Cybersecurity, (Business Security) the art of dealing with risk

When it comes to cybersecurity or Business Security, the buzz words thrown around by salespeople are polluting the board room and confusing the owners, managers and C Level Execs of SME’s and charities.

They are making it harder for you to discover and understand why you need to define your risk prior to making any decisions about purchasing anything.

When it comes to protecting your organisation from a cyber attack it is all about risk.

The snake oil salesman, carpet baggers and sleaze balls are attracted to our industries in droves.

Why?

Just like in the past, it is easy to confuse someone with catch phrases, innuendo and just plain bull sh*t to purchase product that will not work or has been sold to an organisation as a panacea of all their ills when it comes to cybersecurity.

Big words and even bigger promises are the problem.

There is no “silver bullet” solution out there.

Business security is all about hard work.

It is an investment in time.   It is an investment in understanding and most of all, it is an investment in protecting the many facets of your organisation.

A single solution will not do that.    It cannot be done with the installation of a simple device.

When it comes to business security you have to analyze your risk.

The risk to business.   The risk to the business.   The risk to the people in the business and most of all, the risk to your clients.   Not protecting their data will result in a lost of revenue, confidence and subsequently profit.

That is only the tip of the iceberg.    After an breach it gets worse from there on.

The problem with risk is that risk is hard to visualize.

Most of us have problems with abstract ideas, risk management and risk assessment, if not done correctly are exactly that – abstract.

To move it from abstract to real we have to visualise the risks.   Once we understand the risks we can mitigate them in a manageable way.

The mitigation of a known risk maybe the installation of an expensive piece of software/hardware.

You still have to understand the risk and mitigate it before you justify spending those thousands of dollars!    That investment may only cover one risk, what about the other 49 you have discovered when you did the risk assessment?

We are in the process of putting together a special board room meeting, just for board members, owners, managers and C level execs.   It is a hands on process, working on your environment, to understand the risks and the subsequent ways to protect your organisation in todays digital world.

There is no sales pitch, we are not selling anything but you will walk away from the boardroom with a better understanding of your risks, what they are, how to reduce them and what you need to do moving forward.

Risk Management Game and Resources

The Insider Threat

We have all heard about how the insider can wreak havoc on your business. Yet, business owners and other staff don’t understand how much actual damage they can do.

From a Business Security perspective we’ve definitely experienced people in the workplace who:

  • are self-important
  • always in a hurry
  • not focused on the business at hand.

These Insiders can also have a detrimental impact on business security.

Here are 7 types of Insider Threats who make the insider threat real to any organisation.

1. Convenience seekers – bypass protocol, too hard, too busy

We have all seen them in business.   They jump here and there and start a huge number of jobs but never finish them, or finish them haphazardly.

They are more interested in their own work, not in keeping the company safe. Passwords, Updates and scans are usually bypassed. When something goes wrong, it is never their fault. Clicking on an email link without using commonsense is a primary example.

They are the first to complain about the time it takes IT support to remove a virus. By bypassing the organisation’s Cybersecurity, they put the whole organisation in danger.

Solution – get them to slow down, their job is no more important than anyone else’s.

2. The accidental victim – makes mistakes, doesn’t think

These are the people who are too timid at work. They fear making mistakes, but, by fearing reprisals and keeping quiet, they are the victim. The company suffers as well.

The accidental victim is either an older employee, or a new starter. They are very noticeable in not for profit organisations.

Solution – Provide education and training in the use of computers. Explain what’s expected in their role within the organisation.

3. They know everything – oversharing

This person is very good at big-noting themselves. They use their knowledge of the organisation to place themselves in avoidable situations. They overshare critical and confidential information in email. They don’t think about the consequences of sharing on social media and also in meetings.

Solution – separation of information,  restrict access to the information within the organisation.

4. Untouchables – it will not happen to me

We get these type of people in all types of business.  They are the second cousin to number 1.  I am not a target of cybercrime, it will never happen to me because I have nothing worth stealing.

With technology changes over the years, a bored 14 year old can be the attacker. Access to the internet is their tool. Every internet user or business is a target. Anyone can be attacked and everyone needs to take the necessary precautions.

.Solution – providing education and training.

 5. Entitled ones – access to everything because they ‘want to know’

The Entitled employee is one of the most dangerous non-malicious insider. Their laptops or tablets have the organisations secrets and use free wifi in cafes. They have no business reason to keep all that critical information, but they have to have it.

This means that there is a greater risk of the company information either stolen or attacked.

Solution – need to know.  Stop allowing access to data by staff who don’t need it. Segregate it into public, commercial in confidence and critical.   If someone does not need the information then deny access to it.

6. Traitors – malicious insiders

Previous to this one, the insiders have been the result of stupid behaviors. The Malicious Insider is a malicious person. Their focus is on them. For whatever reason, they might intend to leave, have a grudge against the company or an employee. They won’t hesitate to go to your competition with all your corporate data.

Solution – at the first whiff of someone leaving walk them out the door. Don’t keep a bad apple in the basket. 

