Build with BBB

Protecting Your Small Business from Cyber Threats with Craig Cummings

June 27, 2024 BBB Serving Central Oklahoma Season 3

Unlock the secrets to safeguarding your small business from ever-evolving cybersecurity threats in our latest Build with BBB podcast episode. We sit down with Craig Cummings from OK Computer, a cybersecurity veteran with over 20 years of experience, to uncover the hidden vulnerabilities in your routers and email accounts. Craig shares his expert tips on identifying phishing attempts, using advanced email filters, and the importance of tools like Microsoft 365 add-ons to create a robust defense against hackers. Understand the critical differences between breaches and ransomware, and learn how stringent laws like Oklahoma's Security Breach Notification Act mandate timely responses to data compromises.

We also dive deep into practical, budget-friendly cybersecurity solutions tailored specifically for small businesses. Craig breaks down PCI Data Security Standard compliance, the significance of endpoint detection, and the necessity of password managers. We debunk the myths that small businesses are not prime targets, emphasizing the reality of indiscriminate cyberattacks and the severe risks of data breaches and identity theft. Elevate your employee training with simulated phishing attacks and ongoing awareness programs to create a human firewall against online threats. Tune in for an episode packed with invaluable insights to help you fortify your business's cybersecurity posture.

LINKS: 

Craig Cummings
https://www.linkedin.com/in/craig-cummings-okcomputer/
https://www.okcomputer.llc/
Phone: (405) 252-9691

PCI: https://www.pcisecuritystandards.org/

Patch Tuesday: https://msrc.microsoft.com/update-guide

Microsoft Defender: https://www.microsoft.com/en-us/security/business/microsoft-defender-for-business-and-individuals-free-trial?ef_id=_k_CjwKCAjwm_SzBhAsEiwAXE2Cv84zfd0diQkqVf64UgXX8M-4VSFl4d_U2YmJaZ9hCLv0CgTjio0AzhoC5QQQAvD_BwE_k_&OCID=AIDcmmifpc6xqc_SEM__k_CjwKCAjwm_SzBhAsEiwAXE2Cv84zfd0diQkqVf64UgXX8M-4VSFl4d_U2YmJaZ9hCLv0CgTjio0AzhoC5QQQAvD_BwE_k_&gad_source=1&gclid=CjwKCAjwm_SzBhAsEiwAXE2Cv84zfd0diQkqVf64UgXX8M-4VSFl4d_U2YmJaZ9hCLv0CgTjio0AzhoC5QQQAvD_BwE

Follow BBB Serving Central Oklahoma on Facebook, Instagram and LinkedIn @BBBCentralOK

Speaker 1:

So it's not always about your data, even if you don't think you have something that's of value. They see value in your box, they see value in your router. They see value in your network.

Speaker 2:

They see value in your email accounts. Welcome back to the Build with BBB podcast. I'm your host, Casey Farmer, here with Craig Cummings of OK Computer. Craig is an IT professional, a long-time accredited business and very active in our community. We're so excited to talk about some cybersecurity information, ransomware threats and some information about collecting payments, which is entirely new information to me, and so I think I'm going to learn right along with our audience today. Craig, welcome to the podcast.

Speaker 1:

Yeah, thank you for having me.

Speaker 2:

Learn a little bit about your business, what you do, how you started it.

Speaker 1:

Yeah, so I'm a managed IT service provider, so I provide managed IT services to small businesses and of course, that includes a lot of cybersecurity services as well. I think you would be negligent if you're an IT professional that didn't focus on cybersecurity these days. So I've been in business for about 10 years now, and I've been in IT for 20-something years now.

Speaker 2:

So, for a small business owner, what are some of the most common threats that they might face today?

Speaker 1:

So, according to the FBI, phishing is still the number one attack vector, so they're basically being tricked into divulging their credentials. They're tricked into clicking on a link or tricked into opening some kind of malicious attachment, but by far the most common attack vector is still email. Some of them are really easy to spot because they have poor English or poor grammar, and we've all seen these emails from the Nigerian prince needing help transferring money. So those are pretty easy to spot. But a lot of them will come in and they look like they're from Microsoft and they're telling you that you need to click here to reset your password before you get locked out, and some of them can actually be pretty convincing. I've almost fallen for a couple of them and I'm constantly reading about this stuff, so some of them can be very convincing. I think you can teach your team to look for the telltale signs. Again, there's poor grammar, misspellings.

