Why we need to rethink Business Security

Security is an IT problem.

How many managers, owners, C Level Executives and board members agree with this statement?

More than 50% of small and medium businesses and not-for-profit organisations think that the ICT department is the go-to people when it comes to protecting your business’s crown jewels.

There has been a significant push in the last 5 to 10 years to get SMEs away from this thinking and to think about business risk, compliance, governance and business security.

Yes there is still a significant place for the ICT management of security around technology.   They are the ones who have to work with limited resources, doing more and more with less and less, and producing the same level of protection year in and year out.

When it comes to a cyber event, the problem in today’s business world is that not everything can be secured with technology.

At a basic level, there are 6 areas that create a secure business environment, technology and frameworks is one of them.   The others are risk management, people and education, policy and governance, resilience and finally continuous improvement.

As you can see, technology is only a small part of the solution.

The normal situation for SMEs and Charities is to think that ICT department knows it all.   We have had similar situations ever since computers have become an integral part of the business.

People who “know computers” were called on to fix the business infrastructure simply because of the know computers.   So a web designer was asked to fix a printer or a programmer was asked to set up an internet connection.   Yes, they could do it but in today’s world it is so much more complicated and complex.

Business security needs to be addressed by someone who knows security.   Someone who understands risk!   Someone who understands the fundamental security practices required to protect the organisation.

You would never go to an unqualified accountant to do your tax return, or an unqualified electrician to rewire your house, or even an unendorsed mechanic to repair you new BMW.

When it comes to protecting the business, especially from a cyber event, we rely on people who have minimal understanding of what needs to be done to create a secure business environment.

Why we fail to future proof our business!

In the last 10 years we have seen some significant changes in the way that small and medium businesses and not-for-profit organisations have used technology and the digital world to increase their footprint in the business world.

The problem associated with small business are not necessarily based on the digital components.

When it comes to the digital world all organisations have found ways to utilise those digital components to improve their bottom line, increase revenue and drive profit.

One of the biggest problems for small and medium business is they have to be constantly keep looking for ways to improve the utilisation of the digital components whilst also having an eye on how much it costs.

There are seven mistakes that SMEs make when it comes to business and digital protection.

Set and forget

The problem with set and forget philosophies is that the digital world is ever changing.

There is constant change to the way systems work, how the systems fail and the way the Bad guys are targeting those systems.

By thinking that installing some level of protection into an organisation then walking away from it is the best solution is incredibly bad.

Lack of awareness

Awareness of the capabilities of the bad guys have shown that they are constantly thinking outside the box.

Lack of awareness also shows that we think we buy a solution for a problem but that solution can be leveraged to attack your systems through known and unknown vulnerabilities.

Thinking that you can do it alone

We all need help.

When it comes to the awareness around business security and the digital world it is an area of expertise where we need a lot more help than normal. When it comes to other expertise services for instance solicitors, accountants or even mechanics we approach their knowledge with an understanding that they know what they are doing.

For some reason when it comes to business security we apply a totally different principle in our understanding of the digital world.

I know computers is not something that differentiates a professional SOP security expert from a person on staff who plays games.

Not using professionals where necessary

Understanding that the professionals are there to help, even though they cost money, is something that is kept in the back of the mind of most business owners, sealevel executives or board members that they are a necessary evil to doing business.

Understanding the risk associated with today’s business using the digital environment is a complex process.

Embrace change, but listen to the market

There is a fine line between using old technology to do business and spending large amounts of money on cutting edge technology.

Old systems when employed in business have a number of known problems.

They include old hardware, old software, known vulnerability problems and slow and problematic systems.

Cutting-edge environments are important but they should never be the driving force of how you do business.

Where to start?

One of the questions that we are always asked, for a small business, is where to start.

The first place to start is to step back from your organisation and to look at it with an eye of what if.

The first thing that needs to be done is to define the risk associated with the business and what your appetite for risk will be.

reinventing the wheel!

With the changes in technology one of the things that you don’t want to be doing is reinventing the wheel every two or three years.

The idea behind future proof in your organisation is to have the policies the technology and the people in place that allows you to replace or upgrade systems without having to change the way you do business.

When it comes to protecting organisation it is

Where to start your Business Security / Cybersecurity Journey

Start


Time

3-hour program

What is done

Audit on assets and risk management.

