Make Cybersecurity a Hassle for Hackers, Not for You.

Speaker 1:

I'm Max Clark. This is gonna be a fun one. We're gonna talk about cybersecurity and the realities of implementing strong cybersecurity for your business. I was talking with a business owner because they had just had a cybersecurity incident. Unfortunately for them, it's not going to be a financially impacting incident because they caught it in time and were able to unwind it. I'm not gonna get into much more detail than that. The question and the conversation became: what do we do to prevent this from happening again? Because now we're freaked out about it, because we've had this experience. And I started explaining to him basically the approach and the layers of how you layer systems and platforms and process and people, or, you know, people and process and tools, you know, however, whatever, everyone expresses it, and what the goal of those different tools are and why they're important. Now, if you haven't gone down the cybersecurity modernization, transformation, whatever you want to call it, journey, if you haven't gone down and started into the cybersecurity journey, I will tell you that the best thing you should do is you should take a look at your insurance carrier and your cyber insurance policy, and you should start by adhering to what they want.

Speaker 1:

And the reason for that is because if you don't, and you have an incident and you have a problem, and they find out that you're not doing what you've told them that you were doing, because they require you to do it, you're not getting any help from your insurance company. So start there. Really, really basic stuff: security awareness training. Listen, security awareness training is a good checkbox for you to have. It is really good to train your people. Don't spend a lot of time doing exhaustive phishing tests trying to catch Bob or Sally in accounting because they clicked on a link. Phishing is an arms race, and you're dealing with experts who have more resources than you do and more time to trick your team and your employees. You're just gonna piss people off. Like, to a point, do it. Do the exercises, let them see it, let them understand it. But no, security awareness training is not going to solve your security issues. But you're going to need SAT. You're going to need to have a SAT program. You know, if nothing else, it's going to check the compliance box for you. This is, you know, it's a bad analogy, but it's like sexual harassment training, you know, from H.

Speaker 1:

R. departments. Everybody has to go through it. It's important that you do it. Just because everybody checked the box and went through the sexual harassment training doesn't mean that you don't have some idiot that's gonna go and sexually harass somebody else inside of the company. So security awareness training is in that same vein. The best place to start, though, is you need an endpoint detection and response system. You need an EDR. Some people call it advanced antivirus. It's not advanced antivirus. It's an association wordplay just to make it so that way people understand what they're talking about. Like, oh, you had antivirus, but it's antiquated. So we've got this advanced AV tool now that you can use, and that's better. Right? So it's a layperson's explanation for what it is, but you need an EDR system in play, and you need to have strong identity access management with single sign-on and multifactor authentication.

Speaker 1:

Now, multifactor authentication can come a bunch of different ways. Now, you probably have had an experience where you're dealing with, you're signing into some system, and you get a text message sent to you with a code on it. That is better than nothing, but in the scheme of things it's basically hot garbage, because you're still vulnerable to SIM swapping attacks and all sorts of other phishing attacks that can happen outside of your control with your cell phone carrier. And 5 seconds on Google and you're gonna, I mean, I don't have to, like, preach to you about this, but it's better than nothing, but it's not great. From SMS authentication you get to TOTP systems. So Google Authenticator, Microsoft Authenticator, you know, you can put this in Authy, you can use 1Password. I mean, basically every system is gonna give you TOTP codes, and these are, every 30 seconds the number, the code, changes and rotates. And so then when you authenticate with the system, username and password goes in, and then you have to put your code in, and you have to look at the app and get the code. Cisco Duo has an interesting variation of this, which is, you know, push notifications to the device. It says, yes, it's me; no, it's not. You know, very easy for a user to deal with. If you're using any of the Google Workspace or Gmail products, you're seeing them prompt you like, hey, open up your YouTube app and then click the button and verify the code. Right? So these are all kind of in that same vein of creating a simpler and easier-to-use experience with stronger authentication.

Speaker 1:

The next step up from all this stuff is security keys. And the most common on the market today is YubiKey. And YubiKey is a device that you either have an RFID interface, you know, you connect to it with RFID, or you plug it into a USB port. And so when you go to authenticate and you need that special code that goes onto the website, you know, you have to activate the key, and then the key actually prompts and puts in the code. I think what's incredible about the keys is you need to have it physically on your person. So if somebody's trying to do something and they don't physically have the physical hardware, because they're physically not you, right, like you could see where I'm going with this, like, it's hard for them to even start. The other thing about these keys is, unlike typing in or copying and pasting a code out of an application into something else, or from an SMS, it's really hard to phish. When we say really hard, it's impossible to phish these things. I mean, you can use, sort of, characters, for instance, in the URL, and it looks like an a and it's not an a, and you're on a different website and you don't realize it. And there's a reason why your app is like, oh, it's not copying and pasting your password into it.

Speaker 1:

But you know what happens? People just take and they just type it in themselves, and they give their credentials away to somebody. Security keys prevent that from happening because they won't match the URL and they won't, they won't enter the thing. Right? Anyway, this is kind of like: do security awareness training, get an EDR, and do something about MFA. Right? Like, that's like the first three things you should do. Right? Security awareness training, EDR, and MFA. And I explain all this, we're talking about this, and the response that made me laugh was, verbatim, oh man, that sounds like such a hassle. Yeah.

Speaker 1:

Sure. It is. Like, it's a hassle that you have to go through security awareness training. You know, it's a hassle that you have to, like, pull out your app and, like, get the rotating code to sign into your website. But you know what also is a hassle?

