Cyber-Resilience for Small Business: An Overview of the NIST Cybersecurity Framework
Listen/watch to learn the five parts of the NIST (National Institute of Standards and Technology) Cybersecurity Framework from President/CEO of W3 Consulting Ray Sidney-Smith. You’ll walk away with a good understanding of the cybersecurity framework and practices and tools you can use immediately to work safer on and off the Web.
Now more than ever, small businesses are under attack, from the COVID-19 pandemic to global digitalization to hackers finding easy targets in small business owners, their families, and their employees working at the store, at the office, or at home.
As October is National Cybersecurity Awareness Month (NCAM), W3 Consulting has joined as a Champion on behalf of NCAM’s sponsors, the National Cyber Security Alliance (NCSA) and the Cybersecurity & Infrastructure Security Agency (CISA), to bring timely information to small businesses about how to protect themselves technologically, online and offline.
(If you’re reading this in a podcast directory/app, please visit https://webandbeyondcast.com/ for clickable links and the full show notes and transcript of this cast.)
Each week, President of W3 Consulting and Managing Director of W3C Web Services (https://web.w3cinc.com/) Ray Sidney-Smith broadcasts live to update you on the latest small business digital marketing and business productivity technology updates you need to be effective.
To see the prior weeks’ videos, visit https://www.youtube.com/playlist?list=PLwbHNIcsaJ-jX25DQpjGkRkCqZZGmCYbQ.
Come with your Small Business digital marketing and related questions!
For future Web and Beyond Live streams, use https://w3cinc.com/webandbeyondlive to find the latest, upcoming event!
Subscribe to W3 Consulting to get notified of new videos and livestreams: https://w.w3cinc.com/subscribe-youtube
For more content from W3 Consulting, check out our podcast: https://webandbeyondcast.com
Follow W3 Consulting on LinkedIn: https://www.linkedin.com/company/w3consulting
Follow W3 Consulting on Twitter: https://www.twitter.com/w3consulting
Like W3 Consulting on Facebook: https://www.facebook.com/w3consultinginc
Follow W3 Consulting on Instagram: https://www.instagram.com/w3consulting
In this Cast
Ray Sidney-Smith, Host
Resources we mention, including links to them, are listed here. Please listen to the episode for context.
CreditSignal (Dun & Bradstreet Business Credit Reporting)
Raw Text Transcript
This is a raw, unedited, machine-produced text transcript, so there may be errors, but you can search it by keywords or key phrases to jump to specific points in the episode, or to reference back to at a later date.
Raymond Sidney-Smith 0:03
Welcome, everybody, to Web and Beyond Live for this edition, which is for October 12, 2020. I’m Ray Sidney-Smith, President of W3 Consulting and Managing Director of W3C Web Services. With that being the case, I’m going to be talking today about cybersecurity, because it is National Cybersecurity Awareness Month. What I wanted to do was to spend this week, and actually the next two weeks, with special guests, covering some things that you should be paying attention to related to cybersecurity. And what I wanted to do this week is to really start off with a discussion of the NIST Cybersecurity Framework. What this is, is a framework for small business owners like yourself to be able to really consider what are the real issues that you need to be doing throughout the course of your business, to make sure that you’re able to understand, manage, and really, ultimately, express the risks, both internally and externally, regarding your cybersecurity practices. And so what I wanted to do was to talk about this in a different flavor than I think most people do, which is that most people talk about this from the perspective of being really a scare-and-shame kind of concept, which is to basically, you know, fear and shame you into utilizing these practices.
What I want you to be able to do is to really focus on the things that are practical and productive for you regarding your cybersecurity practices. So, for example, I think about this from a marketing strategy perspective, first and foremost, which is that if you are staying safe, you are projecting a message to your customers that you care about their safety, that is, the safety of their data, the safety of their own security and privacy. And that is something that people can’t really buy; there’s really no value higher than protecting people’s data privacy and data security, especially when they’re transacting with you in the digital age. So I really find it to be important, just as a marketing edge, to always say, “I think about your privacy first, so that you’re able to work with me and be safe and secure in that way.” Two is just a greater resilience perspective, which is that when a business is impacted, which is usually when people contact me (while I don’t handle cybersecurity for small businesses, my background and specialty is helping people in the digital space, so people contact me a lot about issues), it’s always after the fact, when they have been impacted by a phishing attack that has led to some kind of malware infection or something else like that, that they then come to us and say, “Gosh, we’ve been infiltrated. What can we do now to protect ourselves in the future?” And usually it’s too late; they’ve lost productivity in that sense. What I really would love to see people do is to not have lost that productivity, and to be on the “before” side of that, before they’re impacted by all of this, so that they’re able to continue working without any impact on productivity. So you have lower downtime, greater productivity.
And in many cases, you’ll have lower insurance premiums and lower costs generally. I mean, some of these larger security impacts and breaches that have happened, you know, you have a ransomware attack, and the ransomware person is asking for X number of hundreds or thousands of bitcoin in order to be paid off, but at the same time, on the flip side of that, even if they don’t pay the ransom, they’re still paying millions of dollars to be able to do the backup restores, and so on and so forth. So while it may not cost your business millions of dollars to restore data, it can still cost thousands, maybe tens of thousands of dollars to restore data systems, even if you don’t pay the ransom. So it ends up actually costing you money that you just don’t need to pay, that you shouldn’t have to, if you do the right things. And then next up is staff. And we know that, unfortunately, it’s human error, and also internal human infiltration, that actually accounts for the highest numbers of problems when it comes to cybersecurity. And if we are cybersecurity-focused as small business owners, we can both stop people from gaining access to systems that they shouldn’t have in the first place, which removes the risk there, right, and two, have happy staff members, right, staff members that are calm, given a sense of safety so that they can log in and pay attention to what they need to, which really gives them a sense of being able to work without fear. You know, so often today people are always talking about how employees are the likeliest people; I literally just said it earlier, right? Staff members are the likeliest error in the systems. They allow in that first phishing attack by clicking on a link in an email, those kinds of things.
