Why Business Security is a specialised field

I am sorry, but if I hear another IT person or manager express that they do not know how they were target by malware when they have Anti Virus I am going to scream.

The issues and problems associated with Business Security needs to have a different and more refined and robust focus than normal IT.

They need to focus on what the bad guys are actually capable of.

Normal IT, in most organisations, have a primary focus of keeping the lights on, making things work and keeping it functional.

We have to stop thinking that Business Security is the realm of IT, because it is not.

Business Security is a whole of business process and HAS to be treated that way.

This is why you need a professional who is focused on the security component of an organisation.

Someone who can cross all of the areas of the business and get all levels involved in the process.   For small and medium business, this is an expense that few can afford.

The ways that a system and organisation can be compromised are numerous, and in most ways are practically invisible to small and medium sized organisations.

There are also numerous reasons that they are targeted, but automated systems are the primary contender.

The only reason they are targeted is that they are connected to the internet.

The bad guys need no other excuse than you have a digital device and it is connected to the internet.

In addition small and medium organisations do not have the three things that are vital to protecting the organisation:

  • Skills
  • Time
  • Money

Investing in these things are normally outside the purview of ordinary business.

Its not from want or trying.

Most want to be secure.

They just do not know how to get to that next level, and if they knew would not have the above resources to make it happen.

Cybersecurity / Business Security is a typical catch 22 situation.

Professional Business Security Support

You need to invest in the skills, time and money but do not have the skills, time and money within the organistion to be able to apply what you need.

This is why you need a framework.

A framework that is going to apply a progressive protection strategy around the business.

That framework can be any of the available frameworks but for small and medium business i think that mine would be a great place to start.

My framework puts technology, management, adaptability and compliance into a system where each additional components makes the organisation just that little bit more secure.

Try it here

In addition a managed Security Service Package is a great way to make your money, expertise and time go a lot further.

Most MSSP’s will look after all of those critical components of an organisation.

They have the skills to do it, they have the expertise to make it more secure than an untrained person and will definitely make your money go a lot further.

Roger Smith is the CEO of R & I ICT Consulting Services, Lecturer at ADFA (UNSW – Australian Centre of Cybersecurity), Amazon #1 selling author on Cybercrime, Presenter for the Business Security Intensive, author of the Digital Security Toolbox and Digital Security Framework.   Rapid Restart Appliance Creator.   He is a Speaker, Author, Teacher and Educator on cybercrime and how to protect yourself from the digital world. 

What are the riskiest network TCP / UDP ports and how do you secure them?

Vulnerabilities do not rest on TCP ports, they rest on services.

Any TCP port can be open but if there is no corresponding service using that port an attack on the port will most probably fail.

There are exceptions to this – TCP Port knocking and encryption allow a port to be open but will register as closed.

All hacking / malware attacks are targeted at those services and each of those services can have different applications behind them.

A little background – A Quick introduction to hacking.

Vulnerabilities are discovered and used in attacks based on a number of things:

  • application, – what is the application that is using the TCP port, Apache and IIS have different vulnerabilities and they both can be as unsafe or as safe as each other.   It depends on the attacker, defender, version and the installation process
  • version, – one version will be more secure that the previous one – In the labs we demonstrate a problem with VS-FTP version 2.3.4 it has a back door hard coded into the software.   Anyone who knows that can use it to compromise the server it is installed on.   By upgrading to 2.3.5. you remove the vulnerability and the back door.   With the introduction of IOT the main vector of attack are port 80 attacks and hard coded default usernames and passwords
  • installation process – the installation process for a number of applications have a default username and password.   If these are not changed then the system is vulnerable.   Tomcat and vnc are examples of known default usernames and passwords.
  • interaction within the application and the operating system. – there are a number of applications that are vulnerable when installed on a specific type of operating system.  Code red – targeted port 80 (HTTP) to attack the SQL components of a web server on port 1433 (MSSQL)

Fingerprinting and scanning

This is the process of finding out what application and services are behind the port.

