In this episode of Lancom TV we sit down with a special guest, Scott La Franchie from Aura Information Security. Click the play button below to hear an expert's opinion on the current state of cyber security, how it affects New Zealand businesses, and the top 3 mitigation strategies you can use to safeguard your business from a cyber-threat.
⇒ As promised in the discussion above, here is the link to download your free copy of the Aura Information Security's checklist resource, expanding on the Top 10 Critical Control and Mitigation strategies to safeguard your business.
Hi guys, welcome back to Lancom TV. I'm sitting here with Scott. Hi, Scott. How are you today?
I'm great, thank you.
Scott is the Head of Cyber Security Products for Aura Security and he's here today to talk to us about cyber security, very classic. So Scott, thanks for coming and joining us today. There is so much we can talk about cyber security and I'm sure you have a wealth of information we could be providing to our audience today, but what I was wondering and what I wanted to chat to you about is just this whole idea and this notion of cyber security becoming part of board rooms, right?
So, a few years back if I remember correctly, we never had that discussion at any given day. We would talk about security maybe once or twice a year and that's probably about it. And then this whole new wave of attacks and ransomware and all sorts of issues came up. And now, every time you walk into a meeting with a CFO or a COO or a business owner, you kind of have to touch on the topic. So, it almost became a thing that cyber security has to be a part of a business's strategy, isn't it?
And so my thinking or my questions for you today as a cyber security specialist is what does that mean for businesses? Because there is so much we can talk about and do you have a top three or top four giveaways or a checklist or a to-do list that you usually recommend people to start when they're talking about cyber security?
Yeah, so you've hit on a really important point, that it's a massive topic and it's really hard for everyone to get their heads around this kind of topic, especially boards and business people. So, it's always been a problem, that's what's really important to know, it's always been there. But it's getting worse and there is a lot of reasons to say why it's getting worse, but the reality is, the more we're on the internet, both as individuals and as businesses, means there is more targets for people out there and the technology of which these attackers use is more automated and readily available. So you kind of have this, you know, more targets, it's easy to do, you know, it becomes a bigger thing for the whole wider world, so not just New Zealand, but also for...
Yeah, that's true.
New Zealand especially is not as mature. So we, as a cyber security provider of both consultancy services and products, have found there is a bit of a challenge of raising maturity in the market and that's the biggest thing to make people aware. Awareness is probably the hardest thing to really help businesses get that level of understanding that this is a problem that does affect them. Just because we're isolated doesn't mean that we're immune.
That we don't a problem, exactly. So, you touched on a very important point, education, right? And that's hopefully the goal of today to try and bring a little bit more of education to our audience today watching us.
So, how do we go on about doing something when it comes down to cyber security? What a business should be looking for? I'm sure there is a million of solutions out there? Is there a recommended path that you usually talk through when you engage with people?
Yeah, there definitely is and we've had thought long and hard about this. So, we tend to need talk at a high level to businesses while this is not just the IT manager, it's not just, you know, just the CTO, the start is, as you've indicated at the start of this session. At the board level, CEO level, it needs that awareness. And look, that's where the education has to start. But once you've gotten that awareness and showing them this is a risk that can be managed, we've put together a list of things which people can start off. We kind of call them "The Aura Critical Security Controls." There are 10 of them and we don't have to talk about all 10 of them today, but those things are sort of ideal start points for any given business, regardless of size, to start thinking about.
Okay. And so if we just, maybe, talk about the top three of those sort of top 10 and we can always give away the further information on what those are to those watching us today. So, what would be the number one recommendation that you give away then, Scott?
Well, first of all and, you know, this is a freebie, it's you need to keep your systems and operating systems patched and up to date. So, it's key. Attackers are, by inherent, automated and a little bit lazy, so they'll compromise things that are known. They won't try and be unique, though. So, it's important you patch your systems first. That's one of the key things you can do and most businesses can do it themselves and they have to pay another product for this. This is just...get your patch program in place and regularly done. And, you know, that's where, you know, we can help with people doing that as a plan, but you can do it yourself or have a partner to help you keep your patch plan in place.
All right, absolutely. So patching is the number one. So, if we move on to number two. I've done all my patching, what do I do now?
So now it comes down to what you're gonna do on your network. We call this "least privilege access" and making sure that the only people in your business that need to have access to something do have that.
Right, so it's just narrowing down that permissions list essentially, so if you don't have to access HR information, why should you or...
...management information, why should you? And why is that important to organizations, Scott?
Well, we like to operate on the best case set, you know, you will get hacked. There will be a compromise. Maybe you've actually been targeted and maybe just by an automated scattergun approach. What we saw with some of the WannaCry and NotPetya attacks, whereas people got compromised through just automated attacks, so these things will happen and if you do get an end-user compromised, then the amount of damage that person can do, if that end-user's credentials are stolen is limited to what they can access.
Yeah, excellent. So it's not even just about, you know, how much you want to protect information from your staff, it's more thinking about the worst case scenario. What if Bob was compromised, what could that hacker or that person see if they got access to their account? Fantastic, I like that. Because in the past, I guess, there was a lot of thinking around, you know, who should access what from a management perspective and from a HR perspective, but now we're going one step further and thinking about worst case scenarios and really thinking about, you know, I'm just one step from being hacked. What should I put in place to avoid that?
All right. And so we're left with point three and...what is that?
Well, point three does get into technology. So it is, first to really about, you can do things inside your own systems to manage these things, you know, with a bit of planning. The other part is, sometimes requires a bit of investment, but this is really important, so we like to think of this as multi-factor authentication.
Oh yeah, I've got one of those now.
So, we tend to have this on... this is where, if you want to log into your bank account and it's the first time you've done it from a particular device, often they'll send a text message to your phone that's registered.
It's been around for a while, isn't it?
So, it's usually just having two items that require...you can't just use a username and password to log into a system, especially if it's the first time. It requires another form of proof of identity which tends to be sometimes text message, phone, like systems. So that's something which is really key to...because we assume your username and password will get compromised, but if they don't have your mobile or the other unique personal identification information, they can't log in as you.
Yeah, so you're still having that extra gate to avoid people getting through your account.
That's right. And the idea and this again is, you don't have to be 100% foolproof, but it's being harder than that other guy to be compromised. Then the attackers are by nature slightly lazy and automated, they'll go for the softer target, so you need to be the harder target.
And there are a million of options when it comes down to multi-factor authentication. There are a number of solutions that business should be looking to put in place today. Some of them don't really cost a lot of money, so it is an easy one to, you know, talk about with your IT provider or your internal IT department and sort of get that in place before it is too late.
Yeah, and you don't have to do it across all systems, you know, you can start small, you can do...
Maybe start with emails?
Yeah, yeah, you can start with your admin controls for the key systems. If you've done point two, we've controlled your admin logins, you know. You can start there and then you can move down the chain to everyone. Because sometimes applying that to an entire customer base or user base or your internal staff is really hard, but you start with the critical things and you move down, that's planning.
Yeah, yeah, fantastic. Look, three points. I love them and the great news is all of them, you know, are things that people can go and action today. So thank you so much for the insights, Scott. I really appreciate your time and, as we said at the beginning, there are probably seven or a few others that Aura Security would recommend businesses to be looking at as a starting point. So, we'll be giving those away to anyone watching us today. There will be a link that will follow through to download.
So, thanks so much. I really appreciated chatting to you and hope to see you again.
Yeah, thanks for having me.
See ya, guys. Bye for now.