
Why Your Business Needs a Security and Risk Assessment

Did you know 51% of organizations were hit by ransomware in 2021? With the proper security in place, you can lessen the chances of your business becoming a victim.

Prefer to read? (Transcription)

Davin Chitwood
Oh, let’s rock and roll. Thank you so much to everyone attending today. Of course, I have my colleague here, Sam; he’s our Client Experience Manager. He’s going to help us a little bit through the presentation today, talking about the assessment, which is something that we do annually for all of our clients during our account reviews, just to understand where you’re vulnerable year to year. And so we’ll dive a little bit more into the details there as we go on. But to get started, Sam has a quick question for you.

Sam Haest
Yeah, we’re gonna start today with a poll, and it is: Have you had a cybersecurity risk assessment in the past year? Just put it down in the chat.

Davin Chitwood
So you should see the poll pop up. The reason we ask this is cybersecurity risk assessments are becoming more common. But not everyone has had one, or it may not be the first thing on your mind when you think about cybersecurity. I see a few people answering. If you’re not even sure what a cybersecurity risk assessment is, or why it’s important, or why you need one annually, you’re gonna learn that today. I see about 50% have said no, they haven’t had a security risk assessment in the past year, or they’re unsure.

Davin Chitwood
Well, after this webinar, of course, hopefully that will change, and when we do this again next year, hopefully we’ll see some more yeses. But getting started with what a security or cybersecurity risk assessment actually is: well, first off, it is the first step to actually securing your business and implementing cybersecurity. It’s the best way to not only get what you want, of course, which is cybersecurity, securing your overall company, but also to get what you need, and understand what you need.

Sam Haest
It’s a way to assess, reveal, and understand your vulnerabilities. It must be done by a cybersecurity professional who understands your gaps and the risk associated with them.

Davin Chitwood
Exactly right. And the reason we talked about it needing to be done by cybersecurity professionals is because, let’s take for example a CPA firm or an accounting firm. So when you’re going through an assessment, there may be a general list of just what you need and what you don’t have. But you need to be able to understand the risk associated with those gaps, specifically for your field of business or for your company, and how that affects operations. So when we talk about an accounting firm, of course tax season is a part of the year where, when we think of downtime, downtime is just not an option. And so, regarding cybersecurity, backups are a critical part of the remediation side of cybersecurity, and it’s often overlooked. And so for an accounting firm, they may have backups in place. They believe they have backups in place, but from a security standpoint, are they being checked? Are they being checked regularly? Because a case can come up where you have a backup, or you believe your backups are working, but you may check them only once a year. Well, during that time that they’re not being checked, if something happens and they weren’t working, now that downtime can go from maybe two hours to two weeks, just because of a simple security approach of your backups not being checked every single day. Now you’re experiencing that downtime. And I’ll just use accounting as the example, just sticking with that: downtime is not an option during tax season. You have deadlines. You have dates that you need to meet, and certain information needs to be turned in by a certain time. And if you’re down for a week or two, then that not only affects your business, that affects your customers and your clients. And we’re going to talk more about duty to stakeholders, everyone who’s invested in that business, everyone who’s a part of that business. Because cyberattacks don’t only affect the immediate employees and business owners, but also everyone who’s involved with the organization. So using cybersecurity specialists and professionals who not only understand the security vulnerabilities, but the direct impact to your company, is extremely important.

Sam Haest
Yeah, and it’s easy to understand. A security risk assessment is actually easy to understand for everybody. You don’t have to be a specialist in cybersecurity or IT to understand it. We cater the assessment specifically to you and your business operations and stakeholders, so that you understand how it directly impacts your company.

