How CEOs can guard against malicious actors. Now! – Interview with Cybersecurity Expert Joe Ciancio

Summary

In this episode John Downes talks with Joe Ciancio, the Director of Maxsum Consulting, a highly awarded and successful IT strategy and consulting firm.

Today’s discussion focuses on Cybersecurity Threats that are affecting EVERY BUSINESS, large and small. He also discusses the steps you can take to prevent them.

Learn More About The CEO Masterclass Here

Download the cybersecurity checklist and take the Cyber Maturity Assessment, here

Highlights

00:00 – Introduction to Joe Ciancio

06:54 – Government has legislated fines of up to $50 Million or 30% of revenue for cybersecurity breaches

10:18 – The “really big” missing component in company cybersecurity

12:29 – Company Loses $400,000 in data breach! It’s not how you think it is….

13:50 – Ransomware can be crippling. What it looks like…

19:55 – An innocent data breach that could get you a not-so-innocent fine

21:11 – What’s the bare minimum you need?

26:19 – Not sure where to start with cybersecurity . . . here’s the #CriticalFewActions™

Sponsors – The CEO Masterclass

Are you consistently hitting or exceeding your business objectives, or are you stuck watching your business not deliver the full potential you know it’s capable of? 

The CEO Masterclass has helped over 200 CEOs and senior executives deliver an estimated $65 million value to their businesses.

Limited spaces available – Click Here to learn more

Key Takeaways

The Notifiable Data Breach Scheme, part of the Privacy Act, requires organisations to report known or suspected data breaches that could cause serious harm within a specific timeframe. Previously, organisations could face fines of up to $2 million for failing to have proper security protections. However, after large-scale breaches involving Optus and Medibank, the government recognised that the fines were insufficient. They are now pushing legislation to increase fines up to $50 million or 30% of the company’s revenue, whichever is greater.

The most frequently overlooked components are detection and response. It’s essential to have systems in place, along with personnel monitoring them, to detect any anomalous activity (such as something happening at 3 a.m. on a Saturday when no one is in the office) and to take action at any time, 24/7.
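The detection half of that point is easy to state and easy to skip, so here is an added example (not code from the interview or from Maxsum Consulting) of the kind of rule a 24/7 monitoring function runs: flag successful sign-ins that fall outside agreed business hours, such as 3 a.m. on a Saturday. The log format, the account names, the IP addresses and the business-hours policy are all assumptions constructed for this example.

```python
"""Off-hours sign-in detection over constructed sample log lines.

Added example; not from the interview or Maxsum Consulting. The log
format, account names, addresses and the business-hours policy are
assumptions made for illustration.
"""
from datetime import datetime, time
import re

# Constructed sample log lines in an assumed "timestamp user result source" format.
# 2024-10-05 is a Saturday; 2024-10-07 is a Monday.
SAMPLE_LOG = """\
2024-10-05T03:12:44 j.smith LOGIN_SUCCESS 203.0.113.17
2024-10-07T09:05:10 a.nguyen LOGIN_SUCCESS 198.51.100.8
2024-10-07T22:47:02 svc-backup LOGIN_SUCCESS 10.0.0.5
2024-10-08T11:30:00 j.smith LOGIN_FAILURE 203.0.113.17
2024-10-09T19:59:59 a.nguyen LOGIN_SUCCESS 198.51.100.8
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(LOGIN_SUCCESS|LOGIN_FAILURE)\s+(\S+)$")

# Assumed policy: Monday to Friday, 07:00 up to (not including) 19:00 is business hours.
BUSINESS_DAYS = {0, 1, 2, 3, 4}   # Monday=0 ... Friday=4
BUSINESS_START = time(7, 0)
BUSINESS_END = time(19, 0)
# Accounts expected to run outside hours (assumed scheduled backup job).
ALLOWLIST = {"svc-backup"}


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, user, result, source = m.groups()
    return {"time": datetime.fromisoformat(ts), "user": user,
            "result": result, "source": source}


def is_business_hours(when):
    """True if the timestamp falls on a business day inside business hours."""
    return when.weekday() in BUSINESS_DAYS and BUSINESS_START <= when.time() < BUSINESS_END


def find_off_hours_logins(log_text):
    """Return an alert for every successful, non-allowlisted sign-in outside business hours."""
    alerts = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None or event["result"] != "LOGIN_SUCCESS":
            continue  # failed attempts belong to a different rule
        if event["user"] in ALLOWLIST or is_business_hours(event["time"]):
            continue
        alerts.append({
            "user": event["user"],
            "when": event["time"].isoformat(),
            "source": event["source"],
            "reason": "successful sign-in outside business hours",
        })
    return alerts


if __name__ == "__main__":
    for alert in find_off_hours_logins(SAMPLE_LOG):
        print(alert)
```

Run as-is it reports the Saturday 03:12 sign-in and the Wednesday 19:59 sign-in, and stays quiet about the weekday-morning sign-in, the failed attempt and the allowlisted backup account. The rule is only useful if a person is on the other end of it around the clock, which is the interview’s point; the allowlist exists so that expected after-hours automation does not drown the alerts that matter.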

Incidents can vary in severity. At the extreme end, you might have a ransomware attack or a leak of all your customers or staff’s personal details to the dark web. On the other end, you might encounter something less severe, like receiving an email from a business where 50,000 email addresses are visible in the “To” field. According to the Notifiable Data Breach legislation, even this constitutes a data breach. So, the spectrum ranges from minor incidents like this to catastrophic events like ransomware attacks.

For a small business, especially one that’s less than 10 years old, the bare minimum is the basics. This includes having the right antivirus software, a firewall, and keeping your computers up to date. At a minimum, regularly pressing the Windows Update button each week won’t hurt; it’s crucial for maintaining security.

To learn how the #CriticalFewActions™ can help you implement or upgrade your cybersecurity system –

Click Here

Keep up to date with upcoming Podcasts

Links and References

  • Find your #CriticalFewActions™ to grow your Organisation Performance and Value, click here
  • Find out more about the CEO Masterclass in Strategic Planning and Implementation, click here

Follow me:  LinkedIn | Instagram | Twitter | www.

Follow Joe: LinkedIn www.

Download the cybersecurity checklist and take the Cyber Maturity Assessment, here

EP 7 How CEOs can guard against malicious actors. Now! – Interview with Cybersecurity Expert Joe Ciancio

JD: Joe Ciancio, CEO of Maxsum Consulting, helps businesses to enable opportunity and realise their potential by developing, managing, and protecting their IT systems and infrastructure. Joe, welcome.

Joe: Morning. Thanks very much for having me, John.

JD: Absolute delight. So Joe, how did you get into IT managed services and cyber security?

Joe: I guess it’s not just something that you wake up one morning and you decide I’m going to get into managed services or cybersecurity. It certainly wasn’t the case in my journey anyway. I’ve been in the game now 22 years in this business and another five or six before that.

But in that time, since I started Maxsum in 2001, the whole industry has changed. A lot. Managed services has been around since the days of early IBM mainframes. IBM, I think in their top end business, still make most of their money by leasing out equipment and then having service contracts to go along with that.

But when I started the business, like I say, in early 2001, it was more about just selling hardware. A lot of the time you might charge for some services to set up a computer every now and then, but it was mostly about selling hardware and packaged software.

JD: Yeah.

I remember that. We met when you actually sold me one of my first laptops after I retired from Deloitte,

and then you probably wished you hadn’t because I was constantly thinking that you are my computer support desk, which

Joe: Yeah. And that’s really how it started out. We sold a whole heap of computers, and we actually used to build them ourselves back then. Selling computers evolved into supporting clients on an ad hoc basis or time and materials basis where people would call us.

And that continued for several years. So that was the second evolution of the business. The third one was between 2008 and 2010, where that concept that IBM and the likes, those larger organisations, had of having a managed service around your technology started to drop down into the SMB space. That’s when we started putting together contracts,

JD: Yeah.

Joe: a service contract that would cover most of your day to day business as usual support type functions in a monthly contract, at a fixed fee.

But if you don’t really understand your client’s business, technology for technology’s sake is pointless. It has to serve a purpose, delivering what we call a virtual CIO service to clients. So chief information officers aren’t typically a role that an SMB organisation would have or could afford in their business.

The fourth, where we are right now, is obviously building on top of that, but having a focus on security and managed security. So part of that evolution, like you said before, John, when I’d sold you a computer and you started calling for support, the evolution has been that if you provide a computer, your IT guy is securing the environment, right?

JD: Yes. Yes.

Joe: Yeah, so providing a managed, sort of strategic approach to security has been the most recent evolution for our business.

JD: Okay. With technology, the average small to medium business owner probably can’t keep up with all the jargon. So help me understand: what is managed services, what’s managed security, and how does that relate to cyber security, which is what we all seem to hear about?

Joe: Yeah, that’s a really good question because there’s often a lot of confusion between the terminology.

JD: Yeah. Okay.

Joe: Our view of it, and others might have a different view, is that managed services is, I guess, the overarching banner, right? Anything, anywhere where you’ve got a contract in place with a fixed set of services that are delivered on a monthly or annual basis, we call that a managed service, right?

So the really important thing is that it’s clear on what’s being included and what’s being excluded as part of that service. The way we view it is that there’s a very clear distinction and a delineation between managed support, managed IT support, and managed IT security.

The managed support is around business as usual: your existing systems, your existing network, your existing computers, your existing software. If you’ve got a problem with it, the remediation of those issues is covered under that managed support agreement, whereas security is very different.

A whole different mindset. There’s different skill sets, there’s different technologies. And from a business perspective, it’s looking at a whole different aspect of your business: the accountability for data security, or security within a company, sits with the directors.

The approach that we take is working with company directors, boards, executive level teams to understand what data they’ve got, what systems the data is stored in, and looking at providing a managed cyber security approach to keeping all of that information and data and systems secure.

JD: So I guess, in my words, you’re providing me with my IT services,

and you’ve got technology that’s constantly running that’s just looking at the basic health of my IT systems.

Making sure that my backups are actually operating automatically, on time, and they’re completing properly; that I’ve actually got the current versions of supported software; I’ve done my updates and I’m not doing anything daft.

On the managed security side of things, you’ve got completely different software, which is looking at penetration risks and a whole raft of other bits and pieces. Would that sort of be right?

Joe: Yeah, so we’ve actually broken some of that stuff out. Looking after backups, for example, we put into security,

JD: Yeah, of

Joe: right? Because that’s a really key element of any considered approach to cyber security, because if you have, let’s say, a ransomware incident on your environment, the only thing that’s going to get you out of trouble, short of potentially paying a ransom and maybe getting your data back, are your backups.

That’s a really important part of backup. The biggest component, though, that we’ve built into our managed security approach is around the concept of detection and response.

JD: John here. Sorry for the interruption. This interview was shot for my CEO Masterclass because every CEO needs to know how to safeguard their business from malicious actors. And Joe spells out what are the #CriticalFewActions™ you can do to get started now. Back to the interview.

Joe: A lot of organisations may have heard of the notifiable data breach legislation. I’m not sure if you’re aware of

JD: Tell me about it.

Joe: Yeah, several years ago, you probably recall there’s been some fairly big name data breaches in the news.

JD: Yeah. Optus and Medibank Private.

Joe: Yeah. And even prior to that, there were some in the news, and the government started saying we need to focus organisations on data security and deter them from taking a really lackadaisical approach to security and thinking that it’s not their problem.

So they introduced this Notifiable Data Breach Scheme, part of the Privacy Act, which says that if you have a known or a suspected breach of data from your organisation, and if there’s serious harm coming out of that data breach, then you need to report it within certain timeframes.

And if you don’t have the right protections in place or approach to security, there were provisions for fines up to $2 million.

JD: Wow.

Okay. That’s serious.

Joe: It was until last year when Optus and Medibank happened. And with the scale of those data breaches and the size of those organisations, the government said clearly that’s not a big enough stick.

So they’re currently in the process of putting legislation through Parliament, which says that those fines will increase up to $50 million or 30% of revenue, whichever is greater.

JD: Wow.

Joe: Now organisations are starting to take a little bit more notice of these things, and other initiatives that the government put in place through the Australian Signals Directorate, and a branch of their organisation called the Australian Cyber Security Centre, put together a number of guidelines around security that organisations should be following.

So one of these guidelines is called the Essential Eight, where they talk about these eight steps or eight initiatives that you can put in place to best protect your environment. Now, that’s a really narrow set of things to look at in the world of cybersecurity. And we take a bigger picture view of it.

And we use a framework called the NIST Cybersecurity Framework. NIST is the National Institute of Standards and Technology out of the U.S. that produced this globally recognised framework. And it’s split up into five functions. So it speaks about identifying the data and assets that you have within your organisation, because only once you know what it is that you’re protecting can you actually protect them.

And then from there, you need to be able to detect and respond to any anomalous activity happening within your environment. And then you need to be able to recover from those anomalous events. So most organisations have been purely focused on that one function of protecting things.

You spoke earlier, John, about your backups. Your backups, your antivirus software, your firewall, all of these things are technical protections you can put in place to secure your environment. Most organisations and a lot of IT providers, when they talk about cyber security, that’s really what they focus on because that’s what they know.

But taking a bigger picture view in the context of that cyber security framework from NIST, the really big missing component that we see time and time again is around detection and response. So that’s having systems in place and people in front of those systems to detect if there’s anomalous activity happening within the environment at three o’clock in the morning on a Saturday when there’s no one in the office, and actually taking action at any point in time, 24/7.

So that’s the really big missing piece that we’ve seen around that detection and response component. Okay.

JD: I can understand that governments, banks, telcos, insurance companies, I’d expect that they’d be easy targets and you’d be hammering away at those if you’re an artificial intelligence assisted baddie in some third world country,

but, is that really a big deal for small to medium businesses?

Joe: Absolutely.

JD: and why?

Joe: The Australian Cyber Security Centre puts out a report every year that shows the number of reported cybersecurity incidents. So there’s a lot more, right?

JD: Yeah.

Joe: But there’s one graph in that report that shows the number of incidents by size of organisation,

JD: Yeah.

Joe: The biggest bar in that chart is for small to medium sized businesses, because they’re the ones that don’t have the time, the resources and the knowledge, and the money in some cases, to adequately secure their systems.

These malicious actors, they know that the banks can spend billions or hundreds of millions of dollars on security every year. A small to medium sized business doesn’t have that size of resource. So

JD: of course.

Joe: they’re just a bigger target because they can’t secure their environments as well.

JD: Do you want to walk me through a client example just to help us wrap our minds around what really happens?

Joe: I’m glad you asked that question. I’ve got lots of examples of what happens in a typical cyber event. So the weakest link in the chain when it comes to cybersecurity incidents is inevitably a human. So the stats say that 93 percent or more of these cybersecurity incidents occur through phishing or other email compromises.

So

JD: Do you mean?

Joe: So that’s when you receive an email. In some cases a phishing email could purport to be from your bank saying that you need to reset your password. In some cases it can be like a Microsoft one, an email that looks like it’s coming from Microsoft saying that you need to reset your password in that environment.

And in some cases it may not be phishing, but what we call business email compromise attacks. So I’ll give you an example. We had a client whose environment was totally secure. It was actually one of their vendors or partners whose email was compromised, their email system was compromised.

So with this vendor’s email system being compromised, these malicious actors were able to monitor the emails going between these two organisations. And this was happening for a period of several months. And through that period, they came to understand that the CEO was going on leave for several weeks and was going to be not very contactable for a couple of weeks. They also knew that the CFO was new, had only been there a couple of weeks as well. So the CEO went on leave and a couple of days later received an email from the CFO saying, Oh, look, we need, Oh, how’s it going?

I’ve arrived on leave, it’s all going well. And these sort of innocuous emails went back and forth several times. And then at one point the CFO got an email from the CEO saying, Oh, look, we just need you to transfer some money from this account to another account.

And this happened over the course of several days. And by the time they found out that it was actually malicious, the organisation had transferred $400,000 into an account that went nowhere. So again, you can have all the technical protections you like in place, but if you don’t have a level of awareness and you don’t train your staff in what to look out for,

and also if you don’t have the right business processes in place to check. All right. You might have a policy to say if there’s a transfer over 20,000 that’s being requested by anyone, you have to verbally check with someone over the phone or face to face that these things are actually legitimate.

So it’s not always about the technology. In most cases it will be a person, a human, who is either tricked or isn’t aware of what they’re doing. And these things can happen quite easily.

JD: Wow. Jeez. Can you tell me a little bit more about an example of this ransomware, how that sort of has happened that you’ve said?

Joe: Yeah. Again, typically there’s a couple of different, what we call attack vectors, ways in which these malicious actors can get in. So in some cases it can start off from an email phishing attempt. So again, I’ll send you an email saying you need to reset your password. It takes you to a Microsoft site.

It looks legitimate. It attempts to change your password. And eventually it’ll let you through. But what has happened is those malicious actors have captured your password.

JD: Yeah,

Joe: They’ll use those credentials to then log into a computer on your network or a server or something like that.

From there, they’ll deploy email that in the background is being deployed to all the devices on your network in your environment, and it’ll sit there quietly for several days or weeks or potentially even months. And one morning it’ll be set to go off. At some point, typically, you’ll come in in the morning, turn on your computer.

There’ll be a window pop up on your screen saying all of your files have been encrypted; to access any of your files, you need to pay us a ransom, typically in Bitcoin so that it can’t be traced. And then from that point, in most cases, you won’t be able to access anything at all. And unless you’ve got really good backups that have got everything backed up securely, you’ve really got no choice other than to restore from backup. Or in some cases people have paid ransoms and gotten their data back, but in most cases they’ll pay the money and not get anything.

Email is typically the primary attack vector. In other cases, the other way is that organisations don’t focus on having their software patched. So you mentioned it before, John, that the support typically looks after patching of your operating system. So your Windows or your Mac environment, keeping all those software updates up to date.

If you don’t have that software up to date, or your Windows software up to date, that leaves holes in security that those malicious actors can get in through. And the other big one is not only Microsoft software, it can be third party applications as well. Specific pieces of software that you use to do your day to day work.

If you’re not using the latest version of, let’s say, Acrobat Reader, for example, those software applications as well need routine patching and updating to make sure there’s no vulnerabilities that you’re leaving there.

JD: Having a managed security service really is just another insurance policy. It’s not going to guarantee, but it’s going to give you at least a level of defense that’s better than your average koala bear. Is that right?

Joe: Absolutely. And there’s a couple of really good points you touched on there, John. So no approach to security is going to 100 percent protect you and make sure your environment’s secure. We often use the analogy of securing your home. When you secure your home, you want to understand what it is you have in your house so you can adequately protect it.

You could have an alarm system that calls a monitored alarm service to be able to detect and respond to any event happening in your house. And people often think of that in terms of theft when securing your home, but there’s other considerations. There might be fire or flood, right?

If you live in a fire prone area, you should have a fire plan.

JD: Yes.

Joe: on how to recover from that and what to do. So we use the same analogy in cyber security. You really need to know what it is that you’re securing. So what data assets you have, what systems they sit in, what software is used to access it.

Because it’s only then that you can know what it is that you’re trying to protect. But also with respect to insurance, cyber insurance, unless you know in detail what it is that you’re securing, you can’t have the right cyber insurance policy in place. You can put all these systems, all these protections, around things.

It’s not going to 100 percent guarantee that you’re not going to have an issue, but what it’s going to do is, A, reduce the risk and, B, increase your ability to recover from a potential malicious incident if, and probably when, it does. Yeah, and insurance,

JD: well inevitable.

Joe: To a varying degree, whether it’s a minor or a major incident.

There’s a scale within that incident range. So really the worst, a ransomware attack, or you have all of your staff’s personal details leaked to the dark web, that might be one end. But another end of that scale could be, I’m sure you’ve seen it in the past, John, when you received an email from a business and there’s 50,000 email addresses in the To field of the email.

And you can see all of those emails. Technically, that’s a data breach if you read the notifiable data breach legislation. So that’s one end of the spectrum. And the other end of the spectrum could be something catastrophic like a ransomware attack.

JD: Yeah. A formal attack.

And so what do I need to do as an absolute minimum as a business owner? Because I take it there’s obviously a little bit I can do, and I can go to a full extreme and recreate the Australian cybersecurity capability. What should I see as being my starting point as a minimum?

Joe: Yeah, I guess it does depend on the size of your organisation, right? So if you’re a really small business, if you’re less than 10 years, it’s the really basic things, right? Having the right type of antivirus software in place, having a firewall in place, keeping your computers up to date. And again, at a bare minimum, pressing that Windows Update button every week is not going to hurt you.

But keeping that software up to date is really important. And I guess the other one is really being vigilant. So when you’re getting those emails and they’re asking for either personally identifiable information or asking you to reset a password or a username or something like that, just ask yourself the question.

Is this real? Could it be real? Instead of blindly clicking or typing, actually call your bank if they have sent you an email. Call your bank from the phone number that’s on the website and say, Hey, look, I got this email. Is it legit? Yeah. And just being really vigilant, keeping your staff abreast of what’s happening in the cyber space is really important as well.

So

JD: Two-factor, multi-factor authentication, is

Joe: absolutely

JD: that’d be a starting point as well?

Joe: authentication. Absolutely. That’s another really big step that you can take. So having multi-factor authentication on any system that you use is an absolute must these days. And it’s at that level of importance that if you’re using some piece of software that doesn’t have the capability of multi-factor authentication, you probably should start looking elsewhere.

JD: Okay.

Joe: Yeah, it’s that serious. If it’s a web-based application and it doesn’t have multi-factor authentication, yeah, you should be asking questions.

JD: Okay. So that’s probably my bare minimum. What’s the next logical step, to get somebody like you involved, and what does that actually really mean?

Joe: Yeah, so from there, any business of any decent size, you should be taking a bigger macro view of it. So again, we focus our attention on that cybersecurity framework from NIST and those five pillars. Those frameworks scale to really large organisations, and our approach is that even a small to medium sized business, you don’t need to go to that massive scale and that level of depth, right? But at least review it and pick up on pieces that are relevant to your business, and that’s the really important thing. So the way we approach it is that we start off working with clients to undertake a cybersecurity assessment.

So we sit down with the client, business leaders in the organisation, and we run through, I guess, two different components. One is a business and a business governance review with regards to cyber security, and the other one’s a more technical review. So in the business or the governance review we look at what type of activity the business is undertaking, what some of the risks are from a business perspective, the data that they retain within their organisation and how sensitive that is.

If they have cyber insurance in place, we’ll look at the policies. We’ll ask them about their policies and procedures. So at a bare minimum they really should have an acceptable internet usage policy. They should really have things like a work from home policy, a bring your own device or BYOD usage policy, a whole raft of things that aren’t specifically technical

but fit into that broader view and framework of security. So in any case, we run through that whole assessment. We present to clients where the organisation sits in the context of that framework and where the gaps are, right? And the gap isn’t from what they have in place to having things that National Australia Bank should have in place.

It’s about having what’s relevant and applicable to their size business.

JD: Yeah, sure.

Joe: Yeah. And then putting together a program over time. You can’t go from zero to a hundred in a week, right?

JD: Nuts.

Joe: No, it’s about putting together a program. It might be six, it might be 12, might be 18 months, to get them to that point that is applicable and appropriate for their level of activities.

JD: Gotcha. Gotcha. And so can you provide a bit of a checklist or some of this NIST information that people can have a bit of a flick through?

Joe: Yeah, we’ve got, obviously, the full assessment, which takes several hours to run through the questions, and then we provide a report, those kinds of things. But we actually provide a sort of cut down self assessment online that we can forward through to anyone so that they can at least get a bit of an idea of the sorts of things they need to start thinking about.

Because a lot of times, when you’re unconsciously incompetent, you don’t know what you don’t know. So at least running through that self assessment, you can start to think about, Oh yeah, I hadn’t even considered that.

JD: Yeah, look, I think some of the great advantages of these sorts of self assessments and checklists is simply that they actually provide a useful education framework.

And it’s the questions that help you realise how much you do or don’t know, which is always, I think, really helpful. If I’m a CEO

looking to start getting more sophisticated and better protected in it, what would be the #CriticalFewActions™ I should start doing tomorrow? If I did nothing else?

Joe: Yeah. I think it really starts around asking questions, right? So if you’ve got an internal IT team, it’s really about asking about what protections are in place. But again, in the context of that larger framework, it’s asking perhaps some of your business leaders or management people in your management team about what policies and procedures are in place as well.

JD: Yeah.

Joe: Asking some simple questions like, are our staff allowed to access company data or emails from their personal devices?

That’s a really big one that a lot of organisations haven’t thought about.

In 98 percent of cases, I would say that staff can access data from their personal devices, phones or

JD: their email systems, of course.

Joe: Exactly. But what most business leaders don’t understand is that when that employee leaves the organisation, or they have their personal device stolen or it’s lost, all of that data is then totally outside of the realms of being managed or tracked

JD: Yes.

Joe: by the business. So

JD: And how many people with their personal computers keep their virus software or their Windows up to date?

Joe: Yeah, absolutely. That’s one aspect of it, but simply having company data on an unmanaged asset that you can no longer control is a really big risk. So those are some of the things I’d be asking internally. If you’ve got external IT support, I guess some of the questions over and above those, because they’re still relevant, would be to ask what type of credentials your provider has in the cyber security space. So I think I mentioned last time we’ve undertaken our ISO 9001 certification around quality management and also ISO 27001 around information security management. So what that is saying is that we work to an internationally recognised set of standards around how we manage our clients’ data, and also the procedures and the policies we have around undertaking our day to day work that ensure a really high level of security in general, right? So they’re the sorts of questions that you should be asking your IT provider. Do you have those types of credentials?

The other one is around the framework. So what framework does your security provider work to? Is it something like NIST, which has a very broad coverage, an all encompassing holistic approach, or are they focused wholly and solely on the Essential Eight from the Australian Cyber Security Centre, which, whilst being great, is only a very narrow view of security as well.

Yeah.

JD: Yeah. That really provides insight. In a lot of ways, it’s been fortunate, apart from the fact that all my data disappeared off to the dark web with Medibank Private, not Optus. But I think both of those data breaches have really helped people understand how important this is.

And also that, without being a scaremonger, we are vulnerable, but there are certainly things that we can do about it. So,

across the board it’s improving people’s awareness. Now the trick is for people to actually do something about it. So I hope, Joe, that people listening to this will find comfort that it’s straightforward, if not simple, to get on top of our cyber protection. All we have to do is to work with some qualified people to do that, and use some pretty good common sense and have an eye to alertness, just as you would if you were going through a shady neighborhood late at night.

Joe: Yeah. And I think that’s a really good point. A lot of people think, again, that cyber security is just an IT issue and it’s a technical thing, but it’s not. It’s about governance. It’s about risk and security. If you read the, I know it’s thrilling reading, right?

But if you read the Privacy Act and the notifiable data breach legislation, it doesn’t single out cyber security, right? It talks about the security of data in general. So that extends to printed information. Any other form of data that you have is encompassed under that legislation and that notifiable data breach scheme.

So for example, if you have personal details of a client or a staff member printed out on paper on your desk and your cleaners come in after hours or on the weekend and do something malicious with that, that’s a notifiable data breach,

So it’s

JD: Yeah. I must admit, when I call the call centre, if I’m doing an over the phone payment and I hear someone say, oh, look, I’ll just grab a pen and write it down, I cringe. If I typed it into a keyboard and it was going straight into the payment management system, that’d be completely different.

But then if I’ve got a bit of paper with my credit card details on it, that really makes me nervous.

Joe: Yeah. And another thing, following on from what you said before, John, around Medibank and Optus, the discussion has now started around why did those organisations retain that information when they didn’t need it? And that’s going to be the next evolution of legislation.

Inevitably, we will get there. That may stipulate that under certain conditions, where you don’t need to retain certain information around clients or staff, you need to be able to prove that you no longer have it,

JD: yes,

Joe: so that’s going to require another level of management around data, especially around electronic systems, that I think will make it more complex for a lot of small to medium sized businesses that won’t be able to navigate that journey on their own at all.

JD: No, Joe, this has been absolutely fascinating. I’ve really enjoyed this, and I must admit my skin’s prickling a little bit, ’cause I’m a bit twitchy about making sure that every time I do get asked to turn on Authenticator or dual-factor authentication, I need to say yes, as opposed to “I’ll do it later.”

Joe: Yeah, do it straight away, John.

JD: Joe, thank you so much for your time. I really appreciate it.

Joe: Very welcome.

2024-10-11 TRANSCRIPT Ep 7. MTE Joe Ciancio – Cyber Security.txt