If we can kill some of those things at the top of the chart, then what happens is we’re able to create a greater experience for employees, because they feel safe to be innovative and creative and do the work they need to do in their environments without too much fear of cybersecurity impact.
And then, of course, I always think about this from an innovation perspective. If we’re doing the right things in cybersecurity in our businesses, we’re actually also doing really great things in terms of innovation and being flexible and adaptive in a dynamic environment. If 2020 hasn’t taught us anything else, it’s the fact that being in and around a situation that is constantly changing and uncertain, for so many of us, we have to be able to be that flexible and adaptive in the face of almost anything. And we have to consider it as an ongoing natural disaster, this whole COVID-19 pandemic. If we think about the cybersecurity risks as basically an ongoing thing, right, an ongoing natural disaster, we’re capable of watching it in slow motion and understanding how to respond to those things, but it actually will create new and good things on the other side of this. One case in point, something that I’ve been talking about quite often these past, you know, almost year now, is explaining to people how their ability to take a physical retail environment and make it digital now gives them, on the other side of this pandemic, a real, solid business that will be future-proofed to some extent. It’s diversifying revenues, it’s creating multiple revenue streams as opposed to just one, and maybe creating new products, because delivering your services through the web, as opposed to just in a physical environment or over the phone and email, is giving them a greater and potentially broader audience to serve. So these things are really, really powerful. Stop thinking about it from a fear-based perspective, and really start thinking about it from how you can make this a business advantage, and then cybersecurity becomes a much easier thing.
So what I wanted to do was to cover how the NIST Cybersecurity Framework is structured. I don’t want to get too far into the details; I want to cover it by showing you some of the pieces here, so that you’re better able to understand how it’s put together, and so on and so forth. But I do want to cover some of the background details, so it’s a little bit more useful to you, in essence. So what I’m going to show you first here is actually the slide deck from NIST themselves. NIST is the National Institute of Standards and Technology. They are a government agency that provides these really great resources for small businesses; they actually have a section on their website dedicated to small business cybersecurity, and I’ll actually show that to you at the end, so you can find out more resources on it. But in essence, the framework itself started in 2013, when an executive order was issued, 13636, which in essence culminated in the Cybersecurity Enhancement Act of 2014. Then again, in 2017, under President Obama, I’m sorry, under President Trump, we had Executive Order 13800, and that actually ended up strengthening some of the pieces of the framework and actually added another component to it. And we’re not going to talk about that today, because it’s really not necessary. But there basically has been this history over the past 10 or so years of helping to put together the framework so that what we’re about to talk about could come to pass. So we not only had the framework come together itself… I’m now trying to find my screen here; it seems to be missing. Let’s go ahead and move this over here. My apologies, I don’t know why this is. There we go. So we have the framework itself, which is basically the five parts that are on screen right now.
And if we can think about it from the perspective that the five parts, which are Identify, Protect, Detect, Respond and Recover, those five are what we call functions. Those functions are those five pieces, the ID, PR, and so on and so forth: identification, protection, detection, response, and recovery. And so what those are, are basically the groupings under which outcomes for your business are looked at. So whenever you’re thinking about your business, the framework is supposed to allow you to have this common language, as they talk about, so that you’re able to describe what the outcomes are that you want from any part of the framework. So when you’re dealing with a cybersecurity risk, how do you want to describe the outcome? That’s really where categories come into play, and subcategories. So categories are really outcomes that are more broad, broad in sort of scope. So we might talk about identity management. And we’ll talk a little bit about identity management shortly. So we can talk about identity management, and that’s a broad category, right? So that’s a category. Within the subcategory, we
might then talk about access level management and how we’re going to do user account management within a particular business. That’s going to be our subcategory. And how we define subcategories within the system are those specific outcomes: we’re going to set user account levels to the least-privileged user level whenever we create new user accounts, right. So the administrative assistant doesn’t need access to the financial systems that the accountant needs; all they need is the least-privileged user account access in order to be able to do what they need in the world that they’re working in. Then we come to the final stage of the kind of strategy. And so we go from the perspective of the outcomes, specific outcomes, categories and subcategories, and then we get to this final section, which is basically the informative references. And the framework basically has these four levels, right: function; category, which is, you know, the high-level outcome; subcategory, specific outcomes; and then finally, informative references. Those are basically resources; they may be standards, they may be guidelines, they may be practices that you want to implement in the business to be able to make sure that you’re adhering to those pieces. So in essence, that is the framework in a nutshell, right; it covers these broad areas and pieces so that you’re basically able to understand what’s going on in those spaces. What I wanted to do was to cover the five different functions, and what I tend to guide businesses on doing in those five functions to be able to stay cyber-resilient. And so there’s this term we call cyber resilience. And cyber resilience is being able to follow those five functions, right, and staying on top of all of the various areas within the business. So I wanted to cover each of these and talk about some of the pieces that you can use to stay cyber-resilient throughout the process.