Davin Chitwood
That’s exactly right. A lot of people may be wary of a security risk assessment, simply because, “Oh, my IT will handle that,” or “That’s not my specialty, that’s over my head.” No, and that’s false. And the reason is, just like Sam said, the way we do our security risk assessments, of course there is a technical aspect to it, but we cater that specifically to meet, basically perfectly, your business and your operations, so you understand how it, just like Sam was saying, directly impacts your company. Now, you also don’t have to have specific personnel to have an assessment. You don’t have to have a head of IT, or even an IT team, to have an assessment. Now, when we do assessments with our prospects or our clients, we always encourage your IT provider or your IT person to be included with that assessment, if that’s what you would like or if that makes you feel more comfortable. But that’s not required. You don’t have to have that. And so when we think about risk assessments, it’s for everyone; anyone can do it. And even if you’re not the decision maker, the security and risk assessment is the perfect piece that you can take to your decision makers, and visually show them exactly where you’re vulnerable, exactly what you need, and how to fix it.

Sam Haest
Yep, and it’s like a checkup. It’s like going to the doctor every year. And we kind of do the same thing as well; we call them account reviews, as an annual checkup. We’ll get into that later. But it’s comparable to going to the doctor; you know, most of you do it once a year. But you wouldn’t just go to Walgreens and buy a bunch of medicines for strep throat and just see which one of them works. You go to the doctor, you get what they prescribe to you, you get what the specialist prescribes you. Same thing with us: you wouldn’t just go to Best Buy, you’re not supposed to really just get antivirus and different things like that to protect your computer. Go to your professional, see what you need, and see what will actually work.

Davin Chitwood
That’s right. And that’s what brings us back to that first point. So, first step: if you just throw security tools at your company, at your business, at your organization, that’s not the most efficient way to do it. A lot of the tools you may need may not even fix the vulnerabilities that you have, and it ends up being a waste of money. You need to understand exactly where you’re vulnerable first, where your gaps are in security, and then create and orchestrate the perfect plan to combat those vulnerabilities, the perfect security controls that you need to fill those gaps. And that’s what an assessment gives you: it helps you understand, and then tells you exactly what you need to fix those vulnerabilities or address those gaps. Well, why do you actually need an assessment? Why does my business need an assessment? Why is this important?

Sam Haest
Well, the first thing I want to mention is industry compliance, starting 2023. On the first of January, a lot of industries are going to require by law that you get a SIEM tool. There’s about 16-plus industries; I’ll just name a few here. And a SIEM tool is something that monitors background information on your computer. It’s pretty common, a lot of people have it, but it is important. Some of those industries are water and wastewater, transportation sector, healthcare sector and public health, chemical sector, EMS, financial services, government facilities sector, critical manufacturing, energy sector,

Davin Chitwood
you know, and really anyone that’s involved with confidential information of others, or even financial information, anyone that is involved with protecting that or someone trusting you with that information, you can predict that cybersecurity requirements are in the very near future, if not this year, then next year. But also it’s not just us saying that you need the security tools. It’s not just us saying that you need an assessment. Here you see a little example of an actual letter from the White House that came out around this time last year. And I talked on this briefly, but Anne Neuberger, she’s the acting National Security Adviser, works directly in the White House, basically advises the President on all things cyber. Well, the President came out with an executive order last year regarding cybersecurity, telling you you need to do this, this and this by this date for certain industries. Well, Anne narrowed that down into about a three- to four-page letter, as you see, directed at CEOs, businesses, critical infrastructure, basically telling everyone that cybersecurity needs to be taken seriously. This is what you need to do; there’s five things that we pull out. You can go back and check on our other webinars where we directly talk about those five things, the essential things that you need. But this basically states that cybersecurity is important, and that you need to take it extremely seriously. Now, even recently, just this past August, last month, TSA even released a memo to aviation transportation companies, everyone in that field of business, that they must have a security assessment in the next 90 days. And they must remediate all the vulnerabilities and gaps that they find by the end of the year. So that’s specifically for that industry. But you can expect that to happen for multiple more industries as the years go by. And so it’s not just us saying that you need an assessment; everyone, the White House, the government is going to be requiring these security tools here in the near future.

Sam Haest
And it is your duty to your stakeholders as well, to keep them secure.

