks at all the problems that are on the internet. So it’ll manage your people going to infected websites, it’ll manage phishing attacks, it’ll manage intrusion detection. So it’ll tell you when people are trying to attack you. And that is very important as a business.

But when it comes to managing a business, you have a problem: that next step up is also the next step up in how you program it, manage it, look after it. And in most cases you are putting Cisco, FortiGate, Palo Alto in place and you don’t have the expertise internally to manage it. This is where the managed service provider comes in. Because they have the expertise to manage it.

They have the expertise to make sure that it hasn’t got any problems. They have the expertise to make sure that no matter what happens you know that it’s been put in place properly. It’s got the right management in place, it’s been updated regularly and it does protect your business. And that’s what a good firewall does.

Thank you very much.

[End of transcript]

(Video) How to prove your Cybersecurity is working

Roger Smith, CEO at R & I ICT Consulting Services Pty Ltd and Amazon #1 author on Cybercrime discusses why you need to prove your cybersecurity and digital security.

[Start of transcript]

Hi. Today I’d like to talk to you about how to prove your cybersecurity is working. So you’ve put a lot of defense processes in place and now you need to find out how secure they have made your business. Now, in most cases the IT department will run their own tests or your managed service provider will run their own tests.

But those tests are based on what they know about how it should be protected. So they’re using best practices and they’re using the patching and making sure it’s got all the up-to-date information on them. But you can never be sure that that system is now secure unless you have someone test it. But the trouble is, when we’re testing it, you have to find a person who’s not going to put patches on. Who is going to tell you exactly what you need to do. And also not rely on them making a report to you and then expecting you to pay for the fix if there is one.

So making sure that your cybersecurity is secure and your organization is secure is really an ongoing process. But the outside world, or the people who are attacking your business, are using automated systems. They’re using automated scripts, they’re using automated systems to access social media sites and learning how and what and who you are. So you have to make sure that your cybersecurity is working. So how can you do that?

Well, one of the best ways you can do it is you pay to have someone try and compromise your systems. By trying to compromise your systems, they’re using the same attack factors that the bad guys are using. They’re using the same processes that the bad guys are using. They’re not relying on, we know there’s a problem and we know how to get past it. But they are relying on how the hacker or the script kiddie or the hacktivist is going to try to access your system. So one of the big things about the IT world is we’re very arrogant. We all admit that across the board. What I say is how I do things. And when it comes to IT, that’s what a lot of people believe.

But the problem with that sort of attitude is it’s got no room for someone who knows something about the system that I don’t know about. So if I’ve got an external person coming in to test my cybersecurity then I know that they are going to use different tactics, they are going to use different systems, they are going to use totally different objectives to what I expect. And that is what cybersecurity is all about. They may be only getting in, but you’ve got encrypted information – all your databases are encrypted.

Then if they do get in they still read information, you get a report, but you’ll also know that that information hasn’t been able to be compromised because it’s encrypted. So when it comes to how you’re going to make sure that your systems are working, you need to prove your cybersecurity. And if you prove your cybersecurity, your information and your business and the people who trust you to hold that information is going to be very, very high.

Thank you very much.

[End of transcript]

How to secure your mobile device!

Mobile devices are the way we now do business.   From checking email and surfing the web to connecting on social media and creating reports, we are always on, always connected, always busy.

Smart devices, phones and tablets, are critical to having an edge over your competition.   They hold a large amount of data that most people do not consider important, until we lose it.   Then we realise, too late, that we have lost some very important information.

Using mobile devices means that we can work from anywhere at any time, if we want to.   The lines between work, business and our personal lives are blurring, especially if you are the owner or a manager of a small or medium business (SMB).

The risk requirements for both BYOD and business-supplied devices are important to ensuring the rest of the business is secure: a device that holds company email and documents is part of the company’s perimeter wherever it happens to be.

With so much happening on our mobile devices, how do we protect them from both the physical world and the digital world?

Think about these ideas for protecting the physical device.

  • Never leave it alone.   In some places your phone can be stolen right out of your hand while you are talking on it (in New York this is called apple picking).   In most places, the simple act of leaving your device on a table while you pick up your coffee is the only opportunity the bad guys need.
  • When it is not being used, lock it.   A simple 4-digit code, a decent password or biometrics protects the information on your device against the first attempt at access.   Bear in mind that a 4-digit code has only 10,000 combinations, so it relies on the attempt limit: set the device to lock for x minutes (or wipe itself) after 3 or 5 failed attempts, which gives you time to remotely wipe it, and check that storage encryption is switched on so the data cannot simply be read off the device.
  • Back it up.   You never know when something bad is going to happen to your phone.   Whether it is stolen or dropped in the toilet, how will you get your precious data back, your contacts for instance?

That is the physical side.   What about digital protection?

  • Passwords.   Yes, we hate them, but in today’s digital world they are one of the few things that keep the bad guys out.   All passwords should be 8 or more characters, use a mix of character types (capitals, numbers and symbols), not be a dictionary-based word, be easy to remember and be unique for each site.   That is exactly why we ignore those requirements and use the same one for everything.
  • If passwords are a problem, get a password manager or a single sign-on (SSO) system.   This lets you use complex, unique passwords without having to remember them.   SSO can also be deployed by an organisation to protect its social media and infrastructure accounts: if a device is compromised, you revoke that one identity’s access to your business systems instead of chasing every password.
  • Run anti-virus / anti-malware.   Most people think the Android and Apple operating systems are secure.   That is only part of the story.   Although Apple’s platform is more tightly locked down, malware does not always attack the operating system itself: on desktops it goes after components such as Java, Flash and Adobe products, and on phones and tablets it arrives inside malicious or tampered apps.   That is why all devices need AV as a real-time protection system, as well as a regular scan to pick up malware that disguised itself during installation.
  • Only install legitimate software.   Software in the App Store (Apple) and the Google Play store (Android) has been vetted to a level that weeds out most malicious code.   Some malicious apps sneak through, but they are usually removed quickly.   Applications downloaded directly from websites (sideloaded) have no such protection and are especially prone to infection.
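The password rules in the list above can be checked mechanically, and the most useful check is for the rule people break most often: the same password on several sites.   The Python below is an added example and not from the original article; the site/password pairs and the small word list are constructed, and `WORDLIST` stands in for a real dictionary or breached-password list.

```python
"""Check a set of site passwords against the rules in the article:
length, character mix, dictionary words and reuse across sites.
Added example; the sample credentials and word list are constructed."""
import re
from collections import Counter

# Constructed sample: (site, password). Never store real passwords like this.
CREDENTIALS = [
    ("bank", "Summer2019!"),
    ("email", "Summer2019!"),
    ("social", "password"),
    ("vpn", "x7#Qp!2vLm9"),
    ("printer", "Ab1!"),
]

# Stands in for a real dictionary / breached-password list.
WORDLIST = {"password", "summer", "welcome", "letmein", "qwerty", "admin"}

MIN_LENGTH = 8
MIN_CLASSES = 3  # of: lower, upper, digit, symbol


def character_classes(pw: str) -> int:
    """Count how many of the four character classes the password uses."""
    return sum(bool(re.search(p, pw)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))


def dictionary_based(pw: str, wordlist: set[str]) -> bool:
    """Strip digits/symbols and case so 'Summer2019!' is recognised as 'summer'.
    A bolted-on year and exclamation mark do not make a word unguessable."""
    base = re.sub(r"[^A-Za-z]", "", pw).lower()
    return bool(base) and base in wordlist


def audit_passwords(creds, wordlist=WORDLIST) -> dict[str, list[str]]:
    """Return site -> list of rule names broken (empty list = passes)."""
    uses = Counter(pw for _, pw in creds)
    report = {}
    for site, pw in creds:
        issues = []
        if len(pw) < MIN_LENGTH:
            issues.append("TOO_SHORT")
        if character_classes(pw) < MIN_CLASSES:
            issues.append("WEAK_MIX")
        if dictionary_based(pw, wordlist):
            issues.append("DICTIONARY_BASED")
        if uses[pw] > 1:          # same secret protecting more than one site
            issues.append("REUSED")
        report[site] = issues
    return report


if __name__ == "__main__":
    for site, issues in audit_passwords(CREDENTIALS).items():
        print(f"{site:8} {'OK' if not issues else ', '.join(issues)}")
```

The reuse check is the one a password manager solves for you: once every site has its own generated password, `REUSED` can never fire, and a breach of one site stops being a breach of your email and your bank.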

Managing business risk is critical to the resilience of the business.   Make sure your road warriors have the resources they need to work, but also that they are safe and secure and protect your business.

So you want to outsource your digital security to a managed security service provider!

There are huge benefits to getting a reputable organisation to manage your digital security.   There is also a large risk-management component and a due-diligence process to follow to ensure you are getting the best available.

Outsourcing your digital security involves an in-depth discovery process.   It is not a decision that should be based solely on price.   Getting the right company with the best reputation is critical to your organisation’s viability; a bad decision, or one based solely on cost, can cripple your business.

These are the areas that you should look at prior to looking at the cost component:

  1. What are they going to do for your organisation?
    • A good Managed Security Service Provider (MSSP) will not only look at your firewall, anti-virus and patching.   A good MSSP has a holistic outlook on how it protects its clients and will be in a position to implement “security change” across your organisation.
    • That holistic outlook takes the following into account (start with a protection philosophy and end with a compliance requirement):
      • Technology – UTM firewall, wireless, VPN, best practice and patch management.
      • Management – policy, procedure, process, auditing, reporting, training and education.
      • Adaptability – disaster recovery, business continuity, business resilience, backup and culture.
      • Compliance – if you have done the above, compliance is relatively easy.
    • An MSSP will have the empathy and understanding to ensure your organisation is protected.
  2. Do they have the expertise?
    • Most managed security service providers focus on one or two types of technology in specific areas.   They may focus on Cisco or WatchGuard, a specific AV product, or a specific make and model of PC.
    • This specialisation ensures the MSSP has the right level of education, training and capability within its ranks.
    • A good MSSP should have people who are experts in one or more areas of digital protection; if they do not, talk to another MSSP.
  3. Do they have the capability?
    • Most MSSPs have the capacity to manage clients.   They will have trained people at every level of the organisation to ensure that they are servicing their clients to the best of their ability.   When it comes to capability, the MSSP should have staff with professional qualifications to support your business.
  4. What are they going to change to make their life easier?
    • There are two reasons an MSSP will recommend changes:
      • The systems you have in place are not doing the job they should be doing and need to be replaced with more secure ones.
      • The systems you have in place cannot be supported by the MSSP because it does not have the expertise on staff.   So if you have recently invested $10K in a firewall and they want you to replace it with another one worth the same, you probably have the wrong MSSP.
  5. What benefits are you going to get out of it if you PARTNER with them?
    • Outsourcing your digital security to an MSSP is a partnership.   They are there to protect your data, your infrastructure, your clients and your staff, and you pay them to do that.   Make sure all parties understand their requirements by putting a service level agreement (SLA) in place.   No SLA, no contract.
  6. How much will it cost?
    • Finally we have the cost.   You should always know how much your monthly digital security cost will be.   If the monthly cost is going to fluctuate, once again you should be looking at alternatives.   The cost of an MSSP SLA should include monitoring, management and reporting; it will not include projects outside the scope of the SLA.

There you have it: if you employ an MSSP based solely on how much it costs, your organisation will not have the right digital protection.

There are a large number of organisations out there who think they are MSSPs but lack the expertise, capability and understanding required to protect your organisation.

(Video) How playing a game can improve your DR

Roger Smith, CEO at R & I ICT Consulting Services Pty Ltd and Amazon #1 author on Cybercrime discusses how playing a game can improve your DR process

Hi. My name is Roger. Today I’d like to talk to you about how playing a game can improve your disaster recovery. Disaster recovery is understanding what your business is going to do when everything goes catastrophic. So what are you going to do when the building winds down? What are you going to do if flood waters come through? What happens if you get a cyber attack and they take out your main systems?

So disaster recovery is really important because it makes sure that you have the plan to go forward and go on to your business continuity and make sure everything works. But how do you test it? You don’t want to be in a situation where the first test that you do of your disaster recovery is when the flood water is flowing in under the door. Because that is not a place to be. And I can tell you it’s an experience that I wouldn’t wish on my worst enemy. So how do we test it? One of the ways we can test it and have an impact on the business is to actually physically do it. [Indiscernible 00:01:12]. What’s everybody going to do when everyone’s running around in circles? That is not really a good and economical way of testing a disaster recovery. And disaster recovery needs to be tested regularly. Once every six months, once every three months, once every year minimum. So it needs to be done. But you don’t want to take everybody out of the loop and make sure that they literally stop working. If you stop working, all of that money, all of the revenue these people are generating is just going out the window. So what do you need to do? Well, one of the things we’ve come up with is you play a game. You pick all your primary people around a table in a boardroom and you go [Indiscernible 00:02:00] and he will say, okay, you’ve lost this.

Now what is your business disaster recovery system going to make sure that you can do about that? Is the backup in place? Where is the backup? Who’s got the backup? Is the backup [Indiscernible 00:02:18]? So let’s take out the server. The server has what? What are you guys going to do if you don’t have Exchange? Office 365, you just take an internet connection.

What are you going to do now? That is what disaster recovery is all about. By finding out how you react to those cards [Indiscernible 00:02:43], you will then find holes that you can resolve and make sure that when the real problem happens, when the flood comes underneath the door, you have a solution in place that is going to go: turn that off, pick it up and move it over there, hand it in, turn it off and off you go. Because that is your disaster recovery plan. So if you want to have a decent disaster recovery plan without using the revenue usually involved in testing it, then please contact us, we will quite happily come on the [Indiscernible 00:03:21] and make sure that you can do it. Thank you very much.

[End of transcript]

(Video) Will IoT impact your SME?

Hello. My name is Roger and today I’d like to talk to you about whether the Internet of Things (IoT) will have an impact on your small business. The Internet of Things is a new technology that’s coming out and is now becoming an underlying component of a number of things. The Internet of Things relies on two things: one, being able to report to something, and an Internet of Things device can be collecting data about anything.

So, for instance, as a product, a tracker: if you want to make sure that your mobile phone – well, not mobile phones, it’s a bit big for that – but your laptop can’t be stolen, you set a little tracker that [Indiscernible 00:00:48] and anywhere in the world that will tell you where it is by using the internet and a large number of other systems that they’ve got in there.

How about the pro-fit systems that are now coming out, where I can put a band on my wrist and it will tell me my heartbeat, my blood pressure and how much I’m sweating and whether I need to drink… all of those components.

Now for small business, pro-fit may not be a good fit. But things like a tracker would be, because the Internet of Things is going in that direction. We are building devices now that are going to benefit people. We used to have systems that were complicated, not very robust. Whereas with the Internet of Things, you can buy one, put it on whatever you need it to monitor and it will report back to you.

And it will last for twelve or eleven months without changing batteries. And it’ll talk to whatever device you’ve set it up to talk to. So if it’s got a Bluetooth component, as I said, pro-fit, it talks to your phone which then tells your main system how fit you are and what you’re doing and why you just had a [Indiscernible 00:02:02] heartbeat because you’ve been pushing too much.

So that’s what IoT will do. So the impact it will have on your business over the next five or six years is going to be pretty huge. And it’s something you need to start factoring in when you’re thinking about how well you are going to do business going forward.

Thank you very much.

[End of transcript]

(Video) How mobile is your business

Hi. My name is Roger and today I’d like to talk about how mobile your business technology is, and why your business needs to be mobile. The business world has changed rather drastically in the last couple of years, and more and more people are doing business on mobile phones, tablets, laptops.

Because they can. Because all the associated systems utilize the cloud technology component of any business. So if you want to be able to collaborate and you don’t quite know how to do it, but you have an application that does that,

then the application needs to be able to be used in a coffee shop. And you need to be able to get into that application at home. And if you’re [Indiscernible 00:00:52] where you’re doing project management, all of those emails that then come through the system saying you need access to the system at all times.

But mobility is really critical about one other thing, and that’s the connection to the digital world that device has. Whether it’s 3G or 4G is irrelevant. As long as there is a component that connects you to the rest of the digital world then you can utilize it and make your business mobile. But mobility doesn’t mean everything has to go into the cloud.

By having components like info soft, for instance, which is a sales component you can utilize, you don’t really need it on phones. You may need it on tablets because you can then go and have a meeting with someone and take notes directly into the system.

Very hard to do it on a phone device. But it can tell you when you have an appointment, and where you have to be, and why you have to be there and what you are talking about. So mobility today in business is really, really important because that’s the way we are going.

In the next five years we may not need offices because everything will be in the cloud. You will be working from home, everybody will be able to work in coffee shops. A great idea: have a business where everybody can come to you and, between everything else, all you do is serve coffee. So how mobile is your business technology? It depends on your requirement.

Thank you.

[End of transcript]

(Video) What is cloud computing?

Hi. My name is Roger and today I would just like to do a brief synopsis of what the cloud is and why we are using the cloud.

Well, the cloud we are using nowadays has a number of reasons. 1) It’s inexpensive, 2) it reduces your infrastructure costs and there is no capital [Indiscernible 00:00:20]. And it also becomes not a capex but an operational expense.

And those are some of the reasons. It’s no longer a case of you have to spend thousands of dollars to buy a server and thousands more dollars to find an operating system and then put that over in a corner and you have power to it and Ethernet cables and lots of stuff. So cloud is like buying electricity.

It’s now a resource that we can consume and utilize and then get rid of as we need. But there are three types of cloud. There’s the public cloud, which is everybody. So things like Dropbox are a public cloud environment.

Office 365 is a public cloud environment. So anybody can use it and anybody can get on it. Then we have a private cloud. Now a private cloud is a cloud that’s supplied by a cloud provider but only one customer can utilize it. And that information on that customer is where this information is going to be stored. And then they manage it for you. And then on top of that you’ve got a hybrid cloud. So you can have a bit of public and a bit of private.

Even though most of the time they won’t talk to each other, you can have storage in one place. You can have operating systems in another. But what do we use the cloud for? Well, in utilization of the cloud, there are three main levels. So we can have infrastructure as a service. That’s where I go and buy a virtual server.

I manage the server but they manage the hardware. So with them looking after the infrastructure, everything that’s above the infrastructure is our responsibility. And again you need people who know operating systems, you need people who know applications, you need people who know SQL and web data and all of that.

The second component is platform as a service. This is where the cloud provider provides the server and the operating system, and that gives you a platform to be able to do everything else that you need to do.

But in both of those cases, when it comes to things like antivirus, updates, how you manage it, that’s all your responsibility. And then finally we have software as a service. Software as a service is just the data. So you don’t have to manage every Exchange because Office 365 does — all that does is connect to the Exchange that you have got and then it can send out your email.

Office 365, for instance, for things like Dropbox and OneDrive and any of those Microsoft products that have a component that is in the “cloud”. So you have access to that data because it’s the storage area, but that is what the cloud is. So those three things, infrastructure as a service, platform as a service and software as a service, are the way that derivatives of cloud are coming from.

And you can utilize any components of those. You no longer have to spend $25,000/- getting a server and putting in plugs because you can spend $1000/- a month doing everything you need to do from the server which you’ve got as infrastructure as a service.

Thank you very much.

[End of transcript]

Roger Smith is the CEO of R & I ICT Consulting Services, Amazon #1 selling author on Cybercrime, author of the Digital Security Toolbox and author of the SME Digital Security Framework.   Rapid Restart Appliance Creator.   He is a Speaker, Author, Teacher and Educator on cybercrime and how to protect yourself from the digital world. 

(Video) How an SMB can reduce its labour costs using an MSP

Hi. My name is Roger. I’d like to talk to you today about how to reduce your business labor costs, and how as a small business you can go forward using the right technology. As we all know, for SMEs in business it can be very difficult and very complicated: how you use technology, why you use it, what you want to use it for. So you need to get the right qualified people, and at the best of times that can be hard.

On top of that you need to make sure that those people are actually going to resolve the problems that you have inside your business. But when it comes to paying for someone in the ICT industry, that can be very expensive. Some of the people that I work with or I know can cost up to $150,000 to $200,000 for what they do.

So what you end up with is someone in a business who is multi-talented. They are your sales person but they are also your IT person. They’re your marketing person but they’re also your IT person. And that does two things. It takes away from their marketing role, their sales role, their reception role or their CEO role, which is very credible for the business,

and puts them into something that takes a long time to resolve, like getting little Johnny’s email to work properly or having little John and Sara talking to the right people when setting up meetings, or all that stuff. So you then have other problems associated with that. So one of the things we really need to look at is: how do you reduce those very expensive labor costs of having an ICT person on board, or how do you reduce the chance that your sales person is no longer going to do sales because he is too interested in doing the IT?

One of the best ways to do that is to outsource your IT. Now if you outsource your IT, you have someone who comes in or is available on the web, on a helpdesk system. They can access your PCs, they can talk you through your problems, all of that sort of stuff. And your sales person and your marketing person continue doing what they do and what they do best.

They are generating revenue for your business, not wasting time making the printers work or meetings to call and all those things. So when it comes to reducing your business labor costs, have a really good look at what an MSP can do for your business, because I can guarantee that by taking that role away from someone who is doing something else, that person will then go off and make more revenue for you.

Thank you.

[End of transcript]