RAP Webcast Series
As you look to modernize your business, it is important to prepare an appropriate cybersecurity strategy to ensure you are adopting new technologies safely. In the same way you lock your home to protect your valuables, a detailed cybersecurity strategy will protect your business, and build value by strengthening customer and shareholder trust.
To help you take the first step toward building a business that is resilient to online threats, we have gathered two industry experts to offer their unique perspectives, discuss best practices, and provide important advice so your business can confidently embrace digital transformation.
Join us for a fireside chat with Eldon Sprickerhoff, Founder and Chief Innovation Officer, eSentire, and Ashley Lukeeram, Country Manager – Canada, Tenable, as we discuss trends and emerging issues in cybersecurity, organizational planning and governance, and how to respond to incidents, both during a digital transformation and in the long term.
- Eldon Sprickerhoff, Founder and Chief Innovation Officer, eSentire
- Ashley Lukeeram, Country Manager – Canada, Tenable
Leigh Smout: Good morning, everyone. It's so great to have you with us here today. My name's Leigh Smout, and I'm the president of the World Trade Center Toronto. Welcome to the latest installment of our Recovery Activation Program, or RAP, webcast series. This one is called Building a Cyber Resilient Business. This series generally would not be possible without the support of our RAP program sponsors, who are Air Canada and BLG, and also funding from the Government of Canada and the Government of Ontario. And of course, all of our programming at the Board of Trade is made possible through the board's principal sponsors, The Globe and Mail, Ted Rogers School of Management at Ryerson University and Scotiabank.
Some notes off the top. A recording of the webcast will be available afterward on supportbusiness.bot.com. If your video is lagging during the session, select "Click here to switch screen" to view at a lower bandwidth. For any other technical issues, click "Request help" in the bottom right corner of the screen, and someone will be in touch. To submit questions at any point, please click on the questions tab. Please feel free to ask questions anytime. We will have a question and answer period towards the end of the session. To answer our polling questions, which we're going to have throughout the session, please click on the voting tab, which you'll find beside the questions tab to the right of your screen.
So this morning, we're here to talk about the pressures COVID-19 has placed on businesses, and how SMEs can harness the power of technology and data to adapt their operations, succeeding no matter what new challenges this pandemic throws at us, or how long it lasts. At the board, we launched the Recovery Activation Program to help businesses do just that. It's run by our Scale Up Institute, and RAP works with your business to identify opportunities for improving your digital structure. Through a digital needs assessment, or what we call the DNE, or DNA, you'll be able to assess the digital maturity of your business and how it ranks relative to your industry.
Based on your company's digital maturity, you'll then be directed to a custom training program. And it could be one that would focus on a specific aspect of your business needs, like cybersecurity, for instance, or a full on multi-week hands-on workshop experience, in which you'll produce a digital transformation blueprint, which is a comprehensive plan to help your company achieve efficiency, leverage technology, and ultimately grow both during these uncertain times, but also into the future. Because of the generous investments from our partners and both the federal and provincial governments, RAP is completely free to businesses across Ontario.
On top of this, we're offering digital sales enablement, including virtual trade programming, to ensure that Canadian firms are still taking advantage of new or emerging opportunities around the world, even in this time where we have some current travel restrictions. So you might not be able to attend a trade show, but come through RAP, and we'll help you find a way to get new customers anyway. Registration for all of this is open. So I strongly encourage you to visit rap.bot.com, or to connect with someone at the Board of Trade, or the World Trade Center Toronto, for more information.
Today, however, we're focused specifically on cybersecurity and the importance of building your own strategy, to ensure your business is resilient to online threats. To help us do that, we're joined by Eldon Sprickerhoff, who is the founder and chief innovation officer of eSentire. Eldon is the original pioneer and inventor of what is now referred to as managed detection and response, or MDR. In founding eSentire, he responded to the incipient, yet rapidly growing, demand for a more proactive approach to preventing and investigating information security breaches. Now with over 20 years of tactical experience, Eldon is acknowledged as a subject matter expert in information security analysis. Eldon holds a Bachelor of Mathematics, Computer Science degree from the University of Waterloo. Welcome Eldon, glad to have you with us.
Eldon Sprickerhoff: Thanks Leigh. Great to be here.
Leigh Smout: We're also joined by Ashley Lukeeram, who is the country manager of Canada at Tenable. Ashley is accountable for Tenable's overall business strategy in Canada, and he leads a team of cybersecurity experts in helping Canadian organizations address cybersecurity and risk management issues through Tenable's solutions and services. Sorry about that, Ashley.
Ashley has over 20 years' experience in the IT industry, and his passion for cybersecurity led him to managing the security program of a Symantec and Microsoft distributor for the Africa region. He continued on the cybersecurity journey at industry-leading companies, such as Rogers, Symantec, and RSA during the last decade, helping customers across all business verticals in Canada. Along with a master's degree in Information Technology from Cranfield University, UK, Ashley also holds several industry certifications, has been part of the industry advisory board of Reboot's Privacy and Security Conference, and is currently an active member of ITech and CCTX. He has also presented at Canada's National Security Committee on the topic of cyber risk. Welcome to you, Ashley, glad to have you with us.