Speaker 1:

Sometimes the logo will look weird because they've just literally copied and pasted a logo off a legitimate website and so it looks kind of blurry. It doesn't look like a high resolution. You can look in the headers of the email to see. You know, it might say it's from Microsoft support, but then if you look at the from email address, it'll be some random name at Gmail. Well, Microsoft doesn't use Gmail accounts, you know. So there's a lot of things that are real obvious. And then you know, if they're not sure, go ask somebody you know. Or you know you can go look up the number for that company and call them directly, instead of calling the number that's in the email that you're suspicious of. So a lot of it just comes down to awareness.

Speaker 2:

And sharing that with your team and being transparent about hey, it's going to happen, whether we want it to or not.

Speaker 1:

Yeah, yeah. Unfortunately we can't stop it yet. I mean, we can mitigate some of it. But even with really advanced email filters in place, phishing emails still get through because they're constantly evolving their techniques as well. So there's a lot of third-party products out there. Proofpoint is one. Microsoft 365 has a Defender for Office add-on product that incorporates what they call safe links and safe attachments into your email. So all the links are rewritten to go through Microsoft sandbox servers where they analyze everything before it actually loads on your web page, and a similar kind of thing that they do with attachments. They essentially will open your attachment in a sandbox on the server before it's actually delivered to you to see if it's going to do anything malicious. If it's safe, then they forward it on to you. So that's a $2 a month per user add-on for Microsoft. So if you've already got Microsoft 365, I think that's a no-brainer.

Speaker 1:

So a breach is typically when somebody has gained unauthorized access to some kind of sensitive information. So they've gained access to credit card information or personally identifiable information of some sort, and now they have that information they can do whatever they want with it, whereas with ransomware they are going to encrypt your files in place. So you'll come in and try to access a file in your documents folder and you'll find everything is encrypted. And typically, after they encrypt your files, they'll pop up a message saying we've encrypted your files. If you want them back, you have to pay this ransom. A breach is not necessarily going to lead to a ransomware attack and vice versa.

Speaker 2:

What can a small business owner do to recover that information once you've had a data breach?

Speaker 1:

Yeah. So if you've had a data breach, unfortunately there may be nothing you can do to recover that information, because the criminals already have this information in their hand, and even if they might say, well, we'll give it back if you pay us, can you trust them? They're criminals. They can always retain a copy. It's digital data, right?

Speaker 1:

Unfortunately, in the event of a breach, there is really nothing you can do to get that information back. A lot of industries will have notification requirements. Oklahoma actually has a Security Breach Notification Act. If you suspect a breach, you are required by law to notify those people that there has been a breach of their information. I'm not a lawyer, I don't know how often that is enforced, but that law exists. And if you process credit cards, then you are subject to the PCI Data Security Standard, and that stipulates that you should be notifying your payment processor at the very least, and if you suspect that credit card information has been leaked, you should be notifying those customers as well. And then if you're in, like, the financial industry or government, obviously they're going to have different reporting requirements as well.

Speaker 1:

So unfortunately, when it comes to a breach, about all you can do is notify people and then, of course, try to contain it as well, if you can figure it out. I mean, you want to make sure you get them off your network or off your system as well, but unfortunately there's just nothing you can do to get that data back once they have it. You can't put that genie back in the bottle, unfortunately. So the best thing you can do when it comes to ransomware is have good offline backups, backups that are not accessible from your main system under normal circumstances, because they have caught on. They know that backups are a way to recover from a ransomware attack without paying the ransom, and so a lot of times now they will sit on your system until they can figure out how to gain access to your backups as well, so they can encrypt your backup. So you really need to have a good offline backup to recover from ransomware.

Speaker 1:

And there's a new thing and I'm glad you brought this up, because ransomware has been around for at least 13 years now, I believe.

Speaker 1:

So I hope everybody's heard of it. But there's a new little twist on ransomware, now called extortionware, because the criminals have caught on to the fact that everybody is backing up so they can recover from ransomware, and so what they'll do now is, if you refuse to pay the ransom, you're like I'm just going to restore from backup, I don't need your help, and they'll say, okay, well, we're just going to go ahead and publish this information on the internet. And so, depending on you know your customer base and the type of information they have, that can be devastating, obviously. You can imagine if you're like a divorce attorney or something like that, and they decided to publish all this information on the internet. Or if you're a CPA and you wake up one morning and all your customers' tax returns have been published on the internet and maybe they've all received an email to notify them about it, you know. So that's a new little twist on ransomware that is in response to people getting better about backing up. So they have changed their tactic.

Speaker 2:

Terrifying.

Speaker 1:

Yeah.

