My name is Roger.
Without doubt, the best way to go out of business today is to have a cyber event.
If you use the CareMIT business security system then the impact of a cyber event can be greatly reduced.
Although the impact cannot be totally removed it can be reduced to a manageable level.
As a result, your organisation will not only be more secure, it will have the ability to adapt to today’s ever-changing business environment.
Your organisation will be able to change directions without changing the underlying capability and security.
You don’t need to reinvent your security paradigm with each system change, so your organisation will be able to flourish.
The underlying security systems will improve your organisation’s capability to get things done.
We love this stuff; we have grown significantly in the last 12 months, and we have won personal and professional awards.
More importantly we understand the problems and issues associated with the bad guys and why they are targeting you.
In the first part of this video I will explain the problems that you and your organisation may be facing when it comes to not having a secure and stable business environment.
I will make the case for why you need to use the information in this video, underpinned by our methodology, to have that business platform that allows your organisation to thrive in today’s dangerous cyber world.
In the second part of this video I will deconstruct the CareMIT Business Security system in a way that you can understand why you need it in today’s rarified and ever changing business world.
I will also show you how to get a free copy of my second book (Cybercrime, a clear and present danger) and, once it is printed, a free copy of my third book (business security, because it’s not rocket surgery) delivered to you at the same address.
First I have made some assumptions.
Your organisation is thriving.
You know what you are doing correctly to make it thrive.
You have thought that you need better security for your organisation but do not know when and where to start.
You are not looking for a single protection that will do it all – one ring to rule them all, because you know that would not be a prudent strategy.
You have made some unsubstantiated statements along the way, in your business and personally – we are too small to be a target, we have nothing worth stealing and it will never happen to us.
Bottom line, you would like your business to survive and thrive today and still be around in 10 years’ time without experiencing the detrimental impact of a cyber event.
I am going to cover why cyber and the digital world are so misunderstood, by looking at risk, governance and compliance; why your ICT department is overworked because of the technology you are introducing to your organisation; and why you need to train your staff and managers on what they recognise as bad and what to do when something happens, backed by a continuous improvement strategy.
So if you like what you hear and would like to understand more about this strategy then it is easy enough to register for a chat by clicking on the chat link under this video which I will explain later.
So why do we make such a big deal about protecting your business using our system and method?
We don’t have to, there are plenty of other ways for our clients to protect their businesses.
Information is readily available to anyone and everyone on the internet.
That information is based on best practice and cutting-edge technology, but also on a misrepresentation of how the bad guys target everyone.
All of it is sold to you by salespeople looking to make a quick buck.
So why our system, and why the goal of building a secure, reactive system for your business?
Well, without a holistic paradigm around your business none of those other components will be effective.
To understand you have to look at what Moore’s law, cloud technologies and your business have in common.
In 1965 Gordon E. Moore, the co-founder of Intel, made an observation.
He observed that the number of transistors on a circuit board doubled every year while the cost of that board would halve.
This simple rule up until 2019 was the driving force behind the leaps we have made in technology in the last 40 years.
It has heralded the introduction of new technologies like machine learning and the internet of things.
It has also added to the burden of doing business by requiring our businesses to constantly update and upgrade our systems even though our internal attitudes are that there is nothing wrong with it.
If it’s not broken, why fix it?
In 2014 a new technology was introduced to business.
This technology became known as the cloud.
It was a way for SMEs to leverage other people’s computers to run their business.
It changed the cost of doing business from a significant capital expense (CAPEX) to a monthly operating cost (OPEX).
Thousands of dollars to buy hardware, operating systems and capability replaced with a monthly operational expense based on the number of people using the system.
This allowed anyone to use the best technology (cutting edge to bleeding edge) without the monumental costs and investment of owning and running that system.
So faster and faster computers, in locations where you are hiring only part of the system (think Office 365), allow any business to scale, grow and adapt without the added cost to revenue.
This is the part of business technology that all business now embrace.
Cheap computer cycles for any organisation and operation to use as they see fit.
The problem with all three systems is that we lost sight of two things – security and privacy.
In addition, we do not know where our data is, who has access to it, or what risks and vulnerabilities are now incorporated in these systems.
Add in our migration of bad security practices from our networks and terrestrial systems to the cloud, and you realise that our growth can definitely be impacted by our inability to protect that data, those systems and those users.
When it comes to security more had to be done, but, as I mentioned before: where do you start, how do you do it, and how can you do it without having to redo everything with every change to technology?
The same technology we embrace to improve our business brings its own unique security problems.
So with all this going on how do you come up with a way to secure your business or organisation when you do not know what to do?
There are three things that will improve your security.
The first is to come up with a rating capability that allows you to internally measure your business security capability.
The second is to understand the new risks that have been levelled against your business from and by the digital components you embrace to do your business.
The third is to use a combination of security requirements that, when applied systematically, tighten security around the business piece by piece.
So, if you look at this graphic.
If our business is doing well, we will grow, usually exponentially, but if something happens, not just a cyber event, a natural disaster for instance, then that growth could be stunted in ways that we have not foreseen.
The 2 most recent events to impact business in Australia have been the bush fires and the coronavirus, but there will always be challenges within your business environment.
Both problems impacted us.
No matter the business, you need to diversify.
It is the all-the-eggs-in-one-basket issue. Well, we diversified.
We have 3 capabilities within our organisation.
We are a managed service provider; a security management and coaching organisation and we teach cybersecurity at university.
We diversified to ensure we always have a steady revenue stream.
Based in Canberra, several of our clients are on the coast or between Canberra and the coast.
Normally it takes 90 minutes to get to our clients in an emergency, well within our service level agreement times.
With the 6-week closure of the Kings Highway, the time to the coast went from 90 minutes to 9 hours.
Our revenue from the university was then impacted by having courses cancelled due to the coronavirus.
Between November and February, we lost an average of 37% in revenue per month.
But, if you think about it, these were just normal risks.
Risks that have been around for decades, if not centuries.
A cyber event can be more devastating.
A loss of a database, the loss of the accounting PC, a break in supply chain deliveries or the encryption of all your data can reduce your revenue from 5 – 100% literally overnight.
Diversified revenue is one thing but having an unknown single point of failure can really ruin your day.
Single points of failure in systems often go unnoticed until after the fact.
The fastest way to improve your business security is to make sure that you understand the risks.
To mitigate risk you must reduce, remove, transfer or accept those risks using policy, people and technology.
Understand that there is no such thing as 100% secure; but always having a way back to business as normal, as well as improving your ability to track and increase the visibility of what’s under the hood, are also important components of doing business.
These 5 factors are then enhanced by understanding today’s business world is always going to embrace the next new and shiny way to make money and we need to be able to incorporate it into the business without changing the security paradigm of the business itself.
Directors and management often forget that business security is not just about protection. When done correctly it gives your business several important capabilities in 21st century business.
* It allows a business to pivot.
A quick change in the way you do business can put you miles ahead of your competition, but you need to be able to do that as safely and securely as possible.
Protecting your clients, your data and your staff is important. Understanding all the risks allows an organisation to do that.
* It allows a business to change direction.
Bringing on a new service or a new product usually exposes an organisation to issues within its protective envelope.
By incorporating better security any direction change can be protected by what is already in place, then augmented with new risk reduction strategies.
* It allows a business to react to change.
The introduction of the smart phone in 2008 and the introduction of social media in 2014 are very good examples of change within business or within your industry.
Both changed the way we do business.
I do not have a crystal ball and cannot see the future, but I want to make sure that my business will see the change, apply our security principles to the change and continue to be secure.
* It creates better understanding of your supply chain requirements.
A carpenter cannot do much without wood, a plumber without pipes, a service-based industry without people to deliver their solution.
Any impact on your raw materials will impact your organisation.
Alternative suppliers, additional components, different sources.
If you have alternative trusted suppliers, then you are always in a better position than your competition who does not.
* It allows you to leverage your security requirements into other organisations. You are always working with and for other organisations.
If you have taken care in protecting your business from a cyber event, then you are going to be cautious with trusting someone else who cannot prove they are at the same protective standard as you.
* It protects your reputation. A cyber event will impact your business in a number of ways, but the reputational hit can cause significant issues.
The impact on revenue, capabilities and people will be significant just from the damage to your reputation. Recovering your reputation can take years.
This is where the CareMIT business security system (CBSS) comes into play.
We have studied data from hundreds of organisations, and we have crunched the numbers.
From those numbers we have come up with our tried and tested solution.
There are 6 areas that all businesses need to address to be a secure organisation.
* Risk and Governance.
Looking at the risk management of the business and understanding the governance requirements for your organisation and industry.
Calculating where you are, where you need to be, how you are going to get there and, in addition, what is the risk appetite of the organisation.
Risky business or safe as houses – your choice.
* Policy and Compliance.
Creating procedures and processes, implementing policy, initiating plans and using that documentation and system to reduce the risks to the organisation.
This allows an organisation to be more flexible and reactive, while ensuring that everyone knows what is expected of them.
* People and Education.
The importance of education and training cannot be overstated.
Teaching your staff to recognise threats and respond to them is one of the best inexpensive cyber defences available.
Since phishing is the number one attack weapon of the digital criminal, enlightening your staff about the ways of the bad guys can only be a bonus.
* Technology and Frameworks.
If you think that the store-bought, ISP-provided internet connection device is going to protect your organisation, then you are wrong.
Upping your game to business level requirements is a huge leap in building security.
Implementing the NIST framework also shows the seriousness of your resolve in protecting your organisation.
The NIST system gives you a score up to 4.
It allows you to understand where you are with security but also allows you to compare your score with others in your industry or in your supply chain.
* Resilience and Detection.
No matter what, your business needs to have the ability to get “back to business as normal”, but it also has to be able to do that “as fast as possible”.
Thinking through resilience needs to be done well before an event.
The detection of a cyber-attack has to be based on changes that can be seen within the network.
You need systems that will see these changes and report them to someone or something that will action the alerts.
* Continuous Improvement.
Business changes, technology changes and we never want to be in the situation of not being secure but also, we do not want to be locked down by a system that does not allow change.
We have incorporated systems that allow for change without changing the security level and without having to reinvent the whole system again or with every change.
For you to get a better understanding of the security around your organisation we have developed the CareMIT Business security score card. (picture from the website).
Thousands of organisations have used the score card to quantify and benchmark their security and to understand the gaps between what is in place, what they think is in place and what they need to have in place.
This allows organisations to focus their energy on the areas where change or improvements are needed.
I am going to encourage you to pause the video, go to this URL https://caremit.scoreapp.com and complete the 48 yes or no questions.
It’s free, takes about 10 minutes to complete, and within 10 minutes of completion a report will be delivered to your mailbox. The report will instantly give you a ranking in those 6 areas of your business.
As a bonus for taking the time to complete the scorecard I will post you a copy of my second book, and I will post you a copy of my third book once it is published.
Pause the video, do it now and I will be here when you get back.
When you come back, I will go through each of the steps and you can benchmark your score against my commentary.
OK welcome back.
What does the report show for your risk management and governance mark?
I want you to think of this.
Your business has recently improved some systems, implemented some changes in how you do business.
A new computer, new phone system, a better internet connection, moved to the cloud in certain areas.
Most of these decisions were based on 2 factors – improved business capability or reduced cost.
The security of these systems was probably not addressed correctly, for the simple reason that it is hard to know what questions needed to be asked.
What problems and challenges needed to be addressed? Unless you know and understand the capabilities of the cybercriminal, asking the right focused questions can be difficult.
The risks to your organisation can come in several ways.
How much damage a cyber event does can also be measured:
* A cyber event could cause you to lose customers.
How many customers would you need to lose to take a hit in revenue and profits?
* Any cyber event could cause business disruption.
How long can your organisation be incapable of delivering products or services before it impacts your capability to bring in revenue and new business?
* A cyber event comes with fines.
What are they, what is the trigger point for fines, and who will you be paying them to?
* A cyber event can become a Legal problem.
Are you going to get sued, and have you made that as hard as possible by doing everything you can?
Ambulance chasers are out there, so you need to make your business hard to sue, to the level that it is known you have done everything to protect their data.
* A cyber event will be a public relations nightmare.
You must explain what happened, why it happened and what you should have done to avoid it happening again.
* A cyber event can compromise client and staff records as well as data.
What was exposed, and what information was stolen? Was it used, or was it sold on the dark web?
* A cyber event can be a direct financial loss for you and your business.
An incorrect payment to a scammed bank account. Is it recoverable?
* Who do you need to notify when it comes to a cyber event?
Do you have Industry watchdogs, compliance requirements, privacy issues?
* Has your cyber event compromised credit card data, and are you required to rectify the situation with credit card reissues, identity repair and credit monitoring?
* After a cyber event what remedial steps, lessons learned, and forensics are required or needed to get back to business as normal and to discover what happened.
As you can see, a cyber event can literally and figuratively turn your business into a smouldering wreck.
Not understanding the risks will heighten the impact of an attack.
So how did you score on risk and governance?
A low score in this area could mean that you are exposing your organisation to unnecessary and unknown risks.
This exposure can have negative, detrimental effects on cash flow, revenue and profits within the organisation.
Struggling to understand your digital business risks and governance could impact your business significantly.
A low score in this area usually means that you must step back from the business and look at your risks in a different light.
If you are interested in improving this score, or any of the scores, you need to register by clicking on the box on this page named “request more information”, and we will get back to you and organise a one-on-one with one of our team.
It is either Zoom or Skype, super convenient, and it gives you a chance to get some personal feedback on these principles.
We can help you start to customise some strategies and see if there is a fit between your organisation and ours.
So, the next area is the policy and compliance area of your business.
We now better understand the risks within the business, so now we need to do something about them.
When you look at risk there are 4 ways to mitigate a risk.
You can accept it, you can transfer it, you can remove it, or you can reduce it.
All 4 mitigating principles can be achieved with the next 3 areas of the CBSS.
They can work individually, or they can be combined to achieve a removal of a risk.
The traditional approach to mitigate risk does not normally work for SMEs.
There are 4 areas where a business can use a policy and compliance to mitigate those risks:
* Write a policy that everyone understands and have that policy enacted in the business.
Everyone now knows their requirements and the business has a way of protecting itself.
For instance, an internet policy explains the business’s expectations when it comes to staff using the internet.
* Implement a procedure.
If you want a specific way for something to be done, then a procedure allows staff members in the organisation to do what needs to be done.
It can be used by anyone who needs access to that job or procedure.
* Write a process.
The best example of a process is changes to your most important asset: your organisation’s point of truth.
Your customer database, your accounting system, anything that you know to be correct.
A 2-person process needs to be enacted to ensure that, if you are requested to change information in that system, there are checks and balances incorporated.
For instance, an email asking to change bank details needs to be verified by another person against your known point of truth.
* Create a plan. The best example of a plan is a business continuity plan:
how to keep the lights on and the business working in the event of an issue.
Everyone in the organisation knows the plan and knows what is involved and who is involved.
With all 4 there are standards that can be created by the organisation. What is right for you may not be right for someone else.
The policy and compliance component is all about efficiency.
Transmitting information across the organisation in ways that everyone understands, more importantly everyone knows their responsibilities to themselves, the working environment and their organisation.
The third area we have to address in the CBSS model is people and education.
Not only educating the front-facing people on what to look for and how to react, but we also need to look at the additional costs of training staff in the myriad components that make up a business in today’s digital environment.
When it comes to purchasing any digital component for a business, there are two additional questions that need to be asked apart from cost.
How much will training and implementing best practice cost, and what is the continuous update process for the life of the product?
People learn in different ways, but business security has to be taught in a fun, gamified way to ensure the right information sticks.
Most organisations look at education as a one-off process, once a year or when you start with the organisation.
For the compliance and governance requirements you can tick the box.
When it comes to real business security and having an educated staff, more is needed.
Not only do you need a basic business security course, with refreshers and tests every 2 – 3 months, but to turn your staff into a top security team you need to challenge them.
Discussions, regular lunch-and-learns, daily quizzes (those with prizes work best), a question a day via email where the first correct answer wins a prize, then compound it by making it a weekly or monthly prize.
Easy enough to set up, but the impact and responses will be significant.
Your staff will challenge you and their peers, this is what you want.
This component makes your staff and teams work for you, and only the most clever and intriguing phishing attack could possibly work.
Part of the business security system is to create a targeted and tailored education process for your business.
We do not know your business; you do, and to put together a structured education and training package you need to put in the information to make it work.
You know your staff, but you also understand the culture of the organisation and what will be needed to refocus that culture on the new ways of doing things.
Let’s take a step back for a moment and have a look at the perspective of business security.
By defining the risks, putting in policies and educating your staff, you are already increasing the security around your organisation.
We have defined the risk to the business and we know to mitigate those risks you need to do one or more of the following 4 processes.
* You can transfer the risk – make it someone else’s problem with warranties, software as a service or insurance.
* You can reduce the risk – to reduce the risk of a phishing attack we can put a policy in place, we can educate the staff, and with the next component we can use some sort of technological control.
Any or all of these processes reduce the risk.
We can then revisit the risk assessment to see if we need to do more.
* You can ignore the risk.
The chance of it happening, or the impact when it does happen, does not create an issue for the business.
* You can remove it totally.
Like reducing the risk, we can use people education, compliance, policy, technology or our framework to remove the risk. Most risk removal is based on changing the way an organisation does something.
Don’t do it that way, do it this way, and here is the policy, process, procedure, training and technology to do it the new and different way.
I forgot, risk management is a continuous process. It is not set and forget!
That is why you regularly have to revisit your risk process, just to make sure a new risk is visible, or that one of your mitigated risks needs to be addressed in a different way.
The fourth way to mitigate risk is a combination of technology and the utilisation of a framework.
This is usually the first step when it comes to organisations not versed in the CareMIT Business security system.
To us technology is important, but it is not the silver bullet of protection.
There are some exceedingly clever products out there, that work well and do what they are built to do, but when it comes to technology most of the time it is a single focus or capability.
Technology also includes your basic business requirements – computers, laptops, software, printers, internet connection.
They have to be the best that you can afford, they have to be the most productive and they have to be able to last.
Remember, we are putting a system around your organisation that is focused not only on security but also on the ability for your organisation to change as needed, to adapt to digital business today and next year.
You cannot do that if your technology is old, unstable and slow.
The technology, combined with your other mitigating strategies, builds a secure environment around your business; it tightens up the system but also makes it easy to change as required.
But technology, policy, compliance, people and education are not enough if you do not have a road map.
The best road map available for business is a government system called NIST.
NIST, the National Institute of Standards and Technology, has produced a cybersecurity framework called, of all things, the NIST Cybersecurity Framework.
This is what it looks like.
Like our system, there are sections that have to be completed.
If you have done our system correctly, some if not most of the framework is already done for you.
The NIST Framework consists of 98 questions.
Each question has 5 answers, ranging from “I have not done anything in that question’s field” all the way up to “we have completed the requirement, documented it, signed off on it and implemented it”.
Each answer ends up with a score between 0 and 4.
When all of the questions are complete they are tallied up and divided by 98.
This gives you a number between 0 and 4 that rates your organisation as a secure, stable and mature organisation.
The higher the score the better. Most organisations when first completing this get a score between 1 and 2.
This is the organisation’s baseline. It is the starting point. In the words of the Hitchhiker’s Guide to the Galaxy, “Don’t Panic!”
Why do you need this? Well, for most of us, when we start down the road to better business security no one else will seem to be doing it.
This allows you to go back to your supply chain and question how they are securing their information.
If their score is the same as yours, then you have a comparison of how they treat their systems and how they will treat your information if you give it to them.
If their score is better than yours, they may come back and ask you to increase your security before they will change their interaction with you.
This is what the NIST questionnaire looks like; it is freely downloadable from the government website.
We now understand that risk management for business in today’s digital world is really important.
We know that we have to apply mitigating treatments to change the risk into something the business can function with, within the risk appetite of the organisation.
But what happens if something does happen?
That is where step 5 comes in.
No matter the situation in your business environment, the viability of your organisation depends on getting back to business as normal as fast as possible.
If you cannot achieve that you are going to have problems with revenue, profit and capability.
How do you get back to business as normal?
The first thing you have to define is business as normal. What does your business look like when it is firing on all cylinders,
when everything is purring like a 12-cylinder engine? Without that knowledge you can never get back to business as normal.
Once you know what normal is, we need to now ensure that everything is recoverable.
Building in resilience ensures that you know what normal is and you know what bits are doing what to ensure that normal is always the situation.
The 2 main systems that can be implemented are a business continuity plan and a disaster recovery plan.
Both of them are documents that allow everyone in the organisation to gain insight into how the business works, what is needed and where to get it in the event of something significant happening.
It does not end there though!
An untested plan is just a piece of paper with writing on it.
It has to be tested, both hypothetically and physically.
Things have to be turned off, disabled, discussed and tested to ensure that when everything does go to custard they will work.
The more testing, the fewer problems will happen in a real situation.
Without the system at 100% you are not in a position to help your clients, inform governance and compliance systems and find out what happened.
Learnings, experience, forensics and picking over what happened is an important component of the security paradigm.
In the case of a cyber event, how did they get in, what was compromised, and was information stolen are just some of the questions that will need to be addressed.
Not only for yourself but clients, staff, management, industry and government will require an explanation. It is important that you know.
How to detect what is happening under the hood of your business is once again something that has to be initiated well before the situation occurs.
If done correctly it can give you fair warning. There is a rule within the security industry.
The 1-10-60 minute rule is based on the following principles – 1 minute to detect, 10 minutes to react and 60 minutes to confine.
If you do not have the detect system in place we have seen detecting a cyber event blow out to 90 – 120 DAYS.
In that time the bad guys have stolen all of your intellectual property, financial and client information and sold it on the dark web.
The stunning part of this type of crime – you do not even know that it has happened.
The detection component of the CBSS is to ensure that systems are in place to detect an infection or attack.
Those systems consist of a security information and event management system (SIEM).
When implemented correctly, a SIEM will report, monitor and create predefined alerts to be actioned by the Security Operations Centre (SOC).
You now have visibility based on a technological solution that allows your organisation to look “under the hood” at what is going on and making decisions based on fact and not gut and intuition.
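To make the detection component concrete, here is an added example (not CareMIT’s code, and not part of the original video) of the kind of predefined alert rule a SIEM evaluates. It reads constructed log lines, raises an alert when one source produces a burst of failed logins within a window, flags any change to the organisation’s point of truth (here, bank details) for a human to check, and records how long detection took against the 1-minute target of the 1-10-60 rule. The log format, the thresholds and the sample events are all assumptions made for the example.

```python
"""Toy SIEM-style alert rules over constructed log lines (added example).

Assumptions (not from the original page): the log format, the rule
thresholds and the sample events are all constructed for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: ISO timestamp, event type, source IP, user name.
SAMPLE_LOG = """\
2024-03-01T09:00:00 LOGIN_OK 10.0.0.5 alice
2024-03-01T09:00:10 LOGIN_FAIL 203.0.113.7 finance
2024-03-01T09:00:12 LOGIN_FAIL 203.0.113.7 finance
2024-03-01T09:00:15 LOGIN_FAIL 203.0.113.7 finance
2024-03-01T09:00:19 LOGIN_FAIL 203.0.113.7 finance
2024-03-01T09:00:22 LOGIN_FAIL 203.0.113.7 finance
2024-03-01T09:00:40 LOGIN_OK 10.0.0.8 bob
2024-03-01T09:01:30 BANK_DETAILS_CHANGED 10.0.0.8 bob
"""

FAIL_THRESHOLD = 5                     # failed logins from one source ...
FAIL_WINDOW = timedelta(seconds=60)    # ... inside this window raise an alert
DETECT_TARGET = timedelta(minutes=1)   # "1 minute to detect" from the 1-10-60 rule


def parse_line(line):
    """Split one constructed log line into a small event record."""
    ts, event, src, user = line.split()
    return {"ts": datetime.fromisoformat(ts), "event": event, "src": src, "user": user}


def evaluate_rules(log_text):
    """Run the predefined rules over the log and return the alerts in log order."""
    alerts = []
    recent_fails = defaultdict(deque)  # source -> timestamps of failures in the window
    alerted_sources = set()            # raise the brute-force alert once per source
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev["event"] == "LOGIN_FAIL":
            window = recent_fails[ev["src"]]
            window.append(ev["ts"])
            # Drop failures that have aged out of the sliding window.
            while window and ev["ts"] - window[0] > FAIL_WINDOW:
                window.popleft()
            if len(window) >= FAIL_THRESHOLD and ev["src"] not in alerted_sources:
                alerted_sources.add(ev["src"])
                alerts.append({
                    "rule": "brute_force_login",
                    "src": ev["src"],
                    "user": ev["user"],
                    "first_seen": window[0],
                    "detected_at": ev["ts"],
                    # Time from the first failure in the burst to the alert firing.
                    "time_to_detect": ev["ts"] - window[0],
                })
        elif ev["event"] == "BANK_DETAILS_CHANGED":
            # A change to the point of truth is always surfaced for a second person
            # to verify, matching the 2-person process described earlier.
            alerts.append({
                "rule": "point_of_truth_change",
                "src": ev["src"],
                "user": ev["user"],
                "first_seen": ev["ts"],
                "detected_at": ev["ts"],
                "time_to_detect": timedelta(0),
            })
    return alerts


def within_detect_target(alert):
    """True when the alert fired inside the 1-minute detection target."""
    return alert["time_to_detect"] <= DETECT_TARGET


if __name__ == "__main__":
    for alert in evaluate_rules(SAMPLE_LOG):
        status = "OK" if within_detect_target(alert) else "SLOW"
        print(f"{alert['detected_at']} {alert['rule']:<22} src={alert['src']:<12} "
              f"user={alert['user']:<8} ttd={alert['time_to_detect']} [{status}]")
```

The point the example makes is that the rule has to exist before the event: the brute-force alert fires 12 seconds after the first failed login only because the window and threshold were defined in advance, and the bank-details alert exists only because someone decided that change always deserves a human look.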
Businesses change, and because businesses change you have to have the systems and capabilities in place to ensure that you are going to take advantage of those changes.
The final component of our system is to ensure that change can be incorporated into your business environment.
To ensure that new, improved or better systems, training, policies, technology and capabilities can be implemented without having to change the whole structure of the security paradigm.
That is the CareMIT Business Security System.
Each component is designed to augment, interact and improve the security around your organisation with minimal impact on the business.
It is also designed to allow the organisation to see trends, focus on improving revenue by having the capability of changing direction if needed.
There are no cul-de-sacs, no ambiguity, no wasted capability.
The business security paradigm is to make your business work better, react faster and be more nimble than your competition.
What you are doing and talking about is not rocket surgery.
It is not a hack. It is not a gimmick. It is not a quick fix, do this and you are secure.
It is a complete change to your thinking on how safe and secure your business is but it also gives your business the capability to change as needed in today’s business world.
It is a combination of samples and examples of systems, best practice, personal feedback, industry led risk management practice and all implemented over a 12 month period.
100% security is impossible, but this system will make sure that you have done everything within your capability to reduce the odds of a breach to the lowest level humanly possible.
I have a proposal for you. No matter the obstacle that you are experiencing in your business right now. They will get much worse with the impact of a cyb