Cybersecurity: Why business security is all about increased profits, productivity and resilience

A bright gold "TRUST" stands atop a dark gray "FEAR" on a deep blue background with light rays shining through both words.

There is a down side to a cyber event and I can tell you, every part is down!

Our role in business security (#cybersecurity) is not to scare the crap out of you but more to educate you in the ways of the cybercriminal.

Have you ever thought what could happen to your company if you did get hacked?

If your organisation was breached by a target cyber attack?

Here are some calculations for you to think about that are factored in when discussing a breach and calculating the impact.

How much down time is too much.

Every organisation has a finite level of payments for staff and workers.

Normally it is calculated in annual, monthly or weekly terms but if we bring it down further, the average cost per hour to the business of wages is considerate.

If your staff can not work due to a cyber event then the costs quickly add up.

How much will it cost to fix

Apart from the old adage of "how long is a piece of string" working out the cost to fix a breach (back to business as normal) really does depend on the severity and the infrastructure.

A targeted attack against an company compared to a random virus infected computer are at opposite ends of the spectrum.

Either one has to be cleaned, restored, rebuilt and checked.  The most overlooked cost is the time it will take to recover.

Impact on revenue

We are all in business to make money.

When the incoming money stops then the company will starve.

If your business is making $20,000 per day and you cannot receive that income for 5 days. What is the impact?

Impact on clients and customers

What happens if you go to a shop and they tell you that they cannot do something because the computers are not working.

You customer has a choice either come back later or buy it from someone else.

Recently Woolworths had a failure in their link to the bank and could not process credit and debit cards. People were leaving trollies at the checkouts and walking out.

Impact on productivity

No matter how you look at it all of these wonderful devices we use in business are just tools.

Our computers, cloud based systems, smart devices, IoT things and phones are just tools for the business to streamline productivity.

If a carpenter cannot use his hammer, how does he hammer in the nails?

When the tools cannot be used then alternatives have to be addressed and implemented.

Impact on staff and management

Not only have you got your team sitting around doing nothing but still getting payed there is a good chance that you now also have a moral problem

There will be recriminations, frustration and anger.

It will radiate out from the team, the groups and the organisation because people are no longer doing what they are good at.

A lack of trust

Outside in the market place there are now rumours about what happened, how it happened and what information of MINE has been exposed to the bad guys.

The only way to counteract a trust issue is through communication.

And now you have a compliance and governance issue

There is a substantial reporting requirement around a breach of an organisation.

Part of the cyber compliance requirements for anyone in business today is in the event of a breach you have to report to a number of government and industry bodies.

Depending on your stance prior to a breach will also depend on how much trouble your business is now in.

Good business security will increase profits, productivity and resilience.

It does not do it as a direct impact on the organisation but it does it through proactivity and making sure that the company has well tested contingency plans.

It may not be noticeable but identifying and addressing the risks, mitigating those risks to a manageable level.

Then implementing the right systems you can avoid the additional costs to the business that a cyber event will deliver.

Secure your business!

Get proactive!

Do the scorecard!

https://caremit.scoreapp.com

Thinking you are immune to a cyber event is a regular occurrence for SME’s

Even if you think you are immune to a cyber attack these ideas are critical to restricting the impact.

I want to talk about some of the problems we have encountered when being called into a cyber event situation for a new client.

Have you looked at all of our business risks?

Risk is the biggest invisible issue in today’s business world.

Most Organisation does not know how to evaluate the risks that their digital component brings to the Organisation because they cannot visualize the risk.

Only by looking at the digital risks will it become apparent that more is needed to be done.

Get some good legal advice!

We regularly come across businesses that do not know what their legal obligations are when it comes to protecting data that they are the custodian of.

If your Organisation collects information about a person or a business you are now the custodian of that data.   The legal implication of being the custodian need to be understood before you make the decisions concerning the information or type of information collected.

Always err on the side of less.  If you cannot justify it do not collect it.

Check your response plan!

When it comes to SME’s, they think they are Bulletproof.

It will never happen to us, we are too small, yadda yadda!

Well, NO.   A cyber event can happen anytime and to anything digital.   When it comes to a true cyber attack you need to have a breach plan.

A plan that tells everyone in your Organisation what you expect them to do, how they will do it, who they report to and the process needed to preserve evidence and get back to business as normal.   Without it, chickens missing heads, running, lots of running, come to mind!

Test your systems with a tabletop war game.

This is absolutely essential to any Organisation with more than 5 staff.

Run some hypothetical scenarios.    Think of a problem and make sure that everyone knows what to do if it ever occurred.   Especially test disaster recovery, business continuity and breach plans.

After testing the system do both a hot wash up (debrief) and a report.

Implement any discovered failures.   Things that could be done better.   Things that were done badly.

You do not want a real emergency to be the first test of these plans.

Test some “what if …” plans.

Another alternative is to come up with some unusual issues.

A fire in the building that does not impact your business but your business is in the same location and your staff can no longer get to the office, showroom, shop for a week.

