The First Step to Securing Your Business: NIST Cyber Security & Risk Assessment
When was the last time you assessed your business for cyber risks? Where is your business vulnerable to cyber attacks?
Prefer to read? (Transcription)
DAVIN: Thank you for that warm introduction. I’m excited to speak to you all today. Everyone came here today to learn about the first step to securing your business from a ransomware attack, from a cybersecurity attack. I’m excited to talk to you about that today. We do have Tom Kirkham on here today, and he’s going to touch in on some of the risk management aspects as well as a few other things as we go along.
But before we get started, I do have a question. It is: When was the last time you performed a security and risk assessment on your business? This is a poll. The options should pop up here. We have “never,” “in the last year,” “past 2-5 years,” or “I’m not too sure, I don’t know.” I see some answers coming in.
25%, never. Another 25% within the last year. 50%, not sure. That’s interesting. Also, while you’re answering the poll, Tom did put in the chat – if you do have any questions, make sure to drop that question in the chat and we’ll try to answer it at the end. We do have a lot to go through here.
That’s pretty interesting. We’ll go ahead and get started. We have a lot of content to get through today.
First, what is the first step at securing your business from a ransomware attack, from a cyber attack? That is a cybersecurity risk assessment. You have to understand your vulnerabilities first to put the proper security controls in place to protect them. You have to understand your vulnerabilities and the risks associated with them. So a cybersecurity risk assessment is essential, it’s crucial to understanding those vulnerabilities.
Today we’re going to talk about the NIST Cybersecurity Framework. Most of you may have heard of NIST, but NIST stands for the National Institute of Standards and Technology, and it’s basically a basis that everyone’s using to understand their risk, assess their organization and the vulnerabilities associated.
This framework was created by the government for all organizations – small, medium size, large – to understand, manage, and reduce their cybersecurity risk. We talk about why this is so important. Why do we need cybersecurity? Why do we need to understand our risk? The main thing is to keep your doors open, to keep your business up and running, because cyber attacks are becoming one of the #1 reasons for organizations to go out of business. Studies show that 60% of small to medium size going into large businesses go out of business after a successful cyber attack. So you have less than the chance of a flip of a coin to stay in business after a cyber attack.
As a business owner, as an employee, as a CEO, your main focus is to protect all stakeholders. Tom, I know that’s a subject that you’ve been talking on briefly, protecting all stakeholders, understanding the risk, and really managing the risk from an owner standpoint, from a leader standpoint.
TOM: Yeah, it’s the very livelihood of the people that work there. You’re responsible for their income. You’re responsible to protect your client, your customer data. You’re responsible for making sure you have business continuity, disaster recovery, recovering from a ransomware attack. When you really get down to it, that’s the #1 objective: to not only protect all of those stakeholders and the livelihoods and on and on and on, but it should be the primary objective – increasing your cybersecurity defensive posture should not be a function of IT. IT should be a function of cybersecurity.
DAVIN: And that’s what we’re seeing now. We’ve all relied on IT, and now you’re seeing the need for IT and information security specialists, and them working together to protect your organization, to protect those stakeholders.
We’ll jump right in and we’re going to learn a little bit about the NIST Framework and the 5 core areas. You follow these 5 core areas, this is what you should expect from an information security team, to have all 5 of these areas covered. Follow these in order; this is the best way to first identify what needs to be protected, where your vulnerabilities are, and then security controls in place, and follow this, and you should have the best defense to defend against a cyber attack.
First we’re going to talk about the first core area in the NIST Framework, identify. You have to know what to protect before just throwing security tools at your business. Of course, we’ve relied on multiple different antiviruses and things like that because that’s what people say you need, but now we have to take a more strategic approach to cybersecurity. Cyber threats are adapting, they’re changing, and so we have to as well.
The first thing you have to do is take the assessment and understand where you’re vulnerable. But another thing you have to do is understand what’s at risk. When we think of a cyber attack, we think of downtime, reputation, information, but when you think of downtime, you can break it down even simpler. How much would a day cost you of being down? How much would a week? How much would 2 weeks? A month? You have to think realistically of the actual cost of a cyber attack besides the ransom, besides getting new devices, besides clean-up. There’s a lot more at risk than just paying the ransom.
So you have your downtime, you have your overall reputation. In business, trust, they say takes years to build but can be lost in seconds. Business revolves around trust, so if you have a cyber attack and all the stakeholders’ confidential information that you’re protecting that they’re trusting you with is gone in seconds – just because your assistant may have clicked on a link or you may have clicked on a link, and now your network is infected with ransomware. All that trust you’ve been building over the past years is gone in seconds just because a link was clicked. Those are the risks associated that you have to think about when you see these vulnerabilities. You take an assessment and you do nothing – well, that’s the cost of doing nothing as well.
