We recently hosted a Webinar covering the EXP IT Security Program.
Over the last 2-3 years we have seen an exponential increase in cyber security attacks among our clients. Virtually all businesses in all industries are at risk – it’s not just big business anymore! We have developed a simple program for all our clients to assess their current risk and reduce the risk of falling victim to an attack, while being cognizant of the costs.
To learn how you can improve your security position without breaking the bank, view the free Web seminar here.
What you will learn:
- How we assess risk by reviewing 10 key security measures.
- What each of these 10 measures is, how it helps to keep you secure, and how it impacts you when you deploy it.
- An example EXP Security Program budget.
If you need help or would like to learn more, please contact Tony Lesirge directly.
All right again good afternoon everyone my name is Jesse Aust and I work in the sales and marketing… I head up the sales and marketing division for EXP Technical and want to thank you guys for joining us today!
It’s a bright sunny afternoon and hopefully it will make it worth it with our giveaway at the end and also the good information that we have coming from our CEO Tony Lesirge.
So today we’re going to be talking about EXP Technical and specifically how we approach and plan and map out our cybersecurity program for our clients and what that would look like going into an initial meeting as well, so you can see our ten key areas that we focus on within that cybersecurity program.
So we’ll go ahead and move into it, “Reducing Risk Without Breaking the Bank.”
And real quick just a couple housekeeping items:
Questions—There is a question box you guys can submit your questions within the webinar and we’ll get to those at the end but from now until we go we’ll just hold on to those. Raise your hand put it into chat and again we’ll get to it after we wrap up.
Let’s introduce Tony our CEO. Tony’s got 20 years of experience in IT across multiple segments and industries both here in Seattle and on the West Coast. You can see some of his key points. Not only a really good looking guy but he’s got an amazing accent so when you get to sit down with him it makes you feel super at ease. And again: 20 years’ experience! I’ve been working with Tony for about 10 years and I tell you what, he doesn’t miss much!
So the format for today kind of went over it what we’ll hop right in here and I’ll let Tony kick it off with our presentation. Then again we’ll have the Q&A, and then we’ll send out a recording of this after we get done. And then at the end we’ll do the prize drawing and you have to be online to be eligible to win that. So once everything’s said and done and we do that we’ll get with you’ll get that over to you.
So, Tony, I’m gonna go ahead and pass it over you and I will get started.
A True Story…
Thank you Jesse, hello everyone this is Tony and I’m gonna get things started with a true story from the field. This actually happened to one of our clients…. before we dive into the rest of the
So last year someone in the accounting department at one of our clients got a spear-phishing email and this email had a malicious PDF attached to it.
Now they opened that up and they went ahead and clicked on the link in there, which took them to a fraudulent Office 365 login page. They entered their credentials, and when they did that, they were actually giving their credentials to the attacker—the person who sent them the spear-phishing email.
Now that person went ahead and logged into their email and the first thing they did was to set up a rule that forwarded this person’s email to their own Gmail account…to the attacker’s Gmail account.
Now interestingly, the next thing they did was just sit there and they just waited and watched and they looked at all the emails going by.
And then a few weeks later they saw going outbound from this person’s mailbox, a large invoice.
And at this point they inserted themselves into the conversation. They still had direct access through Outlook Web Access to this person’s email. And they sent an email to the customer of our client and said, “Please could you pay this invoice to our new bank account? And here are the details of that…”
Now fortunately between the customer, our client, and EXP Technical we were able to stop this before the transaction happened.
And the cash was never sent and luckily the attacker didn’t get it. But my point here is that people are out there, and they do some really crazy things in order to get what seems like a relatively small amount of money.
So I’m sure all of you out there have seen the iTunes phishing emails. The spear-phishing emails that look like they come from the CEO or their business owner, or someone senior in the organization. And people are out there trying to get relatively small amounts of money targeting small businesses.
So my point is: it’s really not just big businesses that need to be thinking about cybersecurity anymore these days.
So the goal of today is to do a little education like the information I just shared with there like the story I just shared about the cybersecurity landscape.
We’ll talk about how we at EXP assess and try to mitigate the risk for our clients.