What you get

  • Report on where your organisation is in relation to business security
  • Roadmap to implement basic changes to your business organisation
  • A number of process, procedure and policy templates
  • A number of Plans templates

Tools we use

  • Care-app diagnostic tool
  • Questionnaire similar to basic SWOT
  • Proprietary diagnostic tools
  • Open-source intelligence gathering tools

What do you need to do

  • Implement changes
  • Discuss with management
  • Implement proactive responses to cybersecurity

 

Threshold


Time

8-hour program

What is done

 

What you get

  • Implementation of Internet policy
  • Implementation of online security awareness program
  • In depth Risk analysis
  • In depth Risk mitigation process
  • Full blown digital SWOT

Tools we use

 

What do you need to do

 

 

Baseline

What is done

 

What you get

 

What do you need to do

 

 

Beyond

What is done

 

What you get

 

What do you need to do

 

 

Cybersecurity – Too much Cheese, not enough whiskers!

Cybersecurity is a touchy subject.
Everyone wants the government and those in politics to do something about it.
When it comes to cybercrime the solution is not that easy.
We all think that cybersecurity (Digital Security) is unimportant!
That’s an IT problem/issue!
Its someone else’s problem!
Someone else will look after it.
The anonymity of the digital world makes anything and everything possible.   We can no longer be sure of who we are communicating with, and even the friends we know could have been compromised making any conversation insecure.
“Why should I protect myself in the digital world” is a question we hear daily in the industry.   I have done enough, I have anti virus!    This attitude comes from C level Execs, Board members, managers in all level of industry and commerce as well as people at the coal face.
The announcement from the government shows, once again, that we are not looking at a solution to the problem but another way to endorse the attitudes of the big business and government departments.
The attack surface in the digital world is huge.   The introduction of IoT will compound the issues associated with protection 100 fold.
Think of a beach and each grain of sand is an application, website, IoT device, Operating system or smart device.   The problem is visibility, how do we know what is happening below the surface, behind the scenes?  We don’t!   No one on the planet can!
I have friends who can hack a smartphone (yes any smartphone) record where you are and what you are saying and you would not even know it was happening.   Nothing on the screen, no flashing apps, nothing!
Attitudes need to change!
Cybersecurity has to be holistic!   It has to include any and all components of a business in the protection of that business.
There is no silver bullet that will put down the Cybercrime werewolf.   Anyone that sells you a silver bullet is exposing your organisation to untold problems.   Not just because you have bought into the hype, but you have also forgotten that there are other ways to compromise a system that what they are protecting you against.
Trust no one, if you are connected to the digital world no matter the device or the reason.   Trust No One!

The best way to find out how vulnerable to a cyber event your organisation is.   Use the CareMIT Digital Diagnostic Tool or come to one of our regular quarterly “Security Board Meetings

Why SME’s should future proof their business.

Emerging and disruptive technologies will have/are having an impact on every organisation from the smallest subcontractor to the largest multinational organisations.

Multinationals have the resources to deploy cutting edge technologies.   They have the fiscal capabilities as well as the internal drive and vision to use new technologies to gain the edge over their competition and attract and manage customers.

When it comes to small business, the utilisation and implementation of these changes are complex, frustrating and fiscally challenging.   The trickle-down effect and impact is often overlooked because of these requirements.

Every small organisation needs to develop capabilities that allow the implementation of emerging technologies without having to change the fundamental capabilities of the organisation.

Technology is great for business, new technologies, on the other hand, can be hugely problematic to implement, configure and manage, but more importantly to measure.

Technology, we are finding is fleeting.   Something that we use today may not be around in 12 months time.

In contrast, we see old processes and procedure come around again and again with only minimal change no matter the technologies involved.   This is the key to future-proofing your organisation.

The two things that are needed by small organisations are:

  • How to implement change without negative impact
  • Recovering from change, if it fails, in a low impact and manageable way.

In both cases, an in-depth understanding of the organisation is critical.     This is often something that small organisations consider unimportant.

Ask a small retail shop, a legal organisation or an accounting firm what they do, how they do it and what components they consider critical to business and in most cases they cannot tell you.