Ashley Lukeeram: Glad to be part of it, Leigh. Thank you.
Leigh Smout: Pleasure to have you. Great to have both of you guys and I'm looking forward to having a discussion. Just a quick reminder to the audience. Don't forget to send us your questions using the questions tab as we go along here. No doubt things will be coming to mind. So I thought Eldon and Ashley, we would get this conversation started by touching on current trends and emerging issues in cybersecurity, as it pertains to digital transformation, especially, and given the relevance of this topic for Ontario SMEs, who are really having to move their operations online, adapt to a very different management style as a result of the COVID-19 outbreak. So Eldon, why don't I start with you? And from your perspective, I'm wondering if you can identify any current trends and emerging issues that you see in cybersecurity as businesses take on digital transformation?
Eldon Sprickerhoff: Sure, say we're six-plus months into it, and it might seem obvious in retrospect, but COVID-19 for most businesses really punched the accelerator on tech perspective. I've seen most sort of smaller tech-oriented businesses, or businesses that use tech in some way, have started off purely digital for the last couple of years. So that's, everything is in the cloud, Office 365. And for other traditional, more established firms, it's been a slower, longer process to that migration to the cloud. And as I said, COVID-19 then pushed the accelerator, accelerated that need for online sales process, and fulfillment, and remote access, and endpoint availability, collaboration tools.
And when I look at it, security is the necessary, trusted underpinning across all of these things. And I think from what I've seen in the first month, there was such a push to just get things working. There was a lack of, you couldn't buy laptops, or monitors, or speakers to get things working. And when you get that push to get things working, there's a slipshod, stopgap measure that gets implemented. So there's poor hygiene in place. And some examples of that would be consumer-grade antivirus, free antivirus, and just postponing patching and things like this. And so the, I said, the problem with these stopgap measures is they tend to become permanent as the next fire has to be put out.
I look at COVID-19 because of this acceleration, they magnified the security sins of yesteryear. So you can't just hide what may have worked before when you were in a single office building, hidden behind a firewall. And that's pretty on the tech side. I said, if you look at any process or procedure that would be, so adding a user, terminating a user, what that looks like. That usually would require onsite, or face-to-face interaction, needs to be reassessed going forward.
Leigh Smout: So very interesting Eldon, I think what I'm, as a layperson in cyber, I think what I'm hearing, is that we can't afford to wait until something happens to deal with it. I think we know that in a way, but in some ways that has accelerated, so not having a strategy or a plan in place, means that you're trying to patch things, and then you're having to live with them, because you've got to move on to the next problem. And really you need to be planning way out in front for this?
Eldon Sprickerhoff: Yeah, exactly.
Leigh Smout: Okay. Ashley, any further thoughts on it?
Ashley Lukeeram: Yeah, I was just going to add, I agree with Eldon in terms of comments. So on the topic of cyber, what we are looking at these days is it's not just cybersecurity from the perspective of, "Hey, let's go and put protection mechanisms in place." What we are hearing more and more is cybersecurity is cyber and business risk today. It is truly a risk to your business. And what we are finding out is a lot of the SMB customers, they are starting, to Eldon's point, going online. And as you're going more online, what this means is you're leveraging web applications. A lot of web applications reach out to your customers, to your partners, to do the business.
So one important trend from an attack point of view, is looking on what's happening with those web applications. What's interesting today is, on average, we find that there are about 33 vulnerabilities per web application. Let's just take a minute here. That's a lot, right? As an organization who is embracing this digital transformation, who knows, maybe you have five, 10, 15 applications out there. So the big question is, how do you handle that, right? That's a major challenge.
The other thing I would add here is, as an SMB, of course, it's all about making sure that you're building that trust with your customers. You're holding on to your reputation. And make no mistake about it, the hackers are taking advantage of this situation. They're saying, "Hey, yeah, you know what? There's more and more businesses online. What if we could go and try to simulate as if we were the legitimate business?" So what we're finding there also is a lot of those fake mobile applications. Which certainly also poses a big challenge for the SMB organizations, because you guys need to understand, "Okay, as an entity, who else is trying to mimic me out there? How do I protect my brand? How do I make sure that the experience is still smooth for my customers and partners?"
And then the third piece, I think which is a bit of a trend also, is a lot of organizations are embracing more and more automation in their business. They have some sort of machine in place. They have operational technology already in place. As you are opening up your doors to be a bit more online, there's definitely an increasing risk of stuff coming in through your traditional IT [inaudible 00:14:41] your operational technologies. So again, this is a bit of a different conversation, because you're talking about machines, you're talking about stuff that's producing a good for your organization. But these machines are definitely a big target for the bad actors. So I would say these are the couple of things that we are finding from a trending point of view, in the last five, six months.
Leigh Smout: So I still can't get over this, was it 33 risks on average, from any given web application?
Ashley Lukeeram: On average.
