About this Webinar

Cybersecurity. The word alone can make any business leader cringe. How do I know if my company is protected? There are so many factors to consider, how do I know what is right for my organization? Am I ever really 100% safe? How have the threats changed in the past year or so? These questions and many others result in IT decision-makers lacking confidence in implementing a cybersecurity strategy to keep their organizations’ data protected and secure. In this webinar, we will discuss the common misconceptions and give them a dose of reality as well as introduce a few helpful frameworks that will imbue confidence as you shape your strategy moving forward.

Agenda

  • Common Misconceptions and Questions
  • Where to Start
  • Zero Trust Framework
  • Security First Culture
  • Next Steps
  • Q&A

Next Steps

Schedule a Power Hour with our team to discuss your IT security goals and make a plan to get your team set up for success today.

Adam Devereaux:

Hello everyone and welcome to another Worksighted NXT. My name is Adam Devereaux and if you have joined us for some previous events, you will know the name Matt Maines, because he’s been in the background.

Matt Maines:

Thanks Adam.

Adam Devereaux:

This is his first time here in front of the camera. Matt is our Chief Technology Evangelist, and I am the cloud and security manager here at Worksighted. Today we want to talk to you…

Matt Maines:

Well, hold on a second, Adam. What do you like to do for fun? I mean because we’re in security here, but like…

Adam Devereaux:

I like to learn about cybersecurity for fun.

Matt Maines:

Oh man, well…

Adam Devereaux:

No, I actually like camping outdoors.

Matt Maines:

That’s what we have in common actually.

Adam Devereaux:

Yeah, we both have a camper.

Matt Maines:

Absolutely.

Adam Devereaux:

Although I have a fifth wheel and you have a travel trailer [crosstalk 00:00:40].

Matt Maines:

Well that’s true. That’s true.

Adam Devereaux:

You’re also on a lake.

Matt Maines:

That’s true. See, as you can notice the color here, just a little bit tanner than Adam but anyway.

Adam Devereaux:

Yeah, it shows who’s working more I guess.

Matt Maines:

That’s right, anyway, go ahead.

Adam Devereaux:

Matt and I have been working together for 10 years now.

Matt Maines:

Yes.

Adam Devereaux:

We both in our jobs talk to a lot of organizations about technology strategy and security of course is one of the big ones. This whole conversation that we want to have with you is not a product focus on cybersecurity, but really trying to get people to have a framework to understand it from a business decision maker perspective. Give you some confidence that this is something that you can tackle. It can be scary, confusing, overwhelming and we want to try to cut through that for you.

Matt Maines:

I think that also leads into even as an IT decision maker, that does give you some talking points of, how do I address that with the C-suite staff?

Adam Devereaux:

Yeah, exactly. Regardless of who you are, I think understanding how cybersecurity issues, threats, vulnerabilities affect your organization are powerful tools to have. Hopefully we can really bring it home in a way that, that helps you to be confident. That you can tackle this and improve your security posture as an organization.

Adam Devereaux:

We have a couple of slides here. Also, we don’t think of this as like a classic webinar. We want this to be interactive. Ask questions along the way and if we can, we’ll pause along the way and answer those. If we don’t get to those during our main section here, we’ll have a Q&A at the end and make sure that we answer everybody’s questions.

Adam Devereaux:

Also, wanted to shout out to Kylian and Rebecca behind the scenes, really helping us get this all going. It’s actually a surprising amount of work to make this happen so we’re excited. Oh, and this is a year now of monthly webinars.

Matt Maines:

Yes.

Adam Devereaux:

Yeah.

Matt Maines:

That’s right.

Adam Devereaux:

This is kind of an anniversary for us.

Matt Maines:

Take us back, what was our first webinar then a year ago?

Adam Devereaux:

How to be a team superhero.

Matt Maines:

Okay, how was it then a year? I mean, how do you feel about teams?

Adam Devereaux:

Oh, I mean, it’s just increased since then and really that’s actually a talking point around security that we’ll get into is the fact that it’s changed. What cybersecurity is has changed. What we’re trying to protect has changed. The way that people are accessing resources, all those things.

Matt Maines:

Tell me a little bit about, what’s the big underlying problem here? I mean, security, it’s such a big thing to tackle. Tell me little bit here then the major problem.

Adam Devereaux:

Yeah, for me, a conversation I had recently, well a couple of them, one was regarding a lot of different organizations in a meeting. They were going into detail around a cybersecurity event, an issue that happened. It ended up being very overwhelming for the business decision makers, the people who weren’t very technical. It was just this shell shock, what are our takeaways? Where do we go from here?

Adam Devereaux:

I realized there’s been a gap from a security conversation standpoint, where people don’t always really have a larger understanding of what the point of all of it is. It’s very product focused. It’s very reactive. We hear from someone like, “Oh, we should adopt this tool. We’re doing this, we’re doing that.” It can seem very frenetic, like we got to do this, we got to do that, we got to do this. Having a strategy, having a deeper understanding of what it’s all about, I think is helpful for everyone.

Matt Maines:

It’s not just on the IP side of things, right?

Adam Devereaux:

Correct.

Matt Maines:

That’s the confusing part. I think a lot of times it might start out with, it’s that insurance renewal time. There’s a new line item here, cyber liability insurance.

Adam Devereaux:

Yeah, or some compliance, some assessment, some questionnaire. Or worst case a breach happens, an event happens and then the organization realizes firsthand how painful and costly it can be to have a cybersecurity event happen.

Adam Devereaux:

The point of this conversation though is that, we can strip the cybersecurity part away in a lot of ways here. We can focus on the fact that this is crime. These are criminals who are trying to attack your business and make money off from you.

Adam Devereaux:

You have to start from the perspective of, what is it that you’re trying to protect? That’s what you understand well regardless of who you are is the organization itself, what you have that’s valuable, your assets, your users.

Adam Devereaux:

We find that there’s really three main categories of what you’re trying to protect. We’ll speak in a lot of generalizations in this meeting, so obviously we can’t be 100% accurate with everything we say.

Matt Maines:

True.

Adam Devereaux:

That’s the point, we’re trying to simplify some of this.

Matt Maines:

Absolutely.

Adam Devereaux:

You have your assets, your information assets, your physical assets. For many organizations it’s far more virtual because we’ve gone to more and more cloud SaaS apps. You have things all over the place that your finances, your money is also-

Matt Maines:

Absolutely.

Adam Devereaux:

… something that you need to protect obviously and something that people are trying to attack. Your people, that’s a big one. You’ve worked with a lot of security, but then stuff happens.