Like we said, we’re protecting stakeholders. You have their business information, their personal information. Your employees, your confidential information. Those are all things that you’re in the business of protecting, so you have to make sure you understand where those vulnerabilities are to put the proper security controls in place to protect those.
Of course, this is just the first step. I know, Tom, you like to talk about that strategic approach. Think of it as asset management, risk management.
TOM: Yes, and that’s an important distinction to make. A lot of people have a tendency to think of this as an added expense. It doesn’t positively affect the P&L. But for the very same reason you have insurance – you’re trying to plan for the worst case scenario. The good news is by investing in cybersecurity defense and not just cybersecurity insurance, you’re hoping to prevent it. You put a lock on your front door. Maybe you pay a locksmith periodically to get new keys and everything else for whatever reason. That hits the P&L negatively as well.
What we’re talking about is a strategic, conscious decision to invest in the security of your business and all of the stakeholders – the people that rely on the company for their livelihood, the customers that rely on you to protect their data, whether it’s a client – maybe it’s law stuff or medical records or dental records. Medical records, same thing. This is a strategic decision.
No insurance is going to buy your reputation back, so think strategically about cybersecurity defense. But yet it is something serious. The game has changed, and the things Davin is talking about that you need to put in place are the things that’ll prevent you from being a victim.
DAVIN: That was perfect, Tom, talking about the things we need to put in place. This is just the first step of an assessment, understanding what needs to be protected. Now, you understand your vulnerabilities, and now it’s time to do something about it, to move on to the protection stage. This is where you’ve already found your vulnerabilities, you know where your weak points are; now you have to put the proper security controls in place. Like I said, cyber attacks – it’s simple. Companies are going out of business because of it.
So now you know your vulnerabilities. Do something about it. Like Tom was saying, to avoid a robbery, a burglary – that’s a hard word to say. [laughs] You put locks on your doors. When you’re worried about the place burning down, your business going out of business because of a fire, you put fire alarms, sprinklers in place. Now we have to worry about cyber attacks, so now you put security controls in place.
There’s multiple different security controls in place. We’re going to talk about a few here in a little bit, but one that’s one of the most essential and that every organization should have, bare minimum, is continuous cybersecurity training. This may be corny, but I like to think of it this way. You just bought a house; you have your family with you and you say, “We don’t want our house to get broken into, so we’re going to put locks on the doors. Perfect.” You put your locks on the doors, but you don’t tell your spouse or your child to not leave the window open at night. Well, they leave the window open at night and the house is still robbed, or something bad happens.
You can have all those security controls in place, but if the training is not there, then they’re basically useless, just like that lock on the door. That’s why continuous cybersecurity training is absolutely essential.
Another key piece to the protect stage is having that information security team, having an information security specialist being able to manage and use and operate those security tools. Most of these security tools, you can’t just go buy off the shelf. And when we talk about security, that’s not something that you should settle for the cheapest one, the one on the bottom shelf. No, you should take a security-first approach and only expect the best of the best security tools for your organization, for your business, for your stakeholders. Those take an information security team to monitor, manage, and operate.
The key thing is making sure they’re being used and checked and monitored every single day and stopping threats every single day, because cyber attacks don’t take a break, and neither should you or your information security team.
The next stage is detect. You understand your vulnerabilities, you put the security controls in place, and now it’s time to actively monitor and detect and stop those threats. Like I said, cyber threats are changing, and the tools that we need are changing. For example, you think of a car engine light or a gas light. When you’re driving, you see that gas light come on and you know you’re about to be out of gas, or you see the car engine light come on and you know that’s a warning to do something before a bigger problem occurs.
With the security tools in place, you have something to detect a potential attack or an active breach that then you can stop or you have the tools in place or the team in place to mitigate as soon as possible to prevent that bigger attack, that crisis or that overall successful ransomware attack that’s going to cost you hundreds of thousands of dollars.
We’ve relied for years and years and years on tools like an antivirus. Simple enough, that’s just not enough anymore. Antiviruses are basically useless. I’ll keep it brief, but antiviruses, the way they operate, the way they work is that they rely on known virus signatures that are most of the time 3 to 6 months old because they’ve been known to be a virus, and now all antiviruses are looking for them. We need something to monitor in real time, actively, 24/7. Most of the time, ransomware doesn’t contain a virus signature, so the antivirus will never see it coming.
