Do a podcast they say, it’s easy they say. Sure it is!

Do a podcast they said, it’s easy they said!

Sure it is!

A touch of sarcasm there I am afraid.

My first idea for a podcast was to interview people who had been targeted, exploited and/or who had experienced a cyber event.

It would be full of information about, no wait…..

No one is going to talk about being breached!

That conversation, if they had lost thousands of dollars or worse closed their doors, would be way tooooo painful.

Although it would be of huge benefit to others and my target audience it would definitely be detrimental to the interviewee’s health

If they survived, talking about it would have a negative impact on their revenue, reputation and brand.

Not the best idea I have had.

Scratch that!

Second idea!

Let’s interview people in the industry.

A bit of research on the interwebs and it confirmed a long-standing realization that not-for-profit organisations, charities and small and medium businesses are treated shoddily by the cybersecurity industry.

After a couple of conversations, I soon realized that the best in cyber had very little understanding of the space that is occupied by organisations with less than 50 staff.

There are a number of people that are in the cyber industry who are wholly based in normal business and who understand cyber and smaller organisations.

I actually hope that I can interview them, but

Most do not understand the challenges and problems associated with a struggling small and medium business environment.

Where making a simple decision could mean that you have a cash flow issue, a marketing issue, a cyber problem or a going out of the business problem

So number 3 idea was born

There are two areas where everyone has problems in cyberspace.

The first are NFPs, Charities and SMEs.

Second, are the elderly and mature.

Coming soon as a podcast and video:

“Need help – ask Roger”

Cybersecurity for normal small businesses.

Some straight answers to cyber questions that the others are reluctant to answer.

A podcast about how to build resilience and security into your business from the basics up.

Get answers to the questions that you need to ask about business security

And to make myself even busier I thought,

“An old persons take on protecting their digital stuff”

The most under-protected user of the digital world are the elderly, retired and mature

This area of the population are uneducated and ill-informed but most important they are innocent to the true capability of the cyber-criminal.

This makes them the number one target for the cyber creep.

They are under constant attack through scams, extortion and fear-mongering.

Hopefully going to be launching them both this month, see lockdown has some advantages.

The first episodes of both of them went live this week all I have to do is find the URL for them

#nonprofits #smallbusiness #ExecutivesAndManagement #AccountingAndAccountants #ProfessionalWomen #ceo  #CareMIT #cybersecurity #infosec

Cybersecurity for the C suite executive (CEO, CFO,COO)

Cybersecurity for the C suite executive (CEO, CFO, COO).

Lets look at the facts!

No matter the size, shape or industry of an organisation.

No one is fully prepared for a full-on, bare knuckles, cyber ninja assault.

We are not talking about a random attack.

An attack that is being perpetrated against your organisation with Metasploit and a new copy of Kali.

This attack is from Mr. Creepy!

He knows what he is doing.

He knows what he is after.

But, more importantly, he also knows how to get it.

He has studied your organisation for months to find your weaknesses.

He has the skills and resources (very important) to break in and steal your crown jewels.

These are the people who give my industry grey hairs and stress lines.

Thinking that there is no way that you would be targeted by a professional is a grave mistake.

Because It no longer needs to be a professional!

They are quite happy to train others in the required skills.

They are quite happy to sell others their expertise.

They are quite happy to tell others where they are going wrong.

They have created capabilities and skills that they have incorporated into something to sell.

This increases the capability of the inexperienced cybercriminal immensely.

Want to avoid being on the radar as a prime target then YOU NEED TO DO SOMETHING.

Here is something to start with.

Cybersecurity checklist

#nonprofits #ExecutivesAndManagement #AccountingAndAccountants #ProfessionalWomen #ceo #CareMIT #cybersecurity #infosec

If you are not worried about a cyber-attack then you have probably not been given the right information

If you are not worried about a cyberattack then you have probably not been given the right information!

#Cybersecurity or business security should be one of those areas of business that keeps you up at night.

To tell you the truth it should be one of those areas that terrify you!

When the script kiddy targets you with a random automated attack it is not personal, it is just business.

If you have done nothing or very little in the way of protection then you quickly become a victim.

With the average time inside a network of more than 250 days, most organisations have no systems or capabilities to detect them never mind identify or stop them.

From initial infection to the point where your world ends can be as little as 24 hours or they can sit inside your network and wait.