What is the impact?   What is your solution?

Tested our backup, we have.

We have a rule.   When it comes to backups we have the 3-2-1 rule.

There are 3 copies of all data.   The original data plus 2 other copies.   Those 2 copies consist of an on-site incremental data copy and an off-site copy.  There is always 1 copy of the data stored off-site.

Once again a backup is useless unless it has been tested.    A regular restore copy of a couple of files should be documented every month.   A full-blown restore of the system should be done every year from both locations.

Who do we have to report to?

When it comes to a breach there also needs to be a reporting structure.   Part of your business continuity plan should be a list of people who are allowed to talk to the media, post on social media, talk to vendors or talk internally and to who.

Reputation always impacts needs to be controlled as much as possible in today’s live world.   The policies, plans, and tests will ensure that everyone knows what they need to do.

Does anyone know how to preserve evidence?

If you are knee-deep in a cyber event the last thing that anyone is going to think about is the preservation of evidence.

Once again if the breach plan has been tested then you will know what has to be done.   If would be cold comfort to know that someone who has ruined you life will not face the consequences because there is no evidence against them.

Preservation of digital evidence can also include the information and machine learning that comes from your System Information and Event Management system (SIEM).

Train everyone, security should be part of everyone’s role in the organisation.

Social engineering is the process of targeting people.

It is used to great effect against everyone in business.   Social engineering is a 2 fold process – the bait, the email SPAM, phishing and the bad technology – link, application or attachment.

Combined together they are an effective attack system for the bad guys.

To counteract the social engineering you need to educate everyone.   There are free online courses but additional resources can include competitions, posters.

Get a framework and implement it.

One of the best protective strategies any business can implement is a framework.   I recommend the National Institute of Standards and Technology (NIST) Cybersecurity framework.

By answering the 98 questions, you get an instant base level indication of where your Organisation is in regards to the security maturity.

A framework does a number of things.   It gives you a base level, it gives you a score between 0 and 4, it ensures that you do not forget anything and gives you a road map for business security within your Organisation.

As a flow-on effect, it gives you a score that you can compare apples with apples (security maturity with security maturity) against other Organisations.   When it comes to data sharing you can make informed decisions on how secure the other Organisation will be in regards to data protection.

You have done a vulnerability assessment

Every device that is connected to a network has the capability of compromising the whole network.   The first law of Cybersecurity is “if there is a vulnerability it will be discovered and it will be exploited – no exceptions”.

To ensure that those vulnerabilities are addressed you need to do regular vulnerability scans on the network.

This can be achieved with expensive or free systems.   Either type it is important that vulnerability scans are completed and mitigated and vulnerabilities are patched and managed correctly.

Cybersecurity is not easy!

There’s no such thing as set and forget when it comes to protecting your Organisation from a cyber event.

It is a diligent and continuous process that needs to be done correctly to protect the integrity of the data within your custodianship.

Keep it safe, protect it, monitor it and ensure that if something does happen you have a way back to business as normal.

How fast will your business be back to business as normal after a disaster?

Its just not business security you have to worry about

Security!   The problem with security especially cybersecurity is it is not sexy.

In most cases, it is downright boring.

Although not sexy and downright boring it is still something that every CEO, manager, owner, and board member has to focus on.

With all of the automated attack vectors available to the cybercriminals, we can no longer say we are not a target.   We cannot say we have nothing worth stealing.

The more and more reliant business has on the digital world the greater the chance that a cyber event will cripple the organisation.

What are the main things that every management type needs to focus on when it comes to prevention of a cyber event?

Here are a few!

The cost of a cyber event.

The cost of a cyber even can range from lost time and functionality within the organisation to more money than the organisation can find to pay for the breach.

Cryptovirus is an example of lost time and functionality.  If you do not have a functioning and tested backup of the data, you have to rebuild the offending device but you will also have to also replicate all of the data.

A full-blown breach by a dedicated black hat hacker can steal everything and then use your system as a platform to target your clients, suppliers and staff.   When that happens you realize that you are NOT too small to be a target

How they get into your system

The go-to weapon of most cyber attacks is social engineering.   Two parts of a very effective attack strategy.   The technology to effect change, follow a link to an infected website, click on an ad in social media or open an attachment in an email, combined with getting you to trust them where you let them in.

Either way, they are now in.

Risk and problems just compounded.

Simple ransomware for instance, the initial encryption of data is only one of the stages of the attack.   What about stage 2,3 and 4.

Wannacry showed us that a combination of 2 attack vectors allowed a single infection to traverse a whole network.  One computer is a problem for any organisation.   All of the computers is a nightmare.

The protection challenges

In most situations managers, owners, executive, and board members do not understand the digital realm.   Risk management of data (a critical component in today’s business world) is often overlooked and considered an ICT problem.

It’s not!   Today’s digital security challenge is everyone’s issue and the sooner it gets noticed as a business risk and treated as such the faster we will see a reduction in attacks.