Davin Chitwood
That’s exactly right. And the reason behind that is because business is built on trust and relationships, and specifically relationships and trust may take two, five, to 10 years to build. And your clients, your stakeholders, your employees are trusting you with their information. They trust that you are taking security seriously, and that you’re doing everything that you can to protect them. But all that trust and relationship that’s been built over time can be taken away in seconds, simply by an employee clicking a link that they’re not supposed to, or going to a website that they shouldn’t have, or opening a file that was malicious. And now it’s accessing or creating a folder in the background, because you didn’t have the proper security controls in place. Now you’re a victim of a ransomware attack, and all that trust that’s been built up is thrown out the window. Now it will take years and years and years, of course, to build that trust back, build those relationships back. But as a business owner, as a CEO, even just as an employee, it is your duty to your stakeholders to take security and cybersecurity seriously, simply because of trust. And that’s what you should do to keep that healthy business relationship. Another thing that we’re seeing as requiring an assessment, a cybersecurity risk assessment, is cyber insurance. If you have a cyber insurance policy already, or you’re looking to get one, you may have seen, or it might have even been a part of your application process, that you’re required to have a cybersecurity and risk assessment. Now, the reason behind that: they may even provide you with an assessment. But if you are an extremely vulnerable company, that premium can now go from maybe $1,200 a year to $5,000. And we’re seeing results like that, simply because cyber insurance companies got slammed last year with payouts in claims regarding cyber attacks. And they realized that cyber insurance companies didn’t do their due diligence understanding the risks that companies have. And so now they’re putting it on the company to make sure you have your assessment, you have these preventative measures in place, to even be compliant with that cyber insurance policy or even to get a cyber insurance policy. Just like car insurance, if you don’t have antilock brakes, or your home insurance, if you don’t have smoke alarms, that premium is going to skyrocket, or they may not even insure you. So with growing cyber insurance, security assessments are extremely needed. Let alone cyber threats are changing. The security tools that you used five years ago aren’t the same. They don’t work the same. They may not even work at all anymore, simply because cyber threats are changing and adapting, and the vulnerabilities and gaps that you may have had five years ago, let alone even two years ago, aren’t the same. And now you need an assessment annually to continually adapt and change your defenses, adjust your cybersecurity defenses, to combat how those cyber threats are changing, these new vulnerabilities that you’re having each year. And that’s why we hold these account reviews with our clients, making sure they understand exactly where they’re vulnerable, and adjusting their defenses as needed. So what does an assessment look like? What is the process? You’ll see a brief example here, just red, yellow, green squares. Of course red is bad, yellow is needs to be worked on, and green, of course, is good, maybe some things you’re already doing right. And we’ll dive a little bit deeper into that. But the process of a simple cybersecurity risk assessment comes down to three steps. Step one, information gathering: understanding your network, your operations, what information you may need to protect, finding those vulnerabilities, finding those gaps. From that, we take all that information, build this assessment specifically for your business, for your organization, helping you, making sure you understand the risk associated. And then step three is when we actually review the vulnerabilities with you. We break it down in the graph, like you see on the screen right now. And it will be very specific to what your gap is and the risk associated with that. But then we tell you the recommendations to fix that. And we even show you how you can fix that; we can even help you with that. Now, a lot of people say, well, I may not have time for this, but

Sam Haest
it’s really only an hour time commitment, if that. Really, if that, maybe 40 minutes, unless you’re a talker, something like that. It’s not even gonna go an hour. Usually a lot of people don’t think they have the time at all to check this out. But it’s really simple; the most time you’re going to spend is an hour until you get set up, honestly.