That’s why now you need an EDR. If you have a notebook, write this down. It’s endpoint detection and response. You may say MEDR, managed endpoint detection and response. That’s a tool that monitors behavior. It doesn’t rely on those virus signatures. It’s looking for out-of-the-ordinary or anomalous behavior that correlates with a cyber attack. We can go into depth and we’ve done a webinar about this, but to keep it brief, it is a tool that is basically the bigger and better version of antivirus and is what everyone – at least, bare minimum, EDR, training, that’s what you need. That’s the starting point at least.
It takes care of that 24/7 monitoring, detecting and analyzing and looking for those threats. It’s extremely important. It’s one of the most important preventative measures. When we talk about cybersecurity, we’re talking about preventative measures to secure your organization and make sure you have everything in place to avoid that cyber attack.
I want to touch on this. Tom touched on it briefly when we talked about cyber insurance. These cybersecurity tools are those preventative measures that are essential because it’s simple that we can’t rely and organizations can’t rely on cyber insurance anymore, or at least right now. We’re seeing this a lot, and we actually even review our clients’ cyber insurance policies to make sure they’re compliant with whatever requirements are needed because cyber insurance providers and policies aren’t being paid out because they’ve lost so much money because of successful cyber attacks.
Now they have these strict requirements, and a lot of the requirements are tools such as EDR, cybersecurity training, annual risk assessments – which everyone is needing, and that’s why we’re here talking about it, but most organizations don’t have that. When they’re just relying on that cyber insurance, a cyber attack happens, they get hit with ransomware, they go to their cyber insurance provider, and they get hit with a hard “no” simply because something has changed or they’re simply not compliant. They don’t have the preventative measures needed to have that successful payout from their insurance provider or to be compliant with their policy.
Just like home insurance. You have your home insurance, but if you don’t have fire alarms or sprinklers or maybe a fence around your pool, you’re not compliant and you’re not going to get that payout. Same with cyber insurance.
The next step is respond. So you have everything in place, but you have to have a response plan in place as well; just in case there’s a crisis, you’ll have a solution. This is another essential part where the information security team comes into play because they are going to take care of all of this. A lot of your cyber insurance policies require that you have a response plan in place.
I want to talk briefly on the communication point here because there are a lot of new laws coming into place here recently, and you’ll probably see them a lot in the next few months, requiring organizations to report that they’ve had a ransomware attack in a specific period of time. It could be 3 to 5 days, 7 days after the ransomware attack. But if you don’t report it, there’s going to be consequences with that. Fines and such.
That’s something that you want to be aware of and avoid, so that’s a critical part of the response plan that a lot of people do overlook, have overlooked, or are going to overlook in the near future that has actual legal consequences behind it. So you need to make sure your information security team is prepared for that. Of course, here at IronTech Security, we’re keeping up with all of these changes in compliance that you need. We make sure that you have them.
When you talk about mitigation in response, timing is critical. You have to make sure that you have the proper security tools in place, partnered with the infosec team, to mitigate the potential attack or the overall problem as fast as possible, avoiding that downtime that Tom was talking about. We’re going to get into the downtime in a little bit in a second. But it’s very important that the mitigation process is taken seriously, and after that, improvements and adaptations to your defenses are made. Those improvements are essential to make sure the attack doesn’t happen again.
We see often, some of you here may have had a ransomware attack or know someone that’s had a ransomware attack or cyber attack, and if they’ve had a successful one, usually those cyber attackers create – we call them backdoors. They have a successful attack, they move on, but they’ve left what you can call a backdoor. They know that you’re an easy target, so now they made it even easier to attack you again in the near future because they left that backdoor there. With the infosec team, they’re actively looking for those backdoors, making those improvements, making sure that successful attack doesn’t happen again.
The last step we have here is recover. Recovery is one of the most essential pieces that you need as part of your recovery planning. It’s essential because it must be tested and ready to go often, at any time. This comes in with the 24/7 monitoring. This is what your infosec team is taking care of. I want to touch right here on backups because this is one of the most essential, critical, crucial parts of your recovery plan.
This is when we go into that business continuity and that downtime. Backups are an essential piece to make sure that downtime doesn’t go from 1 week to 2 months, or doesn’t go from 2 weeks to 3 months. That’s what you see often because people believe they have a backup, “We should be good, we should be able to get back up in 2 weeks.” But if you have a backup in place and they’re not being checked and monitored regularly, then they’re basically useless.
