kindsey@kirkham.it, davin.chitwood@irontechsecurity.com, info@webpossible.net
#

Back to videos

Cybersecurity For Business

Owners: Is Your Business Safe From Cyber Attacks? Cyber attacks are at an all time high and every business is at risk. Are you doing the most to make sure your
business is safe from malicious cyber attacks?

Prefer to read? (Transcription)

DAVIN: Thank you so much, Kindsey. Like we said, these are monthly Deeper Dives that we’ll be doing every month, and this week we’re going to talk about cybersecurity for business owners – talk about what threats are out there, get rid of some myths that you might have heard of regarding cybersecurity, but also, we’re going to talk about 5 simple things that you need to protect your business, the first step to protect your business, and how to get started.

But before we get started, we’ll start with a simple poll. I have a quick question, just for my curiosity. Have you or someone you know experienced a ransomware attack or a cyber attack? It could be someone clicked on a link and your friend had a pay a ransom. Multiple different ways. The poll should pop up. Click yes or no, and then we’ll get started.

A few coming in. And like Kindsey said before, if you have any questions throughout, feel free to ask in the Q&A box and we’ll try to get through them as we go along. But we’ll definitely try to swing back to them at the end.

We’ll go ahead and dive in. First thing, before we talk about cybersecurity, we’ve got to get a few things out of the way. The first things are the common myths. You hear these things probably every day, and a lot of things you hear aren’t true regarding cybersecurity and cyber threats in general.

A lot of the time you’ll hear, or you may have even said, “We’re too small. We don’t have to worry about anyone trying to attack us. Why would they want to go after our business? It’s nothing that we need to worry about at the moment.” Well, clearly that’s a myth, and clearly that’s false, because these cyber attacks are not personal. They’re not just going after you because they want to or because they need to.

The thing is that these cyber attacks are done at scale. They think in conversion rates. They’re not specifically trying to get a law firm in South Dakota; they’re maybe targeting all law firms in the United States. They think in conversion rates. They’re sending these attacks out not to 10 people, not to 100 people, but hundreds of thousands of different people, hundreds of thousands of different businesses, and they’re looking to attack every business that they can, hoping that maybe just 1% of those clicks on the link or doesn’t have any cybersecurity. From that, they get 1% of those 100,000 attacks with average payouts well over $10,000, $20,000, $30,000, $50,000, that’s easy multimillion dollar paydays just by them clicking a button and sending out all of these cyber attacks, these phishing emails.

So when you think about “We are too small, they’re not specifically trying to get us,” no, they’re not specifically trying to get you, but they’re trying to get everyone. They’re trying to trick everyone into clicking a link or having to pay this ransom. So when you talk about “We’re too small,” it just doesn’t cut it anymore. It’s just not true.

Another thing you probably hear often, or you may have said yourself, is “Good cybersecurity is too expensive. I’m fine with Norton or my little antivirus I have” or, like I said, “We’re too small; we’re not going to worry about cybersecurity at the moment.” Well, that’s false as well. When we talk about good cybersecurity, it’s not expensive anymore.

Now, you can’t go and buy the advanced enterprise grade cybersecurity tools off the shelf, but you can get the same cybersecurity controls and techniques and software that Fortune 500, Fortune 100 companies are using, that the Department of Defense is even using. You can get those for $25-30 bucks a month for your workstations, for your devices in your company. Of course, you get that through an information security team, which we’ll talk about later. But when you talk about cybersecurity being expensive, it costs about the same as going to dinner at Red Lobster or something. It’s very, very affordable, and that myth is busted.

Another thing that is often said and often that we’ve relied on is “Antivirus is good enough. That’s all I need, that’s all there is. It’s worked for – I don’t know how many years I’ve been using it. It’ll keep on working.” That sentence is also false. It’s a myth, because cyber attacks and cyber threats have changed. They’ve adapted.