Matt Maines:

I was going to say and it’s about keeping and making sure they are who they say they are. That’s probably the biggest thing is because I would say what people want to steal is the identity to pose as somebody else to create that, to do that crime.

Adam Devereaux:

Yeah, exactly.

Matt Maines:

It’s like putting on that virtual mask.

Adam Devereaux:

Yeah, we’ll go into a little more detail, but this is one point that we’re going to keep harping on. Is the fact that, your user identities, your business identities are really a core of any effective security strategy. Also, understanding like what your security perimeter is now in the modern world.

Matt Maines:

Then back to that finance piece too, just about the identity of what power does somebody have to do-

Adam Devereaux:

Exactly.

Matt Maines:

… are there steps to take in when I just do an SEH? Is there two forms of authentication just even inside, outside of technology just within your own business processes?

Adam Devereaux:

Exactly, so we also wanted to say you aren’t alone in this. Obviously there’s no such thing as perfect security, but there’s a lot of different things that you can spend your time, money and resources on. None of us can do everything, so as an organization you have to decide and find a way to focus on, what makes sense for you to adopt? What kind of controls make sense for you to put into place?

Adam Devereaux:

Security is not always fun because in many cases it’s something that is a sliding scale of convenience and efficiency with security, right?

Matt Maines:

Right.

Adam Devereaux:

We’d like to be able to leave our house and our car and everything unlocked, but that’s just not the reality of the world. There’s a security level that’s appropriate for you and that’s what we want to help you figure out.

Matt Maines:

Well think about that too like within a neighborhood you might have more trust in one part of an area versus another. I mean, do you find that as well in security? Anything US bound is great. I mean, what are the false positives a little bit in that as well?

Adam Devereaux:

Yeah. I think that’s a good example and talking point as we get into it here. That when we talk about security controls, those can be multilayered. A security control, for example, is you having a password to get into your user account, right?

Matt Maines:

Correct.

Adam Devereaux:

As you move to the more valuable things, you might have multiple controls along the way to help make sure that your essential systems and processes are protected. What we found is a lot of this identity theft essentially that’s going on, the user impersonation or user credential theft means that, you’re vulnerable in ways that you don’t really even realize. That’s one of the things we want to talk about is some examples of what we’ve seen that can spark your thoughts on here.

Adam Devereaux:

Again, it’s your information, it’s your finances, it’s your people. The whole point of the conversation too is that, you understand that stuff. If you partner with people who do have the cybersecurity knowledge and make sure that the whole perspective is taken into consideration, you can make a comprehensive security strategy ultimately out of that so threat vectors.

Matt Maines:

Yeah. Let’s dive in now. What are some examples? What are the three big ones that are, I don’t know, providing those threats to us?

Adam Devereaux:

Yeah, so again, this is crime. It’s cybersecurity, but it’s just security at the same time too. If the computers weren’t here you’d still have to protect those three things. What the internet has done for security issues is the same thing it’s done for improving business and communication and collaboration. It’s made the whole world available to our fingertips, which means it makes your organization available to the attackers’ fingerprints, to the criminals’ fingertips rather.

Adam Devereaux:

The big three threat vectors that we see, and I’m not talking about the security vulnerabilities here. What we’re talking about are the ways that a criminal tries to make money off from your organization. They fall into the classic crime categories of extortion, theft, and then financial process injection is what I would call that.

Matt Maines:

What’s an example of that? Break it down to me, what’s the water cooler talk that maybe you hear? What do I read about in the press type of things? What’s the media terms or some things that you end up seeing there?

Adam Devereaux:

Well, I’m sure you’ve heard of ransomware.

Matt Maines:

Okay, so just back me up, explain it a little bit here of how does that work?

Adam Devereaux:

Yeah, so typically, now this isn’t the biggest threat that we see out there, but it’s still a big, big issue is that, ransomware is like a type of virus that gets onto your computer or one of your user’s computers. It will try to encrypt your information. If you have like network drives, if you’re using cloud file storage, whatever that user has access to, it will try to encrypt that in a way that you can’t access it unless you pay them money. This is why it falls under the category of extortion.

Adam Devereaux:

They try to lock down your information and really the key thing they’re trying to extort you on is your need to stay up and running. For most organizations, once those files are encrypted, they’re stuck until they can get that fixed. There’s a lot of ultimately lessons to be learned from an attack like that like your ability to recover…

Matt Maines:

Then typically you see this done in like a Bitcoin transaction type of thing, that’s usually where you see this. Then now you’re dealing with a shady currency. Anyway, I meant who’s affected here? It’s basically anybody.

Adam Devereaux:

It’s basically anybody. They target nonprofits, they target medical organizations. That’s one of the big changes is that, the criminals out there are attacking specific organizations and the prices have gone way, way up.

Adam Devereaux:

I mean, it’s six figures is often a starting point depending on your organization. You may be able to negotiate with them. Again, negotiating with the criminals, hoping that they’re trustworthy criminals. There’s organizations that have ended up in really dire straits and have gone out of business because of this type of attack.

Matt Maines:

Okay, so bring us onto the next one here of theft like. What have we got?

Adam Devereaux:

Theft often means it’s like your personal information that they may use to compromise your employee’s personal finances. W2s being leaked is one example, trying to trick people to send W2s out to them. Impersonating somebody, a VIP in your organization, competitive information, personal information, financial information about your clients.

Adam Devereaux:

One of the most basic things in the world of credit cards and PCI compliance is, do not store credit card numbers. That’s just the easiest thing, don’t store credit numbers.

Matt Maines:

We all do it. Someone does it, they put it in their browser. Would you like to add it? Yes.

Adam Devereaux:

Well, worse than that. I do that too. That’s reasonably safe. It’s more like the client credit card numbers in your email box.

Matt Maines:

Got you.

Adam Devereaux:

We’ve run into this issue in real life where somebody, a user in the organization has credit card numbers for clients stored in their email. Their email gets compromised, now we have a huge issue on your hands. You have to contact all those people. They need to change their credit cards, which goes back to the other part on extortion too is reputation.

Matt Maines:

Yeah, absolutely.

Adam Devereaux:

Another way that they try to extort organizations is reputation. How does it look to actually go and talk to those criminals?

Matt Maines:

Yeah, because I have press release on something then how do I [crosstalk 00:12:46].

Adam Devereaux:

Make it look…

Matt Maines:

Maybe you have a fine to pay, those type of things. Tell me a little bit about, this is one that I’ve heard of lately, but have you heard about the gift card stuff? They send you an email.

