25 episodes

Get ready for the Security Strong Podcast. We tackle IT issues, discuss best practices for your technology safety and interview professionals that are on the front lines within their organization's technology infrastructure. And now your host, Owner and Founder of Tobin Solutions, Jeremy Cherny!

Security Strong Podcast Tobin Solutions

    • Technology

    Security Awareness Training

    In this in-depth Security Awareness Training, host Jeremy Cherny explores how a security incident can occur, as well as how people can best protect their data to remain secure.
     
    What is a Security Incident?
     
    A security incident is any breach of your CIA. CIA is an acronym for three areas. The “C” stands for the Confidentiality of your internal and/or external data or systems: a breach occurs when someone who shouldn’t have access to your data gets it. The “I” stands for the Integrity of your data and systems, meaning they are safe from corruption and unauthorized changes. Lastly, the “A” refers to the Availability of your systems and data, so they are working and ready when you need them. So when you think of security breaches, think of the Confidentiality, Integrity, and Availability of your data and systems. Remember that security is only as good as your weakest link, so make sure that you have all your blind spots covered!
     
    Common Vulnerabilities and Exposures (CVE)
     
    CVE is a dictionary that provides definitions for publicly disclosed cybersecurity vulnerabilities and exposures. Every time a new security hole is discovered in a device or software, it is given a CVE number. Over time, these vulnerabilities and security holes have been discovered at a much higher rate, which is one of the reasons cybersecurity is so crucial today. Back in 1999, only 1,000 or so CVEs had been discovered, whereas in 2018 alone over 16,000 CVEs were discovered. Another point about CVEs is that these are only the ones we know about; there could be thousands of other vulnerabilities out there that have yet to be discovered.
     
    Face The Facts
     
    It’s almost certain that you will face multiple security incidents over time, and although it may not be a big issue, it is still important to take the necessary steps to reduce the number and severity of security incidents. It is also important to note that even though steps can be taken to reduce the number of incidents, you can’t eliminate them all, because over time nothing is 100% effective. Although security incidents are becoming more complex every day, education, planning, and preparation are the only actions you can take to significantly reduce the number and scope of these incidents, as well as to recover from any security incident you may face. Lastly, we advocate that you trust no one and always verify your security with a third party to ensure that you are staying safe.
     
    Top Reasons You Will Have A Security Incident
     
    Using Vulnerable Technology - Using old technology that hasn’t been updated with security patches, or new technology that hasn’t had security patches applied, can lead to vulnerability.
    Failure To Follow Best Practices For Installation & Configuration - For example, many in-home routers have a default password set up, and a lot of people never change that password, where the best practice would be to go in and change it to protect yourself.
    Lack of Written Policies - Written policies help you have a plan in place to protect yourself from security incidents.
    Lack of Education For Everyone In Your Organization - When people don’t know what they should be looking out for, they’re far more likely to stumble into something dangerous.
    Failure To Plan & Prepare - Planning and preparing is crucial to avoiding security incidents, as well as recovering when one does occur.
    Failure To Monitor, Audit, and Maintain Policies and Systems - Consistently ensuring that all your systems are functioning properly will decrease vulnerabilities.
    Security is Inconvenient - Many people avoid security because it’s an extra password or it takes more time, so they bypass it, leading to a higher chance of a security incident.
    People Are Human - This is the biggest reason for all security breaches as everyone at some point will click s

    • 55 min
    Security importance when working from home with Dave Steffen

    Host: Jeremy Cherny interviews Dave Steffen, a business coach with Action Coach. 
    “And for those of you that don't know what business coaching is, it's really just my job to help business owners grow and succeed and thrive in their business and do the things that are going to help them be the best business owner they can be. So that means helping them strategize on actions to take and making sure they take those actions, talk about things that they can look out for from a marketing standpoint, a sales standpoint and an operation standpoint. So whatever the business is looking to do, my job is to really help them move through that process with as much philosophy as possible.”
     
    Why is security important? 
    “So there are a couple of things that come to mind for me, when somebody asks me about security relative to my business, the thing that I have to be very conscientious of is I receive a lot of confidential information, intellectual property, information from my clients. So safekeeping their information is obviously of significant importance to me.”
     
    How do you communicate that to your clients?
    “The first thing that I do is when we sit down and we talk about bringing on a client, I explain how I will keep their information confidential.”
     
    Anything that you want to say about today's world, with COVID-19 and people working from home?
    “The number one thing that I am communicating to the business owners that I've chatted with and including my clients is, seek help. There are a number of resources available out there for you to use and find to help you work through this. This is not something you have to try to do on your own. You're certainly not alone in this environment.”
     
    What are some things you did in your prior role in IT around protecting people's data?
    “You know, for example, you could put your accounting system on your network. But if you don't have any kind of security measure put in place, everybody, every employee that has asked for access to that network could access anything at all. So that includes all of your financials, your general ledger. And then it also includes not just accessing and viewing, but the ability to modify and change and or delete.”
     