Intellectual property, trade secrets and the fundamental business process that make the organisation unique are only known to a few people.   This is both good (stops information leakage) and bad (no one knows what the organisation and management are doing).

Future-proofing your organisation is an important component of today’s business world for small organisations.    If you change your business model because of technology, what else has to change, what will stay the same but more importantly will the change allow you to protect cash flow and revenue production?

 

 

 

 

 

 

How to avoid being a target of script kiddies!

There is a huge difference between a cyber attack generated by a script kiddy running an automated system and one where you are being targeted by a dedicated hacker.

For one, if you are targeted by a dedicated hacker then you already know that you have something worth protecting and you have, hopefully, done something about it.

The biggest problems with cyber attacks on the internet are that 95% of them are coming from an automated system controlled or managed by trainees (script kiddies).

Automated systems have three reasons they are used:

  • They are easy to get.
  • They are easy to use.
  • They are easy to make money out of.

They are easy to get!

There are a number of ways for anyone to get hold of an automated system. They can download an operating system that has an automated system running on it. Kali, Parrot OS or Black-arch are all very good examples but there are others.

Designed as penetration testing tools, these systems have all of the requirements that they need to target organisations, multinationals, or anyone connected to the digital world.

Before you ask, yes it is all legal and above board as long as you are not targeting someone else.

To make these systems more effective they allow them to either download additional components from GitHub or design and program your own applications.

They are easy to use!

The old saying that whenever anything is free you are the product rings true with these systems as well. The creators of these systems keep track of people using them and incorporate any updates into their own releases.

To set up one of these systems all you need is a computer. Once you have administrator access to a computer you can download a virtual environment (VMware if you have some money or Virtual Box for free) and you can then install these operating systems as a virtual operating system.

You can even run the operating system on a microcomputer (Raspberry Pi) for under $100.

Once set up you now have access to the tools and capabilities that, if used correctly, can rival someone who has been in the industry for years. Almost like a novice woodworker creating a dovetail joint on their first try without knowledge of what to do.

No training, just using other people’s knowledge.

In addition, and a bigger issue, what they do not know can be learned or discovered by simply searching google.

The capability and effectiveness of these systems allow them to set up the automated attack and target a huge number of vulnerable systems based on blocks of internet-based addresses.

Simply they can find out if there is a targetable vulnerability just by using facets of the automated systems.

They are easy to make money out of!

These free operating systems have the capability of making money.

To make serious money, though, you need to work with partners. Working with partners can be both beneficial as well as detrimental to their own security.

When it comes to making money it is either through selling information on the dark web, selling cryptovirus decryption keys to vulnerable people or selling access to compromised systems to leverage other attacks.

How to avoid being a target of script kiddies.

To avoid being a victim you need to implement some protective strategies.

You need to apply the CareMIT business security methodology to the organisation but to start at the basics this is what you need to do:

  • Patch and update everything – operating systems, application and to really be secure remove anything that you do not use from the system. This is applied to computers, websites, servers, and smart devices.
  • Disable macros – do not allow macros to run on the computers
  • Use complex, unique and more than 12 characters for every site, service or system in the digital world
  • Use 2 factor or multi-factor authentication. If you manage websites or other cloud-based services make sure the third level of security is in place – captcha
  • Only allow good applications to run on the system. This is called application whitelisting and only approved applications are allowed to run. There are some anti-virus systems that allow you to do this.
  • The last one is critical to your sanity – DO A BACKUP. All the bad guys have to do is win once. A backup ensures that if and when they win they have not really won.

At the basic level, the users of these automated systems are just as vulnerable as the people that they are targeting. A severe case of “user beware”, because if you do not configure the system correctly you are just as vulnerable as your targets.

At the most fundamental level, we all know that most people between 13 and 30 have a limited ethical attitude and good and bad is debatable.

That’s why we have the proliferation of these systems.

Secure your business!

Get proactive!

Do the scorecard!

Read your report!

Linkto scorecard https://caremit.scoreapp.com

#ceo #ExecutivesAndManagement #ProfessionalWomen #CareMIT #cybersecurity #infosec

All organisations must face up to their business security requirements

Since small and medium businesses, charities and not for profit organisations are now the bread and butter of cybercriminals targeting.

Isn’t it about time that we started to look at the reasons?