To keep it brief, the way that antivirus works, it relies on virus signatures, and it’s looking for malicious virus signatures that are known to be malicious. Once it sees one, then it’s specifically looking to block those, whitelist those, keep those from interrupting or attacking your business. Well, cyber attacks don’t have virus signatures anymore. Like I said, they’ve adapted, and now you need something to combat and adapt with those different threats, those different cyber attacks. You need a tool called EDR, endpoint detection and response. We’re going to talk about that more in depth, but basically it doesn’t rely on those virus signatures. It’s behavior-based, which is perfect for monitoring and detecting threats 24/7 and not having to rely on just a simple virus signature.

To be honest, those viruses are usually 3 to 6 months old, so antivirus is stopping old threats. Nowadays, you need something to monitor, detect, and stop threats in real time, 24/7. Clearly, antivirus is just not good enough. They’re not doing the trick anymore, so you need more advanced, better tools.

Another one: “We have cybersecurity insurance. It’s fine, it works. If something does happen, we’ll use that and we’ll be all right.” That’s not the case anymore as well. We’re going to talk about insurance, but insurance companies got slammed last year with payouts regarding ransomware, cyber attacks, all of the above, and they’re not going to do the same thing again.

They’ve made changes already this year. Huge premium increases on cyber insurance as well as insurance companies now have cybersecurity requirements that you have to have in place to be even compliant with that policy. They’re requiring continuous security training. They’re requiring EDR tools like we’re going to talk about today. They’re requiring the 5 things that we’re going to talk about today, the 5 simple cybersecurity practices that you must have to protect your business. Those are going to be needed soon or are already required by insurance companies to be compliant with your policy, to even be able to use that payout that you’re hoping you can rely on. So when you talk about cybersecurity insurance, “We’ve got it, we’re good,” no. Now you need the preventative measures to be even compliant with that policy.

“We survived one ransomware attack. We’re all good. We don’t have to worry about it again. We got our attack out of the way.” That’s not the case anymore as well. When you talk about ransomware attacks, if there is a successful attack, you feel like you paid the ransom, you got everything off, and you’re fine, “we don’t have to worry about it,” that’s not the case as well.

Usually, when you suffer a ransomware attack, the team behind it that actually sent out the attack or that’s receiving the payout will create backdoors, you can call them. Basically, they know that they’ve had a successful attack on you; you’re an easy target, so why not come back again in 3 months, 6 months, maybe even 2 years? Why not come back again, do it all over again, get the same payout, move on, keep that cycle going?

That’s what we see often. Because you survived a ransomware attack, you have this mentality that it won’t happen again, you don’t do anything to prevent it from happening again, so there’s 1 ransomware attack, 2 ransomware attacks, 3 ransomware attacks, and you become the easy target that’s targeted often and pay it often. If you don’t make any changes, then it’s going to keep happening again.

The last one I hear often – you hear it more often than some of the others – is “Cybersecurity is an IT issue. Our IT team is taking care of it. We’re fine; they’ll worry about it.” That’s not the case either. There’s a difference between information technology (IT) and infosec, information security. It really comes down to their objectives. When we talk about IT, their main objectives are productivity, efficiency, minimizing frustration level, making sure everything’s working operation-wise, and they’re really bottom-line focused, making sure everything’s fine and good.

But when you think of information security, and an actual information security team, their objectives are very different. Their objectives are to understand your current risk regarding cybersecurity, understand your vulnerabilities, fill those gaps. Their objective is to monitor and respond to attacks or anomalous activity quickly, as soon as possible. When you talk about cybersecurity, time is everything. Seconds matter. The information security team understands that and they always have that in the back of their mind. It’s of course one of their objectives. But they also keep up with geopolitical factors – what’s going on around the world and how will that affect your organization? Are you a bigger target now because of the specific business that you work in or the field that you work in?

When you put all that together, their main objective is to protect all stakeholders. That’s including the employees, the clients, the customers, the owners, the investors. They’re protecting that business, everything that the stakeholders are involved in. Their goal every day is to protect all of them, and the business as a whole.

So you can get all of those myths – those are some of the myths that you say and some of the things that you’ve heard – throw those out of the window. If anybody has questions, you can pull this up, or of course you can send them to me.

But now we’ve got all the cybersecurity myths, things we’ve known forever, out the window, we’ll talk about securing your business. What threats are we actually facing? What is at risk here? What can happen if you become a victim of a cyber attack? I’m going to put a bunch of these up here and you can read through them, but we’re going to touch on a few things from this list.