Adam Devereaux:

Oh yeah, it’s a common, that’s in the realm of impersonation. What does it matter if somebody really gets into our email? We don’t really have anything important in there. Well, you would not believe how many employees in your organization would end up going out and buying hundreds or thousands of dollars of gift cards because they get tricked into thinking that somebody important in the organization is requesting that they do that.

Adam Devereaux:

Sometimes it’s from like a fake external email too. It’s like ceo@gmail.com and they’re saying, “Hey, I really need your help with this. I need to send this out for this giveaway we’re doing,” or something and they do it, they fall for it. The bigger issues that we see again in the realm of getting into your financial processes is ACH payment changes.

Matt Maines:

Sure.

Adam Devereaux:

Impersonating you and then going to your suppliers or vendors or customers and saying, “Hey, can you update this ACH payment information?” Suddenly you don’t even realize it for a couple of months until you’re like, “Why hasn’t this person paid us?” Or, “We paid this company, but they’re saying that we haven’t, what’s going on here?” It could be tens or hundreds of thousands of dollars lost because it’s gone at that point.

Adam Devereaux:

Wire transfers are another one that we see with that, but even when we talk about protections and control, sometimes it’s like, well, let’s protect our VIP people first.

Matt Maines:

Absolutely. That’s a first common thing.

Adam Devereaux:

Yeah, and we think, “Well, what can the other employees really, what harm can come from if their email gets compromised from just maybe your entry level workers?” Well, a big one is payroll information changes. I get in any employee’s email, depending on how your processes are set up, I contact HR as I’m the criminal. I say, “Hey, here’s my new payroll direct deposit information.” Maybe you catch it right away after one check, but that’s still hundreds or thousands of dollars that are lost from that kind of attack as well.

Adam Devereaux:

Typically, they try to pivot as well, so regardless of who they’re impersonating, whose credentials that they’ve stolen, they try to get further into your organization. Anytime they’ve got that foot in the door, they have access to send emails as them, but also whatever else that person has access to.

Matt Maines:

No, I think this is a great quick pause here. Kylian, we do have a question in queue here, I’d love you maybe to inform the audience here. That’s a good spot.

Kylian:

For sure, so this first one is from Jeff. “What kind of downtime should an organization expect assuming they have some system like Datto or something like that specifically for ransomware?”

Matt Maines:

I think this is a great question because one thing that we talked about is somebody has your data. At the ultimate I think why a company ends up paying money because they realize their recovery process is-

Adam Devereaux:

It takes too long.

Matt Maines:

… not what they thought it was or it was too long.

Adam Devereaux:

Well, that’s a good point, yeah.

Matt Maines:

They weren’t protected the way they thought, but speak to something specifically in the Datto then and how that protects your server infrastructure a little bit.

Adam Devereaux:

Yeah, so this is a great question that gets into the realm of assuming breach. One of the key points that we want to talk about is the fact that, as soon as you give your users a business identity, as soon as you give them a log on and put them down in front of the computer, they can cause immense harm to your organization. The analogy here is putting somebody in a car.

Adam Devereaux:

Now what’s interesting is, if I ask you, “Hey, tell me about some car safety features.”

Matt Maines:

Sure, airbags, seatbelt, crash impact or…

Adam Devereaux:

Yeah, exactly. All that stuff is assuming a crash, right?

Matt Maines:

Absolutely. Yeah.

Adam Devereaux:

I’m thinking I’m safer in that car because I have things to protect me in the event that I’m going to crash. We know, most of us anyway, that a crash can happen at really no fault of our own or despite the things that we do to try to prevent that.

Matt Maines:

True.

Adam Devereaux:

Like having a good tire and making sure your brakes are kept up. Being aware and alert as to what’s going on, a crash can still happen. The same thing can happen with cybersecurity. You put a lot of controls in place. You put a lot of things to protect you like multi-factor authentication, a good firewall, you can still get attacked or breach somehow so when you have…

Matt Maines:

Going back to [crosstalk 00:17:17] yeah.

Adam Devereaux:

Going back to Datto, having a good DR system and plan in place is really essential to making sure that worst case happens, you can get back up and running. That starts to shift as we move different information to different systems, different platforms to cloud applications. When you have a server on-prem and you have crucial information on there, something like Datto not only provides local backups, but also offsite cloud backups.

Adam Devereaux:

I also look at, does that DR platform and DR sensor disaster recovery, does that have, what will you call like a platform gap? A recent attack that I am aware of, an organization out of state had where they got hit by ransomware, their backups were deleted. They had Veeam and the way-

Matt Maines:

Sure.

Adam Devereaux:

… that it was configured, they were accessible from within the server environment, the backups were wiped out. At the end of the day they had no choice, but to pay. They negotiated down, but it was well over $100,000 and that’s where you have to make sure that, if worst case happens, are your backups of your information somehow separated from your server environment?

Matt Maines:

The other point of that piece too is just knowing how often I’m backing up, so we call that recovery point objective. Meaning-

Adam Devereaux:

Exactly.

Matt Maines:

… is it once a day? Is it hourly because you would have to then go back to that spot. Then one thing about ransomware too is, was it still dormant there? Was it in that restore point? Am I going to restore? That’s one thing that…

Adam Devereaux:

Restore the criminals back into my environment, yeah.

Matt Maines:

Absolutely, so I think one thing about when Jeff, you had asked about that out, it will actually detect the ransomware in there. You’re rolling back to a known good point at that point too, but again, to your point and then also making sure that, how do you know they’re completely out of even if I restore back.

Adam Devereaux:

Yeah, exactly and that can delay your recovery.

Matt Maines:

Absolutely.

Adam Devereaux:

Being able to do things like spinning up VMs in a sandbox, being able to do temporary recoveries that you can validate that the environment is clean. The big thing that fundamentally, regardless of what system you have, is test your recovery. I can guarantee you it’s going to take longer than what you’re expecting. It almost always does.

Adam Devereaux:

Some people think that, “Well with our backup system, we can be back up and running in an hour or two.” Sometimes that can happen. Once you’ve tested it, you have validated it, you know it can happen. More often than not it’s all day, it’s multiple days. It takes a while to get the VMs backup and running. It takes a while to get the server back to the state it needs to be. It takes a while to get the database up and running, all those things. Test it. That’s the biggest thing is do a DR test.

Adam Devereaux:

Identify going back to the fundamental here, identify the information that you have, the systems that you have. What’s critical to stay up and running? Then figure out how you are ensuring access to those systems. Okay.

Matt Maines:

One more real quick.

Kylian:

Yes, this one comes from Betsy. “Do you have a checklist or a document we can share with our teams as best practices and reminders of things not to do in addition of things to make sure we are doing i.e. not saving passwords, storing credit card info, stuff like that?”