We’ll share ten key things—measures or controls as they’re often referred to in the cybersecurity industry—the things that we recommend you do.
And we’ll talk about how much that might cost you.
So just to give some context here about the cybersecurity landscape: today the U.S. is the largest target out there. The number one target for cyberattacks. And the US government plans to spend about fifteen billion dollars this year alone on cybersecurity.
SCORE who are an organization that works hand-in-hand with the US Small Business Association… And they do mentoring, coaching, training. They did a report that stated that 43 percent of attacks are now targeted at small businesses.
And Juniper who are a network security company in another one of their reports reported that small businesses are investing less than five hundred dollars per year in cybersecurity products and defense.
And finally, Aviva they’re an insurance company, a worldwide insurance company…and they put out a statistic that if you are breached sixty percent of your customers or clients will think about moving on because of the impact. I guess that they’re scared that their data or their information was also breached that you’re holding and thirty percent of them do move on.
So this is, as we have seen at EXP, a real issue over the last two to three years. We’ve seen a growing number of attacks with phishing, with ransomware etc.
So we’ve put together… and we’ve been obviously doing things with our clients to mitigate these risks. But we decided it was time to put together a formal program to try and help our clients.
The EXP Approach
Now our approach, as with everything we do, is to try and “right-size” (if you like) our program. So enterprises out there with large IT departments, they’re going to have whole teams of people who can work on this stuff. They’re going to have huge budgets in terms of putting in solutions and services. We know that’s not the case for our clients. So we try and build these things so that they are simple enough, affordable enough, and obviously effective in tackling some of the problems that small businesses could face.
So our approach was
- Figure out what we think the key things you can do are
- Develop a way to assess the status of each of our clients and then
- Propose affordable simple solutions that can mitigate the risks
And as with all these things, this isn’t a one-time process.
We are looking to then reassess, so we’ll be looking in the future at, “OK. These were the ten we’ve decided were the right things to look at in 2019. Maybe in 2020 there’s some new things that come up.” So it’s cyclical. The idea is that we do this on an ongoing basis.
So I’m not going to read this entire slide out. I’m not expecting you to read all of it. The point I’m trying to make with this is that the cybersecurity/IT security requires a multi-layered approach. Many, many things can and should be done to help protect you. This is just a small sample of all the things that could be done; there are many, many more.
What we’ve done is choose 10 that we believe will provide the biggest bang for the buck and have the biggest impact for our clients—who are typically, you know, under a hundred people; definitely under five hundred people.
10 Key Measures
So these are the things that we’ve picked. And we’ve ordered them in… from the basic things that you might include in a cybersecurity program. All the way down to what might be included in a more mature program. And I’ll be diving into each one of these in a lot more detail. So I’m not going to go through them one by one as we look at this slide, but you can see up at the top basic password policy moving on down.
If I had to pick one thing that we would recommend everyone do, it’s probably multi-factor authentication (MFA), which is a very strong protection against many of the attacks we’re seeing today…down to security and awareness training, which again some people don’t think about. But it’s critical for helping people spot these types of attacks because the software can’t always do everything. And at the bottom a risk assessment which again we’ll cover a little more shortly.
Now you’ll notice there’s some things that might…you might think are obvious, that aren’t on here. Antivirus might be one of them. So we’ve made some assumptions that clients small businesses out there are going to have in place some basic measures already. And we’ve tried to pick some things that we see aren’t always in place or people aren’t always thinking about.
As I alluded to before in the previous slide there’s many, many things you can do. We pick these ten. We think these are the right ten to focus on now, but obviously we’ll be constantly reviewing that.
A Simple Assessment Methodology
So how do we assess the current status of a client?
As we begin this type of exercise well we took our 10 measures. And we developed a simple way to score them: zero one and two. We weighted them all equally for the sake of keeping it simple. And then we calculate a total and convert it to a percentage.
And then you can see in this demo here, if you like that, the clients below 25% are considered high-risk.
The medium clients in orange there—that’s between 25 and 75 percent score—are in that medium risk.