6 – 12 months is normal.

In that time they are documenting your network, your people, your intellectual property, your systems, your access to money and anything else that they can find.

While you are blissfully unaware of them being there they are getting ready to deliver the coupe de tar.

In addition, while they are rummaging through your proverbial underwear drawers your systems could be spamming your friends, running denial of services attacks on corporate networks, bitcoin mining, storing porn for pedophiles all while they destroy your backups and other systems.

And that is just a random capability from an inexperienced criminal, just imagine what Mr. Creepy can do you if he singles you out and makes you his sole purpose in life!

We have put together a simple 2 page ransomware advice brochure (The before, during and after plan) that could go a long way to reducing the impact of a ransomware attack.

#nonprofits #ExecutivesAndManagement #AccountingAndAccountants #ProfessionalWomen #ceo  #CareMIT #infosec

Download your ransomware guide

Where to start your Business Security / Cybersecurity Journey

Start


Time

3-hour program

What is done

Audit on assets and risk management.

What you get

  • Report on where your organisation is in relation to business security
  • Roadmap to implement basic changes to your business organisation
  • A number of process, procedure and policy templates
  • A number of Plans templates

Tools we use

  • Care-app diagnostic tool
  • Questionnaire similar to basic SWOT
  • Proprietary diagnostic tools
  • Open-source intelligence gathering tools

What do you need to do

  • Implement changes
  • Discuss with management
  • Implement proactive responses to cybersecurity

 

Threshold


Time

8-hour program

What is done

 

What you get

  • Implementation of Internet policy
  • Implementation of online security awareness program
  • In depth Risk analysis
  • In depth Risk mitigation process
  • Full blown digital SWOT

Tools we use

 

What do you need to do

 

 

Baseline

What is done

 

What you get

 

What do you need to do

 

 

Beyond

What is done

 

What you get

 

What do you need to do

 

 

Cybersecurity: Why business security is all about increased profits, productivity and resilience

A bright gold "TRUST" stands atop a dark gray "FEAR" on a deep blue background with light rays shining through both words.

There is a down side to a cyber event and I can tell you, every part is down!

Our role in business security (#cybersecurity) is not to scare the crap out of you but more to educate you in the ways of the cybercriminal.

Have you ever thought what could happen to your company if you did get hacked?

If your organisation was breached by a target cyber attack?

Here are some calculations for you to think about that are factored in when discussing a breach and calculating the impact.

How much down time is too much.

Every organisation has a finite level of payments for staff and workers.

Normally it is calculated in annual, monthly or weekly terms but if we bring it down further, the average cost per hour to the business of wages is considerate.

If your staff can not work due to a cyber event then the costs quickly add up.

How much will it cost to fix

Apart from the old adage of "how long is a piece of string" working out the cost to fix a breach (back to business as normal) really does depend on the severity and the infrastructure.

A targeted attack against an company compared to a random virus infected computer are at opposite ends of the spectrum.

Either one has to be cleaned, restored, rebuilt and checked.  The most overlooked cost is the time it will take to recover.

Impact on revenue

We are all in business to make money.

When the incoming money stops then the company will starve.

If your business is making $20,000 per day and you cannot receive that income for 5 days. What is the impact?

Impact on clients and customers

What happens if you go to a shop and they tell you that they cannot do something because the computers are not working.

You customer has a choice either come back later or buy it from someone else.

Recently Woolworths had a failure in their link to the bank and could not process credit and debit cards. People were leaving trollies at the checkouts and walking out.

Impact on productivity

No matter how you look at it all of these wonderful devices we use in business are just tools.

Our computers, cloud based systems, smart devices, IoT things and phones are just tools for the business to streamline productivity.

If a carpenter cannot use his hammer, how does he hammer in the nails?

When the tools cannot be used then alternatives have to be addressed and implemented.

Impact on staff and management

Not only have you got your team sitting around doing nothing but still getting payed there is a good chance that you now also have a moral problem

There will be recriminations, frustration and anger.

It will radiate out from the team, the groups and the organisation because people are no longer doing what they are good at.

A lack of trust

Outside in the market place there are now rumours about what happened, how it happened and what information of MINE has been exposed to the bad guys.

The only way to counteract a trust issue is through communication.