Speaker 2:

So if you're listening today, make sure to back up.

Speaker 1:

Yeah, you definitely want to have backups, but then when it comes to extortionware, you know, the backup is not going to help you in that situation. They've got that data. That is a breach, really. I mean, they've got that information and there's nothing you can do about it, unfortunately.

Speaker 2:

So if a client comes to you, what do you do in that situation? Truly just curious. Yeah.

Speaker 1:

So I mean, if they come to me with a breach, I'm going to say you know, I'm really sorry that happened to you. You know we can. You know, obviously we can take a look at their systems and try to, you know, remove any infections that we find, but there is nothing we can do about that data that's already been stolen, unfortunately.

Speaker 2:

Gotcha. So we talked earlier, you teased it a little bit, about PCI, which, for our listeners today, I had absolutely no idea about. In our initial phone call when we were talking about what we wanted to chat about today, you're like, let's talk about PCI. Do you know what that is? I'm like, no, tell me more.

Speaker 1:

Yeah, so if you process credit card transactions, then you are contractually obligated to be compliant with the PCI Data Security Standard. It is not a law. Unfortunately, I think it should be a law, but it is a contractual agreement that you enter into with your payment processor, and so essentially, there is a data security standard that you are expected to be compliant with, and this helps them prevent credit card theft, and so much of it comes down to this: they can design a secure application, but then if you go install it in your environment in an insecure way and just leave default passwords in place, for instance, it doesn't matter how well they built that application, because you've implemented it poorly and now you've opened up vulnerabilities that will allow attackers to get that information. And so that's why they have this data security standard in place, to give guidance to small businesses, so they know how to properly implement their payment solution, so that they don't get hacked and so that information doesn't get stolen.

Speaker 1:

And you did say, if you're collecting any kind of payment, whether it's online or in person, you need to. If you're processing even one credit card a year, you need to be compliant with the PCI Data Security Standard, and they go to great lengths to spell that out and reiterate that on their website. So there is a PCI Security Standards Council that develops this standard in conjunction with the payment card brands and, yes, they go to great lengths to stress that all merchants, no matter how many credit cards you process, are expected to be compliant with the PCI Data Security Standard.

Speaker 2:

Okay, so down below in the description we'll have a link to that website so that our listeners can learn more. Now, if somebody listening today wants to learn more from you, what does that look like? How do you help in that situation?

Speaker 1:

With the PCI compliance. Yeah, so I mean they would just reach out to me and we'll sit down and have a conversation. We'll take a look at their environment and see what kind of solution they have. Depending on the payment solution, there is a different set of standards. So if you're using something like a Square device, that is what they call a point-to-point hardware-encrypted solution, and that is low risk compared to other types of solutions.

Speaker 1:

You have a much shorter set of questions and standards that you have to be compliant with, whereas if you have some kind of payment solution that's sitting on a Windows machine that's connected to the internet, you are at a much greater risk and therefore you have a much longer assessment that you have to go through to be compliant. So there's a lot of what they call scoping that happens in the beginning, where you are figuring out where the boundaries of the cardholder data environment are and figuring out exactly how they're processing credit cards, so you can figure out which self-assessment questionnaire they need to be compliant with. It all gets pretty involved.

Speaker 2:

Changing gears a little bit to talk more about the cybersecurity realm, which is vast, and there's lots and lots of information that small businesses need to know about how to be cyber aware and cyber safe. When a client reaches out to you to say, hey, I need you to handle my cybersecurity, what does that look like?

Speaker 1:

So I have several different services that I can offer that help with cybersecurity. So one of the services I have is what we call endpoint detection and response, and this is kind of like an antivirus that's all grown up now and has a lot more capabilities than your traditional antivirus. But the other thing is that it is monitored 24-7 by a security operations center. So even if I'm asleep at three o'clock in the morning and there is some kind of hacking attempt or a virus that lands on one of your computers, these guys can be notified of that and isolate that machine on the network so that it doesn't spread laterally throughout your network. So that's one of the services I can offer when it comes to endpoint security.

Speaker 1:

And then when it comes to network security, I will install a security appliance from Cisco Meraki that has a lot of advanced network security features. For instance, there is an antivirus engine built into the network appliance that will analyze packets of data as they're coming across the network, so they can detect a virus at the network before it ever lands on your desktop and stop it there. Another cool thing they can do is they have something called retrospective malware analysis, so if they see something today that they're not sure about, but then, two or three days later, they get some new intel that lets them know that, oh yeah, that was malicious, they will let you know: hey, two days ago this file was downloaded on this machine and we now believe that it may be malicious. Which is really cool, that they can do that retrospectively.

