CRAIG: Hey everyone. Welcome back to the 101 Digital podcast.
I’m Craig Meyer, the CEO of 101 Digital, and we’ve got with us today Arthur Dodd, the CTO of 101 Digital.
So, today we want to talk to you guys about the five best practices that we think any business can do to really secure themselves.
Some of these are extremely easy, things that we think that every single user should be doing today already, but some of them do obviously require a little kind and going through what actually needs to be done with it.
So, we want to talk through some of that today, give you guys a good idea of what those are and how you can do some of them yourselves and then how obviously 101 Digital can help you as well.
CRAIG: So, the first one that is, to me, one of the most important things and that every single user should be doing because I think it is something that is very simple to do is two factor authentication.
Sometimes people refer to it as multi-factor authentication, but yeah, Arthur can you just talk us through some of those things?
How to do it…why it’s so important?
ARTHUR: Yeah, definitely. Multi-factor authentication or MFA for short is something that luckily a lot of folks have gotten used to because they’ve been forced into it.
There was a lot of reluctance earlier on, but once banks started requiring it, Netflix requires it sometimes, Amazon, you know, a lot of folks got comfortable with it.
It’s the idea that instead of just using a typical password, you need to have something else verify who you are, at least one time, to verify who you are and that you are the right person to have access to that account.
So, I’ve had a lot of conversations with our clients in the past several years about turning that on, in particular for email accounts.
Email accounts are largely hijacked.
Everyone’s seen ransomware come in through emails or you get an email from the accounting team that needs money wired while you’re on a beach or something like that and you’re off on vacation and it’s just “What’s going on? Why are you asking for this? Okay I’ll do it”, because the mailbox got breached.
By turning MFA on, for your individual email account, you might need to have a text message, you might need to use an authenticator app or something else that first time you get into your account on that device.
But once you do it, you’re in, you’re good. And then any new devices you need to use to get access to that email, they’re also going to ask for that.
The benefit being that if someone is off in another country and trying to log into your account with “I’m the greatest” as a password they’re not just going to get right in.
They need to have something else prompt and you usually get a text message on your phone going “Wait a minute, someone’s trying to access my account. What’s going on here?”
And that’s really the benefit of turning it on. Some people can think it’s a little bit painful the first time to get used to the new method of how using MFA is, in particular for your email account.
But again, with everyone requiring it from banks to Amazon to other third-party apps and services, a lot of folks are getting more comfortable with it.
So, if your organization isn’t using it already, you’ve got to turn it on, you’ve got to make sure it’s there before it ends up getting forced on you.
CRAIG: Yeah, I agree. It’s one of those ones that I kind of jokingly say, but if you have it on, you can almost give out your password to someone. They’re not going to be able to get into your account without that. So, that’s why that’s so important because, again, it really doesn’t take much to do and once you have it set up, as Arthur said, it’s usually something that’s not going to bug you every single time. So very, very important to do that.
CRAIG: The next one I want to talk about and I kind of always refer to this as the last line of defense which is your end users.
You can have firewalls in place, you can have antivirus in place, email filtering in place, but if an end user clicks on something, you potentially have now gone through all of those different filters and potentially get ransomware or some other malicious thing going on.
So, can you kind of talk through phishing simulations that we do and the training and why that’s so important?
ARTHUR: Yeah, definitely. Security training is definitely essential to every part of your organization, just the same as having standard operating procedures for all parts of your workforce.
It doesn’t matter if you’re running a printing press, if you’re operating a machine, using technology has that same importance for any kind of training.
And this comes down to the people element like you alluded to.
So, when we think about the ways most organizations are breached today, it’s no longer a matter of pop-up windows and having to just wipe a computer and restart or fighting with a virus.
It all comes down to social engineering – how you get past people on the person-to-person level.
All the attacks these days are very focused and not scripted. It’s not a computer that’s running an algorithm to try to get into something.
It’s all about interacting with the people and finding a way to get past the people. And that’s where the training comes into play.
So, what we do is have a nice portal where we set up the training.
We get people access to it.
