Ben Love [00:00:04]:
All right, good morning, everybody. Welcome to today’s webinar. My name is Ben Love. I’m the managing director at grassroots it. And this morning, we’re going to be having a little fireside chat about the top five cybersecurity practices for your business it. That’s me. Taken in a much younger day, apparently. All right, so what is cybersecurity? Apart from being an absolutely burning hot topic at the moment? Cybersecurity is the practice of ensuring that your systems are protected from malicious actors, whether that malicious actor becoming directly at you in a very targeted sense, or whether that malicious actor becoming at you in a more generic sense, such as a generic virus, which may not necessarily be targeting you specifically. So cybersecurity, in days gone by, has very much been the domain of the IT department. It’s been something that the IT department has, in some cases, given a passing nod to, in other cases, taken a little bit more seriously. It’s also been an area that traditionally the business, all the way up to the board level, has maybe acknowledged is important, but has actually found a little bit frustrating because it costs money and because it doesn’t necessarily deliver any immediate return or immediate, obvious return. And also because in practice, there can be a little bit of a continuum with convenience and ease of use at one end and security at the other. So if you were to put yourself in a hyper secure environment, such as within a military installation, a defense contract, or somewhere like that, your day to day job would be extremely secure, but it would not be super convenient to access systems and go through processes because there would be more security related hoops for you to jump through. So it’s a bit of a continuum there. And really, the secret for us, as business owners, as IT managers, as CIOs, is to really think about where on that continuum, on that spectrum we want to position our organizations. We need to make an informed decision at a business level about what the very real risks around cyber attack is and decide where we want to slide that little slider across there. So today, what we’re going to do is we are not going to have a theoretical, hypothetical discussion about cybersecurity. We are really just going to cut straight down to the five best practices that we see in the industry that can help you to improve on your cybersecurity stance, your cybersecurity positioning to protect your organization. These are very real things. These are all actionable by you today, if you so wish. And we will leave you with things to investigate and explore and questions to ask to better understand where your organization currently sits with these five key points. Now, there is a PDF that you will have been given access to, which is just a little bit of a notepad, a cheat sheet reminder for you just to take some notes around these top five areas. So let’s get into it. Number one, multi factor authentication, or MFA. MFA at the moment, is the single most effective method of protecting your organization from attack. I cannot say that often enough. It is extremely effective against most of the, against the more popular methods and attacks and breaches that we’re seeing at the moment. It is extremely cheap, if not free to turn it on, and it is really becoming available pretty much everywhere. So multifactor authentication is that second layer of security to help you protect your user accounts when you or any of your users log on to their account. Most of us will be very familiar with this from using Internet banking, for example, where you need to log on to your Internet banking with a username and a password. So that’s something you know. But then there is the second factor, or the multifactor, which is something you have. And that is, in a lot of cases, that’s a physical dongle thing that you have on your keyring with a little code that constantly changes and you need to type in that code. That is the multifactor step instead of a key ring based dongle. A lot of the applications and platforms are now moving to an app on your smartphone, but the theory is exactly the same. You have something, you know, which is your username and password, and then there is something that you have, which is this unique changing code. So the thing about multifactor authentication too, is that really is available on most of the systems that we’re working with these days. So everything from your Internet banking to your Microsoft, three, six, five accounts, xero, cloud, accounting, confluence, social media, you name it, it really is available on pretty much all of these systems. However, in the majority of cases, it is still not turned on by default. Internet banking for business accounts, I think, is enforced by default. A lot of zero stuff is now enforced by default, but a lot of the other stuff still isn’t, and it is really easy to turn on. So my homework for you around this particular point here is to do a quick audit of your organization. So write down a list of all of the applications or services or platforms that your business uses. So, Internet banking, Microsoft Office 3650, you get the idea. And then have a look at those applications and see if they do support multifactor authentication. In most cases, the answer is going to be yes. Once you’ve done that, go and have a look at all of your user accounts within that platform and check to see if multifactor authentication is actually turned on. This is the important bit. Okay? Now, some organizations do like to start this process by enabling MFA on what they see as the higher risk user accounts. I would encourage you to work towards turning it on, on all of your users, because the malicious actors really only need that weakest link to be able to get into your organization. They are very sophisticated in