Tag Archives: CareMIT

It is the responsibility of the board of directors to carefully consider and manage these risks.

Posted on by

Business risk is an inherent part of any enterprise, and it is the responsibility of the board of directors to carefully consider and manage these risks.

When it comes to cybersecurity, there are several factors that the board of a small, medium or non-profit enterprise should consider in order to determine what is an acceptable business risk.

First and foremost, it is important for the board to understand the potential consequences of a cybersecurity breach.

This includes not only the financial costs of responding to the breach and repairing any damage but also the impact on the company’s reputation and customer trust.

The board should also consider the likelihood of a cybersecurity breach occurs, as well as the potential severity of the consequences.

One way to manage cybersecurity risk is through the implementation of robust security protocols and technologies.

This includes ensuring that all software and systems are regularly updated and patched, using strong passwords and implementing two-factor authentication, and regularly training employees on cybersecurity best practices.

The board should also consider investing in cybersecurity insurance, which can help to mitigate the financial impact of a breach.

Another aspect of managing cybersecurity risk is having a robust incident response plan in place.

This should outline the steps to be taken in the event of a breach, including how to communicate with employees, customers, and the media, as well as how to restore systems and recover from the incident.

It is important for the board to consider the potential for external threats, such as cybercriminals.

This includes considering the use of security tools such as firewalls and intrusion detection systems, as well as implementing processes for monitoring and detecting potential threats.

In addition to these technical measures, the board should consider the role of company culture in managing cybersecurity risk.

This includes promoting a culture of cybersecurity awareness and education among employees, as well as setting expectations for responsible behavior online.

Ultimately, the acceptable level of business risk when it comes to cybersecurity will depend on the specific circumstances and needs of the enterprise.

The board should carefully consider the potential consequences of a breach, the likelihood of such an incident occurring, and the measures in place to mitigate and manage these risks.

By taking a proactive approach to cybersecurity, the board can help to protect the company’s assets and reputation, and ensure the long-term success of the enterprise.

Why we need to rethink Business Security

Posted on by

Security is an IT problem.

How many managers, owners, C Level Executives and board members agree with this statement?

More than 50% of small and medium businesses and not-for-profit organisations think that the ICT department is the go-to people when it comes to protecting your business’s crown jewels.

There has been a significant push in the last 5 to 10 years to get SMEs away from this thinking and to think about business risk, compliance, governance and business security.

Yes there is still a significant place for the ICT management of security around technology.   They are the ones who have to work with limited resources, doing more and more with less and less, and producing the same level of protection year in and year out.

When it comes to a cyber event, the problem in today’s business world is that not everything can be secured with technology.

At a basic level, there are 6 areas that create a secure business environment, technology and frameworks is one of them.   The others are risk management, people and education, policy and governance, resilience and finally continuous improvement.

As you can see, technology is only a small part of the solution.

The normal situation for SMEs and Charities is to think that ICT department knows it all.   We have had similar situations ever since computers have become an integral part of the business.

People who “know computers” were called on to fix the business infrastructure simply because of the know computers.   So a web designer was asked to fix a printer or a programmer was asked to set up an internet connection.   Yes, they could do it but in today’s world it is so much more complicated and complex.

Business security needs to be addressed by someone who knows security.   Someone who understands risk!   Someone who understands the fundamental security practices required to protect the organisation.

You would never go to an unqualified accountant to do your tax return, or an unqualified electrician to rewire your house, or even an unendorsed mechanic to repair you new BMW.

When it comes to protecting the business, especially from a cyber event, we rely on people who have minimal understanding of what needs to be done to create a secure business environment.

Where to start your Business Security / Cybersecurity Journey

Posted on by

Start

Time

3-hour program

What is done

Audit on assets and risk management.

What you get

  • Report on where your organisation is in relation to business security
  • Roadmap to implement basic changes to your business organisation
  • A number of process, procedure and policy templates
  • A number of Plans templates

Tools we use

  • Care-app diagnostic tool
  • Questionnaire similar to basic SWOT
  • Proprietary diagnostic tools
  • Open-source intelligence gathering tools

What do you need to do

  • Implement changes
  • Discuss with management
  • Implement proactive responses to cybersecurity

 

Threshold

Time

8-hour program

What is done

 

What you get

  • Implementation of Internet policy
  • Implementation of online security awareness program
  • In depth Risk analysis
  • In depth Risk mitigation process
  • Full blown digital SWOT

Tools we use

 

What do you need to do

 

 

Baseline

What is done

 

What you get

 

What do you need to do

 

 

Beyond

What is done

 

What you get

 

What do you need to do

 

 

Do boards members get cybersecurity wrong?