And of course, that takes us first to the idea of identification, or Identify. Identifying really comes down to the idea of identifying all of the areas which you need to pay attention to when it comes to your own cybersecurity footprint. I actually usually start people out in this particular area, which is that most businesses don’t know this, but you have a footprint, you have a business credit profile, and so your financial world, and really everything you do as a business, legitimately, with financial institutions, with other businesses, and so on and so forth, is actually tracked using something called your D-U-N-S number, your Dun & Bradstreet number. It’s a credit file, just like you would have in your personal finances; you know, you have the three major credit reporting bureaus, and so on and so forth. So I usually start with businesses, when we talk about identifying, and the system is just to take it down to a very practical level, right?
Raymond Sidney-Smith 13:18
If we just jump from categories and subcategories and so on and so forth to one of the informative references, really just a generalized practice is to go ahead and make sure that you have a D&B number, that you’re tracking your credit profile, and making sure that there aren’t other bad actors who have already gotten in and gotten access to your data, and gotten access to your financial records and have used them inappropriately. This is a good first step. I would also recommend that you go ahead and do this with the three major reporting agencies, the personal credit reporting agencies; you are allowed a free credit report, according to federal law, once a year from them. It’s not going to give you a credit score, but it’s going to give you the report itself. And you can go ahead and submit for that, you can gain access to the credit report, and you can actually make sure that, you know, something bad hasn’t already happened. Many times I’ve talked to clients, and they don’t realize until after the fact that something has happened. And once they’ve done the research, they find, “Oh, you know what, we’ve been having this problem for quite some time, didn’t realize it, but now we recognize that somebody has been utilizing our name,” usually by mistake; it’s usually not that they were willfully doing it. And so therefore, you know, not knowing why certain things were happening in the business, that they were getting mail that wasn’t theirs or other kinds of things of that nature. So I see a message from Karen; she’s saying… I see a question. I’m not quite sure I understand the question, Karen. So if you want to restate the question, I am seeing your questions. So if you have any questions, feel free to throw them in the chat. But I’ll answer those when I get to the end.
So just make sure that you go ahead and structure your kind of first step of identifying to make sure you know what your credit profiles look like, what your business profiles look like. And that way you’re kind of staying on point in terms of keeping information fresh for yourself. The next area I always tell people to look at is really the core infrastructure that you have around the business. So for example, this website, for example, SafeHome.org. And while a lot of business owners, maybe… oh, not to worry at all, Karen; that’s fine, I’ll respond to these things once I get to the end. But feel free to ask your questions in the chat, and I’ll try to answer your questions when we do get to the end. So when we’re talking about the notion of physical safety with regard to the business, there are physical access issues that we always have to think about. And many times, we actually don’t know what kind of security we have in place. So just think about the places that you can go to to get that data. So I think about your home security systems: if you have a home-based business, or if you’re working from home, if any of your staff members or employees are working from home, you should also be considering what kinds of physical safety precautions are being taken about the digital security of your business. If your employees, or you, have a general practice of leaving your phone out on your kitchen table next to your front door, that’s a problem, right? Because anyone can just walk through your front door, grab a phone, and run with it. And guess what, that’s a risk. Now, I’m not saying you have to change anything, but you should know that that is a risk, right.
And that’s where things like SafeHome.org come in; you can go through and look at their resources to see what kinds of home security systems, what kinds of smart home security systems, are available to increase your security across the board. Okay. I also recommend, whenever you’re doing this kind of work, if you are in a commercial environment, that you actually go to your commercial building manager and talk to them about what kinds of security protocols they have in place. You might have things like a Sonitrol or a Kastle system, one of those types of commercial-based systems in your office or in the building. You may not know
what kinds of security protocols they’re using as it relates to it. You might just use your key fob to get into the elevator or the building or the office. Who has access to those? How do they log who has access to those? And do you have access to those logs on a regular basis, so that you can see, “Well, wait a second, I have the staff member who comes to the office from nine to five, but for some reason they’ve been coming in from 11pm to 3am every day”? That might show you that someone’s maybe stealing from you, you know, or taking data; it might also mean that your staff member is just working late hours, they’re a night owl, and they get stuff done late in the hours. But it actually helps you to understand what kind of risk you have out there, right? This is about understanding risk and identifying what data you have available to you. This is also a really great time to identify all equipment, all software, and all data that is being collected by the business. So equipment and software is: what are the various pieces of software that you are using, and on what equipment? That could be computers, tablets, laptops, servers, as well as web services. Many times businesses have dozens and dozens of different kinds of web-based services that they’re using, and web-connected devices that they are transmitting data about. And you need to make sure that you know what data it is. I like to just create a simple Google Sheets workbook and put all of that data into the Google Sheets workbook, so we know, okay, this is all the equipment in the business, this is the inventory of that. This is good for accounting purposes anyway, because, right, we’re depreciating our assets over time anyway and talking to our accountants about that. So we’ve got that. We then put in all of our software and make a list of all the business software.