In the high risk, or the low risk, I’m sorry, are over 75% so pretty straightforward and fairly simple to do based on the criteria that we’re about to look at.
So we’re going to go through each one of the controls, the measures that we talked about. And I’ll go through what we’re looking at, what we think you should be doing, and once we finish that, as I said, we’ll go into how we do this and what it might cost.
So password policy might seem obvious. Not everyone has them, especially not with expiration. So we’re looking for a policy to be in place we’re looking for complexity rules. And by that we mean: requiring uppercase, lowercase, special characters, numbers, and at least expiration every six months.
Taking it to the next level, to get a score of two on our measure, we’re looking for multi-factor authentication. That’s for local login, not just Office 365. Whether that be on your Windows domain or local Windows workstation. Or the use of pass phrases. And pass phrases in current security thinking–IT security thinking—are what is really recommended. They’re essentially very long passwords, made up of multiple words with punctuation, spaces etc. They’re very hard to crack but they’re typically easy to remember and they take a little training—for people to get the hang of creating them.
I have an example of one here.
So “3 Banana Pancakes Sunday Happy!”
You can see it’s got uppercase lowercase number a special character… It’s long, but actually pretty easy to remember but extremely difficult to hack. So once you get people in the mindset and trained on how to create these things they can be extremely effective. Combine that with multi-factor authentication and you have a very secure password.
OK, so the next one is backups and you may not necessarily think of backup straightaway when you think of security, but of course if you do get compromised, if you are a victim of a ransomware attack, then you need to be able to recover. And backups are critical.
So we’re looking for local image based backups. We’re looking for secured backup targets that’s critical! We actually haven’t seen this, but we have read that in some ransomware attacks, not only is the data encrypted but the backups are also encrypted. So then you are left with no choice but to pay the ransom.
So backup targets—that’s where the backups are stored—should be secured. Only the backup software and a very few number of administrators should have access to it and of course we’re looking for some kind of off-site backup.
To take it to the next level, we’re looking for a cloud-based disaster recovery service: that’s some kind of cloud service that actually allows you to recover—run your servers or your systems in the cloud—or alternatively, you know, if it’s not a purpose-built service maybe it’s a colocation facility. Maybe it’s just public cloud infrastructure that will allow you to recover in the event of an attack.
Business Class Firewall
Now we went back and forth about whether to include firewalls: you know everyone really has a firewall these days but they’re not all necessarily what you would consider “business class.” And they’re not all necessarily kept up to date. So we did include this.
We’re looking for business class firewalls with up-to-date software. If you don’t keep the software up to date then the firewall isn’t capable of dealing with new exploits—new attacks that come out.
And then for a higher score: We’re looking for unified threat management (UTM) features that’s what UTM stands for. That they need to typically be licensed and enabled. They can do perimeter malware scanning virus scanning they can do content for where they’re blocking certain websites. And they can even do geo-filtering, where they’re blocking access into your network from certain parts of the world.
We’re also looking for strict rule sets. So that limits traffic not just inbound but also outbound from your network.
So for example: if one of your computers was compromised when it was trying to send stuff or communicate outbound to the internet for remote control or other malicious purposes that could be blocked from going out of your network.
Secure Email Server/Office 365
Now almost all of our clients these days have Office 365 and if they don’t, most you know they probably have some kind of email server maybe it’s Exchange. And there’s things you can do to secure Exchange or Office 365 that people may not think about.
So Office 365 comes with the free multi-factor authentication. If you have Office 365, we highly recommend you make use of that. There’s some other things you can do that aren’t turned on out of the box. And Microsoft is actually starting to do a better job with security. Office 365 actually has its own secure score that you can access. And recommendations that they walk you through but some of these things we recommend are not on by default.
So disabling forwarding to remote domains… That basically means that emails can’t be forwarded via a rule like we talked about when I talked about this story in the beginning to a Gmail account or some external account.
We can disable specific features. Not that many people these days with smartphones (and the fact that outlook just works over the internet) really use Outlook Web Access. So if you’re not using it, turn it off!
And then basic mobile device management to require people to encrypt PINs – er… to encrypt devices…I’m sorry…and require PINs on their devices. Might sound straightforward but not everyone does that.