Posted on by

Do boards members get cybersecurity wrong?

My industry has a major issue when it comes to taking highly complex and alien concepts and putting them into a language that normal business people can understand.

Cybersecurity/business security is a complex, expensive and time-consuming process if you want to get it right.

There are no short cut, it is never complete and you have to have contingencies for any and every event.

There is also a huge difference between the IT world and the risk-based cybersecurity requirements of your business.

As a board member do you:

𝐓𝐫𝐮𝐬𝐭 “𝐈𝐓 𝐞𝐱𝐩𝐞𝐫𝐭𝐬” 𝐭𝐨 𝐤𝐧𝐨𝐰 𝐜𝐲𝐛𝐞𝐫?

Cyber and IT are different!

IT is all about keeping the lights on and the revenue engines running.

Cyber and business security is all about the risk to the business from the digital space.

What are the risk to the assets of the business, the people, information, property and your reputation?

Once you know the risks to the assets then you can mitigate them with good strategies.

𝐓𝐡𝐢𝐧𝐤 𝐲𝐨𝐮 𝐤𝐧𝐨𝐰 𝐦𝐨𝐫𝐞 𝐚𝐛𝐨𝐮𝐭 𝐜𝐲𝐛𝐞𝐫𝐬𝐞𝐜𝐮𝐫𝐢𝐭𝐲 𝐭𝐡𝐚𝐧 𝐭𝐡𝐞 𝐞𝐱𝐩𝐞𝐫𝐭𝐬?

We are often faced with people outside the industry telling us that they know more about the bad guys and their capabilities than we do.

Would you tell a mechanic that you know more about cars, or an accountant more about taxes or a solicitor more about law?

We use subject matter experts for a reason!

For some reason, everyone knows more about cyber and does not see the industry as experts in the field.

𝐔𝐧𝐝𝐞𝐫𝐬𝐭𝐚𝐧𝐝 𝐜𝐲𝐛𝐞𝐫 𝐟𝐢𝐧𝐚𝐧𝐜𝐢𝐚𝐥 𝐥𝐢𝐭𝐞𝐫𝐚𝐜𝐲?

There is a simple equation that we use regularly in the industry.

Spending $1 before a cyber event is equivalent to spending $9 after an event.

97% of cyber-attacks are preventable but to prevent them you need to be proactive.

𝐈𝐦𝐩𝐥𝐞𝐦𝐞𝐧𝐭 𝐈𝐧𝐬𝐮𝐟𝐟𝐢𝐜𝐢𝐞𝐧𝐭 𝐨𝐯𝐞𝐫𝐬𝐢𝐠𝐡𝐭 𝐨𝐟 𝐝𝐚𝐭𝐚, 𝐜𝐮𝐬𝐭𝐨𝐦𝐞𝐫𝐬, 𝐚𝐬𝐬𝐞𝐭𝐬, 𝐚𝐧𝐝 𝐛𝐮𝐬𝐢𝐧𝐞𝐬𝐬 𝐜𝐚𝐩𝐚𝐛𝐢𝐥𝐢𝐭𝐲?

If you do not know your assets then you cannot protect them.

Understanding your assets is the first step in protecting your organisation from a cyber event.

𝐇𝐚𝐯𝐞 𝐈𝐧𝐚𝐝𝐞𝐪𝐮𝐚𝐭𝐞 𝐮𝐧𝐝𝐞𝐫𝐬𝐭𝐚𝐧𝐝𝐢𝐧𝐠 𝐨𝐟 𝐜𝐲𝐛𝐞𝐫 𝐫𝐢𝐬𝐤, 𝐦𝐢𝐭𝐢𝐠𝐚𝐭𝐢𝐨𝐧 𝐚𝐧𝐝 𝐦𝐨𝐧𝐢𝐭𝐨𝐫𝐢𝐧𝐠

The risk to every organisation from the digital space is significant.

A simple noncriminal event – lost laptop, printer failure or corrupt hard drive can cause major issues.

Understanding the protection requirements takes an understanding of what your assets are, what are the risks to those assets how can those risks be mitigated and visiting the whole process again every three to six months.