Speaker 1:

So there's a lot of different solutions we can put in place that help with cybersecurity and, honestly, for a lot of small businesses it might be something as simple as a password manager too. I still see a lot of small businesses storing passwords in spreadsheets or storing their passwords in their browser, and if they click on one wrong link, all those passwords are going to be captured. You know, that's why we have password managers now, and password managers are really cheap. You know, you can get a decent password manager for like $3 a month, you know.

Speaker 2:

Yeah. So with all of these solutions, a small business might be wondering, you know, I have a lot of budget constraints when it comes to my cybersecurity needs. How does that come into play?

Speaker 1:

Yeah, and I certainly get that. You know, I'm a small business owner myself and so I realize that there's only so much money to go around. But we know, when it comes to cybersecurity, there's really a lot of things that people can do for free. You know, password managers are free or very cheap. You know, like I said, password managers a lot of times do have a free tier, but even the paid tier may only be $3 or $4 a month per user. That's really cheap. You know, the email protection that I mentioned that you get with Microsoft Defender for Office, the safe links and safe attachments, that's $2 per user per month. That's really cheap.

Speaker 1:

You know, there's a lot of things you can do for free. So, like a lot of people, when they go buy a computer, they go to the Best Buy and they buy a computer and they take it home and they sit down and they log in and they're logging in with a full administrative account, and they don't even realize that there is such a thing as a standard user account that doesn't have admin rights. And Microsoft has been telling people for over a decade now, don't use an administrative account for your daily use account. But most small business owners are still doing that because they don't know any better, and Microsoft has previously stated that just using a standard user account instead of an admin account would stop something like 80% of targeted malware attacks. And that is free. All you got to do is implement it. There's a lot of other free things that you can do. Obviously, there's a lot of awareness training out there that's free. The FTC makes a lot of information available. The SBA has a lot of good information that's free. So, yeah, there's a lot of things that can be done that are really effective that don't really cost that much.

Speaker 1:

Oh, patching as well. You know, Microsoft, I read yesterday, once a month Microsoft has Patch Tuesday, where they release most of their patches. They will release patches out of band as well, but yesterday it was Patch Tuesday and they had a record. They had 147 patches released yesterday. And a patch is what? A patch is an update for software of some sort. So Windows has patches, Office has patches, and a lot of these patches are security patches, so they are fixing a known security vulnerability. Oftentimes it's something that they've seen being exploited in the wild. So it's really important to install these updates as soon as they become available, and I still see a lot of small business owners that are not patching. Again, that's one of the most effective things you can do, because it is literally shoring up that vulnerability. It's eliminating a vulnerability when you apply that patch. And it's free. Yeah, all you got to do is install them.

Speaker 2:

So check for those updates.

Speaker 1:

Yeah, yeah.

Speaker 2:

What are the consequences for a small business if they neglect to implement some of these things?

Speaker 1:

Yeah, you know. So the consequences can range from just a nuisance to going out of business. You know, I was listening to a story on the radio the other day. They were interviewing this lady, I think she was in Nevada. She had started some kind of business where she was selling stuff online and she kind of set it all up herself in the beginning, the way most of us do. She didn't get a lot of input from any kind of cybersecurity professionals, and at some point she was doing very well and somebody started DoSing her website. So DoS stands for denial of service. So basically they're just sending an enormous amount of traffic at her website and it takes it down, it takes it offline, and while it's offline, of course she can't process any sales. Nobody can buy anything from her because her website's offline. So she calls her web host and they're like, well, there's really not much we can do about it, you just got to wait it out. Well, this went on for months and she eventually went out of business.

Speaker 2:

She had to close up shop. And when we're talking about those hits, we're not talking about just like 10 or 20. It's like thousands of hits on your website. It's like overloading it. Exactly, yeah, yeah. So, in your experience, what are the biggest misconceptions that small business owners have about cybersecurity?

Speaker 1:

I think the biggest misconception I hear is, you know, that doesn't apply to us. They might convince themselves, they might tell themselves, we're too small or we don't have anything that's that valuable, and so that just doesn't apply to us. I think that is the number one misconception.

Speaker 2:

Yeah, I would say. If you're online, it applies to you.

Speaker 1:

Yeah, if you got a computer that's connected to the Internet, it all applies to you.

Speaker 2:

Sure, and that goes for your. I mean, we're talking about small business, but that goes for your personal information.