It also tells us what version is running.

A simple NMap scan will deliver this information to anyone who knows how to use it.

A simple Nessus scan will reveal even more!

User rights and shell

A hacker needs 2 things to be dangerous.

He needs to have the authority – administrator (god) access and he needs to create a shell, something to run commands, scripts or applications in.

You can still do damage to a system if you have less than admin access but it is only to the application that is running – compromising tomcat will give me access to the web server component of a system.  There are ways to escalate the user from a service to the administrator.

If you do not have the ability to gain a shell then most attacks will not work.

In the world of penetration testing we can discover hundreds of vulnerabilities but only one or two or ten will enable me to compromise the system with both administrator access and a shell.

They are the only ones we report, resolve and remediation.

Hackers use Google and YouTube

Most hackers will find information on what they are targeting, how to do it and what they need to do through a basic search.

So with that all being said – here are the top 20 ports with their corresponding application. Insecure network services

TCP PortsPort numbers

  • 21. TCP – Ftp – file transfer protocol – one of the oldest ports on the internet and is used to transfer information from one system to another over a TCP connection.   Can be used in Command and Control of malware.
  • 23 – TCP – telnet – the most basic of shells, can be used to transfer commands and scripts from computer to computer.   Unencrypted and easily captured.
  • 25  TCP – SMTP – email servers – exchange, sendmail, and any system that has been designed to send email as part of its system requirement.
  • 69 – UDP – TFTP trivial file transfer protocol – used to update and transfer information from computers to routers.   Information can be intercepted because it is a UDP connection.
  • 80. TCP – HTTP – hyper text transfer protocol – Apache, iis
  • 143 – TCP – imap – mail protocol
  • 110 – TCP – pop3 – mail protocol
  • 443 – TCP – HTTPS secure hypertext transfer protocol
  • 53 – TCP/UDP -DNS domain name service – bind, windows
  • 8080 – TCP – tomcat  management –
  • 161 – TCP – SNMP –
  • 3389 – TCP – RDP – remote desktop protocol
  • 4444 – TCP/UDP – metasploit
  • 1433 – TCP – SQL
  • 137,138,139 – UDP – netbios
  • 1723 – TCP – VPN PPTP
  • 9100 – TCP Internet Printing
  • Gaming ports – inbound and outbound – some games install and connect to a web based server on a specific port based on the game.   The game allows an attacker to use the game as a platform to store and activate malware.

There is no way to secure individual ports and their applications except to make sure the application and operating system are up to date.

There are a number of ways to protect an organisation:

a second generation firewall / next generation firewall will inspect packets at the network, data and physical level as they enter and leave and compare that information to its database.

If an attack is indicated it will either stop it or move it to a sandbox.

The other ways are through logging, auditing and reporting.

Depending on the size of the organisation a SIEM maybe necessary, but a process of alerts is vital to catching the initial components of a breach.

Roger Smith is the CEO of R & I ICT Consulting Services, Lecturer at ADFA (UNSW – Australian Centre of Cybersecurity), Amazon #1 selling author on Cybercrime, Presenter for the Business Security Intensive, author of the Digital Security Toolbox and Digital Security Framework.   Rapid Restart Appliance Creator.   He is a Speaker, Author, Teacher and Educator on cybercrime and how to protect yourself from the digital world. 

Why do i need a Managed Security provider?

Why are we the weakest link in cybersecurity – we just don’t care!

The threats are NOT imaginary.

The threats are real!

The visibility of the wannacry attack actually highlights how vulnerable the world is with its reliance on all things digital

Zero day exploits and known vulnerabilities are available for every operating system, including IOT devices.

 Anything with a digital signature can be hacked.

Where it all breaks down is that in most cases there is a human who is attached to the device.

A human who has the ability to veto all security measures in their hurry to do something, anything with the device.