Adam Devereaux:

Yeah, that’s a good question. We’ve done security training. We have a security awareness training program that we recommend people adopt something like that or work with us on that. I believe we may have some security handouts along those lines. We will look into that and send that out to everyone if we find. I know we have something recently I have seen.

Matt Maines:

Yup. Absolutely.

Adam Devereaux:

We’ll get something like that out yeah, [crosstalk 00:20:46].

Matt Maines:

Appreciate the questions.

Adam Devereaux:

That’s a great question.

Matt Maines:

Let’s go ahead and fast forward into the next spot here.

Adam Devereaux:

Yeah, so security framework, so this is getting back to the idea of, how do we understand and have a mental model of our security posture, our vulnerabilities that are out there?

Matt Maines:

This is a buzzword that I first see there, this zero trust I’ve seen this out there.

Adam Devereaux:

Yeah, to marketing term in some ways. Yeah, so this is about the mindset shift, away from just the servers. Previously the way that we thought about security was like a brick building. We have this really good wall around our users and information, a walled garden is another term that people use, your trusted network. You’ve got all your information, all your apps inside of there. User sits down, they log in. They’re talking to the server, that’s in the building.

Matt Maines:

Then I open up another office and then we have just a little private pipe between that, then that’s the…

Adam Devereaux:

Yeah, good firewall at the edge.

Matt Maines:

True.

Adam Devereaux:

That’s our perimeter. Well, what’s happened for the vast majority of organizations out there is, over the years they’ve shifted different workloads, different applications to cloud.

Matt Maines:

One that comes to mind is email, that’s a good first movement that organizations took. The email that was that on-premise Exchange and then we moved it to the cloud, the Office 365 email services.

Adam Devereaux:

Exactly, so going back to that building though, it was never as secure as what we thought it was. In fact, there’s a fundamental flaw which was that once you get inside that wall, you have access.

Matt Maines:

You trust.

Adam Devereaux:

You’re trusted.

Matt Maines:

It’s like I broke into the building and there’s no cameras in the building. It’s like I’ve got free rein.

Adam Devereaux:

Exactly.

Matt Maines:

Would you also say the threats have changed? I mean, I’m looking at that design-

Adam Devereaux:

Yeah, they’re constantly shifting.

Matt Maines:

… say 10 years ago [crosstalk 00:22:30].

Adam Devereaux:

This is their full-time job, there’s criminals out there, that this is their full-time job to try to make money off from you and your organization. They’re going to constantly be coming up with new ways to do that. They’re going to constantly be shifting and trying to figure out new ways to exploit you.

Adam Devereaux:

We see, as soon as somebody’s email gets compromised, they’re doing searches on the mailbox. They’re looking for invoice, transfer, credit card, all of those keywords and trying to find emails. Those are, every week the threats are shifting.

Matt Maines:

It might be phishing got me in one time with a credential thing. Might’ve been an attachment another time, that’s always changing too as well.

Adam Devereaux:

Yeah, so going back to the zero trust concept here, sure, hold on one second. Is the video showing on your side? It wasn’t showing on my computer, so I just wanted to make sure that it wasn’t just a black screen.

Adam Devereaux:

The zero trust framework is this shift that as we move to different cloud based apps, and in most cases we don’t really have a choice in the matter. Part of it is reacting to this new hybrid reality and have access to information.

Matt Maines:

Great and financial software is now in the cloud.

Adam Devereaux:

Yeah, CRM, might be your P system or a medical record system or whatever kind of organization I have. More often than not that’s going to be a cloud based system. Now when we talk about this perimeter, what’s the perimeter now? Our information is all over the place.

Matt Maines:

Because I’m not logging in at my computer. I’ve got to log into this website, that website, this website.

Adam Devereaux:

Yeah, clouds for all is the term that often exists.

Matt Maines:

True, okay.

Adam Devereaux:

In zero trust, the idea here is that we have to shift and really understand that the model going forward is really around the users, where the information lives and endpoints. When I say users, it’s that user identity. What is that login that you’re giving and what is it then giving them access to?

Adam Devereaux:

You might think, “Well, we have a reasonable amount of protection because we have access to all these different logins, 20 different logins.” Well, that often drives people to bad behavior, reusing passwords. It’s painful. We don’t have good information as to logging of access, who got in.

Matt Maines:

Question for you, this is what I could see. Why can’t I use just something like LastPass? Have all my passwords and even if it’s 20 different passwords at that point, I have one password and then all these passwords. Maybe explain that versus something that’s [crosstalk 00:24:43].

Adam Devereaux:

Single sign-on?

Matt Maines:

Yeah, single identity.

Adam Devereaux:

When we talk about single sign-on here, what we’re talking about is attaching a lot of those cloud apps to that user identity. Making it that your users have one main business identity, and then that gets them access to all the different resources, but in an appropriate access level and after validation happens.

Adam Devereaux:

With zero trust, the idea is you don’t implicitly trust anything, but you have the systems in place. This is an ideology and a journey that people are on, but you have the systems in place that are looking at realtime, at all sorts of signal intelligence. Like where are they accessing from? What endpoint? What authentication methods did they use? What are they trying to access?

Adam Devereaux:

This is a slide from Microsoft on it and you can see really it’s the idea is that there’s constantly evolving threat intelligence that’s informing the system. Rather than saying, “All right, I’ve got the key card, I’m now in the building…”

Matt Maines:

It’s almost like my phone is trusted with me or maybe my laptop that I get in is like a normal device. I can trigger something else that says, “Hey, I’m going to use Adam’s laptop here to log me in.”

Adam Devereaux:

Yup, and then it’s going to say, “We need more identification.”

Matt Maines:

Your identity, yeah.

Adam Devereaux:

Exactly.

Matt Maines:

Got you.

Adam Devereaux:

Or that let’s say something happens on your computer and this is where the systems are going, where now you’ve got a virus on it. Well, or something happens where you’re not in compliance from a setting standpoint, your browser is out of date. You can even get to the point where it says, “We either need an additional level of authentication or you’re blocked.” You can’t get on to the systems, [crosstalk 00:26:10].

Matt Maines:

It’s got to meet a certain law of requirements to say like, “Hey, this device is actually okay.” I boot up that old five-year-old Mac that doesn’t have a new Mac OS and hold on a second.

Adam Devereaux:

Exactly and/or maybe you can access low classified things.

Matt Maines:

Sure.

Adam Devereaux:

We’re moving towards systems where we’re classifying and labeling the information. We always worry about the containers of information before like the folders, the file server, but we didn’t have a lot of insight into the information itself. Now we’re shifting more towards identifying, classifying the information itself. Then you can have more intelligence around what you’re allowed to do with it when.