And now you have a compliance and governance issue

There is a substantial reporting requirement around a breach of an organisation.

Part of the cyber compliance requirements for anyone in business today is in the event of a breach you have to report to a number of government and industry bodies.

Depending on your stance prior to a breach will also depend on how much trouble your business is now in.

Good business security will increase profits, productivity and resilience.

It does not do it as a direct impact on the organisation but it does it through proactivity and making sure that the company has well tested contingency plans.

It may not be noticeable but identifying and addressing the risks, mitigating those risks to a manageable level.

Then implementing the right systems you can avoid the additional costs to the business that a cyber event will deliver.

Secure your business!

Get proactive!

Do the scorecard!

https://caremit.scoreapp.com

How to avoid being a target of script kiddies!

There is a huge difference between a cyber attack generated by a script kiddy running an automated system and one where you are being targeted by a dedicated hacker.

For one, if you are targeted by a dedicated hacker then you already know that you have something worth protecting and you have, hopefully, done something about it.

The biggest problems with cyber attacks on the internet are that 95% of them are coming from an automated system controlled or managed by trainees (script kiddies).

Automated systems have three reasons they are used:

  • They are easy to get.
  • They are easy to use.
  • They are easy to make money out of.

They are easy to get!

There are a number of ways for anyone to get hold of an automated system. They can download an operating system that has an automated system running on it. Kali, Parrot OS or Black-arch are all very good examples but there are others.

Designed as penetration testing tools, these systems have all of the requirements that they need to target organisations, multinationals, or anyone connected to the digital world.

Before you ask, yes it is all legal and above board as long as you are not targeting someone else.

To make these systems more effective they allow them to either download additional components from GitHub or design and program your own applications.

They are easy to use!

The old saying that whenever anything is free you are the product rings true with these systems as well. The creators of these systems keep track of people using them and incorporate any updates into their own releases.

To set up one of these systems all you need is a computer. Once you have administrator access to a computer you can download a virtual environment (VMware if you have some money or Virtual Box for free) and you can then install these operating systems as a virtual operating system.

You can even run the operating system on a microcomputer (Raspberry Pi) for under $100.

Once set up you now have access to the tools and capabilities that, if used correctly, can rival someone who has been in the industry for years. Almost like a novice woodworker creating a dovetail joint on their first try without knowledge of what to do.

No training, just using other people’s knowledge.

In addition, and a bigger issue, what they do not know can be learned or discovered by simply searching google.

The capability and effectiveness of these systems allow them to set up the automated attack and target a huge number of vulnerable systems based on blocks of internet-based addresses.

Simply they can find out if there is a targetable vulnerability just by using facets of the automated systems.

They are easy to make money out of!

These free operating systems have the capability of making money.

To make serious money, though, you need to work with partners. Working with partners can be both beneficial as well as detrimental to their own security.

When it comes to making money it is either through selling information on the dark web, selling cryptovirus decryption keys to vulnerable people or selling access to compromised systems to leverage other attacks.

How to avoid being a target of script kiddies.

To avoid being a victim you need to implement some protective strategies.

You need to apply the CareMIT business security methodology to the organisation but to start at the basics this is what you need to do:

  • Patch and update everything – operating systems, application and to really be secure remove anything that you do not use from the system. This is applied to computers, websites, servers, and smart devices.
  • Disable macros – do not allow macros to run on the computers
  • Use complex, unique and more than 12 characters for every site, service or system in the digital world
  • Use 2 factor or multi-factor authentication. If you manage websites or other cloud-based services make sure the third level of security is in place – captcha
  • Only allow good applications to run on the system. This is called application whitelisting and only approved applications are allowed to run. There are some anti-virus systems that allow you to do this.
  • The last one is critical to your sanity – DO A BACKUP. All the bad guys have to do is win once. A backup ensures that if and when they win they have not really won.

At the basic level, the users of these automated systems are just as vulnerable as the people that they are targeting. A severe case of “user beware”, because if you do not configure the system correctly you are just as vulnerable as your targets.

At the most fundamental level, we all know that most people between 13 and 30 have a limited ethical attitude and good and bad is debatable.

That’s why we have the proliferation of these systems.

Secure your business!

Get proactive!

Do the scorecard!

Read your report!

