Cybersecurity for your Business: Where to Begin
The Threat is Real
There is a lot of information and publicity out there about cybersecurity. Much of it can be complicated and downright scary for business leaders, but it doesn’t have to be.
You know that the threat is real, you know that inaction is not a solution, and you know that businesses of all shapes and sizes are being affected by this security risk; but where do you begin? What are the immediate steps you can take to build a posture that tells cybercriminals to “move on”?
Join WBM subject matter expert Ilija Stankovski as he helps build the foundational knowledge you need today to adopt a positive security posture.
The threat is real, but vigilance doesn’t need to be complicated.
Ryan Lockwood: Okay. I guess we’re live now. Thanks for joining, everyone. I’m seeing a lot of people come into the webinar now, so let’s just give them a chance to get logged in. I guess, before we get started, I’m not sure if you heard, but yesterday, there was a catastrophic cyber attack here at city hall. Yeah, the [00:26] security team are looking for the alleged hacker, but apparently, he ran somewhere. They’ve got quite a few issues there in their IT department, so they brought in a conflict resolution expert to cut back on all the cyberbullying. I’m sorry about that. Lucky for all of you, it’s time to get started.
Thanks for joining us. My name is Ryan Lockwood and I’m the Head of Marketing for WBM Technologies. Today, we’re going to have a 30-minute presentation followed by 15 minutes of questions. Feel free to click on the Q&A button on the control bar at the bottom of your screen and write in your questions at any time during the presentation. Also, we’ll be sending out an on-demand version of today’s webinar in the days ahead. I know that many of you are already working with us, but for those of you who are new to our company, WBM Technologies is a fast-growing managed services provider with operations throughout Western Canada.
We got started 70 years ago in Saskatoon and now we have operation centers located in Vancouver, Calgary, Regina, Saskatoon, and Winnipeg. We provide a broad range of IT services to government, to the private sector, and to non-profits. I hope you find this inaugural cyber security webinar helpful for your organization. This is an educational webinar aimed at giving you a bit of insight into the first steps you can take to ensure that your infrastructure, from a security standpoint, is moving in the right direction.
Today, our cyber security expert, Ilija Stankovski, is going to be presenting. Ilija has been doing this for a long time. He’s got a diverse IT background and we wanted him on our team so badly we had to purchase his company a few years back to bring him over. He now spends his days working to manage risks associated with critical IT infrastructure and our client community across Western Canada and beyond. Without further ado, here’s Ilija.
Ilija Stankovski: Perfect. Thanks, Ryan. Thanks for the kind introduction and it’s fantastic to see so many people joining in. Looking forward to this session. To get things rolling, what I figured we can do is set the groundwork here with some basic terminology and definitions that we need to get familiarized with. We’re going to spend a couple of slides talking about some terms we’ll be using throughout the presentation today. First question is, what is cyber security? We’ve used a number of terms to describe cyber security. Typically, we use the phrase information security or cyber security, but they’re one and the same.
Essentially, the cyber security field is a discipline of protecting computer systems from abuse by third parties. We’ll talk about these third parties later, but it’s important to understand that it’s all about protection of our information technology systems. A bit of legal speak ahead of the rest of the presentation. What I will say during this webinar is clearly not the silver bullet for all problems. All businesses have different challenges and there are different solutions that apply to security issues. We’re going to cover a majority of topics that will be applicable, but most definitely there’ll be details that have to be colored in depending on your business in particular.
Please keep this in mind. This is for educational purposes only and, should we need to get into additional, very specific details, we’d love to get into those at some later date. First question, why are you here? You must have heard about cyber security attacks in the news and the media and you’re worried about what that may mean for your business. You want to make sure that you remain competitive in your line of business. At the end of the day, you have a board of directors or ownership or fiscal responsibilities and you want to make sure that you remain competitive in that space.
At the end of the day, you are interested and excited to use technology as an enabler and not as a detriment to your business. If the answers to the three questions we pose here are yes, yes, and yes, which I surely hope they are, you’re at the right place. That means you care about your business and you’re worried about cyber security. Let’s begin talking about what it is that you can do to protect yourself. I will cover three basic concepts to begin with, to understand what they mean, because these are phrases you’ve heard in your dealings in the information technology and information security space.
