How do we manage the risk of digital in todays business world?

10 years ago, cyber was not thought of as a risk to the business.   It was just a way to do business that was faster and less expensive.

5 years ago we started to think, in very rudimentary terms, that cyber was a small risk but we knew nothing about it so we will pass it to the ICT department for them to manage.

We did this because the perception of digital risk was purely associated with the ICT of the organisation.

Since 2014 and the Target hack, C level execs, boardroom members, owners, and managers, realized that digital risk was bigger than they expected and the departments that they had relied on to secure their organisations were not, in fact, doing the job to the expected level.

Definitely not their fault, there were a couple of reasons for this, the first being that they relied on people who were more focused on keeping the lights on, making the technology work, than securing the environments.

The other was whenever they, the ICT department / managed service provider tried to secure the business environment, and they would have done regularly, they were fighting culture, fiscal and attitude issues that just made it too hard to make the business environment safe.

In this environment most ICT departments / managed service providers resorted to a number of basic strategies.   Let’s get a decent firewall, let’s get a decent AV and let’s make sure that updates are applied.   This is close to 10% of the requirements to secure an organisation.

Digital and cyber risks are now the number one or two risk factors on management minds in today’s business world.

They still do not know how to manage it.

The hardest part is visualization.   How do those risks manifest themselves within the organisation?

No matter the size, the number of people you employ or the amount of money/revenue you make, digital risk can bring your organisation down in some cases literally overnight.   In fact, at the speed of Cyber!

Business management still thinks that ICT departments and managed service companies are the answer.

They are not!

Business security is a whole of business issue with a mantra that cybersecurity is everyone’s problem.   You need a team that crosses all of the lines of communication, from management to coal face.

You need people who understand the bad guys and can attack your system with the same capabilities and vigorous intention, but without the damage.

They need to approach the problem with the same intensity as the bad guys so that vulnerabilities can be exposed and removed, exploit can be counteracted and restricting a breach by monitoring the attack surface.

This will, in the end, make your environment more secure and stable.

You need someone with the right methodology, an understanding that technology is only part of the solution, and the ability to approach the huge problem in a manageable way.

It is only manageable when you address the areas apart from technology.

Thinking you are immune to a cyber event is a regular occurrence for SME’s

Even if you think you are immune to a cyber attack these ideas are critical to restricting the impact.

I want to talk about some of the problems we have encountered when being called into a cyber event situation for a new client.

Have you looked at all of our business risks?

Risk is the biggest invisible issue in today’s business world.

Most Organisation does not know how to evaluate the risks that their digital component brings to the Organisation because they cannot visualize the risk.

Only by looking at the digital risks will it become apparent that more is needed to be done.

Get some good legal advice!

We regularly come across businesses that do not know what their legal obligations are when it comes to protecting data that they are the custodian of.

If your Organisation collects information about a person or a business you are now the custodian of that data.   The legal implication of being the custodian need to be understood before you make the decisions concerning the information or type of information collected.

Always err on the side of less.  If you cannot justify it do not collect it.

Check your response plan!

When it comes to SME’s, they think they are Bulletproof.

It will never happen to us, we are too small, yadda yadda!

Well, NO.   A cyber event can happen anytime and to anything digital.   When it comes to a true cyber attack you need to have a breach plan.

A plan that tells everyone in your Organisation what you expect them to do, how they will do it, who they report to and the process needed to preserve evidence and get back to business as normal.   Without it, chickens missing heads, running, lots of running, come to mind!

Test your systems with a tabletop war game.

This is absolutely essential to any Organisation with more than 5 staff.

Run some hypothetical scenarios.    Think of a problem and make sure that everyone knows what to do if it ever occurred.   Especially test disaster recovery, business continuity and breach plans.

After testing the system do both a hot wash up (debrief) and a report.

Implement any discovered failures.   Things that could be done better.   Things that were done badly.

You do not want a real emergency to be the first test of these plans.

Test some “what if …” plans.

Another alternative is to come up with some unusual issues.

A fire in the building that does not impact your business but your business is in the same location and your staff can no longer get to the office, showroom, shop for a week.

What is the impact?   What is your solution?

Tested our backup, we have.

We have a rule.   When it comes to backups we have the 3-2-1 rule.