𝐔𝐧𝐝𝐞𝐫𝐬𝐭𝐚𝐧𝐝𝐢𝐧𝐠 𝐭𝐡𝐞 𝐮𝐬𝐞𝐟𝐮𝐥𝐧𝐞𝐬𝐬 𝐨𝐟 𝐚 𝐜𝐲𝐛𝐞𝐫𝐬𝐞𝐜𝐮𝐫𝐢𝐭𝐲 𝐟𝐫𝐚𝐦𝐞𝐰𝐨𝐫𝐤

Implementing a framework to secure an organisation is essential in ensuring the organisation is protected.

It reduces the chances of things being overlooked as well as reducing the requirements for knee-jerk reactions to things happening in real-time.

The stupidity of certification

Posted on by

The stupidity of certification

We are obsessed with certification and qualification in the business world.

In the late 90s, Microsoft certification was the number one qualification in the IT space.

The MCSE (Microsoft Certified System Engineer) was the top one that I held from 1998 - 2006

This high-end cert had a few problems.

A person who had been working with Microsoft software in a business environment often failed the exam because of the difference between the reality of the business world and Microsoft’s rosy glass interpretation of what business had to do to make it run.

Anyone could pass the exam if they studied enough or had access to the answers being sold on the internet.

They did not have to have practical knowledge of NT4 (what a beast) to get a job as a network engineer.

That problem is still around.

Technically wise, cybersecurity certs have a similar problem.

You would think the difference between a certified security engineer and cybercriminals would be close.

They are not.

A certified security engineer lives in a world of frameworks, asset management, risk management, alerts, reports and responses.

The cybercriminal does not even need to be a cybercriminal, all they need is a driving focus to get into a system.

To think outside the box.

To find a vulnerability that no one else has found, work out how to exploit it, complete a proof of concept document and release it to the world with the words “look what I did”, that is all that they need.

Not a certification in place.

Not a qualification in sight!

Just a drive and focus on doing something on the digital world that will get them to notice, the kudos for doing it and the learning that comes with it.

I would bet my uncertified unpapered team against your certs anytime.

I wonder who would win.

Cyberattack – Why are we so vulnerable

Posted on by

By the end of 2022, it is predicted that not for profits, associations, charities and SMEs will face more than 50,000 cyberattacks per day.

99% of those attacks are automatic, random generated attacks that can be counteracted by available basic systems (AV, Firewalls, SPAM filters, SPAM blockers).

These automatic random attacks are created by in-training cybercriminals and cyber activists (script kiddies).

Although the numbers are astounding they also indicate that we need to be vigilant at all times.

Because we still need to address that 1%.

That approximate 500 attacks are targeted at YOU and your organisation.

That is focused on gaining access to your stuff, stealing your money or encrypting your data.

How do we stop that?

We do not and can not stop it by believing “it will never happen to me”, “we are not a target” “we have nothing worth stealing”

We stop it by being proactive.

We stop it by taking security seriously.

We stop it with increased awareness!

We stop it with capability.

Doing nothing is not an option.

If you are frozen like a kangaroo in the headlights of a fast-moving truck then you need a push

A push in the right direction.

A direction that delivers better business security.

Like any complex and dangerous journey, we start with a single step.

That first simple step is to have a conversation with someone like me.

Cyberattacks

Is there recovery from ransomware?

Posted on by

That really does depend on you.

A ransomware attack can happen to anyone, at any time and on any systems.

If you think it will not happen to me then you could have a problem.

Ransomware is the scourge of cybercrime.

It can be enacted by people who have no technical knowledge and are just following a script and system that was downloaded from the internet.

It can be enacted by sending a couple of thousand email to a list of people that they purchased on the internet.

It can be enacted by targeting a group of internet addresses that they thought would be lucrative.

There use to be a thing called “security by obscurity” where you can hide on the internet and we’re relatively secure.

 

That capability is no longer a viable defence strategy.

If you think you will never be targeted, too small or have nothing worth stealing and you do have a cyber event there is little chance of you being able to recover.

But

If you have a different attitude.

If you think the opposite.

Then there is a chance that you will not be a victim.

If you think that you could be a target then you are already thinking about your response.

You are already thinking proactive.

You are ready to think of contingencies.

Even if you do have a ransomware attack then you already know and your team already knows what to do because you have thought about it.

You have plans, processes, procedures and policies in place.

If you have tested them and improved on them then that makes it even more possible that you will survive.

The old adage expects the best but plan for the worst is prevalent today against the cybercriminal.

Why didn’t I insure my bike?

Posted on by

wHAT iF

When I was in the Navy, I was based at Garden Island in Western Australia on and off for 5 years.