The first one I’m going to talk about is threat. What is a threat? In the scope of our industry, in the cyber security industry, a threat and an actor are one and the same. We have coined some other terms. The marketing and the media have coined some terms that you might have heard. Terms such as bad guys or cyber criminals or hackers, but essentially, they represent a threat. I’m a little saddened that the word hacker has been overtaken with a negative connotation. It used to be a word of positivity, but unfortunately, the case with that word is no longer positive.
From another point of view, the threat or actor is essentially a group of people that may benefit or are benefitting from doing harm to your business. This could be, as an example, governments, where cyber warfare is being invested in for the purposes of disruption, either from a geopolitical perspective or from an intellectual property perspective. These threats are very difficult to protect against because there are unlimited resources, primarily of time and also of financing. Hopefully, you never get to be in the crosshairs of governments when it comes down to cyber-attacks.
As threats, we have the common criminals, who have now been armed with a new tool, being information security or cyber security. This is a very effective threat and fairly aggressive. This is what we’re going to spend most of the time protecting against. These types of threats don’t really care about the ideology or the business you’re into. They’re just looking for a quick return on their investment, so in that sense they have become quite effective.
Another example of threats is activists. These are very specific in nature, have a very specific ideological statement to make and a target they are going after. There are obviously additional threats that exist out there, but these are the top three that we commonly see, either in the media or news or in the engagements we have with our clients.
Next, let’s cover the term vulnerability. There’s typically some misunderstanding about this phrase, so we figured we’ll play along here with a game of Jeopardy. We’ll take cyber security for 500 bucks, Alex. The answer is, “Found commonly in all computer software and hardware.” The answer is, “What are mistakes made by humans?” Inherently, software is made by humans and therefore, all software and hardware will have built-in mistakes. These mistakes are important because if they’re used to disrupt the piece of software or hardware that’s built by humans, then that makes that piece of software or hardware vulnerable.
You might think, well, wait a minute. I’m a human. I make mistakes. Does that mean that I’m also a vulnerability? Absolutely. We as humans, or wetware as we’d like to call them in the industry (at least I would like to call us humans wetware), are as vulnerable as software and hardware and in some cases even more vulnerable than software and hardware. Now that we understand a threat and a vulnerability, it’s time to put all three together in combination with the term exploit. An exploit takes advantage of vulnerabilities when executed by a threat.
An exploit is essentially an action that takes advantage of the vulnerabilities we discussed earlier. Exploits can be software, hardware, or wetware. This is where we come in as humans. Now the remainder of the phrases that you typically hear associated with cyber security are related to exploits. These are words that surely you’ve heard of: Trojan, virus, spyware, malware, ransomware, zero-day attack, keylogger, so forth and so on. There are literally hundreds if not thousands of phrases that have emerged over the last couple of decades. They’re just words to describe exploits. So far, so good.
We understand the threats. We understand what a vulnerability is. We understand what an exploit is. What is it that I can do as a business owner, as a business leader, or as a leader within an organization to protect yourself from threats and exploits? It boils down to basic principles of running a business, and that’s managing risk. What we do in the cyber security industry primarily is focus on mitigating risk that is increased by the exploitation of vulnerabilities by threats or actors.
At the end of the day, if we have a piece of software or hardware that’s exploited, that introduces risk to our business. This risk is no different than anything else [10:31]. Risk of supply chain, risk of resourcing, risk of funding. We see cyber security risk as a fundamental problem of every organization that every leadership team cares about. How do we mitigate risk? We manage risk by implementing controls, security controls, via industry standards. This phrase has become a mantra for us. This is what we repeat day in and day out when we talk to customers and we deal with cyber security problems. We manage risk by implementing controls through standards.
Again, risk, controls, standards. You will see this phrase being repeated. Hopefully, it will get coined in your memory as a mantra that you can remember as you’re dealing with cyber security risk. Reducing risk by implementing controls, by using standards. What kind of controls are we talking about here? The phrase control is a fairly wide term, but the implementation of controls to reduce risk is related to cyber security threats. We’ve defined three basic controls that we’re going to focus on today: people controls, technology controls, and policy controls.
Again, these controls are implemented by using standards commonly used in the industry. All the suggestions we share today are not something we invented. We’re not going to reinvent the wheel. The controls we’re going to be suggesting today, at a top level obviously, are existing solutions in the industry. They are common best practices and industry standards. Let’s tackle the first one, people controls. We start with people controls as opposed to technology controls, where typically other cyber security professionals begin, but we decided to start with people controls because the majority of attacks that we hear about in the media are the exploitation of humans through social engineering.