And then again taking it up a notch: subscribe to an advanced threat protection service to filter your email. That could be through Microsoft, but there’s plenty of other third-party solutions out there as well that will do things like trap links that are sent to you via email, and essentially quarantine the link, make sure that the site it’s taking you to is good and then allow you on to the site.
They also use AI to do things like look at phishing emails, to do attachment scanning. So these services including Microsoft and others are becoming more popular.
The other thing you can do—which is really directly aimed at stopping phishing and spear-phishing—is you can put a banner at the top of emails that come in from external senders. And the idea with this is that if someone’s spoofing (that means pretending to be someone in your organization but they’re not) you can see that that email actually came from an external sender because there’s a little banner that tells you that. So it may look like it comes from, you know, “jesse@exptechnical…” but it’s really come from a Gmail account. So that could alert users to that.
Multi Factor Authentication
As I said in the beginning, if I had to pick just one thing… he asked me “what’s the one thing I should do if you… out of all these things. It would be multi-factor authentication.”
We think that it would probably stop 90% of the compromises we’ve seen out there just by turning this on. And as I mentioned you can do that with Office 365 at no additional cost.
Now if you want to take it to the next level, you can sign up for a third party service—or indeed through Microsoft—to have multi-factor authentication for your Windows logins you can have it integrated so that that also works the same way for Office 365. You can integrate it with almost any VPN solution so that you really have two-step authentication for all of your users all of your people however they’re connecting, whether it be to your servers; whether it be to Office 365; or indeed some third-party software as a service application.
SRP & Local Admin Rights
Software restriction policies (SRP) and local administrator rights… The idea with these is to block ransomware if your users if your staff have full local admin rights on their machines obviously they have access to a lot of functionality. That they… that can mean that a machine can become encrypted, and then that can spread to the network and other machines on the network. In addition, we can apply what we call “software restriction policies.” And what they do is limit what applications can run on the desktop. So between those two things one or the other we’re looking for it to score one point. And then if you have both we would mark you as a two for that one.
Security Awareness Training
So no matter how much technology you have in place that can’t mitigate for human error. So security awareness training is something that we are really recommending that everyone do these days.
Now that could be as simple as an in-house training that’s done for new hires. We actually did a webinar a few months ago and we have a video that we can share with you if you like. It’s freely available. That is a 15 minute training session. So that would be sort of initial score one for that.
If you wanted to take it to the next level, there are subscription services out there. KnowBe4 is just one of them. There’s others available that provide this training for people.
And many of them also include what they call “simulated phishing.” So essentially the service that you subscribe to will send phishing emails or simulated phishing emails to your staff and then tracks who’s clicking on them. And then we can target those people with additional training. And this would probably be in my top three recommendations. You can put all the technology in the world in place but if someone deliberately clicked something, goes to a website, enters their password in a website that’s malicious, the technology can’t always stop that. So training is really important and we highly recommend it.
IT Security Policy
Now we’re getting into the policy/procedure assessment pieces. They aren’t necessarily technologies they’re more documents processes that you that we as your IT team and you and the people within your organization can read sign off and follow.
So we’ve identified three key policies we think everyone should have. They don’t have to be huge documents. They don’t have to be three different documents. They can be one document and they could just be part of your company handbook… And that’s
- the acceptable use and security policy,
- some kind of mobile device and remote access policy,
- and a sanctions policy that defines what will happen if these policies are breached.
So again, they could go in a company handbook everyone has to read when they join the organization.
And then if you want to take it to the next level we’d be looking for a sign-off recorded sign-off that people have read and agree to these policies.
And of course, you could have additional policies that one other one that is relevant especially if you’re in a regulated industry would be data classification policy.
But there’s a long list of IT security policies that you could put in place and actually as we move to the assessment piece we’ll touch on some of those other areas now.
IT Security Procedure
In terms of procedure, we’re really looking back at IT to the IT department whether that’s outsourced, or someone within your organization for these procedures. And they should be written.
