Cybersecurity Best Practices To Protect Your Organization
Cybersecurity threats are on the rise. Protecting businesses from digital threats is more important than ever. Eric Montague, Founder of Executech breaks down the common threats and solutions for cybersecurity.
What you need to consider to develop best practices:
- What is Ransomware?
- What are phishing emails?
- How to protect sensitive data?
- How is my operating system affected?
- Is my business at risk from cyber attacks?
- How can I protect my business from cyber criminals?
- What technology is available to protect against ransomware and malware?
- What is social engineering?
- How to tell if I need a firewall?
- Do I need cloud backups?
- Do I need a data recovery plan?
- And more!
Need help securing your business? Not sure where to start? Our cybersecurity experts are offering a FREE cybersecurity audit for qualifying organizations. With a cybersecurity audit you’ll get:
- Detailed “Task List” Report
- Complete Network Analysis
- Risk Score & Report
- Asset Summaries
- And More!
Cybersecurity for Business Course Transcript/Overview:
Making Cybersecurity a Priority In Your IT Best Practices
Overview of cyber threats and how to protect your business
- Intro to Cybersecurity
- Infrastructure Integrity
- External Penetration Test
- Internal Breach Detection
- Next Generation Firewalls
- Intrusion Prevention
- Dynamic Blacklisting
- Content Filtering
- Intercept X
- Anti-Virus Software
- Email Security
- Spam Filter
- Geo Filtering
- Block Email from Yourself
- Account Configuration
- Suggested Security Schedule
- 2 Factor Authentication
- Revision History
- Regulatory Compliance
- Disaster Recovery
- Your Team
- CISO (Chief Information Security Officer)
- Social Engineering
Full transcript below:
Welcome to Executech Courses. My name is Eric Montague. It is a beautiful summer day here in Utah. And we’re going to talk about something not so beautiful, the possibility of getting breached.
So in my book making something nice and secure is beautiful. So we will go through today and talk about kind of an overview of cybersecurity threats. I want to just clarify, this is by no means a course where, if you follow these items, you have covered everything you’d ever want to worry about in cybersecurity. This is the course where if you did these items, you will be protecting your business, frankly, more than like 98% of people out there. So there’s a lot of real good information here that we’ll go over today and just talk about what you need.
So here at Executech, we are a group of awesome IT nerds willing to help out. We have over a hundred technicians here to take care of you. We’re the most awarded IT firm in the Intermountain West. If you ever need anything, just check us out at mycoolnerds.com.
We start out this presentation where we talk about how you really need to worry about protecting what’s yours. So I have this fun little infographic here that my main man Gary made of a guy losing his identity as it disappears. I used to have a picture on here of my hot wife, I married an 11 and I’m a 2, and I used to talk about how protecting her and my family is what I like to protect. And she got sick of me both calling her a hot wife on video and she got sick of me having her picture on our presentation. So we have this great graphic that’s much better of a guy basically losing his identity, and that’s what can happen to you. You can lose a lot about your business, a lot about everything that you may hold dear and the ability to provide for your family or your employees or anything by not protecting what you have. So we’re going to go over all of that today.
Why do you care? Why does it matter to you? People kind of tune out when it comes to cybersecurity. I imagine you are taking this course because you are interested in cybersecurity. I imagine there’s probably 99% of C-level executives out there that probably are not going to watch this video. And I encourage you that watch this to go share it with those that can, because this topic is so important. You are at risk. It’s a very risky business we’re in, because if you hold data, you are liable for that data. You are the custodian of that data is how most cybersecurity laws state it. And because you’re the custodian of that data, if it gets breached, you’re liable, regardless of a lot of things you may have done. So you’ve got to be really careful and understand what your risk is out there.
So we’re going to talk about a few things today. We’re going to start with infrastructure security. The one thing you want to do is understand, you want to know what the bad guys are going to see. So a lot of people have in their mind some picture of a 400-pound dude sitting in a weird dark room all by himself with ketchup spilled on his stomach that he hasn’t wiped off, and he’s trying to hack into your network. That’s not the actual truth. What happens is there are criminals out there paying a lot of money to have big server farms, and in a very sophisticated approach, they’re scanning every computer, every network, everything out there to try and find if there’s a hole. And once they have that hole, that’s when the dude who probably has enough food to feed a small army in his beard, who hasn’t shaved in 10 years, gets in there to then try to hack into your network.
But the thing that you want to do, the first thing that you should do when you’re worried about cybersecurity, is have an external penetration test done. Check in on your network, see what it’s going to look like. When one of those server farms scans you, you want to know what it’s going to look like to the bad guy. That helps you know if you’re even going to be a target.
Another thing that’s important is internal breach detection. Unfortunately, cybersecurity really isn’t a technical issue. It is a human issue. Most cybersecurity breaches occur because a human made a mistake, and so there’s a lot of great internal breach detection software out there that’ll notice when one of your employees or somebody has done something wrong and is sending out data.
For example, there was a big Nissan ad, I think about a year ago, that offered 80 months, no interest financing or something, and it was really good click bait for someone to click on. People would click on it and nothing would happen. They’d wonder, that was weird, it didn’t take me to the Nissan site. And it actually just executed something to sit and track your computer for every time you entered credit card information, and then it sent out that credit card information to someone to use. So internal breach detection would stop something like that.
A lot of people ask, do I need a firewall? We get that question all the time. So obviously, the answer is yes, you’ve got to have a firewall. Everybody should have a firewall.
One of my favorite stories when it comes to firewalls: I was working with a CPA firm and I tried to sell them on a firewall. They didn’t have one. They’re holding everybody’s accounting data and they did not want to buy a firewall. At that time it was like $1,180, and they did not want to spend that. They did not want to spend money on a firewall.
And then two months later I come into the business and they’re installing this two-inch-thick glass around the entire perimeter of the reception area with this huge magnetic thing where you had to swipe a badge to get in, and I went to the owner and I’m like… we’ll call him Bob, in case this client watches this video and remembers this story. I’m like, “Bob, why are you putting that glass out there? What’s the deal?” He’s like, “Oh, I’m so worried about someone breaking in here and stealing our files. I’m responsible for them.” And I’m like, “That glass had to cost $10,000.” And I’m like, “You have no idea that you’re getting pounded proverbially on that glass every day throughout the internet and you’re not willing to have a firewall.”
I love this little graphic I have right here that says, please close the gate and everything on the sides is open. And if you don’t have a firewall, you literally have your pants down on State Street and anyone can take advantage of you. So be really careful.
A couple of things that you want to evaluate when you’re buying a firewall. So the three most common things that I talk to people about having are, one, intrusion prevention. Most sophisticated firewall brands out there, we like SonicWall, but there are many others, have some type of intrusion prevention service. And what that is, is there are tons of firewalls out there in the industry and they’re all reporting up to a headquarters when breaches happen. And then they distribute down to every one of those firewalls a bad IP address, or where someone’s trying to attack from. And so some person being hacked in Florida is benefiting someone in London, right? So that they know who’s a bad actor out there.
Another thing is dynamic blacklisting. Firewalls have rules inside of them that say, allow these types of information or these types of activities in. But even inside of that, you want to look, because sometimes even inside of those rules that are allowed, you have a problem, and you want a firewall that can blacklist once it sees a problem.
And lastly, you want a good firewall that can content filter to block inappropriate stuff from coming into your office, whether that’s pornographic content or anything like that.
So next we’re going to talk about security software. So we’ve talked about infrastructure. Now we’re going to talk about software that you can have on your network to protect you. So one item that’s new: Microsoft just came out with a fabulous product. It’s called Azure Security Center. I like Azure Security Center a lot. What it does is it connects your server to Microsoft, and then Microsoft has all of these templates or rules or wizards, whatever you want to call it, where they know how to properly maintain a server so that it’s secure. Very economical, $15 a month per server, and that Microsoft Azure Security Center will continually alert me or a technologist or whoever it may be. If you’re a business owner or professional, I would highly recommend you ask your IT professional to institute this. And I’d also make sure that whatever the reporting is coming out of that, you both get those reports to help keep us nerds honest and make sure we’re doing a good job.
Another product that’s really great is called Cloudflare. So Cloudflare protects you from getting hacked. Cloudflare is used when you have internet-facing websites, exterior-facing applications, things like that. And what it does is it protects the IP address of where that’s located. So an IP address is a unique identifier of where your stuff is, and it’s very unique to you. And if a bad guy can get that IP address, then he can do a lot of damage to your network. So we want to stop him from knowing what that IP address is, and Cloudflare’s a way to do it. It randomizes all kinds of stuff and does great algorithms that smarter people than I put together, and stops people from getting to know your IP address. So it’s really, really powerful.
Ransomware is a big issue in our world today. If you don’t know what ransomware is, ransomware is when someone does something to your computer and then they require a ransom of you to be able to get your stuff back. They may encrypt your computer, they may do many things where you’ve got to pay them money to get it back. And it’s quite interesting. It’s a very sophisticated attack. People think that it’s not that sophisticated or it’s automated. We’ve seen clients get attacked by the same person before, and one company that was a perceivably low-value company, they asked for $500 for ransom, and then from another company, by the same person with the same exact attack, they wanted $25,000. So they really research before they ask for that ransom. They’re going to research you and find out what you can pay.
And the only product on the market today that can block against ransomware is a product called Sophos Intercept X. We have not had a client to date get ransomware if they’ve had Sophos Intercept X. Very economical, it’s only $3 per user, and it really makes you safe. It’s a phenomenal product.
Do you have a VPN? That’s a really important question to ask yourself. If you are housing stuff internally at your building and you’re allowing people to get in, in today’s world, you simply have to have a VPN. There’s really no other way to really protect information if you don’t have a VPN. So if you house information that people are accessing externally and you don’t have a VPN, I’d be asking your IT professional why, and finding out what the reasons behind that are.
All right, let’s talk about email security. There are a lot of important things about email that you have to worry about when it comes to making it secure, but I want to start out by talking about the dangers of email.
I can send an email saying that I am [email protected]. It’s called spoofing. I can send it easily, and I can send it to somebody and they’re going to think it came from Bill Gates. Just because you receive an email that looks real or looks like it’s from a certain person, that does not mean it came from that person, nor does it mean it’s real. So you want to be really careful when it comes to email. It is a very good, target-rich environment for criminals. So be very careful when you are looking at email. If someone’s asking for wire information, send me W-2s, click on this link to track a package, stuff like that, just be very, very leery of whether or not it’s real.
If you are going to communicate sensitive information over email, you have to use encryption. All cybersecurity laws out there state this, and if you send information that was sensitive across email and it got captured somehow, you would be in trouble if it wasn’t encrypted. So make sure you’re using encrypted email.
Make sure you’re using a spam filter. Sounds pretty simple, but using a spam filter is critical. It stops a lot of unwanted material coming in. And your more sophisticated spam filters can do what’s called geo filtering. So we’ve got a map here that shows some of the hot spots of where bad email comes from in the world. And a really good spam filter can do geo filtering, where it comes in and it says, I’m a plumber in Utah. I don’t need to get email from outside of the United States ever, so I can block anything from outside of the United States. Or maybe you do business with the UK or something like that. You can block all other regions, and that really stops a lot of problems you may have.
Another thing that’s very important to do in your spam filter is, I don’t know how to say this other than, you block email from yourself. And what I mean by that is if I’m [email protected], which is my email, by the way, if anyone wants to spam me. If I’m [email protected] and I send an email to Bob at my company, Bob’s going to receive an email and it’s going to say Eric from executech.com. My server knows if I really sent that. So if Bob receives an email from [email protected] that didn’t come from my email server, that’s a red flag. So you can go into your email systems and say, if my internal server did not send this email, block it, because that blocks a lot of the spoofing that occurs, and it’s really important.
A couple of other items that you want to do, just some checklist stuff when it comes to email security. One, you want to do a blacklist check. The most common product for this is MXToolbox. You can go anywhere out on the web and just do a blacklist check. You should check about yearly, maybe twice a year, to see if your URL, executech.com or amazon.com, has been blacklisted, because that really interrupts your ability to send email.
If you’re using Microsoft Office 365, I highly, highly counsel you to go to securescore.office.com. This website right here, it’ll save you worlds of hurt if you go there and determine what your security score is. It’s a little bit of smoke and mirrors, I’ll be honest. It’s going to give you a score of 0 to 365. I wonder where they got that number. You want to be above 100. So don’t think that if you’re 150 you’re bad on the scale from 0 to 365. You want to be somewhere above 100. If you’re below 100, you want to fix it. If you are above 100, you’re probably good.
Search for the Google app Security Check, or Google the Google app Security Check, and you’ll be able to find that. It does the same thing, not as in depth as Office 365 does, but it still does a really good check.
Another concern that you want to keep in mind when it comes to cybersecurity is something that’s been coming up a lot lately called smishing. It’s kind of spamming and phishing through text message. So you want to be really, really careful on that one, because just like I said earlier, just because you get an email you think is legitimate, the same applies now to text messages. So be very careful. You’ll start to hear that term smishing a lot more in our world.
A key component to cybersecurity is how you configure the accounts of the users that have access to your system. You are a custodian of data, and it’s important for you to make sure that the people that you’re giving access to that data have been configured correctly. So some key components to that: if you are regulated in any industry, you are going to have to provide auditable trails of how a user was created, who approved that user to be created, when they were removed, and you also need to do some quarterly reviews to make sure everybody’s there.
Some of the things that are most important when it comes to account creation are right here, this block. You want to make sure you have two factor authentication. If you don’t remember anything about this training today, please turn on two factor authentication. It’s critical. It blocks most problems in our world today.
You also want a password with eight complex characters. You want that password to lock out after five bad attempts. So if someone gets into your network and they’re trying to hack in with a password generator, you want the user’s account to lock out after five bad passwords. And you also want passwords to expire after about a quarter.
You want to make sure your network has backups, and you also want to make sure you have good physical security. Do some penetration tests. You want to make sure you have good UPS backups, you want to have fire suppression and things like that. So, very important information when it comes to setting up your users.
When it comes to creating accounts, you’re going to hear a term much more in our world today called data loss prevention, or DLP. DLP is a set of security parameters that you can put around data that block what can be done with that data. For example, if you have credit card information, you can put a DLP policy in place that won’t allow any emails or Word documents or PDFs, anything, to leave your company’s cloud provider or your company’s domain or your company’s server; with that DLP restriction, it won’t allow it to leave.
Or you can even say we don’t allow any access to data outside of certain areas, to really make sure you have control of your data. I don’t allow it to be downloaded. I don’t allow it to be printed except by maybe a certain number of users, things like that. So data loss prevention is really helpful.
A key in cybersecurity is backups. We always say, and you’ve probably heard me say it before, backups are the Holy Grail of computing. You really want to make sure that you have good backup systems.
A key component to a good backup plan is having images. Imaging is where you take a replica of your server, and you do it nightly or in real time, to make sure that everything that’s on it is out wherever that replica is placed, because just a data backup is not enough. You want to worry about configurations of your server, security settings, things like that. So an image takes an exact snapshot of your server or your computer and puts it somewhere in case you need it.
A couple of things to consider when it comes to cybersecurity: you are probably regulated. If you don’t think you’re regulated, you probably are. Maybe you’re not. We are located in the state of Utah, and every company in the state of Utah has to meet minimum cybersecurity laws. It’s a Utah state law. Most other states have the same type of law. That is new just within the past year or two for a lot of states.
A couple of the compliance schedules we listed here are the most common ones. PCI compliance, if you take credit cards. HIPAA, if you are in the medical field. NIST is just a general good guideline of how to keep things cyber secure. Red Flags is if you’re in the municipality or civic world; you have to follow the Red Flags rules. And if you’re in the financial industry or some type of servicer of financial information in any capacity, a lot of those organizations follow what’s called SOC 2, which is service organization compliance.
People consider a lot of these problems of cybersecurity to be a technical problem, or that we need technical preventions for them. The simple fact is these are all human issues. Without the right intelligence and people being aware of it and trying to protect the organization against it, you will have problems. So your team is critical.
One of the things you may want to consider is whether or not you have a chief information security officer. Many organizations do today, where they didn’t a while ago. Or you can go to what’s called an MSSP, or managed security services provider, that focuses just on security to take care of some of your needs.
Another thing to keep in mind with your team is you may want to perform some tests on them. You’ll hear in the technology world something called social engineering, and it’s where we will perform a test on your people to see if they’d fall for some of these phishing scams. And when I say we, I mean technologists in general. Obviously, Executech can do it for you, but any of the technology firms can take care of it. It is where we will test your users. So let’s say you’re a business owner. You have 50 employees. We’re going to test all 50 to see if they would fall for some of these phishing attempts or scams. And then we’ll come back and tell you how well your team did. We can train them on not allowing it to happen again. And then sometimes we even retest them to go back and see if they learned anything.
And obviously, the most important part of cybersecurity is you. If you are not becoming keenly aware of how dangerous it is in our world today, you really need to think about it and do a better job. If you’re an employee of a company, think about how you’re being a good steward of that company and the data that’s being held. If you’re the owner, you have legal obligations as well as to what you have to do with that data that you’re protecting.
So if you want to know more about any security or the needs of your business, you’re welcome to contact us. We’re happy to do a free cybersecurity audit for you to help you. No obligation. We’d love to do a security audit for you and show you where you might need to improve and help out your business. Thank you for spending time with us today.
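The "block email from yourself" rule from the email security section, as an added example that is not part of the course or Executech's own tooling: a small inbound-mail check that quarantines a message claiming our own domain in From: unless it was either authenticated (DMARC pass) or handed to us by our own relay. The domain example.com, the relay name mail.example.com and the sample messages are all constructed for this example, and it assumes the edge mail server already stamps an Authentication-Results header.

```python
"""Added example (not from the Executech course): the "block email from
yourself" spam-filter rule as a small, testable check over raw messages.

Assumptions (constructed for this example): our domain is example.com, our
only outbound relay is mail.example.com, and the edge MTA adds an
Authentication-Results header with SPF/DKIM/DMARC verdicts before filtering.
"""
import re
from email import message_from_string
from email.utils import parseaddr

OUR_DOMAIN = "example.com"            # assumed, not the page's real domain
INTERNAL_RELAYS = {"mail.example.com"}  # hosts allowed to originate our mail


def auth_results(msg):
    """Collect {'spf': 'pass', 'dmarc': 'fail', ...} from Authentication-Results."""
    verdicts = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", hdr, re.I):
            verdicts[method.lower()] = result.lower()
    return verdicts


def first_hop_relay(msg):
    """Hostname in the top-most Received: header, i.e. the hop nearest to us."""
    received = msg.get_all("Received", [])
    if not received:
        return None
    m = re.search(r"\bfrom\s+([\w.-]+)", received[0], re.I)
    return m.group(1).lower() if m else None


def classify(raw):
    """Return 'accept' or 'quarantine' for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    if domain != OUR_DOMAIN:
        return "accept"        # rule only concerns mail that claims to be us
    if auth_results(msg).get("dmarc") == "pass":
        return "accept"        # cryptographically/SPF-verified as really ours
    if first_hop_relay(msg) in INTERNAL_RELAYS:
        return "accept"        # our own server handed it to us
    return "quarantine"        # claims our domain, did not come from our server


# Constructed sample messages.
SPOOFED = """\
Received: from mx.attacker.invalid (mx.attacker.invalid [198.51.100.7]) by edge.example.com
Authentication-Results: edge.example.com; spf=fail smtp.mailfrom=example.com; dkim=none; dmarc=fail header.from=example.com
From: Eric <eric@example.com>
To: bob@example.com
Subject: Urgent wire transfer

Please wire the funds today.
"""

INTERNAL = """\
Received: from mail.example.com (mail.example.com [203.0.113.5]) by edge.example.com
From: Eric <eric@example.com>
To: bob@example.com
Subject: Lunch

Sandwiches at noon?
"""

EXTERNAL = """\
Received: from smtp.partner.invalid (smtp.partner.invalid [192.0.2.9]) by edge.example.com
From: Ann <ann@partner.invalid>
To: bob@example.com
Subject: Invoice

Attached.
"""

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("internal", INTERNAL), ("external", EXTERNAL)):
        print(name, "->", classify(raw))
```

A real spam filter applies this through its DMARC/"internal sender" settings rather than custom code; the point of the block is to show exactly which header facts the rule relies on.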