There are 3 copies of all data.   The original data plus 2 other copies.   Those 2 copies consist of an on-site incremental data copy and an off-site copy.  There is always 1 copy of the data stored off-site.

Once again a backup is useless unless it has been tested.    A regular restore copy of a couple of files should be documented every month.   A full-blown restore of the system should be done every year from both locations.

Who do we have to report to?

When it comes to a breach there also needs to be a reporting structure.   Part of your business continuity plan should be a list of people who are allowed to talk to the media, post on social media, talk to vendors or talk internally and to who.

Reputation always impacts needs to be controlled as much as possible in today’s live world.   The policies, plans, and tests will ensure that everyone knows what they need to do.

Does anyone know how to preserve evidence?

If you are knee-deep in a cyber event the last thing that anyone is going to think about is the preservation of evidence.

Once again if the breach plan has been tested then you will know what has to be done.   If would be cold comfort to know that someone who has ruined you life will not face the consequences because there is no evidence against them.

Preservation of digital evidence can also include the information and machine learning that comes from your System Information and Event Management system (SIEM).

Train everyone, security should be part of everyone’s role in the organisation.

Social engineering is the process of targeting people.

It is used to great effect against everyone in business.   Social engineering is a 2 fold process – the bait, the email SPAM, phishing and the bad technology – link, application or attachment.

Combined together they are an effective attack system for the bad guys.

To counteract the social engineering you need to educate everyone.   There are free online courses but additional resources can include competitions, posters.

Get a framework and implement it.

One of the best protective strategies any business can implement is a framework.   I recommend the National Institute of Standards and Technology (NIST) Cybersecurity framework.

By answering the 98 questions, you get an instant base level indication of where your Organisation is in regards to the security maturity.

A framework does a number of things.   It gives you a base level, it gives you a score between 0 and 4, it ensures that you do not forget anything and gives you a road map for business security within your Organisation.

As a flow-on effect, it gives you a score that you can compare apples with apples (security maturity with security maturity) against other Organisations.   When it comes to data sharing you can make informed decisions on how secure the other Organisation will be in regards to data protection.

You have done a vulnerability assessment

Every device that is connected to a network has the capability of compromising the whole network.   The first law of Cybersecurity is “if there is a vulnerability it will be discovered and it will be exploited – no exceptions”.

To ensure that those vulnerabilities are addressed you need to do regular vulnerability scans on the network.

This can be achieved with expensive or free systems.   Either type it is important that vulnerability scans are completed and mitigated and vulnerabilities are patched and managed correctly.

Cybersecurity is not easy!

There’s no such thing as set and forget when it comes to protecting your Organisation from a cyber event.

It is a diligent and continuous process that needs to be done correctly to protect the integrity of the data within your custodianship.

Keep it safe, protect it, monitor it and ensure that if something does happen you have a way back to business as normal.

How fast will your business be back to business as normal after a disaster?

Encryption and Backups are your fall back position

When it comes to business security there are 2 systems that will save you after the impact of a cyber event.   The first is a good backup and the second in encryption.

Neither of them is as foolproof as business owners think.

Understanding the importance of backups.

The whole point of a comprehensive back up regime is to be able to get back to business as normal as fast as possible.

A good backup will help you achieve that.   So will a good disaster recovery plan, a decent business continuity plan as well as building in as much resilience as possible into the organisation itself.

Like any plan or solution it has to be tested, it has to be stressed and more importantly, everyone in the organisation needs to know what to do, where information is and how to implement those plans.

Failing to test or improve from the experiences of real-time tests and war-games is usually where an organisation fails.

You cannot improve a system unless it is tested regularly.   Once tested you can rectify issues discovered during the testing.

You DO NOT want to have the cyber event as the first test of system failure and recovery.

What to do with backups.

When it comes to a backup it needs the following items in place.

  • A copy of all critical and non-critical data stored in another location.
  • A copy of that information only connected to the system when it is doing a backup
  • A process that has no human requirements except to check it has happened and fixing it when it fails (immediately)
  • A system that is regularly tested and improved.  In business everything changes, the systems and data need to be tested but the people involved as well.