And there’s three that we’ve identified, or you could consider them four, because if we look at number one it’s a user onboarding procedure, and a user termination procedure. When people are incoming to your organization how are they set up? What permissions are they given? What software are they given? And as they leave the organization, what’s done to terminate the account? Disable passwords? Save or discard their data? Etc.
An incident response plan and procedure. It really covers what IT should do along with the rest of the organization if there is a security incident; typically aimed at, but it could be some kind of disaster incident as well which really overlaps with the backup and disaster recovery procedure.
And with that we’re looking for: documented steps about how to recover data, how to recover servers in the event of an either a disaster or an incident…maybe a ransomware attack. And we’re looking for that to include testing of the procedure. And we can work with organizations with our clients to create these things.
I don’t think they can really be created in a vacuum by IT. IT can do most of the work, but it has to be a partnership with the leadership of the organizations who determine, for example, “How are we going to handle terminations?”
And again taking this to the next level—to score two points—we’re looking for records that these procedures are being followed. So every time a new user comes on board, is there a checklist? Have that checklist recorded and saved so that if there is ever an issue we can go back and say, “OK, this checklist wasn’t followed,” or “It was followed but this step was missed.”
Annual Risk Assessment
And the final item is an annual risk assessment and security plan. And we have built essentially a lightweight assessment that was developed by Pat Cooke, who’s on our team. He’s a certified information security professional (CISSP). And this is based on NIST standards. And NIST is the National Institute of Standards and Technology. It’s pretty much the de-facto standard when it comes to IT security.
So these assessments are typically done annually. They include a written document as the outcome. And they have a set of prioritized risks at the end of them and remediation tasks are defined.
And the areas covered that.. They’re in the small print here I won’t go through them all but you will be receiving a copy of the presentation as well as this video afterwards. Things like access control, auditing configuration management… These are all areas that are covered in the NIST standard.
And if you would like to score two points on this, if you go through this assessment process, we’re looking not only to do it once but for periodic review of the controls that have been put in place the risks that are being mitigated.
And then repetition of the assessment on an annual basis…going backwards here OK
So that those are the ten controls or measures we recommend.
So how do we go about getting these into our clients? Working with our clients to implement them.
Well step one, obviously, is to assess current state if you’re an existing client really won’t take long to do that. We recommend… We think no more than an hour by your primary consultant to go through the checklist. If you’re a new client, and you don’t work with EXP today, probably more like three or four hours to dig in, ask questions, maybe get a hands-on look at the IT. Once that’s done we can plan and prioritize what we’re going to do first, and map out the items you would like to address in what order over what period of time.
And I should reiterate here our expectation is that some of these things are probably going to be in place so when we do that assessment there’s going to be some things that we can just check off immediately, may not need to be done. Anything that does need to be done, we’re going to work with you to prioritize it.
And again that doesn’t have to take a huge amount of time, maybe an hour or two. Get the items prioritize get a timeline set and then we can begin execution.
And obviously, as I keep saying, this is an iterative process. So we would like to reassess, you know, after we get through all the items and begin again.
Example Budget—25 People/2 Servers
So to wrap things up let’s go through what this might look like in terms of cost.
So for this example we’ve picked a 25-person organization…maybe a couple of servers. And we phased it out over an 18 to 24 month period. Let’s say… so maybe the first things we do are more on the basic side of things. And I should say this example is assuming we’re going to do absolutely everything. Again, probably not the case. Some things are probably in place.
So in Q1/phase 1 we’re going to look at password policy and training people on passwords. We’re going to secure email systems and implement Office 365 MFA—under $2000 spread over three months to do that.
Phase 2: Q2-Q4
Then for the rest of that year, more than over the next say nine months… We’ll look at some more sophisticated solutions: backup and disaster recovery, and a cloud DR [disaster recovery].
You can see the cost estimated in services at $1300. And an annual cost for a service? …couple of thousand bucks.
And again these are just examples. We can customize this to meet the needs of each client.
Security awareness training—We would think about a thousand dollars to set it up, and then it’s a subscription to that service of relatively affordable just over five hundred bucks a year.