It’s basically like you don’t have a backup at all because when it’s time to go and that backup hasn’t been checked, you’re ready to roll, you’ve had a cyber attack, you’re ready to get back up and running, and your backups are failing or they may have been encrypted or they may have been affected by the attack – now you’re out of luck. That’s why it’s crucial to have that infosec team actively monitoring and testing those backups and testing the recovery plan so when something does happen, you get back up as fast as possible. Like we said, timing is critical in a cyber attack.
Tom, I know this business continuity, we’ve touched briefly on this. We can talk about downtime and cost here. What can you add here on business continuity and the recovery process?
TOM: Right. This is critical. When you start designing and understanding exactly what this business’s downtime tolerance is, that’s directly related to business continuity. And there’s a dollar cost to how quickly you need to be back up and running. In the simplest terms, assign a dollar cost to what if every computer and server in your organization is shut down. What is the loss of productivity? What is the loss of revenue and other intangibles? Anything you can think of, assign that value.
That will guide you to how much money you need to invest into business continuity. The whole DR, disaster recovery, that’s a different discussion. That’s for things like floods – and I’m not saying business continuity doesn’t enter into it, but both of those – you’ve got data backup, you’ve got server backups, virtual machine virtualization, redundancy and all of these different things. But you as the business owner, president, managing partner, whatever that title is, assign a value to downtime. For attorneys, a lot of it is going to be loss of revenue. Manufacturing, it’s lots of things.
Let that be your guide. “How much does it cost to make sure we’re not down more than an hour? How much does it cost to make sure that we’re only down maximum 24 hours?” You already know what it’s going to cost. That’s your decision. That tells you exactly what you need to do from a business continuity standpoint.
DAVIN: That’s exactly right. It’s funny that you brought that up. Talking about law firms, CPAs, things like that, I was talking to a CPA yesterday and we were going through the assessment, talking about different vulnerabilities, and then we got to talking about downtime. Of course, tax season is over, so I know a lot of accountants are relaxing. I was like, “During tax season, how much downtime can you afford? Is that something you plan for?” The simple answer was, “No, downtime is not an option. My clients/stakeholders are relying on me to be time-efficient and turn in things, meet deadlines. Downtime is just not an option.”
When you think about that, that’s when preventative measures definitely become essential because it’s just not an option to be down. That’s the way you have to think when you talk about cybersecurity and cyber attacks. You have to plan strategically for situations like that.
TOM: One other thing I’d like to add to that, Davin. If you do outsource your IT, chances are you’re either outsourcing it to what’s known in the business as a managed services provider – which generally it’s an all-in price. They proactively manage your network; they recommend “Hey, this server’s getting a little old. Let’s replace it before it goes down and you’ve got a catastrophic server loss.”
But the other side of it is you pay somebody time and materials and you only call them when something’s broken. That directly affects your productivity. If you go ahead and do that calculation for how much it costs for Susie or Bob to be down, then you may say, “Wait a minute, maybe we do need to proactively manage this.” I’m a big, big believer in using an MSP. If they’ve got their company set up right, they are more profitable the fewer problems you have, the less you go down, because they’re johnny on the spot, looking at potential things because they have the experience. “This usually leads to an outage. We’ve got to address it right now.”
DAVIN: Yep. We’ve been talking about the NIST assessment. I do want to show you a brief example of what an assessment looks like. Here you see the circle that says PR-AT-1 right there in the middle. PR is that protect stage that we were talking about. That’s that second stage we were talking about. Then it says AT for awareness training. I want to point out that you see the 2 critical areas.
We’ll create a scenario here. Say this is you. You do the cyber risk assessment and these 2 critical areas come up. You understand the vulnerabilities, you understand the risk associated with it, but no action is taken. You’re in the before stage. No action is taken. It’s showing these 2 critical areas. You’re choosing not to take an action, and when you choose not to take an action or not to change or address these vulnerabilities, that simply equals a cyber attack. You will become a victim of a successful cyber attack, a ransomware attack.
But flip the scenario. It was before, now you’re in after. You’ve gone through the risk assessment, you see these 2 critical areas. We’ll strictly use the #1 PR-AT. That means all users are informed and trained. Most likely if I asked you this and you said no, it would come up as critical. That means that to address this vulnerability, you need cybersecurity training or something like that.
You’re choosing to do something about that known risk, that critical vulnerability, and in turn you’re putting security controls in place, which simply equals avoiding a cyber attack and overall keeping your doors open.