In this case, the wetware failed in some way. There are plenty of examples of that. Surely, you received an email that asked you to click on, open, or view something in an email that’s a super duper deal, or you received an email from your CFO asking for you to transfer some funds, or you might have received an email from your accountant or a controller or an auditor to change some sensitive information about the way you do business, such as bank accounts for some equipment purchases. These are not arbitrary examples. This is what we see in the field. These are real examples of threats that have been sent to our clients.
In some cases, some of our clients acted on these threats and they clicked on these links and they ended up in a bad predicament. There are two recommendations when it comes down to people controls and by all means, these are not the only two, but we’re going to cover the first two, which we think are probably the most crucial. The first one is to dedicate someone to be responsible for cyber security in your organization. Hire someone who will be made responsible for cyber security and who will be responsible for executing the work coming up in the next recommendations we’re going to be showing here. If we do not hire someone, if we do not make someone responsible for cyber security, then you’re going to face a tough challenge being able to execute these controls.
This does not have to be a brand-new role. Depending on the size of the organization, you may not be able to afford to dedicate someone to cyber security. You can make it a part-time role for an existing resource, but someone at the organization has to be made responsible for cyber security. Once you have done that, now we can tackle the rest of the organization. Let’s make sure that end users’ awareness about cyber security increases. This is exceptionally critical.
This can be done through in-house training, or it can be done through online training. There is a variety of services out there that provide very effective online training for raising security awareness. It could be done through marketing initiatives such as posters and brochures. It can be done through simply having discussions in meetings, your weekly team meetings. Bring up matters of cyber security. It can be done through lunch and learns. There are many ways security awareness can be raised, but there has to be a program where you raise the end-user awareness within your user community so that the wetware is equipped to behave as a defense mechanism against cyber security threats.
Next, let’s look at some technology controls you can be implementing to reduce risk associated with cyber security. If technology is part of the problem, and in many cases it is because, as you remember, earlier we talked about vulnerabilities in software and hardware, then surely technology also has to be part of the solution. Luckily for us, there’s a very diverse and rich industry segment that provides innovative solutions that provide technology controls. Here’s a couple of examples that you can get started with. We’re going to be presenting four very simple, high-level solutions that will be quite effective in the strategy of reducing risk in your organization.
The first one is about protecting email. Email, or as we call it, a vector of attack, is a very actively pursued way of distributing cyber-attacks. Protecting it is critical. There are a number of email protection solutions. This is not just your regular spam protection. We’re talking about email protection. Advanced email protection that looks at the content of the email, scrubs malicious attachments, eliminates links that you can click on for inspection purposes, and inspects it for potential phishing opportunities. It’s a fairly advanced platform to protect. Now this could be associated with your cloud-based email or your on-premises email. It doesn’t matter where your email is hosted. You should be able to protect it.
The next topic related to technology controls is the implementation of next generation firewalls with advanced security services for your perimeter. Anywhere your internet access is connected, you need to be able to inspect that entry point and inspect every network transaction to make sure it doesn’t carry malicious payloads and that it doesn’t try to communicate out to the internet with known bad IP addresses. The concept of a next generation firewall is a fairly in-depth topic of discussion which we’re not going to get into today. Perhaps at a subsequent webinar, but it’s important to have a next generation firewall installed at your perimeter to protect your environment.
You can see a trend developing here. We talked about cloud protection. Then the perimeter protection. Now we’re going to talk about the endpoint protection. This is your laptops, your workstations, your servers, your phones, your tablets, anything that your end-users use to do their work. We need to protect those devices. In the industry, we call this endpoint protection and there’s a plethora of tools available that provide this advanced endpoint protection to make sure that, yes, the endpoint doesn’t have malicious files, it doesn’t run malicious processes, it plays nicely with the endpoint’s memory, and the browser that’s being used is not going to some bad websites.
There are a number of innovative solutions that you could use there. Chances are you already have some portion of this in your environment, so that’s a good sign. The fourth technology control may look very boring and not interesting, but it is very critical, and that’s backup, backup, backup. I couldn’t stress this more. Having the ability to revert to previous states of your unstructured data, information, files, and servers is exceptionally important. During a cyber-attack, which you will experience or you have experienced already, having backups is going to be a lifesaver to be able to go back and restore to a previous state prior to the attacks.