And this really helps us have some of those hard decisions about, okay, we have three different pieces of software; at least in my world, I have three different pieces of software that can do everything. Which ones do we really need? And do we need to create an attack surface, that is, the number and breadth and volume of places where a cybercriminal can attack us? So we call it an attack surface. We can reduce that by having one piece of software that does everything we need it to do, and not having three pieces of software that do the same function. So if you have a lot of overlapping functionality, we get rid of one or two of those. And guess what, we’re now saving money and we are reducing our cyber risk. So that can be really great; just doing identification can help us do that. Then we want to make sure about data. Data is in all kinds of little places, right? We can have data on our local machines, on our desktops, on our phones, on our tablets, on our laptops, and so on and so forth. But we also have lots of data in the cloud. And this could include OneDrive and Dropbox and many other file sharing tools; it could be our own websites, and making sure that our websites are secure, so that we’re not just placing data nakedly up in the cloud. It’s just making sure that when we’re putting our data somewhere, we know where it is, and whether or not it has the appropriate safety and access protocols to make sure it’s safe. So that’s part of the framework. That’s all under the NIST Identify function, making sure all those pieces are together; very easy to do. One other thing that I really like using is this tool called Spyse. Spyse is a cybersecurity search engine. In essence, what you can do is actually go to spyse.com. And I’ll put links to all of these in the notes below, and in the description below later.
But in essence, what you can do here is go ahead and type in a domain. I’ll type in google.com, just for the fun of it. But if you type in google.com, you will then see all of this information about google.com. So you would type your own website address in there, and any other website addresses. So if your email address domain is different than your business domain, if you have multiple services, for example, you know, I run a digital community, I’ll talk about that at the end, I run a digital community, and I want to be able to know what’s happening with those digital communities and all of the various subdomains associated with it. And you can see here, it looks at DNS, and you need to know what these things are in order to be able to benefit from seeing this. But you can see all of the various data that is embedded in here and see what is happening with your data, and really sometimes what is happening with your clients’ data, because it’s databases that are holding client data, usually, that are out there on the internet. It shows you related organizations; so here’s Google, you can see all the various other related organizations to it, all of the underlying security certificates related to it, all kinds of fun things. You can see the email addresses for the organization that are exposed to the web, and what that means for your business. Just really, really interesting information that you can capture and utilize just to, you know, get a better idea
or electronic discovery. If you’re sued, and you have data that is, you know, from the beginning of the business, guess what, the law firm on the other side, the lawyer on the other side, that law firm trying to litigate the situation, they’re going to want that data; they’re going to go ahead and ask the judge for all the data they can possibly get. Now, of course, you can fight back against that and say, how is that pertinent to the case involved, and make some argument to that effect. But just know that what’s good for data sanitization and data disposal is also good for discovery, it turns out, as well. Okay, next up, I want to kind of take us along to the idea of, from a protection perspective, what we can do at what we call the edge. The edge means wherever we’re connected to the internet, that outermost point where data has its first point connected to the outside world. That is usually met by a router or hub or some other kind of device. When you’re connected from your tablet, your laptop, your computer, you’re connecting through a router or some other device that connects up to your internet service provider, and out there to the world. What most of those have, and some of them don’t, now that many of us are working from home or some hybrid of home and the office, many of them have a firewall. And those firewalls are sometimes
Raymond Sidney-Smith 28:58
they’re sometimes not so good. And so I tend to actually recommend that people have stronger firewall tools. And one of those firewall tools is called Firewalla. Firewalla is a device that you just basically plug in; I’m going to bring it up on screen here. You just plug it into your network, and it acts as kind of a sentinel; it kind of monitors your network, and it gives you a whole bunch of power. Now they run in different versions. So you can see here they have the baseline, which is the Blue; they have a Red, Gold; and then they have this much more next-generation one, which is the multi-gigabit version as well. But in essence, you can put these small devices onto networks and they provide you with all kinds of optimized security functionality. So they can not only protect you against hackers on your network; this can include, if you have any key employees, or if you have employees who are working from home, you know, they’re on home networks with home routers, and those are not designed to protect a business, certainly not designed to protect customer data. And so something as simple as a firewall plugged into the home network can really seal a lot of the cybersecurity holes and really protect the system. In addition, it gives you a whole bunch of other features, I mean, privacy protection with a VPN. So even if you take your laptop, or I take my iPad (I have all my notes on my iPad here), I take this iPad out to a cafe; with the VPN on it, I’ve basically created a secure tunnel, so that the public Wi-Fi isn’t picking up all of my interaction and data while I’m out there in the wild. In essence, you can block ads through Firewalla. So just a really, really powerful tool. Now, contrast that with pfSense. pfSense is actually an open source piece of software.
So if you’re of the geeky side, like I am, a little nerdy, and you like technology, you can install pfSense, you know, directly on a Raspberry Pi or any other appliance that can run the software. If you’re not as geeky, you could just basically buy one of these appliances, and they come in all kinds of varieties and solutions. And so here you can see that they have various levels, from a really tiny small office version all the way up to much, much larger business versions that can basically run a lot of data over the system. But in essence, as they say, it’s a firewall; it’s kind of like a gatekeeper, a security guard who sits there and says, okay, you’re allowed in and you’re allowed to interact with the network; no, you’re not allowed to interact with the network. And anything that’s happening inside of the network is protected from the outside world. So the outside world sees nothing, because pfSense basically puts up this gate, and so what’s happening inside the network stays in the network. It’s kind of like what happens in Las Vegas stays in Las Vegas, right. And so pfSense can actually be a very, very powerful tool for being able to protect against these kinds of cyber threats, by in essence creating a firewall and giving you controls; you can log in to pfSense and say, hey, I don’t want any of these things bothering my system and getting in the way. A couple of other notes here. Under Protect, it’s really, really important for you to be able to have and update your computers and devices. So if your computer or device has a digital function, that is, it’s powered by a battery, it likely needs to be updated, if it’s communicating and transmitting data on behalf of the business.
