The keys to the Kingdom.

Passwords

They’re everywhere.  It seems you nearly need one to go to the bathroom these days.  Unfortunately though, they’re essential.  No, essential isn’t strong enough.  They’re CRITICAL.

As you undoubtedly already know, these pesky passwords are quite literally the keys to the kingdom. You work with them, you bank with them, you reveal your personal life on social media with them, you shop with them, you secure your digital life with them.

However, we still deal daily with people who don’t seem to get what would happen if someone were to obtain the keys to their kingdom.

For the sake of brevity, please believe me when I say that ALL your online and computer passwords are critical.  When they fall into the wrong hands, bad stuff follows.  Incidentally, if you want to know whether your passwords are already compromised (pretty good chance they are), head on over to Troy Hunt’s excellent Have I Been Pwned (no, that is not a typo) site to test your email and passwords.

So here’s what to do…

If you follow this advice, your digital world will be a lot more secure than it probably is now.

  1. Never reuse the same username/password combination on more than one site.
    1. So that means every site needs a different username/password combination.
    2. This is vital!
  2. Obviously this means you can’t remember them all.  So don’t!  Use a password manager.  We use 1Password, but LastPass, and Dashlane are also excellent.  At the very worst, write them in a book.
  3. A good password is hard to remember.  More than 16 characters with a combination of characters, cases, numbers, and symbols. (So use a password manager!)
  4. If you must remember the password (very frequent use, etc.), use a few disparate words strung together (e.g. “Ferrari desired-moolah,mi55ing”, and please don’t use this one).  Just something that you’ll remember, but that would be hard to determine from knowing something about you.
  5. Use 2FA/MFA anywhere you can.  This is something you have.  A hardware token, an Authenticator App, a text to your mobile, etc.
  6. Don’t share your password with anyone.
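
One way to check a password manager export against rules 1 and 3 above (an added example, not part of the original post; the CSV column names and the sample entries are constructed assumptions):

```python
import csv
import io
from collections import defaultdict

# Constructed sample export (site, username, password); not real credentials.
SAMPLE_EXPORT = """site,username,password
bank.example,ross@example.com,Tr0ub4dor&3-horse-staple-Battery
shop.example,ross@example.com,Summer2019
forum.example,ross@example.com,Summer2019
mail.example,ross@example.com,correcthorsebatterystaple
"""

MIN_LENGTH = 17  # rule 3 asks for "more than 16 characters"
REQUIRED = {"lower", "upper", "digit", "symbol"}  # cases, numbers, symbols


def classes_in(password):
    """Return the character classes that appear in the password."""
    found = set()
    for ch in password:
        if ch.islower():
            found.add("lower")
        elif ch.isupper():
            found.add("upper")
        elif ch.isdigit():
            found.add("digit")
        else:
            found.add("symbol")  # spaces and punctuation count as symbols
    return found


def audit(export_text):
    """Flag reused username/password pairs (rule 1) and weak passwords (rule 3)."""
    by_credential = defaultdict(list)
    weak = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        by_credential[(row["username"], row["password"])].append(row["site"])
        problems = []
        if len(row["password"]) < MIN_LENGTH:
            problems.append("too short")
        missing = REQUIRED - classes_in(row["password"])
        if missing:
            problems.append("missing " + ", ".join(sorted(missing)))
        if problems:
            weak[row["site"]] = problems
    # Report site names only, so the findings never echo a password.
    reused = [sorted(s) for s in by_credential.values() if len(s) > 1]
    return {"reused": reused, "weak": weak}
```

Calling `audit(SAMPLE_EXPORT)` reports the two sites sharing one login and the three entries that fall short of rule 3.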

And there you have it.  Simple! Well maybe not simple, but free and achievable.  And please persist with the password manager.  They’re a pain for the first month, while you load them up with all your info.  Then you’ll wonder how you survived without one.

Safe Travels!

Ross Marston.

Cybersecurity is under control, I think…

“Cyber Security is under control, I think…” – CEO

How many times do you hear a CEO say “The finances are under control I think.  The finance department said they were okay.”  My bet is never.

No CEO is going to just accept that the business’s finances are “okay” on the say-so of someone else.  They’d rightly demand evidence.  They’d need to see P&Ls, Balance Sheets, and management reports.  They’d want to see comparisons to equivalent periods.  They’d want to know trends.

They would also want to know what plans were in place to ensure positive trends and growth strategies.  Any CEO worth their salt would also be continually reviewing the strategy to advance the business.  In short, they’d have a strategy.

However, when it comes to Cybersecurity, whether you realise it or not, the stakes are a lot higher.

A significant Cybersecurity breach can send a business to the wall a lot quicker than the business finances can.  The statistics for businesses in the $1m to $200m turnover range (SMBs) are that 60% will be closed within 6 months of a significant Cybersecurity breach.

That’s a staggering statistic when you consider that SMBs are nearly 100% likely to suffer a significant Cybersecurity breach within the next 3 years according to Forbes.  We see breaches happen every day, and I’m sure you’ve read about the most publicised ones regularly yourself.

Yet I regularly meet with CEOs that tell me that they think their “IT guys” have their Cyber Security “In Hand”, whatever that means.

However, Cyber Security is NOT an IT problem.  It is not for the IT department to handle.  It is the CEO’s responsibility to have a clearly defined strategy in place to manage Cybersecurity.

Sure, the IT department has a role, the same as the HR department also has a significant role (probably the most significant), as do the Legal Team, the Marketing/Sales/PR departments, the Finance Department, and the Board as a whole.

It is a company-wide issue for every business.  It can only be effectively dealt with from the senior management of your business.  And, unless you as a CEO take charge, you are aboard the Titanic, and the waters around are icy.

The good news is, it is easy for any decent CEO to manage an effective Cybersecurity strategy. If you are smart enough to run an SMB, you are definitely capable of implementing an effective Cybersecurity strategy to help safeguard your business. And the good news is, it doesn’t have to cost much money.  You probably already have most of the resources you need.

Step one is to take control and recognise that it’s your responsibility.

At BIS we specialise in working with CEOs and SMB leaders to gain control of their Cybersecurity, and build resilience in their business.

Cyber Criminals are not going away anytime soon.

Ross Marston
Founder and Chief CyberSecurity Strategist, Business Intelligence Security.

Culture Eats Process For Breakfast

Creating a “secure” workplace culture.

It is never more true than when it pertains to Cyber Security.

We’ve all heard the saying, “Culture eats Process for breakfast”. In other words, you can have all the processes you want in place, but if the workplace culture doesn’t support the processes happening, they never will.

You can have as many processes in place as you want, but if you have a workplace culture where staff are “shamed”, belittled or intimidated for security indiscretions, welllll…, you’ve already lost the battle, I’m sorry to say.

In an environment where staff are in some way belittled for any security related incidents (opening a phishing email, being the object of a targeted attack, getting malware on their work station or server profile, etc, etc), most people will do the same thing.  They’ll avoid being belittled of course.

In other words, they’ll try their hardest to cover up the indiscretion.  They’ll avoid being associated with any security related incident at all costs. And why wouldn’t they?  They know the “consequences…”

What to do about it.

So what is the alternative?  We all know security incidents are bad, right?  The media is constantly banging on (mostly inaccurately) about various security incidents.  Who the latest victim is, or some other sensationalised, inaccurate story.

And of course, everyone hates being the person that clicked on the link in the phishing email, or went to the site infected with malvertising, etc.  Even the IT guy who left his company’s website exposed to SQLi or XSS attacks.

But what if we change that culture?  What about being rewarded (or at the very least thanked) for finding the spear phishing, clone phishing or whaling attack email and notifying your staff mates and IT?  What if there was a demonstrable benefit to quickly notifying your IT specialists if you suspect your devices have been compromised?  What if there was even some sort of game and reward associated with prompt action regarding any security incident?

Now you have what we like to call a warmware firewall.  An early warning and detection system to rival the best NextGen, GenIV, AI, [insert other meaningless sales term here] Firewall available.  Now we have staff and IT motivated to find, notify, and help eliminate Cyber security threats as soon as they’re detected or even suspected.

So how does this work in practice?

Humans (the warmware ones we’ve already mentioned) are the ideal firewall.  They’re self learning, they possess AI (Actual Intelligence as opposed to that other sort), and they’re motivated to help naturally as opposed to programmatically.

With some simple and ongoing training, and some motivation (Warm fuzzy, financial or otherwise) they’re the perfect resource to build significant resilience to your Cyber Defense systems.

Example

Here’s an example of how I think this might work, both before and after culture change…

A user inadvertently follows a link in an innocuous (or even obvious) looking email.

  • Before culture change
    • User thinks “last time Bob mentioned something like this the IT guys laughed at him, and everyone else gave him a hard time for being so ‘stupid’.  I’m just going to shut up.  If it has done any damage, someone else might notice it and, it won’t get traced back to me.  If it does, I’ll just deny it.”
    • User shuts up and just keeps working albeit with more perspiration than before.
    • Eventually IT department finds that nightly backups are getting filled with strange files.
    • Investigation reveals most of their file system has been encrypted and held for ransom.
    • It’s taken so long to discover that the encrypted files have written over all the “good files”.
    • Company is forced to negotiate with Cyber Criminals to try to recover their encrypted files.  Unsuccessfully!
    • Everyone hopes it wasn’t their fault.  But it doesn’t really matter as they probably won’t have jobs next week anyway.
  • After Culture change to a Security Rewarding culture
    • User thinks “I better tell IT and team straight away!”
    • User immediately logs off and turns computer off, calls IT.
    • Problem is rectified with very little damage to company infrastructure.
    • User is rewarded with new Mercedes, or TimTams in the ‘fridge  [or insert more practical reward of your choice here…] for their quick action saving the company from extinction.

Some things I think staff should be rewarded for…

There’s obviously no point just creating white noise of false positive alerts.  We need to encourage staff to be alert to certain (and ever changing) events to make this system work.  But at the top of this list needs to be the end to victimisation (or vilification) of people for reporting issues.

So if users or staff make a false positive report, use the opportunity to encourage them and maybe even educate a little on what to look for in the future.  But if they alert you or others to a real issue, reward them!  It’s the best firewall you’ll ever purchase.

A (very non-exhaustive) rewards list…

  • Users who use good Password hygiene…
    • who use a Password Manager to store their myriad of passwords for various sites.  (We recommend either KeePass or 1Password.)
    • who don’t use the same username/password combination on multiple sites
    • who use complex passwords (16 characters with many different types of characters)
    • who change their passwords regularly.
  • IT People finding vulnerabilities and patching.
  • Users or IT Staff finding un-patched browsers, Apps, or OSs
  • IT Staff noticing unauthorised devices on their networks.
  • Users finding scams or phishing attempts and alerting others.
    • emails with dodgy attachments
    • emails with suspect links
    • emails from suppliers or contractors that are “unusual or unexpected”.
    • AGL electricity bills when you don’t use AGL.
    • Emails that seem to know a lot about you from people you don’t know.
    • Parcel delivery notifications.
    • Overly amorous offers from unknown people.
    • I could go on all day here.  The point is, if you find them, let others know that they are suspect, so they may be able to spot them next time.
  • Users notifying management about unusual behavior (other staff or their own workstation)
    • Someone copying large quantities of data to USB drives.
    • Their own computer behaving unusually after visiting a site (weird pop-up, etc.)
    • Their computer behaving unusually after opening an email or clicking on a link.
      • e.g. “Nothing seemed to happen when I opened the document.”
      • “it asked me if I wanted to enable Macros”
      • strange popup windows appearing.
      • It took me to a completely different site than what I was expecting
    • Finding a file that looks like it has been encrypted, or a file that now has a weird extension
      • e.g. .enc or .locky when it should be .xlsx
  • Users finding that their browser or operating system is out of date or has patches ready to be applied that they think IT may be unaware of.
  • Users finding errors when accessing websites. (e.g. “Flash player is out of date”)
  • Users finding your company info in places it shouldn’t be.
  • The list could go on and on.  Maybe create your own and share it with us.

The bottom line is, let’s stop the pointless practice of shaming staff and users who have either made a mistake or inadvertently done “the wrong thing”, and start rewarding our precious “Warmware Firewalls” for their great work in helping to build the defenses of our businesses.

You have absolutely nothing to lose with this approach.  This is a secure culture.

Contact our office for more information on our Workplace Cyber Awareness programs, or any other Cyber security Related issues.

Stay Safe
Ross Marston