I cannot stress enough how important this is. Backup is nothing new. It’s been out there for a long time. I’m quite confident, although legally speaking I cannot say that I can guarantee this, but I’m very confident that implementing these four basic technology controls in your environment as a business owner will help you reduce risk significantly. You will see fewer attacks. You’re going to see less impact to your business and you’re going to essentially become more productive.
The last security control we’re going to cover is policy controls. What is a policy control? This is where some people lose steam because it gets a little dry and a little more legal in terms of the language that’s being used, but essentially policy controls are about governance, documentation, and legal protection. It’s about writing down the things you are going to commit to and making sure your end-users are committed to those very same things. There’s a couple of things we’re going to suggest to start with here to get you going. There are again plenty to choose from, but I think that these two are the most important ones to focus on.
The first one is to document a security incident response process. This is a simple checklist that will help guide you through a cyber security attack. This is what you will follow when, and not if, you are under a cyber security attack. During attacks, a funny thing happens: you get emotional, the anxiety levels go up. Everyone is trying to get rid of this attack that’s happening right now in this heightened state of anxiety and high emotional state. Having a place to go to which gives you a clear set of steps to follow, that you’ve written when you were at peace and in a quiet state, is going to be a tremendously useful tool that will help you steer through the recovery process.
There are some incident response processes that are a handful of steps, but typically no longer than five or six steps that are outlined on how to respond during an attack. Essentially, be prepared and follow the documented process, and that will eliminate emotions like fear and doubt while you’re dealing with an attack. The second policy control that we’re going to recommend – this is a new development and we’ve received some questions around this particular topic even prior to this webinar – is the impact of using insurance policies when we’re dealing with cyber security attacks. If you were to phone the insurance company that provides your insurance policies for your business, chances are they already have a cyber-attack protection policy. It’s a very good idea to contact your insurance company, get some additional information, and sign up for one of these policies.
This will help you with financial support if your business gets disrupted via a cyber security attack. No different than a fire or a flood within your offices. Ultimately, you want to protect your business, so having some sort of protection in terms of an insurance policy is a good idea. Guess what, it’s going to be much easier to get lower premium rates, or to avoid having challenges when you submit a claim related to cyber security, if you’ve demonstrated that you have taken steps to protect yourself, like following these controls we outlined today. It’s a good idea to implement some of these controls to start, to show progress, before you tackle this business of getting an insurance policy.
A bonus suggestion. We covered people, technology, and policies. There’s one more I’d like to point out and this is about finding the current state or keeping tabs on success. How do I know I’m doing the right thing? I’ve implemented technology controls. How do I know they’re working? I’ve trained my people. How do I know they’re ready? This is all about performing assessments. About once a year, hire someone from the outside world, a third party, a neutral third party who will not be a threat to the organization and who will assess your environment. Find the weak spots, confirm that the things you have implemented are working, find out other things that are perhaps not working. This will then drive recommendations and will drive suggestions that hopefully will follow.
This concept of ongoing evaluation of risk, by implementing controls by using standards, is going to be part of the language in a cyclical process. You’ll do an assessment. You get recommendations. You follow on. Next year, repeat the same thing. At the end of the day, risk will never go down to zero, but we can bring it down from your current value to a much lower value. This is what we do as part of the industry. We always look for ways to reduce risk. Make sure, however, that your risk assessment is completed by a neutral third party. Someone you’re not dealing with. Not your IT services provider. Not your existing staff. Someone from the outside who doesn’t have a biased view on your environment.
Let’s summarize here. We talked about ways of reducing risk associated with cyber security and what we’re saying is, we need to implement security controls to reduce risk by using industry standards. You’re catching on to the mantra already here. As part of people controls, hire a cyber specialist and make that person responsible for cyber security. Implement an end-user awareness program. I don’t care which kind, just make sure there’s one there.
From technology controls, start with these four basic constructs. Protect your email through a cloud-based solution. Install next generation firewalls at the perimeter. Make sure that your endpoint devices are protected, and this is what we call a defense-in-depth strategy: cloud, perimeter, endpoint. And make sure you backup, backup, backup. Backup your data, your systems, the critical systems, critical databases and applications so that you can recover when an attack occurs.
From policy controls, make sure that you have a security incident response process documented, and talk to your insurance company to get an insurance policy that will help you when things go sideways. This is where we enter the Q&A session of the webinar. Hopefully, the information that we shared so far, that I shared so far, resonates with you. I’m excited to see what kind of questions come along, so I’ll turn it back to Ryan here to get us started with questions.