If there isn’t a function for being able to update it, I usually recommend that you check it I mean, you need to find a tool that can do the same thing where you know that it is getting regular updates, both security and feature updates. But for me, mostly, it’s security, if it’s already doing what you need it to do, let it keep on doing it, but it needs to be able to get security updates. If the tool is not sufficiently sending regular security updates, then, in essence, they’re not doing the right job that you need to stay protected today. So when those kinds of things happen, you need to make sure that you’re getting rid of those devices that are not keeping update up to date and not getting you and keeping you protected. So if you’re using Windows or Mac OS, Android, or iOS, or iPad OS, all of them provide regular updates. And while it can be a little bit frustrating, I know very well that that reality, because features change, and so on and so forth, you must at least
turn on automated updates so that you’re getting the regular security updates. I don’t care about the feature updates, I care about the security updates; make sure the updates are secure, and go ahead and keep yourself buttoned up in that sense. The reason for that is that the more security updates you get, the lower your risk of something that some cybercriminal found out about, right? We have cybersecurity researchers, white hat researchers, who are out there studying devices and learning about cyber risks on these various devices. They go, oh look, there’s an Apple threat that can be exploited. They let Apple know, Apple builds a fix for their system, they push it out to their users, and now it’s up to the user, usually, to say yes, I want to update to this particular version so that I get the latest security updates. When you get those security updates, you have now blocked out that cybercriminal who is looking for devices at a particular version to go ahead and infiltrate their systems. So if you can go ahead and get yourself protected, then you’re removing yourself from that class of victims that that malware criminal is out there infecting. So just stay up to date regarding those security patches; you can usually turn those on in an automated fashion, and you’re usually pretty good to go. Now, there’s something that I think I’m probably in the minority about. When we talk about the NIST Cybersecurity Framework, one thing they talk about is installing software that is going to protect you, that is going to monitor your system for these kinds of things. I’m actually quite against it.
On Windows, we have Windows Defender, which is Microsoft’s built-in Windows malware protection tool, and it is perfectly sufficient for what you’re going to need. On macOS, you can potentially install other kinds of malware protection tools, like some kind of antivirus and other kinds of things. They tend to actually be more buggy, and more viruses, than not having anything at all. If you just stay up to date, you’re likely going to protect yourself more; if you’re not visiting websites that are known for infecting you with malware, you’re going to be better off not having anything and just keeping it up to date than installing something that’s going to create one more cost to the business and potentially a greater attack surface. Because you’d better believe that those cybercriminals are out there looking for exploits in the software that you have installed for antivirus and anti-spyware and otherwise, right? They’re trying to attack those tools as much as they are trying to attack the operating system. So no reason to really get yourself bent out of shape in that regard. If you’re currently using antivirus software, that’s fine, continue using it if it’s updated regularly and it works for you. My personal opinion is that we no longer need those because we have Microsoft Windows Defender doing the job. And as long as the security updates are being applied to all of our systems, right, Android, iOS, iPadOS, macOS and Windows, as long as those are being updated with their security updates, that’s the most investment we should be making in those capacities. Next is backups. I’ve actually done a three-part series on a colleague’s podcast, and I’ll put links to these in the video notes. But you should have effective backups for your systems. Full stop. Next up is encryption. Encryption is this very complicated world, right?
When we talk about algorithms and computers, technology and whatnot, in essence what we really want to think about is that encryption is a shield to the data so that other people don’t have access to that data. It applies in multiple types of environments, and those environments are in use, at rest, and in transit. Now, most of the time, if it’s in use, it’s usually unencrypted because it’s locally on our system or on the server being utilized, and therefore it’s protected by our firewalls. When it’s in transit, we definitely want that encrypted, right? If there are any messages or security information or private information being transmitted across the internet insecure, unencrypted, that’s basically sharing it with the rest of the world; it is the World Wide Web, right? Then we have the idea of at rest. So when we take data down onto our systems or push data up to the cloud server, basically a web-based server, the web-based server should be encrypting that data because it’s outside of our firewall, and we don’t want the people who have our data in the cloud to just have ready access to the data of our clients and customers. Okay, so we want to make sure that we have those encryptions. So that’s the Protect part, and there’s nothing more that I can really say about that other than talk to the providers, talk to the folks who are providing you with software and say, hey, is this encrypted at rest? Is it encrypted in transit? What kind of encryption are you using? And how can I be assured that you’re doing the right things in those capacities? And then, so Karen, you have a couple of questions. I’ll stop here, because I’m going to go to Detect, and see if these questions were related to the Protect section. You’re asking, how does a company know they are being sent a validated update, as opposed to someone trying to get into your system pretending they are your software company? And then your second question, I think it was the same question. Okay. So, great question. What I would usually do is, if you go to the website of the software provider, they will post what they call release notes; sometimes they’ll put out a blog post, sometimes they’ll tweet about it.