Reason 1 – SME’s have a lack of expertise!

The digital world is complex.

Every area requires a different set of skills and knowledge.  There are areas where some of the skills and requirements flow from one area to another, but these are definitely an uncommon occurrence.

The skills to implement and manage a website are different from networking which in turn are different from the requirements for coding.   Its not the fact they are different, the problem is the required level of skill to do it correctly.

Anyone with a little bit of help can write code, but to write it correctly, securely and properly requires years of skill and practice.

When it comes to the business world, we have a significant requirement for using the digital world.  In most cases, we see the introduction of a digital component into an organisation as easy.

It is not.   To implement and configure is easy.   To implement and configure securely, correctly and in a way that will benefit the organisation takes more than a fundamental underlying knowledge.

Reason 2 – SME’s have a lack of time!

Most SME’s are doing more with less just to keep themselves in profit.   Throw in another complicated process or system and they now have more to do with the same amount of time.

Business security takes time.   To secure an organisation takes time.

A solution is to employ someone on staff to manage the ICT and we will then give him the role of security professionals.   Getting someone with the required skills will cost money.

The second alternative is to enter a service level agreement (SLA) with a Managed Service Provider (MSP) and contract the support of the OCT and security to someone else.   Again this requires the correct skills as well as culture.

Both options will free up some time.

Reason 3 – SME’s have a lack of money!

Security solutions for SME’s can be expensive.   When it comes to technology and the integration of different technologies into the business environment we see some significant costs.

Comparing the costs of a breach to the costs of putting the right technology in place, it is a no brainer, but not until after the fact.

SME’s have the same compliance and governance of multinational corporations but do not have the resources to implement tier 1 or 2 technological solutions.

They make do with what is available and inexpensive not realizing the impact of these additional vulnerabilities can have on their business.

We know the problems here are some solutions

To reduce all three of these issues, as already mentioned is a contractual agreement with an MSP or a Managed Security Solution Provider (MSSP).

They bring the required expertise, they free up time and in most cases they are a viable and cost-effective.

A better solution is to look for an Organisation that has normal MSSP skills but has the capability to add additional security components around your Organisation.

Why 2022 could be a bad cybersecurity year for SME’s

SME’s are a prime target for cybercrime.

They have reduced expertise, minimal money, and an attitude, we are too small to be a target, that leaves them wide open to a cyber event.

Our industry, the people who know and think we understand the bad guys have been pushing for an attitude change for the last 10 years. In a large number of ways, we have failed, especially in the SME space.

In some, we have failed significantly.

By the time we get called in, after a cyber event, it is way too late.

To late to recover, too late to respond and definitely too late, in a number of organisations, to get back to business as normal.

Most SMEs, after a cyber event and especially after a ransomware attack, have but 3 choices,

  • pay the ransom,
  • recover from backup and hope you have a decent backup (a decent, tested backup is vital, no matter the situation)
  • or go out of business.

Here are 3 cybersecurity strategies that every SME should implement to be more secure and avoid that devastating cyber event.

Training users

Increased awareness of business security in a workplace is vital in today’s business world.

Not many businesses know where to go to get that training.

Training needs to be done as an ongoing process.

Once or twice a year is inadequate. But training and education has to be easy, bite-size pieces, easily digested, easily implemented and easily followed.

In addition to ongoing training, you also need to incorporate business security into your onboarding process to instill the required cultural elements into new people on staff.

Want some free cybersecurity training, here is something that will definitely help
https://wizer-training.com/partner/caremit

Risk management and gap analysis

SME’s have a limited understanding of the new risks delivered to the business via our digital components.

The game has changed significantly in the last 10 years and we, as small and medium businesses, are constantly playing catch-up.

We are significantly hampered and handicapped by the impact and scale of our digital usage.

It is everywhere, used in every component and used all of the time.

To understand the risks without understanding the systems you need some help.

Here is some help for you.
Https://CareMIT.scoreapp.com

With the report, you can now implement a gap analysis and work out what you need to do to increase security around your organisation.

The report also ties in well with:

Implemented a framework

If you are looking for a better way to manage security within your Organisation, you need to look no further than a framework.

A framework is a documented system that allows an organisation to follow the bouncing ball and tighten up the security in a regimented way.