In that time I was relatively fit and I represented the Navy in a number of sports.

I would pedal to work (20Km each way) at least 4 days a week.

On a good day 40 minutes from the front door to the office.

90 minutes on the way home because you had to stop at the pub to get the goss

If you know the island you know that there is one problem.

No matter what direction you were going morning, afternoon or even if you had the luxury of knocking off early, you ran into the wind

On the causeway, the easterly and the sea breeze were always in your face.

Both of them could get up to 40Km per hour.

The only consolation was the flatness around the area.

One day my bike was stolen.

Taken out of the backyard.

It wasn’t until it was gone did I realize what it was doing in my life, apart from keeping me fit.

I didn’t have to drive so the wife could have the car to ferry the kids and do all of the other stuff she needed to do.

I didn’t have to drive so there was always extra money in the budget for everything we needed.

I could no longer come and go as I pleased, I now had to fit in with everyone else.

I could no longer go to the pub on the way home.

In fact, apart from the initial cost, the bike had cost me nothing.

This is what is happening in the digital world.

We do not know or understand the heavy lifting that our digital devices and services are doing for us.

That is until they are gone.

When they are gone, we realize that the business, organisation, association or ourselves have taken them for granted.

They were doing everything.

So an accidental loss, a cyber event or an insider will cause havoc unless you have stood back and thought:

What If?

What if we turn it all off?

Now what!

That “what if” makes you proactive.

It builds in resilience.

It is the first step to increased revenue, improved capability and scalability.

Have you looked at the business and thought WHAT IF????

How to avoid being a target of script kiddies!

Posted on by

There is a huge difference between a cyber attack generated by a script kiddy running an automated system and one where you are being targeted by a dedicated hacker.

For one, if you are targeted by a dedicated hacker then you already know that you have something worth protecting and you have, hopefully, done something about it.

The biggest problems with cyber attacks on the internet are that 95% of them are coming from an automated system controlled or managed by trainees (script kiddies).

Automated systems have three reasons they are used:

  • They are easy to get.
  • They are easy to use.
  • They are easy to make money out of.

They are easy to get!

There are a number of ways for anyone to get hold of an automated system. They can download an operating system that has an automated system running on it. Kali, Parrot OS or Black-arch are all very good examples but there are others.

Designed as penetration testing tools, these systems have all of the requirements that they need to target organisations, multinationals, or anyone connected to the digital world.

Before you ask, yes it is all legal and above board as long as you are not targeting someone else.

To make these systems more effective they allow them to either download additional components from GitHub or design and program your own applications.

They are easy to use!

The old saying that whenever anything is free you are the product rings true with these systems as well. The creators of these systems keep track of people using them and incorporate any updates into their own releases.

To set up one of these systems all you need is a computer. Once you have administrator access to a computer you can download a virtual environment (VMware if you have some money or Virtual Box for free) and you can then install these operating systems as a virtual operating system.

You can even run the operating system on a microcomputer (Raspberry Pi) for under $100.

Once set up you now have access to the tools and capabilities that, if used correctly, can rival someone who has been in the industry for years. Almost like a novice woodworker creating a dovetail joint on their first try without knowledge of what to do.

No training, just using other people’s knowledge.

In addition, and a bigger issue, what they do not know can be learned or discovered by simply searching google.

The capability and effectiveness of these systems allow them to set up the automated attack and target a huge number of vulnerable systems based on blocks of internet-based addresses.

Simply they can find out if there is a targetable vulnerability just by using facets of the automated systems.

They are easy to make money out of!

These free operating systems have the capability of making money.

To make serious money, though, you need to work with partners. Working with partners can be both beneficial as well as detrimental to their own security.

When it comes to making money it is either through selling information on the dark web, selling cryptovirus decryption keys to vulnerable people or selling access to compromised systems to leverage other attacks.

How to avoid being a target of script kiddies.

To avoid being a victim you need to implement some protective strategies.

You need to apply the CareMIT business security methodology to the organisation but to start at the basics this is what you need to do:

  • Patch and update everything – operating systems, application and to really be secure remove anything that you do not use from the system. This is applied to computers, websites, servers, and smart devices.
  • Disable macros – do not allow macros to run on the computers
  • Use complex, unique and more than 12 characters for every site, service or system in the digital world
  • Use 2 factor or multi-factor authentication. If you manage websites or other cloud-based services make sure the third level of security is in place – captcha
  • Only allow good applications to run on the system. This is called application whitelisting and only approved applications are allowed to run. There are some anti-virus systems that allow you to do this.
  • The last one is critical to your sanity – DO A BACKUP. All the bad guys have to do is win once. A backup ensures that if and when they win they have not really won.