In essence, you want to see that the software provider themselves has notified their customers in some way, shape, or form; that could be via email newsletter as well. And in those release notes, it should say, we’re updating, and they’ll give the numbered version and the date and time at which they’ve released that version. If it matches up with the date and time that you’ve received the notification in your software, you have greater assurance that that software update is from that particular vendor. If you have any questions, most of the time these things are what are called signed; they have a security key associated with them. You can actually email the software provider and say, hey, can you send me the keys so that I can verify in the software that this is the actual and appropriate update from you and not from some ne’er-do-well? Okay, so you can do those kinds of things. Like I said, if it’s Microsoft, if it’s Android, if it’s iOS or iPadOS from Apple, or if it’s macOS from Apple, if you turn those things on automatically, they do a lot of work in the back end to make sure that those are validated. It’s any software providers outside of the operating systems that you would want to do that kind of assurance work with. So, good question. Okay, next up is Detect. So we’ve gone from Identify to Protect, then we go to Detect, and then we’ll talk about response and recovery. So in the detection world, we talk about intrusion detection systems and intrusion prevention systems. And these are, in the end, kind of the enterprise level. When we talk about these things in terms of business, you really should just think about the concept of detection as you being vigilant: training your staff on how phishing, doxxing and whaling happen.
So phishing attacks and spear phishing attacks and whaling are really just the idea of getting information so that you can then get someone to click on a link or give you more information. Doxxing is the idea of collecting information. They’re all social engineering attacks. So if I call your business and say, hey, by the way,
Unknown Speaker 41:43
I’m your plumber.
Raymond Sidney-Smith 41:44
and I got a notice that your plumbing system was having some problems, and I’ve got to come over and look at them. What’s your water account number, so that I can get that water account number? And you say, oh yeah, well, it’s the plumber, I might as well give him the number, and so on and so forth, and you give the plumber the number of your water account. And the plumber calls back and says, thank you so much for giving me the water account number. You know what, I called the water company and they wouldn’t let me talk to them, so I need the same password on your account in order to talk to them. I’m so sorry, they’re giving me a problem, blah, blah, blah. And so you say, oh well, no problem, here goes our account passcode. And guess what, what they’ve done now is they’ve gotten you comfortable giving them some information. And it turns out it wasn’t the plumber; it was some cybercriminal who’s been basically using you to get data out of you, so that they can then call your bank and say, oh, by the way, I talked to the customer and they gave me this passcode. And I go, oh, I’m sorry, that’s not really the passcode, but it’s close. Because maybe you use the same passcode for your water account as you do for your bank account; it doesn’t matter. The point is that they’re collecting little bits of data across the board so they can go out and create a profile of you, right? They’re trying to understand you. It’s just like when burglars, quote unquote, case a joint: they’re basically casing you as a business. And the more data they have, the more likely they are to be able to go ahead and call a bank, call a financial institution, or other service providers, and then get into your systems that way. So they’re trying to use these social ways of getting data and then using it against you.
So you need to train your staff in that detection space, which is all human, right? It’s all human practices to make sure that you’re staying safe. But what we can do in terms of technology to make us safer is things like a firewall and pfSense and other kinds of systems in place, because not only do they block things from accessing, they’re also doing some level of intrusion detection and intrusion prevention, because they have notification systems. So your router or your hub or whatever you’re using to route data from the internet on the outside to the inside, if you have proper router and firewall notification rules set up, when, for example, someone connects to a system that they shouldn’t, your router can shoot you a notification in a mobile application or send you an email. I like mobile notifications better because they’re a little bit more secure from within the app, right, and a little less susceptible to finagling. And so those notifications will tell you, hey, by the way, you have this locked-down server, and for some reason someone has been trying to log into the locked-down server. Your firewall can tell you that, and you can then say, well, why is somebody trying to touch that address? Why is somebody looking at that? That’s not a moment to be like, ah, I’m gonna go off for the weekend and not care. That’s a moment to step in and really figure out what’s going on. Was that just a staff member mistakenly doing something? Or is that some kind of cybercriminal trying to do something wrong in the system? We need to be vigilant in those circumstances. And going back to Karen’s question earlier, she clarified that it was McAfee. I would absolutely reach out to McAfee; if you’re paying for the McAfee software, then McAfee has an obligation to tell you whether or not that software is updated.
Now, if they are downloading signatures, which are basically their little security updates, if they’re downloading those signatures automatically, then you don’t need to worry about it, because they’re encrypting those data streams, and then they should be updating the signatures in the background for you. But if for some reason you got a notification that says you need to interact with the system in order to update it, I would contact McAfee through support and have them verify their key, to basically tell you, hey, this is a true and accurate signature update that we’re doing. Okay. So just make sure that, if you are working with an antivirus vendor of any kind, they have some legitimizing way to confirm that the data they’re sending you is correct. Further down the detection route, we have leaning on your software providers. This is one of those cases where Microsoft 365, G Suite, Google’s productivity suite, which is now transitioning into Google Workspace, you need to depend upon them with SAML, which is a markup language that allows for security assertion, and then there is single sign-on. And so these providers give you the ability to use them to log into systems, so that you’re securing access and monitoring access through them. And therefore you can be notified when someone is not able to log in effectively, knowing that, hey, why am I getting a bunch of logins from Ethiopia when my business is in Peoria, right? Like, it just doesn’t make any sense that someone’s trying to log in from this foreign country when you’re here in the States. So those are the kinds of notifications that your software vendors, your infrastructure vendors, can then send to you. I do this myself. We are a G Suite house, and so we are transitioning over to Google Workspace ourselves. And I personally use Google in my own personal life; I’m the Google Small Business Advisor for Productivity, so you can imagine I highlight Google products, both personally and professionally, it turns out. And so I have multi-factor authentication turned on on all of my Google accounts. And I actually have a security key, a physical security key, for both accounts as well. So multi-factor authentication says: Google is looking for where I am located; it’s looking at my username and password, which, just think of it as a public key and private key, those have to be correct; where I’m logging in needs to be someplace I’ve logged in before, and it makes sense that I’m logging in from a location where other devices are connected, maybe in the same location or in the same vicinity. And it then has me plug this little device in and press the button, or, using Bluetooth, click the button on the Bluetooth dongle. And then it says, oh yeah, this is actually Ray, and he’s trying to log into the account. Now, if I don’t do that, and all of my staff have the same security protocols, if we don’t do that, it’s for any service that we’re logging in through Google for. And that goes beyond Google, right?