the way they are thinking these days, and oftentimes they will not need direct access to the CFO’s user accounts because they have access to a more junior staff member’s user account, because they will use tricks and techniques such as social engineering to basically wheedle their way through to where they need to go. Next on our list of top five, an intelligent firewall. Now, if I said to everybody here, do you have a firewall in place in your business? And we all know that a firewall is really the bit of equipment that sits between your business’s network and the Internet, and it protects you. So if I ask that question, everybody here, I have no doubt would say, yes, you have a firewall. What I want to talk to you about, though, is the fact that not all firewalls are created equal. A lot of what we call firewalls traditionally are really fairly simplistic and basic in the way they protect you, in the way that firewalling works. They are more what we would call a router. What we really want to encourage you to think about, though, is an intelligent firewall. Now, these come under a couple of different names. You might call them intelligent firewalls, advanced firewalls, UTM appliances. So unified threat management appliances is another term. Essentially what they are, is a firewall, but they have a significant amount of intelligence in how they go about their work. They block unauthorized network activities, but they also proactively, very actively scan and filter all of the network traffic going through between your business and the public Internet. So by doing so, they will be able to, for example, identify that a website that a user is going to has malicious content on it, and therefore block access to that. They can add another layer of scanning to things like email to make sure that email does not have any embedded nasty stuff there. They can also help enforce company policies around what appropriate Internet behavior is. So it’s very easy to turn on some policy based filtering on these things so that your users are unable to access adult websites, for example. These devices can also provide a pretty detailed level of logging and ideally, reporting. Some of them are better at reporting than others, so that you can see what your users are doing with that Internet connection. You can monitor for any malicious activity within the network. And if you get one of the better platforms, such as the Sofos platform, in the event of a breach, in the event of attack, the intelligent firewall is actually capable of identifying that there has been a breach within your network and communicating in real time with maybe your wireless access points, or maybe the user’s computer itself, and blocking off that computer and automatically running diagnostics on where did this breach come from? How did it get into the network? How do we roll back this breach so that we’re back to a clean state? So there are some really sophisticated things that we can do if we’ve got one of these intelligent firewall appliances in place within your network. Here are some examples of what sets an intelligent firewall apart from a normal firewall. I’ve already covered a lot of this application awareness, intrusion prevention, content filtering. Data loss prevention is a good one. So data loss prevention is a technology which lets you protect against your critical information within the organization being leaked out to external parties, when perhaps it shouldn’t be leaving your organization. That’s a cool little one as well. So there are a number of different ways of identifying whether you have an intelligent firewall in place. One of the really easy ways is to actually have a look at what you believe is your firewall there in your server rack or wherever you have this sort of equipment, and just look at the brand. Because there’s a handful of brands that are pretty common in the world of these intelligent firewalls, and they’re brands like Sophos, Cyber Roam, maybe Watchguard. There’s a handful of others. So if you’re unsure about that, check that brand name and ping a question through to the team here at grassroots it. And we can certainly help confirm or deny for you there. Intelligent firewalls do cost more than your garden variety router. Generally there is a capital cost for the appliance, but more importantly, there is an ongoing cost for these things. And this is what sets it apart a little bit there. And the reason is because these appliances are constantly in communication with their manufacturer, with their mothership, I guess. And they’re constantly being updated with new definitions, with more sophisticated algorithms and intelligence in order to stay up to date, to be able to block the latest threats that are coming through. Now, how much in dollars is it going to cost you? Well, this is a piece of string question, because it does depend on a few factors. The main factor is how much load is this thing going to be under? So if you have got 100 users in your business, the device is going to be under more load than if you’ve got five users, if you are really heavy power users of the Internet, versus if you are really light users of the Internet. So it is a little bit of a piece of string question. Unfortunately, in most cases, though, it is not a huge amount of money at all, particularly when you consider how much of an impact this can have on your cybersecurity stance. Okay, so, intelligent firewalls. My homework for you around intelligent firewalls is to confirm that you do actually have an intelligent firewall in place and not simply a garden variety router. All right, point number three, cyber insurance. Cyber insurance is not a technology. It is quite literally an insurance policy. But it is specifically created to help you in the event that your organization does suffer a cyber breach. Now, this is a relatively