Leigh Smout: Just a terrifying thought, just terrifying. That's really fascinating. I mean, would you say that there's been a bit of a shift in thinking about cyber? Or is this just as I'm seeing it from the outside, but there was a time when I was with IT in the Province of Ontario. We were very focused on our data, and what was happening with it, and what kind of attacks were coming at us. But really now it's really about protecting our customers, isn't it? And I think that's, a piece of that has to do with your ability to sell, and to get, people have to trust you. I mean, people don't put their companies in your hands to provide service to them, unless there's trust. It's not just about your products. It's about feeling like they've [inaudible 00:16:01]. So, I think cyber is a really important aspect of that, isn't it?
Ashley Lukeeram: It is a huge point, Leigh. Let's face it, every one of us is going through a stressful time right now. So put yourself for a minute in your customer's shoes, right? So your customer is trying to come online, do a transaction with you. And if that experience is not pleasant. If that experience is the website is not available, it's going down, or that person is getting redirected to other sites-
Leigh Smout: Yeah.
Ashley Lukeeram: ... make no mistake about it, they're moving on.
Leigh Smout: Absolutely, that's right.
Ashley Lukeeram: So that trust, that confidence is so important to maintain in these days.
Leigh Smout: Yeah, fascinating. I think before we move on to the next question, maybe we'll just drop a poll out there to the audience. So we can, asking the audience, if you can vote on this poll, using the voting tab to the right of your screen. And we'll take a look at the results in a second here, and move on to the next question. So the question is, how confident are you in the cybersecurity practices of your third-party partners? So are you extremely confident, confident, somewhat confident, or not confident? And we'll see those results in just a moment and get onto the next question. It's very interesting that I think that everybody is also realizing as they're maybe digitizing their business, might be a business that isn't particularly digital, can be food production or what have you, but that all these businesses are starting to realize the importance of security while they're moving more online. Even through their own, managing their own processes, managing their staff virtually, whatever other, trying to manage their supply chain, or attracting customers using online.
So I think this is one of those things that we really need to get out there. So we, I guess you can see that about half of the people are somewhat confident, which is, that's good. I'm glad to hear that. And we've got maybe a third that are confident, which is fantastic. None are extremely confident, and that's not surprising to me at all. And of course, we've got maybe about a fifth that are not at all confident. And I think that is, this is probably, if we did this 100 times in different places, you would get some results similar to this. We have somewhat some confidence, but if I was talking about data in my business, and I said, "Yeah, I have some confidence that we're going to be okay," I think I'd be trying to get some help, because it's not my area of expertise.
So maybe just following on that poll, I'm wondering, as businesses go through a digital transformation and they implement new technology into their operations, what are some of those key challenges that they face, both internally and when working with third-party partners? And how can they strategically plan for this tech overhaul? I mean, we talked about the fact that you need a strategy. So how can you strategically plan for a tech overhaul while ensuring that they're keeping both their own data and customer data safe? Ashley, why don't we start with you?
Ashley Lukeeram: Sure. So, a couple of things. Let's look at it from, first of all, from an internal point of view. So as you folks are embracing more technologies, I think the first thing to look at is each and every single piece of technology you're adding into your environment, that means it's an expanded footprint, it's just another potential angle for the bad actors to try to break into your organization. So, the first major challenge, as you're introducing those new technologies, is trying to understand what type of loopholes, what type of vulnerabilities may exist on those technologies. And as you are deploying these internally, it's extremely important to consider how these tools are being configured. Are you actually following the different types of standards out there in the industry, to make sure that you have a solid baseline?
So that's one key thing. The other piece is most of us are working remote these days. So the technologies that we're deploying are surely being accessed remotely by some of your administrators, some of your super users. When you're doing this, it's important to consider how you are protecting the identity of the people who are accessing those tools. Because again, the bad actors know about that. They're going to try to simulate as if they were a legitimate user. So start getting into the whole conversation about, "Hey, is a password good enough? Strong, complex password, is that going to do the trick? Or do we need to look at other things from an identity point of view?"
The other element about this is, if you want to spend a few minutes just quickly on the third-party side. So we know this from other breaches, we've seen very often, it all starts with the weakest link. If your supplier is coming in with a process that's not mature enough, and they don't have enough security controls, again, the bad actor is going to find a way to leverage these folks to get into your environment. So as part of the process here, I think it's important to think about how do you audit your suppliers?
It could be as simple as, "Here's a bunch of questions that Mr. Supplier, I would like you to answer. How are you protecting my data? If there is a breach of information, how are you going to respond? What type of controls have you put in place? How are you screening your own people when you are hiring these folks?" So those are a couple of things that you could do from an auditing point of view. Or you could also look at it from your contract perspective. In your contract, you could look at time of the year where they need to provide you some audits, some data on how they are protecting their environment.
The third part about this piece, Leigh, has to do with cloud providers. As an SMB market, I know a lot of folks are leveraging infrastructure in the cloud, which is good. But at the same time, I think it's extremely important to ask for those security certifications, a lot of the right people out there have done certifications like SOC 2, like ISO. Make sure that you have access to the type of measures that these people are taking to protect your data. And then last but not least, I would say, as an entity, it's always good to test. So whatever you put in place, whether it's internal, or in the cloud, it's extremely important to be able to go and do penetration tests, to make sure that you have a view of, as a hacker, what would it look like if someone was going to try to infiltrate your environment?
