(Video) How are you protecting your clients information

Roger Smith, CEO at R & I ICT Consulting Services Pty Ltd and Amazon #1 author on cybercrime, discusses how small and medium businesses and not-for-profit organisations are protecting their clients' information.

[Start of transcript]

Hi, my name is Roger. How are you protecting your client’s information? Every business nowadays uses a digital component to make that business work. And by having that digital component, and making that information available to your staff, then you have to make sure that you are protecting that information at all times.

That information can be anything as basic as a telephone number associated with a person who’s associated with a registration number on your car. That information is really critical to taking it to the next level for protecting your business, and protecting your clients. Because clients are not going to trust you if you are known to breach their privacy.

So to protect the information that you’re collecting from other people, you need to make sure that what you’re collecting, are you going to use it and do you need it? Because it’s no use collecting all this information if it’s just going to sit in a database and one day we’ll get to it. Because that just gives you exposure to a number of other problems.

You also need to be able to segregate that information. You need to be able to take that information and go, “We don’t need that information,” or, “Those certain people do need access to that information.”

And the final part is, you never store information about people with information about their credit cards. Because if you do that, and something does happen in the background, and someone does get compromised, then they have all of that information.

So do you know where all your client data is? Do you know where it’s located, who has access to it, and why those people have access to it? Thank you very much.

[End of transcript]

The golden rules for BYOD in the workplace

BYOD is huge; it is one of the up-and-coming technologies that SMEs either embrace or totally hate. Either way, it is something that is going to become more prominent over the coming years.

Gone are the days when a business gave you a laptop and a mobile phone when you started. In today's business world the reality is that your staff would rather bring their own device than be controlled by your requirements. So not only do you have to protect your information and critical data, you also need to understand how to manage the BYOD revolution.

Here are a couple of ideas that could help.

Make sure that all devices have a Personal Identification Number (PIN) or password. This is the first and only level of protection for a stolen or misplaced device. All BYODs need to have a PIN. The attitude of "no PIN, no device" is a good stand to take.

If data is to be downloaded to the device, then all of that information needs to be encrypted, so that anything at rest on the device cannot be casually read or used.

Applications that bypass security and get to the heart of your business should be treated with paranoia. File-sharing services like Dropbox need to have their risks weighed against their benefits.

Have a BYOD policy. This protects your business, but it also explains what your business expects of the device. If staff fail to sign that policy, then they have no expectation of being supported by the business. This policy will also include what rights your business has over the unit, including auditing, management and remote wiping of the unit.

Define the devices you will support, with minimum operating system requirements; the versions of Android or iOS you accept have to be stipulated.

Finally, make sure that the devices do not have apps installed that can or will compromise your business security.

Although BYOD is the up-and-coming technology, your business needs to be wise enough to manage it correctly. It is a disruptive technology, but it can be used for good. It is also here for a while, so you have to get used to it, but you can do it on your own terms.

Why you need to have all of your data encrypted!

Once again a US government department has been hacked, and because the data was not encrypted the cyber criminals had full access to all of the information. It has also been reported recently that Facebook had one million records stolen and sold on a public board for $5.00; again there was no encryption, the data was in "plain text".

So where do businesses, enterprises and government departments stand when it comes to keeping your information safe? In the constant barrage of breaches, stolen information and political hacktivism, what rights does the normal everyday person have when their information is compromised?

Being in the business security business, I understand how these things happen, and people like me do everything in our power to prevent them. I also understand that the probability that all of my information has been compromised in some way is a very real possibility; the bad guys just haven't put it all together yet.

In the 1980s the environment was all the rage (not that it has changed, but the way of protecting it has), with large multinational conglomerates destroying the environment just to make money and not taking responsibility for their actions. I remember Hollywood trying to raise the political awareness of the world with movies like Erin Brockovich, with some success. The thing that I do remember from the film is the correlation between the cost of getting caught versus the cost of the fine and the cost of doing the cleanup.

At present cybersecurity is at that point. The administrative cost and fines are less than the cost of making sure that your information is safe. Until lax security practices and systems are severely punished, we will continue to hear stories like the ones mentioned above.

A radical thought like a monetary penalty based on a percentage of GDP would be a good place to start (before the accountants and fiddle merchants get near it). If a security breach were met with a fine of 15% of GDP, would it make everyone take notice? Of course it would. The cost of getting caught with your cybersecurity pants down would have, and should have, a detrimental impact on the business, to such a level that it could put you out of business.

One of the best ways to make sure that all your critical information is protected is to encrypt it all at some level. Maybe it slows down the process, but it would ensure that if the information were compromised it could not be read without considerable additional resources.
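As an added illustration of what "encrypt it all at some level" buys you, here is a small Go program (written for this page, not code from the author or from R & I ICT Consulting Services) that seals a client record with AES-256-GCM before it is stored, then shows that the stored blob no longer contains the plain text, that a wrong key is rejected, and that a blob altered after the fact is rejected rather than decoded into garbage. The record contents and the secret are constructed sample values; `keyFromSecret` is a hypothetical stand-in for a real key store or KMS.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// keyFromSecret derives a 256-bit AES key from a secret that lives outside the
// data store. Hypothetical helper for this example: a production system would
// fetch the key from a KMS or HSM; a SHA-256 hash keeps the example self-contained.
func keyFromSecret(secret []byte) []byte {
	sum := sha256.Sum256(secret)
	return sum[:]
}

// EncryptRecord seals one client record with AES-256-GCM. The random nonce is
// prepended to the ciphertext so each stored blob carries what is needed to open it.
func EncryptRecord(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// DecryptRecord reverses EncryptRecord. The GCM authentication tag means a blob
// that was altered, or encrypted under a different key, fails with an error.
func DecryptRecord(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize() {
		return nil, errors.New("blob too short to contain a nonce")
	}
	nonce, ct := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, nil)
}

// LeaksPlaintext reports whether a stored blob still contains the record
// verbatim, which is what "plain text" in a breached database looks like.
func LeaksPlaintext(blob, plaintext []byte) bool {
	return bytes.Contains(blob, plaintext)
}

func main() {
	// Constructed sample record, not real client data.
	record := []byte("name=Jane Citizen;phone=0400000000;rego=ABC123")
	key := keyFromSecret([]byte("example-secret-held-in-key-store"))

	blob, err := EncryptRecord(key, record)
	if err != nil {
		panic(err)
	}
	fmt.Println("plaintext visible in stored blob:", LeaksPlaintext(blob, record))

	back, err := DecryptRecord(key, blob)
	fmt.Println("round trip ok:", err == nil && bytes.Equal(back, record))

	_, err = DecryptRecord(keyFromSecret([]byte("wrong-secret")), blob)
	fmt.Println("wrong key rejected:", err != nil)

	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01 // flip one bit of the authentication tag
	_, err = DecryptRecord(key, tampered)
	fmt.Println("tampered blob rejected:", err != nil)
}
```

The point of using an authenticated mode (GCM) rather than bare AES is the last two checks: whoever lifts the database gets nothing readable, and cannot quietly modify records either. The key must be stored somewhere other than alongside the data, or the encryption is only decoration.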

In all situations your cybersecurity focus is to get the bad guys to go somewhere else. Making the process of attacking you hard, complicated or downright difficult is your one and only aim. By removing the robotic and non-targeted attacks, by restricting your accidental exposure, and by being vigilant and paranoid, the only way that you can be attacked is directly.

To be directly attacked you need to have done one of the following: seriously pissed off someone, have a prototype or some type of intellectual property that is going to be the next billion dollar invention, or have access to some serious money. If any of these are true, then you have already made a serious investment in protecting it.

Essential SME business cybersecurity – the main points

To most small and medium businesses and not-for-profit organisations, cybersecurity is one of the last points of interest at the management level. This attitude is not only bad for business; it can seriously damage your reputation as well as severely compromise your cash flow.

Like anything else in business, everything is connected. Want to take payments online? Then you have to implement tighter security processes to make it happen. Some SMEs understand this correlation; many don't!

As an SME these points are where you need to start on your cybersecurity journey.

Everyone has something to lose

No matter who you are, what your business is and who your customers are, you are selling something to someone. With that point comes a number of other points. You have to protect your business. You have to protect your business information. You have to protect your customers and their information. Finally, you have to make sure that your staff are protected as well.

What you use to do that is a matter of personal choice, as well as of how you have been sold to by the best salesperson available. Just remember that one solution is not the be-all and end-all of cybersecurity. Cybersecurity is a process, almost a holistic process. All of the parts have to work together to make a secure business environment.

Before the Internet, there was such a comment as "too small to be a target". This no longer applies in the Internet world. Just by being connected to the Internet you are a target. It is like taking your business and moving it into the worst neighbourhood in the city, putting a lock on the door and hoping that someone doesn't steal your "stuff".

On the Internet there are no police on the corner; there are no niceties of business. You are a target, and the only thing that you can do is arm yourself with the biggest "gun" you can find. It would be nice if we could turn it around on the cyber criminals and go on the offensive, but we cannot. So we have to put in place protections that will keep the cyber criminals on the outside as well as protect those people coming to you to purchase your goods.

Being proactive and paranoid plays a large part in your protection

If you are not already PARANOID, then I suggest this is the time to become so. In the world of cybersecurity paranoid is good, because everyone is after you. Truly after you. They want to steal your money, your intellectual property, your business and in some cases your complete identity.

So, in cricket terms, you have to get on the front foot. You have to position your business in such a way that only the very clever cyber criminal has a chance of breaching your protections. There is no such thing as impenetrable; your cybersecurity objective is to make it so hard and difficult that the cyber criminal will go elsewhere, preferably to your opposition.

There are lots of things that you can use to do this, but these three are a start. Use passwords, difficult and complicated ones, on everything. Train and teach your people the art of being suspicious and questioning things that look out of place, and use some level of data encryption when the information is out of your control. Finally, put a security framework around your business.

Growth and opportunities have to be tempered with protective solutions

Since SMEs have little understanding of cyber resilience and cybersecurity, making the business grow without implementing some level of protection is fraught with danger. Most SMEs understand that opportunities have to be grasped with both hands. A cyber resilient business is not only protected now; it also has the ability to react to changes in the industry that will deliver better business opportunities.

Most businesses that are more than ten years old have a different perspective and focus from what they had when they started. They have seen opportunities in other markets, different markets and some in the same. Most businesses are in areas where they did not think they would be when they wrote their business plan.

These opportunities have developed through social media, the Internet or cloud computing. Getting your marketing and brand out there is critical to a business, and it has never been easier to compete on the world stage than now. Just remember: the moment you attach yourself to the Internet, you are a target.

So, leaving the bad aside, and to quote a song, "the future's so bright we will have to wear shades". Just make sure that your cybersecurity complements your business requirements.

BYOD for small business – a work in progress

So you work for a company, and you think the IT systems that they supply to you are inadequate. You think: why can't I use my iPad to do my work?

More and more small and medium businesses and not-for-profit organisations (SMBs) are facing these types of requests. The bring your own device (BYOD) phenomenon is not going to get easier; in my opinion it is going to get a lot worse, especially in the SMB space.

Here are four ideas to make it easier for your organisation.

Start with a "written" policy. All SMBs need to have a written policy on device management. This makes it easier for you in the long run, as you start with a system of control in place. This policy states where you stand in the management of your data. A written policy will be readily accepted by both users and management, as everyone knows where they stand. One of the largest problems is when a device leaves with outgoing staff. The policy also has to cover the required security of the information on it. Your business does not want to lose intellectual property when someone leaves. A caveat of using your own device is that it can be wiped prior to leaving the organisation.

Segment your network. This allows all wireless connections to connect outside the main network environment. This means that unless the device is physically plugged into the WIRED network, access to restricted information can be managed correctly. Make sure wireless connections also have decent authentication and encryption capability. If the BYOD doesn't meet the security requirements, then do not lower the security requirements to allow that system to have access. This is one of the points that should never be compromised for a staff member.

Develop a security standard. Just because a staff member brings in a device doesn't mean that it is automatically going to be allowed to be used. Create a standard level of equipment that the business will support, and publish this list internally. The list can be added to and subtracted from as new devices become available. This will allow your IT people to have more control over the devices being brought into your organisation. It will also allow your business to restrict the use of the device as well as what can be stored on the device. A combination of Microsoft Exchange 2010 policies and the types of devices allowed lets you control a number of the features.

Draw the line between corporate and personal. Once you start to bring devices onto your network, you also need to define what level of support your IT department will supply. Will it just be corporate mail, or will it be the total device? Furthermore, do you have the power to remotely wipe the device when it is lost or stolen? If there is corporate information on the device, this has to be thought through. Again, this should be defined in the BYOD policy.
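The "golden rules" post above (PIN, encryption, blocked apps, stipulated Android and iOS versions) and the "develop a security standard" step here both amount to a published list of requirements that a device is checked against before it is allowed near company data. As an added example, not code from the author or from any MDM product, here is a Go program that encodes such a standard and evaluates a device against it, reporting every failing point at once so the owner knows all the fixes needed. The policy values, the field names, and the two sample devices are assumptions constructed for the example; a real deployment would read them from whatever mobile device management tool the business uses.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Policy is the published BYOD standard: supported platforms and their minimum
// OS version, whether a PIN and storage encryption are mandatory, and apps that
// are not allowed beside company data. Field names are assumptions for this example.
type Policy struct {
	MinVersion     map[string]string // platform (lower case) -> minimum OS version
	RequirePIN     bool
	RequireEncrypt bool
	BlockedApps    []string
}

// Device is what an enrolment check learns about one staff member's phone or tablet.
type Device struct {
	Owner     string
	Platform  string
	OSVersion string
	HasPIN    bool
	Encrypted bool
	Apps      []string
}

// parseVersion turns "14.2.1" into [14 2 1]; a non-numeric component counts as 0.
func parseVersion(v string) []int {
	parts := strings.Split(v, ".")
	out := make([]int, len(parts))
	for i, p := range parts {
		n, _ := strconv.Atoi(p)
		out[i] = n
	}
	return out
}

// versionAtLeast reports whether have >= want, component by component, so that
// "10.0" is correctly newer than "9.3" (a plain string compare gets that wrong).
func versionAtLeast(have, want string) bool {
	h, w := parseVersion(have), parseVersion(want)
	for i := 0; i < len(h) || i < len(w); i++ {
		var hv, wv int
		if i < len(h) {
			hv = h[i]
		}
		if i < len(w) {
			wv = w[i]
		}
		if hv != wv {
			return hv > wv
		}
	}
	return true
}

// Evaluate applies the policy to one device and returns whether it is compliant
// together with every reason it is not.
func Evaluate(p Policy, d Device) (bool, []string) {
	var reasons []string
	minV, supported := p.MinVersion[strings.ToLower(d.Platform)]
	switch {
	case !supported:
		reasons = append(reasons, "platform "+d.Platform+" is not on the supported list")
	case !versionAtLeast(d.OSVersion, minV):
		reasons = append(reasons, fmt.Sprintf("%s %s is below the minimum %s", d.Platform, d.OSVersion, minV))
	}
	if p.RequirePIN && !d.HasPIN {
		reasons = append(reasons, "no PIN or password set (no PIN, no device)")
	}
	if p.RequireEncrypt && !d.Encrypted {
		reasons = append(reasons, "device storage is not encrypted")
	}
	for _, app := range d.Apps {
		for _, blocked := range p.BlockedApps {
			if strings.EqualFold(app, blocked) {
				reasons = append(reasons, "blocked app installed: "+app)
			}
		}
	}
	return len(reasons) == 0, reasons
}

func main() {
	// Constructed sample standard; the versions and app names are illustrative only.
	standard := Policy{
		MinVersion:     map[string]string{"ios": "16.0", "android": "13.0"},
		RequirePIN:     true,
		RequireEncrypt: true,
		BlockedApps:    []string{"UnapprovedFileShare"},
	}
	devices := []Device{
		{Owner: "alice", Platform: "iOS", OSVersion: "17.1", HasPIN: true, Encrypted: true, Apps: []string{"Mail"}},
		{Owner: "bob", Platform: "Android", OSVersion: "9.0", HasPIN: false, Encrypted: true, Apps: []string{"UnapprovedFileShare"}},
	}
	for _, d := range devices {
		ok, why := Evaluate(standard, d)
		fmt.Printf("%s: compliant=%v %v\n", d.Owner, ok, why)
	}
}
```

Keeping the standard as data rather than as scattered if-statements is what lets the list be "added to and subtracted from as new devices become available" without touching the check itself.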

The introduction of hand-held devices will improve a business, but it has to be tempered with some level of control and management. Without the control, your IT department will be run off their feet trying to keep your staff's devices under control.

Starbucks, free wifi and the bigger security picture!

Recently I had a holiday in Malaysia. The holiday was great, but while we were sitting down for coffee in Starbucks I realised that there is a severe problem with security, and with people's attitude towards security.

Like the rest of the world, the Starbucks franchise in Malaysia has free wifi, free in such a way that you do not even need to know a username or password to use it. Now for most people this is great, and don't get me wrong, I sometimes use it, with a lot of restriction on myself, because I know the dangers that can come from it.

While we were having coffee and I was thinking about the problems associated with this level of access, these two characters walked in and sat down. I was only taking limited notice of them, but my focus changed when they started to pull out some interesting equipment. Apart from the laptops, high-end HP systems, something that would set me back $4 or 5K, they also added a couple of USB devices and started to run them up.

I ignored them for about 20 minutes, as we were in a family discussion about what and where to eat (very important in our family for some reason), but I glanced over at the screen and all I saw was a graph that looked very similar to Wireshark; not only that, but it was also logging everything that was going through the WiFi. I normally use Wireshark to track rogue access points within client networks, and what I was looking at was similar.

This brought an idea to me.

One of the easiest ways for someone to steal all of your corporate information, personal information and client information is for you not to be thinking clearly in this type of environment. Those two characters would have picked up any information that was transmitted to any website, SharePoint environment, mail server or CRM that was not SSL protected. That information is in plain text. Easy to capture and even easier to use.

All information concerning Facebook, LinkedIn, even Twitter would have been captured, and that included the username and password used to get onto the sites. That information, although it may not seem important, could be used very efficiently as a social engineering play to gain more information and create an in-depth profile of you.

Yes, free WiFi is great, but if you do not have one that is locked down with a passcode, then be very careful about where you are going on your device.

Do you rely just on security technology to protect your business information?

Nearly every day you hear about another security threat spreading across the internet. As a small or medium business, or a not-for-profit organisation (SME), how vulnerable are you to these threats?

SMEs are connecting to the internet in record numbers to support improved and greater market opportunities, to increase productivity and to strengthen communications with staff, management, customers and suppliers. The problem is, the more you open your network and business to the internet, the more your confidential business information and data is at risk.

So you think you are too small to be a target?

Think again: if you use Microsoft software, then you are a target by default. Microsoft is not bad, but it has the largest market share, so any released virus, worm or application created by a hacker can achieve more with less. These programs spread rapidly and inflict damage on a global scale, and you, as an SME, can be caught in their net.

Security threats are constantly emerging and evolving, and the job of securing your business information becomes all-consuming. Little jobs take time: updating and checking anti-virus, patching and updating operating systems and applications, and checking firewalls against renewed rules and policies are a critical requirement of your business risk analysis.

They still have to be done regularly.

The importance of checking these components in a timely manner cannot be overstated. Consider the cost in lost productivity, reputation and non-compliance penalties that a breach could visit on your business. Effective security can be costly, time-consuming and difficult for SMEs to implement successfully. Skilled security people are often difficult to find and cost-prohibitive to have on staff. As a result, the job often falls on the technologically savvy staff member who is already snowed under with other ICT matters or their own job, leaving little time to implement security features properly.

Today's security threats are business-size neutral. They leave an SME with the same security challenges as large corporations. The trouble is that SMEs do not have the depth of resources to handle them. This is where a Managed Security Services Provider (MSSP) can be of benefit to your business.

What are the benefits to your business of outsourcing your security?

You can focus on your core business

Outsourcing allows all of your staff to concentrate on revenue-generating business initiatives instead of computer, security and infrastructure issues. Having limited IT resources on staff takes business resources away from your core business.

Reduced Cost

Outsourcing security services provides your business with access to "big business" security protection at an affordable price. The expense is more cost-effective than hiring or contracting a security expert, and the consistent monthly billing helps ensure that the security services you need are available without unforeseen hassles and expenses. An integrated and comprehensive solution that can reduce the expense of maintenance, upgrades and add-on security solutions is a benefit to any business.

24 x 7 (always available) expert security staff

Your on-staff, in-house expert is normally available only during working hours. In most cases your outsourced security company can act as an always-available security and ICT management department. They can also provide your business with access to an internet security expert without incurring the cost of hiring, training and retaining highly skilled staff.

Gain Customised Service

All MSSPs have service plans, and you can select the service plan that fits your requirements.

Receive up-to-date protection

Technical security solutions such as firewalls, antivirus software, content filtering solutions and virtual private networks (VPNs) are far more effective when they are maintained regularly with the latest system updates. Changes to your business resilience and regulatory requirements can also have a detrimental effect on your business stability if they are not kept up with.

Why R & I ICT Consulting Services is right for you!

How do you know you are getting what you paid for?

  1. Company reputation – see what our clients are saying about us. We have references and referees that you can ask.
  2. Plans and services – we have a comprehensive assortment of plans and services depending on your business requirements and size.
  3. Service Level Agreement – all of our plans and services have a service level agreement incorporated into them so that you know what will be delivered in protecting your business.
  4. Guarantee – We guarantee all of our technicians' work with a 100% money back guarantee. We also stick to any pricing that we put forward to you. All projects are priced on a per-project basis, so that no matter how long it takes it will not cost you any more. No more "time and materials" projects based on how long a piece of string is, with costs blowing out uncontrollably.
  5. Monthly Reports – we supply monthly reports that are delivered with your next month's invoice. We like to prove how much we have done for your business in the last month.