Linkto scorecard https://caremit.scoreapp.com

#ceo #ExecutivesAndManagement #ProfessionalWomen #CareMIT #cybersecurity #infosec

All organisations must face up to their business security requirements

Since small and medium businesses, charities and not for profit organisations are now the bread and butter of cybercriminals targeting.

Isn’t it about time that we started to look at the reasons?

Reason 1 – SME’s have a lack of expertise!

The digital world is complex.

Every area requires a different set of skills and knowledge.  There are areas where some of the skills and requirements flow from one area to another, but these are definitely an uncommon occurrence.

The skills to implement and manage a website are different from networking which in turn are different from the requirements for coding.   Its not the fact they are different, the problem is the required level of skill to do it correctly.

Anyone with a little bit of help can write code, but to write it correctly, securely and properly requires years of skill and practice.

When it comes to the business world, we have a significant requirement for using the digital world.  In most cases, we see the introduction of a digital component into an organisation as easy.

It is not.   To implement and configure is easy.   To implement and configure securely, correctly and in a way that will benefit the organisation takes more than a fundamental underlying knowledge.

Reason 2 – SME’s have a lack of time!

Most SME’s are doing more with less just to keep themselves in profit.   Throw in another complicated process or system and they now have more to do with the same amount of time.

Business security takes time.   To secure an organisation takes time.

A solution is to employ someone on staff to manage the ICT and we will then give him the role of security professionals.   Getting someone with the required skills will cost money.

The second alternative is to enter a service level agreement (SLA) with a Managed Service Provider (MSP) and contract the support of the OCT and security to someone else.   Again this requires the correct skills as well as culture.

Both options will free up some time.

Reason 3 – SME’s have a lack of money!

Security solutions for SME’s can be expensive.   When it comes to technology and the integration of different technologies into the business environment we see some significant costs.

Comparing the costs of a breach to the costs of putting the right technology in place, it is a no brainer, but not until after the fact.

SME’s have the same compliance and governance of multinational corporations but do not have the resources to implement tier 1 or 2 technological solutions.

They make do with what is available and inexpensive not realizing the impact of these additional vulnerabilities can have on their business.

We know the problems here are some solutions

To reduce all three of these issues, as already mentioned is a contractual agreement with an MSP or a Managed Security Solution Provider (MSSP).

They bring the required expertise, they free up time and in most cases they are a viable and cost-effective.

A better solution is to look for an Organisation that has normal MSSP skills but has the capability to add additional security components around your Organisation.

Why 2020 could be a bad cybersecurity year for SME’s

SME’s are a prime target for cybercrime.

They have reduced expertise, minimal money, and an attitude, we are too small to be a target, that leaves them wide open to a cyber event.

Our industry, the people who know and think we understand the bad guys have been pushing for an attitude change for the last 10 years. In a large number of ways, we have failed, especially in the SME space.

In some, we have failed significantly.

By the time we get called in, after a cyber event, it is way too late.

To late to recover, too late to respond and definitely too late, in a number of organisations, to get back to business as normal.

Most SMEs, after a cyber event and especially after a ransomware attack, have but 3 choices,

  • pay the ransom,
  • recover from backup and hope you have a decent backup (a decent, tested backup is vital, no matter the situation)
  • or go out of business.

Here are 3 cybersecurity strategies that every SME should implement to be more secure and avoid that devastating cyber event.

Training users

Increased awareness of business security in a workplace is vital in today’s business world.

Not many businesses know where to go to get that training.

Training needs to be done as an ongoing process.

Once or twice a year is inadequate. But training and education has to be easy, bite-size pieces, easily digested, easily implemented and easily followed.

In addition to ongoing training, you also need to incorporate business security into your onboarding process to instill the required cultural elements into new people on staff.

Want some free cybersecurity training, here is something that will definitely help
https://wizer-training.com/partner/caremit

Risk management and gap analysis

SME’s have a limited understanding of the new risks delivered to the business via our digital components.

The game has changed significantly in the last 10 years and we, as small and medium businesses, are constantly playing catch-up.

We are significantly hampered and handicapped by the impact and scale of our digital usage.

It is everywhere, used in every component and used all of the time.

To understand the risks without understanding the systems you need some help.

Here is some help for you.
Https://CareMIT.scoreapp.com

With the report, you can now implement a gap analysis and work out what you need to do to increase security around your organisation.