Leigh Smout: Yeah. Fascinating. It makes me think of movies I've seen over the years, when cyber was an early thought, where the FBI would have to hire the terrible hacker guy in order to figure out how to protect themselves. So you have to think like a hacker in a sense, that's a fascinating thought, really. Eldon, what do you think on the strategy side?
Eldon Sprickerhoff: So there's a couple of points that Ashley made that I wanted to build on. I think that you need to have a recognition of who is responsible for what. And as somebody in the business, you can't fully delegate both responsibility and accountability to any third party. The examples, where we're talking about Microsoft, Amazon, they built these great platforms for cloud offerings. So AWS and Office 365. And along with that, they've given a great swath of tools that you can use to implement, whether it's yourself or your provider, but that onus to implement is on you, or your delegate, to make sure that it's implemented appropriately and properly. So they can lock up things. So it'd be like you'd have to effect something like Ocean's 11 to break in. But that may not be appropriate for your business. Somebody else is making those decisions as to what are the right measures to place? You need to be able to confirm that they're making those decisions correctly as what you would want.
And to that same point, you'll confirm that your vendors are behaving properly. And that's part of the SOC 2, I think, that Ashley had suggested. And specifically in that, the SOC 2, you can minimize scope of business. So it's not just good enough to say that they've got their SOC 2. You need to, if you're investigating your third party, to say, "Okay, well, what did that cover in that audit?"
I think the other thing that isn't often considered, and that it feeds into that, is you need to get a sense as to what third parties your third parties are using. So I've got, you can call them fourth parties, or third party once removed. And you may need to do annual due diligence depending on how deeply involved and critical they are to your company. That's just part of due care.
Leigh Smout: So, yeah, like your second cousin to your third party, there's no telling what they're up to. What I'm not sure I get is how do you get to knowing that you need to audit your third party, or how to do it, or what to be looking for. So are there organizations that help you do that? What's the best way to get at that, Eldon, is there ...
Eldon Sprickerhoff: Well I think what you need to do is spend some time going through all the list of service providers, and who has access to your data, and figure out who are the most critical. And then you'd say, "Okay, along with that, what access do they have? What data do they have? What do they have in that chain?" And basically then working through that. You can, depending on the size, there are platforms that will help you do that. For small businesses, I think, just going through the list in a simple spreadsheet, you don't even do a database, as, "These are the contacts. These who have data. And these are the people who are most important. This is how I would have to get ahold of them if something went south."
And then when it comes, before it comes time to renew your contract, you'd go in and say, "Okay, these are the terms that we need to have in this contract. And we'd like to see audits." Depending on the size of the company, and how important they are, you may want to reserve the right to do audits, and figure out where that goes to. And you should be able to ask for vulnerability assessments, and I think that's what Ashley was getting at. You can outsource that kind of process, but really, if you are about this, it befits you to be part of that conversation.
Leigh Smout: Yeah. So this is the thing, I guess, even if you are, and that's why we hold seminars like this, webinars, and why some of our audience is here, I think, probably trying to get some of that basic education. There are probably people who also just want to get into some real deep detail. But yeah, a bit for everybody, no matter what your business, no matter how far it feels like it's from technology. Having a bit of understanding of where your vulnerabilities might be and the process you need to manage within your strategy, I guess, to ensure the safety of your data and your customers. Eldon, I wonder maybe we could talk about what happens if there is a breach, so let's assume something does occur. And so what would be strategies and/or tactics, I guess, that you would probably have, hopefully, have had in place from a strategy point of view, but that you'd actually have to do once it happens, to manage a breach effectively?
Eldon Sprickerhoff: Yeah. So I always have a small grin when someone says, "If something happens." You should just assume it's a foregone conclusion. Something bad is going to happen in the next few years. I don't think anybody knows, there's nobody that knows of anyone who hasn't been hit by ransomware, or fake emails, or things like that. That's just how it goes these days. And the attackers, they're starting to demand larger ransoms and so on. But for smaller firms, again, it's generally two, one of two things. So, it's our business email compromise. Someone pretends to be someone else in the organization, the CEO, the CFO, to scam them, "I need to do something quickly that requires cash, or access to bank accounts, or wire transfer, or Apple iTunes cards. It needs to be done urgently, and swiftly, and quietly."
And so that's a big chunk of the attacks you'll see at small business side. Then the other side is some kind of malware, faked email with bad content. And usually these lead to ransomware, and so the defense mechanism behind those two are exactly the same. First, I call it ongoing inoculation of skepticism. And you want people to say, "Does this request make sense? Why would the CEO be asking me to buy iTunes cards? And this doesn't look, doesn't smell right. I'm going to send it to somebody in IT before I open it." And if I do open it accidentally, recognizing that people are human.