We have Tom here, our founder and CEO. He’s going to talk a little bit more about these threats that he faces as well as a CEO and founder. But one thing I do want to touch on is the top one, client loss. When you talk about overall business in general, business relies on relationships and trust. If you don’t have trust, if you don’t trust a client or a client doesn’t trust your business, it’s very, very hard to build a relationship and have a successful business relationship from that.

Now, when you talk about cybersecurity and cyber attacks, that’s when trust is at risk. Say you’re a law firm or an accountant firm or say you work in the medical field. The client or your customer is trusting you with their personal information. Could be their family’s personal information. It could be their financial information. All this confidential information of theirs, they’re trusting you with that.

And then if you have a cyber attack or you’re very related regarding cybersecurity and you’re not taking their privacy serious, when you have a cybersecurity attack, you have to let them know that “Hey, there’s been a breach. Your information could be at risk, a lot of our other clients’ information could be a risk, our information is at risk. We’re currently figuring out what’s going on, but I just wanted to make you aware.” That simple couple sentences throws all the trust that they had for you out the window because they were trusting that you would protect their information, that they were safe in your hands, but if you experience a cyber attack, all that’s out the window and now you basically have to start from scratch, and you’re going to lose a lot of clients, a lot of customers, just simply from the fact of trust.

Tom, I know you can talk a little bit more on this, but that’s one of the main threats that really jumps out to me – the trust factor and the overall client loss that comes with that.

TOM: Yeah. One of the most valuable things that your company has is your reputation. I’ve personally dropped accounting firms and others because they bought into a firm that I was using and I knew they’d suffered a breach, and we couldn’t continue on with them because they didn’t treat it as job one. There’s a lot of surveys that say 40% of businesses that get hit with a breach are out of business in 2 years or 6 months or whatever, and it just depends on who they’re surveying and things like that.

But the bottom line is, it’s a strategic decision. If you’re a leader in your organization, you’re looking at the long-term viability. This is not an expense. It’s an investment in the very survival of the company. It’s actually the cost of doing business anymore. You’ve got to treat it seriously. Security’s got to be job one.

All of these other things, absolutely. Insurance – actually, you can pay for enterprise grade cybersecurity just in the difference between insurance premiums from ’21 to ’22. By far. Easily pay for it.

DAVIN: We had a prospect, they were paying $1,200 a year for cyber insurance. Just this year it went from $1,200 to $5,000. That’s unreal. You put the cybersecurity prevention tools in place before that, one, the premium goes down, but also, you don’t really have to worry about such a big policy regarding cybersecurity because you’re not as big of a risk. You save so much money. That’s a great point to bring up.

TOM: Yeah. If you can even get insurance. Most of them are shifting over to doing a risk analysis, which is what we do for everyone, trying to understand where your vulnerabilities are, and what is the actual risk you’re taking on by not addressing these weaknesses in your company’s security. It’s worth every penny. That’s really it in a nutshell.

DAVIN: Before we move on to the 5 things, I do want to touch on one topic here real quick. It’s operational disruption or destruction, and it’s something that a lot of people overlook when you think of a cyber attack, especially from a business owner mindset. When you think about a cyber attack – say you’re under a cyber attack; all of your network is held ransom. You can’t get on your workstations and devices, and basically your operations are on hold.

For any business, say you can’t do business for 2 weeks. What kind of effect does that have on your business? What kind of effect financially does that have on your business? What if you can’t do payroll? How does that affect your employees? You see on here “loss of contract revenue.” What if you have contracts that those clients of yours are expecting you to deliver on this certain date, but you’re down for 2 weeks? You may get behind a month of work just because your’e down 2 weeks. Now you could lose that contract. They could go somewhere else that they can rely on who takes security serious.

All of those things can get looked past in the rearview because you may just think “Okay, paying the ransom, that’s all we have to deal with.” No, there’s a lot more that comes with a cyber attack and the threats that you may face as a business owner operation-wise, client loss-wise, revenue-wise, employee-wise. There’s lots of different things. Those are all things to consider when you’re a business owner, you’re trying to protect a business that you’ve been working on building for maybe 5, 10, 20 years. Simply someone clicking on a link and now you have a ransomware attack, you can end up closing your doors in a couple days or 2 weeks. It’s really unreal. But these are things you have to think about and you really have to consider when you’re talking about the health and operations of your business and overall security.