We have emails go out to them that have tips on a regular basis.
We have topics that they’re going to take tests on and actually need to complete and verify that they’re watching that training.
And we keep the content current and the importance of keeping that content current, of course, is that it’s always an evolving landscape and you need to know what the latest thing is.
Similar to passwords and using MFA, the evolution of how people authenticate to something – the same goes for training because the attacks also evolve and they switch up the way that they’re doing it.
So, keeping it front of mind and just remembering like “Oh yeah, that training told me that I needed to check the email address it’s coming from because even though it says ‘Bob Johnson,’ this doesn’t look like Bob’s email” and you’ll only really get your users on board with being able to detect those things if they’re doing training regularly.
To complement that, we do the phishing campaigns, so we set up fake scam emails and we send those out on somewhat of a regular cadence, but we don’t tell the users what that’s going to be because we need to keep everybody on their toes.
We don’t even tell management or the C-levels of the organization what that’s going to be because they need to be part of it, too.
And if you think about it your higher up management and your C-levels, those are your biggest attack points because they have access to stuff that not everybody else does.
Not to say the rest of the organization doesn’t need to be protected, but when you think about who is the most vulnerable and who can give up things or who has power to make decisions in an organization.
Pretending to be them is pretty important if you’re trying to attack.
CRAIG: Definitely. And I think another thing that we’ve seen a lot lately is actually what they refer to as BEC, business email compromises, where again we’re not only just talking about malicious things from a ransomware perspective, right?
We’re talking about true business things that can happen.
Typical BEC, what’s going to happen is they’re going to see interaction with accounting, whether it’s your department or your customer’s department, and someone’s going to get in between that.
So, they’re going to get access to one of those email accounts or even, we’ve seen where they then spoof a domain.
Not even just in the sense of actually trying to send as them, but putting an extra character, using a number or something, to make the domain look very similar.
And then they’re going to say “Hey, we’re switching our bank account and here’s the new ACH terms and also, these are the invoices that you still owe us.”
And again, they get that information because they have potentially gotten into one of your vendors’ accounts or your accounts, whatever that might look like.
So being able to identify those things and even knowing procedures.
So, if someone does reach out and says “Hey, we’re switching our bank,” that should be a phone call, right?
And our training talks through some of those things. It’s not always just “don’t open files, don’t click on links”; there’s a lot more to it than just those two things.
ARTHUR: Yeah, when you go past the training and you dive into policies and procedures, it’s really fun to map out all of those processes.
All of that will always get you past the point of people making up bogus POs. As long as there’s that check, like you mentioned, of “Oh, before we issue any of this money there needs to be another check to make sure this is authentic.”
It could be calling the vendor.
It could be doing any of those things.
And as long as that gets done, it usually stops the attack.
CRAIG: That’s why it’s so important to continuously educate your users.
CRAIG: The next one which I wanted to at least touch on it too from a MFA perspective, is using some sort of password management tool.
Essentially, there’s a lot of them out there.
Keeper is the one that we suggest our users use, but it’s a way of storing all of your passwords, sharing your passwords and also, again, doing MFA.
But obviously we want to have Arthur talk more about why that’s so important and how that tool works.
ARTHUR: Yeah, definitely. Password managers — a lot of folks have heard of Dashlane, LastPass, any of those other kind of home focused password management solutions.
But when you start entering the business-grade aspect, you need to think about something that has a certain level of security, a certain level of manageability and something that can allow you to collaborate with your team on a password sharing basis without necessarily giving up the passwords.
And that’s where something like Keeper comes into play.
Especially for our folks, like our nonprofits or others, that have a lot of rotating roles or temporary roles.
You want to think about, if they were to set up an account for a specific role in the organization and then they rotate out or they leave or something happens, let’s say they go on maternity leave, and nobody has access to that account.
How does your business get a hold of that password?
Furthermore, how do you secure that password in a way that it can auto complete when it gets used and you don’t need to think about it?
So, you’re not going to make short passwords.
You’re going to let it generate a really complex password for you because you’re never going to think about it again.