The worldwide web has been around for almost 30 years at this point. Links are meant to be clicked. Attachments are meant to be opened. There's a certain amount of again, inoculation we can do, to get that, but people, given enough kicks of the can, will click something. So if they do open, it looks suspicious, escalate it immediately. What does that process look like? So there's an education piece, there's a tech piece. And I say, again, I keep banging on using enterprise grade antivirus is a must, as free antivirus downloads give you the protection that you paid for. And not everybody has the need for a full incident response plan. I recognize that you can go to eSentire, and you can download a framework from our website, as a jumping-off point.
But I say, if you only have 10 minutes to spare, what can you do? There's a page that is in that framework that is basically contact information. Everybody in your organization and outside, your third parties, banks, et cetera. Who would you need to call when something bad happens, have it readily available. And I mean, a print-out, because if your network is down, you're not going to have access to it. And make sure that you have the contact information for these people, both home, cell, email, everything, when you need to initiate a call, and make sure that those things are kept up to date on a quarterly basis.
Leigh Smout: Our CEO, Jan De Silva, she just loves music, but it sounds like I shouldn't have bought all those iTunes cards for her on my corporate credit card. So that was a big mistake, it sounds like. I'm sure they'll catch up with me soon. Yeah, no, it's amazing, who hasn't gotten these emails? We're all seeing them constantly, phishing emails, and what have you. We just, and we're always getting examples sent out from our IT department too, just because they're looking more and more real, they're looking more and more sophisticated. They used to look really bad. The English was bad, there were things you could spot right away. But it's getting harder. Ashley, thoughts on this?
Ashley Lukeeram: [crosstalk 00:32:43] Yeah, and if I may just add here, just again, in terms of breaches, it's not about if it happens, it's more a question, "When it happens, what should we do?" So to Eldon's point, a lot of it honestly has to start with planning how you're going to respond to the breach. And the companies who've done well, anytime they've been breached, are those ones who have been able to respond quickly, and have a plan B kicked in. So that they're up and running again. So part of this has to do with doing a quick tabletop exercise. Just pick an hour in a day, just assume that today you guys have been breached, who needs to do what? So going back to Eldon's point, make sure that your contact list is updated, right? Let's play this out.
The other thing to be mindful of, is when these breaches happen, typically a lot of people are in a quick, reactive panicky mode. And we all know that when we start panicking, it's hard to think. So one other thing to consider, is there's a lot of great service providers out there in the industry, who actually provide an incident response, retainer type of service. So it would be certainly worth having a conversation with some of these people, and quite a few of them I know, would be okay just to sign a contract with you guys, not paying anything until the day when you need to pick up the phone and call that 911. But at least at that time, you don't need to worry about contract. You don't need to worry about legal. You don't need to go and figure out, "Oh, okay, who do I need to go and knock on the doors." It's something that you would have already done as a pre-work.
The other thing to keep in mind also is, from a government point of view, there's definitely a couple of entities who may be helpful in these types of breaches. So I'm thinking of the new Canadian Cybersecurity Center. They're always available in terms of guidance, in terms of advice, reach out to them. If you're subject to some type of fraud, the RCMP has a center that you can reach out to and say, "Hey, I think we are being targeted. What can you guys do to help us? Or what can you do to guide us to some providers?" So the big thing about this is be ready. That's the best way.
Leigh Smout: Have a plan. I mean, this is, we don't make plans for when things are great, right. We can just roll, but you need a plan for when things go bad. And so having it in advance makes all the difference. I totally get that in every aspect of business. Okay, why don't we just, before we go to the final question of this part, before we get to the audience questions, which I'd like to try and get to quickly, because we're getting low on time here. Let's ask this poll of the audience. So what tools does your organization currently use to detect attacks? And they are self-developed tools, open source software, or commercial products. I can see that there isn't an all of the above or anything, but please pick the one that you most depend on.
And it'll lead to the next question, I think. I'll just state the question while we're asking for, while we're waiting for the responses. And the question is, and we will get to this in a second, Eldon and Ashley, but what are your recommendations on some of the tools businesses need, or can use to ensure they're protected both now and in the future. And I think we've addressed some of those, but it'd be good to just maybe get a little more specific. So let's have a look here. So I apologize, I've got to pin this. So commercial products for the most part, significantly more than anything else, a little bit of open source too. Maybe a fifth essentially as the numbers are moving around a bit. Very few self-developed tools, and probably not too surprising, I guess. But yeah, commercial products hitting like 80%. So I don't know if that, does that fit with what you would've expected, Ashley and Eldon, and any thoughts on specifics you can suggest? Jump in, whoever's ready?
Eldon Sprickerhoff: Yeah, so I think that's a pretty reasonable and unsurprising piece. I think that if you're going to [inaudible 00:37:26] your own tools, you're way ahead of the average business owner. And as for what tools I would recommend, I say first thing is multi-factor authentication. That's in, Microsoft and other firms are making it easier for you. You've got, because I just brought up, authenticator on my phone, that every 30 seconds gives me a new password. I think almost every provider will give you some kind of multi-factor authentication. So you don't have to use the same password that can be used by anyone else. That's the first thing, multi-factor.