How often have we seen the “updates available” on our server, laptop, smart device or application and have been in too much of a hurry to apply them.

In most cases it would take 10 minutes out of our busy daily schedule, 10 minutes where we have to find something else to do – not screen related.

cybersecurity We are so busy that we cannot find that 10 minutes?

Most systems are now being designed to make it obvious, and will persistently tell us that we need to update.

What do we do?

We complain that we do not have enough time.   We are too busy.   We cannot stop for that brief space of time to increase our security.

The SMB patch for wannacry has been available since march, that is almost 8 weeks before the cryptovirus attack, but the impact was significant because we were too busy.

I thought that we had learned from the “code red” attack in the early 2000’s, that patching is a very important part of digital security, obviously not!

“Code Red” crippled the internet because of un patched SQL servers, the patch had been available for 3 months prior to the release of the virus.

Most of the problems with security in the digital world is US.

We are too focused on our tools to see the underlying features that have actually been put in place to protect us.

There is a quote I often use in my training “THERE IS NO PATCH FOR HUMAN STUPIDITY”

 We are the weakest link in cybersecurity, in the digital chain where we should be the strongest.

In most cases we are very stupid!

Roger Smith is the CEO of R & I ICT Consulting Services, Lecturer at ADFA (UNSW – Australian Centre of Cybersecurity), Amazon #1 selling author on Cybercrime, Presenter for the Business Security Intensive, author of the Digital Security Toolbox and Digital Security Framework.   Rapid Restart Appliance Creator.   He is a Speaker, Author, Teacher and Educator on cybercrime and how to protect yourself from the digital world. 

Ransomware – So you think you have nothing worth stealing?

Lets just look at that for a moment

In today’s world we all use the internet to do business, to communicate, to have fun.

What we forget is this!

  • You have a Mobile phone or tablet = target
  • You have email = target
  • You have a web site = target
  • You own a Smart TV = target
  • You live in a Smart home = target
  • Have anything that is part of the Internet of things = target

There is no getting away from it.

If you are connected to the internet, the digital world, the cyber world, in any shape or form – you are a target.

Do you now agree that you are a target!

By being a target, what are they after?

Most people think that they have nothing worth stealing?

In today’s digital world, that is bull.

If I was a hacker – What could I steal from you?

Lets just start with just the basics –

  • money or access to money
  • Intellectual property, trade secrets or restrict access to information
  • PI information about you

Additionally, Technology – your computers, phones, tablets, your smart devices.

Things you may not even consider your phone systems and your gaming console.

So you are also saying that you have nothing worth stealing!

So lets look at the phenomena that is the fastest growing digital crime ever seen – ransomware.

Ransomware Why is ransomware so effective?

To anyone who has been a target of ransomware, you realise very very fast that not having access to things that you considered not inportant, suddenly become very important.

With a ransomware attack you have three actions –

  1. its not important so I won’t worry about it,
  2. I will pay the ransom or
  3. I will restore from backup

Your choice, but i can guarantee that not having a tested and secure backup will haunt you.

The problem with the digital world is we are all exposed.

We are all targets.

More importantly, if you don’t do something about it who will?

Want to know more about business security?

Join us for the business security intensive


Roger Smith is the CEO of R & I ICT Consulting Services, Lecturer at ADFA (UNSW – Australian Centre of Cybersecurity), Amazon #1 selling author on Cybercrime, author of the Digital Security Toolbox and the SME Digital Security Framework.   Rapid Restart Appliance Creator.   He is a Speaker, Author, Teacher and Educator on cybercrime and how to protect yourself from the digital world. 

What is the difference between a Penetration Test and a vulnerability scan?

Google Alerts – The week I died 7 times, and how I knew about it!

What a weird thing!