And then there’s a firewall implementation listed here as well, about $1,300 estimated to set that up. And then, of course, you got to buy a piece of hardware. So down at the bottom there you can see just over a thousand dollars to buy a new firewall.
Phase 3: Next Year
And finally, in the you know that takes us through about 12 months. Maybe you’ve done, you know, one of those last three things each quarter. We’re looking at more sophisticated measures like software restriction policy, like building out some IT policies and some IT procedures. And those things combined maybe looking in the six or seven thousand dollar range spread out over time.
So if we break this down over an 18 to 24 month period, you’re looking at maybe 500 bucks a month-ish. And again, it will depend on your organization—the size, what you already have in place, that which may take some things off this list.
And then annual subscription services. About three thousand dollars and a $1,000 ish investment in hardware.
So that should give you a picture of what it might take to implement all of these things. Again our expectation is that some of these things will be in place and we can customize the plan for each and every client to fit their needs, fit their budget.
And that pretty much wraps up my presentation.
So at this point we’ll open it up to questions.
If you have any and if you guys, this is Jesse, if you guys have any questions, you can go ahead and just shoot them into the chat.
There’s a couple that came through while you were talking, Tony. If you don’t mind I’ll go ahead and go through the first couple of them.
OK so number one what is the most common security weakness you see in small to medium sized businesses during an initial consultation?
That’s a good question. If I had to pick one, well I talked about awareness training and people often don’t think about that. I would say that. Training employees to be aware of phishing emails.
I mean that the number one attack we see is through phishing emails. So making people… and making people aware of how to spot those, is probably the biggest gap and the one thing people don’t always think about. They jump straight to the technology: “Hey, can I get, you know better antivirus software? Can I get a better firewall?” but people are not always thought about. So I would pick that.
OK so so you’re saying when it’s finally time to to increase or address a lot of people typically go with the actual technology—the solution, the hardware, the tangible aspect versus getting the updated training. And awareness and education on the newest threats.
Let me go to question number two: “What are some of the threats that a local company you work with should be aware of?”
The most? Well I think I pretty much just said it, but yeah the phishing. Most security breaches start with a phishing email. Whether it’s spear-phishing—and spear-phishing, in case I don’t think I actually said this—is a very targeted email. Spear-phishing is when the attacker knows exactly who they are sending the email to within the organization. They typically know their role. They know who their boss is.
So I would say phishing is the number one attack. And I think the statistic is that like 90% of cybersecurity attacks start with a phishing email where they’re trying to induce people to click on links to go to websites to open attachments. So that’s what I would say.
OK thank you.
OK and last one is do you think the cost of security and other threat detection will rise as it becomes more prevalent?
Will it rise? I don’t know if it will rise. I think that there will be more and more solutions technology solutions and services that will pop up in this space to address cybersecurity issues and I think that probably the types of a you know attacks that we’re seeing … there’ll be new new attacks, different ways that people try and get to you. So I think overall there will… it will require more investment in cybersecurity by organizations.
The other thing, the other factor that’s going to influence that is the cloud. I mean you know I think we’re only at the beginning of the cloud. So the kind of traditional perimeter (network perimeter)…it used to be that you know the firewall was the edge everything that you owned all your data all your systems was behind the firewall. And that’s what we had to protect but now with you know SaaS applications, Office 365 other cloud applications and even infrastructure as a service [IaaS]—that’s you know your data and your systems are all over the place essentially. So it’s harder to secure them. So I think, I don’t know…
I think actually, probably, the point solution you know… The individual solutions that cost might come down over time but the overall investment required is probably gonna rise.
OK so the individual the individual focal points of an overall security program you think that those the individual aspects singularly might rise or could rising cost whereas overall plan will relatively stay the same but it’s mostly about there’s more variances—more iterations of threats that people have to stay up.
Yeah OK exactly. Because I think there’ll be more and more competition in the space with different solutions and that will probably drive down the cost of individual items but you’ll need to do more.
OK, that’s perfect, and I think that is the end of our questions here.
Thank you to everyone for attending! If you do have questions, please just feel free to email me directly. It’s just “tony at exp technical.”
And thanks for listening!