RCR 007: Cyber Risk Management Basics - CISSP Study and Training!

Description:  

Shon Gerber from ShonGerber.com reveals to you the steps each week the information you need to best protect your business and reduce your company’s cyber risk. Shon provides cybersecurity for business training and how you can begin to address the cyber risk for your daily business.

In this episode (Part 4), Shon will address, Cyber Risk Management. He will cover the fundamentals and what you need to consider when evaluating the cyber risk for your business.

Transcript:

Welcome to the reduce cyber risk podcast where we give you the tools you need to meet your regulatory requirements while helping keep the evil hacker hoarded Bay hi my name is Sean Gerber and I'm your host for this action packed and forwarded podcast join me each week is I provide the information you need to best protect your business and reduce your company cyber risk okay this episode where to talk about cyber risk management and you hear about this term quite a bit on the internet wherever might be when you're dealing cyber risk and where it talk about how do you manage and mitigate your risk previous episodes in previous pieces of this that it doesn't matter how much money you spend your not going to be able to mitigate here is completely just no way around it so we're talking about a cyber risk how do you make a gain or what cuz you should you consider while doing it so we'll get what is cyber risk it's a function of threat vulnerabilities likelihood of event and impact a little bit so what's your threat how are you only heard that the events going to occur and then doesn't care what's going to happen right what's going to eat your whole site example of China hacking the Russians are hacking what is a nation-state to deal with a nation-state and your vulnerabilities are basically a hack system do you have a front-facing webserver do you have do you have lots of employees that accept emails basically they are your buttons multiple vulnerabilities until they can get in ability that has never been demonstrated ever after being in a place where I'm user of days before there's usually a really bad idea the reason is because you don't know what's going to happen when you use it you make it you can make the assumption that the moment you do use it you're probably going to get caught and if you get caught then it's going to potentially unravel and many many other way that you have into a network so 0 days are not a good idea as much as the the movies theaters will and the movies Hollywood will say is that yeah everybody not so much any of that goes on in the NSA is way smarter than me the other countries of got there people that are way by far than me but I will tell you that your days are just a bit wild wild west and things can go very badly very quickly with those so that's in Wichita Kansas where I'm from and they do manufacturing and what is the likelihood that the Chinese grammar is going to hack into my system now if I'm the only one in the world that doesn't this way in the Chinese China people in China that want my technology likelihood is probably pretty high however if I'm just a manufacturing of just basically hey not the Gucci stop it just Parts in general as a really really good at the Chinese government is going to spend a second or two on me. So you gotta understand what is ransomware so what is the threat cybercriminals or Knuckleheads are trying to steal your stuff for basic make money off of you so the vulnerabilities or email I'm past systems admin privileges and so forth admin that's about you then what happens is you get an email you click on a link and now you get this ransomware that's connected to your network did that can happen to anybody happens a lot of people that likelihood is quite significant now you just got to weigh it out what is the rest of you and your company you got a company ask a lot of people are click happy and they click on all kinds of emails ransomware probably be a bigger deal if you got all kinds of intellectual property and you're worried about a government but there's Chinese Russians French Israelis whoever your stuff then that's probably it is knowing the risk and knowing how to mitigate it so mine says what you need to have when dealing with cyber risk their mindset you need to do this deal and you don't even realize it but you evaluate risk on a daily basis on a minute basis especially if you're driving and traffic you're evaluating the risk do I turn do I not was I guess you need to see me is that girl going too fast with her makeup is that guy driving your car you have to assess the threat the vulnerability the likelihood any impact impact is you become a spot on a asphalt not a good impact right that would be bad for you and your family but you have to ask yourself as you're driving is that a problem if not and you want to go hundred miles an hour and you just give driving a tank well then you know what what happened to somebody else pretty high my daily basis and its proper wrist mindset will provide you the best cyber security coverage for your business because a lot of my friends in the vendor are vendors and vindictive a great wonderful tools out there to help businesses super good tools however the challenge comes into is that they will be happy to sell you a tool you may not necessarily need there are also plenty of tools that I've seen get it put in too many M Enterprises that the tool can survive can do many things for them but it's not configured correctly so I guess Jean vendors and what they're trying to sell you cuz there's some really good stuff out there however understand what your risk you might be trying to protect your house with a I like the