 I have a Google alert for my name, just to check that people are not talking about me.
Recently, over the space of about 10 days i died and was buried 7 times.
A disconcerting occurrence.   I was happy to see that none of them were me.
It has bought to my notice the importance of google alerts.
For those people not using google alerts i would suggest that you do.
Google alerts scans the internet for any reference of the criteria you have configured for your alert within a set period of time – mine are last 24 hours.

I have a number of alerts configured.

I have an alert that triggers on “cyber, cybercrime, cybersecurity, digital security, MSP, managed services and business security”.  This is to keep me up to date in industry newsWhat is the difference between a Penetration Test and a vulnerability scan?
I have an alert that triggers on our clients names, products and services. This keeps me up to date with what our clients are doing and if there is any chatter that could potentially turn into a problem.
I have an alert that triggers on any of our business names, products and services.  This tells me of there is any chatter about our organisation and so that we are aware of problems before they become issues.
Google alerts are a cheap and inexpensive way (free) of keeping track of what is happening on the internet around you and your niche.   I would suggest that you utalise it.
Roger Smith is the CEO of R & I ICT Consulting Services, Lecturer at ADFA (UNSW – Australian Centre of Cybersecurity), Amazon #1 selling author on Cybercrime, author of the Digital Security Toolbox and the SME Digital Security Framework.   Rapid Restart Appliance Creator.   He is a Speaker, Author, Teacher and Educator on cybercrime and how to protect yourself from the digital world. 
Why do i need a Managed Security provider?

Compliance is only as good as the people doing the audit.

There are two real noticeable ways of doing compliance, when it comes to business security.
The first is looking at the audit requirements and only doing what is required to meet that audit.
If you change a part of the compliance requirements you then fail the audit.
The second is to actually do the process correctly.
Making the system as secure as possible within the constraints of finances, time and capability.
Using a decent business security framework (mine or someone else’s) is the first step in building a secure environment for your technology, money, intellectual property, staff and clients.
The impact of a failed compliance audit can cause a number of issues for any size business.   The biggest one is that your organisation is vulnerable to a cyber event.
The impact of a cyber event on the owners and managers of small business, on C level executives of larger organisations and on sitting board members can be be devistating in a number of ways.
Loss of revenue, falling stock prices, fines and legal suits to name a few.   They can have a significant impact on business capability as well as at an individual level.
The right compliance audit can show that you have done everything that is possible to protect the organisation from cyber crime and still be compromised.

That is the nature of the cyber beast.

We are all playing catch up.
We are at the beck and call of the cyber criminal.
So protecting the organisation at a strategic and tactical focus stops the knee jerk reactions of the events that we all hear about in the news and on the internet.
This is why a framework is so important.
For instance, the newest version of a ransomware variant is targeting a zero day exploit that was patched a couple of weeks ago.
This would not have any significant impact on an organisation who has a software patching policy in place and active.   The patch for that exploit would have been applied in the patching process.  Reducing the risk of that vulnerability being exploited.
Another example is 2 factor authentication for VPN log in.   Two factor authentication works on the principle of username and password and a third component.
The third component only comes into play if the first two are correct.  The third component can be an SMS to a phone or a 6 digit number on a fob.  Put in the information and you have access.
Increased security, auditable and easy to use.   It also increases the security of your business.
For more information on compliance sign up for our business security intensive using the NIST framework at a location near you.

