Viewing archives for Cyber Security

New Security Challenges…and How to Fight Them

Cyber criminals are constantly getting more sophisticated and adept.

This week, Microsoft blamed a Chinese state-backed group for attacks on Microsoft Mail platforms that allowed the attacker to access email inboxes, a crucial step in any well-run hack. And a short while ago, SolarWinds had to admit their software had been hacked prior to being distributed.

So, how do you make yourself safe? We use home security as an analogy: your house is safe once you’ve closed and locked the doors and windows. But you have to do it yourself; no-one will do it for you. The same can be said of online security: your company’s security is your responsibility.

Cyber criminals are scanning and testing your company all the time. But they no longer use the doors or windows. They have ways to look like your staff or suppliers; they’re already inside your office before you’ve shut and locked the doors!

And like a terrorist, the cyber-criminal only has to get lucky once. You have to be lucky all the time, and without your constant vigilance, the cyber-criminal will find a weakness.

As the owner of the business, you can’t be responsible for all the technical details. But you can, and must, be able to ask the right questions of the people responsible for security—and stay on top of them. We recommend you ask your IT team or suppliers four simple questions:

  1. Who on the exec team is accountable for our security and risk strategy? When was the last time we reviewed and tested our security?
  2. Are our security systems up to date and comprehensive? How do we know they’re up to date? Do we have assessments or accreditations?
  3. Do staff—and that includes the CEO—get regular training in cyber security and social engineering? Have we ever tested that knowledge?
  4. If we do end up in trouble, who’s in charge, and what’s the plan?

Most successful attacks use tried, tested and simple methods. The reason they’re successful is because companies have forgotten to get the basics right.

If you could use a reminder on how to nail down the basics, we have a 13-point list of simple key steps a non-technical board member can take right now.

Also see our Cyber Security Knowledge Center, which includes more plain-English content related to this topic.

You don’t need to be the technical expert. But you do need to take the lead. No-one but you will make your house or your business safe. Our briefing will provide you with free, straightforward advice.

If you have any other questions about cyber security or IT, feel free to get in touch. We’re always happy to talk.

Freeman Clarke is the largest and most experienced team of part-time (we call it “fractional”) IT leaders. We work exclusively with ambitious organizations and we frequently help our clients use IT to beat their competition. Contact Us and we’ll be in touch for an informal conversation.

A CEO’s Guide to the New York Shield Act

Graeme Freeman, Co-founder and President of Freeman Clarke recently spoke with one of our Directors in NYC, James Sharp, about the NY Shield Act and what it means to mid-market CEOs.

This summary of their conversation forms a simple FAQ about the Act and its implications for ambitious CEOs.

What is the NY Shield Act?

Graeme Freeman: Jim, can you please start by giving a simple summary of the NY Shield Act?

James Sharp: Very simply, the law expands data security and breach notification requirements to cover any business that collects private employee and customer data of New York residents. The law requires businesses to implement and maintain reasonable safeguards to protect the security and integrity of private information.

Graeme: So, just to clarify, the law applies to any company in any state that stores data about residents of New York State.

Jim: That’s correct. It’s a law that exposes you to heavy fines regardless of where your business is based.

Graeme: And this law has been passed?

Jim: Yes, it’s live. All businesses needed to be compliant by March of 2020.

Graeme: So what are the key points about the new law, and what does the CEO of a mid-market business need to do?

Jim: Well the key points are very simple. You need to take reasonable steps to protect private information and to report any breaches; this is not complicated. But the CEO isn’t going to configure the firewall, install the software and write the password policy. So the business question is: what steps should the CEO take to ensure his or her business doesn’t end up with a fine?

“The business question is: what leadership steps should the CEO take to ensure his or her business doesn’t end up with a ruined reputation and a disastrous fine?”

James Sharp, Regional Director, Freeman Clarke

What leadership steps should the CEO take?

Graeme: Right, so what are the CEO’s actions to get compliant with the NY Shield Act?

Jim: The first action is very simple: start by ensuring that roles are clear. At the very top, a single member of the Executive Team needs to have overall accountability and the senior leaders need to meet regularly, perhaps every quarter, to discuss corporate data security. If you don’t have the expertise in the organization to lead such a committee, then you need to get it.

Graeme: OK, that’s where we come in.

Jim: Correct!


Head-in-the-sand management?

Graeme: If the exec team haven’t really bought into this, how can the CEO galvanize them into action?

Jim: Well one good way to start is to get the team together to workshop scenarios. How might a security breach occur? How are we mitigating this? How would we respond? Most likely you will surface a lot of unanswered questions and a lot of “head in the sand management”.

Graeme: When you say “head in the sand management” you mean leaders in the business who don’t really understand this area so ignore it?

Jim: Yes! The members of the exec team are busy, under pressure, and they stick to what they know. Cybersecurity must be someone else’s problem.


Is this just a lot of paperwork to keep the lawyers happy?

Graeme: Once the roles are clear, what happens next?

Jim: To comply with the law you need to have a security plan consisting of corporate data policies and procedures, regularly updated and published to the employees. And you need a comprehensive training program in place to support the knowledge transfer of the policy.

Graeme: Is this just a lot of paperwork to keep the lawyers happy?

Jim: If you just create a lot of paperwork, you’re doing it wrong, and you still won’t be secure. Time and time again CEOs believe their organization has a data security plan in place, but in reality the plan is outdated or nonexistent. Or it’s impractical and no-one takes it seriously. Most breaches happen as a result of basic ignorance or people not caring.

“Time and time again CEOs believe their organization has a data security plan in place but in reality the plan is outdated or nonexistent. Or it’s impractical and no-one takes it seriously.”

James Sharp, Regional Director, Freeman Clarke

How to make cybersecurity planning genuinely valuable

Graeme: So how do you make this genuinely valuable rather than box ticking?

Jim: The policies need to be practical, the training needs to be engaging, and there needs to be a genuine leadership commitment to making this work. If people know the basics and take this seriously then you will very likely not have a breach – it’s as simple as that. Most hacking is not very sophisticated. If you get the basics right you will probably be OK. The thing is that most companies don’t.

Graeme: What are the basics?

Jim: You need visibility into how your company’s private data is being accessed, modified, moved and deleted, as well as understanding who in the organization has access to it. These actions, combined with a real-time security system that allows the company to generate reports and notifies the appropriate people in the event of a breach, are important actions to gain compliance with the Shield Act.


What are the 5 practical action steps a CEO needs their IT team to take to ensure compliance with the NY Shield Act?

Graeme: What are the five practical action steps a CEO should take tomorrow to ensure compliance with the NY Shield Act?

Jim: Step 1 is Data discovery and classification. An organization can only protect its private data if it knows what private data it has and where it is located. There are a number of commercial tools that will automatically discover and classify a wide range of personally identifiable information (PII), including social security numbers, driver’s license numbers, bank account details, passport numbers, and more.

Step 2 is Implement a data retention policy. Only collect and store private data if it is absolutely necessary. Organizations must ensure that they have a data retention policy in place which details what data they will collect, how, and for how long they will keep it. The policy should also include details about how data should be disposed of when it is no longer required.

Step 3 is Implement an access control policy. Organizations must have an access control policy in place, which determines who should have access to what data and why, and they will need to keep an up-to-date inventory of all access controls that are assigned.

Step 4 is Adopt a real time alerting platform. In addition to monitoring changes to access controls to protect against “privilege escalation”, organizations must also monitor all access to private data and make certain they have a notification alert system in place. If a user account is accessing private data in a way that is not typical for that particular user, a real-time alert should be sent to the relevant staff for immediate review.

Step 5 is Use an advanced reporting console. Most data security platforms provide an advanced reporting console, which enables administrators to quickly and effortlessly generate reports that can be sent to the supervisory authorities, as and when required. Most solutions provide a wide range of pre-defined reports that are customized to satisfy the relevant compliance requirements.
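The five steps above describe a procedure, so here is one small, runnable illustration of all five on constructed data. This is an added example, not code from Freeman Clarke or from any of the commercial tools Jim mentions; the PII patterns, the five-year retention period, the access-control inventory, the business-hours rule and the access log are all assumptions made up for the example.

```python
import re
from datetime import date, timedelta

# --- Step 1: data discovery and classification (pattern-based, constructed) ---
PII_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "passport": re.compile(r"\b[A-Z]\d{8}\b"),
    "bank_account": re.compile(r"\b\d{10,12}\b"),
}

# Constructed sample records; "owner" is the department that holds the data.
RECORDS = [
    {"id": 1, "owner": "hr", "collected": date(2015, 1, 10),
     "text": "Employee file: SSN 123-45-6789"},
    {"id": 2, "owner": "sales", "collected": date(2021, 3, 1),
     "text": "Lead notes: call back Monday"},
    {"id": 3, "owner": "finance", "collected": date(2020, 6, 30),
     "text": "Payroll account 123456789012"},
    {"id": 4, "owner": "hr", "collected": date(2019, 9, 5),
     "text": "Passport A12345678 scanned for right-to-work check"},
]

def classify(records):
    """Step 1: map record id -> set of PII types detected in its text."""
    found = {}
    for r in records:
        kinds = {name for name, pat in PII_PATTERNS.items() if pat.search(r["text"])}
        if kinds:
            found[r["id"]] = kinds
    return found

# --- Step 2: retention policy (assumed: keep PII no longer than five years) ---
RETENTION = timedelta(days=5 * 365)
AS_OF = date(2021, 3, 15)  # fixed date so the example is reproducible

def overdue_for_disposal(records, pii, as_of=AS_OF):
    """Step 2: ids of PII-bearing records held longer than the retention period."""
    return sorted(r["id"] for r in records
                  if r["id"] in pii and as_of - r["collected"] > RETENTION)

# --- Steps 3 and 4: access-control inventory and real-time alerting ---
ACL = {"alice": {"hr"}, "bob": {"finance"}, "carol": {"sales", "finance"}}  # constructed
BUSINESS_HOURS = range(8, 19)  # assumed "typical" access window

EVENTS = [  # constructed access log: who touched which department's data, and when
    {"user": "alice", "owner": "hr", "record": 1, "hour": 10},
    {"user": "bob", "owner": "finance", "record": 3, "hour": 11},
    {"user": "bob", "owner": "hr", "record": 4, "hour": 23},
    {"user": "carol", "owner": "finance", "record": 3, "hour": 2},
    {"user": "carol", "owner": "sales", "record": 2, "hour": 14},
]

def access_alerts(events, pii, acl=ACL):
    """Steps 3 and 4: flag accesses to private data outside the ACL or at atypical hours."""
    alerts = []
    for e in events:
        if e["record"] not in pii:
            continue  # only private data is in scope for alerting
        if e["owner"] not in acl.get(e["user"], set()):
            alerts.append({**e, "reason": "not in ACL"})
        elif e["hour"] not in BUSINESS_HOURS:
            alerts.append({**e, "reason": "off-hours"})
    return alerts

# --- Step 5: the summary a reporting console would produce ---
def compliance_report(records=RECORDS, events=EVENTS):
    """Step 5: one report covering discovery, retention, access control and alerts."""
    pii = classify(records)
    alerts = access_alerts(events, pii)
    return {
        "records_with_pii": sorted(pii),
        "pii_types": sorted({t for kinds in pii.values() for t in kinds}),
        "overdue_for_disposal": overdue_for_disposal(records, pii),
        "acl_violations": [a["user"] for a in alerts if a["reason"] == "not in ACL"],
        "off_hours_access": [a["user"] for a in alerts if a["reason"] == "off-hours"],
    }

if __name__ == "__main__":
    for key, value in compliance_report().items():
        print(f"{key}: {value}")
```

On this sample, record 1 is flagged for disposal, Bob’s out-of-hours read of HR data is an ACL violation, and Carol’s 2 a.m. finance read is permitted but atypical, which is exactly the distinction Step 4 asks the alerting platform to draw.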


Cultural Change and Training

Graeme: How does the CEO make this important to the organization to ensure it actually happens?

Jim: Very simply, the CEO and all the senior leaders need to show by their own actions that this matters and to demonstrate compliance and good practice themselves. There needs to be training for everyone and they need to be seen to be committed and serious about this.

Graeme: And how does the CEO get independent assurance that this has all been done correctly?

Jim: The plan needs to include regular, perhaps annual, testing and assessment by independent professionals. And independent means not your existing MSP or the people who set up your security!

“Freeman Clarke Principals bring real-life experience and leadership talent to help mid-market companies establish a strategy and ensure it is executed properly”

James Sharp, Regional Director, Freeman Clarke

Midmarket Business Cybersecurity Crisis Planning

Graeme: And what does the CEO need to do about crisis planning?

Jim: You need a simple, flexible crisis management plan that is actually useful in the unlikely event it’s ever needed. The plan should focus on clarity about authority, escalation paths and the technical, legal, public relations and investor relations teams required for true crisis management.


In the meantime, see our Cyber Security and Compliance Knowledge Center


Freeman Clarke is the largest and most experienced team of C-level IT leaders. Our team is available on a part-time basis to work with mid-market companies’ CEOs to implement a “data security program” that includes all the administrative, physical and technical safeguards enumerated in the Shield Act.

The 3 Key Ways to Transform Your Business with Technology

The lockdown created an urgent need for many businesses to switch to home offices. It wasn’t easy, but it was doable: getting people connected and working from home didn’t hurt so much.

But for many mid-market business leaders, the rush to telecommuting exposed troubling strategic challenges:

For nearly every mid-market business, security issues became even more acute. The lockdown quickly exposed weak and outdated security and authorization processes. The result? Companies are falling prey to cyberattacks. Or at best they will struggle to demonstrate regulatory compliance.

These issues call for transformational changes. And although they won’t be easy, they’re not as hard as you might think.

Transformation 1: Using IT infrastructure to add value

Companies need to ensure that their IT infrastructure matches their business strategy.

For example, we often recommend outsourcing basic IT support of cloud services. This frees up in-house people to focus on value-adding activities. Depending on your own company strategy, it may be better to in-source strategic software development, business process improvement, back-office systems configuration or data analysis.

Transformation 2: Integrated systems, processes and controls

It can feel daunting to move away from legacy ways of working. But simple, well-structured processes and systems cost less, improve customer service, and allow for compliance and business continuity planning.

If your systems and data are rationalized, you can integrate with external services, so as we mentioned above, outsourcing can become part of your strategy.

And, for many business service providers, your ability to integrate with your clients’ systems provides a point of difference and creates a barrier to exit.

Finally, this transformation creates a platform for adoption of AI/ML and for creating new online channels.

Transformation 3: Innovation and digital initiatives

Both consumers and business clients expect almost all products and services to be online. Most innovations now have digital at their heart, and digital experiences are now practically inseparable from your customers’ experience of your brand.

This tech is much more than a necessary evil. To create a high-value and agile business, CEOs must embrace tech as part of their strategy.

These are uncertain times. But many CEOs see opportunities to restructure their business, to enter new markets, and to scale up. The above three transformations offer an approach to plan for your own breakthrough.

Need help? Many CEOs work with Freeman Clarke because we take on uncomfortable changes and challenges with reassurance and guidance. Transformational change requires experienced and expert IT leadership.

We are the largest and most experienced team of IT leaders. If you want to know more about how we can help, then get in touch.

Visit our Technology Roadmap for Growth Knowledge Center which includes all content related to this topic. You may also want to look at our Digital Transformation Knowledge Center.

Freeman Clarke is the largest and most experienced team of part-time (we call it “fractional”) CIOs and CTOs. We work exclusively with ambitious organizations and we frequently help our clients use IT to beat their competition. Contact Us and we’ll be in touch for an informal conversation.

Cyber Security is a Leadership Challenge

These days perhaps half of all companies face a cyber attack. The usual response is to insist that it’s the IT team’s problem. But in our experience, the buck stops with the CEO. This short video explains how you can quickly educate yourself about cyber security and how Freeman Clarke can help.

Visit our Cyber Security Knowledge Center which includes more content related to this topic.


My Company Is Under Cyberattack! What Do I Do?

What to do if and when your company suffers a cyberattack.

You can listen to the other audios in this series here.


How Do You Start a Cyber Security Plan?

So many CEOs, however capable, are unsure about how to start a Cyber Security plan. Gerry explains where and how to start.

You can listen to other audio clips in this series here.


How Can a CEO Get the Sales Team Focused on Cyber Security?

So many security risks come in through the sales team. Listen to our quick guide to getting the salespeople to take these risks seriously.

You can listen to the other audios in this series here.


Cyber Security: How to Judge Your Real Level of Risk

A quick guide to assessing your company’s actual risk of cybercrime, and how to get started on prevention.

You can listen to the other audios in this series here.


How to Get Cyber Security on the C-Suite Agenda

Cybercrime is a clear and present danger to mid-market companies. Here’s how to get your executive team to make it a priority.

You can listen to more audio clips in this series here.


17 Critical Cyber Security Questions To Ask Your IT Team

Suddenly the office is closed, and everyone’s working from home.

The IT team is coping, but you’ve got nagging doubts about cyber security. You ask the IT team a few questions, but the answers seem to be in a different language!

Well, you should be concerned. Criminals are ramping up their activities, because systems are more vulnerable when people work from home.

But there’s no need for panic. Most cyberattacks are successful simply because basic steps haven’t been taken.

Here is a simple checklist to ask the person in charge of IT. The answers should all be YES!

Protect your data

  1. Do we know for sure that our backups are working?
  2. Does data stored on a home user’s drive get backed up?
  3. Does our central data storage have versioning?
  4. Do we have a Data Loss Prevention system running?

Protect your remote devices

  1. Do we have multi-factor authentication set up for our systems?
  2. Will our anti-virus, anti-malware and patching tools automatically update for home users?
  3. Has everyone who’s working from home signed a communications and internet usage policy?
  4. Have we given cyber security training to the team within the last six months?
  5. Are our legal policies appropriate for people working remotely and at home?

Protect your network

  1. Do we use a Virtual Private Network (VPN) to connect remote users to the company network?
  2. Is our email system encrypted, and have DKIM, DMARC and SPF been set up on the domain?
  3. Do we have mobile device management systems controlling all mobile equipment on the network?
  4. Do we have an appropriate system usage and data management policy?
  5. Are business applications configured to grant least-privilege access?
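Question 2 above (DKIM, DMARC and SPF) is the one item on this list that can be checked mechanically rather than taken on trust, so here is an added example of that check. It is not Freeman Clarke’s code; it evaluates the SPF and DMARC TXT records for a domain and lists the settings that would make the honest answer “no”. DKIM is left out because verifying it needs the selector name the mail system uses, which a TXT lookup on the bare domain does not reveal. The domain name and both pairs of records are constructed for the example; the rules encoded (a permissive `+all`, a monitoring-only `p=none`, a missing `rua` address, a partial `pct`, and the ten-lookup limit) are the standard SPF and DMARC weaknesses.

```python
import re

# Mechanisms whose evaluation costs a DNS lookup (the SPF limit is 10 per record).
SPF_LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
ALL_TERM = re.compile(r"^[+\-~?]?all$")

def spf_findings(txt):
    """Weaknesses in one SPF TXT record (None means no record was published)."""
    if txt is None or not txt.lower().startswith("v=spf1"):
        return ["no SPF record published"]
    terms = txt.split()[1:]
    findings = []
    terminal = next((t for t in terms if ALL_TERM.match(t)), None)
    if terminal is None:
        findings.append("no 'all' term: unlisted senders get a neutral result")
    elif terminal in ("all", "+all"):
        findings.append("'+all' lets any host send as this domain")
    elif terminal == "?all":
        findings.append("'?all' is neutral and gives receivers no signal")
    lookups = sum(1 for t in terms
                  if re.split(r"[:=/]", t.lstrip("+-~?"))[0].lower() in SPF_LOOKUP_MECHANISMS)
    if lookups > 10:
        findings.append(f"{lookups} lookup mechanisms: exceeds the limit of 10 (permerror)")
    return findings

def dmarc_findings(txt):
    """Weaknesses in one DMARC TXT record (published at _dmarc.<domain>)."""
    if txt is None or not txt.upper().startswith("V=DMARC1"):
        return ["no DMARC record published"]
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    findings = []
    policy = tags.get("p", "").lower()
    if not policy:
        findings.append("required 'p' tag missing: record is invalid")
    elif policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    if "rua" not in tags:
        findings.append("no rua= address: you will not receive aggregate reports")
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']}: policy applied to only part of the mail")
    return findings

def check_domain(spf_txt, dmarc_txt):
    """Combine both checks; no findings is the 'YES' the checklist asks for."""
    findings = {"spf": spf_findings(spf_txt), "dmarc": dmarc_findings(dmarc_txt)}
    return {"pass": not (findings["spf"] or findings["dmarc"]), "findings": findings}

# Constructed records for a hypothetical domain example.test. In practice you would
# fetch them with:  dig +short txt example.test   and   dig +short txt _dmarc.example.test
WEAK = ("v=spf1 include:_spf.mailhost.example +all", "v=DMARC1; p=none")
STRONG = ("v=spf1 mx include:_spf.mailhost.example -all",
          "v=DMARC1; p=reject; rua=mailto:dmarc@example.test")

if __name__ == "__main__":
    for label, (spf, dmarc) in (("weak", WEAK), ("strong", STRONG)):
        print(label, check_domain(spf, dmarc))
```

The “weak” pair is what a domain often looks like after SPF and DMARC have been “set up” but never tightened: the records exist, yet the SPF still authorizes the whole internet and the DMARC policy tells receivers to deliver spoofed mail anyway.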

Stop the bad guys

  1. Is our video conferencing protected and are calls secure?
  2. Do we have the right checks in place to stop us losing money through fraud?
  3. Are our remote support tools secured against rogue access?

If you value your business, make sure the answer to all these questions is YES. And visit our Cyber Security and COVID-19 knowledge centers, which have more useful content related to this topic.