TOM: Yeah. I’d like to add to that, Davin. I’m not sure that we focus on it enough, but what you really want to get to, or at least I do – I want to understand what’s best practices. How much should we be spending on professionally managing our IT? How much should we be spending to professionally manage our cybersecurity and have a skilled infosec team on our side? What are the best operators in this particular area of law practice, or other financial advisors like my firm, or any professional service, any manufacturing concern?

If you look at what your peers, the really best run peers in your business are doing, that’s your guidelines. This is what the best in your business do. The best law firms, the best accounting firms, the best manufacturing concerns, this is what they do, this is what they spend. Anyone that wants their company to be the best that it can be, for all the stakeholders, employees, make it an enjoyable place to work, be very effective, and above all else, exceed client expectations – use that as a rough starting point. Just say, “Oh, we’re not spending on cybersecurity. The best in our industry already acknowledge it and understand that it’s super, super critical.”

That’s a great – you’re not having to listen to me or Davin. As infosec specialists, we’re telling you what the best practices are over all sorts of industries, but I know that an intellectual property law firm, patent law, has a different risk profile when it comes to security than a divorce attorney or a general business law firm. They all have different things. Or a financial firm. Just look at the rough guidelines. Those are things that we guide our clients through.

DAVIN: Yeah, and when you talk about best practices, that leads us in perfectly to our next topic. What are those best practices? What should we do? What do we need to have in place? That brings us to the 5 things here.

What you see is a letter from the White House, from Anne Neuberger. You may have seen her on TV. She’s our current acting National Security Advisor regarding cybersecurity. Basically, what she did is put out this letter. In 2021, Biden issued an executive order to all federal agencies and really all businesses, and it was really long, about 30-40 pages, regarding what to do regarding cybersecurity and of course, the future ahead of that.

Anne narrowed that down to about 3 or 4 pages directing CEOs, all business owners, critical infrastructure, and telling them what the United States urges you to do to protect from the threat of ransomware and overall cyber attacks. There’s been a huge increase in cyber attacks in the past few years, so she listed 5 things that everyone should do regarding cybersecurity. It’s not just the big top Fortune 100s, not the huge companies, not just Google or anything. This is for any and all businesses.

This is the basics of what you need. Of course, there’s more to it; of course you have specific needs that you can get filled. But these are the 5 things. If you have a notebook or if you are taking notes, I recommend writing these down. We’re going to go through them in depth for the rest of the webinar, but these are the 5 things that you need to protect your organization.

One of them is use MFA. What is MFA? You might have heard it as 2FA, but it’s multi-factor authentication. It’s just third party authentication. It’s where you type in your username, type in your password, and usually – say you’re logging into Facebook – that’s all you have to do. Well, we’ve seen a huge increase in password compromises, so simple logins like Facebook or maybe QuickBooks, another software that you use to run your business, simple username and password isn’t enough security anymore.

Now you need MFA. Type in username, password, and now you may get a 4- to 6- to 8-digit code on your cellphone or email. That adds a layer of security to your logins that’s needed. If your password is compromised or if it’s hacked or someone has access to your password, now if you have MFA installed or enabled, if they have your password, they also have to steal your phone. They have to get it out of your pocket, read the text message of the number that was sent, and type that in as well to log in.

Simply just using a username and password isn’t enough anymore. Now MFA is essential, and we highly, highly, highly recommend using it everywhere that offers it.

Next you see here, deploy EDR. What is EDR? This is one of the most important cybersecurity tools that you can and should have to protect your business. EDR stands for endpoint detect and response, or you may hear MEDR, managed endpoint detect and response. It is the substitute, or you can call it the bigger brother – it is the next level monitoring detection tool that you need now that’s adapted with cyber threats just as cyber threats have adapted.