Protecting your encryption keys

The second component is encryption.   Seen by many as the silver bullet of data security, it is just another deterrent.   If your data is stolen then encryption will ensure that the data is unreadable, unless the bad guys have the keys.

The most important component of encryption is the security of those keys, if the keys are stolen or get out the encryption is useless.

So protecting those keys is more important than protecting the data the keys are securing.

When it comes to SME’s, not for profit organisations and charities we often find the security keys, especially for securing websites, just lying around a system.   Usually, they are saved in a folder called certificates with no added security around those files.

Protecting your encryption

There are many ways of using encryption and all of them cannot be discussed here so here are a few ideas.

  • Make sure your encryption key is not hardcoded into the applications using it.
  • Make sure your encryption key is your property and not owned by a third party.
  • The encryption keys should never be stored on or in the same system using them.
  • Make sure there is an audit trail in their use.
  • Only use one administrative account to encrypt data, record that account and the password in an out of band location, only used for that specific role.
  • Your keys can be encrypted!
  • Cryptographic keys change regularly, create a policy, process and procedure around that requirement.
  • Back them up.   The keys can be stored on an encrypted thumb drive and stored in a secure location. IE – a safe (part of the policy?)

To stop a cyber event instead of just recovering from one you also need to implement other components.   To survive the onslaught of cybercrime, follow and implement the best practices documented all over the internet.

A plan B is important, just like insurance is important.   When everything else fails your recovery is critical.

The CareMIT Security Methodology will help you secure your systems, people and data.

Why you need an off-site backup

Off-site, secure, out of band backups are your only hope for recovery in a cyber event

Ransomware, the scourge of today’s business, is literally a click away from crippling your business and organisation.

Attackers can reportedly execute the malware and begin encrypting most file types and removing all local backups. It is still unclear how much the demanded ransom is, but researchers have found that TFlower doesn’t append the encrypted files’ extensions.” Connor Madsen webroot. https://www.webroot.com/blog/2019/09/20/cyber-news-rundown-tflower-ransomware-exploiting-rdp

A determined crypto-virus attack on your organisation can reduce the organisations chance to make money, it can impact your reputation and can cause problems for months if not years.

Even an accidental infection, most result from an accident, can cause similar effects.

In the event of a crypto-virus attack, especially for small and medium enterprises, you have 2 options.

  • You pay the ransom – you may get your data back, you may get some of it back or you may get none of it back, we are after all talking about a criminal organisation that is holding your data to ransom.
  • You recover from your backup.

Paying the ransom is up to you, most security and ICT companies will say not to pay.

If you have a security or ICT company, or someone in your organisation that does the job they would have told you to do a backup.

Your back up has to cover the following:

  • It should be regular – depending on your requirements for the data and access to the data a back up should be completed every 24 hours.   A better solution is to have an incremental backup every 15 minutes.
  • It should have no human intervention – the backup has to run no matter what.  If you are backing up to a hard drive, connected to your device and you require someone to change drives then human error comes into it.   The old adage that the backup will fail the same day you need it is true.
  • It should be off-site – As in totally away from the business but also not connected to the business except when it is doing a backup.
  • It should be secure – all the data, no matter where it is stored should have encryption wrapped around it.   It should be encrypted at rest (stored on the location), it should be encrypted in transport (getting there and back) and it should be encrypted if you are going to use it.  This stops the information being stolen but also being accidentally accessed by the provider.
  • It should be tested regularly – you have done a backup and that’s all I have to do.   No, you need to test it regularly.   Do a regular restore to test that it works and also to ensure that you are backing up ALL of your essential data.   You do not want to be in a situation where a failure is your first test.

Achieving all of these components is difficult.   Try talking to us or a reputable ICT and security provider concerning your options!

Click here for your free trial of a secure, out of band off-site backup solution.

Cybersecurity, (Business Security) the art of dealing with risk

When it comes to cybersecurity or Business Security, the buzz words thrown around by salespeople are polluting the board room and confusing the owners, managers and C Level Execs of SME’s and charities.

They are making it harder for you to discover and understand why you need to define your risk prior to making any decisions about purchasing anything.

When it comes to protecting your organisation from a cyber attack it is all about risk.

The snake oil salesman, carpet baggers and sleaze balls are attracted to our industries in droves.

Why?