Davin Chitwood
Definitely. And we’re going to just go ahead and dive a lot deeper into this assessment. We had someone ask for more details. Well, let’s get right into it. Now you see this three-step process. And Sam talked about the time commitment. This can be broken down into two meetings, three meetings, whatever works for your schedule; we can adjust and make that work specifically, of course, for you. Now, what you’ll see here is, let me go back one. What you’ll see here is an example that we just put together real fast of what an assessment may look like for your organization. So of course, you see the red, the yellow, the green. For this example, we’ll say green is some things that you’re already doing well. And so on the Rapid Assessment square, you’ll see right in the middle is a square that says Managed Detection and Response. What does that mean? And how is that specific to your business? So we talked briefly about how you may have antivirus, and that’s what you’ve been relying on for a very long time. Well, antivirus simply just isn’t good enough anymore. And I’ll tell you why. The reason is because the way antivirus works is that it relies on virus signatures to detect a cyber threat. And nowadays, just to keep it brief, cyber threats may not have virus signatures anymore. For the antivirus to find that exact virus signature, the threat has to be known. And for it to be known, it has to be about three to six months old. And so now you need an actual tool that can monitor and detect threats in real time, 24/7. And this should be the first step to any security approach. This would be a security tool that you can put on all your workstations, or, if you work in the water and wastewater industry, on your SCADA device or industrial control system. An EDR, which is an endpoint detection and response tool, that’s something that should be required on your SCADA device, just for the simple fact that you are protecting and servicing so many people in your community. And if there’s manipulation to the chemical treatment, or even maybe the valves that affect your water, which can be controlled by that SCADA device, that’s something that needs to be protected. Now you’ll also see backup and disaster recovery on here, from the example we used with an accounting firm. If your backups aren’t being checked regularly, daily, then basically you don’t have backups at all. You’ll see security awareness training in the top right corner of the rapid assessment as being red. That correlates directly with cybersecurity insurance that we mentioned briefly before; a lot of cyber insurance policies are actually requiring continuous cybersecurity training.

Sam Haest
So that’s gonna keep everyone in the office sharp. Overall, that’s exactly right. The biggest thing with that is, you can have all these tools, but at the end of the day, the statistic is 90% of successful breaches come from somebody in the office who clicked on something they shouldn’t have, or somebody that didn’t do something right, that they fell for a phishing email, maybe, anything along those lines, and training is going to keep them sharp with that. That’s exactly

Davin Chitwood
right. And you’ll see in the top left, two-factor authentication. If you are using remote access of any kind, such as remoting into a workstation from home, or maybe you’re in the office and remoting into your server, or maybe remoting into that SCADA device, if you’re doing any type of remote access, two-factor authentication should be required. And that’s simply because if those logins or those credentials to remote into another device become compromised, that is an extremely hard attack to stop and even detect, because it looks like it’s simply coming from you. But if you have two-factor authentication installed or being used, if your credentials become compromised, the next step they have to do is reach in your pocket and grab your phone. My phone is always in my pocket, so I’d be very, very impressed if someone got that from me. But a simple example of that is just something that happens every day that may be overlooked, especially regarding remote access. Working from home is a lot more common now. But that two-factor authentication is extremely important. Now, of course, there’s a few more other topics we could get into here. You’ll see the acceptable use policy: making sure your employees are not using personal devices for work, making sure they’re business grade, and if so, having a policy in place to manage that. It doesn’t just go deep into security and the technical aspect of an assessment, but it also talks about policy and practices, which is extremely important as a whole for your company. There’s a few more things here; this goes more into the actual setup and operations of your organization, such as: do you have a server, the number of workstations, how old are your workstations and servers? Of course, as your workstations or computers get older, there comes more risk associated with that, as well as servers, and how those are managed. We talked a little bit about helpdesk. Of course, when we get into the IT side, are you using break-fix? Or do you have a managed IT service provider now, and the pros and cons of each and how that specifically affects your business.

Sam Haest
But overall, of course,

Davin Chitwood
this is our goal.

Sam Haest
It’s just like your traffic lights. That’s how I always mention this: you like a green. So this is what you look like when you listen to your professional, your cybersecurity professional. In the end, you would have an audit score of 100, because you’d have all these security recommendations. So that is your end goal, especially as being a customer of ours.

Davin Chitwood
That’s exactly right. Of course, this doesn’t happen immediately. This happens over time. But this is the end goal, and it’s a great visual to take to your decision makers, where you understand their gaps and how to fix them. And this is where we want to take you. So what do you do after an assessment?

Sam Haest
And I just kind of want to take a little note here in the chat, throw it in there. How many of you have ever had a computer broken down for at least 24 hours, and it was making you unable to get work done? Just put it in the chat.