Adam Devereaux:

Maybe I can forward important documents to outside people if I’m in certain contexts or internally if I’m from a trusted device. If I’m from my home computer, I can’t access some of those things, but I can access other less critical things. It gets complicated. We don’t want you to get overwhelmed with this, but this is just an understanding that the identities and devices are really the forefront. That’s the new firewall in some ways is, the control plane for access becomes around the user identity and what they’re granted access to.

Matt Maines:

Then like in a Microsoft example here, we’re looking at where we see this as, your email address is what you look at as your identity and using that same authentication. Once I’m in on that side of things, then it’s like, okay, I can use the same email address. Again, when I go back and do my last pass, that password for this password to this, but you’re talking about that account entirely.

Adam Devereaux:

Yeah, exactly. That means if I change that main account it’s for all those. Yeah, that’s one of the big problems with using any sort of password manager, is the fact that you’re going to give… You have all this overhead of giving people all these different logins into different applications, but you risk cutting off access to those apps is also very difficult.

Adam Devereaux:

Whereas if you have a single sign-on, what’s called an identity and access management platform in place, then when they’re accessing those other applications, it’s all through that one control plane. When somebody leaves or for some reason maybe an identity is compromised, we can cut off access to everything.

Adam Devereaux:

Yeah, this is a diagram of saying in this case, Azure Active Directory, which is your Office 365 log on is in Azure Active Directory can be an identity and access management platform depending on how you’re using it, what you’re connecting to it.

Adam Devereaux:

Now, regardless of essentially what core license you have, whether you’re in the Business Basic or you’re in the Enterprise, you can use single sign-on with really any cloud app. You can custom cloud apps.

Matt Maines:

If I move to Office 365 as my first step, we just haven’t done anything. Maybe a little bit of Teams, but you’re saying that identity, that SSO platform is there currently?

Adam Devereaux:

It is, anybody can use that, that’s in Office 365 to link your cloud apps back to your identity. This is really exciting stuff because it cannot only make it more convenient for your users to access things, increase your security, but also make it more convenient to set people up and provision user accounts and everything else.

Adam Devereaux:

There are, as this says, thousands of pre-integrated applications. It does depend on if that application for the most part, depends on if that application supports single sign-on. Typically, that’s going to be through a bunch of protocols, mumbo jumbo. Can that application connect is one of the core questions you have to ask, but now you can create custom integrations as well.

Matt Maines:

I want to back up real quick for that last, back on that last slide. When you were talking about customers today that still have server on-prem and when I log in my computer it authenticates to that piece. Maybe talk like, how do I transition? I want to get there. I want to do some of these identity stuff. Walk me through maybe a little bit of, is there a hybrid way to do this or like…

Adam Devereaux:

Yeah, exactly.

Matt Maines:

Well how do we do that?

Adam Devereaux:

When we talk about the endpoint intelligence, a lot of times we have to move to a cloud endpoint management system to really effectively do that. In the Microsoft 365 world, that’s Microsoft Endpoint Manager and you can Azure AD join devices now.

Adam Devereaux:

There’s a mapping that we can help your organization with of understanding what was in the on-prem world, the Windows server based solutions and what is now in the cloud native world? It is possible to move entirely and get rid of servers and use a cloud management platform that gives you a lot more capabilities. It’s also possible to go hybrid where you’re in both worlds for a period of time until you can move those final applications, those final resources or things that you need to access that are still on-prem.

Matt Maines:

Okay, so with all this information, I guess, what can we do?

Adam Devereaux:

Yeah, so going back to the first conversation point here, what I want you to focus on and think about is, what are we trying to protect? The software that we use, where information is stored, making sure that our users are well trained. We wouldn’t put somebody in a car who’s never been trained how to use it before.

Matt Maines:

Good onboarding?

Adam Devereaux:

Right, we’re required to put people into training before they can get into a forklift. For the people who have forklifts-

Matt Maines:

[crosstalk 00:31:24].

Adam Devereaux:

… out there, you know that it’s a huge liability to just put an untrained person in it and say, “Go pick up that pallet.” We understand that grave physical harm or death can arise from that. Well to your organization, putting somebody in front of a computer that’s not prepared and doesn’t understand the risks can cause similar grave harm to your organization as well. Understand that the user identity is a powerful thing once we give that to them.

Matt Maines:

Would you say that’s important no matter if it’s, let’s just say I do shop work out on the floor and I just put time in my computer. That’s all I really do, still important?

Adam Devereaux:

Yeah. It’s still important. That’s a good point too in terms of developing that security plan that’s appropriate. We do have some frameworks that are out there. We have a handout attached on here too regarding the CIS top 20 controls.

Matt Maines:

CIS, what does that stand for then?

Adam Devereaux:

That’s the Center for Internet Security.

Matt Maines:

Okay.

Adam Devereaux:

There’s NIST and a lot of other… If you look at Australia, England, lots of governments and organizations out there are trying to make frameworks that can help people. They’ve been challenging in the past because a lot of times they’re overwhelming. They use a lot of lingo, they’re getting simpler and this is one that we think is a good review starting point.

Adam Devereaux:

Those are something that you can use to help review where you are right now. Understanding what are the things that are often effective? We’ve developed what we call security essentials, which are what we find to be the most critical core controls that organizations put into place. Having multi-factor authentication in place, tightening up some of the security around Office 365, Microsoft 365 specifically, endpoint security, DNS filtering and a constant security control evolution as well.

Matt Maines:

One thing I want to hit on right here, because I think this is the big one. You always hear the password debate of, “What do I do with my password?” Now we’re talking about this identity is my main identity, so my old eight character password expires after 90 days. Change it again. Don’t remember history. What is my new standard here?

Adam Devereaux:

Yeah. There’s still controversy around this, but the recommendations officially have changed.

Matt Maines:

This comes from like NIST?

Adam Devereaux:

This comes from like NIST from Microsoft, a lot of other top security organizations. They say this whole making people change their passwords every X number of days was not really that beneficial. We actually were causing more harm than good by doing that. We were driving people to like…

Matt Maines:

Password one, two, three, four, five. One, two, three, four, five, six.

Adam Devereaux:

Yeah, like change it and really once you have a secure password, for the most part it’s going to stay secure unless you’re reusing it for something else. This gets back to that training.

Matt Maines:

Okay. Yeah.

Adam Devereaux:

That password that you use for your business identities should only be used for business identity. Not for Spotify and not for Facebook or any other online services. It should be just that, that’s a unique password to your business identity.

