How to get started protecting your company against cyber threats.

Posted on March 7, 2019 9:16 am
Categories: How To Guides

Hello, my name is Brian Stevenson and I am your host for the Cyber Chronicles. This week we're gonna talk about where to start in cybersecurity. We get this question quite a bit from companies saying, "I don't even know where to start. You know, I've been told that I need to make sure that my cybersecurity is protected, my company's protected, but I don't even know where to start, and it's a very confusing landscape." So that's what this episode is going to attempt to discuss. Stay tuned, it should be a good episode.

So why get started in cybersecurity to begin with? All right, why not? "Why not? I think I got a small business, I don't have to worry about cybersecurity." Well, 33 percent of owners don't have any IT controls at all, and almost 87 percent of owners don't feel they're at risk. "I'm a small businessman. I mean, all these hackers are going after just large businesses." Which is nothing further from the truth: 43% of all small businesses are hacked on an annual basis, according to Inc. magazine. The biggest concern around that is 60 percent of those companies that are hacked go out of business within six months. So this is a concern. This is something you have to take action on; otherwise you're putting your company at risk. All the hard work that you put in place could go down the drain in a matter of a minute. So we're gonna get started and talk about where do you start, what steps do you take.
Okay, so when you start looking at the cybersecurity universe, you start looking at, you know, what products do I get started with, and maybe you even took the time and Googled that, you know, where do I get started. You're gonna see ads of companies, literally hundreds of companies, all saying "start with our technology," and in a lot of cases it's not the best idea for you. You know, they don't know your particulars, and yet I heard the other day there's almost 2,000 technology companies, cybersecurity technology companies, out in the marketplace all vying for your attention, all saying, you know, "buy my technology." So it is a very confusing marketplace, it's overwhelming, and a slide that we're throwing up here is over two years old. Just, you know, a word of suggestion: be very skeptical of anybody's marketing features that they state, because there are a lot of companies on these lists that, you know, quite frankly, are either gonna get purchased, absorbed, or could go out of business themselves very quickly.

So what's the first step that we recommend? You know, look at your information and assets and ask yourself, what are the crown jewels of the company? What do I need to protect? Is it intellectual property, IP? Is it customer information? Perhaps it's credit card data that you have stored. Does your company have a presence on the internet? I mean, is this your front-facing brochure to the Internet? If that were to go down, how would that impact your company? I mean, what would happen if this information, your crown jewels, was not available for two to three days, a week, a month, three months, six months, if it got compromised? You need to determine what you need to protect first, and then start putting in place controls to protect that information. That's our first step that we want to talk about.

So once you've determined, you know, what you want to protect, your crown jewels, you want to make sure, and this is our second step at a high level that we recommend, that this information is backed up on a routine basis. It's amazing how much information, how many companies don't back up their information on an ongoing basis. We're not going to get into the details of, you know, what do you want, you know, how to back it up, on-site, in the cloud; that could be a whole other podcast, so we'll probably talk to it at a later date. But right now we just want to give you the basic building blocks: you want to back up your crown jewels, your information that you do not want to leave or lose. So you back up this information as frequently as it changes. So you're gonna see people say, hey, back up every day, back up every week, back up every month. Our suggestion is you just need to back it up as the information changes. If it's your website, your front-facing thing, you only want to back it up on an ongoing basis as changes occur to the website. If you're storing credit card information, just as credit card information is added; so if it's every day, you want to have a daily backup. If you don't, and the data is compromised, you're gonna have a day without that information. How would that impact the company? If it's intellectual property, if it's a patent and you've designed something and you're selling something, that information may not need to be backed up that frequently, because it's maybe not changing that frequently. So you back up as the information changes.
One thing that we highly recommend is you test your backup process. So assume there's been a compromise, see what happens, and then do a restore in an environment that's safe to see, okay, what would have happened if we had been compromised: we restore the data, are we functional? You want to make sure in your company more than one person can execute that backup. So let's say there is information that's compromised, all hands on deck, who's going to do the restore? Assign that responsibility to somebody and put it on paper in your backup, your cybersecurity policies. You want to have a backup, a backup to your backup; you want to make sure more than one person could execute that backup. You want to make sure these backups are stored in a place that is also secure. And it's always been interesting to me, and I've been in the IT business for a couple of days here, all right, decades: you want to make sure your backup is in a place that is secure. I was at a client one time and their backups were in a room that was unlocked. Their actual information was in a very secure environment, but their backups were in a room that was not locked, and literally there was a sign that said "Do not enter, backup room." This is something that you don't want to do, because this is information now; somebody can go in and take your backups and have your crown jewels and have your information. So you want to make sure it's also in a secure environment. So backups are very important. Make sure that you have a backup policy in place. Later on we're going to have a how-to on how to decide what to do on-site and the cloud, off-site; we're going to go into that. There's all kinds of nuances of backups, but right now we're just stating a basic fact that you need to have backups.

Okay, the second foundational stack that we recommend is that you have a plan in place if there is a breach. Who do you call to get help if there's a breach? Who's responsible to run point on the breach? We've seen companies, even enterprise companies, have a breach and 10-15 people go in a room and no one knows who's responsible, who's in charge, and it becomes a very chaotic environment. You're gonna want to decide in advance: if there is a breach, this person is responsible for leading point and gathering the troops and making sure that everything's taken care of.
But who do you call from an outside resource to come in, if you don't have an inside resource, to determine where the breach occurred, how to stop it, how to patch it, how to make sure it doesn't happen again? Do you have an attorney on retainer? This is one that's very important in my opinion: if your crown jewels are information that's protected by a regulation, i.e. credit card information for PCI, healthcare records for HIPAA, you're publicly held, sort of Sarbanes-Oxley, if you have those types of requirements, you're gonna want to consult with an attorney who specializes in cybersecurity to find out if you have to announce this breach to the public. There are time frames that you're required by law to announce the breach. You don't want to be that company that has a breach and it takes you three, four months to announce it to the public. So that's another really important step. You only have one person responsible for a breach; if you have multiple people, again it becomes very chaotic. So that's our second step.

The other thing is, you may want to consider, if you are a larger company, hiring a firm on a retainer to help you if there is a breach. And the reason you want to put them on a retainer is legal contracts: retainers are a legal contract agreement between you and the company that's going to help you if there is a breach, in terms of SLAs, service level agreements, timeframes that they're gonna respond, boots on the ground, that sort of thing. You don't want to negotiate a contract when you're in a crisis. If there's a crisis, there's been a breach, you don't want to call someone, a forensics expert, to come in and figure out what's going on; they're gonna put a contract in front of you, and obviously in a crisis you're just gonna sign it. Those contracts are obviously gonna be very slanted towards the firm who's helping you. You want to negotiate the retainer in advance, in some cases actually pay them in advance, which has an increase in their service level agreements; typically they'll be on the ground a lot faster and they'll respond a lot faster. So if you're a larger company or your crown jewels are that critical, you may want to consider hiring a forensics team, putting them on retainer. And then we have a whole new video coming up on that, and how do you determine which forensics company to decide on and to go with, because there's a lot of good ones out there, and as always there's some companies out there that you probably want to stay away from. So that's our second step that we recommend that all companies take.

Okay, the third step that we recommend is: knowledge is power, right?
And one thing that you're gonna want to do in your company, whether there's two employees or a thousand, is educate your employees. Educate your employees on the risks that are occurring in the cybersecurity universe. It can easily be as simple as just sending out an email to all employees stating that we are now taking cybersecurity very seriously, we now have a policy in place in terms of who's responsible for it, we are putting controls in place to make sure that our company is protected, and here are some tips to all employees in terms of safe internet usage and email usage. A lot of devices are compromised, and companies are compromised, by clicking on malware or clicking on files from people you don't know and then infecting the network by executing that file. You want to make sure your employees understand what is safe. What is your username and password policy? You know, do you have, how many characters, is it alphanumeric, what's the length that you recommend, and how quickly or how often do you refresh those passwords? That's something that is very important for your employees and your company to protect it. How do you safely go online? What is the risk of posting, you know, confidential information, private information on social media? What's the policy as employees leave; how do you make sure that their access is taken away, and who's responsible for that?

One that we strongly recommend, because this is something that's actually occurred to our company already, is a wire transfer policy. Put one in place now, today, if you don't have one: what's your wire transfer policy? If there's a request to transfer information, and in our case we put it at a thousand dollars, so anything over a thousand dollars, what's the policy? You need to slow down the process to make sure that you're not being compromised, that this is a request to transfer information that's not accurate. I actually had a meeting with one of the people in our company, and we're sitting there and his email came across his smartphone, and he looked at me and said, "I just got an email from you," and we were both pretty surprised because I was not on my computer, and the email requested that he buy $500 of Amazon gift cards and keep it confidential because it was a surprise for the rest of the employees. Very easily could have happened if we weren't sitting in that room together talking, and obviously it was an email address that looked like it came from my email address to the staff member. So this occurs a lot. Wire transfer fraud is: an email will come to one of your staff members from the president or CEO or owner of the company requesting the wire transfer. Make sure that you have controls in place to verify that information before it occurs. Anything over a certain dollar amount needs to be verified verbally by calling the owner or calling a person or seeing the person physically to say, "Did you request this?" Don't take these requests just via email; put a control in place. So that's one of our stronger recommendations, and let's move on.

Okay, on education, I'm gonna back up a second because we didn't touch on this. So in the educational aspect, there's a lot of good education out on the internet. There's YouTube videos, there's files you can download from the Small Business Administration, there are companies that specialize in training your employees. You know, if you're interested in that, KnowBe4 is a really good one, Wombat is a very good one. What they'll do is they'll actually put programs in place, educational programs, that you can have your employees go through for safe internet usage, and they'll actually also have simulated phishing attacks, or testing your employees on what they learned. And so there are tools out there that you can look at, and we'll probably have a video to talk about how do you educate your employees and what tools are available, from a free aspect all the way to a very sophisticated HR training policy. So I wanted to add that to the training, or the education, and let's move on to our next step here.

Okay, the next thing we want to talk about is patch management. This is something that, man, it occurs a lot and drives me crazy.
It probably does a lot of people too. You see companies that are compromised or hacked, and then it turns out that there was an update to that software application and no patch had been applied for six months, a year, two years, and that's why they were compromised. So keep your software up to date. Any software that you're using has updates; most of your products that you have have firmware updates, and you're going to want to make sure that you do those as well. So patch often, and automatically for all your employees if possible. So you set up your applications; there's gonna be, if there are updates, do you manually update them, or do we make sure that they're done automatically? I would suggest you do them automatically for your employees. Your major servers, cloud providers and other technology, you want to do them manually, because you're gonna want to put them in a sandbox before you put them in production to make sure nothing breaks, but you're gonna want to do those as quickly as possible.
Who's responsible for the patch management? Who's responsible for making sure that all of our applications are up and running on the latest patches? This is a real concern. If you don't, this is what happens: patches, a lot of times, are because of security risks, and these security risks are publicized on numerous websites. So the security risk is publicized around an application, ABC; hackers then can go into search engines and search for websites that have the old version of that software. And the vulnerability is publicized and tells the hackers specifically how to take advantage of that; a lot of times there's YouTube videos that'll actually walk people through how to take control of these assets based on the vulnerability. It's extremely important that you do patch management. If I look at even our website: we're a small business, like a lot of small businesses we use WordPress, and we receive anywhere from five to ten patch updates per week. WordPress itself has updates very frequently to its core engine; almost all of them in the last year have been due to security compromise concerns. Very easy to search a search engine to find out which websites are using an old WordPress version. So don't take this lightly. Make sure that you have all your applications updated to the latest version, and make sure that your partner also has updates; a little bit more complicated, we'll talk about that in another episode. But you're also going to want to make sure that your hardware, your firmware for your servers, your routers, your wireless, are all updated to the latest firmware. Let's move on.

Okay, we touched on this a little earlier, but this one we believe is its own category: password policy. So password policy is really important. Make sure that all your employees use a strong password; remind them not to use the same password they use on other sites. There's been so many compromises in the last year, I'm not going to get into the specifics, and these passwords in a lot of cases are reused on other applications. So if there's a compromise on a social media site, on a standard application site, this information now goes to the hackers; a lot of times it's reposted on the dark web where people can download it and then just use your username and password, and it's the same username and password they use on 15 different sites. So they can go to your, you know, your Bank of America, Wells Fargo and say, "I wonder if this person is using the same username and password; I can go through all of these usernames and passwords and try," and invariably they'll find one person that has that. Make sure your employees understand: don't use the same password they're using on their social media sites, because they're compromised quite frequently. If you're using WordPress, and again most small businesses use WordPress as their website application, make sure that your username is not set to the default, admin, right? So you don't want to easily give these hackers part of the equation to break into your system. So you don't want "admin" and then a password; use a strange username, alphanumeric, right? You can do J52X3421 as your admin name and then also use a password, so now you're actually more difficult to compromise than you would be if it was "admin" and I just have to guess your password. We're a relatively small company in cybersecurity; I checked before we did this podcast and we are averaging about a hundred attempts per day to break into our WordPress site, and I would say 90% of them, the username is admin and then a password. In our particular case, once you do that, that IP address is then banned going forward. It's not a fail-safe, because if you know what you're doing you can change your IP address, but it's again just another step of control that keeps, kind of, I would say, the unsophisticated hackers, the smaller hackers, away from your website, which can do just as much damage as the very sophisticated hackers. So password management is very, very important, and let's move on to our next recommendation.
Okay, the next tip that we have, suggestion we have, and this is foundational stuff, right, is make sure, if the application that you're using has multi-factor authentication, that you implement it. You'll hear multi-factor authentication, MFA; you'll hear two-factor authentication; kind of all the same thing. We're gonna have a podcast that talks about this more in depth, but if you enable two-factor authentication, all that means is the applications can require different, additional information before you can log in. So you'll try to log in to your application, username and password; it's gonna stop you at that point and say, whoa, we need more information to make sure that Brian is logging in to this application. So maybe a text sent to your phone; there's a Google application out there, there's a lot of apps, that does a randomization of a number that allows you to log in at that point to ensure that you're there. There are enterprise-level authentication products if you want to have just the ultimate in protection for your own system, so you can implement that, and it's a random number typically generated by the application, and it protects you even if your password's compromised. So you're logging in, and it says username, password, it's requiring additional information. Some applications actually give you a discount if you implement multi-factor authentication. We have an application we use a lot that gives us a 10% discount just because they know that if we have this implemented, the chances of being compromised go down significantly. They also send us a notification on every successful login that's not from the IP address that we typically log in from. So we log into this application here in our corporate headquarters as well as our home address, so those two locations are well known to this application. If someone tries to log in, or has my username and password and it's compromised, right, and they log in from Europe, I'm gonna get an email that says, hey, someone just tried to log in from Europe, is this you? So it's just more controls put in place that allow you to operate safely as a company. So we highly recommend that you turn on multi-factor authentication.
Okay, so thank you for watching this video. I hope it was helpful. If you have any questions, please list them down below. Just again to recap: you know, it's a very complicated, confusing universe, but you gotta get started. These are kind of the basics. Step one was what information you want to protect. Step two is making sure that your information is backed up. Three, who do you call if there's a breach, what's your breach policy, your compromise policy. Four, train your employees; make sure your employees are trained, make sure they're not putting their passwords on a Post-it and putting it on their monitor (I know there's people out there doing that) or putting them underneath your mouse pad; that's really tricky, it's hard to find; again, I know people who are doing that. Make sure your software is updated; patch management is really important. Make sure you have a strong password policy, if I can speak, "password policy." And then lastly, as a foundational recommendation, make sure that you turn on two-factor authentication for every application. You do those things, you're gonna be much more difficult to be compromised, and you should be operating your company in a much safer mode than most of the 33% of companies that don't have any controls in place at all. Thank you for watching this video. The next video we're gonna have in the series is what do you do from here from a foundational stack, what do we recommend, and we'll post that soon. And again, any comments, list them down below, and I appreciate you listening. As always, take care and be safe.
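The episode mentions two login controls that can be checked from an ordinary login log: banning an address after repeated failed attempts against the WordPress site (most of them trying the default username "admin"), and alerting on a successful login from an address the account does not normally use. The Python script below is an added example written for this page, not code from the episode or its author. The log line format, the threshold of five failures within ten minutes, the set of "known" addresses and the sample log lines are all constructed for illustration.

```python
"""Flag brute-force login attempts and logins from unfamiliar addresses.

Added example (not from the episode): a small detector that mirrors two
controls discussed in the transcript, banning an IP after repeated failed
logins and alerting on a successful login from an address that is not one
of the account's usual ones. Log format, field names, thresholds and the
sample lines are all assumptions constructed for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, one login event per line:
#   <ISO timestamp> <client-ip> <FAIL|OK> user=<username>
SAMPLE_LOG = """\
2019-03-07T09:00:01 203.0.113.45 FAIL user=admin
2019-03-07T09:00:03 203.0.113.45 FAIL user=admin
2019-03-07T09:00:04 203.0.113.45 FAIL user=admin
2019-03-07T09:00:06 203.0.113.45 FAIL user=admin
2019-03-07T09:00:08 203.0.113.45 FAIL user=administrator
2019-03-07T09:00:09 203.0.113.45 FAIL user=brian
2019-03-07T09:05:00 198.51.100.7 FAIL user=admin
2019-03-07T09:30:12 192.0.2.10 OK user=j52x3421
2019-03-07T11:15:42 203.0.113.200 OK user=j52x3421
"""

BAN_THRESHOLD = 5                    # this many failures from one IP ...
BAN_WINDOW = timedelta(minutes=10)   # ... inside this window triggers a ban
DEFAULT_USERNAMES = {"admin", "administrator"}
# Addresses the owner normally logs in from (office and home in the episode);
# constructed values for the example.
KNOWN_IPS = {"192.0.2.10", "192.0.2.99"}


def parse_line(line):
    """Return (timestamp, ip, result, username) for one log line."""
    ts, ip, result, user_field = line.split()
    return datetime.fromisoformat(ts), ip, result, user_field.split("=", 1)[1]


def parse_log(text):
    """Parse the whole log, skipping blank lines."""
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def ips_to_ban(events, threshold=BAN_THRESHOLD, window=BAN_WINDOW):
    """Return IPs with at least `threshold` failed logins inside a sliding window.

    Events are assumed to be in chronological order; failures older than
    the window are dropped before the count is checked.
    """
    recent_fails = defaultdict(list)
    banned = set()
    for ts, ip, result, _ in events:
        if result != "FAIL":
            continue
        recent = recent_fails[ip]
        recent.append(ts)
        while recent and ts - recent[0] > window:
            recent.pop(0)
        if len(recent) >= threshold:
            banned.add(ip)
    return banned


def default_username_share(events):
    """Fraction of failed logins that tried a default account name."""
    fails = [user for _, _, result, user in events if result == "FAIL"]
    if not fails:
        return 0.0
    return sum(1 for user in fails if user in DEFAULT_USERNAMES) / len(fails)


def unfamiliar_logins(events, known_ips=KNOWN_IPS):
    """Successful logins from an address the account does not usually use."""
    return [(ts.isoformat(), ip, user) for ts, ip, result, user in events
            if result == "OK" and ip not in known_ips]


def analyze(text):
    """Run all three checks over a log and return the findings."""
    events = parse_log(text)
    return {
        "ban": ips_to_ban(events),
        "default_share": default_username_share(events),
        "alerts": unfamiliar_logins(events),
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for ip in sorted(report["ban"]):
        print(f"ban {ip}: repeated failed logins")
    print(f"{report['default_share']:.0%} of failures used a default username")
    for ts, ip, user in report["alerts"]:
        print(f"alert: {user} logged in from unfamiliar address {ip} at {ts}")
```

On the constructed log, 203.0.113.45 crosses the threshold on its fifth failure and is flagged for banning, six of the seven failures used a default username, and the one successful login from 203.0.113.200 raises an alert because it is not a known address. As the episode notes, the IP ban is not a fail-safe, since an attacker can switch addresses; that is why the unfamiliar-login alert and multi-factor authentication sit alongside it.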