So if I’m trying to log into HubSpot, or if I’m trying to log into any other third-party service that gives us Google single sign-on, they will not let us in unless we do the right protocol for multi-factor authentication. And if there is a failure to log in, it notifies me, right? So it can tell me, hey, by the way, we just saw a potential person trying to log into this place, or someone put in your actual username and password, like they got through the first stage but they couldn’t authenticate beyond that; you probably want to go ahead and change your password, because someone has gotten access to it. That’s happened to me, but because I have my multi-factor authentication, who cares? I’ve not been infiltrated at all. It’s just done that detection and prevention for me in terms of protecting me from the logins that are erroneous. Okay, so we want to pay attention to those things. All right. Finally, our response and recovery. These kind of blend together, but they’re distinct features here. One is the concept of understanding, from a response perspective, that you have a responsibility under state law, usually, to deal with a couple of things: data security and data privacy, right? So protecting data, protecting data security, and protecting data privacy. And these responsibilities kind of run the gamut based on where you might be in your particular area. So for example, I’m bringing this up on screen, but the National Conference of State Legislatures has a whole list of every state and their security breach notification laws. So what they say is that if you have data that is breached in your particular area, so, God forbid, you do all the identifying, you do all the protecting, you do all the detecting, but you still get breached, right, something gets through, you have an obligation in all 50 states in our union, at least in the United States, to report
that something has happened, okay. And this is related to personal information of your customers; that could be Social Security number, driver’s license number, any kinds of identifying information about them, and telling them what has actually been infiltrated, what data has been exfiltrated, in essence, from the system. So you have to be really mindful of this, in the sense that you have an obligation to tell the authorities what actually has happened and what you have done to mitigate that, both now and in the future. So we have this obligation to tell people when this happens. On top of that, in particular industries, and for different reasons, you might have greater requirements. So we have HIPAA, which is the Health Information Privacy and Accountability Act; we have COPPA, which is the Children’s Privacy and Protection Act; FERPA, which is related mostly to student records, so if you happen to be in the education space; we have CIPA, which is the Children’s Internet Protection Act, so filtering child records from harmful or what they consider obscene content on the internet. We have the Gramm-Leach-Bliley Act, which basically created greater responsibility for financial institutions like banks and otherwise, and what kinds of data protection and privacy protections they need to place on you. So if you’re in that space, you might have to comply with the GLBA. And then, most recently, we’ve had four or five, maybe six states apply their own laws that are akin to what we know as GDPR, or the General Data Protection Regulation, which is an EU law. It’s extraterritorial, in essence, because it extends to any EU citizen wherever they may be. So we’re not just talking about people who are in the EU and the EU states, or one of the covered locales of the EU. But it’s for EU citizens wherever they may be in the world.
So if you have someone who is a German citizen in Alexandria, Virginia, right now, they are protected by the EU General Data Protection Regulation. And that means your business, if they were to reach out to you, would need to comply with those, lest you want to be fined up to the 20 million euros that can be levied against you under the GDPR. It’s insane, but it really is a reality. Now, most businesses are not going to be culpable to that, and most businesses are not going to really worry about it too much. But I do recommend that you start to think about what that all looks like. I did a whole episode on GDPR on the podcast, and I’ll put a link to that in the video description and in the show notes as well, so you can check that out. But those laws are now being married, or kind of being matched, in state laws. So the defining one right now, I mean, New York and other states have ones that are kind of copycat laws of the California Consumer Privacy Act. Most businesses are not actually required to comply with this, because you have to have so many customers in California, so much business being transacted within California, so many employees, in order to have to comply. But be mindful of the fact that this is coming. This is a forthcoming reality to the situation. So we have these laws, and that really leaves us with a necessity to have some level of response plan. How are we going to do data breach notifications? How are we collecting client information outside of our normative systems so that we’re able, in a pinch, to send a communiqué? Is that calling them? Is it emailing them? Is it sending them letters? What are the requirements under your state law to do that? Then of course, having some kind of business continuity plan, just like you have a disaster recovery plan. You have a disaster recovery plan, right?
You should add this cybersecurity response plan to your disaster recovery plan, just like how you would respond to a natural disaster, or how, now, we have to plan for pandemics. How do you plan to be resilient in a public health crisis? These are things we should add into those business continuity plans to make sure we’re recovering from cybersecurity incidents. How are you going to keep the business running while still notifying authorities and keeping your customers and vendors up to date as you’re dealing with the recovery process?