tank thanks pretty cool with a tank right missile systems in all those things to protect my house right but in reality all you really need is a double and then you're good right you don't need all that stuff so are you willing to accept contingency planning okay so you need to utilize all the resources available when you're figuring through cyber risk okay there is the nist SP 500 - 53 which is different controls that you can Implement is also the nest S P 500 - 37 which is risk management which will walk you through how to manage your wrist properly all these things are available to provide these to help businesses what side of that is is you've got to be a cybersecurity or an IT person with big Cranium to really understand what they're saying because when I read it I get it but I'll be honest I still struggle with it and they talk on these big $10 words and their big Academia people which nothing against them they're super smart and they provide a great service but prove you're a business owner try to understand that you're probably scratching your head those are but those that cover has EastEnders available to you the Federal assessment tools out there for you to be able to a lot of the big business and we're doing compliance aspect need a cyber security risk assessment of some kind this is a good assessment tool on helping you and I know it's worth Financial places ffiec you also need to utilize is it they have around what is the risk to their business you may think you're a cybersecurity person listening this you may think will I know what the risk is high when I talk to Business Leaders brisket I think it's high in so high they have a better perspective you need to ask them or what they would do and what is the most critical to their business knowledge experts that are in the industry so if you are working in manufacturing you didn't understand people are in the manufacturing space reaching out to people on LinkedIn and Twitter on some other backgrounds Steve Gibson security Now super smart guy super guy he's a great great resource is also plenty of people that are within the LinkedIn environment that can provide you some guidance as well so I highly recommend reaching out to those as one it's true reproducible recipe can give you that information so if you look at the elements of risk we talked about will break this down a little bit what's a threat it's something that might adversely affect the information system within your business could be environmental could be business resources could be hostile individuals Billy Bob that you just fired ain't too happy about it cuz I'm using that word ain't you ain't too happy about it he comes home he went home to get something to come back Kansas where the IT guy and I think I got to watch out for access the IT guy isn't real happy and what he does he hacks into your systems remotely and shut everything down and nukes at all not a good option you need to think about all the different issues that you may vulnerability so we could harm or use the hardware business most breaches stem from some common vulnerabilities and I'd like to come back to do the basics if you can do the basics you will set yourself apart and you will dramatically reduce your risk I mean account reducing counts as you don't need anymore making sure you have long password make sure you have a password Vault the store password for people to use that password Vault don't let people have you training around clicking on links there's all kinds of little things that can be done to really do the blocking and tackling to really reduce your and again one of the things is example on his passwords that don't change there's plenty of people that don't ever change their passwords and they share it with everybody and they've never changed it some bad can happen that way is likelihood it's a chance that threat will happen to you it helps directions to put in place if it's highly likely you're going to get hacked on a routine basis that will definitely sway your Perfect protection mechanisms versus going yeah I'm a consignment place and I have hog poop and nobody really cares about my manure so I'm not really too worried that I might get hacked show me people want to hack hog confinements that shovel hog poo if you're the guy that makes the hog confinement that will put in 3000 Hogs within a space for 1000 hugs and everybody makes lots of money that's different but the guy who has them conveyor belt that shovel the Poo out of the bottom of the hog confinement probably not okay so the other element is the impact it's highly dependent on the information affected in the business credit cards and watch a problem so far they all have different impact right they consider at what threats will affect your business different you have a web presence if you got one is it something that's really important to you do eCommerce with it do not do because it's just brochure where is it managed by you or somebody else again we talked about the ransomware and 60% of businesses go out of business because of that what is your legal the other thing we talked about credit card you get half of the credit card and I think I mentioned in the previous episode and training was that you now the credit card companies will come in and they'll so you know what you can't use our credit card cuz you've been hacked or you didn't do what you're supposed to do because of the PCI requirements so that's just something else to consider cyber risk what is it the mindset and how you need to have different contingency planning as you are going down this path of securing your business and then the lastly the elements of risk that you deal with as you start considering the different rescue business alright