As soon as you go to the website you need to, it auto populates the password, you don’t even see it. It logs right in for you.
Like you mentioned, if it’s using MFA, it can actually save the codes and tokens in there for how it does the MFA and it can auto complete that as well.
And then if you need to share that password to someone else in your organization, you can do that without them even ever seeing the password.
CRAIG: And I think it also makes it easier to, like you said, with temporary staff or as people come and go, being able to rotate those passwords out faster.
If you even need to because again with Keeper, you can actually have it where it’s a — I don’t even know if there’s a term for it — but a use only essentially where they can’t even see the password.
It just auto fills for them and then that’s their access to it.
So, if an employee like that is let go or leaves, you don’t have to worry about resetting some of those passwords because they never knew it.
And same even goes for myself, right?
A lot of my passwords now, I don’t even know what they are.
Which is good for multiple reasons.
One: I can’t give it to anyone and then two: it’s going to be, obviously, a very secure password.
ARTHUR: Yeah and the other great thing about it is, when you use an enterprise-grade password management solution, it is going to secure that data so that even the company that makes the solution doesn’t have access to it.
And that’s really important especially when you look back historically at say, like LastPass breaches that have taken place in the past.
You found out the security keys that encrypt all that data were actually available to the company.
They could get compromised.
So when we talk about Keeper in particular, one of the things I’m a big fan of is that only you and your users know the main master encryption key for that solution.
So there’s pros and cons to that being that if the user loses their encryption key and they don’t remember how to get into their account, you’ve actually blown away the whole account.
But from a business security standpoint, nobody else is ever having access to that data and that’s super important.
When you use your cell phone, because they all have mobile apps, when you use your cell phone as that authentication mechanism, that’s where you’re going to set up your 2FA for even getting into that account which then has access to all the other 2FA aspects.
CRAIG: Yeah and actually that was the last thing I was going to bring up too is the mobile side of it, right?
So a lot of people will be like “Okay, well now my password manager’s only on my computer.
What if I travel and I have to use a machine or something?”
You can pull out your phone, but also you can have it be essentially the default for even your password management.
Say on an iPhone, right? So that’s extremely helpful as well.
CRAIG: Next topic that we wanted to get into is as more and more people go remote, whether it’s because you’ve got a hybrid workforce now, you just like the flexibility of if people are sick, or snowstorms, whatever it is — people in this day and age are just more remote, right?
So, with that though, is now we also see that sometimes we have to help support home infrastructure.
So, we want to talk about that home infrastructure from an Internet service provider, potentially the end users, networking equipment and how to make sure those things are secure.
ARTHUR: Yeah, absolutely. You know, the interesting thing about home environments is that every single one is different — for various reasons.
So, there’s lots of variables and we have a lot of good solutions to secure data being accessed from the home environment, in the corporate environment.
But there does come a responsibility for folks working from home to just make sure they’re naturally doing secure things in their own environment.
And that impacts the business as well as personal life.
So, the NSA just announced a whole list of security measures they recommend for home environments and one of my favorites on that list was about the firewall or router that you’re using at your house.
The firewall or router is really the way the Internet access gets in and out of your home.
Most vendors, be it Comcast, AT&T, or any other Internet provider, are going to provide you with some type of router.
A lot of folks end up using that and using the built-in Wi-Fi or any other functionalities of it, but they don’t actually have control over any of it.
And what we find — and the NSA really talks about — is that a lot of those vendors aren’t applying proper security patches and updates to those devices and again, stepping back and thinking of it from a malicious attacker’s perspective.
If I know the Internet provider in your area deploys a certain type of router and they deploy thousands and thousands of those, if I’m looking for a target, I’m going to find vulnerable routers that fall within there.
So what we encourage is that everyone in their home environment gets their own firewall.
You can put it right in front of the internet provider’s.
So plug that into the Comcast box and then have all of your access go through that and make sure that that firewall is getting updates on a regular cadence.
If that firewall goes end of life in five years and it’s not getting security updates anymore, you do unfortunately have to replace it.
The good thing is, today, a lot of firewalls are way easier to configure than they used to be.
