Smart IT Security for Small Business Managers

Upload: eric-mannon

Post on 09-Apr-2017


TRANSCRIPT

Page 1: Smart IT Security for Small Business Managers


Page 2: Introduction

Eric Mannon
Managed internal and external IT security teams for two enterprise organizations.
Specialty in security strategy consulting and risk management.
Previous titles: Director of Operations, vCIO, IT Operations Manager, Senior Architect.

Certifications held:
• Certified Information Systems Security Professional (ISC2)
• MCITP Enterprise Administrator (Microsoft)
• CCNA (Cisco)
• ITIL V3 2011 (EXIN)
• LPIC-2 (LPI)

IT: Fully managed IT consulting firm based in Colleyville, TX. Maintains a 24x7x365 help desk and on-site engineers dedicated to assisting Mid-Cities businesses with IT support and consulting services.

Page 3: Who are hackers and why should I be concerned about them?

Understanding the challenge

Business hacking is generally not perpetrated by a 13-year-old boy sitting in his mom's basement eating Cheetos.

Hacking is an organized effort by criminal businesses and nation-states to generate revenue.

They have many similarities to your business. They have employees, business plans, R&D, and a P&L report.

Page 4: Who are hackers and why should I be concerned about them?

Understanding the challenge

According to the 2014 Verizon Data Breach Investigations Report, 84% of all data breaches are waged against companies with fewer than 100 employees.

If you run one of these companies, you should know that the cost of being hacked averages around $36,000.

Small businesses are particularly vulnerable to attacks because many owners believe they don't have the time and money to invest in software or consulting services to make their systems more secure.

They are easy targets for criminal organizations, and therefore more profitable targets.

Page 5: IT Security Concerns affecting SMBs

Business Attacks
• Phishing
• Domain theft
• Advanced Persistent Threats
• Ransomware
• Denial of Service

Confidential Data Theft
• Intellectual Property
• Employee Records
• Client Records
• Medical Records

Financial Theft
• Social Engineering
• Credit Card Theft
• Invoice Spoofing
• Bank Fraud
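Invoice spoofing, phishing and domain theft in the list above all depend on a sender that passes a quick glance as a known vendor. The following Python script is an added example, not part of the original slides or the author's material: it triages incoming invoice e-mail against a constructed vendor allowlist (the vendor names, domains and sample headers are invented for the example) and flags the three tells an accounts-payable clerk should escalate: a look-alike domain, a genuine vendor domain with a Reply-To pointed elsewhere, and a vendor name in the display name over an unrelated mailbox.

```python
"""Triage incoming invoice e-mail by checking the sender against a list of
known vendor domains. Constructed example; not from the original slides."""
import unicodedata
from email import message_from_string
from email.utils import parseaddr

# Assumption: the domains of vendors this business actually pays. In practice
# this list comes from the accounts-payable vendor master, not from e-mail.
KNOWN_VENDOR_DOMAINS = {"acme-supply.com", "northtexasprinting.com"}

# Visual substitutions common in look-alike domains, applied to the lowercased
# ASCII form: 0 for o, 1 for l, rn for m, vv for w.
HOMOGLYPH_PAIRS = [("0", "o"), ("1", "l"), ("rn", "m"), ("vv", "w")]


def skeleton(domain: str) -> str:
    """Reduce a domain to a comparable form: lowercase, accents stripped,
    homoglyphs replaced. skeleton("Acme-Supp1y.com") == "acme-supply.com"."""
    text = unicodedata.normalize("NFKD", domain.lower())
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    text = text.encode("ascii", "ignore").decode()
    for fake, real in HOMOGLYPH_PAIRS:
        text = text.replace(fake, real)
    return text


def levenshtein(a: str, b: str) -> int:
    """Edit distance, so one dropped or doubled letter still matches."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(address: str) -> str:
    """Part after the last '@', lowercased; '' for an empty address."""
    return address.rpartition("@")[2].lower()


def vendor_keyword(domain: str) -> str:
    """The word a spoofer would reuse in a display name: 'acme-supply.com' -> 'acme'."""
    return domain.split(".")[0].split("-")[0]


def classify_sender(raw_message: str) -> dict:
    """Return a verdict for the From/Reply-To headers of one RFC 822 message."""
    msg = message_from_string(raw_message)
    display, address = parseaddr(msg.get("From", ""))
    sender = domain_of(address)
    reply_to = domain_of(parseaddr(msg.get("Reply-To", ""))[1]) or sender
    result = {"address": address, "verdict": "unknown sender", "matched": None}

    if sender in KNOWN_VENDOR_DOMAINS:
        result["matched"] = sender
        # A genuine vendor address whose replies are silently routed elsewhere
        # is the classic "updated bank details" invoice scam.
        result["verdict"] = "trusted" if reply_to == sender else "reply-to redirect"
        return result

    for known in KNOWN_VENDOR_DOMAINS:
        if levenshtein(skeleton(sender), skeleton(known)) <= 1:
            result.update(verdict="lookalike domain", matched=known)
            return result

    for known in KNOWN_VENDOR_DOMAINS:
        if vendor_keyword(known) in display.lower():
            result.update(verdict="display-name spoof", matched=known)
            return result
    return result


# Constructed sample headers (not real mail); body text is irrelevant to the check.
SAMPLE_MESSAGES = {
    "legit": "From: Acme Supply Billing <ar@acme-supply.com>\n"
             "Subject: Invoice 4471\n\nPlease remit by the 30th.\n",
    "lookalike": "From: Acme Supply Billing <ar@acme-supp1y.com>\n"
                 "Subject: Invoice 4471 - updated bank details\n\nNew account below.\n",
    "redirect": "From: Acme Supply Billing <ar@acme-supply.com>\n"
                "Reply-To: acme.billing@mail-example.net\n"
                "Subject: Invoice 4471\n\nReply with confirmation.\n",
    "namespoof": "From: Acme Supply Billing <acme.supply.ar@webmail-example.org>\n"
                 "Subject: Invoice 4471\n\nSee attached.\n",
    "stranger": "From: Jane Doe <jane@example.com>\nSubject: Hello\n\nHi there.\n",
}


def triage(messages: dict = SAMPLE_MESSAGES) -> dict:
    """Map each message label to its verdict; anything but 'trusted' goes to a
    human who calls the vendor on a number from the existing contract."""
    return {label: classify_sender(raw)["verdict"] for label, raw in messages.items()}


if __name__ == "__main__":
    for label, verdict in triage().items():
        print(f"{label:10s} -> {verdict}")
```

Run it directly to see each sample's verdict. The script is a screen, not a declaration of safety: a "trusted" result only means the visible headers match a known domain, so any change of bank details is still confirmed by phone on a number from the existing contract, the same rule the deck gives for contacting callers via publicly available numbers.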

Page 7: How do I protect myself and my business?

• Identify valuable data, threats, and plan for a breach
• Educate staff on threats and processes
• Regularly audit the Risk Management Plan for changes and effectiveness

Develop a Risk Management Plan
• Organize your staff with the specific purpose of identifying key systems and data
• Outline your policies and countermeasures to ensure your data remains confidential
• Audit and investigate

Page 8: Advice for all business owners: personal security

• Understand that your personal data is more exposed than most individuals' because of business listings, SOSTX (Texas Secretary of State) listings, and domain listings.
• Understand that you are the best target for personal identity theft. Most business owners have access to bank accounts with significant funds available, have decent credit, and have poor personal security habits.

Start practicing smart personal security:
• Use a different, strong password for every website and service you use, and change them regularly. (Current NIST guidance in SP 800-63B favors long, unique passwords and rotation when compromise is suspected rather than on a fixed schedule; the "different and strong" part is the one that matters most.)
• Do not use public Wi-Fi.
• Do not send financial information via email.
• Use two-factor authentication when available.
• Do not give financial or personal information to anyone who calls or emails you. Contact them back via publicly available emails and phone numbers.
• Enroll in a reputable credit monitoring service that monitors your business and personal credit.

Page 9: Advice for all business owners: business security

• Regularly evaluate and ASK QUESTIONS of your current IT staff or provider. Demand to see reports and plans on a regular basis.
• Understand that installing endpoint anti-virus on your PCs is not enough. Every attack method in circulation is built to get past it.
• User error is the greatest threat to the integrity and confidentiality of your data. Train your staff!
• Remember the fundamentals of Quality Control: the architect cannot check their own work. Another perspective is required to accurately assess the security posture of an organization.
• Ignorance = Risk Acceptance
• Know your industry's applicable laws and regulations and verify they are followed.

Page 10: Advice for all commercial business managers

• Understand the EMV liability shift that took effect in October 2015 and ensure you are using chip readers effectively.
• Do not rely on your ISP to manage your security. You should maintain a business-grade firewall and have it monitored.
• Training staff on proper procedures according to PCI DSS requirements is absolutely key.

Page 11: Advice for all medical business managers

• Take HIPAA and Meaningful Use requirements seriously. HHS does!
• Just because your EHR/EMR is certified as Stage 2 compliant, that does not mean your practice is too.
• You have the most stringent IT security requirements of any industry. Meeting them needs to be considered a "cost of doing business", just like malpractice insurance. Budget accordingly.

"Stolen health credentials can go for $85 each, about 10 or 20 times the value of a U.S. credit card number" - Ryan Brichant, CTO, FireEye

Page 12: Recommendations for all general business managers

• Pay attention. Do not assume your current IT resources are taking the appropriate steps. Make them document and prove it.
• The "Cloud" is not inherently more or less secure than on-premise solutions. Both have their own advantages and disadvantages. Each service must be evaluated on a case-by-case basis.
• Most IT/Cloud/ISP solution providers focus on usability first; security is only considered when it affects availability.

"If you reveal your secrets to the wind, you should not blame the wind for revealing them to the trees." - Kahlil Gibran

Page 13: Risk Management 101

1. Identify the risks to your specific business.
2. Decide how to handle each identified risk:
   – Accept: Accept the financial and reputational risk
   – Avoid: Stop doing the thing that produces the risk
   – Reduce: Deploy controls and countermeasures to mitigate the risk
   – Transfer: Shift liability to third-party security or insurance providers (Cyber Liability Insurance). Note that a policy reimburses covered losses; regulatory obligations and reputational damage stay with you.

Page 14: Contact Information

[email protected]
@ericmannonbiz
https://www.linkedin.com/in/ericmannonbiz

"Security is not a product, it's a continuous process"