    Any favorite war stories?
    “Yeah, there's obviously a number of times, but probably the one that I had the most fun with was working with a business and we were actually doing a proposal. And we had a contract and outline of a project that we were going to do for them. And I was talking with the president at the time, he kind of sidetracked the whole security piece of it and said, Well, this is really unnecessary. In my world today, he was in what I would call a state of denial. And really not sure that that was important. So I looked at him and I said, Sir, give me five minutes and if I go to any workstation in your office and login and get access to your general ledger, will you sign the deal? He looked at me and he said, Go for it. Within five minutes, I had access to their general ledger. So I walked back in and said, Yep, I got your general ledger. And I said, Sir, you've got a lot of cash. You could do this project, you know. Right. He was a little dumbfounded. And he said, okay, clearly I've got a problem.”
     
    What about a favorite Cybertek movie? 
    “Hackers with Angelina Jolie”

    • 39 min
    Using your auto-attendant for security with Jesse Gnas

    Host: Jeremy Cherny interviews Jesse Gnas, owner of ACS. 
    “We are basically a business that sells cloud based solutions for voice and data. And we are a full service, single point of contact for all your needs. So that includes the project management through the entire process. So when our clients order new services from us, whether it be a cloud based phone solution or data, we manage that purchase from start to finish.”
    Why is security important? 
    “The reason we incorporate those is because they are a very essential lifeline for our businesses to maintain their business model. And in the event, there are any security issues, we want to make sure while we partner with Tobin Solutions, that we exhaust all those possibilities that could occur, because they'd otherwise be compromising the business model.”
    What are you seeing from your side of things in the world of data comp and telecommunications and the demands on you and what people have been around requesting right now?
    “The businesses that we currently work with, we've set them up already in an environment where they're able to take their desk phone home, and use their internet at home as a remote teleworker.”
    How do you stay on top of all these different security threats that are out there?
    “We really encourage having an Auto Attendant and I know most businesses love to answer the phone live and they like to take that call and differentiate themselves. However, a simple Auto Attendant would say thank you for calling Tobin Solutions. If you'd like to speak to someone live, please press one. That eliminates 100% of the robo calls because robocalls can’t press one. So it really increases the productivity of the receptionist and many receptionists that I see are “
    How do you educate your customers on security around Telecom, telecommunications and phone systems?
    “We do risk management in our own conversations. Is there any value to having this business turned over to you or an assessment because if someone's in denial, that they've never had a problem, we try to encourage everyone to educate our customers that if you have not had one, a virus or any kind of attack on your business, it's only a matter of time that you will.”

    • 46 min
    The trade-off for security with Eric Clark

    Host: Jeremy Cherny interviews Eric Clark, Client Success Associate at SWICKtech
    “Client Success Associate is something I’m not entirely sure what the title entails. But I will say that our client’s success is one of our core values and something we put first ahead of most things. Working at SWICKtech is like working with the smartest kids in class. A lot of very smart, talented engineering minded folks that know way more than me about the technicality of what it is we do for our clients. However, it’s my job to be that middleman and speak English to our clients rather than the tech jargon.”
    Why is security important?
    “It’s one of the most important things we can help clients protect, in addition to their data. Cyber criminals that have success in cyber attacks have been well funded, and they invest that money back into creating businesses overseas that attack our businesses here. Unfortunately, there’s not much we can do about it legally because they’re not in our country.”
    How do you stay on top of the latest security threats?
    “It’s in our DNA. It’s our duty to our clients. We’ve been a Gartner client for some time, so we look at who the leaders are in various spaces and what they’re doing to stay on top of trends. We’re doing a lot of things on the cutting edge as well.”
    What do you do around educating users about security and security awareness?
    “Quite a bit, it’s a big focus for us. We start with some baseline things like a dark web scan. Then we work with the company and mimic what an attack could look like. A phishing attack is a good example. And no one is in trouble if they click on this attack, but we use that data to say, ‘Hey, this is what’s happening at your company.’”
    What are the most important things that people can do to protect their online information?
    “There’s definitely a layered approach. But the one thing that we believe is the lowest hanging fruit that has the biggest impact is multi-factor authentication. If a hacker tries to log into your account, you’re going to get a prompt on your phone. We recommend that you put that on your Facebook, LinkedIn, banking accounts just to add another layer of security.”
    Do you run into people being resistant to that?
    “Yeah, there’s a convenience trade for security. You can do it with some things that can run in the background that can take some of that egregiousness out of the picture for you. We try to make it as frictionless as possible. And if you want to talk about inconvenience, let’s talk about paying $50,000 for six bitcoins and losing all your data, right? That’s a bigger inconvenience, so I think the trade off is clear.”

