Having a True Cybersecurity Plan

[00:00:08.890] – Dave

Good afternoon. This is Dave Hodgedon with PCG. I’m here with my guest today, Steve Ripper. We’re here to talk about one of our current events upcoming our cyber Security series. Welcome, Steve.

[00:00:19.690] – Steve

Hi, Dave. Thanks.

[00:00:21.270] – Dave

It’s always a great day to talk security, Steve, and it’s a topic that most New Hampshire and Maine businesses should be very aware of. The landscape is tough out there and a lot of what the businesses are coming across. There’s unknowns out there, Steve. So our goal of this series is to educate them and we want to kind of set the stage for our first series is going to be called the Basic Cyber Hygiene. What’s the minimum that you need in place, Steve? So from a high level, Steve, what are some of the key policies and procedures that should be in place?

[00:00:54.030] – Steve

Yeah, so first of all, it’s really good that we’re doing sort of an overview because really we just got to kind of get awareness out there. It’s easy to go into really deep topics, but this is just more of an overview of what every company needs to be thinking about. So when they need to be thinking about it, we got to be talking about password policies, right. We’re always going to start with password policies. We’re going to talk about MFA. You’re in my favorite topic. Anyone who’s been listening to some of these, we’re going to have some MFA in there. What should you be doing about remote access your backups? Right. What happens at the cleanup portion of things? What if you have to resolve some stuff, if you have to find data or recover data, what do your backup policies look like? Cyber insurance, patching, unsupported computers, really top to bottom from the minute a user signs in to all the way at the very end when something bad has happened and how you clean it up and every single thing in between.

[00:01:51.640] – Dave

Yeah. The statistics out there, Steve, it’s a phenomenal. What percentage of small businesses are being hit? A lot of them just don’t think it’s going to happen. But the data out there from Forbes USA Today, these cyberattacks are happening. They’re coming at you when you’re least expecting or when you’re not working. So it only takes one cyber attack to affect your business. So the goal of this first workshop is we have an excellent security panel to join us and we’ll have some of the key leading people in cybersecurity on this workshop with us. We’re going to go over the cyber threat landscape. As you mentioned, Steve, some of the policies and procedures they’re going to put in place. And a big thing that a lot of companies need to be to get a value where they’re at is what we call the risk assessment.

[00:02:33.540] – Steve

Sure.

[00:02:33.940] – Dave

And Steve, from a high level, what are the few key things that risk assessment is going to bring value to the business?

[00:02:38.930] – Steve

Well, yes, it’s going to bring quite a bit of value. But let’s back up for just a second and talk about that title in the first place, because, Dave, you just mentioned a few seconds ago that a lot of the companies think that this isn’t going to happen to them.

[00:02:50.180] – Dave

Right.

[00:02:50.470] – Steve

Well, what are they doing? Whether they know it or not, they’re evaluating risk. They’re just assuming that their risk is very low. Right, but what we’re coming back and saying that is certainly when it comes to cybersecurity, your risk is much higher now than it used to be. Are you going to get attacked? Maybe not, but your risk is very much more probable that you are going to. And so that’s what a risk assessment does. We understand that you’re probably not going to do everything. We could run up an incredibly large budget and pretty much run you out of business with doing amount of security. It’s not our goal. It’s not your goal. So what we really have to do is determine what are the ones we have to get and what are the ones that we can either think about table or plan against, or sometimes we’re not even going to do it. We’re just going to say that there’s going to be an exception to this. Right. But what we’re doing is we’re going to assess risk. Where are you at on that spectrum? And then we’re going to make recommendations and plans for the ones that you really need to remediate and to fix.

[00:03:54.990] – Steve

And which ones can you table? Okay. And Dave, I’ll just leave it at this. I will tell you that almost every time we do one of these, a lot of times the people who do them with it, they know already what some of the ones that are sticking out. They know before we get to passwords that they should be doing better with passwords, that they don’t have MFA, that they’re not signing into their bank website correctly, that they’re not totally sure that whoever’s managing their backups is actually managing their backups. So they know a lot of them, but then there are many that they don’t know, that they’re very surprised around the questions. So that’s what a risk assessment is going to do. It’s going to really give you a qualitative and quantitative view of what your risk is.

[00:04:34.260] – Dave

Excellent insight, Steve. So we have two event dates for this. It’ll be on Wednesday, May 24, between 830 and 930. And our second event for those that can’t attend the morning session will be on Thursday, June 8, from 130 to 230. Again, this is a huge topic for small businesses about protecting your business from phishing scams in a ransom attack. We look forward to joining our workshop with some of the leaders in the industry, street and everyone have a great day. Thank you, Steve.

[00:05:02.650] – Steve

Thank you.