Just like in the past, it is easy to confuse someone with catch phrases, innuendo and just plain bull sh*t to purchase product that will not work or has been sold to an organisation as a panacea of all their ills when it comes to cybersecurity.

Big words and even bigger promises are the problem.

There is no “silver bullet” solution out there.

Business security is all about hard work.

It is an investment in time.   It is an investment in understanding and most of all, it is an investment in protecting the many facets of your organisation.

A single solution will not do that.    It cannot be done with the installation of a simple device.

When it comes to business security you have to analyze your risk.

The risk to business.   The risk to the business.   The risk to the people in the business and most of all, the risk to your clients.   Not protecting their data will result in a lost of revenue, confidence and subsequently profit.

That is only the tip of the iceberg.    After an breach it gets worse from there on.

The problem with risk is that risk is hard to visualize.

Most of us have problems with abstract ideas, risk management and risk assessment, if not done correctly are exactly that – abstract.

To move it from abstract to real we have to visualise the risks.   Once we understand the risks we can mitigate them in a manageable way.

The mitigation of a known risk maybe the installation of an expensive piece of software/hardware.

You still have to understand the risk and mitigate it before you justify spending those thousands of dollars!    That investment may only cover one risk, what about the other 49 you have discovered when you did the risk assessment?

We are in the process of putting together a special board room meeting, just for board members, owners, managers and C level execs.   It is a hands on process, working on your environment, to understand the risks and the subsequent ways to protect your organisation in todays digital world.

There is no sales pitch, we are not selling anything but you will walk away from the boardroom with a better understanding of your risks, what they are, how to reduce them and what you need to do moving forward.

Risk Management Game and Resources

Cybersecurity is everyone’s job!

Like every organisation, small and medium business have similar problems when it comes to getting people to focus on digital security.

These are some of the inane comments we hear when we discuss digital security with staff and management of SME’s

  • Cybersecurity is Not my problem?
  • Why should I worry about that, we have a firewall?
  • Isn’t that an IT problem?
  • My staff and management teams would never do that!
  • Everyone has the same password for our business system, why is that a problem?
  • We do not see any reason to use complex passwords!

As you can see all of these comments have one thing in common.   Digital security is someone else’s problem.

The first people who will notice a problem with their computer will be the people who are using it the most.

  • They will notice a drop in performance.
  • They will notice when something is not working at an optimum.
  • They will notice that something is not working at the precise level that is needed for them to do their job.

In today’s business world it is very important for all users to understand that they are a target of digital crime.   Being a target means that they need to do something, anything they can to protect themselves from cybercrime.

Cybercrime is what it is.

  • Get infected with a virus = cybercrime.
  • Open a link in an email and have everything encrypted = cybercrime.
  • Full-blown DDOS attack = cybercrime.
  • Just being connected to the digital world makes you a target.   The less protection you have makes you an easier target.

Get over it – anyone who has a device that connects to the digital world is a target.

  • Mobile phone = target.
  • Smart Tablet = target.
  • X-box = target.
  • Computer, server, cloud-based systems are also targets.

In addition to these comments, the digital criminals are clever, persistent and always on the lookout to compromise your system.

The Insider Threat

We have all heard about how the insider can wreak havoc on your business. Yet, business owners and other staff don’t understand how much actual damage they can do.

From a Business Security perspective we’ve definitely experienced people in the workplace who:

  • are self-important
  • always in a hurry
  • not focused on the business at hand.

These Insiders can also have a detrimental impact on business security.

Here are 7 types of Insider Threats who make the insider threat real to any organisation.

1. Convenience seekers – bypass protocol, too hard, too busy

We have all seen them in business.   They jump here and there and start a huge number of jobs but never finish them, or finish them haphazardly.

They are more interested in their own work, not in keeping the company safe. Passwords, Updates and scans are usually bypassed. When something goes wrong, it is never their fault. Clicking on an email link without using commonsense is a primary example.

They are the first to complain about the time it takes IT support to remove a virus. By bypassing the organisation’s Cybersecurity, they put the whole organisation in danger.

Solution – get them to slow down, their job is no more important than anyone else’s.

2. The accidental victim – makes mistakes, doesn’t think

These are the people who are too timid at work. They fear making mistakes, but, by fearing reprisals and keeping quiet, they are the victim. The company suffers as well.