new form of policy to the marketplace. It has been around for a few years now, but it is still quite new. And the key players in terms of the insurers are really still emerging as to who’s going to have the best product at market. One of the really interesting things I’ve found around cyber insurance, and this is talking with clients and working with clients, but also from firsthand experience with our own cyber insurance policy, is the sophistication of the policy renewal questionnaire that the providers ask you to complete every year before they tell you how much your premiums are going to go up. Only a handful of years ago, three or four years ago, the questionnaire to fill out might have been ten questions. That was things such as, what industry are you in? Do you sell products online? That type of thing? What we’re now seeing, though, as the insurers mature their products and the actuaries really drill down on how to make these policies work, where the true risk lies, all that sort of amazing stuff that they do. We’re seeing the questionnaires become a lot more detailed and sophisticated in what they’re asking you. We are starting to see some policies where they are asking very pointed questions, such as, do you have an intelligent firewall in place? Please provide details of your incident response plan, things like this. So a lot of what we’re talking about today in terms of multifactor authentication and firewalls and so on, you are actually going to see that either becoming a fundamental requirement of being able to have a cyber insurance policy, or at the very least, it is going to help with your premiums if you do have a stronger cybersecurity stance within your business. Now, for a little bit more information on this, I went to my favorite insurance broker, Tod. Thank you, Tod. If you’re out there, who we have been using for many years and are extremely happy with, and he provided some great information around cybersecurity policies. So here’s what we’ve got from Tod. The two most common categories of attack are social engineering and cyber theft. Social engineering. Social engineering is a type of cyber fraud whereby you can read that for yourself, essentially, where the cybercriminals trick you into paying money or trick you into granting them a level of access to your systems that they should not have. It is social engineering. There is always technology involved to some degree, but the weak link here is normally the people. It’s a really dangerous form of attack, and it’s really quite common. So how do you mitigate against the risks of these social engineering attacks? You try and take the human error out of the equation. You also put in policies, very strictly enforced policies a lot of the time around how certain processes are conducted within your business. So, for example, one of the fairly common social engineering based attacks that we see is the malicious actors will send through a faked invoice that looks like it is from one of your suppliers, but it will have different bank account details on the bottom. So that might just automatically pass through to your accounts payable team. It goes through the system and someone ends up paying that money for a fake invoice into the wrong bank account, I. E. The malicious actors bank account, instead of your actual supplier. So there are ways to address that, purely at a business process level. So how do we confirm and validate that those new bank account details are correct? Well, the advice is you pick up the phone. If you get that email from one of your suppliers saying, we’ve changed bank accounts, pick up the phone and call that supplier and say, hey, are these the correct details? Did you actually change your bank account number? Now that is just one example of where these threats can come from. But the social engineering piece is something to be very aware of. Cyber theft, a similar form of direct financial loss that can affect any business, but generally doesn’t include a person being tricked. So this one is more technical. This is where the malicious actors will actually hack into your system somehow. Compromise, maybe your email, compromise bank account details, usernames, passwords, that sort of thing. And this is a really interesting piece of information. Most cybercrimes are being committed by hackers who have been lurking within their victim’s system for roughly nine months before launching their sting. So this actually loops back quite nicely to the discussion previously about multifactor authentication. We have absolutely seen scenarios where a client has not had multifactor authentication enabled on their email system. The malicious actors have somehow gained access to the username and password for one of those user accounts, and thus they’ve been able to access that mailbox, that inbox. But they don’t just jump in there and do something crazy. They watch and they listen and they read and they get a feel for the language that’s used internally within the organization. What’s the slang? What’s the colloquial lingo feel like? Who are the key players? Who actually authorizes those bank payments? And once they have gathered all of that information, they then use that information to craft these phishing emails that I was talking about earlier. So that can be an interesting one, but that loops back quite nicely, as I said, to multifactor, because if you had multifactor authentication turned on, that could never have happened. So, coming straight back here to the cyber insurance piece, what should be covered in my policy? Here’s a list of things that should be covered in a good cyber insurance policy. Crimeware, cyber espionage, cyber extortion, hacking, point of sale, intrusion. There’s a whole lot of stuff to think about there, isn’t there? The cost of cyberattack can be significant. I’m not going to scare you with