Ryan Lockwood: Okay, great. Thanks, Ilija. Yeah, we’ve got about 25 minutes remaining for questions. Please take a moment, click on the Q&A button, and write your question into the text box. I’ll give you a minute to do that. In the meantime, I just wanted to say a word about our annual client event. Connection 2020 – The Data Driven Experience is going to be held in Saskatoon on Thursday, January 30th at TCU Place. This year, we’re super excited to welcome more than 400 IT and business leaders from across the country to explore themes related to data, analytics, security, AI and the cloud.
We’re going to have some really interesting deep dives into the companies that are using data for business transformation and generally, just learn about many of the exciting new successes that are coming out of the tech sector in Western Canada. This year, we’re excited to welcome Kevin Peesker, President of Microsoft Canada, to deliver our keynote address. If you’d like to learn more about that, go to wbm.ca and we hope to see all of you there.
Okay, first question that came in from Twitter yesterday. Hypothetically, if you are the victim of a ransomware attack, do you pay? Ilija.
Ilija Stankovski: Yeah. This is a very interesting question and a very challenging question because it involves ethics. I’m of the opinion that one should never be put in a position to be required to pay. I know that sounds like a bit of a nebulous answer, but I prefer not to pay. Let’s put it that way, but I have to be prepared in a sense in order for me to be in that position. In that sense, historically speaking, the preferred approach has been to never engage and never pay, but that is also changing.
Ryan Lockwood: Ilija, if you do pay, does this validate the criminal’s model and expose everyone to further risk?
Ilija Stankovski: Yeah. This is where the ethics and the evolution of this particular problem is coming in. If we get to a point where we start paying to recover from a ransomware attack, if you remember in one of the slides we talked about, these threats that are out there, the actors, that was basically criminals who are looking to return on investment for their efforts. If there’s a payout, that provides an incentive for the criminals to continue doing that. There’s this negative feedback that’s introduced by the cost of paying. Again, it’s a really tough question.
Regarding the insurance companies, we talked about the insurance policy as a recommendation here. If a business is faced with this particular problem, and if an insurance company can make that go away, it further perpetuates the problem, but then the business is protected. It’s a very tough question, but it always boils down to this. Be prepared so that you’re never in a situation to make this tough call. Do I pay or do I not pay? If I have my backups in place, if I have my protection mechanisms in place, then when I’m under cyber security attack, and let’s use ransomware as an example, this question should not even come up.
I should be able to quickly recover from that scenario very effectively so that my business is not disrupted. I don’t have to pay and then, I move on. This obviously requires some [29:39] from investments and implementing the controls we talked about today. As a final statement on this question, as you can see, I’ve thought about this quite a bit. Get yourself in a position where you’re not even bothered to ask the question.
Ryan Lockwood: Okay. Thanks, Ilija. Next question then. What is the greater risk, physical security or cyber security? How much should I spend on each? I guess, we’ll get you to focus on the cyber part of the question.
Ilija Stankovski: Yeah, of course. This is an interesting aspect because physical security almost intuitively comes into people’s minds. That’s something you have to pay for when you open a business. You buy office space. Of course, I’m going to have to put in an alarm system and a lock on the door and protect myself, but paying for cyber security does not come as an intuitive response. It’s something that, way down the road, you may start thinking about, and you’re in this webinar today because you are thinking about it. I would say that cyber security has to be an upfront investment from the get-go. It has to be a complete buy-in with the business leadership to make sure that you’re going to make those investments.
How much should you spend on each? I guess that depends on the type of business you’re into. I mean, if you’re a retail space and you have physical brick and mortar offices, obviously, you’re going to spend quite a bit on physical security, but don’t forget about cyber security. If your line of business is in dealing with information or services where there is no physical presence, obviously, you’re going to spend a little bit more on cyber security in relation to physical security. One should not come at the cost of the other and they both should be considered. I think we have to change that in our language. Cyber security should not be an afterthought. It should be an intuitive response that I immediately have to invest in.
Ryan Lockwood: Okay. Thank you, Ilija. We’ve got quite a few questions coming in here, so from Karen. Does WBM have a security incident response process to share as an example?
Ilija Stankovski: Yes, we do and I would be happy to share it. We are a firm believer that sharing information is a very effective way of raising everyone’s awareness and protection levels. I would be more than happy to share ours. It’s a fairly simplistic process to follow, and we can perhaps provide a link to it in the follow-up emails that will be going out after this webinar.