We talked a little bit about how the antivirus works, but EDR is behavior-based. It doesn’t rely on those virus signatures we talked about before. It’s relying on anomalous behavior or behavior that’s out of the ordinary, that usually results or is involved with a threat, and is able to detect and stop that threat in real time using AI and machine learning.

Overall, this tool – we’ll create an example right there. Say you get an email and there is a Word document attached. If you click on that Word document and it opens, there is specific activity that’s supposed to happen every time you open that Word document. If it is malicious and contains ransomware or anything like that, when you open that Word document, it may try to access another document or folder in the background or create a folder in the background. Of course, that activity isn’t normal, and the EDR would be able to detect that activity, that threat, and analyze and stop it in real time.

We’re going to talk about the information security team, but this is also where the information security team comes in, that MEDR, that managed endpoint detect and response, where they can look at the storyline of that attack or that threat and see how it happened, fix that vulnerability and make sure it doesn’t happen again, but overall taking your security to the next level where it needs to be.

Simply, if you just had an EDR to start with, then you’d be way ahead of most businesses. If everyone had EDR, you probably wouldn’t hear about cyber attacks as much. Of course you’d still hear about it, but EDR is one of the most essential tools that you need. And that’s one of the affordable tools that we were talking about you can’t just go pull it off the shelf at Best Buy or something. You need an information security team to provide the tool, implement it, and manage it as well.

Next on the 5 things, use encryption. Most of your mobile devices, it’s already turned on. But turn it on anywhere you can. If a laptop gets stolen and you have disk encryption turned on, any data that they may try to get from your device is no longer usable by the simple fact that it’s encrypted. Basically, they can’t make sense out of any of the information that they’re trying to access. That’s a very important tool that we highly recommend using. Like MFA, turn it on or enable it wherever you can. It’s decreasing those attack vectors, which is the main goal of any business. Decrease as many attack vectors as you can and take care of any and all vulnerabilities that you can regarding cybersecurity as well.

Next is highly important and actually goes with the next point as well: continuous defensive improvements are extremely essential when talking about cybersecurity and talking about the 5 things. We mentioned before, cyber threats are changing every single day. They’re adapting. Like I said, they went from relying on virus signatures to not having virus signatures at all.

So as cyber threats change, your defense needs to change and improve as well. Simply installing security patches – when we talk about the difference between IT and infosec, sometimes patches and updates can be overlooked from an IT perspective just because it may create an interruption in operations or something like that, or they push it off because it’s not essential at the moment.

From a security standpoint, improving your defense and making sure those security patches are installed as soon as possible, immediately, is one of the top objectives of the information security team because continuous defensive improvements are essential to making sure you have no vulnerabilities, there’s no new gaps in your business, and once again, decreasing the attack vectors as much as we possibly can.

The last and probably the most essential, right there with EDR – this is actually, like I said, how you can get that EDR tool – is a skilled security team. What does that involve? That’s your infosec team. If you simply have an information security team, a skilled cybersecurity team, the 5 things, everything we’ve talked about today, they’ll take care of it because that’s their job. That’s their focus. That’s their objective. Their main goal is to make sure that all vulnerabilities, all attack vectors are accounted for or taken care of, any gaps are filled. They are monitoring, detecting, investigating, responding 24/7 to your business to any threats.

You see the word “orchestration” up there. There’s a process to building the perfect security stack or the perfect security controls for your business. Your information security team will do that for you. Our goal is to understand what you currently have, understand the vulnerabilities, understand what’s at risk, understand the stakeholders and what we have to protect, and then find those vulnerabilities, orchestrate or create a plan to address those vulnerabilities, put the security controls in place to make sure those vulnerabilities are taken care of, there’s no gaps, there’s no security risk, make sure you have everything in place to protect your stakeholders, your business, the best you can.

You say, “I could do it myself or rely on IT.” No, it’s not do-it-yourself anymore. Like I said, cybersecurity is evolving and adapting, and you need skilled professionals to understand your business, what your needs are, and make sure those needs are met from a security standpoint. An infosec team is extremely important. Like I said, if you just start with an information security team, everything else will get taken care of.