From the largest organisations to the smallest single entities, we all keep critical data in places that are easily accessed, relatively unprotected and mobile.

What are you doing to manage the expected cyber events that could cripple your organization?

There is no single, simple fix.   If there was everyone would be safe.

It is a complex issue and one needs to dedicate some time, money and expertise to understanding the issues and risk associated with a cyber event.

The best way to find out how vulnerable to a cyber event your organisation is.   Use the CareMIT Digital Diagnostic Tool or come to one of our regular quarterly “Security Board Meetings

Business Security – Don’t do it yourself!

When it comes to business security, most people think that it is a no brainer!

Delegate to the IT department and it is done.

If you want to be a target, maybe get your 2 minutes of fame on the nightly news and want a cyber event to impact your reputation, finances, operations, and legal capability then, by all means, ask the IT department.
Business security is all about the business.   Yes technology and the IT department are a component but they are not the most important component of the requirements to secure the organisation

Business security starts at the top.   Board Members, managers, and owners are required to look at the business and work out where an attack could come from, calculate the destructive effects, mitigate those effects and then implement protective strategies to cover those attacks.

This is very hard to do when your expertise is based on your core business.   Your core business could be anything – legal, finance, manufacturing or even charity based.   You are good at what you do, that means that you are not the best at understanding the problems associated with business security.

This is when you need the Board, management, and owners to look outside their organisations, to people and organisations that focus on business security.   Business security is their core business!

From a management perspective, business security is all about risk.   Risk assessment, risk management and then risk reduction.   Your organisation has to have an understanding of their risk appetite before they can implement change and reduce those risks.

Business today is wholly dependent on the digital.  We would not be able to do business without it.    Each of those digital components has a risk factor requirement.   Do you know what they are?

A business security risk assessment is the first step in Business security.

The best way to find out how vulnerable to a cyber event your organisation is.   Use the CareMIT Digital Diagnostic Tool or come to one of our regular quarterly “Security Board Meetings“.

Business Security is not just IT

The repercussions of a cyber event will create a serious problem for your oganisation long after the initial threat has been discovered and neutralised.

The bad guys are after everything that they can get their hands on that is not theirs.   They are also targeting anything and everything that has a link to the digital world.

What does not appear in the glossy brochures relating to the next shiny new product is the vulnerabilities that come pre-configured in these new systems.

I am not being nasty, but the pressures to get things to market are enormous and the first thing that is left in the background is security.

To get systems to market they will cut corners, use insecure code or even “borrow” code from other devices bringing their inherent vulnerabilities to their new product.

The wannacry and petya attacks were both perpetrated against a vulnerability that was patched recently but also has been available in most Microsoft operating systems since Windows XP.

The subsystem targeted allows one computer to communicate with another to share files.   There have been a number of vulnerabilities found that have this profile in every operating system.

But what happens if you have succumbed to a cyber event?   How do you improve your Business Security?

There are a number of areas you now have to worry about.

  • The most pressing is the immediate threat.
  • Have they encrypted your files and if so do you have a backup?
  • Has that backup been tested?
  • If you have a back up how will you restore your information and systems?
  • If you have cleaned the system are you sure you have everything?
  • What else has been stolen/accessed?
  • Never ever EVER pay the ransom!  You are dealing with criminals and they cannot be trusted.  If you pay there is no guarantee that you will get your data back
  • I recommend that you start from scratch, but that’s just me.

Short term tactics:

  • Has the event been disclosed,
  • Are you required to tell your clients, staff, customers
  • Has the disclosure had any effect on reputation, on your finances, on your customers, clients and staff. If so what will you now do?
  • I recommend that you do a number of things,
    • change passwords,
    • monitor credit card, and bank accounts.
  • Something that is very important – tell people.

Long term Strategies:

  • Not a person for stats but 60% of SME who have a cyber event will shut their doors within 3 months, a further 50% will shut after 12 months and/or they will be a shadow of what they originally were. (Victimless crime – my arse)
  • Check your Personal Reputation – use google alerts on your name, business name, trade marks.
  • Do a credit check – in some areas you can lock your credit rating, do it!
  • Get someone else to check chat rooms, information for sale and the dark web.

Using Business Security to avoid a cyber event in the first place?   Avoidance is hard, preparation is easy.

  • Have a decent and tested backup of all critical data.
  • encrypt critical data both at rest and in motion
  • use complex, long and unique passwords,
  • PATCH IT ALL,
  • penetration testing with minimal restrictions
  • Get paranoid, be aware and use common sense.
  • Implement a framework (we use NIST),

It is not all doom and gloom, but I can tell you from experience, in the midst of a cyber event, it feels like it.

The best way to counteract a cyber event is to expect to be compromised.

Hope for the best but plan for the worst! 

The best way to find out how vulnerable to a cyber event your organisation is.   Use the CareMIT Digital Diagnostic Tool or come to one of our regular quarterly “Security Board Meetings