At the basic level, the users of these automated systems are just as vulnerable as the people that they are targeting. A severe case of “user beware”, because if you do not configure the system correctly you are just as vulnerable as your targets.

At the most fundamental level, we all know that most people between 13 and 30 have a limited ethical attitude and good and bad is debatable.

That’s why we have the proliferation of these systems.

Secure your business!

Get proactive!

Do the scorecard!

Read your report!

Linkto scorecard https://caremit.scoreapp.com

#ceo #ExecutivesAndManagement #ProfessionalWomen #CareMIT #cybersecurity #infosec

Why you need a new breed of Business security

Posted on by

Introduction

In the last 20 years, there has been a slow change in how the business approaches the management of the ICT component.

As business and technology changes there have been significant changes in the management process of these systems.   The more complex and costly the systems the more dedicated the support has to be.   We have gone from onsite support from staff (I know computers) to off-site support from a service provider.

SME’s no longer have the resources available to manage their ICT and a new breed of company has been slowly taking more and more control over these parts of your business.

Managed Service Provider (MSP)

Originally these organisations were known as ICT or IT companies.   They were usually run out of hardware and software stores and were more focused on those areas.

It was eventually realized that just managing the hardware and software of small and medium business and not for profit organisations was not enough.   When technology broke, the most organisation still could not afford a technician to come to the site and an IT company need to make their resources go further.

The managed service provider did a number of additional things:

  • They had systems that remotely monitored and managed (RMM) the technology within the organisation.   This allowed them to give feedback to the clients in the way of comprehensive reports on their network
  • They had helpdesk capability to fix issues as they arose from the RMM systems or issues that arose from the users.
  • They started to become proactive, not reactive.
  • In a number of ways they even became vendor managers.  They looked after their clients from the internet down to the user.

Managed Security Service Provider (MSSP)

The business has changed and the requirements for ICT support have changed, the MSP needed to do more.

To be competitive and to be more productive they started adding on services.   These services included if not delivered by the MSP:

  • off site backup,
  • managed firewall,
  • web application firewalls,
  • web site management,
  • managed Anti Virus and many more.

In most cases, they were a bolt-on action to the MSP requirements and were supplied to maximize profit and reduce cost.   In a large number of situations, the customer was not getting value for money because the MSP was tied to a specific vendor.

In the last 5 – 10 years, the bigger the perceived problem with security was the more clients were going to purchase systems from their trusted advised – their MSP.   Once again increasing profits by reducing costs.

Any MSSP that does this is actually exposing their clients to huge problems.   Most of the service level agreements (SLA) reduce this down to “all care no responsibility”

Managed Business security service provider (MBSSP)

SME’s and NFP organisations needed to approach business security in today’s business world from a new direction.

Business security has to be approached from the top down.    Management and board members HAVE to get involved.   Your MSP or MSSP who is not recommending risk management and cybersecurity frameworks is in fact doing a huge disservice to your organisation.

Risk management and a risk management process looks at all of the risks to the organisations and allows you to think and work through the process and deliver strategies to protect the organisation.   It includes the ICT and technology area but there is so much more that has to be incorporated into a risk management plan.

The second part is a cybersecurity framework.   A framework does a number of things:

  • It focuses management on the required tasks to secure the organisation.
  • It removes knee jerk reactions to perceived threats.
  • The more you implement the framework the more secure your organisation.
  • It has to be done with the involvement of all areas of the organisation from management down and from coal face up.
  • It can be managed with reduced costs, expertise and time constraints

Most frameworks have a baseline requirement.   When you start to implement the framework you have to know how secure you are before you can start to improve.   The baseline also allows you to look at priorities within the organisation.

Conclusion

If your organisation is still using an MSP or an MSSP to manage your security without looking at the risk components or without implementing a cybersecurity framework (we recommend the National Institute of Standards and  Technology (NIST) cybersecurity framework) then you need to rethink your business security requirements.

Talk to an organisation that is focused on MBSSP capability.

Secure your business!

Get proactive!

Do the scorecard!

Read your report!

Link to scorecard https://caremit.scoreapp.com

#ceo #ExecutivesAndManagement #ProfessionalWomen #CareMIT #cybersecurity #infosec