that number there. We all know we can come up with really large numbers to scare you when it comes to things like this. But the fact of the matter is that cyberattack is very real. We are hearing about some high profile ones in the news on a regular basis, but there are a lot of much smaller and lower profile ones happening on a regular basis. And of course, the big question what is the cost of cyber insurance? Again, it’s a bit of a piece of string question. Go and talk to your insurance broker and they will be able to help you with that piece there. All right, so we’ve been through number one, which is our multifactor authentication. We’ve touched on point number two there, which is our intelligent firewall. We’ve just had a good chat about point number three, which is cyber insurance. But I forgot about homework for cyber insurance, didn’t I? So this is a really easy one here. Go and have a look at your insurance policies. See if you do have cyber insurance as a specific policy, because this is a very specific policy, a lot of cyber breaches may not be caught by your more general policies. If you do not have a specific cyber insurance policy, I would encourage you to go and talk to your insurance broker and ask some questions around that. All right, let’s move on. Number four, cybersecurity awareness training. Now, cybersecurity and technology is all very well and good, but if I were to ask for a quick show of hands, which I won’t do, because I’m not sure how to see whether you’ve got your hand up or not, as to what we all think the weakest link is in our cybersecurity. For our organizations, the answer really is our people. Humans really are the weakest link in terms of all of this. So how do we address that? How do we try and address the fact that our people are always, well, unfortunately, will probably always be the weakest link in this. It really comes down to simply educating your staff. So in many cases of data breach, the data breach did not result from cyberattack, from some genius hacker doing a swordfish and cracking and compromising your systems. It’s probably come down to the mishandling of data by staff, or maybe the lack of training for those staff. So they didn’t realize that that email they received was a malicious email. They thought it was legit, so they clicked on the link, and when they clicked on the link, they let the hackers in. So educating your staff is really fundamental to how we make all of this work. Informing your staff about the efforts, the other efforts you’re taking to keep your business secure, letting your staff know that, hey, we’re installing an intelligent firewall for these reasons. Hey, we’re making you use multifactor authentication because of these reasons. So that really starts to increase the perceived importance amongst your team of cybersecurity. When they see it being addressed at an appropriate level within the organization, they will start to acknowledge that this is actually a very real and important thing. But importantly, then you need to follow through and train them very specifically on how to identify and respond to threats. So who can train them? It can start with you. Simply share your knowledge around cybersecurity. You can share these slide decks if you’d like. There is obviously a huge amount of stuff online, and you can talk to them, mention it in your weekly huddles, keep an eye out for malicious emails, be wise, et cetera. Okay. What you can do though, is that you can take it a little bit, a step past that and actually bring in some, I guess, more structured training. There are expert speakers available who you can bring in to speak to your team around cybersecurity to help show them and train them on what a malicious email looks like, what to check for in the email to make sure that it’s actually legitimate and safe, things like that, and also what to do if they do accidentally click on that malicious email. If they do feel that they may have accidentally invited a security breach, how do they respond? Because the response is extremely important. Accidents happen, but we need to respond to it. There is another really good thing we can do around cybersecurity awareness training. There’s this great little, I don’t know where the phrase came from, but there’s this great little phrase called friendly phishing. So phishing emails are those malicious emails that come through pretending to be something else? Well, we can run friendly phishing campaigns. So these campaigns will send your staff emails that pretend to be one thing, but are definitely not. And we see who clicks on them, plain and simple. So we can then gather some information about how informed and where your staff actually are, but we can then use that to start delivering some education to your staff around, whoops, this actually wasn’t a legitimate email. You probably shouldn’t have clicked on it. Here are the clues that you missed that gave it away, that this was not legitimate. So some nice little behind the scenes friendly phishing campaigns like that can also be quite useful in helping to keep cybersecurity and this awareness piece fairly top of mind amongst your staff. So point number four, cybersecurity awareness training. My homework to you around that one. What are you doing around cybersecurity awareness? You may be comfortable that your staff are fully all over this. They’re totally up to speed with their cybersecurity awareness. Well, I would encourage you to not necessarily make that assumption, but to test that assumption. Maybe deliver a little bit of informal training in your weekly meeting, maybe take the next step and look at seeing how we can help bring some sort of an expert presentation in, or a friendly phishing campaign or something around that to help really with that human element there. All right, we’re almost there, folks. Hang in. Number