Adam Devereaux:

We do recommend longer is better. If you can get to like 14 characters, a way to do that is to have a passphrase. We’re talking about that. We changed, updated my password recently.

Matt Maines:

Okay. I have to admit, I did the same thing. I probably hadn’t changed it in a long time. We implemented this out and it’s so ingrained. I mean at least-

Adam Devereaux:

You keep typing the old one in.

Matt Maines:

… once, maybe twice a week I’m still hitting that old password.

Adam Devereaux:

Yeah. I won’t tell you what it is of course, but it’s a phrase from a show that struck me. I’m like, “Oh, that would be a good password. It’s sticking.” It’s just the full words and then some special characters. It could be a lyric from a song. It could be whatever phrasing, even just a couple of words put together that you’re going to remember.

Matt Maines:

Talk to me too about-

Adam Devereaux:

It doesn’t have to be cryptic.

Matt Maines:

… a little of the physical security too, like locking your screen. If I walk away what…

Adam Devereaux:

Well you mentioned the shop floor users.

Matt Maines:

Yup.

Adam Devereaux:

This is an example of where we might have differing policies depending on what we have in our environment. For the average office user who maybe can literally lock their door maybe. If the computer doesn’t lock after a couple of minutes of me walking away from it or not using it, it’s not as big of a deal because I have more physical control.

Matt Maines:

Sure.

Adam Devereaux:

Whereas if I have computers on the shop floor or in more semi-public spaces, maybe that is more critical for me to have that lock or know that I’ve restricted what that machine can access and get to. It’s not that networks don’t matter, they do, but the focus is shifting. It’s not a be all, end all of security to have a trusted private network.

Adam Devereaux:

Part of developing a security plan is understanding, what are our risks as an organization? What is our environment like and how do we develop a customized plan? Yeah, locking your computer screens automatically after a period of time is also good best practice.

Adam Devereaux:

Again, focus on the identity, modern endpoint management, making sure that you have insights into them regardless of where they are. We really ran into the limits of a classic active directory with people working all over. When we can’t contact those computers, we can’t apply policies to them.

Matt Maines:

Right outside of the network.

Adam Devereaux:

[crosstalk 00:36:41] network yeah.

Matt Maines:

I mean this is a good example too. With all the employees starting to work from home. Those computers now can’t talk back to the network. I grabbed my desktop and brought it home and what happens to that then? That trust relationship becomes broken at that point too.

Adam Devereaux:

That can happen.

Matt Maines:

I don’t have any visibility to it maybe.

Adam Devereaux:

Maybe a big one too is like, if I locked somebody’s password on the server or I changed somebody’s password on the computer, they can still log into their computer. If I’m not VPN-ed in and actually talking to the domain controller, they can keep logging into their computer because it’s using the cached credentials.

Adam Devereaux:

Let’s say, I do want to create a policy that says everybody’s computer screen locks after 15 minutes. If I’m not using a cloud management to push those down, then it doesn’t apply to the computers that are outside of the building. Deploying computers becomes very painful.

Adam Devereaux:

There’s lots of reasons why when we look at endpoints, your hardware, making sure that we have a modern management plane in place. The other side of that then is software, how do we protect access to it and understand where our most critical and important pieces of information and processes live?

Adam Devereaux:

Then when all else fails, make sure that you have a good backup plan in place. There still are ways that you can backup cloud resources. The challenge too is that a lot of cloud providers become responsible for that themselves. Don’t be afraid to question them about those things because we have seen where they weren’t doing…

Matt Maines:

A good example would be my financial software and I need to roll back to, or how do I get… When I had QuickBooks on-prem it was really easy to me to go to the quarter end before like how do I do it in that new platform?

Adam Devereaux:

Ask those things, exactly.

Matt Maines:

These are some questions to think about when I’m onboarding to a new piece of software.

Adam Devereaux:

How do you maybe take a routine snapshot of your finances? How do you export or what does their backup in compliance look like? We still have to do due diligence with those software providers because we have seen cases. Blackbaud is a good example recently with that. I think they got hit by ransomware.

Matt Maines:

They did, the breach.

Adam Devereaux:

Their whole system was down for like a week.

Matt Maines:

That is a donation software for nonprofits.

Adam Devereaux:

Yeah, nonprofits are using that and down and nothing you can really do about that. You can’t assume that a cloud provider is always going to be up. Part of DR planning is understanding what do we do if worst case scenario happens and the internet is down? Not just at your building, but it’s just down.

Adam Devereaux:

In theory, those things can happen, but it’s not likely, but just understand how does our business run? Then what are our vulnerabilities then if people can get to that information or if people can attack our ability to do business?

Matt Maines:

I was going to say at that point too, it’s also important to communicate with your clients or customers in that regard as well. Letting them know like, “Hey, I’m in this issue.” Having those different communication methods pre-established is fantastic.

Adam Devereaux:

Yeah, exactly. It is still a confusing topic. There is still a lot that we can go into. It’s hard not to go into some of those rabbit holes. We want to make sure that you walk away with this feeling and understanding like, it is a lot and it is important for everyone to understand this. It isn’t necessarily just hopeless and overwhelming and confusing.

Adam Devereaux:

It’s understanding the core first principles of what we’re trying to protect. It’s making sure that in the event that something bad happens, that we can mitigate and reduce the risk. The total vulnerability that’s present to us and make sure we don’t literally crash and burn as an organization.

Adam Devereaux:

It’s really focused around the fact that, there are criminals out there who are trying to cause harm to your organization and it’s a classic crime with a new face. Those things are scary, but you can’t understand what the risk is here. Again, it’s often extortion. They’re trying to steal stuff from you. They’re trying to inject into your financial process. While ransomware and other types of what we call technical breaches are still a big risk, the user credential compromise is really the one that we see the most.

Adam Devereaux:

Hopefully we’ve not just scared you, but given you some hope that this is something that you can tackle and really have success with. If not, please reach out to us and we can have a more in depth conversation. Or if you want to continue this as next steps, you can reach out to your account manager or schedule a Power Hour on our website.

Matt Maines:

Tell me a little bit about all these things and maybe talk a little bit about… There are some customers on here that maybe subscribe to security essentials. What are some benefits to having partnered with Worksighted? Walk me through just a quick example of a breach, what it looks like from a Worksighted because now with you being cloud manager, walk somebody through a little example of, “Hey, my email got compromised.” Bring us up from a high level view of a little bit of a process.

Adam Devereaux:

It sounds like a good, another webinar to do, right?

Matt Maines:

It does, right?

Adam Devereaux:

Yeah.