A business security framework for the cyber insured

The introduction and subsequent uptake of insurance focusing on “cyber” have shown that the insurance industry is serious about protecting the assets of businesses all over the world.
The level of protection is dependent on the policy, your business requirements and also how much protection you need for your business.
Insurance without looking at increased protection however, will not work.  A breach would / could put you in the situation where you are not covered.
If you do not get your business security and protection correct then you will be in a situation where a cyber crime against your business will not be covered under your insurance policy
Here is a basic framework that aligns with most cyber insurance policies.
  1. Technology.  There are a number of areas where technology investment is paramount.   Here are a few
    • Router, modem, firewall – get the best you can afford.   Definitely get rid of the system supplied by the ISP or the shop bought one from a home retail shop.  As a level of protection they will not protect your organisation.   Minimal spend should be around $600 for a small business up to more than $20k for a large organisation
    • End point protection – 2 things about end point protection, they will catch malware and suspect applications because, like us the hackers are inherently lazy and use old known code.   The second is doing a regular scan, this will allow systems to catch up with malware that has been recently discovered.
    • Wifi – access to your wifi allows access to your systems, whether it is set up to have access or not.   Once again spend a little and invest in the best you can afford.
    • Encryption – if you are collecting staff, user, client and financial information then it need to be protected from ease dropping with encryption.   Encryption needs to focus on data at rest, where and when it is stored as well as in transit.
    • Patching and updates – operating systems – do it, applications – do it, websites – do it, tablets and phones – do it.   Absolutely critical to protecting anything digital in today’s world.
    • Up to date operating systems and applications – if you are using old versions of MAcOS, windows XP, android – replace them ASAP
  2. Management.

    • Policies procedures and processes – policies are very important as they tell your staff where you stand on passwords, internet usage, email usage, education and training.   Make sure everyone reads and understands them.   Procedures allow you to specify how things are done so that anyone can walk in and do a task without supervision.   Processes will also allow systems inside the organisation to be implemented as a standard
    • Audit and reporting – it is no use collecting information from the system if no one is going to look at it.   You need to implement a standard process that audits the information and reports it to management.
    • Logging and alerts – all systems have some level of logging.  In a small organisation daily checks of individual logs can be done, in larger organisations there is a need for a central location and a system that alerts staff to issues coming from firewalls, intrusion detection or AV.
    • Password management – in today’s world passwords are your passport to the digital world so they have to have 3 components – must be more than 10 characters, must be unique for each location and must be complex, having letters, numbers, capitals and symbols.
    • Education and training – there is a 300% ROI on education in an organisation.   Your staff are the first and last line of defence, when the technology fails an educated user will be the last line of defense
  3. Sustainability
    • Disaster recovery – when it alls goes to custard (and it will) you better have a way back.   This is what disaster recovery is all about.   It doesn’t matter if it is physical (flood, fire), digital (cyryptovirus, failed hard drive) everything that is stored digitally is vulnerable.
    • Risk management – you need to way up the risks of a issue impacting your organisation.   The higher the risk the more you need to mitigate it.   If you use the NIST framework to manage your risk and exposure it will benefit the process of risk management
    • Backups – everything that is important need to have a backup made of it.   If it is business critical then the risk of something happening needs to be weighed up against mitigation and cost.   Virtual imaging backup software is a huge solution to this priblem
    • Business continuity – what happens if the district where you office is locked down and noone can access the office.  What contigencies have yo got in place.
  4. Compliance – if you are collecting PII (personal identification information) then you will have a compliance requirement.   If you are collecting financial information then PCI DSS compliance requirements come into the situation as well
 So insurance is all very well but unless your organisation invests in the additional components of your cyber protection you may find that the cryptovirus that has encrypted all of your data is not covered.
If you want to know more get my book or ebook
Roger Smith is the CEO of R & I ICT Consulting Services,(http://rniconsulting.com.au), Lecturer at ADFA (UNSW – Australian Centre of Cybersecurity), Amazon #1 selling author on Cybercrime (http://www.amazon.com.au/CyberCrime-Clear-Present-Danger-Security-ebook/dp/B00LEJTN5Y), author of the Digital Security Toolbox (http://www.rogersmith.com.au/roger/toolbox/) and the SME digital security framework (http://smesecurityframework.com.au/csb/).   He is a Speaker (http://www.rogersmith.com.au/roger/roger-smith/), Author, Teacher and educator (http://securitypolicytraining.com.au/cybersecurity-awareness-introduction/) on cybercrime and how to protect yourself from the digital world.