So you simply pop an app on your phone with most of them, it walks you through the steps, it has you scan something and it’s up and going.
So it’s not as complex as it used to be.
If you find a well-known reputable brand shopping at any retail store, you’re going to find enough firewall features to protect you from using the traditional router.
CRAIG: Yeah, I think that’s all really good advice.
I feel like a lot of us here internally, being obviously IT savvy, some of us may have pretty robust internal networks but, like you said, you don’t have to go to those lengths.
It’s just having something that’s reputable put in place and again, that’s where we see sometimes where a certain vendor has some sort of breach or they push out a zero day, whatever that is, we like to try to make sure we get that then out to our customers and so that they know too because, again it’s their home firewall, they may need to do some sort of update on that as well.
CRAIG: Then the last one we wanted to talk about is just the scheduling of patches and firmware updates across not only the machines, so you know, your desktops, laptops, servers, but also all of the other equipment.
You’ve got networking devices, switches, firewalls, wireless access points, potentially even cameras.
Anything potentially on the network could need firmware updates because of, again, security threats.
So we want to go through some of those things, how we do it, how some of that’s automated, and why it’s so important.
ARTHUR: Yeah, definitely. From a business environment, there are so many layers of internet connected devices and access, be it workstations, laptops, servers, like you mentioned, cameras, networking equipment.
And it’s always good for every business to make sure you have a policy in place on how all of those items are getting updated.
If it’s simple security patches, if it’s firmware updates to fix issues, even if it’s a matter of knowing what the security release cycle is for those vendors.
And again, going back to the idea of end of life, those devices won’t be getting updates forever.
So, what do you do when something like that happens?
So, for every one of our clients, we have their full networks mapped out.
We know what all the equipment is going to be that’s touching that network. And we have policies in place for how patches go out.
We work with clients because when people hear about updates and patches taking place one of their biggest worries is always, “Is my computer going to reboot in the middle of a really special project?”
And nobody wants that.
And if you don’t have proper patch management policies in place, you usually do fall victim to that.
So, we work with the client to understand, based on their segments within their business, so the production floor might work differently than the accounting office.
And we set up specific patch management policies so that, say every evening any critical security updates are getting pushed automatically and those computers are going to reboot to get those patches done on a regular cadence.
Any optional updates might take place weekly or monthly.
Anything that’s going to take down a piece of equipment that’s critical to operations might get patched manually on a regular cadence or it might be something that happens every month as well.
So, however it gets structured for your business, from a security perspective, sooner is better but make sure you have a plan in place and that everybody in your organization knows what that plan is.
When you look at the home environment, the teleworker environment, now you’re exposing a whole bunch of other devices possibly to your business.
If those are connecting to your business so, we’re talking about home devices: baby monitors, smart plugs that you’re using to turn stuff off and on, your smart speakers that are listening all the time.
And the NSA talks about this in their latest release too: make sure to keep those things up-to-date all the time.
If you have a 15-year-old MacBook that you’ve never updated because it still runs like a tank, you know, it’s probably not getting security updates from Apple anymore.
So that’s something you really got to think about. And how does that pertain to what you’re trying to do with work, as well as your home life?
Turn off webcams or cover them up, unplug devices that simply don’t need to be online, even reputable vendors.
Sometimes they have a zero-day attack and they can be breached, but if you have a device that you use, say, every three weeks, just unplug it.
You’re going to save on your electric, you’re going to take it off the grid.
Nobody’s going to be accessing that device and it lowers your threat landscape.
CRAIG: Yeah, definitely. And again, us being in the IT space, at my house I actually VLAN off all of those things, but, again, like our typical end user’s not going to understand those things.
But, like you said, either unplugging those things that are maybe old and don’t need to still be plugged in or just make sure that the firmware updates are done.
Those are extremely important things.
CRAIG: I hope that these five different topics can really help all of the businesses out there.
These are all things that we do for all of our customers today so if you ever need any help with these things, you can reach out to us.
You can go to 101digital.com and really appreciate you guys tuning in again.