Matt Maines:

Leading up right to one.

Adam Devereaux:

Yeah, exactly. The biggest thing is that we find multi-factor over and over and over again, because that’s what continually happens. We may have had some questions about that, so I’ll make sure we have time to get to those. The reality is that…

Matt Maines:

Like cyber liability insurance, we polled just the team here and we found that over half of you have separate liability insurance. What does that mean with that-

Adam Devereaux:

Yeah, that’s interesting.

Matt Maines:

… [crosstalk 00:42:23] of it?

Adam Devereaux:

Separate liability insurance in theory, again, that’s a whole webinar content right there. We do recommend that you get it and it’s often a good experience to go through. To understand what are the things that they’re looking at, but it’s an ever evolving [crosstalk 00:42:39] as well.

Matt Maines:

It is, it’s a checklist of things, but I always try to explain it to people. It’s like when I get auto insurance, I put on the car alarm. Maybe it makes my premiums a little bit lower. Maybe I get more coverage and then it leads to the question of, what kind of coverage should I get?

Matt Maines:

I always say too, you get peers within the industry knowing some, just like anything else. Just that networking is kind of key if like, what are you guys subscribing to? How do I know what to do? Maybe I’m in a bigger risk because I have a standard I have to follow, there’s fines involved with that. I might need more coverage in that.

Adam Devereaux:

Yeah, you might be able to work with your general insurance provider and get them to add cybersecurity coverage to that. It is interesting that a lot of this is just general extortion and theft. Just as soon as it happens through email or something like that, a lot of your general liability stuff just goes out the window, which is kind of crazy. There are specialized cyber security companies out there as well. I think we’re running out of time here, huh?

Kylian:

Yeah. We’re about ready to jump into the Q&A section. I do have one question here from Chad. “If I wanted to use Azure AD SSO for O365, do you still need an on-premise exchange server to get exchange attributes?”

Adam Devereaux:

That’s fairly technical in terms of your specialized attributes. You don’t necessarily need those for a single sign-on, because you’re going to be typically synchronizing some sort of, or attaching two different properties within whatever the SSO remote app is. Typically, there’s going to be an email address. There are properties within Azure AD that you often link that to, the UPN being the primary one.

Adam Devereaux:

I’d have to know more specifically about why you would need exchange attributes in particular. You do not need exchange on-prem in order to get exchange attributes within the Azure AD account. Enough said on that side, but we’d love to talk to you more about that and understand like what apps you’re trying to integrate. We can definitely help you with that.

Matt Maines:

This is great. This is a great next question here. Go ahead Kylian.

Kylian:

From Joe, “We believe we have MFA available to us through our Office or through our M365 licenses. What are some of the gotchas or items to look out for in a rollout?”

Matt Maines:

Talk to me a little bit about basic. I would say the new default.

Adam Devereaux:

Security defaults, yeah.

Matt Maines:

If I go create a new Office 365 tenant, what is security default? What does that mean? Now in Joe’s case I know that he is a mature 365, he’s not brand new. Maybe talk about those defaults and then talk about maybe the premium of that and what the differences are.

Adam Devereaux:

Yeah, so with Microsoft there are two ways now that you can get MFA in place, two main ways. One is security defaults and the other one what’s called conditional access.

Adam Devereaux:

Security defaults is just a big, easy button. It’s just a toggle. Literally you just go into your Azure AD properties and toggle security defaults on. As soon as you do that, Basic authentication is disabled. Users have 14 days to enroll. Admin accounts always are prompted for MFA. There’s a slew of different things.

Adam Devereaux:

You’re basically handing the controls for MFA over to Microsoft. They’re saying, “Hey, we’re a big cloud provider. We’ve been doing MFA for decades. We understand the threats that are out there. Here’s just a real Basic package that you can put in place.”

Matt Maines:

Basic package so can I do-

Adam Devereaux:

[crosstalk 00:46:04].

Matt Maines:

… exclude people? I can’t exclude people, but I can use my phone.

Adam Devereaux:

Yeah, so typically with Microsoft MFA with Basic you have to use the authenticator app on your phone. Your users have to enroll. They have to have an app on their phone. They have to scan the QR code, and now they get pushed notification saying, “Do you want to allow this access?”

Adam Devereaux:

Conditional access quickly is just way more powerful, allows you to have way more granularity. It’s like the firewall for user identities, but there is licensing requirements for it. To answer your core question is what are some of the pitfalls, this is something that we’ve been getting really practiced at. For every organization there’s still-

Matt Maines:

It’s different.

Adam Devereaux:

… a journey that you have to go through. Basic authentication doesn’t sound like a big deal, but we…

Matt Maines:

What about my copy machine?

Adam Devereaux:

Yeah, there’s tons of things out there that use Basic auth.

Matt Maines:

That [crosstalk 00:46:54] okay, yeah.

Adam Devereaux:

Exactly and we typically have to go through a process where we identify those with your organization. Help you to come up with a plan to mitigate those and then work with your users to enroll them. Make sure that they’ve got successful enrollment and then have it enforced.

Adam Devereaux:

We have a team that is focused on that. The biggest thing I would say as a pitfall is Basic authentication and then making sure that your users are actually reading the emails that get sent out, telling them to enroll and not just skipping that process.

Matt Maines:

One thing I will say, Microsoft has, I feel like has put some pretty good effort towards the small business. I mean, with the change, the introduction of their, what I call their $20 license, which includes your Office so your Microsoft Business Premium contains that conditional access. You start to see…

Adam Devereaux:

ATP, Advanced Threat Protection, yeah.

Matt Maines:

You start to see Microsoft really addressing this user identity that they created the frontline worker plans as well. They really want to protect that identity and make it pretty affordable I would say.

Matt Maines:

I think an interesting SKU too is a little bit about email, internal email and this is where we talk about the team superhero. That communication, why does it have to be done through email? You hear it all over, these threats coming in via email. Why not take that out?

Adam Devereaux:

The new frontline SKUs, right?

Matt Maines:

Yeah, absolutely.

Adam Devereaux:

That’s definitely a good conversation for healthcare organizations, manufacturing. There are new what they call the F1, F3 SKUs that give you more customized bundles for those types of employees. I would say that in thinking about Office 365, you can get just email or just the bare bones for that $5 competitive price that’s out there. Even in other platforms, you have to spend more to really be at where you need to be.

Adam Devereaux:

I would say if you’re looking at the big entry-level or as I’m moving away from having servers on-prem, that Microsoft 365 Business Premium is like your sweet spot for smaller organizations under 300.