7. The secret insiders – the bad guys, in the first stages of an attack

These are the true bad guys, the ones you should be protecting your organisation against.  They may have infiltrated your organisation via one of the other insiders, and are now able to do damage. They could have become an insider through social media, email or web based attack. The secret insider isn’t an employee. They are not answering to your policies and procedures. They will damage your organisation, because you don’t have protections.

Solution – increase awareness, do a penetration test and review the report, then do it all again. Regularly.

These Insider Threats are the ones we have come across.   Some can be a combination of one, two or three traits.  The best way to protect yourself from the insider is to pay attention to your staff and your management.

The best way to find out what your organisation needs to do to be safe is to:

1. Use the CareMIT Digital Diagnostic Tool

2. Come to one of our regular quarterly “Security Board Meetings

Business Security – Don’t do it yourself!

When it comes to business security, most people think that it is a no brainer!

Delegate to the IT department and it is done.

If you want to be a target, maybe get your 2 minutes of fame on the nightly news and want a cyber event to impact your reputation, finances, operations, and legal capability then, by all means, ask the IT department.
Business security is all about the business.   Yes technology and the IT department are a component but they are not the most important component of the requirements to secure the organisation

Business security starts at the top.   Board Members, managers, and owners are required to look at the business and work out where an attack could come from, calculate the destructive effects, mitigate those effects and then implement protective strategies to cover those attacks.

This is very hard to do when your expertise is based on your core business.   Your core business could be anything – legal, finance, manufacturing or even charity based.   You are good at what you do, that means that you are not the best at understanding the problems associated with business security.

This is when you need the Board, management, and owners to look outside their organisations, to people and organisations that focus on business security.   Business security is their core business!

From a management perspective, business security is all about risk.   Risk assessment, risk management and then risk reduction.   Your organisation has to have an understanding of their risk appetite before they can implement change and reduce those risks.

Business today is wholly dependent on the digital.  We would not be able to do business without it.    Each of those digital components has a risk factor requirement.   Do you know what they are?

A business security risk assessment is the first step in Business security.

The best way to find out how vulnerable to a cyber event your organisation is.   Use the CareMIT Digital Diagnostic Tool or come to one of our regular quarterly “Security Board Meetings“.

Business Security is not just IT

The repercussions of a cyber event will create a serious problem for your oganisation long after the initial threat has been discovered and neutralised.

The bad guys are after everything that they can get their hands on that is not theirs.   They are also targeting anything and everything that has a link to the digital world.

What does not appear in the glossy brochures relating to the next shiny new product is the vulnerabilities that come pre-configured in these new systems.

I am not being nasty, but the pressures to get things to market are enormous and the first thing that is left in the background is security.

To get systems to market they will cut corners, use insecure code or even “borrow” code from other devices bringing their inherent vulnerabilities to their new product.

The wannacry and petya attacks were both perpetrated against a vulnerability that was patched recently but also has been available in most Microsoft operating systems since Windows XP.

The subsystem targeted allows one computer to communicate with another to share files.   There have been a number of vulnerabilities found that have this profile in every operating system.

But what happens if you have succumbed to a cyber event?   How do you improve your Business Security?

There are a number of areas you now have to worry about.

  • The most pressing is the immediate threat.
  • Have they encrypted your files and if so do you have a backup?
  • Has that backup been tested?
  • If you have a back up how will you restore your information and systems?
  • If you have cleaned the system are you sure you have everything?
  • What else has been stolen/accessed?
  • Never ever EVER pay the ransom!  You are dealing with criminals and they cannot be trusted.  If you pay there is no guarantee that you will get your data back
  • I recommend that you start from scratch, but that’s just me.

Short term tactics:

  • Has the event been disclosed,
  • Are you required to tell your clients, staff, customers
  • Has the disclosure had any effect on reputation, on your finances, on your customers, clients and staff. If so what will you now do?
  • I recommend that you do a number of things,
    • change passwords,
    • monitor credit card, and bank accounts.
  • Something that is very important – tell people.

Long term Strategies:

  • Not a person for stats but 60% of SME who have a cyber event will shut their doors within 3 months, a further 50% will shut after 12 months and/or they will be a shadow of what they originally were. (Victimless crime – my arse)
  • Check your Personal Reputation – use google alerts on your name, business name, trade marks.
  • Do a credit check – in some areas you can lock your credit rating, do it!
  • Get someone else to check chat rooms, information for sale and the dark web.

Using Business Security to avoid a cyber event in the first place?   Avoidance is hard, preparation is easy.

  • Have a decent and tested backup of all critical data.
  • encrypt critical data both at rest and in motion
  • use complex, long and unique passwords,
  • PATCH IT ALL,
  • penetration testing with minimal restrictions
  • Get paranoid, be aware and use common sense.
  • Implement a framework (we use NIST),

It is not all doom and gloom, but I can tell you from experience, in the midst of a cyber event, it feels like it.

The best way to counteract a cyber event is to expect to be compromised.

Hope for the best but plan for the worst! 

The best way to find out how vulnerable to a cyber event your organisation is.   Use the CareMIT Digital Diagnostic Tool or come to one of our regular quarterly “Security Board Meetings