Davin Chitwood
And the reason we asked that is most likely, if your computer broke down for a very long time and now you’re unable to work, it’s because you didn’t take the preventative measures to prevent that downtime that you’re trying to avoid. And most likely, you didn’t take action. Now, what you do after an assessment: you know exactly where you’re vulnerable. You know exactly what your gaps are. And now the only thing you have to do from this is take action, actually do what the professionals have told you, apply those recommendations. And that may be a multiple-step process as: okay, we know exactly what we need. Let’s go review with our board or review with our decision makers, and show them this, tell them what the next steps are and how we can do that. And this is a very, very important part where you utilize your information security team. Here at Iron Tech Security, we can hold the assessment for you, tell you all the recommendations, but we don’t end it there. We don’t just say, okay, here’s what you need, go make it happen. We actually tell you exactly what you need, exactly how to fix it. And we let you know that we can fix all of this for you, all in one sweep; we can take care of these vulnerabilities, address these gaps. And we fully understand the risk associated with not doing this to your business. And we want to consider ourselves a partner with you, because if you’re protected and we’re doing a great job, then that’s a win-win. So the main thing is you take action after you understand your vulnerabilities, after you understand your gaps. And it’s extremely, extremely simple to get started. We are currently offering a free security and risk assessment. Today, you can schedule it right now; there’s going to be a link that Kindy is going to put in the chat. All you have to do is click on that. It’ll take you to a calendar where you can pick your date and your time, specifically what works for you. And once you schedule that, it’ll schedule directly, and you will get a confirmation email, or you can add that directly to your calendar. It doesn’t take maybe 45 seconds, very, very simple and easy. But I know a lot of people stated that they have not had a security and risk assessment in the past year. And that could have been even multiple years. And if not, it’s extremely, extremely needed. Like we said before, this is a very, very little time commitment. Maybe two meetings of 30 minutes; most likely it will be two meetings of 15 minutes. And if you can’t carve out 30 minutes, or an hour, to better your business, then contact us and we’ll see if we can work something out for you. You can email us, you can call us at that number. But we are here to help you. Like I said before, you do not need to have specific personnel or a specific type of employee to help you with this assessment. Your IT team is not needed. You can include them, but you don’t have to. We work with you. And we make sure you understand specifically how this can be addressed to your business, your operations, and the risk associated with that.

Sam Haest
Do you want to do a quick Q&A here, Davin?

Davin Chitwood
Yeah, if you have any questions in the chat, please put them in there.

Sam Haest
We haven’t watched that already. Yeah, yeah, we

Davin Chitwood
have one that I hope we addressed earlier. If you would like more details, let me know, and we can dive into the details of that assessment a little bit more,

Sam Haest
let us know specifics.

Davin Chitwood
This assessment is also, like we said before, a great visual that you can take to your board, you can take to your leadership, to help them understand exactly where you’re vulnerable, where those gaps are. And then when they say, okay, how do we fix it? Well, you already have someone to fix it. That’s us at Iron Tech. And it’s completely free, very, very easy to get started, very easy to sign up, but doesn’t cost you a thing. No requirement after. You can take this assessment with you after and do with it as you will. But we’re here to help, educate, answer questions, do whatever you need us to do to help protect your organization.

Sam Haest
We have another question here, Davin: how can we gather information about the business?

Davin Chitwood
No problem. You can go to irontechsecurity.com, or you can simply email us at sales at Iron Tech Security. I’d love to talk more about us, but also learn more about your organization and how we can help you. Feel free to give us a call or schedule that assessment. That’s a great way where you can get to know us, and we can get to know you. That first meeting is a lot of information gathering, where we go back and forth learning about each other. And so that’s a great way to learn about us at Iron Tech Security and kind of start that conversation.

Sam Haest
Yep, the website address is in the middle of the slide here.

Davin Chitwood
Any more questions, feel free to put those in there. We’ll stay on as long as we need to get those answered, but I think that’s

Unknown Speaker
everything. So, I just want to thank everyone for joining us this afternoon and you will be receiving an email with the recording link. So feel free to share that around if you would like and we’ll see you guys next month.

Sam Haest
Thank you guys for coming. Have a good day, guys. See you soon.

Unknown Speaker
Alright guys. See ya.