Updated: Jun 2
There is cyber hope. That’s the feeling I had after this Expert Tips panel ended. These professionals work in the complex field of cybersecurity on a daily basis, so they are the best analysts of the current state of security and what more needs to be done. Surviving the next cyberattack could make or break a company, so when experts offer free advice, we need to pay attention.
In a panel on April 13 hosted by Techvera, four cybersecurity practitioners shared their perspectives, but they also shared a confidence that is very helpful. Those of us who are non-techy business owners may be uninformed or overwhelmed by the cyber risks a business faces, but we CAN take some positive steps towards a better security posture. Plus, help is available. Below you’ll find a summary of the panel’s discussion, from my perspective as an ordinary citizen who wants to do better in my business and for the world.
Experts featured in this discussion include:
- David Evenden, former NSA security analyst and CEO of StandardUser Cyber Security.
- Matt Lee, Senior Director of Security and Compliance at Pax8.
- Jim Lippie, CEO of SaaS Alerts.
- Reese Ormand, moderator, Founder & CEO at Techvera.
The panel video is available for replay here on LinkedIn.
Inaction is the biggest threat.
Doing nothing is the worst possible security posture. When asked about the biggest cybersecurity threat facing small businesses, Jim Lippie immediately said, “Inaction is the biggest threat.” Matt Lee says executives need to be involved in their company’s security and to lead the way. David Evenden added, “The threat is not existential, it’s 100% internal. Not asking the questions and having the internal conversations is the biggest problem.”
The panel highlighted some common assumptions of many business owners.
- “My business is too small, and no one cares about my data.”
- “We don’t even have sensitive data.” (Every business has sensitive data.)
- “The convenience is worth skipping Multi-Factor Authentication (MFA).”
Threat actors set out to steal data that will create a profit for them. They often don’t care about the data itself. They are simply looking for easy targets and ways to gain access to data that matters to YOU. Then you are incentivized to pay a ransom if it’s stolen.
Processes, policies, and enforcement.
Where is your data? These experts agreed that many companies do not know. Information that is stored haphazardly, without a plan, puts the organization at higher risk of compromise. According to Evenden, some leaders don’t understand that their business data is actually what pays their own salaries.
“Overall file organization and storage is a big deal. When organizations don’t have insight into their processes, users can download info and take it anywhere,” said Reese Ormand.
Businesses should have processes to monitor their files and confidential information, define who should have access to various levels of data, and make sure these policies are followed. Otherwise, employees create their own file storage systems, data is scattered across multiple platforms, and the risk that an attack succeeds increases.
When access controls are set up properly and MFA is enabled for every user, email compromises are greatly reduced.
Jim Lippie quoted some statistics: one third of all breaches are from internal actors, and 19% of all file shares are external to one’s organization. Whether data is improperly shared accidentally or on purpose, all of these factors increase risk.
In the discussion regarding access controls and proper permission levels, Brian Krebs was quoted: “Someone recently asked me how I defined security. I really had to think about that. Fundamentally, it seems to be about making it easier for users to do the right thing, and/or harder for them to do the wrong thing.”
All the expert panel members agreed that educating employees and providing them with direction and security processes is critical.
We are on the same team
“We are FOR you,” Evenden said. It can be easy to assume that technology gurus are apathetic because they see so many problems every day in the cybersecurity world. But the majority of cyber professionals deeply care about the people and companies they work with. This new type of warrior is on a mission to protect the world, since we are so often linked together.
Ormand added, “The security team and end users are on the same team. The value of security has to be preached from the top down.” All the panel experts agreed with this.
Just take some steps
Evenden explained that it can be daunting for businesses to get started with cybersecurity, so calling a professional can help. “If you don’t know where to start, engage someone. Don’t do it yourself.” Professionals can assess needs, make recommendations, and provide support.
Lee encouraged every individual to have a password manager, as a basic first step in increasing cybersecurity.
Lippie stressed the importance of MFA on ALL user emails, including on guest accounts in a Microsoft 365 environment.
Ormand reminded us that “it’s critical that leaders engage with cybersecurity, since ransomware and other breaches can have a catastrophic impact on businesses.” These catastrophes can be avoided with measures like security controls, user education, and phishing simulations.
Some new terms
There were a few cyber terms I enjoyed hearing about in this discussion, which can help explain some of the challenges and solutions in cybersecurity.
Data sprawl: the inconsistency of data storage and sharing within an organization, which means that the same data can be difficult to monitor and protect. Often this occurs when there is no central plan and set of policies for handling data, as well as no processes to enforce the policies.
Unsanctioned IT: employees within an organization create their own systems for data storage and sharing. This may be the result of the organization failing to provide a plan, or perhaps employees think the sanctioned plan is too complex. In either case, this can cause additional risk when an organization’s data is not handled according to established and consistent policies.
Leave it to the Professionals?
To sum up, there are some things we each can do to secure our own data and our company data. It’s also incredibly helpful to work with a professional team to set up your computer network and ensure that all the proper settings and controls are in place.
It’s up to each one of us to decide how this works in our own lives and businesses, but we need to take some steps.
How are you taking new cybersecurity steps this year? We would like to hear them! Contact us with updates and to ask any questions. We are ready to help when you need us.
Katy Munden Penner is a Writer and Content Strategist for StandardUser Cyber Security, and a Social Entrepreneur connecting people with great causes.