Ryan Lockwood: Yeah. I can attest to that. We’ll certainly follow up with that. Thanks, Karen. Next question from Jake. Can you share your thoughts on the idea that small or medium-sized businesses may think that they aren’t targets for cyber-attacks?
Ilija Stankovski: The size of the business is a [32:23] irrelevant. Think of it this way. If you are a criminal who is looking at this problem purely as a financial investment and if I am going to construct an automated method of executing cyber-attacks, the target audience to me is irrelevant. At the end of the day, if my attack impacts a business of 10 or a business of 10,000, obviously, the payout would be bigger but the size of the organization doesn’t matter. Everyone is a target. If you are an organization of two consultants doing some very critical work or an organization of 500 or 1000 or 10,000, everyone is a target.
The argument that small and medium businesses should not be worrying about cyber-attacks is, I think, something we should avoid, and we should treat every business as a potential target because, at the end of the day, we’re looking at what the threat is. Who are the actors who are trying to impact our business? They have no knowledge of how big or small the business is. They’re looking at your online presence. If you have an email address, if you have a website, which you probably do, then you’re a target regardless of the size.
Ryan Lockwood: Okay. Next, we have a question from anonymous. Hopefully, that’s not a member of the hacker group. Where should an organization go to learn more about the cyber security insurance offerings available?
Ilija Stankovski: That source is your insurance company. Chances are you have an insurance policy for your business, so approach them to look into what offerings they have in this area. If the insurance company that you currently work with does not have any policies related to cyber-attack or cyber security attack protection, then perhaps you need to seek out a new insurance company, if that’s even a possibility. I mean, obviously that’s a complicated answer. Finding a new insurance company can be fairly daunting, but at the end of the day, this is a fairly new thing. As we said earlier, the aspect of payouts during ransomware was always an easy one. You never pay. That was the predominant line of thinking and I still believe in that. Again, given that they have the protection mechanisms.
However, going through the hassle of paying out ransomware has become easier because the insurance companies don’t just provide you the policy, but they also have services. They will take care of getting a cryptocurrency account so that they can pay bitcoins. You don’t have to deal with any of this. They’re taking that problem away. They have again perpetuated the problem a little bit. It makes it easier for you and again, this is a sticky area I think to get into, but insurance companies are providing a service. They’ve recognized the benefit because, at the end of the day, insurance companies are running a business as well and they want to make some money too.
If we can make this problem go away for policy holders then why shouldn’t we? In a roundabout way, what I’m essentially saying is, your insurance company is the best place for you to ask that question and see what policies they have. If they do not have them, ask them why, why don’t you have this? This is a real problem. Ultimately, if possible, seek other insurance companies who provide this as a policy.
Ryan Lockwood: Okay. I’ve got a couple more questions here. We do have more time if anybody else would like to ask a question or two. Dallas has asked, you identified government as a common threat. Can you please give an example of how government can be a cyber threat?
Ilija Stankovski: That’s a great question and governments in general are using cyber warfare as a forefront for their offensive capabilities on a global geopolitical scale. Some governments have varying intentions. Some of them are a disruption of political discourse. Some governments have purely a financial benefit to that. I would feel really uncomfortable sharing out names of governments and countries. This is something you can easily look into, but I will give you nebulous examples here then you can probably extrapolate what I’m talking about, but large industrial complex governments will benefit from acquiring intellectual properties from other countries.
With that being said, they will enter into programs. Officially sanctioned government programs to execute cyber-attacks against other businesses in order to extract or potentially steal some sensitive information related to intellectual property, technologies in order to gain eventually a competitive advantage. There is one type of government that purely executes cyber-attacks for the purposes of acquiring information to become more competitive. Then there’s governments who are just wanting to disrupt the geopolitical framework that we’re engaged with for the purposes purely of social disruption. The investments there are tremendous as well.
I think what makes governments the scariest – again, I mentioned that briefly in the webinar – is, they have an unlimited amount of time. A successful cyber-attack becomes dangerous when time is available. In a short period of time perhaps this is difficult to execute an attack, but when you have an unlimited amount of time and resources assigned to this, it’s not if a cyber-attack would be successful, just when that cyber-attack will be successful. From that perspective, governments are also spending quite a bit of their GDP towards building defensive mechanisms as well. If you look at, for example, Canada and the US as countries, there are heavily-funded cyber warfare departments who are looking to protect against these government threat actors, which are definitely a significant problem.