Cybersecurity and business security training when it is working, you WILL know!

Joining the Cybersecurity IN Crowd

When it comes to proving that your Cybersecurity and business security training is working there is usually not much to show!   In most cases there is a general rumbling within an organisation, like every other training: wasting time, effort and sometimes money.   

BUT, there is a little known fact that when cybersecurity training is embraced there is an overwhelming camaraderie created.

Complete the course and you are one of the crowd.  

A part of the IN crowd.  

Look at that you, know a little more about computers, security and that is important for moral within any organisation.

Like any other training and education program we need to know how to use the tools that we are given in the organisation.   Cybersecurity and business security focuses on protecting the information that those tools generate.

How do you know that your training is being embraced

If they are discussing the training – you win

Getting people involved in any training is hard – most people just want to do their jobs.  More importantly, in todays world they either think they know it all or management doesn’t think it is important.  

If you have delivered any type of business security or cybersecurity training or presentations and they are talking about it in the break room then that is a vast improvement.     

This increase in awareness allows the organisation to concentrate on other areas of core business namely products and services.   In addition this level of discussion also makes for increased awareness, better protection for the organisations infrastructure.   

A win for the staff as well as a win for management.

There is a distinct lack of visible passwords

If your training is working you will find that everyone is more aware of the organisations password strategies.   This awareness should be visible with a distinct lack of post it notes all over peoples work stations, monitors and under keyboards.   

When everyone has been taught how to create complex passwords that are unique to every website or location, that are easy to remember and are longer then 10 characters, security within the organisation just has to improve.

Errors and mistakes with digital information start to disappear.

Once a training package has been completed there is a distinct decrease in the number of silly mistakes made by the people who have received the training.

Why don’t People make as many silly mistakes.   They do not open email attachments, follow links, email critical information outside the organisation, make silly regretful comments on social media and are less susceptible to social engineering attacks.   They think about the consequences and the have a higher awareness threshold

They have been taught to follow the “trust no one” philosophy, are paranoid of the digital world, show an increased awareness in what and how the bad guys are targeting them, your organisation and their access to money.  

Bragging about recognizing a specifically sneaky phishing / spear phishing email

The biggest off shoot is when staff members start to brag about cyber attack failures that they have been involved in.  A targeted email that was aimed at the accounts department.   A phone call they thought was fishy.

When that happens everyone feels good.

There is an increase in business interaction

With an increased awareness of what is a true business proposal and what is krap, business can start to make an impact in their areas of core business.

If you combine a true cybersecurity, business security training package with an above average NIST score you can start to influence your market niche, control who you do business with and improve their business capabilities.

As we all know training and education of staff, management, C-Level execs and board members is very important.   The significant changes in internal attitudes to cybercrime and fraud increase significantly if a decent training.

If you are interested in a decent inexpensive training package for small and medium enterprise then contact us on one of the following links.


Roger Smith is the CEO of R & I ICT Consulting Services, Lecturer at ADFA (UNSW – Australian Centre of Cybersecurity), Amazon #1 selling author on Cybercrime, author of the Digital Security Toolbox and the SME Digital Security Framework.   Rapid Restart Appliance Creator.   He is a Speaker, Author, Teacher and Educator on cybercrime and how to protect yourself from the digital world. 

Ransmware, Crypto Virus and educating your users

Ransomware, so you think it’s a joke?

“Never before have so few, stole so much, from so many that the many fail to see a problem!”

Ransmware, Crypto Virus and educating your users

Ransomware, Crypto Virus and educating your users

I got a phone call from a mate the other day wanting some advice.

My mate is attached to a not for profit organisation that has a number of self-managed branches all over Australia.

His question was “what do you know about ransomware?”   

My immediate response to that was “why, it hasn’t happened to you, has it?”

It turns out that one of the branches of his NFP organisation had been targeted through a phishing email and one of the volunteers had opened it.   Not realising what they had done, it had also been left to encrypt over the weekend.   ALL of their data was now encrypted.