Out of all of this, the first step is taking a cybersecurity risk assessment, understanding your vulnerabilities, and then from that, putting the proper security controls in place, following the 5 steps, and putting your business in the best position to simply stay open, to protect those stakeholders.
Now, you’re taking in all this information; what do you do with it? Speak to an infosec specialist. Speak to me. I’m looking forward to talking to you. You’ll see the meeting.irontechsecurity.com link right there. That link will be in the chat. We can have a short 30-minute conversation; we can talk about the cybersecurity risk assessment, get you started on our cybersecurity risk assessment. We’ll go through the steps we were talking about, address all of your vulnerabilities, help you understand them, and then create a plan specific to you.
Every organization is different. There’s different vulnerabilities, different needs, different risks that we need to address, so we cater a specific security plan for you and overall get your security posture to where it needs to be.
You can also shoot me an email at email@example.com, and feel free to give me a call, (479) 379-1200. I look forward to talking to you all. We are offering a free cybersecurity risk assessment. This is something we never do. Usually they’re $700+. Of course, they go really in depth into the essential first step that you need to address your risk and get your business to the security posture that it needs to be.
Tom, do you have anything to add before we head off here? I know we’re at about the 30-minute mark.
TOM: Yeah, I just want to point out – and we’ve been making a point to do this. Going back to IT versus infosec, it’s been our experience – because we work with MSPs all over the nation, or North America, and they do an awesome job from an IT perspective. But 90% of them – and it’s not just our experience; there’s industry experts that understand this and have worked with MSPs as a business. Our peers and other people in masterminds with us and things like that.
About 90% of the outsourced IT companies really don’t specialize in cybersecurity. They have a tendency to use the same old tools that – they are getting better. Bitdefender has a wonderful internet protection suite. But it’s not best of breed. And there’s a reason why you can’t get best of breed from Amazon or Best Buy. It’s because it takes skilled infosec professionals to configure them, monitor, and manage. These are high-tech technical controls that only work properly with the proper policies, the proper administrative controls in place.
I know the natural tendency is to go to your IT person. But why not just go to the people that are true experts in it? You don’t go for a cardiologist for neurosurgery. Fortunately, the cardiologist knows that he’s not competent in neurosurgery. But the IT industry is – I’m trying to be as delicate as I can. What you want them to do is to concentrate on keeping you up and running. That’s their job. That positively affects your bottom line each and every single day.
Security is a visionary, strategic, long-term focus. It negatively affects the bottom line unless you have an event, and then it’s there and it’s going to save your company. Or even worse, some of you may have compliance fines, lawsuits. You certainly don’t want the Office of Civil Rights coming in because you’ve lost patient data. They fine first and then figure out what went wrong. It’s not like the old days where they said, “Let’s see what went wrong and we might fine you.” Nope. “There’s your fine, and now we’re going to help you fix your problems.”
I just want to stress again, go to a security specialist, not someone that just knows something about it. Go to the organizations that eat, drink, and sleep this stuff day in and day out. And understand what best of breed and technical and administrative and physical controls are – what a storyline is. What’s the storyline of a ransomware attack? There’s 5 points to it. If they can’t enumerate those 5 points, they don’t really understand modern defensive cyber warfare. That means they’re not going to know the best equipment to use in the mission, to have the best training themselves.
That’s all I’ve got to say. A little bit of a soapbox there. We love to have a little bit of fun on these 30-minute Deeper Dives, but this is serious business, and we take it extremely serious, as do all MSSPs. I’ve often been accused – and probably Davin has too – you get accused of “You’re making this sound a lot worse and the risk a lot more than what it really is.” The simple truth of the fact is if we told you a lot of the things that we knew, it is absolutely unbelievable. So we don’t.
DAVIN: We’re trying to make it digestible in monthly 30-minute webinars.
TOM: We could spend every 30 minutes on just a horror story that is unbelievable that no one ever hears about. It doesn’t make CNN or New York Times or anything. It’s like, holy – international scale, nation-state threat actors, NSA, U.S. Cyber Command stuff. And we don’t even know the worst ones. We just know a lot of them.
DAVIN: We know what we’re stopping.
TOM: Are there any questions?
DAVIN: Yeah, before we get off here, if you have any questions, feel free to throw them in the chat. Once again, that meeting link is in the chat as well. You can click on that. It’s really simple and easy. Schedule a short meeting whenever it’s convenient for you. Like we did mention, these are every month, the last Thursday of the month. We will have another episode next month, in June, and we look forward to talking to you all there. If you have any questions, feel free to put them in there. But if not, we’ll hop off here in just a second.
KINDSEY: Thanks, everybody.