Speaker 1:

Exactly. So you want to be very careful about who you share your personal information with, because we're kind of veering off into privacy, which is related to security but not quite the same thing. I tell people, you know, security is all about protecting the information that you have, that's in your possession, whereas privacy is really about trying to protect information that you've already given somebody else. Really, once you give it away, it's out of your hands, right? Really, when it comes to privacy, the best thing you can do is just be very careful about who you give that information to.

Speaker 1:

And unfortunately, there's a really famous security researcher, a journalist, named Brian Krebs. He's previously stated that if you're an American citizen, your social security number is on the dark web, period, because there have been so many third-party data breaches over the years. We hear about them all the time. You may get a letter occasionally saying that you've been in a data breach. It'll be some company you've never even heard of, no kidding, because it's some B2B data broker, you know, and so this stuff is happening all the time. So there's a good chance that your information is already out there on the dark web. And which brings me back around to something else that small business owners, and anybody really, can do for free, is freezing your credit. It's something people don't always think about when it comes to cybersecurity, but identity theft is one of the goals of these criminals, and obviously if you're a small business owner and somebody wrecks your credit, that can be problematic.

Speaker 2:

No kidding, there goes your buying power. Exactly. Business life and credit are affected.

Speaker 1:

So you can actually freeze your credit, so that if some identity thief goes and tries to buy a car or something like that in your name using your stolen identity, they will not be able to check your credit score. Therefore, they're not going to issue credit. So the credit freeze is really, um, it's a really effective tool and it is free. It takes about 20 minutes to set it up, sure, and it works very well. Yeah, so going back to, because I think I pulled you off down that path, yeah, but, um, employees have a big role to play when maintaining cybersecurity.

Speaker 2:

So how do you train your team? How do you share information with them? You just mentioned sharing information. You need to be selective about who you do that with, but you have to share that kind of information with your team.

Speaker 1:

Yeah, I think there's cybersecurity awareness training. Obviously there's a lot of companies out there that can help with that. I can help with that, obviously, if you're a customer of mine, but there's a lot of free stuff available out there from, like I said, the FTC, the FCC, the SBA, NIST. There's a long list of organizations that provide free cybersecurity awareness training. You know, another thing you can do is what we call simulated phishing attacks. So we basically simulate a phishing email and see who clicks on it, and then you go and counsel that person, so that you're not just beating everybody to death. Some people get it a little faster than other employees are going to get it, right, and so the simulated phishing can help you target those people that really need more education. You know, there's probably a long list of tips I could provide, but you know I would just say take cybersecurity seriously. I don't care how small you are or how insignificant you think your data is. You will be targeted eventually. And I should back up. A lot of these are not really targeted attacks per se.

Speaker 1:

They are. You know, I like to use the analogy of a car thief just walking through a parking lot and checking for doors that are unlocked. You know they're not necessarily targeting your car. They just picked your car because it was vulnerable, and that's how these hackers work too. They're not necessarily going out and targeting Joe's Plumbing or whatever your business is. They have tools that automatically scan the internet, looking for vulnerable systems and users and networks, and when they find one, they're just going to exploit it. And it's not always about your data. Even just your box, your computer, is valuable to them. You know the FBI was on TV a while back talking about a massive botnet attack where these hackers have taken over home routers and small office routers and turned them into a giant botnet that they're using to attack US infrastructure and they find a way to use it.

Speaker 1:

And they will find a way to leverage it and monetize it. Sure.

Speaker 2:

Exactly. Well, thank you so much for being here today.

Speaker 1:

Yeah.

Speaker 2:

Linked down below, we will have a plethora of resources for anybody listening today, all of the ones that you mentioned, anything we can. Also linked below, we will have Craig's contact information if you want to connect with Craig and learn more about him. You might also see him at a future BBB event.

Speaker 1:

He attends those from time to time. Yeah, maybe this evening.

Speaker 2:

Yeah, oh yeah, maybe this evening.

Speaker 1:

Well, it'll be too late before our listeners are able to hear. Yeah, that's true, that's true.

Speaker 2:

Anyway, Craig, thank you so much for being here.

Speaker 1:

Yeah, thank you for having me and for all of your tips.

Speaker 2:

They really are so, so helpful and, I think, so needed in the very cyber world that we live in today. Thank you so much for listening to the Build With BBB podcast. Make sure to share this episode with your fellow business owners and friends, and we will see you in the next one. Bye, friends, bye.

Cybersecurity Threats and Data Breaches
Small Business Cybersecurity Solutions
Cybersecurity Awareness for Small Businesses