The accidental victim is either an older employee, or a new starter. They are very noticeable in not for profit organisations.

Solution – Provide education and training in the use of computers. Explain what’s expected in their role within the organisation.

3. They know everything – oversharing

This person is very good at big-noting themselves. They use their knowledge of the organisation to place themselves in avoidable situations. They overshare critical and confidential information in email. They don’t think about the consequences of sharing on social media and also in meetings.

Solution – separation of information,  restrict access to the information within the organisation.

4. Untouchables – it will not happen to me

We get these type of people in all types of business.  They are the second cousin to number 1.  I am not a target of cybercrime, it will never happen to me because I have nothing worth stealing.

With technology changes over the years, a bored 14 year old can be the attacker. Access to the internet is their tool. Every internet user or business is a target. Anyone can be attacked and everyone needs to take the necessary precautions.

.Solution – providing education and training.

 5. Entitled ones – access to everything because they ‘want to know’

The Entitled employee is one of the most dangerous non-malicious insider. Their laptops or tablets have the organisations secrets and use free wifi in cafes. They have no business reason to keep all that critical information, but they have to have it.

This means that there is a greater risk of the company information either stolen or attacked.

Solution – need to know.  Stop allowing access to data by staff who don’t need it. Segregate it into public, commercial in confidence and critical.   If someone does not need the information then deny access to it.

6. Traitors – malicious insiders

Previous to this one, the insiders have been the result of stupid behaviors. The Malicious Insider is a malicious person. Their focus is on them. For whatever reason, they might intend to leave, have a grudge against the company or an employee. They won’t hesitate to go to your competition with all your corporate data.

Solution – at the first whiff of someone leaving walk them out the door. Don’t keep a bad apple in the basket. 

7. The secret insiders – the bad guys, in the first stages of an attack

These are the true bad guys, the ones you should be protecting your organisation against.  They may have infiltrated your organisation via one of the other insiders, and are now able to do damage. They could have become an insider through social media, email or web based attack. The secret insider isn’t an employee. They are not answering to your policies and procedures. They will damage your organisation, because you don’t have protections.

Solution – increase awareness, do a penetration test and review the report, then do it all again. Regularly.

These Insider Threats are the ones we have come across.   Some can be a combination of one, two or three traits.  The best way to protect yourself from the insider is to pay attention to your staff and your management.

The best way to find out what your organisation needs to do to be safe is to:

1. Use the CareMIT Digital Diagnostic Tool

2. Come to one of our regular quarterly “Security Board Meetings

Its just not business security you have to worry about

Security!   The problem with security especially cybersecurity is it is not sexy.

In most cases, it is downright boring.

Although not sexy and downright boring it is still something that every CEO, manager, owner, and board member has to focus on.

With all of the automated attack vectors available to the cybercriminals, we can no longer say we are not a target.   We cannot say we have nothing worth stealing.

The more and more reliant business has on the digital world the greater the chance that a cyber event will cripple the organisation.

What are the main things that every management type needs to focus on when it comes to prevention of a cyber event?

Here are a few!

The cost of a cyber event.

The cost of a cyber even can range from lost time and functionality within the organisation to more money than the organisation can find to pay for the breach.

Cryptovirus is an example of lost time and functionality.  If you do not have a functioning and tested backup of the data, you have to rebuild the offending device but you will also have to also replicate all of the data.

A full-blown breach by a dedicated black hat hacker can steal everything and then use your system as a platform to target your clients, suppliers and staff.   When that happens you realize that you are NOT too small to be a target

How they get into your system

The go-to weapon of most cyber attacks is social engineering.   Two parts of a very effective attack strategy.   The technology to effect change, follow a link to an infected website, click on an ad in social media or open an attachment in an email, combined with getting you to trust them where you let them in.

Either way, they are now in.

Risk and problems just compounded.

Simple ransomware for instance, the initial encryption of data is only one of the stages of the attack.   What about stage 2,3 and 4.

Wannacry showed us that a combination of 2 attack vectors allowed a single infection to traverse a whole network.  One computer is a problem for any organisation.   All of the computers is a nightmare.

