7 Deadly Cybersecurity Sins SMB's Should Avoid
AND, how to make it matter to the C-Suite
Montreat College - October 27, 2017

Core Questions

• What is an SMB?
• Are SMBs really a target?
• Where do the 7 Deadly Sins come from?
• What are the 7 Deadly Sins of Cybersecurity?
• How do we make this matter to Business Owners and C-Suite Executives?
• What's Next?

What is an SMB?

• Small and Mid-sized Business
• 4.8 million businesses have fewer than 5 people (Micro)
• Small Businesses: FEWER than 100 employees and LESS than $50M in annual revenue
• Mid-sized Businesses: BETWEEN 100 and 999 employees and LESS than $1B in annual revenue
• Large Businesses: 1000+ employees and MORE than $1B in annual revenue

• Large businesses are less than 0.08% of all companies!
• However, nearly 50% of employees work for large enterprises (US Dept. of Commerce)

What is unique about an SMB?

• Cash flow is King: capital expenditures are not always planned in advance
• Full-time employees are challenged by the depth-and-breadth conundrum
• IT Team: somewhere between an Army of One and a small team

• They need partners for additional depth, redundancy, and elasticity!
• The default condition is OVERWORKED and REACTIVE

Are SMBs Really a Target?

• That depends on the motive of the attackers
• MONEY
  • Time to monetize
  • Business associates
  • Easiest target
• CORPORATE OR STATE SPONSORED ESPIONAGE
  • Business associates
  • Low and slow data collection from unsuspecting and unmonitored victims
  • Patient ZERO
• HACKTIVISM
  • Stand for something
  • Impact to industry production and GDP

YES!

Where do the 7 Deadly Sins Come From?

• Greek theologian and Desert Father Evagrius Ponticus first came up with 8
• The worst offense was pride, or serving only oneself

• In the 6th century Pope Gregory the Great reduced the list to 7
• Middle Ages leaders revised and promoted these Cardinal Sins

1. Lust
2. Gluttony
3. Greed
4. Sloth
5. Wrath
6. Envy
7. Pride

The 7 Deadly Sins of Cybersecurity

1. Lack of Backups and Disaster Recovery Strategy
2. Poor Security Awareness by Employees
3. Weak Passwords
4. Failure to Update Network Security Infrastructure and Appliances
5. Lapsed End Point Protection and Unpatched End Points
6. Neglecting Digital Presence and Cloud Assets
7. Declining to Invest in Cybersecurity Insurance

Lack of Backups and Disaster Recovery Strategy

• Ransomware vs. BDR… BDR wins
• Downtime is the enemy as much as the hacker is the enemy
• The BDR Checklist
  • Off-site and On-site copies
  • Virtualization to RUN THE CORE BUSINESS while the primary systems are down
  • Tested and Truly Verified (by actually restoring, not just by checking that the backup job reported success)
  • Response Plan with Accountability Chart and Downtime Estimate (RPO, the Recovery Point Objective: how much data you can afford to lose; RTO, the Recovery Time Objective: how long you can afford to be down)
  • Inventory of Hardware and Software
  • SLAs on file
  • Communication Plan: Employees, Customers, Partners, Public
  • Secure DR data
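The "Tested and Truly Verified" item and the RPO/RTO estimate, carried into a restore drill. This is an added example, not code from the original deck: it backs up a constructed directory with a SHA-256 manifest, restores the set into a scratch directory and checks every file against the manifest, then reports whether the set's age satisfies the RPO and whether the restore finished inside the RTO. The directory layout, manifest format, file contents, timestamps and the 24-hour RPO / 4-hour RTO are all assumptions.

```python
import hashlib
import json
import os
import shutil
import tempfile
import time
from datetime import datetime, timedelta, timezone

# Assumed business targets for this example; the real numbers come out of the
# response plan and are agreed with the owners, not picked by IT.
RPO = timedelta(hours=24)  # Recovery Point Objective: at most one day of data lost
RTO = timedelta(hours=4)   # Recovery Time Objective: core business running again within 4 h


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def take_backup(source_dir, backup_root, taken_at):
    """Copy source_dir into a timestamped backup set and record a SHA-256 manifest.

    Stands in for whatever backup product the SMB uses; the manifest is what
    makes a later restore verifiable rather than merely "job completed"."""
    set_dir = os.path.join(backup_root, taken_at.strftime("%Y%m%dT%H%M%SZ"))
    os.makedirs(set_dir)
    manifest = {"taken_at": taken_at.isoformat(), "files": {}}
    for name in sorted(os.listdir(source_dir)):
        src = os.path.join(source_dir, name)
        if os.path.isfile(src):
            shutil.copy2(src, os.path.join(set_dir, name))
            manifest["files"][name] = sha256_file(src)
    with open(os.path.join(set_dir, "manifest.json"), "w") as f:
        json.dump(manifest, f, indent=2)
    return set_dir


def restore_and_verify(set_dir, restore_dir):
    """Restore a backup set into restore_dir and check every file against the manifest.

    Returns (ok, problems, seconds); the seconds figure is what you hold up against the RTO."""
    start = time.monotonic()
    with open(os.path.join(set_dir, "manifest.json")) as f:
        manifest = json.load(f)
    os.makedirs(restore_dir, exist_ok=True)
    problems = []
    for name, expected in manifest["files"].items():
        src = os.path.join(set_dir, name)
        if not os.path.exists(src):
            problems.append("%s: missing from backup set" % name)
            continue
        dst = os.path.join(restore_dir, name)
        shutil.copy2(src, dst)
        if sha256_file(dst) != expected:
            problems.append("%s: checksum mismatch after restore" % name)
    return (not problems, problems, time.monotonic() - start)


def rpo_met(set_dir, now):
    """True if the data in this set is recent enough to satisfy the RPO."""
    with open(os.path.join(set_dir, "manifest.json")) as f:
        taken_at = datetime.fromisoformat(json.load(f)["taken_at"])
    return now - taken_at <= RPO


def run_drill():
    """Restore drill on constructed data: a tampered set fails, a clean set passes."""
    work = tempfile.mkdtemp()
    source = os.path.join(work, "fileserver")
    os.makedirs(source)
    for name, body in {"ledger.csv": b"date,amount\n2017-10-26,1200\n",
                       "contracts.txt": b"ACME master services agreement\n"}.items():
        with open(os.path.join(source, name), "wb") as f:
            f.write(body)

    stale = take_backup(source, os.path.join(work, "backups"),
                        datetime(2017, 10, 26, 2, tzinfo=timezone.utc))
    # Simulate ransomware (or bit rot) reaching the backup share: a file is altered in place.
    with open(os.path.join(stale, "ledger.csv"), "ab") as f:
        f.write(b"GARBAGE")
    stale_ok, stale_problems, _ = restore_and_verify(stale, os.path.join(work, "restore1"))

    fresh = take_backup(source, os.path.join(work, "backups"),
                        datetime(2017, 10, 27, 2, tzinfo=timezone.utc))
    fresh_ok, _, seconds = restore_and_verify(fresh, os.path.join(work, "restore2"))

    now = datetime(2017, 10, 27, 9, tzinfo=timezone.utc)
    result = {
        "tampered_set_verified": stale_ok,
        "tampered_problems": stale_problems,
        "clean_set_verified": fresh_ok,
        "stale_set_meets_rpo": rpo_met(stale, now),
        "fresh_set_meets_rpo": rpo_met(fresh, now),
        "restore_within_rto": timedelta(seconds=seconds) <= RTO,
    }
    shutil.rmtree(work)
    return result


if __name__ == "__main__":
    for key, value in run_drill().items():
        print("%-24s %s" % (key, value))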

Poor Security Awareness by Employees

• Social Engineering
• Phishing
• Dangerous Links
• Web Browsing
• Access Controls
• Password Management
• Careless location of files

Weak Passwords

• Dual-Factor Authentication
• Rotation of Passwords
• Complexity of Passwords
• Storage of Passwords
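The four bullets above carried into working code, added here as an illustration and not taken from the original deck: a policy check that rejects short and known-bad passwords (the known-bad set is a constructed stand-in for a breached-password list), the weak unsalted fast hash beside a salted, memory-hard scrypt store with constant-time verification, and an RFC 6238 TOTP generator for the second factor. The minimum length, scrypt parameters, storage format and example passwords are assumptions; the TOTP secret is the reference key from the RFC's test vectors.

```python
import hashlib
import hmac
import os
import struct
import time

# Constructed stand-in for a breached-password list; a real one has millions of entries.
KNOWN_BAD_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1", "montreat2017"}
MIN_LENGTH = 12  # assumed policy


def password_policy_errors(password):
    """Return the reasons a candidate password is rejected; an empty list means accepted.

    Length plus a screen against known-bad passwords catches more than
    'one uppercase, one digit, one symbol' rules, which users satisfy with P@ssw0rd1."""
    errors = []
    if len(password) < MIN_LENGTH:
        errors.append("shorter than %d characters" % MIN_LENGTH)
    if password.lower() in KNOWN_BAD_PASSWORDS:
        errors.append("appears in the known-bad password list")
    if len(set(password)) < 4:
        errors.append("too few distinct characters")
    return errors


def store_weak(password):
    """The sin: a fast, unsalted hash. Equal passwords give equal hashes (one crack
    unlocks every reuse) and a GPU tests billions of MD5 guesses per second."""
    return hashlib.md5(password.encode()).hexdigest()


SCRYPT = {"n": 2 ** 14, "r": 8, "p": 1}  # assumed work factor: ~16 MiB and tens of ms per guess


def store_strong(password, salt=None):
    """Salted scrypt; the parameters travel with the hash so they can be raised later."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, dklen=32, **SCRYPT)
    return "scrypt$%d$%d$%d$%s$%s" % (SCRYPT["n"], SCRYPT["r"], SCRYPT["p"],
                                      salt.hex(), digest.hex())


def verify_strong(password, stored):
    algo, n, r, p, salt_hex, digest_hex = stored.split("$")
    if algo != "scrypt":
        return False
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                            n=int(n), r=int(r), p=int(p), dklen=32)
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))  # constant-time compare


def totp(secret, timestamp=None, step=30, digits=6):
    """Second factor: RFC 6238 time-based one-time code (HMAC-SHA1 over the time counter).
    `secret` is the raw shared key, the same one an authenticator app enrolls."""
    if timestamp is None:
        timestamp = int(time.time())
    mac = hmac.new(secret, struct.pack(">Q", timestamp // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


if __name__ == "__main__":
    print(password_policy_errors("password"))
    print(store_weak("hunter2hunter2") == store_weak("hunter2hunter2"))      # True: no salt
    print(store_strong("hunter2hunter2") == store_strong("hunter2hunter2"))  # False: salted
    print(verify_strong("hunter2hunter2", store_strong("hunter2hunter2")))   # True
    print(totp(b"12345678901234567890", timestamp=59))                       # 287082
```

One caveat a practitioner would raise on "Rotation of Passwords": NIST SP 800-63B, published in June 2017, drops forced periodic rotation in favour of length, screening against breached-password lists, and changing a password when compromise is suspected; the policy check above follows that guidance.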

Failure to Update Network Security Infrastructure and Appliances

• Regular Vulnerability Scans by Outside Professionals
• Updated Advanced Malware Protection
• Updated IPS/IDS
• Updated Hardware (is the throughput still adequate for current traffic?)
• Take advantage of Cloud-Based Configuration or Software Defined Networking (SDN)

Lapsed End Point Protection

• Individuals and their machines are easier starting points than core infrastructure
• Anti-Virus and Malware Protection
• Patching and OS updates

Neglecting Digital Presence and Cloud Assets

• Website (SSL/TLS certificate and HTTPS configuration)
• Cloud Storage (Approved or Unapproved) #ShadowIT
• Collaboration between partners, solution architects, infrastructure team, and line of business
• Cloud Evaluation Methodology


Declining to Invest in Cybersecurity Insurance

• Document your cybersecurity policy
• Train employees on the policy
• Meet with Insurance Advisors
• Calculate the Risk!
  • Data Loss
  • Production Loss
  • Goodwill Loss and Client Churn

H o w to m a ke i t M AT T E R to B u s i n e s s O w n e r s a n d C - S u i te E xe c u t i v e s

• FAILED APPROACHES • Sharing every detailed attack • Appealing only to fear • Assuming it is a “winnable” battle that people bet their jobs on• Asking for resources and getting denied due to cost

Oh by the way…Make all other executive stakeholders happy

H o w to m a ke i t M AT T E R to B u s i n e s s O w n e r s a n d C - S u i te E xe c u t i v e s

• WINNING APPROACHES • Systematize the Approach to Cybersecurity• Remove the Emotion • Assume WHEN not IF • Convert your thinking from COST to INVESTMENT

Systematize the Approach to Cybersecurity

• Start with the NIST Cybersecurity Framework and its five core functions:
  • Identify
  • Protect
  • Detect
  • Respond
  • Recover

• Review the following:
  • Practices
  • Process
  • Management
  • Technical Environment

Remove the Emotion

• Take issues UP, not OUT
• Don't grumble about lack of understanding from Leadership

• Restate, clarify, and put the notes from your meetings down in writing!
• Speak their language by understanding how they got to where they are
  • Sales-minded executive: talk about the Customer Impact
  • Operations-minded executive: talk about the Downtime
  • Visionary-minded executive: talk about the PR and Goodwill issues
  • Finance-minded executive: talk about the Money

Assume WHEN not IF

• Always use the words WHEN and WE: "When we are attacked… our team plans to…"
• The $ investment is shifting from prevention to identification, mitigation, and response!

• You have doors and gates on your building, but you also have cameras inside it!
• It is not your job to be Mayor of Utopia or Warden of the Jail; it is your job to protect and serve without grossly limiting freedom!

Convert your thinking from COST to INVESTMENT

• Look at 3-year spans of investment
• Run multiple scenarios and create weighted averages
• Hey SMBs, there is a reason banks employ so many people in RISK MANAGEMENT!
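The "Calculate the Risk!" slide (data loss, production loss, goodwill loss) and the three bullets above, worked through as one calculation. This is an added example, not material from the original deck: each scenario carries an annual probability and a loss in the deck's three buckets, the weighted average of those losses is the expected annual loss, and the case for a control is its effect on that figure over a 3-year span against its own 3-year cost. Every number below (hourly revenue, cost per record, churn rates, scenario probabilities, the $18,000/year BDR cost) is an assumed input for a hypothetical 60-person firm; the point is the arithmetic, and an SMB substitutes its own figures from finance and operations.

```python
from collections import namedtuple

# Assumed business inputs; replace with the owner's own figures.
HOURLY_REVENUE = 2_500.0                # production loss per hour the core business is down
COST_PER_LOST_RECORD = 150.0            # notification, monitoring, re-keying, rebuild (data loss)
ANNUAL_RECURRING_REVENUE = 4_000_000.0  # goodwill loss is client churn applied to this
YEARS = 3                               # the deck's horizon for investment decisions

Scenario = namedtuple("Scenario",
                      "name annual_probability downtime_hours records_lost churn_fraction")

# Constructed scenarios: probability of occurring in a given year and what it costs when it does.
BASELINE = [
    Scenario("ransomware, no tested backups: rebuild from scratch", 0.20, 120, 0, 0.03),
    Scenario("business email compromise, mailbox exfiltrated", 0.15, 8, 2_000, 0.01),
    Scenario("unencrypted laptop lost with client files", 0.30, 2, 500, 0.00),
]


def scenario_loss(s):
    """Loss from one occurrence, split into the deck's three buckets."""
    return {
        "data_loss": s.records_lost * COST_PER_LOST_RECORD,
        "production_loss": s.downtime_hours * HOURLY_REVENUE,
        "goodwill_loss": s.churn_fraction * ANNUAL_RECURRING_REVENUE,
    }


def expected_annual_loss(scenarios):
    """Weighted average over scenarios: sum of probability x loss (annualized loss expectancy)."""
    return sum(s.annual_probability * sum(scenario_loss(s).values()) for s in scenarios)


def with_bdr(scenarios):
    """Model one control: tested backups cut ransomware downtime to hours and most of the churn.
    The reduced figures are assumptions about what the control buys."""
    out = []
    for s in scenarios:
        if s.name.startswith("ransomware"):
            s = s._replace(downtime_hours=6, churn_fraction=0.005)
        out.append(s)
    return out


def investment_case(scenarios, control, annual_control_cost, years=YEARS):
    """Expected loss over the horizon without the control, versus with it plus its cost."""
    before = expected_annual_loss(scenarios) * years
    after = expected_annual_loss(control(scenarios)) * years + annual_control_cost * years
    return {
        "expected_loss_without": before,
        "expected_loss_plus_control_cost": after,
        "net_benefit_over_horizon": before - after,
    }


if __name__ == "__main__":
    case = investment_case(BASELINE, with_bdr, annual_control_cost=18_000.0)
    for key, value in case.items():
        print("%-32s $%12,.0f" % (key, value))
```

Presented this way the conversation with a finance-minded executive is about a 3-year expected loss of $486,000 against $309,000 with the control, not about how scary ransomware is; the same numbers answer the operations-minded executive (120 hours of downtime versus 6) and the sales-minded one (3% churn versus 0.5%).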

What is NEXT?

• Create a Roadmap
• Share statistics


2018 Cybersecurity Trends

1. Detection and Response budget > Prevention budget
2. App and Web Based Vulnerabilities Rise
3. Shadow IT
4. Skills Gap and ZERO Unemployment in Cybersecurity
5. IoT Hackability
6. End User Education
7. Passwords Shift to Other Measures