Speaker 1:

Like, having a couple $100,000 stolen from you out of your bank account because you didn't have one of these systems in place and then trying to get it back or it's a hassle being, you know, locked out of all your systems because, you know, somebody did something. It's a hassle losing all your data. You know, like, it's all a hassle. Yes. It is a hassle.

Speaker 1:

The point is that there's ways of doing these things that aren't a hassle, and you can make it as hassle free as possible and actually get user adoption and use, which is, you know, good because then you have stronger security. It's a minimal hassle. Right? Like, single sign-on systems. Like, instead of having to maintain, you know, I mean, what's the average SaaS for all?

Speaker 1:

Probably a hundred apps inside of a company. Right? Like, you really, people are expected to remember a hundred passwords? No. Of course not.

Speaker 1:

They have the same password a hundred times. So what do you get out of single sign-on? You have a single platform that you have to sign into with your strong authentication MFA platform, then that authenticates you and everything else. It's a little bit of hassle. Sure.

Speaker 1:

Because you have to do it the first time, but then it's not a hassle after the time. If you're in the mentality of, I mean, look, right, like locking the doors, your car doors or your house doors or your gates, is a hassle, right? But why do you do it? You do it so that way people don't just pull on the door and just walk in. You know, like, your car is in a parking lot and it's unlocked, somebody is going to check the handle and probably get in the car. You know, is it a hassle for you to lock the car? I mean, is it a reasonable hassle for you to have to lock the car versus what the alternative is and what the outcome is? This is probably the fundamentally frustrating thing for me when talking with companies about cybersecurity, is this idea of, like, ROI. Like, what's our return on investment of this? How do we quantify what we're getting back? You know, like, oh, we're creating more work for people, it's now hassle, and, like, we're spending this money on it. Like, what do we actually get? Like, what is the ROI on a lock on your door? Like, did it prevent, you know, 15 thefts this year? Like, how would you know? Like, how do you actually quantify that?

Speaker 1:

Of course, you put a lock in your car. Why? Because if you don't, you know what the outcome is. And I feel like we're still in this inflection where we well, that's not we're not at the inflection point yet. We're still, like, building up the hill before we'd, like, jump off the cliff of just understanding that there's there's basic things.

Speaker 1:

It's just a cost of having an IT platform at this point is that you have to have a reasonable level of security attached to it. So my argument here and what I'm advocating for isn't about creating hassle for you and your team. Actually, we're trying to do this with the least amount of hassle as possible. You know, that's the goal. The goal is we want you to use it.

Speaker 1:

Cybersecurity practitioner wants you to use these systems because they wanna improve the security of your business. They wanna tighten the security of your platforms. They wanna prevent bad things from happening to you. I mean, that's the goal. The goal is to prevent bad things from happening to you.

Speaker 1:

And we all know that in order to do that it has to be used, which means it has to be as low hassle as possible. So if you're thinking about this from the standpoint of, like, oh, it's a hassle and it's a drag and, oh man, I really, you know, like, you're just gonna have a bad time. It's just a matter of time. And if you still think that you're not a target, you know, it's not about targeting you directly. It doesn't matter. Like, you're connected to the Internet, you were gonna be scanned and hit. You're gonna have an email, somebody's gonna send you a thing. Like, you're just, you're in a list. You are, it's a matter of time before somebody tests your door handle. And if they jiggle the door handle and nothing happens, the majority of them are just gonna walk away. When I say the majority, I mean, like, 99.999 some infinity number are just going to walk away because you just created a hassle for them. Right? So don't look at it as a hassle for you.

Speaker 1:

Look at it as a hassle for the people that you wanna keep out of your car. Right? Like, oh, man. Such a drag. The store is locked.

Speaker 1:

Okay. Let's go to the next one. Oh, that one's unlocked. Boom. I'm in.

Speaker 1:

That's the way you think about this stuff. That's what you're really trying to build here. You know? Are you making it reasonably difficult for somebody to do something bad to you? Because then it's a hassle for them and they just move on.

Speaker 1:

Now, if you're a bank, if you've got money, like when I say money, I'm not talking about, like, your normal operating cash flow. If you're maintaining money for other people. Right? If you're a defense contractor and you have to have ITAR compliance, if you have intellectual property that matters to you because of espionage or market competition, like, ratchet up your security infrastructure accordingly. Right?

Speaker 1:

But if you're not, you know, and and by the way, like, what's an example? You're an accountant. You're a lawyer. You know, like, oh, you don't have the money for your clients. But what do you do have?

Speaker 1:

You have confidential stuff that if it got out would be really bad. Right? Like, if your customers' tax returns and work papers got leaked out, like, could that do damage, and what would happen? If you're a lawyer and you're working on a case and your stuff got out, what would happen? There's lots of layers, and there are stuff, you know, that that's valuable and critical that you need to protect. And if you're just getting started with this, again, like, it's, I'm thinking about it like it's a hassle for you. All you're trying to do is you're trying to create it, make it a hassle for somebody else. You can absolutely do that. It's not that hard to do. You just have to spend a little bit of energy and a little bit of money and you're there, and you will avoid the stupid stuff, like that, just the person walking down the row of cars in the parking lot and jiggling door handles. You'll avoid. I'm Max Clark. I hope this helps you. If you have questions or corrections, because, you know, we love arguing on the Internet, comment below. We'll get back to you feeling