Those are the 5 things. There’s a few other things that you may need depending on your business. We talked about company-owned equipment, remote access. Of course, make sure you do have an acceptable use policy in place. A lot of people work remote now and they want to work from home. Make sure they’re not using their personal device, their personal equipment – one, because you can’t control what is on their device, what they access, and whatever they access, once they connect to your network, if they’re at risk, now you’re at risk. So make sure you use company-owned equipment.

Password managers. Password compromises are blowing up this year. We’re seeing lots of password compromises, lots of email compromises. Making sure you have a way to manage your passwords and password policies is extremely, extremely important.

Tom talked about this earlier in our webinar – set the tone at the top. Make sure security is taken seriously, starting with #1, the founder, CEO, the boss man or lady, making sure they take cybersecurity serious and it trickles down to the rest of the company, creating an overall secure environment and business.

There’s lots of different things you can do regarding cybersecurity. You may have lots of different needs. You may have lots of different vulnerabilities. When we talk about the topic of cybersecurity and tools and what to do, it can be very overwhelming, but that’s where professionals come in to create the perfect cybersecurity plan for your business.

That’s when we talk about, “What’s the first step? What do I do with all this information? You’re right, it is overwhelming. Where do I start?” First thing, meet with professionals. What will happen rom that, you’ll find out what your vulnerabilities are, where you’re vulnerable, what is at risk, and you’ll be able to develop that plan like we talked about to put the perfect cybersecurity tools in place to address your specific vulnerabilities.

From here, you can speak with an information security specialist. What I do want to point out – the main thing that you can reach out to us is our free cybersecurity and risk assessment. That is the starting point. We’ll set a 1:1 meeting and we’ll go through your entire organization and talk about what you currently have in place, your needs, your vulnerabilities, and we’ll create an assessment for you that you can see. It’ll show exactly the gaps where you’re vulnerable, show you exactly what you need to do, and then from there we can help you implement those security tools.

You can use the link that says meeting.irontechsecurity.com to schedule a quick meeting with us. It’ll take 30 minutes – a great investment of your time because during that meeting, like I said, we’ll help you start the process of protecting your business. You can also send us an email at sales@irontechsecurity.com. It’s right up there. You see the phone number as well. Feel free to reach out any time with questions. If you have questions about a certain tool or just overall risk, or maybe another myth that you’ve heard, please reach out and we’ll talk that over with you. We’ll talk about the assessment and overall find out what we need to do to protect your business.

TOM: If you’ve got any questions, throw them into chat. What Davin was talking about when it comes to the skilled security professional – and that’s what the White House is saying. Once again, yeah, we sell it, but that doesn’t mean we don’t know what we’re doing and that it’s wrong. The simple fact of the matter is, basically, nation-state level NSA weapons are now being used against us in the United States each and every single day. That’s not an exaggeration. That is a fact. The game dramatically changed about 5, 6, 7 years ago. These weapons have been leaking out to criminals and others over the past several months.

But the deal about the security team, there’s 3 things that you have to have in place. You’ve got to have good, best of breed technical controls. That’s MFA, EDR. Then you might even need physical controls. You already have them in your office. Your office is locked at certain hours. Those hours are an administrative control. Who has the keys to your office is administrative controls. That’s the third type of control. None of the technical controls, physical controls, none of those will work by themselves. They require administrative controls.

And not only that, you’ve got to have monitoring because the best technical controls cannot 100% stop everything. That’s why the White House is saying you’ve got to already have a skilled security team in place. Not after the fact. That’s not even our specialty. Those are incident response teams. You get a ransomware breakout, you need somebody to manage a crisis, negotiate with the hackers – those are instant response specialties. Our specialty is making sure it doesn’t happen in the first place.

DAVIN: Preventing that.

TOM: Exactly.

DAVIN: Definitely. You’re exactly right, Tom. Our main goal is to prevent everything – the instant response thing, we’re preventing them from getting involved. Like I said, you can schedule a meeting, email us. Feel free to give us a call any time. We don’t see any questions here at the moment, but we will be doing another Deeper Dive next month. Make sure to stay tuned for that. Make sure to look for emails coming out. It’ll be on another Deeper Dive topic regarding cybersecurity.

Once again, feel free to reach out, and thank you all for attending today.