The report also ties in well with:

Implemented a framework

If you are looking for a better way to manage security within your Organisation, you need to look no further than a framework.

A framework is a documented system that allows an organisation to follow the bouncing ball and tighten up the security in a regimented way.

The more the components of the framework are implemented the more secure and mature the organisation.

Frameworks are easy to follow and implement and the one I recommend is the National Institute of Standards and Technology (NIST) cybersecurity framework.
https://www.nist.gov/cyberframework

Answer the 98 questions, honestly, and you now have a road map to implement cybersecurity in a significant way.

The NIST cybersecurity framework also gives you a number.

Between 0 – 4, it can be used as a comparison between businesses, supply chain components, and government departments so you can do business with like-minded organisations.

What can SME’s do?

It is not too late to implement any of these strategies. The bad guys are getting more and more clever, so time is running out.

They are targeting everyone who is connected to the digital world, the internet, with more sophisticated systems, a number of them are now fully automated.

Some of those automated systems have minimal human involvement after the initial set up.

From initial social engineering attack, all the way through to payment of ransom everything is automated and driven by machine learning.

Every SME should be implementing a training and education process, doing a risk and gap analysis and implementing a cybersecurity and business security framework.

With that everything else will follow.

The business will be more stable, the culture of the organisation will change and getting back to business as normal after an attack can be significantly easier.

The impact of a cyber event for an organisation implementing these 3 components or not is significant.

If you haven’t implemented these 3 strategies in the last 12 months, 2 years or 5 years then 2020 is going to be a bad year.

But it’s not too late.

Thinking you are immune to a cyber event is a regular occurrence for SME’s

Even if you think you are immune to a cyber attack these ideas are critical to restricting the impact.

I want to talk about some of the problems we have encountered when being called into a cyber event situation for a new client.

Have you looked at all of our business risks?

Risk is the biggest invisible issue in today’s business world.

Most Organisation does not know how to evaluate the risks that their digital component brings to the Organisation because they cannot visualize the risk.

Only by looking at the digital risks will it become apparent that more is needed to be done.

Get some good legal advice!

We regularly come across businesses that do not know what their legal obligations are when it comes to protecting data that they are the custodian of.

If your Organisation collects information about a person or a business you are now the custodian of that data.   The legal implication of being the custodian need to be understood before you make the decisions concerning the information or type of information collected.

Always err on the side of less.  If you cannot justify it do not collect it.

Check your response plan!

When it comes to SME’s, they think they are Bulletproof.

It will never happen to us, we are too small, yadda yadda!

Well, NO.   A cyber event can happen anytime and to anything digital.   When it comes to a true cyber attack you need to have a breach plan.

A plan that tells everyone in your Organisation what you expect them to do, how they will do it, who they report to and the process needed to preserve evidence and get back to business as normal.   Without it, chickens missing heads, running, lots of running, come to mind!

Test your systems with a tabletop war game.

This is absolutely essential to any Organisation with more than 5 staff.

Run some hypothetical scenarios.    Think of a problem and make sure that everyone knows what to do if it ever occurred.   Especially test disaster recovery, business continuity and breach plans.

After testing the system do both a hot wash up (debrief) and a report.

Implement any discovered failures.   Things that could be done better.   Things that were done badly.

You do not want a real emergency to be the first test of these plans.

Test some “what if …” plans.

Another alternative is to come up with some unusual issues.

A fire in the building that does not impact your business but your business is in the same location and your staff can no longer get to the office, showroom, shop for a week.

What is the impact?   What is your solution?

Tested our backup, we have.

We have a rule.   When it comes to backups we have the 3-2-1 rule.

There are 3 copies of all data.   The original data plus 2 other copies.   Those 2 copies consist of an on-site incremental data copy and an off-site copy.  There is always 1 copy of the data stored off-site.

Once again a backup is useless unless it has been tested.    A regular restore copy of a couple of files should be documented every month.   A full-blown restore of the system should be done every year from both locations.

Who do we have to report to?

When it comes to a breach there also needs to be a reporting structure.   Part of your business continuity plan should be a list of people who are allowed to talk to the media, post on social media, talk to vendors or talk internally and to who.

Reputation always impacts needs to be controlled as much as possible in today’s live world.   The policies, plans, and tests will ensure that everyone knows what they need to do.

Does anyone know how to preserve evidence?