My first response – restore from backup, clean the virus or better still rebuild the infected computer, and educate the users.   In that order!

I knew a forensic investigation was not going to tell us much!

But, wait there is more!

No we did not have end point protection installed on any computers or servers and when the incumbent IT Company (WTF) looked at the backup, they had not had a successful backup since 3 1/2 weeks prior.

The incumbent and external IT Company had not been seen on site in more than 12 months.    There was no reporting, no management and no proactivity.

All they had was a help desk and when that was needed it all turned to crud.

This scenario happens every minute of every day.

Often, we do not see the problems that the digital world creates, so like the ostrich, we hide from the repercussions in the hope that it will not happen to us.

This really is a bad attitude, both as an individual, but more importantly as an organisation.

No one is immune, there is no vaccine, everyone can be targeted and more importantly, being attached to the internet, everyone is.

The criminals are persistent, uncaring and, although we do not give them credit, most importantly clever.   They patiently wait for anyone and everyone to make a mistake and they capitalise on that mistake.

Just think of this – if we had no important data worth stealing (or encrypting) then ransomware would not be a 5 billion dollar industry.

The most important things to do – personally and as a business:

  • Trust no one
  • Be paranoid
  • Use common sense
  • Have a tested backup
  • Use antivirus
  • Get a decent firewall
  • Patch it all
  • Education
  • Audit and report

Try this little experiment – how long can you use a new computer before you realise that you need access to some old information.   If it’s not very long then you need to protect yourself from ransomware.

In addition I sent them this link – to see how mature their organisation is and it was completed by the IT person and they got a 1.7.   If it was at this maturity level, they would not have had the significant problem that they had.

I guarantee that if it was completed by management or a member of the board they would have got below 0.5.

Try it and see! http://business-security.com.au/go/audit/

Roger Smith is the CEO of R & I ICT Consulting Services, Lecturer at ADFA (UNSW – Australian Centre of Cybersecurity), Amazon #1 selling author on Cybercrime, author of the Digital Security Toolbox and the SME Digital Security Framework.   Rapid Restart Appliance Creator.   He is a Speaker, Author, Teacher and Educator on cybercrime and how to protect yourself from the digital world. 

Why do i need a Managed Security provider?

Why assumptions in business security are bad for your business

There is an old adage that has stuck with me since my early Navy days, never assume, because it makes an ass out of you and me.

Why do i need a Managed Security provider?

Why do i need a Managed Security provider?

When it comes to business security, assumption is a really bad place to be.    It happens all of the time!   We are assuming that the bad guys are only as clever or dumb as the person who puts the security together.
We have seen, heard, read and demonstrated that this is not the case.    The criminals who use the digital world to perpetrate their crimes are neither stupid nor dumb.   In most cases, especial in the true criminal environments, they can be exceedingly clever in their chosen field.
Their chosen field is using technology to separate you from your money, your trade secrets or your technology.
They are very good at it.
Why is it
In most business environments, small, medium, large or not for profit, the ICT department / person / person who knows computers is full on keeping systems working.   They are firefighting, troubleshooting and just keeping their noses above the level of crud that is the job.
The do not have time to implement stringent security measures so they revert to ‘easy wins’.
A firewall, maybe an acceptable use policy, anti virus and updates.   Anything that they can implement in a couple of hours and tick the box that says they are now secure – usual because the sales person said so.
In today’s rarefied cybercrime environment this is no longer enough.
It is not their fault, there are not enough hours in the working day to implement most of the strategies for a secure business environment.
This is where an external cybersecurity contractor comes into it.   A contractor who will augment your system, make it more secure, test it and deliver outcomes that, although expected, never usually eventuate inside the business.
Like everything else in today’s world finding the right one, one that is not going to rip you off, one who knows there stuff and one who uses or has developed a framework for security is very hard to find.