Again, if you’re interested in this area, just spend some time searching and looking for articles that point to specific programs around government-funded cyber-attacks or groups that are funded for cyber-attacks purely based on very specific ideology. Certainly, it could be an advantage in acquiring information or a disruption of political processes, so forth and so on.
Ryan Lockwood: Okay. Next question from Robert. One of the key elements of protecting your business is of course, under people or end-user awareness. In your experience, what is the most productive method?
Ilija Stankovski: Okay. Thanks for the question, Robert. This is a very important topic. As you can see, people controls was the first recommendation that we shared. At the end of the day, what’s most productive? What I found was, most productive was sitting down and talking to people. Having professionals come in and talk to people. However, it’s quite impractical if you have an organization of let’s say 500 people. If you want to bring someone in to talk about cyber security [40:15] and I’ve done that, I’ve gone to organizations and I’ve talked to people to raise awareness which is very beneficial and very effective. In practical terms, in terms of scaling, the first thing that I would point out is, if you have a townhall of some kind for your business, a place where all of your employees are gathered at one time, this is a great opportunity to introduce someone that can talk about cybersecurity to raise awareness because face-to-face interaction would always be very effective.
If you throw in some examples and you make it a little colorful, it will stick with people. Again, depending on the size of the organization, if that’s not practical, the second most effective method is to use the online awareness and training programs. These online awareness and training programs are fairly innovative. There’s a number of companies who do this where they will first run some tests to see what the current level of understanding is in matters of cyber security and then, based on that, you will find where the weak spots are within the organization. Maybe it’s a department. Maybe it’s an individual person. Maybe it’s the executive leadership. Again, being an executive does not make you immune as a target. Then following these tests, you can develop targeted online training courses that people are required to go through.
Now this is going to sound a little more daunting forcing people to go through it, but it’s a required function. We have to build the awareness levels of end-user communities to be acting as a defense factor in this war against cybercrime. These online training videos will talk about threats and vulnerabilities and exploits. What we covered today. Give you examples of what they are trying to decipher. The jargon of words and provide some meaningful steps on what not to do. To summarize the answer to this, sorry if we’re going in a roundabout way, Robert, but most effective I find is face-to-face and find [42:22] community gathering where you can execute that and second most effective is online training.
Ryan Lockwood: Okay. Joanne was asking a question totally related to Robert and that was, can you provide a suggestion of a reputable online end-user training?
Ilija Stankovski: Absolutely. We’ll share that in the email feed after this webinar. Ryan make note of that. We’ll provide some names.
Ryan Lockwood: Certainly, and I know I’ve done that training myself, and I can attest to it. It’s very effective and useful on a day-to-day basis. Laurel asks, I guess, she stated, WBM is our company’s IT provider. Does WBM have posters, articles, et cetera that we can share with end-users in our company to raise awareness on what they can do to avoid cyber security attacks?
Ilija Stankovski: Yeah. This is a good, good point. We have internal end-user awareness programs that we forced people to go through. Ryan somewhat alluded to that prior to asking this question. That he’s gone through one. We’ve implemented the very two things that I described as the most effective one. I do tours within the organization to get people into a meeting and talk about cyber security. The impact of it and how do we deal with it and what to be aware of which is super effective, but I also know that that’s very impractical so we also use online awareness training sessions.
We don’t necessarily have a mass distribution model for brochures and posters given the size of the organization and the distributed model. We found that face-to-face and the online awareness training is super effective, but we also, in that kind of a line of business, as a managed service provider, people are working in all sorts of places. People work remotely in distributed offices, so printed material is not effective for our model. However, there are businesses out there where the majority of people are in a single building or a couple of campuses, if you will, nearby and the majority of the work force shares the office space; this is a good opportunity to have printed materials. I would encourage that; that will be effective given the physical model of the business and how it’s oriented in relation to the work force.
Hopefully, if that’s along the lines of what your business looks like, then that will be effective, but we most definitely use a combination of resources and not just rely on one. This, if we’re going to rewind back here, goes back to that notion of having someone responsible for cyber security. This resource within the organization for cyber security will drive this agenda of end-user awareness training. Now obviously, this resource cannot do it alone. This resource would need help from your human resources department and perhaps marketing department or other departments in order to create meaningful programs that work for your organization, but they have to be multidimensional, not just brochures, not just online meetings, but a combination of all of these aspects of dealing with, as we call them, people controls to create an effective program to raise end-user awareness.