If you are knee-deep in a cyber event the last thing that anyone is going to think about is the preservation of evidence.

Once again if the breach plan has been tested then you will know what has to be done.   If would be cold comfort to know that someone who has ruined you life will not face the consequences because there is no evidence against them.

Preservation of digital evidence can also include the information and machine learning that comes from your System Information and Event Management system (SIEM).

Train everyone, security should be part of everyone’s role in the organisation.

Social engineering is the process of targeting people.

It is used to great effect against everyone in business.   Social engineering is a 2 fold process – the bait, the email SPAM, phishing and the bad technology – link, application or attachment.

Combined together they are an effective attack system for the bad guys.

To counteract the social engineering you need to educate everyone.   There are free online courses but additional resources can include competitions, posters.

Get a framework and implement it.

One of the best protective strategies any business can implement is a framework.   I recommend the National Institute of Standards and Technology (NIST) Cybersecurity framework.

By answering the 98 questions, you get an instant base level indication of where your Organisation is in regards to the security maturity.

A framework does a number of things.   It gives you a base level, it gives you a score between 0 and 4, it ensures that you do not forget anything and gives you a road map for business security within your Organisation.

As a flow-on effect, it gives you a score that you can compare apples with apples (security maturity with security maturity) against other Organisations.   When it comes to data sharing you can make informed decisions on how secure the other Organisation will be in regards to data protection.

You have done a vulnerability assessment

Every device that is connected to a network has the capability of compromising the whole network.   The first law of Cybersecurity is “if there is a vulnerability it will be discovered and it will be exploited – no exceptions”.

To ensure that those vulnerabilities are addressed you need to do regular vulnerability scans on the network.

This can be achieved with expensive or free systems.   Either type it is important that vulnerability scans are completed and mitigated and vulnerabilities are patched and managed correctly.

Cybersecurity is not easy!

There’s no such thing as set and forget when it comes to protecting your Organisation from a cyber event.

It is a diligent and continuous process that needs to be done correctly to protect the integrity of the data within your custodianship.

Keep it safe, protect it, monitor it and ensure that if something does happen you have a way back to business as normal.

How fast will your business be back to business as normal after a disaster?

Cybersecurity, (Business Security) the art of dealing with risk

When it comes to cybersecurity or Business Security, the buzz words thrown around by salespeople are polluting the board room and confusing the owners, managers and C Level Execs of SME’s and charities.

They are making it harder for you to discover and understand why you need to define your risk prior to making any decisions about purchasing anything.

When it comes to protecting your organisation from a cyber attack it is all about risk.

The snake oil salesman, carpet baggers and sleaze balls are attracted to our industries in droves.

Why?

Just like in the past, it is easy to confuse someone with catch phrases, innuendo and just plain bull sh*t to purchase product that will not work or has been sold to an organisation as a panacea of all their ills when it comes to cybersecurity.

Big words and even bigger promises are the problem.

There is no “silver bullet” solution out there.

Business security is all about hard work.

It is an investment in time.   It is an investment in understanding and most of all, it is an investment in protecting the many facets of your organisation.

A single solution will not do that.    It cannot be done with the installation of a simple device.

When it comes to business security you have to analyze your risk.

The risk to business.   The risk to the business.   The risk to the people in the business and most of all, the risk to your clients.   Not protecting their data will result in a lost of revenue, confidence and subsequently profit.

That is only the tip of the iceberg.    After an breach it gets worse from there on.

The problem with risk is that risk is hard to visualize.

Most of us have problems with abstract ideas, risk management and risk assessment, if not done correctly are exactly that – abstract.

To move it from abstract to real we have to visualise the risks.   Once we understand the risks we can mitigate them in a manageable way.

The mitigation of a known risk maybe the installation of an expensive piece of software/hardware.

You still have to understand the risk and mitigate it before you justify spending those thousands of dollars!    That investment may only cover one risk, what about the other 49 you have discovered when you did the risk assessment?

We are in the process of putting together a special board room meeting, just for board members, owners, managers and C level execs.   It is a hands on process, working on your environment, to understand the risks and the subsequent ways to protect your organisation in todays digital world.

There is no sales pitch, we are not selling anything but you will walk away from the boardroom with a better understanding of your risks, what they are, how to reduce them and what you need to do moving forward.

Risk Management Game and Resources