Matt Maines:

Going to this, I want to address Joe back to it, the of gotchas. Gotcha is honestly you don’t have it turned on. Baseline security defaults is, if you don’t have them on you’ve got to get them on yesterday. Just that’s probably one of the biggest protection points I would say, is that multi-factor authentication.

Matt Maines:

The Basic defaults also turn off just that Basic authentication across the line, because what happens is, you can turn on conditional access and still leave behind some servers accounts that aren’t really protected. When we got talking into of securing just the C-suite people in the organization, the baseline is what it says.

Adam Devereaux:

That’s what I like about security defaults. It just turns it on for everybody.

Matt Maines:

It turns it on for everybody.

Adam Devereaux:

You get those exceptions that still make you vulnerable.

Matt Maines:

You’re going to have to address those things as they come up.

Adam Devereaux:

Yeah, I would say that…

Matt Maines:

That’s why when you start new, that’s why the new default just defaults.

Adam Devereaux:

Defaults to only modern authentication. Yeah, we can definitely get a lot further into that topic, but I think that’s enough said on that topic. Good question though.

Kylian:

Yeah, these are great questions. This one’s from Bill. “Can you describe the security features of MS Defender including endpoint management?”

Adam Devereaux:

Yeah, so there is really an ecosystem of security products on Microsoft side that include the ability to extend policies that apply to cloud information. Like data loss prevention, information rights management down to your endpoints. What Bill’s talking about here, Microsoft Defender is really like two levels there. Everybody that has Windows 10 has Windows Defender-

Matt Maines:

Built in.

Adam Devereaux:

… Microsoft Defender built in, but that’s the base level-

Matt Maines:

Baseline.

Adam Devereaux:

… versus what they call Microsoft Defender Advanced Threat Protection, which gives you a lot more capabilities. As you move up that stack, and the reason why there’s different licenses is it allows different organizations who have other tools in place to only buy what they need. It doesn’t mean that, that $5 license is your be all, end all if you don’t have other systems giving you those things.

Adam Devereaux:

As you move forward and look at these other security options that are out there, one thing that I would say about Microsoft is, with Microsoft Defender ATP, their cloud access security broker, with information rights management, with insider threat protection, all of these multi-layered systems-

Matt Maines:

[crosstalk 00:51:07] they lost the election.

Adam Devereaux:

… exactly, they can connect together in a more cohesive way than what we see with a lot of other-

Matt Maines:

Third party.

Adam Devereaux:

… third party products that are out there. That allows you to do things like block certain functions that users can do. It allows you to have tons of insights into what’s happening. This is part of that larger shift when we move to zero trust and when we move to even getting away from the concept that we’re not going to get breached. Keep them out at all costs, keep systems running at all costs.

Adam Devereaux:

We’re moving towards more resiliency and getting information as to what’s happened on the endpoints when there is a breach. What’s happened in the user accounts when there is a breach is more important in that world, where we can see what exactly-

Matt Maines:

What was being done.

Adam Devereaux:

… was done, what was accessed. That’s what these higher end security tools that Microsoft has allows you to do. Let me just make sure I fully answered that. Yeah, so endpoint management, I knew there was another part of this. Even at that Microsoft 365 Business Premium level, this is where Endpoint Manager comes into place. This is a merger basically of SCCM plus Intune into one cloud platform.

Adam Devereaux:

It’s basically the GPOs in the cloud, endpoint deployment in the cloud, app deployment in the cloud, security policies like enabling BitLocker encryption, remote access, that’s all what Endpoint Manager is about. It goes further with Autopilot because when organizations made this shift, a lot of times the whole way that they were deploying PCs became difficult.

Matt Maines:

Right, absolutely.

Adam Devereaux:

If you were at home as an IT person and you have to get 12 or 20 PCs, laptops to set up for people shipped to your house and then ship them out, it’s logistically difficult.

Matt Maines:

It takes a long time.

Adam Devereaux:

Autopilot, when we get to the point where we can use this is something where I can have a laptop drop shipped from Dell or HP or Lenovo right to a user. When they unbox it and sign in as themselves, all those policies and apps get pushed down from the cloud regardless of where they are.

Adam Devereaux:

It’s really the future of endpoint management, but what’s interesting is there’s a lot of announcements just in the last couple of days because Microsoft Ignite is going on right now.

Matt Maines:

Ignite is going on.

Adam Devereaux:

Yeah, so if you haven’t heard of that, I’d recommend you check it out. It’s normally an in-person conference, this is Microsoft’s more technical conference. Normally it’s in like Orlando or New Orleans. Unfortunately we just have to sit in front of our computers and watch it now. There’s a lot of announcements, a lot of great new content that Microsoft comes out with, with those.

Matt Maines:

Awesome. Anything else Kylian here?

Kylian:

I think that wraps up our Q&A section.

Matt Maines:

Okay, good.

Adam Devereaux:

Yeah, so again, we want to talk about a couple things that you can do. Hopefully this gives you some confidence about the ability that you can understand the cybersecurity risks that are out there. You don’t have to understand all of the technical details because there are experts out there you can partner with, but you have to have a business minded mentality going into it.

Adam Devereaux:

You have to bring that to the security experts as well. They’re not going to just know what to do to protect your organization at the right level. There are a lot of people that will just apply a generic thing without developing a security plan. That’s something we’ve had to learn to evolve towards as well.

Adam Devereaux:

You can talk to your account manager. If you want to follow up with us, we have a Power Hour link on the website. We will have more webinars coming up soon about this as well.

Matt Maines:

Awesome.

Adam Devereaux:

Anything you wanted to close out with?

Matt Maines:

I appreciate your time, Adam. I mean a lot of insight into this and just really protecting your employees identities and understanding the applications that they’re getting into. I think this framework that you provided here is a good place to just ask some questions, to get started with things.

Matt Maines:

Like you said, even in this poll here, just to hear that half the people attending here even have cyber liability insurance-

Adam Devereaux:

Yeah, that’s good.

Matt Maines:

… which I think it’s fantastic.

Adam Devereaux:

Good information. Now with the CIS controls checklist that you can access in the handout section, I will say, we don’t recommend every control that’s in there for every organization. Some of them are certainly more in depth than what may make sense, but it’s a good starting point to understand what are some of the critical things?

Adam Devereaux:

Knowing what software you have, making sure it’s updated, making sure you have access controls in place. All of this is just a good reviewer as a starting point, but there’s so much more that could be said from there, but we’re well out of time now. Thanks for sticking around and listening to us.

Matt Maines:

Yeah. Thanks again. Appreciate it.

Adam Devereaux:

Yeah, we’ll see you next month. Thanks everyone.

Matt Maines:

Thank you.