So then we go into the recovery process, and of course that requires us to go in and say, okay, what data do we have backed up? What infrastructure do we have running? What was shut down during the cybersecurity incident? How do we get ourselves back up and running? And then again, rinse and repeat in terms of communicating those things with customers, with your vendors, with your employees, to make sure that they’re all up to speed. We also want to do, in that response and recovery phase, a debriefing: what did we learn from the cybersecurity incident, which will help us go ahead and deal with it in the future, really respond in the future, in terms of identification, protection and detection? Right, we want to go through those first stages, because we don’t want to deal with the latter two stages; we don’t want to be in a response and recovery stage all the time. We really want to identify, protect and detect as quickly as possible to mitigate those risks. So that is the NIST Cybersecurity Framework in a nutshell. There are a couple of other things that I just wanted to mention very, very briefly. Every business should be using password management. So if you are not using a password manager of some kind, that being LastPass, Dashlane, 1Password, all of them are sufficient for managing a team-focused password database, so that you can share passwords securely and create long, random passwords for all of your systems. No two passwords should be the same in any systems, right? Because if I get your password in one place, then I’m going to have that password in other places, and that increases your attack surface. But if my private key is at least different, that is, the password is different across all those systems, then I have a greater chance of being capable of stopping those bad actors.
If you have a website, make sure that you have some kind of website security system set on it. You usually want what’s called a WAF, which is a web application firewall, basically protecting your website from these kinds of attacks. Just like you have a firewall on your office, home office, and retail networks, you would have this kind of firewall on your website properties, okay. As I told you before, you should be using two-factor and multi-factor authentication. While SMS codes being texted to you for logging in is okay, it’s better to use an authenticator app, or some kind of security token, that is, one of those little dongles that I was talking to you about; YubiKey and Google Titan keys are those kinds. They’re very affordable, and they give you that level of physical protection, so that you’re able to protect access on that level. If you are thinking about securing on the web, think about Cloudflare. Cloudflare has a free plan that allows you to set up what’s called a content distribution network, or a CDN, that allows you to protect your website from lots and lots of hackers, basically malware and cybercriminals who can attack you. And I talked about TermsFeed; TermsFeed does policy generation, and making sure that you have your browser implementing that security policy as well. So there are a bunch of browser extensions that you can install in your browser that allow you to turn on HTTPS, right, that secure transit for you browsing the web. Every time you go to an HTTP, or insecure, website, it’ll give you a notification and say, hey, do you want to go along to it? There are good reasons for you wanting to do that. But many times it’s just a good alert to you that, hey, by the way, why is this site not secure?
And if you’re going to be placing data into the site, like, I’ll go to a website if it’s just browsing data, but if it’s HTTP and it’s asking me to put personal information into it, like my credit card number or otherwise, no way, I’m not giving them my data. When they can’t secure their website, how can I trust that they’re going to secure my browser in that sense? So, all kinds of good things in terms of tools, and like I said, I’ll put links to those in the video description. And then I just wanted to close out with this resource, since we’re talking about the NIST Cybersecurity Framework. If you go to nist.gov, hover over Topics, then go to Cybersecurity. And then once you get to the Cybersecurity section, you can see here there’s the Small Business Cybersecurity Corner. If you click on that, you will then be taken to the Small Business Cybersecurity Corner
of the NIST website, the National Institute of Standards and Technology. And in here you’ll find lots and lots of really great resources in terms of what you can do. So you can see here, you can see the basics; you can pop out, you can see planning guides, and all kinds of fun things and workbooks and tools and so on and so forth, for getting around the Cybersecurity Corner for small business, and it’s just really helpful to get all that information there. So we’ve had an hour together of me talking about the NIST Cybersecurity Framework. If you have any additional questions or concerns or anything else like that, feel free to touch base with me, and I’m happy to answer those questions. Please note that we are coming back next week and the week after that with two guests. Next week, I have an attorney with me, Michael Gips, a cybersecurity expert, really top-notch guy, who’s going to be talking about how to do that component we talked about in the Protect and Detect functions of the framework: really training staff and getting them aware, both you as a business owner but also staff, of how to protect yourself in a cybersecurity environment. He is going to be talking about those issues, and so I’m really excited to have Mr. Gips join us then. And then the week after that, the next Monday after that, on the 26th, I think it is, I’m going to have Vince Crisler, who is the CEO of Dark Cubed, and he’s a cybersecurity expert; he was once in the government, DOJ background, and just a top-notch cybersecurity expert. We’re going to be talking about some of the cutting-edge ways in which utilizing cybersecurity can really be a competitive advantage in your small business. I’m looking forward to having both Mr. Gips and Mr. Crisler join me the next two Mondays of Web and Beyond Live.
As I noted at the top, I’m running a new community called Web and Beyond Community, and you’re welcome to join us by going to www dot web and beyond dot community. Talking about cybersecurity, you have to go to the www; otherwise, you’ll probably get a little thing that says, hey, this isn’t secure. But really it is secure if you go to www, and so you’ll be taken there and you’ll be able to sign in and join the community. It’s free, and we’re doing events, roundtables, all kinds of fun things inside of the community. It’s nascent, so we’re just getting started. So join, ask questions, feel free to engage. I’m looking forward to building the community as we go. And so with that, that takes us to the end of this episode of Web and Beyond Live and the NIST Cybersecurity Framework. I thank everybody for joining me here for this session, and hopefully you have a great rest of the week marketing and managing on the web and beyond. I’m Ray Sidney-Smith with W3 Consulting and W3C Web Services. Take care, everybody.