Second again, enterprise-grade antivirus, malware prevention. I've noticed that some of the larger antivirus vendors aren't quite as good as they used to be, because it's, and so it's important to make the right choice, and what works within your own IT provider position. There are some smaller firms that seem to have a bit of a head start on say the biggest names in antivirus. And the third piece, isn't really a tech thing, it's your backups, make sure your backups are performed and tested regularly. If you don't get a test of a download, of a recovery, it may ... Why would you bother backing up if you don't have confirmation that they actually were successful?
Leigh Smout: Yeah, makes sense, Ashley?
Ashley Lukeeram: Yeah. If I may add, so listen, even before we start talking about tools, I would argue that first line of defense has to be your people. So if you need to invest, make sure that there is some cybersecurity awareness done across the organization. All the stuff that Eldon has mentioned definitely can help, but without good user awareness, that's going to make it tricky.
But just to hop back onto the tool capabilities, what I would also add there, is it's important to think about, okay, where and how those breaches are happening. You look at all the breaches out there, on average about 60% of those breaches are happening because there was an available patch for a very known vulnerability. But by the way, that patch was not applied. So part of the strategy, part of your security program has to include that continuous management of vulnerabilities. Making sure that you are patching on a regular basis.
Again, today, in these days, what we find is, it takes way too long for organizations to find their vulnerabilities. It's over 29 days to know if you have a vulnerability or not. And by the way, once you do, it's over 40 days before you patch. So literally it's like you're sitting in a house, and you're having all the bad actors coming in and out without you knowing. So that I think should be one of the top things to take into consideration. I agree with Eldon, identity is another big one, again, 80% of breaches would leverage some sort of a compromised identity. So multifactor authentication is critical.
The other thing to think about is this, we won't be able to protect everything. Okay, so as an organization and you look at your business, it's important to understand what are your key assets, where is your key data sitting? Those are your crown jewels, where putting controls, putting some of this stuff, like even encryption would really benefit the organization. And by the way there, there's a fantastic list of top 10 things to do, which you could look at, if you look it up on SANS, S-A-N-S top 10, and even the Canadian Cybersecurity has its top IT security actions top 10, so.
Leigh Smout: Great idea.
Ashley Lukeeram: [crosstalk 00:42:05] some great ideas over there.
Leigh Smout: Yeah, there's so many resources aren't there? If you know where to look, when we have the opportunity to talk to experts who can tell us, it's very valuable. Thanks for that. I am going to beg my guests' indulgence and the audience's indulgence, because we are well past when we should have got to audience questions. And I don't want to short our folks who have been asking them. So I'm going to just try and push us a little bit beyond the 11:45 mark. Thankfully, one good thing about planning to end at 11:45, is most people aren't really booked in it for anything until the next hour. So sometimes we can go an extra few minutes, understanding that we might lose a couple, but as I say, I'll beg indulgence, we'll go a little bit longer. Just, before we dive into the listener questions, I really just want to take a moment, do a bit of a sales pitch for our DNA, our Digital Needs Assessment or something, which is really like a digital readiness assessment for your business.
So this online assessment tool identifies core competencies and gaps in the digital capacity of your business. And based on your digital maturity, we then have program experts who can work with you to connect you to a program that will help you take the next step in your digital transformation. So you can take the Digital Needs Assessment today, simply by clicking on the graphic to the right of your screen, in the info tab. And it's honestly, I've talked to many tech folks who are starting to just say to their customers, "Why don't you start with this? Because then we've got a bit of a sense of where you're at relative to some benchmarks, and then we can take it from there." And it will lead to programs in many different areas, including cyber, which is why it's very important that we're having this discussion today.
So I want to get to our audience, Eldon and Ashley, I'm going to just let you guys jump in, whoever feels like they've got a competent answer, or just feels like answering, competent or otherwise, that's fine. I'm only kidding, of course. I have great respect for your expertise. So let's start with Beverly, "Do you feel that safeguards are developing fast enough to keep up with hackers and foreign interference?" So, and we'll do, let's try to do quick answers, because I got tons of questions, and I'll just love to get to everybody if we can.
Ashley Lukeeram: Yeah, so safeguards, so I would say, always it's about thinking about it from a hacker point of view. A hacker is trying to run a business. He or she's trying to get something done quickly. And therefore the more you put defense in depth, the more [inaudible 00:44:21] you're locking stuff which are most important for you as an entity, obviously the harder it is going to be for the hacker. And I think that's key. You're not going to be able to put a lock on every single door. Put it where it really matters the most for your organization.
Leigh Smout: Right, makes sense. Okay, should I move on Eldon? The next one from Rosemary is, "How can small businesses meet ever changing requirements for cybersecurity, such as NIST?" I don't even know what that acronym means, so.
Eldon Sprickerhoff: [crosstalk 00:44:55] NIST is the National Institute of Standards And Technology, they've put together a great framework, and it's very, it's short compared to say one of the ISO ...
Leigh Smout: I think Eldon froze. Well, I would-
Ashley Lukeeram: So maybe while we're waiting for Eldon to get back.
Leigh Smout: Yeah, thanks Ashley.