    • 29 min
    Small business security with Joe Skotarzak

    Host: Jeremy Cherny interviews Joe Skotarzak, General Manager at MotherG-Wisconsin
    “At MotherG, we’re focussed on being a managed service provider. We really strive to help small businesses manage their technology. Security is a big part of that, so it’s certainly a focus area for us.”
     Why is security important?
    As we’re out there working with small businesses, every small business is dependent on some level of technology. Some of them it’s a tool that's foundational to what they do and how they compete and how they deliver. The downside is these cyber security threats. They can upset and turn the whole thing over. It’s important because it potentially could bring a business down. It’s foundational to make sure that it’s a part of every relationship and managing every client and their network.
    How do you stay on top of the latest security threats?
    It’s a multi-faceted approach to things. We do a lot of reading and talking. We’ve got partners who are specialists in this, both from the manufacturer perspective and from the delivery perspective. It’s a big part of all of our jobs and it’s always growing in importance. It’s a lot of reading, listening to podcasts, listening to experts. It’s a lot of talking to manufacturers and staying abreast of what they’re doing.
    How do you address security awareness training for your end users and the different stakeholders that you work with?
    Again, it’s a multi-layered approach. We use a lot of tools - KnowBe4 is a good one, it’s a service that really helps. They do spoof attacks to allow the business owner to have a really good clear understanding of how susceptible they are. We look at tools and resources and try to make those a part of our culture. People need to know what the rules are to keep things safe. We also make sure that our clients know that we’re their partner in this. We try to have interaction and really learn what our clients need and want.
    What are the most important things that people can do to protect their online information?
    The number one thing is to have an awareness and a little bit of paranoia that someone could be after you. We say that a healthy skepticism goes a long way. If something doesn’t look and feel right, maybe just take a breath before you do something. There’s a lot of phishing campaigns out there and we’ve seen an increase in them with COVID. Two-factor authentication is another big thing, just in terms of keeping your information safe. A lot of that stuff gets exposed unfortunately. 
    What do you see as the future of information security?
    We see it as really an arms race with good guys and bad guys. We also see that cyber security is going to be a growing business. With small businesses leveraging more and more, there’s going to be more attacks as well. The days are gone when all you needed was an antivirus software.

    • 30 min
    Make a good password with Duane Maas

    Host: Jeremy Cherny interviews Duane Maas, President of MC Services
    “I started doing computer consulting in ‘96 so I ended up doing a lot of stuff with the internet because nobody knew how to do it - learning DNS and all the networking stuff. We do a lot of Apple and a lot of Windows, especially moving into networking environments. We’ve also done some app development as that’s exploded with iOS and Android. But really, Mac is becoming a more accepted device for a large company, so we work a lot on integrating Macs into corporate networks. At MC Services we range from one to two people companies to $12 billion dollar private companies where we do all their Mac and Windows support. In the course of that we’ve worked a lot with security.”
    Why is security important and when did you get really interested in it?
    I think I wrote the first eCommerce site in Wisconsin back in 1997. The first year of Christmas for this company, they got 10 orders a day. The next year they got about 100 orders a day and my code couldn’t handle it. As the internet sprung up learning about SSL and TLS became more important because it became a lot easier to steal from people. It’s amazing to me now how people are “fat, dumb and happy” out on the internet. The important thing is to have different levels of security for different reasons. There are always different levels. It’s kind of like buying insurance - how much insurance do you buy on a car. 
    How do you stay on top of the latest security threats?
    You have to have trusted experts to talk to. There’s a Slack Mac admins channel that I probably look at every day. The other thing is Twitter. I look at people talking about threats and stuff like that. The big discussion going on now is about the vulnerabilities of Zoom. It isn’t something that my wife or kids would care about, but if you’re using it for corporate stuff, then you need to know about it.
    How do you address security awareness training for your end users and the different stakeholders that you work with?
    It seems like the biggest thing right now is in corporate email phishing. It’s combined with what they call spear phishing. For example, they see that you and I talked and have had communication so they could send you an email with my name on it and you’d be apt to click it. We’re doing a little webinar on what you should be aware of and how to check the email sender by rolling your mouse over it and seeing if it is what you think it is. People have been pretty open to these webinars. The other thing is just to discuss with the corporate team their strategy for blocking emails. We also do penetration tests on our clients networks where we act as the hacker and see where their vulnerabilities are.
    What are the most important things that people can do to protect their online information?
    I think the biggest thing is to use a password generator. Another thing I do is tell people to take two random, common words and put a character and number in between them - it makes for a very secure password. But there are plenty of online generators or places to check the strengths of your passwords. When you get into something that’s further up, I think of two-factor authentication where you enter your password and then it texts you a code to put in.
    What do you see as the future of information security?
    Unfortunately I think it’ll get worse as far as the attacks. One of the other things I think about is cyber currency. It’s the only place where people can transfer money without being tracked. Also with faster computers the old types of encryption become less effective. So it’s definitely scary. Once you get something blocked, they just come around the other way. 

    • 40 min
