(Video) What questions should I be asking about my Managed Service Provider

Roger Smith, CEO at R & I ICT Consulting Services Pty Ltd, Amazon #1 author on Cybercrime and founder of the SME Security Framework | Speaker | Consultant | Trainer discusses –  What questions should I be asking about my Managed Service Provider

[start of transcript]

Hello, my name is Roger and today I’d like to talk to you about what questions you should be asking about your managed service provider or your outsourced IT company. There are a number of questions you should be asking before you even get involved with an outsourcing company. Are they stable? Have they been around for a while?

Have they been around for three years or have they been around for three months? Whether they’ve been around for three months also bears on what sort of expertise they have. The next question you should be asking is: can they scale?

Your business is booming and you have now gone from ten people to twenty-five people in the space of three months. So are they going to be able to manage that scale when that happens for your business? Do they have the experience and the expertise within the business?

Do they know how to set up a Cisco router, or are they going to play around with it and hope for the best? Do they know how to set up a client-based server, or again are they going to hope for the best?

Have they got policies and procedures in place to make sure that if John Watts comes into your office to fix something that Peter, the next I.T. person is going to come in and not have to relearn everything that’s been done?

This is really important, because if you’re paying an hourly rate he’s going to take three hours to do what took an hour to do, because he doesn’t know what’s been done, and that’s a really big impact on a business.

Another question you should be asking is: are they helping my business? Are they making sure I have the right technology, that I’m using the right technology in the right place, that I’m using the right systems to make sure things are going to work?

Because if you don’t do that, then your business is going to have problems competing with other businesses, and you’re going to have those sorts of issues with making sure that you’re competing at the right levels.

One of the other things you should be asking is: are they nameless and invisible? Have you had an MSP or a contract with a company where you haven’t seen anybody? The only person you’ve spoken to is a voice on the end of the telephone. The only person you speak to is a new man. Are they in your office? Do people see them? Are they seen regularly, to make sure that your systems are working to the best level, not just invisible to everybody else?

Thank you very much.

[End of transcript]

(Video) AntiVirus does protect you in the digital world

Roger Smith, CEO at R & I ICT Consulting Services Pty Ltd, Amazon #1 author on Cybercrime and founder of the SME Security Framework | Speaker | Consultant | Trainer discusses –  why and How antivirus protects you in the digital world

[start of transcript]

Hi. My name is Roger and today I’d like to talk to you about antivirus and how antivirus protects you in the digital world. Now there are a couple of schools of thought about antivirus: one, it doesn’t work; one, it does work. Those schools of thought are correct in both respects. Sometimes it doesn’t work, sometimes it does work, but an antivirus system is also designed to do a number of things.

One, it catches the old problems that we’ve had. It catches all the viruses which are out there and they are [0:40 inaudible], but it also catches things that have been stored on your system that weren’t classified or weren’t called out before but are now.

A regular scan will catch those infections, because the regular scan is now using the new systems, because those updates are now looking for the components that are on your system. But antivirus also does one thing: it only does its job if two things are happening.

One, if you’re patching your system, and two, if you’re regularly updating your antivirus. So whether you update or scan [1:27 inaudible], your definitions are part of the process to make sure your antivirus does protect you in the digital world.

Thank you.

[End of transcript]

(video) What sort of monitoring is needed by an SME.

Roger Smith, CEO at R & I ICT Consulting Services Pty Ltd and Amazon #1 author on Cybercrime discusses system monitoring and why an SME needs it.

[Start of transcript]

Hi. My name is Roger. I’d like to talk to you today about what sort of monitoring is needed by a small and medium enterprise or a non-profit organization.

In today’s world, if something breaks it usually stops what you are doing pretty drastically. If your hard drive fails in your laptop or in your PC then naturally that becomes just a paperweight on your table, and you don’t want that to happen. You don’t want to be in a situation where the moment it fails is the first time you realize you had a problem, and this is where system monitoring comes into it.

Most managed service providers will have a monitoring component that is probably free or very inexpensive as part of their package. Because it’s really important to them to understand (a) that you’ve got a problem and (b) to fix the problem before you realize you have a problem, which makes them look really good. And that’s what it’s all about, making them look really good in your eyes.

So, instead of having the hard drive fail, or having had the PC running for a long time and then having it come up and say, ‘well, it’s running out of space’, you need to know that sort of thing. And this is where that sort of monitoring comes in.

When they install the monitoring system, they actually do it on all of the PCs, all of the laptops, all of the tablets and phones, and they create a baseline. That baseline is how it works now. So they can see what happens over the course of a couple of months and a couple of years, and when you need to replace it or when you need to upgrade it. If your processor is working overtime just because you’re doing graphic design, then you need a better computer to do the job.

And as I said, the good thing about a managed service provider, if they’ve got a monitoring component, is that they will look at the system and go, ‘that’s going to break, we better do something, here’s a hard drive, go and put it in and swap all the data over’. And that is why you need to have it.

Thank you very much.

[end of transcript]

(Video) What is managed web filtering?

Roger Smith, CEO at R & I ICT Consulting Services Pty Ltd and Amazon #1 author on Cybercrime discusses managed web filtering

[Start of transcript]

Hello, my name is Roger. What is managed web filtering? Well, we all know that everybody likes to access the internet, whether it’s on a tablet, on a mobile phone, a laptop, a computer, even on the server when you need to download updates and things like that. You always need to access the digital world in some way.

But the trouble is, the bad guys know how we all access the internet, and they are always willing to put little traps and systems in place so they can actually get information out of you or infect your computers.

Now what I mean by that is, websites are created, and we all have websites. Websites are not created equally. Some are high-end, high-processing e-commerce sites that are secure and locked down, and everything is really hunky-dory.

But at the other end of the scale, there are people who put together a WordPress website who don’t worry about security, don’t worry about patching or widgets, making sure all the plugins are working, making sure the plugins are all patched up.

Now if this website, the one that was done in WordPress, gets hacked, there are a number of things they can do to you. They can hack your website and take it down. Bang, there goes your website. Or they can just deface it. We were here, stuff you. Great.

The worst one they can do is they can actually infect it, so that all of the visitors coming to your site will actually be asked to download something now or then. Now when that happens, you need a system in place that will protect you from that happening to you. Now how do you do that?

Well, there are a number of products around that allow you to protect the way you surf the internet. And by that protection, it will come up and go, don’t go to this website because it’s infected, or it may go to something that says, when you log on to the website, something is wrong.

And that is really important for business. Because if you get malware on your PC or your laptop, or your tablet, or your phone, then the bad guys have access to that information. What people don’t understand is it can happen to anybody’s website.

It can happen at the lowest level, where your web host, your hosting company, has been hacked, and the server with all of those websites on it is now vulnerable. Or you could be a major news site.

There have been times where places like ninemsn have been not so much hacked, but the systems that run their ads have been infected, which then infects the people who come to it.

The other way that you get infected is through Ethernet. So this is a process that the bad guys call water holing, because everybody has to go there to get information. The biggest one that we’ve ever seen was when they infected a site that looks after human resources. So everybody had to go there to work out their leave, and every time they went there they got infected.

But on top of that, if you get an infection from a website, and you haven’t been protecting yourself in such a way that it will come up and tell you that you’ve got a chance of being infected by the website, then you have a problem with your own technology itself. Because it is no longer yours. It has spyware, it has malware. It may even have things like drive-by malware that encrypts all the information on your system. You don’t want to be in that situation.

On top of that, people also believe that if you go to pornographic sites you’re going to get infected. To tell you the truth, pornographic sites are probably the most secure websites on the internet that have ads. And there’s something to that, because the pornographic sites need people to come to them all the time. And yes, it’s huge business, it’s really a lot of money that they get.

So, you need to have some way to protect yourself, and that is where a managed web filter comes in. That managed web filter will sit on the desktop, or the laptop, or the tablet and phone, and actually intercept the information before it gets to your technology itself, and will protect you. And because it’s managed web filtering, it’s like any other cloud product: it is a monthly fee.

Thank you.

[End of transcript]

(Video) How are you protecting your clients information

Roger Smith, CEO at R & I ICT Consulting Services Pty Ltd and Amazon #1 author on Cybercrime discusses how small and medium businesses and not-for-profit organisations are protecting their clients’ information.

[Start of transcript]

Hi, my name is Roger. How are you protecting your clients’ information? Every business nowadays uses a digital component to make that business work. And by having that digital component, and making that information available to your staff, you have to make sure that you are protecting that information at all times.

That information can be anything as basic as a telephone number associated with a person who’s associated with a registration number on your car. That information is really critical to taking it to the next level for protecting your business, and protecting your clients. Because clients are not going to trust you if you are known to breach their privacy.

So to protect the information that you’re collecting from other people, you need to be sure about what you’re collecting: are you going to use it, and do you need it? Because it’s no use collecting all this information if it’s just going to sit in a database until one day we get to it. Because that just gives you exposure to a number of other problems.

You also need to be able to segregate that information. You need to be able to take that information and go, “We don’t need that information,” or, “Those certain people do need access to that information.”

And the final part is, you never store information about people together with information about their credit cards. Because if you do that, and something does happen in the background, and someone does get compromised, then they have all of that information.

So do you know where all your client data is? Do you know where it’s located, who has access to it, and why those people have access to it? Thank you very much.

[End of transcript]

10 things that any business can do to fight the insider threat – cybersecurity

We have all heard about the damage a staff member can do to an organisation. From stealing critical information, to running an embezzlement scheme, to just being a pain in the ass, an insider threat can cripple an organisation in a very short time.

So what can you do to protect yourself from an employee going rogue?

Background checks

It is critically important, in today’s business world, that you make sure you are getting the person who appears on paper. So after the basic weeding-out process, and before the offer of an interview, you need to check the truth behind the resume. In most cases a quick check of references and a look at social media will give you an inkling of a person’s character, capability and attitude. If there are no obvious contradictions then it is safe to proceed to the next level. (You could also use a psychological test such as the one supplied by www.thewhitehousereport.com.au.)

In addition to this, when someone leaves, cancel their access as soon as possible. Relationships can sour, and it is best that when someone has left they no longer have access to any part of the organisation: network logins, email, VPN, cloud services, and any shared passwords they knew, which need to be changed.

This is doubly important if you are firing someone. Before you go through the actual process of firing them, make sure they have no access to your systems: disable the accounts while the termination meeting is happening, not the next morning.

Acceptable use

The insider can quite easily steal your time and money without actually doing anything illegal. Staff members who spend a lot of time on social media, especially when they are supposed to be working, can have a detrimental effect not only on the business but also on staff morale.

Make sure that you have policies in place that specify what people can and cannot do with business assets.

Least privileges

Staff members should only have access to the information they need to do their jobs. In the case of small and medium business you have to make a conscious decision that you cannot trust everyone; by not trusting everyone you are actually protecting your business. The larger the organisation, the more need there is to separate working areas and capabilities. In practice this means granting access by role or group rather than to individuals, and reviewing who has access to what at least once a year.

Administrator privilege

In any organisation there should be only a minimal number of administrators. In most areas there is a need to ensure that staff and users only have access to what they need to do the job. The administrator account should not be used except for administration. It should never be associated with an email or webmail account, because a phishing email opened while signed in as an administrator hands the attacker administrator rights.

All administrators should have separate logins for normal work. This reduces the risk of the administrator login being compromised, and ensures that only a minimal number of accounts can administer the business.
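As an added example (not from the original article), here is a small Python audit that checks the points above against an export of user accounts: leavers whose access was never cancelled, administrator accounts that also carry a mailbox, administrator accounts being used for day-to-day sign-ins, and too many live administrators. The CSV columns, the sample rows, the user names and the thresholds are all assumptions; adapt them to whatever your directory or mail tenant can export.

```python
import csv
import io
from datetime import date

# Constructed sample export (not real data). The columns are an assumption;
# most directories can export something equivalent.
SAMPLE_EXPORT = """\
username,enabled,is_admin,has_mailbox,termination_date,last_logon,interactive_logons_30d
jwatts,true,false,true,,2024-05-01,22
jwatts-adm,true,true,false,,2024-04-30,1
pbrown,true,false,true,2024-03-15,2024-04-20,0
pbrown-adm,true,true,true,2024-03-15,2024-04-29,15
svc-backup,true,true,false,,2024-05-01,0
"""


def _flag(value):
    return value.strip().lower() == "true"


def _day(value):
    return date.fromisoformat(value) if value.strip() else None


def parse_export(text):
    """Turn the CSV export into a list of dicts with typed fields."""
    accounts = []
    for row in csv.DictReader(io.StringIO(text)):
        accounts.append({
            "username": row["username"].strip(),
            "enabled": _flag(row["enabled"]),
            "is_admin": _flag(row["is_admin"]),
            "has_mailbox": _flag(row["has_mailbox"]),
            "termination_date": _day(row["termination_date"]),
            "last_logon": _day(row["last_logon"]),
            "interactive_logons_30d": int(row["interactive_logons_30d"]),
        })
    return accounts


def audit_accounts(accounts, today, max_admins=3, daily_use_threshold=10):
    """Return (username, finding) pairs for the controls described above."""
    findings = []
    for acct in accounts:
        left = acct["termination_date"]
        # Leavers: access must go when the person goes.
        if left and left <= today and acct["enabled"]:
            findings.append((acct["username"], "leaver still enabled"))
        if left and acct["last_logon"] and acct["last_logon"] > left:
            findings.append((acct["username"], "logon after termination date"))
        # Administrator privilege: no mailbox, not used for normal work.
        if acct["is_admin"] and acct["has_mailbox"]:
            findings.append((acct["username"], "admin account has a mailbox"))
        if acct["is_admin"] and acct["interactive_logons_30d"] >= daily_use_threshold:
            findings.append((acct["username"], "admin account used for daily work"))
    # Least privilege: keep the number of live administrators small.
    admins = [a for a in accounts if a["is_admin"] and a["enabled"]]
    if len(admins) > max_admins:
        findings.append(("*", f"{len(admins)} enabled admin accounts, limit is {max_admins}"))
    return findings


def run_sample_audit(today="2024-05-02", **limits):
    """Audit the constructed export as of `today` (an ISO date string)."""
    return audit_accounts(parse_export(SAMPLE_EXPORT), date.fromisoformat(today), **limits)


if __name__ == "__main__":
    for user, finding in run_sample_audit():
        print(f"{user:12} {finding}")
```

Run against the sample it reports six findings: both of pbrown's accounts are still enabled and have signed in weeks after the termination date, and the pbrown-adm account both has a mailbox and is being used for ordinary work. jwatts-adm, with no mailbox and one sign-in in the month, is what a correctly separated administrator login looks like. The real value is in running this on a schedule rather than once.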

Separation of duties

In a really small organisation this is very hard to do, but in larger organisations there should be a defined process for spending money from credit cards and bank accounts. There should be separation to ensure that one person is not both authorising and acquitting invoices and payments.

Job rotation

There are two reasons for this. It builds resilience into the business, because a backup person knows the processes the business needs in an emergency. The second reason is that it trains personnel in the roles and acts as an audit: a person rotated into a role will notice anything irregular left behind by the previous holder.

Mandatory holidays

Everyone needs to go on holiday. In most cases two to four weeks of consecutive leave should be mandatory. It allows for recharging batteries, and it protects the organisation from someone going rogue: a scheme that relies on one person being there every day to conceal it tends to surface while that person is away and someone else is doing the job.

Auditing

Most, if not all, accounting packages have an auditing feature. This feature needs to be running at all times so that you can check all transactions occurring within the organisation, and the audit log itself should not be editable by the people whose transactions it records.

Auditing can also be employed to track other components of the business, including information being passed through email, cloud-based technologies and cloud-based storage.

Data loss prevention technologies

There are a number of software packages and hardware systems that allow you to monitor and manage information leaving your organisation, from restricting USB devices to controlling what can be uploaded to cloud storage, to ensure that your trade secrets are not walking out the door.

End point protection

This last point is more a solution to one of your people getting infected with malware. If you have done all of the other nine points then malware will have little impact on the organisation even if it does get past the endpoint protection systems.

In addition there should always be two levels of endpoint protection, at the firewall and on the devices, preferably using different vendors. If malware gets past one it may not get past the second.

These ten ideas will ensure that your organisation is better protected from an attack by an employee or staff member.

Roger Smith is the CEO of R & I ICT Consulting Services, Amazon #1 selling author on Cybercrime, author of the Digital Security Toolbox and author of the SME Digital Security Framework.   He is a Speaker, Author, Teacher and educator on cybercrime and how to protect yourself from the digital world.

How to secure your mobile device!

Mobile devices are the way we now do business. From checking email and surfing the web to connecting on social media and creating reports, we are always on, always connected, always busy.

Smart devices, phones and tablets, are critical to having an edge over your competition. They hold a large amount of data that most people do not consider important, until we lose it. We realise, too late, that we have lost some very important information.

Using mobile devices means that we can work from anywhere at any time, if we want to, that is. The lines between work, business and our personal lives are blurring, especially if you are a business owner or a manager of a small or medium business (SMB).

The risk requirements for both BYOD and business-supplied devices are very important to ensuring the rest of the business is secure.

With so much happening on our mobile devices, how do we protect them from both the physical world and the digital world?

Think about these ideas that you need to deploy to protect your physical device.

  • Never leave it alone. In some places your phone can be stolen right out of your hand while you are talking on it; in NY this is called apple picking. In most places, the simple act of leaving your device on a table while you pick up your coffee is the only opportunity the bad guys need.
  • When it is not being used, lock it. A simple 4-digit code, a decent password or biometrics ensures that the information on your device is protected against the first attempt at access; a longer passcode is better than four digits. Set the device to lock for a number of minutes after 3 or 5 failed attempts, or to erase itself after a set number of failures, so that you have time to remote-wipe the device. Make sure the device is encrypted, which current phones do once a passcode is set.
  • Back it up. You never know when something bad is going to happen to your phone. From theft to dropping it in the toilet, if it happens, how are you going to regain access to your precious data, your contacts for instance? Test that the backup actually restores, and remember that a backup of a device holding business data is business data too and needs the same protection.

That is the physical side, what about digital protection:

  • Passwords. Yes, we hate them, but in today’s digital world they are one of the only things keeping the bad guys out. All passwords should be 8 or more characters (longer is better; a passphrase of several unrelated words beats eight characters of symbols), use a mix of capitals, numbers and symbols, not be a dictionary word, be easy to remember and be unique for each site. That is also the reason we ignore those requirements and use the same one for everything.
  • If passwords are a problem, then get a password manager or a single sign-on (SSO) system. This will ensure that you can use complex, unique passwords and not have to worry about remembering them. SSO can also be deployed by an organisation to protect its social media and infrastructure logins: if a device is compromised, you revoke that device’s access to your business systems in one place. Turn on two-factor authentication wherever a site offers it; after unique passwords it is the biggest single improvement you can make.
  • Run anti-virus / anti-malware. Most people think that the Android and Apple operating systems are secure. This could not be further from the truth. Although Apple is a little more secure, malware is not always targeted at the operating system itself: on desktops it goes after add-ons like Java, Flash and Adobe Reader, and on mobile devices it arrives as a trojanised app or a malicious link. That is why Android devices need AV as a real-time protection system as well as a regular scan to pick up malware that disguised itself during installation. Note that on iOS the sandbox stops third-party security apps from inspecting other apps, so there the protection is keeping the OS updated and installing only from the App Store.
  • Only install legitimate software. Software in the App Store (Apple) and Google Play (Android) has been vetted to a level that is meant to ensure it does not include malicious code. Some malicious apps do slip through, but they are usually weeded out quickly. Applications downloaded directly from websites, or sideloaded on Android after enabling unknown sources, are especially prone to infection and have none of this protection.

Managing business risk is critical to the resilience of the business. Make sure that your road warriors have the resources available and needed to work, but that they are also safe, secure and protecting your business.


(Video) The part time person on staff who knows computers V’s the external Managed Services expert!

When it comes to managed services, there are two ways that a business can have its IT looked after:

  • You have an internal person who actually knows a bit about IT: they know about computers, or they play games.
  • And then we’ve got the external expertise. These are the people who are part of a business whose sole purpose is to look after information technology for other businesses.

When it comes to the internal people, there are a number of problems with having people on staff. One, it costs you a lot of money, especially if you’ve got a dedicated IT person.

A dedicated IT person, a jack of all trades, can cost you anywhere from $70-150K. Not many small businesses under 20 people can afford that cost. On top of that, they are going to be doing everything.

They are going to be:

  • fixing computer problems,
  • printer problems,
  • setting up firewalls,
  • setting up servers,
  • setting up policies,
  • putting policies in place,
  • working on business continuity,
  • Doing disaster recovery plans.
  • All of this for one person is difficult.

Yes, they could be the most competent person in the world. But I can guarantee, if they can do all that, they won’t be working for you very long. They will move into a managed service environment where they can specialize in an area that they are really focused on.

When it comes to external expertise, you don’t have to worry about that, because you know that if you’ve got a backup and restore problem, then an expert in backup and restore will come and have a look at it. Or, you have a problem with your printers. And someone who knows printers will come and have a look at it, or remote in and fix it.

These people are what you really need to make your business go forward, because they are the technical expertise that lets your business do what it needs to do.

This makes sure that you, the driving force behind the business, don’t have to worry about your IT. The managed service provider are the experts: they are the CIO, the CDO, the IT manager, whichever role you need to ask questions of, and they will know what to do.

And a good managed service provider will make sure that the external expertise that you require as a business to go forward are in place and ready.

How to make your organisation a smaller target of cybercrime

To most small and medium businesses and non-profit organisations the idea that they are a target of cybercrime is farcical. I constantly hear “we are too small to be a target”, even from organisations that have predicted revenue in the millions of dollars per year.

Cybercrime targets everyone who has a digital footprint. That includes computers and laptops as well as mobile phones and tablets. It doesn’t matter whether it is for work or for home, you are still a target.

The problem is “script kiddies”. These are the hacker wannabes. They have downloaded a hacking tool, often infecting their own computer in the process, and are ready to look for people to hack. Their tools scan the whole Internet for known, unpatched weaknesses rather than picking targets, which is why being small is no protection. Script kiddies make up 80% of the noise on the Internet.

How do you make that target smaller?

There are a number of free and low-cost strategies SMEs can employ that improve your security posture dramatically.

Train and educate your staff.

Everyone in the business should realise that they could be targeted by a cyber-criminal. Could they recognise a spear phishing email, or being targeted in a social engineering attack? Do they know not to use an unsecured Wi-Fi connection when away from the office? They won’t know these rules unless you tell them.

This knowledge comes from training. Your awareness training should not be a one-off indoctrination session. It should be augmented with additional training throughout the year.

There are other things that can be done to increase awareness:

  • Run a daily security email question; the first person to answer it gets a prize. Increase it to a monthly competition and have a substantial prize. Before you balk at the cost, $200 for a weekend away per month is much cheaper than cleaning up a computer, or worse a network, after a malware attack.
  • Have posters about basic security principles around the office. They are available from the Internet at a relatively low cost.

Patch everything

How annoying are those update prompts from Microsoft or Apple?   You haven’t got time for that, there is work to do or you have to go home.

Updates are very important to the operating system and the applications that you use in your business. They fix problems that have been discovered. These problems allow specific malware to target your computer, tablet or phone, and the download (patch) fixes them. Without the patch you are vulnerable; with the patch you are safe from that particular attack, though not from the next one, so patching has to be continuous rather than a once-a-year exercise. Remember the script kiddies: this is exactly what they target, because the tools they download are built for holes that have already been published and fixed. Patch the applications and the devices too, not just Windows or macOS: browsers, PDF readers, Java, Flash, routers and firewalls all need it.

Paranoia and common sense are your friend

It may seem silly, but not everyone on the Internet is your friend. In fact there are a huge number of people out there who want to do you harm.

There are two things that everyone on the Internet needs to realise: nothing is for free, and see above. So when you see that search result about some celebrity with no clothes on, remember the bad guys are out there and they are after you.

Social media (Twitter, Facebook, YouTube and LinkedIn) can be a major problem in this area. You need social media to get your message out there, but it also tells an attacker who works for you, what they do and who they trust, which is exactly what a convincing spear phishing email needs. Post with that in mind.

Making your organisation a smaller target against cybercrime can be relatively cheap and easy. Yes, you still need to invest in front-line internet-facing systems and the like. The difference is that the bad guys can fail millions of times and not worry about it, but the good guys only have to fail once.

If it gets through the expensive next-generation firewall, it is a good idea to have your staff on the inside saying “how come this weird email got through, and why are the links pointing to a site in Romania?” and deleting it instead of clicking on it.
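The “why are the links pointing to a site in Romania” check can be automated for the mail that does get through. Below is an added example in Python (not from the original article) that takes an HTML email, pulls out every link, and reports links whose visible text shows one domain while the real destination is another, links to domains the business does not expect, and plain http links. The message, the addresses, the host names and the trusted-domain list are all constructed for the example.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed phishing-style message; the sender, recipient and hosts are made up.
SAMPLE_EMAIL = """\
From: "Accounts" <accounts@example-bank.com>
To: staff@example.com.au
Subject: Invoice overdue
Content-Type: text/html; charset=utf-8

<html><body>
<p>Please review the invoice at
<a href="http://login-example-bank.example.ro/inv/1234">https://www.example-bank.com/invoices</a></p>
<p>Or visit our <a href="https://www.example-bank.com/contact">contact page</a>.</p>
</body></html>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Last two labels of a host name. Good enough for .com/.ro in the sample;
    a real filter needs the public suffix list to handle names like example.com.au."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def extract_links(raw_message):
    """Parse the message and return (href, visible text) for every anchor in the HTML body."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return []
    parser = LinkExtractor()
    parser.feed(body.get_content())
    return parser.links


def suspicious_links(raw_message, trusted_domains):
    """Return [(href, [reasons])] for links a staff member should not click."""
    findings = []
    for href, text in extract_links(raw_message):
        target = urlparse(href)
        reasons = []
        # Visible text that is itself a URL must agree with the real destination.
        if text.lower().startswith(("http://", "https://")):
            shown = urlparse(text).netloc
            if registered_domain(shown) != registered_domain(target.netloc):
                reasons.append(f"text shows {shown} but link goes to {target.netloc}")
        if registered_domain(target.netloc) not in trusted_domains:
            reasons.append(f"destination {target.netloc} is not a trusted domain")
        if target.scheme == "http":
            reasons.append("link is plain http")
        if reasons:
            findings.append((href, reasons))
    return findings


if __name__ == "__main__":
    for href, reasons in suspicious_links(SAMPLE_EMAIL, {"example-bank.com", "example.com.au"}):
        print(href)
        for reason in reasons:
            print("  -", reason)
```

The first link in the sample is flagged for all three reasons; the second, which really does go to the trusted domain over https, is left alone. The same logic is what a user can do by hand: hover over the link and compare what is shown with where it goes.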

CyberCrime – Using Security Policies to protect your business.

Most small or medium businesses and not-for-profit organisations have policies in place to protect, not only the organisation, but also the staff and users from cybercrime. Being human, we don’t want to follow these rules.

We like to circumvent them so that we can do what we like and when. 

This is not a new phenomenon, but it has become more pronounced with the advent of the internet. 

With the introduction of Bring Your Own Device (BYOD), ignoring an organisation’s protective policies has become even easier and more tempting.

This anything-goes attitude is prominent among internet users.

For instance, here’s a statement it’s not uncommon to hear at an SME:  “My organisation doesn’t have a wireless access point, so I added one to the network.”  The person who makes this statement isn’t considering the security and privacy implications of their actions—they’re thinking about the convenience of being able to surf the internet on their Wi-Fi tablet.

Most people do not understand that putting in a wireless access point without understanding the cyber security implications is a severe problem for most organisations. A rogue AP plugged into a spare network port sits behind the firewall and extends the internal network to anyone within radio range. SMEs do not have the robust and secure technologies that enable them to detect a rogue AP, and such an AP can remain on the network long after the convenience is forgotten. We recently did a site survey on a new client and found three of these devices on the network that management knew nothing about. One of them did not have a password, which means that anyone has access to the network.
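One cheap way to find these devices is to compare what a laptop can hear with the list of access points you actually own. The Python below is an added example (not from the article and not the author’s site-survey tooling): it reads a constructed scan of nearby networks and flags unknown access points broadcasting the company SSID, open networks strong enough to be inside the building, and any other strong unrecognised AP. The SSID, the BSSIDs, the scan rows and the signal threshold are all assumptions; replace the parser with one for your scanner’s output.

```python
CORPORATE_SSID = "ExampleCo"          # assumed company network name
AUTHORISED_BSSIDS = {                 # assumed inventory of the APs you own
    "aa:bb:cc:00:00:01",
    "aa:bb:cc:00:00:02",
}

# Constructed scan result: ssid,bssid,signal (percent),security.
# Real tools (nmcli dev wifi, netsh wlan show networks mode=bssid, airport -s)
# print different layouts; adapt parse_scan() to whichever you use.
SAMPLE_SCAN = """\
ExampleCo,aa:bb:cc:00:00:01,82,WPA2
ExampleCo,aa:bb:cc:00:00:02,64,WPA2
ExampleCo,de:ad:be:ef:00:01,77,WPA2
NETGEAR-Guest,de:ad:be:ef:00:02,71,
CafeNextDoor,11:22:33:44:55:66,18,WPA2
"""


def parse_scan(text):
    """Parse the CSV-style scan into dicts; security is '' for an open network."""
    aps = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ssid, bssid, signal, security = (field.strip() for field in line.split(",", 3))
        aps.append({"ssid": ssid, "bssid": bssid.lower(), "signal": int(signal), "security": security})
    return aps


def find_rogue_aps(aps, authorised, corporate_ssid, inside_threshold=40):
    """Return (bssid, reason) for every AP that needs a person to go and look at it."""
    findings = []
    for ap in aps:
        if ap["bssid"] in authorised:
            continue                                   # one of ours
        if ap["ssid"] == corporate_ssid:
            # Someone else is pretending to be us; signal strength is irrelevant.
            findings.append((ap["bssid"], f"unknown AP broadcasting '{corporate_ssid}' (possible evil twin)"))
        elif ap["signal"] < inside_threshold:
            continue                                   # weak: probably a neighbour
        elif not ap["security"]:
            findings.append((ap["bssid"], f"open network '{ap['ssid']}' inside the building"))
        else:
            findings.append((ap["bssid"], f"unrecognised AP '{ap['ssid']}' with strong signal"))
    return findings


def run_sample_check(**kwargs):
    """Run the check over the constructed scan and inventory."""
    return find_rogue_aps(parse_scan(SAMPLE_SCAN), AUTHORISED_BSSIDS, CORPORATE_SSID, **kwargs)


if __name__ == "__main__":
    for bssid, reason in run_sample_check():
        print(bssid, reason)
```

A scan only shows what is in radio range and cannot tell you whether an unknown AP is plugged into your switch or sitting in the office next door. The wired-side check is to look through the switch’s MAC address table or the DHCP leases for devices nobody can account for, and to shut the port when you find the cable.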

What about cloud-based storage? Let’s say I want to work from home on a confidential document, so I install Dropbox and copy my super-sensitive document into the folder, and now I can work on it from home, on my tablet or even on my phone. Lucky me. That super-sensitive information that I was working on is seen by someone in a coffee shop, and it is now all over the internet. The business has no record that the document ever left, because the account it left through was never the business’s to begin with.

Another thing that we have found is that all internal mail for a user can be redirected or copied to an external web server—Google, Yahoo or Hotmail.  Once again, privileged and commercial in-confidence information can haemorrhage from an organisation because someone wants to be seen as important.
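Forwarding rules like this are easy to list and easy to overlook. Below is an added example in Python (not from the article) that takes a constructed export of mailbox rules and flags every enabled forward or redirect whose target is outside the organisation’s own domains. The export columns, the domain, the users and the rule rows are assumptions; Exchange, Microsoft 365 and Google Workspace can each produce an equivalent list of per-user rules.

```python
import csv
import io

ORG_DOMAINS = {"example.com.au"}      # assumed: the domains the business owns

# Constructed export of per-user mailbox rules (not real data).
SAMPLE_RULES = """\
user,rule,action,target,enabled
jwatts@example.com.au,Archive newsletters,move,Newsletters,true
pbrown@example.com.au,Copy to phone,forward,pbrown.home@gmail.com,true
pbrown@example.com.au,Old rule,redirect,p.brown@yahoo.com,false
kngo@example.com.au,Accounts copy,forward,accounts@example.com.au,true
kngo@example.com.au,Weekend cover,redirect,cover@Example.COM.AU,true
"""


def parse_rules(text):
    """Turn the CSV export into a list of dicts."""
    rules = []
    for row in csv.DictReader(io.StringIO(text)):
        rules.append({
            "user": row["user"].strip().lower(),
            "rule": row["rule"].strip(),
            "action": row["action"].strip().lower(),
            "target": row["target"].strip(),
            "enabled": row["enabled"].strip().lower() == "true",
        })
    return rules


def target_domain(address):
    """Domain part of an email address, lower-cased; '' if it is not an address."""
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""


def external_forwards(rules, org_domains, include_disabled=False):
    """Return (user, rule, action, target) for rules that send mail outside org_domains.

    Redirects are listed ahead of forwards: a redirect leaves no copy in the
    mailbox, so the owner may never notice the rule exists. Disabled rules are
    worth a look too (someone created them), hence include_disabled.
    """
    findings = []
    for r in rules:
        if r["action"] not in ("forward", "redirect"):
            continue
        if not r["enabled"] and not include_disabled:
            continue
        if target_domain(r["target"]) not in org_domains:
            findings.append((r["user"], r["rule"], r["action"], r["target"]))
    findings.sort(key=lambda f: 0 if f[2] == "redirect" else 1)
    return findings


def run_sample_rule_check(**kwargs):
    """Run the check over the constructed export."""
    return external_forwards(parse_rules(SAMPLE_RULES), ORG_DOMAINS, **kwargs)


if __name__ == "__main__":
    for user, rule, action, target in run_sample_rule_check(include_disabled=True):
        print(f"{user}: '{rule}' {action}s mail to {target}")
```

On the sample only pbrown’s live forward to a Gmail address is reported by default; the internal forward and the redirect to an address in the company’s own domain (compared case-insensitively) are not. Run it on every mailbox, not just the ones you suspect, and treat a new external forward as an incident until someone explains it.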

Now in most cases an organisation has put in place a policy that was designed to protect it against this situation. But an isolated policy is not enough. In all organisations, cultural change has to be incorporated into every aspect of people’s interactions with technology. Maybe a carrot-and-stick methodology will work, maybe just the stick. Either way, to enforce a policy you need to change the normal culture of most internet users. That cultural change can be driven by a set of policies, together with technical controls that reinforce them: keeping unknown devices off the network, restricting mail forwarding to outside addresses, and controlling which cloud storage services can be used from company machines.

Businesses have many reasons for wanting to deploy policies to protect their security and privacy.  Some businesses want to cultivate work/home balance; others have top-secret information or intellectual property that they want to keep inside the business.  No matter what the reason, without changing the culture of the business, the policies might as well not exist.