Ashley Lukeeram: So the [inaudible 00:45:23] about the NIST is they have that cybersecurity framework in place, which can be leveraged by everyone in the industry. What's important, is there's a lot of those different types of standards, NIST is one of them, what matters for any organization, is to take the pieces out of those standards, which are relevant for you, and apply it accordingly. But certainly NIST is a great start.
Leigh Smout: And Eldon, you froze for a second. Ashley jumped in, which was great, but I'm hoping you weren't hacked. It's just a technology thing. I think you might be frozen again. Well, we'll carry on. And hopefully Eldon's, oh, there we lost. Yeah, I don't know. Hopefully, hopefully we'll get you back, Eldon. How are things going there? Are you back?
Eldon Sprickerhoff: I'm back. Not sure what happened there. And so, but I missed all of Ashley's response.
Leigh Smout: That's okay. I can tell you, it was brilliant. I'm going to move on though. And we'll get to the next one. This one is from Petra, and I'm going to take this one. It's very specific, so it needs a true expert. So I'm going to take this one. It's, "What kind of automatic booking system for an accommodation business would you recommend?" I'm obviously kidding about being the expert, because it's for a booking system, I think it's just, Petra, it's just a little too specific to ask our guests. My recommendation, I made it a few minutes ago. Go and take your DNA. Come on through RAP. We will help you find the right partner to deal with very specific things like accommodation booking systems and things like that. So happy to have that call offline. And okay, now moving on to Brett, "What do you find are the biggest challenges businesses are facing during the pandemic regarding prioritization of good cyber hygiene?" I heard hygiene come up in, I think, your talk earlier, Eldon, so?
Eldon Sprickerhoff: Yeah, so I, on our website, I've gone through what basically the NIST, a lot of what the NIST framework has done. And if you are a small, medium or large company, which things do you need to focus on. So you can go to our website esentire.com, and look at it under A Cybersecurity Compliance Perspective. And again, because we've dealt with companies that had different regulatory regimes, but they all focus on the same sort of six pillars of security. And what's generally said, it needs to be appropriate for your size of company, and the data that you're collecting, and who has access to it. So there's some, and I've been answering those questions for several years. So I just decided to make it into a document to help along. It's not eSentire-specific. So it's very much, "These are things that if you are a small business, this is what you need to survive to become a medium sized business."
Leigh Smout: Oh, that's fantastic. I do think there are amazing resources available for those small businesses, who aren't ready yet to be a, just don't have the money, or can't commit as much as they would like to perhaps into some of these tech programs. There's tons of resources out there like that. So like our programs, like what you're speaking about, you've put up on eSentire, and many others out there. So yeah, I encourage them also to take advantage of that. Hopefully they'll come check your website out.
Ashley Lukeeram: Yeah, and just, just one other thing I wanted to add here, when talking about prioritization, let's face it, we have a lot of shortage of skillsets, for all of us to do everything out there. So as you're looking at how to prioritize your efforts, it's important to leverage artificial intelligence, data science capabilities, which are already part of a lot of the commercial products out there. So cyber hygiene, I like it, it's the foundation, right? So you need to know where your loopholes are. You need to know where your assets are, and there are a lot of tools which can help you figure that out.
Leigh Smout: Great, I am going to skip a couple, because I think we've got at some of the answers. So I apologize to anybody who didn't hear their name, I'm going to move to CJ, because this is an interesting one, "What's a rule of thumb to follow to not compromise cybersecurity of your network when the decision has been made to let staff go, but they still have company mobile hardware, a laptop, or a tablet?" Sorry about that. So for instance, now people are being managed remotely, and now you're going to let them go, but they're sitting with their laptop at home, and access and so on?
Eldon Sprickerhoff: Yeah. It's a tough thing, especially if they are in charge of your IT itself. So let's take the not that case. Again, so much of it has, again, is more of a preventative mode. What did they have access to? What's on that computer right now? Is there a way to lock that down? Right before, this coordinated effort is very difficult. I don't think anybody's really mastered it, unless you put things in place that are very stringent, so that if you disable this person's access, they are locked out immediately from everything that they had access to. And you're able to, and no one finds out about it in advance, because usually it needs a coordinated effort on the IT-side. There's a lot of moving parts. Even if that person is in the office, now whether it's a case of you need to get in front of that person's, how do you retrieve hardware when you're not allowed to be within six feet of a person?
There's a lot of issues that are in play now. You need to plan with your HR department, maybe external counsel, depending on how big it is, and your IT department. Make sure that everyone can come together on that plan. And that it is reasonable, and it is legal. You're not allowed to use subterfuge when you're getting rid of someone. And terminating their employment, it's important that things are done in a fair, legal, and ethical manner. And that's even more difficult now than a year ago.
Leigh Smout: Right, got it. Okay. I'm going, we're really pushing the time here. So I'm going to get to this. I had a couple of questions from Ingrid. I'm going to just ask one of them. I think it gets at both in a sense, and it's quite specific. She mentions, "Open ports can be considered a major vulnerability. How can an SME with a small IT budget relatively easily and efficiently find and close them?"