The more the components of the framework are implemented the more secure and mature the organisation.

Frameworks are easy to follow and implement and the one I recommend is the National Institute of Standards and Technology (NIST) cybersecurity framework.
https://www.nist.gov/cyberframework

Answer the 98 questions, honestly, and you now have a road map to implement cybersecurity in a significant way.

The NIST cybersecurity framework also gives you a number.

Between 0 – 4, it can be used as a comparison between businesses, supply chain components, and government departments so you can do business with like-minded organisations.

What can SME’s do?

It is not too late to implement any of these strategies. The bad guys are getting more and more clever, so time is running out.

They are targeting everyone who is connected to the digital world, the internet, with more sophisticated systems, a number of them are now fully automated.

Some of those automated systems have minimal human involvement after the initial set up.

From initial social engineering attack, all the way through to payment of ransom everything is automated and driven by machine learning.

Every SME should be implementing a training and education process, doing a risk and gap analysis and implementing a cybersecurity and business security framework.

With that everything else will follow.

The business will be more stable, the culture of the organisation will change and getting back to business as normal after an attack can be significantly easier.

The impact of a cyber event for an organisation implementing these 3 components or not is significant.

If you haven’t implemented these 3 strategies in the last 12 months, 2 years or 5 years then 2020 is going to be a bad year.

But it’s not too late.

How do we manage the risk of digital in todays business world?

10 years ago, cyber was not thought of as a risk to the business.   It was just a way to do business that was faster and less expensive.

5 years ago we started to think, in very rudimentary terms, that cyber was a small risk but we knew nothing about it so we will pass it to the ICT department for them to manage.

We did this because the perception of digital risk was purely associated with the ICT of the organisation.

Since 2014 and the Target hack, C level execs, boardroom members, owners, and managers, realized that digital risk was bigger than they expected and the departments that they had relied on to secure their organisations were not, in fact, doing the job to the expected level.

Definitely not their fault, there were a couple of reasons for this, the first being that they relied on people who were more focused on keeping the lights on, making the technology work, than securing the environments.

The other was whenever they, the ICT department / managed service provider tried to secure the business environment, and they would have done regularly, they were fighting culture, fiscal and attitude issues that just made it too hard to make the business environment safe.

In this environment most ICT departments / managed service providers resorted to a number of basic strategies.   Let’s get a decent firewall, let’s get a decent AV and let’s make sure that updates are applied.   This is close to 10% of the requirements to secure an organisation.

Digital and cyber risks are now the number one or two risk factors on management minds in today’s business world.

They still do not know how to manage it.

The hardest part is visualization.   How do those risks manifest themselves within the organisation?

No matter the size, the number of people you employ or the amount of money/revenue you make, digital risk can bring your organisation down in some cases literally overnight.   In fact, at the speed of Cyber!

Business management still thinks that ICT departments and managed service companies are the answer.

They are not!

Business security is a whole of business issue with a mantra that cybersecurity is everyone’s problem.   You need a team that crosses all of the lines of communication, from management to coal face.

You need people who understand the bad guys and can attack your system with the same capabilities and vigorous intention, but without the damage.

They need to approach the problem with the same intensity as the bad guys so that vulnerabilities can be exposed and removed, exploit can be counteracted and restricting a breach by monitoring the attack surface.

This will, in the end, make your environment more secure and stable.

You need someone with the right methodology, an understanding that technology is only part of the solution, and the ability to approach the huge problem in a manageable way.

It is only manageable when you address the areas apart from technology.

Thinking you are immune to a cyber event is a regular occurrence for SME’s

Even if you think you are immune to a cyber attack these ideas are critical to restricting the impact.

I want to talk about some of the problems we have encountered when being called into a cyber event situation for a new client.

Have you looked at all of our business risks?

Risk is the biggest invisible issue in today’s business world.

Most Organisation does not know how to evaluate the risks that their digital component brings to the Organisation because they cannot visualize the risk.

Only by looking at the digital risks will it become apparent that more is needed to be done.

Get some good legal advice!

We regularly come across businesses that do not know what their legal obligations are when it comes to protecting data that they are the custodian of.

If your Organisation collects information about a person or a business you are now the custodian of that data.   The legal implication of being the custodian need to be understood before you make the decisions concerning the information or type of information collected.