five, security audits. As exciting as it sounds, what is a cybersecurity audit? It’s a routine check on your cybersecurity processes and activities to identify the weak links, to see how resilient your defenses are, and so on. Now, it can be done as a once off that absolutely happens. They are probably best done on some sort of a routine basis. They can be broken down into smaller chunks, they can be done by yourselves just with some checklists. Or obviously, you can take it all the way to the end of the spectrum, where we bring in some cybersecurity specialists to run a pretty hardcore thing. Who should be involved in a cybersecurity audit? Well, essentially the whole company. See, cybersecurity is no longer just confined to the IT department. This is a whole of business issue, because when you think about things such as our social engineering, which we discussed previously, there’s not a whole lot that the IT department can do to protect against someone in the HR department being socially engineered. This really does need to cover all of your processes throughout the business, as well as, of course, the hard technical points, such as, do you have an intelligent firewall in place? Is it well configured, has multifactor authentication going? And so on. So ideally, a security audit should be a routine exercise within your business. Put a reminder on your calendar so that it’s done, and touch base with your IT partner, grassroots. It is obviously here to help to advise you on how you can go through this process. So there are some very easy things that you can do yourself within your business to work towards having these regular audits. For example, when was the last time that you ran a report and reviewed every single user account that existed within your organization? Now, I can probably guarantee that if every one of you on this webinar were to do that today, you would find at least one user account that did not need to be there. Right? It might be a staff member who has left the organization and for some reason, their user account wasn’t closed down. It might be a contractor who. Well, they kind of haven’t done any work for us for six months, so we probably should close down that user account, because leaving those user accounts open is just one more attack face that the malicious actors can use to try and compromise your environment. So there are some very simple things like that that you can do yourself that don’t need to cost you money, you don’t need the experts in. But it just takes a little bit of thought and maybe a little bit of advice from your IT partner as to where to look to really get some of that low hanging fruit with these audits. So how are you placed? What’s your current cybersecurity plan? How are you currently mitigating against cybersecurity risks? If you run through those top five points that we’ve been through, the intelligent firewall, multifactor authentication, cyber insurance, staff training, and of course, security audits, how are you positioned? How many ticks can you put down? That list of five, what can you do today to help improve your cybersecurity stance? There will always be some very low hanging fruit that you can address within your organization that can have a fairly significant impact on improving your cybersecurity stance. So this does not need to be a big dollar discussion, okay? It is more a process of thinking about it and exploring where the opportunities are to improve that stance. And obviously, a little bit of external advice and perspective can be useful on that. So, folks, that’s the end. I hope I have given you five useful points there to consider. I hope I have given you some questions that you might go away and ask within your businesses or obviously from your trusted advisors. Now, if anyone has any comments or questions, please drop them now into the Q A box or the chat box within your Zoom webinar software, and I’m very happy to start having a look at those here. All right, I’ve got a comment here from Rowan. Hey, Rowdy. We’re starting to get hit up by our bank clients with questions and documentation around cybersecurity. Isn’t that interesting? I currently have a five page document I need to provide to Suncorp so that Rowan’s organization here can stay on their panel and continue to receive work. That’s really interesting, and I have absolutely heard of that happening. So what’s happening here is that businesses are now starting to move through their supply chains, both up and down, mainly up, in this case, obviously, to make sure that they are chasing those weak links out of the cybersecurity chain there. So that’s really interesting. To be honest, I think we’re really going to be seeing a lot more of that come through, because it really does come down to the fact that security is only as strong as the weakest link in the chain, and often a lot of the access that we do give to our suppliers. And interestingly enough, access not merely in an it in a technical sense, but access, maybe in terms of trust, can actually be a big weakness in our businesses. So I think that’s really interesting, Ron, thanks for sharing that. All right, now, does anybody else have any. Not now. Oops, I’m sorry. We’ve just had one come through. Hello, Patricia. I believe Patricia has. Just asking about the a four PDF page that I mentioned at the very beginning of the talk there. I’m actually not sure where that’s linked to. I’m sure Annie will make that clear for us, although very soon. That’s just a little cheat sheet, just so that you remember what these top five points were all right. Thank you, everybody. It’s been wonderful having you here, as always. I hope I have been able to provide you with some value. If you do have any questions, any follow up form, any of this, please, you know where to find us at grassroots. It we are here to help. Have a lovely day.