Ashley Lukeeram: Yeah, so, so again, if this is not your core strength, I would suggest start working with the people who do it day in and day out. eSentire is one of them, there's a lot of other managed security providers, who can go and figure that out, and help you close the right ports. The other big thing about this, is you will not find this out if you are doing a discovery once every quarter. You need to put a process in place where it's a continuous assessment of which ports are open and which ones are not. So again, that needs to be part of a bigger program.
Leigh Smout: Yeah, it's interesting, isn't it? These are things that even on a small budget, I mean, for instance, you have to have wifi, so you've got to pay for wifi. There're things you just have to buy, there're services you have to buy now. And so I think, ideally, you find something that's value-based, that gives you what you need. Of course, it's always challenging. It's like buying insurance, like, "How much insurance do I need?" It's always trying to figure out like, "Just what do I need?" But whether budget constraints, even more, so you have to put some effort into finding that right partner that-
Ashley Lukeeram: Yeah, you're bang on. It's basically you're looking at buying your vulnerability management as a service. Let the experts come and do it as and when you need it.
Leigh Smout: To one really super quick question, then one last question, and we're going to have to call it today. Rosemary asked the question that I didn't ask, "What is SOC 2?"
Ashley Lukeeram: All right, Eldon?
Eldon Sprickerhoff: Yeah, it's a service provider security auditing that's performed generally by accounting firms that go through to basically work through a framework to say, "Are there sufficient safeguards in place when handling client data?" And what was the, Ashley, do you remember what it used to be called? I know it was, the long term, I think it was SSAE 16, SOC 2.
Ashley Lukeeram: [crosstalk 00:54:09]
Leigh Smout: Okay.
Ashley Lukeeram: Yeah, and there's different levels. There's type one, and type two SOC 2 compliance. So again, two [inaudible 00:54:17] point comes down to how many safeguards you have to put in place.
Leigh Smout: Okay, and it's a certification essentially?
Eldon Sprickerhoff: Yeah, for service providers.
Leigh Smout: Yeah.
Eldon Sprickerhoff: The big three accounting firms will deploy people. And it's specifically for service providers, because there's, when you're handling client data, they want to have an assurance that you've been thinking about the things that could go wrong, and, depending on the audit, how deeply they investigate, they'll ask questions, they'll push back on the answers and so on.
Leigh Smout: Okay, and then I have a last question I'm going to throw at you guys from Linda and she's asking, and I'm going to insert for cybersecurity, but, "What would be recommended from a cybersecurity point of view for email, marketing and communications for a home-based business?"
Eldon Sprickerhoff: Are you, I'm a little confused. I wonder if they're about the mechanics of it itself, or considering some of the privacy measures that your recipients opt in, opt out, that sort of thing, I'm [crosstalk 00:55:33]-
Leigh Smout: Yeah, I would think it's that latter part, but again, it doesn't say anymore. So I was hoping you'd know?
Eldon Sprickerhoff: Yeah. So there's legislation to limit spam emails and things like this. We could have another hour spent on how well those things have worked. There's things that are much more stringent, I think, in Europe where you're talking about when is data collected, what was the purpose for which it was collected? How was it used, and the framework that you need to keep in mind when you're handling that kind of data? That's well beyond a sort of [inaudible 00:56:19] 30 second response. Again, so much of it will, what's the domicile in which you're located, and where your clients are located? What is that data? What was the intention when you collected that data? Do you have their ongoing permission to use it for that purpose?
Ashley Lukeeram: Yeah, from a confidentiality point of view, I would just add, if you're dealing with sensitive files, you may want to consider adding some encryption capabilities onto your email platform. And that would be really helpful, because basically most of the email communication is open. So if there's a man-in-the-middle type of attack going on, they will pick up those emails, unless they are encrypted.
Leigh Smout: Okay, thank you so much. And I, Linda, I'll just add again, because it's a bit specific by industry, your question. I, again, take a look at RAP. In our blueprint program, we have a whole pillar based on digital sales enablement, marketing and sales, and so on, and some fantastic experts that train you in a workshop setting. So feel free to look us up. And then Eldon and Ashley, it's been very informative. Educational for me, certainly, I hope for our audience also. I really appreciate your time today. And I really appreciate you taking questions from the audience, because I know they can throw a curve ball sometimes, but it's good of you to be able to do that. And I appreciate it.
And just before people sign off, I'd really like to quickly tell them about, I'll tell you all about an upcoming webcast we have scheduled on October 21st at 11:00 AM, we'll be holding the next episode of our RAP webcast series, which is on how to effectively manage your sales team remotely. So maybe that'll in some ways, get at some of Linda's question. And registration for that's going to be open soon. We'd love to see you there. I wish I could see you. This is one of the sad things about the way we're doing this. I love having everybody in the room, but it's great that we're able to get this information out there. Anytime you want to register for a webcast, the folks on here probably know that, but supportbusiness.bot.com, select webinars and videos. Again, Ashley and Eldon, can't thank you enough. Really appreciate your time. And to everybody else, enjoy this wonderful day.
Eldon Sprickerhoff: My pleasure.
Ashley Lukeeram: Thank you.