Ryan Lockwood: Okay. We have another anonymous question here. This all sounds expensive. What would you say would be the cost-effective way to begin our cyber security enablement road ahead for those who have not had a strong practice?
Ilija Stankovski: Yeah, that’s a good point. This sounds expensive. When you talk about cloud-based protection for email and firewalls and this and the other thing. There is a component of cost of course. Nobody argues that. If the question is about justifying the costs, I think that one begs the question, what is the cost to the business for not doing these things in terms of increase of risk, because it’s just a matter of time before a cyber-attack impacts your organization. Think about the comparison of cost versus benefits of doing it versus not doing it. Obviously, I’m of the opinion that upfront investment in cyber security protection is a must in order to reduce the risk of exposure to the business and therefore, impact to the business.
If you want to be cost-effective about these things, there’s two schools of thought here. One, you can go ahead and staff internally as we said earlier. [47:00] cyber security specialist, make that person responsible and then, let that person drive that agenda forwards. The alternative model to that, which is a little more cost-effective, is to look into managed security service providers. At the end of the day, you’re in the line of business that makes sense to you. If you’re a legal firm or a marketing agency or you’re extracting resources of some kind, you’re not in the business of IT.
There’s a second notion that using managed security service providers that provide security as a utility or as a service is an effective way to get you started quickly. We haven’t really spoken about this today. We have written some posts around this topic about using managed security service providers that I’m sure, Ryan, make a note that we can share that link to the post as well, but at the end of the day, there are innovative and quick ways and cost-effective ways how to get started quickly by seeking help from the outside. At the end of the day, it boils down to assessing your business model approach. Do I staff internally, hire people, buy equipment, implement equipment, deploy equipment, operate equipment and security controls, or do it externally and seek it from a service provider, so that all I need to do is get a monthly bill for this as a service and have that external party deploy, scope, operate, implement reports, so forth and so on.
Obviously, I’m a little bit biased because I work for a managed service provider, but at the end of the day, those are two schools of thought and I believe that the internal one would be a little more expensive than the external one. It’s a good way to get started. Evaluate that first and then, commit to that agenda and then, push it forwards.
Ryan Lockwood: Last question, which is very much related to what we’re talking about here, from Laurel again. What happens when WBM suffers an attack? How do we protect our clients in the event that WBM is the target?
Ilija Stankovski: It’s perfectly reasonable to expect that WBM will be a target. As I said, I believe Jake asked a question earlier about small business, medium business. Attacks don’t care who the target is and we are a target no differently than anybody else. What we believe in is that we apply the same method of protection of what we just talked about today. We establish a defense in-depth strategy and we reduce risk at every level possible. We are essentially eating the dog food we talked about today. Multilevel protection at the cloud, at the perimeter, the endpoints, have recoverability with backups, have end-user awareness and training, increase the awareness of staff and then, we also apply some MSP best practices when it comes down to providing operational tools that we use to help our clients.
We are expecting and we do have incidents that take place and guess what, we use the same security incident response process that we’ll be sharing with you that we outlined as part of the policy controls. Either for ourselves or when attacks happen with our clients. We essentially pull up this document and follow it. Step one, step two, step three. I believe it’s about seven steps in total. Then you qualify. What’s the impact here? Is there data loss? Is there harm to humans? Is it just an obstacle or is it just an annoyance? Then from there, you act accordingly. Ultimately, we have a preparedness level. We have a security incident response process, but most importantly, we’re following exactly the same model we outlined today. Defense in depth with multiple levels by using policy controls, technology controls, people controls. All in the effort to reduce risk by using industry standards. Remember the mantra: risk, controls, standards. We’re not just telling you to do this, we’re doing it as well.
Ryan Lockwood: Okay. Risk, controls, standards, got it. Thanks, Ilija. Sorry, we’re out of time now. We committed to doing this inside of an hour and I know you’ve all got a busy workday probably to get back to. There are a couple of questions that we haven’t answered. We’ll respond to those via email and send them out to you. We’ll also send out a link to this webinar so that you can watch it anytime or share it with colleagues who were unable to attend today. I guess, one other thing, we’ve also developed our cyber security threat assessment checklist and we can email that as well. Thanks so much for joining us today. I look forward to seeing all of you at Connection 2020 in Saskatoon on January 30th. Have a great day.