Always err on the side of less.  If you cannot justify it do not collect it.

Check your response plan!

When it comes to SME’s, they think they are Bulletproof.

It will never happen to us, we are too small, yadda yadda!

Well, NO.   A cyber event can happen anytime and to anything digital.   When it comes to a true cyber attack you need to have a breach plan.

A plan that tells everyone in your Organisation what you expect them to do, how they will do it, who they report to and the process needed to preserve evidence and get back to business as normal.   Without it, chickens missing heads, running, lots of running, come to mind!

Test your systems with a tabletop war game.

This is absolutely essential to any Organisation with more than 5 staff.

Run some hypothetical scenarios.    Think of a problem and make sure that everyone knows what to do if it ever occurred.   Especially test disaster recovery, business continuity and breach plans.

After testing the system do both a hot wash up (debrief) and a report.

Implement any discovered failures.   Things that could be done better.   Things that were done badly.

You do not want a real emergency to be the first test of these plans.

Test some “what if …” plans.

Another alternative is to come up with some unusual issues.

A fire in the building that does not impact your business but your business is in the same location and your staff can no longer get to the office, showroom, shop for a week.

What is the impact?   What is your solution?

Tested our backup, we have.

We have a rule.   When it comes to backups we have the 3-2-1 rule.

There are 3 copies of all data.   The original data plus 2 other copies.   Those 2 copies consist of an on-site incremental data copy and an off-site copy.  There is always 1 copy of the data stored off-site.

Once again a backup is useless unless it has been tested.    A regular restore copy of a couple of files should be documented every month.   A full-blown restore of the system should be done every year from both locations.

Who do we have to report to?

When it comes to a breach there also needs to be a reporting structure.   Part of your business continuity plan should be a list of people who are allowed to talk to the media, post on social media, talk to vendors or talk internally and to who.

Reputation always impacts needs to be controlled as much as possible in today’s live world.   The policies, plans, and tests will ensure that everyone knows what they need to do.

Does anyone know how to preserve evidence?

If you are knee-deep in a cyber event the last thing that anyone is going to think about is the preservation of evidence.

Once again if the breach plan has been tested then you will know what has to be done.   If would be cold comfort to know that someone who has ruined you life will not face the consequences because there is no evidence against them.

Preservation of digital evidence can also include the information and machine learning that comes from your System Information and Event Management system (SIEM).

Train everyone, security should be part of everyone’s role in the organisation.

Social engineering is the process of targeting people.

It is used to great effect against everyone in business.   Social engineering is a 2 fold process – the bait, the email SPAM, phishing and the bad technology – link, application or attachment.

Combined together they are an effective attack system for the bad guys.

To counteract the social engineering you need to educate everyone.   There are free online courses but additional resources can include competitions, posters.

Get a framework and implement it.

One of the best protective strategies any business can implement is a framework.   I recommend the National Institute of Standards and Technology (NIST) Cybersecurity framework.

By answering the 98 questions, you get an instant base level indication of where your Organisation is in regards to the security maturity.

A framework does a number of things.   It gives you a base level, it gives you a score between 0 and 4, it ensures that you do not forget anything and gives you a road map for business security within your Organisation.

As a flow-on effect, it gives you a score that you can compare apples with apples (security maturity with security maturity) against other Organisations.   When it comes to data sharing you can make informed decisions on how secure the other Organisation will be in regards to data protection.

You have done a vulnerability assessment

Every device that is connected to a network has the capability of compromising the whole network.   The first law of Cybersecurity is “if there is a vulnerability it will be discovered and it will be exploited – no exceptions”.

To ensure that those vulnerabilities are addressed you need to do regular vulnerability scans on the network.

This can be achieved with expensive or free systems.   Either type it is important that vulnerability scans are completed and mitigated and vulnerabilities are patched and managed correctly.

Cybersecurity is not easy!

There’s no such thing as set and forget when it comes to protecting your Organisation from a cyber event.

It is a diligent and continuous process that needs to be done correctly to protect the integrity of the data within your custodianship.

Keep it safe, protect it, monitor it and ensure that if something does happen you have a way back to business as normal.

How fast will your business be back to business as normal after a disaster?