Business Security – an R & I ICT Consulting Website
http://business-security.com.au
Business Security Demystified
Feed generated Mon, 08 Oct 2018 01:12:11 +0000

There are managed service providers (MSP) and there are really good managed service providers!
http://business-security.com.au/there-are-managed-service-providers-msp-and-there-are-really-good-managed-service-providers/
Mon, 08 Oct 2018 00:42:39 +0000


Paying a fixed fee for your technical support through a Managed Service Provider (MSP) is an ideal arrangement for today's businesses and organisations.

It allows the organisation to focus on its core business, what it does to make money, without having to worry about technology, policies and people.

The original idea of managed services, that you pay a monthly fee and all technical support is covered, is failing as greed sets in.

A true managed service provider should be doing it all for you.

Anything that is part of your business and the technology required to achieve your goals should be their responsibility.

Most MSPs have changed the contractual obligations in their service level agreements (SLAs) to improve their bottom line, to the detriment of the client.

The small print usually amounts to "all care but no responsibility".

To increase profits they have changed the way the SLA is applied. They have moved the risk back onto your organisation.

Instead of mitigating the risk of something going wrong, by putting in self-repairing software or by moving your data to the cloud in a way that does not create sovereignty, compliance and governance problems, they have put that risk back onto your organisation, where you now pay the additional costs.

If your MSP has a clause in its SLA that says you have to pay for time on site, or additional costs for policies and plans, then it has moved the risk back to your organisation.

Check your SLA or contract: have they moved the risk back to you?

The client's interest

An SLA should shift the onus of technical support away from your organisation and onto the expertise of the MSP.

The MSP has the skills, training and capability to make the technology your organisation uses work, so that it increases revenue and, in turn, profit for your organisation.

An MSP should take the responsibility off the client's side by having the expertise to fix problems.

They are also the trusted adviser.

In that role they should be advising on the business's requirements, improving the capability of your business to increase profits and building rapport between you and them.

This should all be done without pushing a particular vendor, supplier or system. It should all be based on YOUR requirements!

Ensuring both functionality and security in the client organisation is the reason the MSP is there.

There should be a single point of contact, by email or phone, that can be called on to resolve any issue from the user to the internet. This single point of contact should have the authority to speak on your behalf to resolve the issue and to improve your bottom line.

The MSP's interest

The MSP's role is all about visibility.

Visibility of the system, through reporting on all facets of the systems and their security.

The reporting has to be done in such a way that management decisions can be made simply and easily.

There are no vanity stats in this process. The facts are of paramount importance, and to get those facts the systems have to be implemented and managed correctly.

Visibility of the people is as important as visibility of the technology: it shows what is happening behind the scenes and indicates where education and training are required.

The MSP should also be implementing policies and procedures, ranging from disaster recovery (DR) and business continuity (BC) to audit capability and user policy.

This is not an optional extra: an MSP cannot do its job for the client if it does not understand the importance of your data, where it is located and who has access to it.

Why is this important?

Yes, an SLA with these requirements is more expensive.

If you think about it, it has to be. They are taking their role in your business seriously.

They are allowing the management team to delegate the business's technology requirements to a group of people who should have the expertise to actually do the job: to improve the efficiency and security of the organisation, and to do it with the expertise required to ensure your organisation is going in the right direction.

If you are paying for an SLA that is not doing all of this, then you need to look for an organisation that will. Look for a better way of managing your systems.

How important is cyber risk to the board?
http://business-security.com.au/how-important-is-cyber-risk-to-the-board/
Sun, 30 Sep 2018 05:47:43 +0000


In the midst of the craziness of this week I was researching not-for-profit organisations when I discovered an anomaly in their annual reports.

The first report I read had no reference to cyber security, information security, business security or data security. I thought that was a little strange, so I read another.

After downloading and reading last year's annual reports of 15 not-for-profit organisations, not one of them made any reference to what they were doing to safeguard their clients', users' and sponsors' information.

Even in the executive summary, protecting the assets was not mentioned.

One of the 15 had three pages on its IT infrastructure, but this only discussed the number of people, servers and offices managed by the organisation and how staff connected to the information they needed to do their jobs.

If there is no information about cyber in an annual report, I have some questions.

Is the boardroom accountable to the shareholders when it comes to cyber?

The buck stops with you, and if you are not taking into account the digital components of your organisation then you have a problem.

How serious is the board about protecting its staff and stakeholders?

If they are not discussing it, or are just giving it lip service, then there is going to be a time when the organisation suffers a cyber event and no one will know what to do.

Business security is all about preparedness: what will happen if this happens, and what the impact on the organisation of a cyber event will be.

Has risk management taken into account the unique risks associated with the digital world?

All of the risks in today’s business world have to be addressed.

Of all the risks that businesses face today, probably only 20% are traditional risks, and even some of those now have a cyber component. For instance, if you lose power, how are you going to mitigate the impact on the organisation at the digital level?

If risk has not been discussed how safe is the data?

A board not addressing today’s risk at management level shows a profound disrespect for the whole organisation.

A simple error, no matter what it is, can expose the organisation to financial, reputational and personal loss. That loss can be incidental or profound, but if it is not addressed it will have an impact on the organisation.

Why do they not consider the digital world a risk to the organisation?

A discussion some time ago, actually about four years ago, made the point that although everyone "knows computers", not everyone understands the fundamentals of how they work.

Taking that attitude into the boardroom, everyone knows computers, will have a detrimental effect on the business. It will have a bigger impact because technology is changing. The increased reliance on all things cloud-based, mobile and social means we have to think outside the box. We have to include all of these in our understanding of the digital world and in our risk analysis.

What has actually been done to safe guard the data under their control?

In most cases, very little.

We often see – the IT department will handle that!

That is wrong on so many levels.

Making the organisation safe at the digital level requires a different skill set, a different business requirement and a different understanding of technology from keeping the lights on and the computers running.

With all of the compliance and governance requirements in business, how have they got around doing it?

Delegation of duties, without delegating authority, is a regular occurrence.

Yes, the ICT team will look after that.

But

Without the authority to make change, there are going to be large areas within the business that no one has focused on.

Compliance and governance are not a tick-the-box process.

They are a complete overhaul of the business's attitude to protecting the data that your clients and staff trust you to protect.

Break that trust and see what happens to your organisation.

In addition, governance and compliance are the realm of the boardroom; delegating them does not mitigate the risk associated with a cyber event.

Ignoring the impact of a cyber event at board level has already caused a number of high-profile board members to resign or, even worse, be fired.

My conclusion

Somewhere we are failing.

The message is wrong, the medium is wrong or the people delivering the message are wrong.

However you slice it, getting people on boards to understand that digital is a thing, and that protecting data is a thing, is very difficult.

There is an old adage, “to get people to invest in disaster recovery burn down the building next door”.

The same applies in business security.

What gets boards to invest in digital and business security is having something happen.

Whether organisational or personal, an attack on them will bring investment in protecting the organisation.

It is no longer a case of investing in insurance, today, digital protection is not insurance, it is an investment in your brand, your reputation, your staff and y

Why we need to treat business risk properly!
http://business-security.com.au/why-we-need-to-treat-business-risk-properly/
Thu, 27 Sep 2018 03:43:09 +0000


Risk Management – Today's Balancing Act is all about Business Risk

Why is it that, until you are knee-deep in a full-blown cyber event, it is still just someone else's problem?

Or,

Until you have limited or no access to business resources, why do we still think that it is someone else's problem?

When does it become a business problem?

When does it become something that YOU, as a manager, C-level executive or board member, have to think about?

I have been asking that for years.

Risk management, and reducing the impact of residual risk, has been around for centuries. We have always looked at natural disasters as a risk to the business.

When it comes to the digital components, the ones we use to do business, the ones that have a critical impact on every organisation, the ones we use to invoice, communicate and socialise with our clients and staff, why do we fail to see the impact?

We put on blinkers, take a narrow viewpoint, and fail to see the risk that the digital world can deliver to the organisation.

We fail to see the significance of the risks that comes from our digital world.

If we do see it, it has to be an ICT problem.

We are talking about computers and data, therefore it has to be an ICT issue.

This is definitely one of the strangest attitudes in today’s world.

We can no longer treat business risk with the same attitude we have always done.

Today's business risk is a whole-of-business problem and needs a whole-of-business approach to manage it.

No matter the risk, all risk has an impact on your organisation. All risk has to be treated.

No matter the system involved.

Business risk has to be handled by one of the following treatments: mitigate (reduce) it, transfer it, accept it, or avoid it altogether.

Before you can apply a treatment to it you first need to acknowledge the risk itself.

To do that you have to think them through.

Every little thing that could and would impact the organisation and how the organisation will react needs to be processed.

This includes risks to reputation, data loss and finances, as well as the impact of ransomware.

Have you taken all of your risks into account?

When it comes to cybercrime, protecting 100 clients should be no different from protecting 1,000,000
http://business-security.com.au/when-it-comes-to-cybercrime-protecting-100-clients-should-be-no-different-from-protecting-1000000/
Sun, 22 Jul 2018 05:46:43 +0000

Image: cybercrime - putting the pieces together

The bulk of cybercrime and cyber events in the news are focused on large multinational organisations and government departments. Newsworthy events are, after all, newsworthy.

These are the organisations we hope and believe are focused on protecting the information that we unwittingly give them through our interaction.

An attack on them makes for great copy. But the overall problem with cybercrime and cyber events is not the big fish. The big fish are known to hold millions of records that should be protected from a cyber attack. Failing to protect them results in spectacular thefts and large-scale reputation failures. Newsworthy events!

The biggest problem is not the theft of 1,000,000 or more records, damaging as that is in itself; the real problem is the theft of 100 or 1,000 records.

Large organisations have the expertise, the finances and the understanding that they have to protect their clients' information in the best way possible. SMEs do not!

Large organisations have the technical skills not only to protect the information but also to forensically dissect an attack and find out what happened, how the attackers got in, where they went and what they had access to. SMEs do not!

Large organisations have the ability to test their environments through penetration tests and vulnerability scanning, as well as the understanding that education is really important when it comes to a cyber event. SMEs do not!

How many SMEs have gone out of business after a cyber event is unknown. Some statistics are available, but few of them look at whether it was poor management and cash flow or a cyber event that damaged the business to the point where it was unrecoverable.

Did it put them out of business?

One of the things I discovered a couple of years ago is the way the cyber criminal works.

There are three types of cyber criminal: 5% are hackers (criminal groups or nation states), 10% are hacktivists (nation states and concerned citizens?) and about 85% are what we call script kiddies.

The script kiddies are the 12- to 30-year-olds who are interested in how things work, what they can do and how much damage they can do. What I like to call the ego warriors.

There is a strong connection between the script kiddies and the true hackers, one that is not widely known but every now and then becomes visible.

The internet is a great resource. It is a great resource for us, but it is an even greater resource for the budding cyber criminal. The internet can put the budding script kiddie in contact with the true hacker. That contact can be very problematic for SMEs.

For example: say I am a hacker, and I develop an automated system for checking internet-connected devices for vulnerabilities. I do not want to run that system myself, or be seen running it, so I ask a couple of thousand script kiddies to do it for me.

I now have an army of automated scanners, run by my ego warriors, testing the internet, the whole internet, for those vulnerabilities. My automated system feeds the ego warriors information about vulnerable systems (SMEs) and puts it into a file that they can use to attack those systems.

There are even legitimate cyber protection businesses using this strategy.

But the results are also sent back to me every time the automated system runs. I can now pick and choose an attack vector as well as my targets.

For instance, there are ongoing vulnerabilities in Microsoft Remote Desktop Protocol (RDP), a system used a lot by SMEs. A large multinational will put RDP behind virtual private network (VPN) access; an SME will not. It exposes the RDP port (TCP 3389) directly to the internet to make life easier, not realising that it is susceptible to attack.
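To make the RDP point concrete, here is an added example (not the author's code) of the check an MSP or a business owner can run against an edge firewall's inbound rules: it evaluates the rule set first-match, the way most firewall ACLs do, against a probe address that stands in for an arbitrary internet host, and flags any remote-administration port an outsider can reach. The rule set, rule names, probe address and port list are constructed for the example.

```python
import ipaddress

# Constructed sample of an SME edge firewall's inbound rule set. The rule
# names and addresses are assumptions for this example; first match wins,
# as on most firewall ACLs.
RULES = [
    {"name": "allow-openvpn",      "action": "allow", "proto": "udp", "src": "0.0.0.0/0",  "port": 1194},
    {"name": "allow-rdp-from-lan", "action": "allow", "proto": "tcp", "src": "10.0.0.0/8", "port": 3389},
    {"name": "allow-rdp-any",      "action": "allow", "proto": "tcp", "src": "0.0.0.0/0",  "port": 3389},
    {"name": "allow-https",        "action": "allow", "proto": "tcp", "src": "0.0.0.0/0",  "port": 443},
    {"name": "default-deny",       "action": "deny",  "proto": "any", "src": "0.0.0.0/0",  "port": "any"},
]

# The corrected rule set: RDP is only reachable from the LAN (i.e. after the
# user has come in through the VPN), so the wide-open rule is simply gone.
HARDENED_RULES = [r for r in RULES if r["name"] != "allow-rdp-any"]

# Remote-administration ports that should never be reachable from the internet.
ADMIN_PORTS = {3389: "RDP", 22: "SSH", 445: "SMB", 5985: "WinRM"}

# TEST-NET-2 (RFC 5737) stands in for "an arbitrary host on the internet".
PROBE_IP = "198.51.100.7"


def _matches(rule, proto, port, src_ip):
    """True if a packet (proto, destination port, source ip) hits this rule."""
    if rule["proto"] not in ("any", proto):
        return False
    if rule["port"] not in ("any", port):
        return False
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule["src"], strict=False)


def first_match(rules, proto, port, src_ip):
    """Return the first rule that matches, or None if no rule matches at all."""
    for rule in rules:
        if _matches(rule, proto, port, src_ip):
            return rule
    return None


def exposed_admin_ports(rules, probe_ip=PROBE_IP, ports=ADMIN_PORTS):
    """List (port, service, rule name) for every admin port the probe host can reach."""
    findings = []
    for port, service in sorted(ports.items()):
        rule = first_match(rules, "tcp", port, probe_ip)
        if rule is not None and rule["action"] == "allow":
            findings.append((port, service, rule["name"]))
    return findings


if __name__ == "__main__":
    for label, ruleset in (("as found", RULES), ("hardened", HARDENED_RULES)):
        print(label, exposed_admin_ports(ruleset) or "no admin ports exposed")
```

In the "as found" rule set the LAN-only RDP rule is followed by a wide-open one, so an internet host still reaches TCP 3389; removing that rule, which is what putting RDP behind the VPN amounts to, leaves nothing exposed, while a LAN source still gets in through the earlier rule. Feed the evaluator rules exported from the real firewall rather than the constructed list.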

What are my targets? After a little research: SMEs with access to trust funds, intellectual property or large amounts of cash, or the new one, critical infrastructure.

These targets have less business intelligence, lack complex systems, lack digital expertise, but more importantly have a blasé attitude to security.

You know the attitude well – it will not happen to me, we have nothing worth stealing or she’ll be right.

Will an SME survive having its trust fund drained – probably not!

Will an SME survive having all of its research and development stolen – probably not!

Will an SME survive the reputation hit of having its customer database stolen – probably not!

Will an SME survive the compromise of its website / eCommerce site – maybe but probably not!

Will an SME survive a cryptovirus attack – again maybe, but probably not!

Protecting our digital assets is no longer a multinational organisation's problem; it is everyone's problem. Everyone with a digital device has the problem and has to be part of the solution.

The solution is a change of attitude. Changing our attitude to:

  • it will happen to us, so we had better do something to protect ourselves,
  • we have something of value worth stealing, so we had better protect it as well as possible, and
  • there is no such thing as "she'll be right", because when it comes to a cyber event, it will happen.

Passwords – it's not about you
http://business-security.com.au/passwords-its-not-about-you/
Mon, 18 Jun 2018 23:22:37 +0000

Image: password best practice

Everywhere you go in the digital world you need some sort of password. We forget that the password to access a website is what personally protects your information on that website. The conundrum is that passwords are hard for humans to remember but very easy for computers to break. I have a system that changes that dynamic.

Although two-factor authentication and biometrics are having a significant impact on the way we secure our digital assets (phones, tablets, bank accounts, laptops), there are still millions of websites that do not offer that level of security.

We have to make passwords hard for the computers to break.

“One of the hardest things that I have to teach my Australian Defence Force Academy students is that passwords are still the lifeblood of our access to the digital world. We often forget that we have to make them hard so that hackers cannot break them easily, but they also have to be easy to remember.” – Roger Smith

All passwords have to have the following features:

  • Unique – every website or digital account has to have a separate and different password. There is a very good reason for this!
  • Complex – every password must have a combination of letters, numbers and symbols (a-z, A-Z, 0-9 and punctuation)
  • More than a specific length – all of your passwords have to be longer than 10 characters. It used to be 8, but the increase in computing power over the last 3 years has changed the requirement to 10.
  • Easy to remember – we as humans need to be able to remember them without resorting to writing them down.
  • Passwords cannot have –
    • Sequences – 1234, abcd, qwerty
    • Places and locations – towns and cities, high school
    • Single dictionary words – any English language word
    • Leetspeak (hacker speak) – substituting 3 for e, 1 for i, or similar
    • Significant dates – graduation day, kids' birthdays

The five points above create a quandary. They make it very difficult for us to create complex, unique passwords that are easy to remember.

There are two ways to tackle this problem: a password manager, or a system that creates passwords that meet all of the right criteria. I have a system that will allow users to create complex and unique passwords that are easy to remember and hard for a computer to break!
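The rules above can be checked mechanically. The following is an added example, not the author's system: a Python checker that applies each rule in the list (length over 10, all four character classes, no sequences or keyboard walks, no single dictionary word or place name even once leetspeak substitutions are undone, no year or date) plus a reuse check for the "unique" rule across a set of accounts. The word lists, the leetspeak map, the date patterns and the sample passwords are constructed for the example; a real deployment would load full dictionaries and gazetteers.

```python
import hashlib
import re
import string

MIN_LENGTH = 11  # "longer than 10 characters"

# Constructed word lists for the example. A real checker would load a full
# dictionary, a gazetteer of place names and the organisation's own words.
DICTIONARY = {"password", "welcome", "summer", "dragon", "monkey", "sunshine", "football", "security"}
PLACES = {"sydney", "melbourne", "canberra", "brisbane", "perth", "adelaide", "london"}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")

# Undo the common leetspeak substitutions before looking a word up.
LEET = str.maketrans({"3": "e", "1": "i", "0": "o", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})

# Years 1950-2029 and d/m/y style dates: the usual "significant date" padding.
YEAR_RE = re.compile(r"(?<!\d)(?:19[5-9]\d|20[0-2]\d)(?!\d)")
DATE_RE = re.compile(r"\b\d{1,2}[/.-]\d{1,2}[/.-]\d{2,4}\b")


def _has_sequence(pw, run=4):
    """Ascending/descending runs (1234, abcd, dcba) or keyboard walks (qwer, asdf)."""
    low = pw.lower()
    for i in range(len(low) - run + 1):
        window = low[i:i + run]
        steps = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if steps in ({1}, {-1}):
            return True
        if any(window in row or window in row[::-1] for row in KEYBOARD_ROWS):
            return True
    return False


def _core_word(pw):
    """Strip leading/trailing digits and symbols, undo leetspeak, keep the letters."""
    trimmed = re.sub(r"^[^a-z]+|[^a-z]+$", "", pw.lower())
    return re.sub(r"[^a-z]", "", trimmed.translate(LEET))


def check_password(pw):
    """Return the list of rules the password breaks; an empty list means it passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"too short: {len(pw)} characters, must be longer than 10")
    classes = {
        "lower": any(c.islower() for c in pw),
        "upper": any(c.isupper() for c in pw),
        "digit": any(c.isdigit() for c in pw),
        "symbol": any(c in string.punctuation for c in pw),
    }
    missing = [name for name, present in classes.items() if not present]
    if missing:
        problems.append("missing character classes: " + ", ".join(missing))
    if _has_sequence(pw):
        problems.append("contains a sequence such as 1234, abcd or qwerty")
    core = _core_word(pw)
    if core in DICTIONARY:
        problems.append(f"is a single dictionary word ({core!r}) once leetspeak and padding are removed")
    elif core in PLACES:
        problems.append(f"is a place name ({core!r}) once leetspeak and padding are removed")
    if YEAR_RE.search(pw) or DATE_RE.search(pw):
        problems.append("contains a year or date")
    return problems


def reused_passwords(vault):
    """Given {account: password}, return groups of accounts that share a password.

    Grouping is done on a SHA-256 digest so the comparison never handles the
    plaintext again once it has been read in."""
    groups = {}
    for account, pw in vault.items():
        key = hashlib.sha256(pw.encode()).hexdigest()
        groups.setdefault(key, []).append(account)
    return sorted(sorted(accounts) for accounts in groups.values() if len(accounts) > 1)


if __name__ == "__main__":
    # Constructed sample passwords, not real credentials.
    for sample in ("Summer", "P@ssw0rd2019", "Canberra1234!", "Horse!Staple9Battery"):
        print(sample, "->", check_password(sample) or "OK")
    print(reused_passwords({"bank": "Horse!Staple9Battery", "email": "Horse!Staple9Battery", "forum": "Tr0ub4dor&3x"}))
```

The trim-then-unleet step is what catches the classic "P@ssw0rd2019" shape that a naive "contains letters, digits and symbols" check waves through; the reuse check is the part a password manager does for you automatically.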

 

Roger Smith is funny, scary, on point and focused on one thing – increasing everyone's awareness and understanding of the problems and issues associated with the digital world.

He is the winner of the worldwide 2018 Cybersecurity Educator of the Year award and was runner-up in 2017.

He is a highly respected expert in the fields of cybercrime and business security and is a lecturer at ADFA (UNSW – Australian Centre for Cyber Security) on cybercrime, cybersecurity and the hacking techniques used by the digital criminal.

He is an Amazon #1 best-selling author on cybercrime, with his book, Cybercrime: A Clear and Present Danger, going to number one on Amazon.

He is the primary presenter for the Business Security Intensive (BSI) and author of the Digital Security Toolbox, which is given away free at the BSI. He is a speaker, author, teacher and educator on cybercrime and an expert on how to protect yourself, your staff, your clients and your intellectual property from the digital world.

Too big to fail, what about too small to matter?
http://business-security.com.au/too-big-to-fail-what-about-too-small-to-matter/
Tue, 29 May 2018 01:16:57 +0000

The 2008 GFC showed us that when there is a crash, there are certain organisations which are, supposedly, too big to fail.

Whether or not those organisations understood it at the time, it was touted that their failure would create an economic wasteland the like of which the world had never seen in the whole of human history.

In 2008 this message was delivered to the world by governments, in spades.

All well and good. The world survived, but the actual business landscape has changed significantly since it happened.

Changed in some areas and not at all in others.

Too big to fail is still touted by governments and industry leaders but there has been a significant change in the working man’s thoughts.

Small and medium business have come to the fore!

The digital systems built and run by multinational organisations have made SMEs competitive.

Platforms that allow SMEs to compete on a level playing field are everywhere.

Cloud-based systems, social media targeting and the fact that all of our prospects are mobile put everyone in the same game.

The SME's agility, adaptability and responsiveness, combined with these platforms, make them contenders and champions in the new economic arena.

But with this new-found capability comes a lack of understanding of the digital platforms they are using. An inability to see the dangers, because they are so agile.

So focused on keeping ahead that they do not see other possibilities.

What happens when it goes to custard?

The statistics on SMEs failing are not easy to come by.

When they fail there is little fanfare.

Very few ramifications. The flow-on effect is minimal!

The owners usually declare bankruptcy because they have funnelled everything into the business. A couple of people are out of a job.

When it comes to SMEs, pride has kept them afloat.

The fact that in some cases they have had to beg, borrow and steal to keep the business viable, afloat and thriving in the changing economic environment is indicative of most SMEs, who will do anything and everything to survive.

When the failure is out of the owners hands, that is a different issue.

A natural disaster is one way this can happen, another is a cyber event.

A cyber event can happen at any time, any place and to anyone.

The perfect storm.

The perfect storm created by our reliance on cyber. Created by our attitude. You know the ones: we are too small, we have nothing worth stealing and she'll be right.

When it happens to an SME there is no "do over", no "too small to fail". They are just "out of business".

SMEs still have the flexibility and adaptability to stay in business, but they now need to create resilience. To be stronger, recoverable and less brittle.

To do that they need to act, in kind, the same way larger organisations act. They need to have the right policies, processes and procedures in place.

Have the right framework around them to ensure that they are more flexible and better protected than their competition.

A cyber event can range from a slight inconvenience to a profound impact, but whatever the event, you have to have some way back from the brink.

Business continuity, disaster recovery and business resilience are all components of today’s agile business.

Without them, you are not agile, not resilient.

You are definitely too small to matter!

Doing X things to protect your organisation is not the best cybersecurity strategy.
http://business-security.com.au/doing-x-things-to-protect-your-organisation-is-not-the-best-cybersecurity-strategy/
Sun, 06 May 2018 04:59:44 +0000

It is no longer a case of do these ‘X’ number of things and your business, organisation or self will be secure from a cyber event.

We have all seen, read or been told that you need to do this or don’t do that (I even wrote an article recently on just that) to fix your cybersecurity.

This attitude is wrong.

All it does is focus you on the 'X' number of things that are considered important; it does not fix the overall problem of digital protection, cybersecurity and protecting the organisation's data against a cyber event.

Today’s threat market is all about two things:

Risk management

Managing the risk to your organisation is totally dependent on the organisation. Get it wrong, though, and the organisation is open to litigation, compliance and reputation challenges.

It means defining the risk and then mitigating, reducing or ignoring the risk depending on your organisation’s risk posture.

That risk posture has to have a basis in fact. Every organisation is different, therefore every organisation’s risk posture will be different.

“She’ll be right”, “it will never happen to us” and “we have nothing worth stealing” are stupid risk postures and should be avoided at all costs.

Let’s take patching: you cannot implement a patching process if you have not looked at the associated risk of applying, delaying or ignoring a patch to software or operating systems.

Some patches are critical: the risk of leaving the vulnerability open outweighs the disruption of applying them. These need to be applied immediately.

Other patches mitigate some risks to a system and can be applied as part of the patch process. We recommend within 15 days.

There are also patches that would have minimal impact on a system: if the system was not patched and was compromised, the attacker would not get access to critical data. These can be applied based on the organisation’s risk posture.

Looking at the overall risk to an organisation will drive the security around that organisation, and the underlying risk associated with a breach can be discussed as part of the overall business risk assessment.

Using frameworks

When used correctly, a framework increases the awareness and security around an organisation.

We use NIST, but any framework will do.

A framework allows an organisation to take the blinkers off and focus on the organisation as a whole.

It is a holistic approach to protecting the organisation from a cyber event because it looks at a number of related but often overlooked, important features of digital and cyber protection.

Each of the components of the framework allows the organisation to implement change in a managed and focused way.

It allows an organisation to improve security, with each change benefiting the organisation.

It is a process, not a knee jerk reaction to the next threat.

Business security is not about implementing a decent firewall, installing end point protection and sitting back because you think you are safe.

Business security is about education, policies and procedures, business continuity, visibility and viability.

This solution cannot be achieved through reaction; it needs to be a proactive process embraced by all members of the organisation.

The post Doing X things to protect your organisation is not the best cybersecurity strategy. appeared first on Business Security - an R & I ICT Consulting Website.

Cybersecurity and the conference and event industry
http://business-security.com.au/cybersecurity-and-the-conference-industry/
Sun, 15 Apr 2018 04:51:50 +0000
I have never thought about having to apply cybersecurity requirements to an environment like a trade show, concert environment or conference / seminar where lots of people come together for a short period of time and you have minimal control over their activities.

Thinking more about it, a venue with a high number of transient clientele, like a trade show, would be a lucrative target for a cyber criminal.

Applying some of the basic principles that make an environment secure, here are some ideas.

I am going to talk about things that I have seen and heard of in the last 2 years.

Some will seem far fetched!

An additional problem is the fact that your attendees will NOT have cyber hygiene as a priority.

Unpatched and outdated systems will be the norm.

This will make compliance with the new GDPR rules a large part of your organisation’s focus.

YOU have to protect your attendees from themselves!

Cybersecurity and protecting your environment is now business critical.

Free WiFi.

You have to offer free WiFi in today’s world.

To secure WiFi you have to know what the capabilities are for creating a cyber issue.

The targets are threefold:

  • access to and theft of unencrypted information,
  • a man in the middle attack and
  • a duplicate WiFi access point.

If you are thinking of running free WiFi with no encryption, don’t! All traffic over an unencrypted free WiFi can be captured as plain text and used.

If you are thinking of having a free WiFi system that people use by going to a website and “signing up / signing in”, don’t! It is not hard for a dedicated cyber criminal to replicate the sign-in page and make it look and feel like the original. By doing this the cyber criminal can capture the login process and, in the process, download malware to the device.

If you are thinking of having a single passphrase for all users, don’t! Once again, I can replicate your system and deliver internet to the clients, but through my system. There are a number of WiFi systems that use enterprise level support for WPA2. You can use these systems to personalise and manage all of your staff and visitors.

One of the hardest systems to counter is the man in the middle attack using a Raspberry Pi “pumpkin” or a “WiFi pineapple”. Either of these systems can be purchased and configured for under $200 and can cause monumental issues for any delivery of free WiFi.

They create issues by inserting themselves between the user and the internet, so that traffic which should go straight to the network passes through the attacker’s device instead.

The username and passwords (both randomly generated) can be delivered to the users with their badges.   This will allow for single sign on per account that is a managed and monitored connection.

Opportunities for marketing: put individual usernames and passwords on the trade show passes.

“Drive by” attacks of Near Field Communication (NFC).

This is stealing information from Fitbits, credit cards, smart devices, passports or driver’s licences using a scanner for chip-and-PIN technologies.

NFC is designed to allow people to pay for items using their credit card: wave the card over a reader and it deducts money from your bank account.

Normal readers have a range of approximately 2 centimetres, but criminals can buy or make scanners that increase the range to 2 metres.

Opportunity for marketing: branded thin aluminium RFID protective credit card sleeves as part of the sign up process.

Rapid response

With regard to all of the attacks that can happen over a WiFi network, you need to be able to shut it down in a minimal amount of time to reduce the risk to your organisation as well as to your attendees.

Your WiFi system will need to have alerts and be monitored to allow your organisation to protect them.

Disruption.

In today’s world anything can cause a disruption to an event, and although most are thought of, here are a couple more.

Print off a copy of all attendees and have it located at all entrances; even a basic power failure at the wrong time can be catastrophic.

Disaster recovery / business continuity

For any business in today’s business world, a failure of ICT can have a significant impact on the organisation.

A risk analysis of everything that could go wrong and will have an impact on the organisation needs to be put into perspective.

Each risk has to be mitigated, ignored, transferred or eliminated.

The organisation would also need the required functionality to allow it to manage the number of people who will be attending.

The Basics

In addition to the expectations the attendees have, there are certain expectations of the organisation that have to be addressed.

These include the fundamentals:
  • passwords
  • patching
  • encryption
  • backups
  • end point protection

As you can see from above it is not just about protecting the actual event itself.

It is a slow build up to protect everything and everyone that comes in contact with your organisation. In today’s litigious and compliance-driven world we have to be very aware of the impact of a single event.

Do it correctly and you can use the security of the event as a selling point: a marketing leverage point that puts your events well above anyone else’s.

The post Cybersecurity and the conference and event industry appeared first on Business Security - an R & I ICT Consulting Website.

What can be protected without a cybersecurity professional.
http://business-security.com.au/what-can-be-protected-without-a-cybersecurity-professional/
Mon, 26 Mar 2018 05:48:45 +0000
What Protection can be achieved without a Cybersecurity professional?

That is a loaded question, because most professional cybersecurity experts believe that nothing can be done to protect an organisation without said expert.

There are a number of things that can be done to make your business environment secure, but all have to be driven by management with the vision to protect their organisation.

If management, C-level execs, board members and owners believe that business security is important, vital in fact, then it will be picked up by everyone else in the organisation.

The introduction of cloud computing and everything stored in the cloud has exposed more and more data. This data is targeted by the bad guys.

Here are 6 tactics that can be implemented by any organisation without the need for a security expert

Patch it

The constant barrage of patches and updates that come from Microsoft, Apple and Android is exceedingly annoying.

In fact they can have an impact on business.

The reason they are produced is to protect the operating system.

Patches are developed because someone, somewhere has found a way to compromise a piece of software, the manufacturer has found out about it and the software has been rewritten or changed to stop it from happening.

These changes are called patches and are BENEFICIAL to you. Every organisation needs to have a process to implement those updates.

Complex Password

Passwords have three requirements.

They have to be complex: any character on the keyboard should be, and can be, in a password. Letters, numbers and symbols all mixed together create a complex password.

But it does not stop there. They also have to be unique, different for every digital location, and they have to be longer than 10 characters.

We used to specify 8, but changes to technology and the speeding up of processing power have reduced the time needed to crack an 8 character password.
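The three requirements above, as an added check that is not the article’s own code. The “previously used” list is an assumption about how uniqueness would be enforced on a system that keeps password hashes rather than passwords; the sample passwords in it are constructed for the example.

```python
"""Password policy check: complex, longer than 10 characters, and not reused.

Added example, not the article's code. The reuse list is an assumption:
it models a system that stores hashes of passwords already in use so that
a new password can be rejected without keeping any plaintext.
"""
import hashlib
import string

MIN_LENGTH = 11  # the article's rule: longer than 10 characters


def _sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


# Constructed sample history of hashes. A real system would use a salted, slow
# password hash (bcrypt, scrypt, argon2); SHA-256 keeps this example dependency-free.
PREVIOUSLY_USED = {_sha256_hex(p) for p in ("Summer2018!", "P@ssw0rd123")}


def check_password(candidate: str, history=PREVIOUSLY_USED) -> list:
    """Return the list of policy failures; an empty list means the password passes."""
    failures = []

    # Rule 1: length. Shorter passwords fall to faster brute force, which is why
    # the article moved from 8 to more than 10 characters.
    if len(candidate) < MIN_LENGTH:
        failures.append("too short: must be longer than 10 characters")

    # Rule 2: complexity. Letters, numbers and symbols all have to be present.
    has_letter = any(c in string.ascii_letters for c in candidate)
    has_digit = any(c in string.digits for c in candidate)
    has_symbol = any(c in string.punctuation for c in candidate)
    if not (has_letter and has_digit and has_symbol):
        failures.append("not complex: mix letters, numbers and symbols")

    # Rule 3: uniqueness. Compare a hash, never the password itself.
    if _sha256_hex(candidate) in history:
        failures.append("not unique: already used elsewhere")

    return failures


if __name__ == "__main__":
    for pw in ("abc", "correcthorse", "Summer2018!", "Tr0ub4dor&3"):
        print(repr(pw), check_password(pw) or "OK")
```

The function returns every failure rather than stopping at the first so a user can be told everything that needs fixing in one go.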

2 factor authentication

Any additional protection to data is a good idea.

Two factor authentication relies on three things instead of two to access the information.

It is additional to username and password and is only triggered if the combination of the first two is correct.

In today’s world we all have a mobile phone, and this is used for the two factor authentication process.

User name, password and a code delivered to your phone means you are verifying who you are.
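The username, password and phone-code sequence described above, as an added example that is not part of the original post. It assumes the code on the phone is a time-based one-time code in the style of RFC 6238 (the scheme authenticator apps use), which the article does not specify; the shared secret and the stored password verifier are constructed for the example.

```python
"""Second-factor check: username/password first, then a time-based one-time code.

Added example, not the article's code. Assumes RFC 6238 TOTP: the server and
the phone share a secret and each derives a 6-digit code from the current
30-second time step, so the server can verify what the phone shows.
"""
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30
DIGITS = 6


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238: HMAC-SHA1 over the time counter, dynamic truncation, modulo 10^digits."""
    counter = int(unix_time) // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_second_factor(secret: bytes, submitted: str, now: int = None, window: int = 1) -> bool:
    """Accept the code for the current step and +/- `window` steps to tolerate clock drift.
    Constant-time comparison so response timing does not leak which digits matched."""
    now = int(time.time()) if now is None else int(now)
    for drift in range(-window, window + 1):
        expected = totp(secret, now + drift * STEP_SECONDS)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


def login(password: str, stored_verifier: str, code: str, secret: bytes, now: int = None) -> bool:
    """The article's order: the code is only checked once username/password is correct.
    `stored_verifier` stands in for a real password-hash verify (constructed here)."""
    if not hmac.compare_digest(password, stored_verifier):
        return False
    return verify_second_factor(secret, code, now)


if __name__ == "__main__":
    # Constructed secret; a real one is generated per user at enrolment.
    secret = b"constructed-example-secret"
    print("code right now:", totp(secret, int(time.time())))
```

A one-step window on each side is the usual compromise between tolerating a phone whose clock is a little off and keeping the number of acceptable codes small. Codes should additionally be single-use: once a code has been accepted, reject it again within the same step.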

Separate and segregate data.

I can think of three areas in any organisation where information needs to be separated.

Email, financial data and trade secrets have separate requirements within an organisation.

You do not need to have everyone access financial data.

In the old days it was called compartmentalisation: need to know. Today it is still very relevant.

Train and educate everyone

There are many free or inexpensive training and education programs available to suit any organisation.

Training needs to be focused on the individual.

Everyone needs to understand why the organisation is protecting the data, why certain things are done in a certain way, but most importantly why the organisation is trying to protect their staff, clients and finances from the bad guys.

Back it up.

You never know when you are going to experience a cyber event.

You have to know what information needs to be protected, how often it is accessed and what will happen to the organisation if that information is compromised or lost.

This should be part of your business risk management plan. (You do have one of those?)

The other part of backing it up is to test it.
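One way to test a backup rather than just take it, as an added example that is not the article’s own code. The directory contents, file names and archive path are constructed; the point is that a restore into a clean location is compared file by file against checksums recorded at backup time, so a backup that cannot actually be restored is found before it is needed.

```python
"""Backup, restore and verify drill. Added example, not the article's code.

Backs up a constructed sample directory to a tar.gz, records a SHA-256 of
every file, restores the archive into a fresh directory and reports any file
that is missing, unexpected or different from the original.
"""
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest(root: Path) -> dict:
    """Relative path -> SHA-256 for every file under root."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def manifest_diff(expected: dict, actual: dict) -> list:
    """Paths that are missing from the restore, extra in it, or changed."""
    missing = set(expected) - set(actual)
    extra = set(actual) - set(expected)
    changed = {p for p in expected if p in actual and actual[p] != expected[p]}
    return sorted(missing | extra | changed)


def backup(source: Path, archive: Path) -> dict:
    """Write the archive and return the manifest to keep alongside it."""
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=".")
    return manifest(source)


def restore_and_verify(archive: Path, expected: dict, target: Path) -> list:
    """Restore into target and return the discrepancy list; empty means restorable."""
    # Use the 'data' extraction filter where this Python offers it, so an archive
    # cannot write outside the target directory.
    kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tarfile.open(archive, "r:gz") as tar:
        tar.extractall(target, **kwargs)
    return manifest_diff(expected, manifest(target))


def run_backup_drill() -> tuple:
    """Build constructed sample data, back it up, restore and verify, then damage one
    restored file to show the verify step catches silent corruption."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        source = tmp / "data"
        (source / "financials").mkdir(parents=True)
        (source / "financials" / "ledger.csv").write_text("date,amount\n2018-03-01,1200\n")
        (source / "notes.txt").write_text("constructed sample content\n")

        archive = tmp / "backup.tar.gz"
        expected = backup(source, archive)

        restored = tmp / "restore"
        restored.mkdir()
        clean = restore_and_verify(archive, expected, restored)

        # Simulate a truncated file in the restore and re-check the manifest.
        (restored / "financials" / "ledger.csv").write_text("date,amount\n")
        damaged = manifest_diff(expected, manifest(restored))
        return clean, damaged


if __name__ == "__main__":
    ok, broken = run_backup_drill()
    print("clean restore problems:", ok)
    print("problems after corruption:", broken)
```

Keep the manifest with the backup but on different media from the archive itself, and run the drill on a schedule; a backup that has never been restored is an untested assumption.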

All of these can be done without the aid of a professional cybersecurity expert.

There is one additional tactic.

Remain vigilant.

The bad guys are everywhere.

They target you, not because you have something worth stealing, but because you are connected to the digital world and you think that is a good idea.

The days of the gentleman cyber criminal are well and truly gone.

Everyone is out for themselves and even a basic hack, malware attack or cryptovirus can shut down your organisation.

Cybersecurity is your responsibility!

Roger Smith is funny, scary, on point and is focused on one thing – increasing everyone’s awareness and understanding of the problems and issues associated with the digital world.

He is the winner of the worldwide 2018 Cybersecurity Educator of the Year award and was runner-up in 2017.

He is a highly respected expert in the fields of cybercrime and business security and is a Lecturer at ADFA (UNSW – Australian Centre of Cybersecurity) on Cybercrime, Cybersecurity and the hacking techniques used by the digital criminal.

He is an Amazon #1 selling author on Cybercrime with his best selling book, Cybercrime a clear and present danger, going to number one on Amazon.

He is the primary presenter for the Business Security Intensive (BSI) and author of the Digital Security Toolbox which is given away for free at the BSI.   He is a speaker, author, teacher and educator on Cybercrime and an expert on how to protect yourself, your staff, your clients and your intellectual property from the digital world.

The post What can be protected without a cybersecurity professional. appeared first on Business Security - an R & I ICT Consulting Website.

Cybersecurity – we still do not have the correct focus!
http://business-security.com.au/cybersecurity-still-not-correct-focus/
Tue, 06 Mar 2018 00:43:15 +0000

With the expected $660 billion loss to cybercrime this year, we definitely have to change our understanding, our focus and most importantly our attitude when it comes to business security and cybersecurity.

We have to stop with the simplistic crap – I have been guilty of this myself but we have to stop.

Cybersecurity is not only about AV, firewall and patching.

Doing one is good, but the attitude that doing all of them makes you bulletproof is definitely stupid thinking in today’s business world. The number of SMEs that adhere to that thinking is phenomenal.

Cybersecurity is about knowing your data, the location of your data and more importantly protecting it from people who should not have access to it.

It is about risk management and understanding that all risks associated with your data have been mitigated, deferred or transferred.

There is a whole ecosystem of things that have to be done, as fast as possible, to reduce the risk of a cyber event, but simplistic thinking keeps getting in the way.

Attitudes like too small, nothing to steal and she’ll be right abound, and really do show that most people have a basic disdain for protecting their organisations.

Until this attitude changes, the basics are the only things that will be applied.

Introduction of the NIST framework (or any framework), implementation of SOC and SIEM environments, an acceptance of and adherence to policies, processes and procedures, and a basic understanding of what the bad guys are capable of are absolutely paramount for any organisation going forward.

But, we still rely on just or only the basics.

Without a change we will keep going through the same solutions expecting a different outcome. Definitely stupid thinking.

We forget the capabilities of today’s cyber criminal.

  • They are well educated in ones and zeros, in other words – the digital world.
  • They know how to bend and break the rules that society relies on to be a society.
  • They know how to bend technology to do things that even the designers never thought of.
  • They have a vast range of motivations to do wrong, and
  • They do not give a stuff about you. To them you, your family and your business are cannon fodder.

Applying this knowledge to your business environment makes you realise that sitting ducks abound and improving your status is paramount.

To change, you need help in changing.

Changing the attitude, getting and listening to advice but more importantly actioning what needs to be done is the only way forward.

There is still one fundamental issue, in most cases, you do not know what you do not know.

Getting advice from experts is important.

You can no longer rely on the jack of all trades, someone who knows computers or thinks they know the digital world.

You need an expert!

You need an expert to stop a cyber event from compromising your organisation.

You have to find the time, the expertise and the financial motivation to make change, but you need an expert to put you on the right path.

If you cannot find it internally then you have to go outside your organisation.


The post Cybersecurity – we still do not have the correct focus! appeared first on Business Security - an R & I ICT Consulting Website.