The protection challenges

In most situations managers, owners, executive, and board members do not understand the digital realm.   Risk management of data (a critical component in today’s business world) is often overlooked and considered an ICT problem.

It’s not!   Today’s digital security challenge is everyone’s issue and the sooner it gets noticed as a business risk and treated as such the faster we will see a reduction in attacks.

From the largest organisations to the smallest single entities, we all keep critical data in places that are easily accessed, relatively unprotected and mobile.

What are you doing to manage the expected cyber events that could cripple your organization?

There is no single, simple fix.   If there was everyone would be safe.

It is a complex issue and one needs to dedicate some time, money and expertise to understanding the issues and risk associated with a cyber event.

The best way to find out how vulnerable to a cyber event your organisation is.   Use the CareMIT Digital Diagnostic Tool or come to one of our regular quarterly “Security Board Meetings

Why your charity is a great target for cybercriminals

You are doing a great job.   You manage, support a small charity, not for profit organisation and love what you do.

Your primary focus is to get as much done for your charity.   It could be donations, volunteers or grants but all for your primary charity focus.

Your whole role is to make sure that as much money goes through to the people in need.

Now I want you to step back and answer a couple of questions.

  • What would happen to all those good intentions if you got hacked?
  • How many of your supporters would you lose if you got hacked?
  • What would happen to your reputation if you got hacked?

But, it would not happen to you, would it?

Let me tell you a not so secret secret!

You are a target!

Maybe not a target of a full-blown black hat attack but you are a target none the less.  The analogy that I use is “what is the chance that a black belt martial arts person is going to beat you up?” Probably very remote!

When it comes to a cyber event, the black hat attacker is not the problem.

The problem is the hugely available and easy to use automated systems that are available for any person with an inclination to use them.

These automated systems create malware, deliver it, track it, monitor it, manage the stages of an attack and manage and control the money being made.   All a “ hacker” has to do is be willing and ethically capable and pull that trigger.

The risk to your charity organisation is significant.

Our attitude to the digital world as it is just a tool and anyone can use it is having a huge negative impact on business because it is not.

I can guarantee that your charity has a board, it has used a legal company for the structure and has an accountant to look at the books, but the most essential component of the organisation is what you put into the digital world.

From desktop computers to smart devices and cloud-based systems and services, the digital world is all around us.

We treat it like the normal world, that is bad.   Theft in the real world is seen and actioned, in the digital world, it is not.   I could have access to all of your data and you may not even know it is happening.

You need to talk to a MBSSP to bring your organisation to a level where your business security will protect the organistion, the data, the users but most importantly your clients, volunteers and supporters.

Without them you cannot function as a charity, and all your good intentions will disappear.

The best way to find out how vulnerable to a cyber event your organisation is.   Use the CareMIT Digital Diagnostic Tool or come to one of our regular quarterly “Security Board Meetings

Business Security – Don’t do it yourself!

When it comes to business security, most people think that it is a no brainer!

Delegate to the IT department and it is done.

If you want to be a target, maybe get your 2 minutes of fame on the nightly news and want a cyber event to impact your reputation, finances, operations, and legal capability then, by all means, ask the IT department.
Business security is all about the business.   Yes technology and the IT department are a component but they are not the most important component of the requirements to secure the organisation

Business security starts at the top.   Board Members, managers, and owners are required to look at the business and work out where an attack could come from, calculate the destructive effects, mitigate those effects and then implement protective strategies to cover those attacks.

This is very hard to do when your expertise is based on your core business.   Your core business could be anything – legal, finance, manufacturing or even charity based.   You are good at what you do, that means that you are not the best at understanding the problems associated with business security.

This is when you need the Board, management, and owners to look outside their organisations, to people and organisations that focus on business security.   Business security is their core business!

From a management perspective, business security is all about risk.   Risk assessment, risk management and then risk reduction.   Your organisation has to have an understanding of their risk appetite before they can implement change and reduce those risks.

Business today is wholly dependent on the digital.  We would not be able to do business without it.    Each of those digital components has a risk factor requirement.   Do you know what they are?

A business security risk assessment is the first step in Business security.

The best way to find out how vulnerable to a cyber event your organisation is.   Use the CareMIT Digital Diagnostic Tool or come to one of our regular quarterly “Security Board Meetings“.