Cybersecurity: How To Keep Your Business Secure in 2018
Interview with Erik Kangas, CEO of LuxSci
December 21st, 2017.
Stacey: Welcome to today’s episode of Technology Security Insight Series. I’m Stacey Riska, marketing director at LuxSci. Today we’re gonna be talking about cyber security and what your business can do to keep your data and communications secure. Now, there have been a lot of stories about malware, ransomware, cyber threats, phishing, cyber security, and no one is better able to address those topics than our guest today, CEO of LuxSci, Erik Kangas. Welcome, Erik. How are you?
Erik: Hi, Stacey. It’s great to be here today.
Stacey: Great. I am so excited, because I know you’re gonna have … If anybody knows anything about cyber security and keeping data and communications secure, it’s you. Now, in preparing for today’s conversation, I was looking up some of the stats about cyber security this past year, and I was amazed at what I found. I’m gonna share some of the things. Let’s see.
Talking about malware, more malware is being launched every day than ever before. 230,000 new malware samples per day, according to the latest statistics. Did you know that there is a hacker attack every 39 seconds? 64% of companies have experienced web attacks. 62% experienced phishing and social engineering attacks. 59% of companies experience malicious code and botnets, and 51% experience denial of service attacks. The cost is staggering. The estimated cost for cyber crime committed globally is over $100,000,000,000 a year. There are 3,809,448 records stolen from breaches every day, which breaks down to 158,727 per hour, 2,645 per minute, and 44 every second of every day.
Stacey: Right. Now, over 75% of the healthcare industry has been infected with malware this past year, and this is truly staggering. Only 38% of global organizations claim that they are prepared to handle a cyber attack. So, Erik, was any of that staggering to you?
Erik: I mean, in some ways it’s not.
It’s not surprising, because we hear it all the time in the media, the next big one, the next big one. Some things are a bit surprising for reasons you might not expect. Like, I’m surprised 38% of businesses claim they’re prepared for a cyber attack, when I would bet that almost nobody’s really prepared, because nobody can really defend themselves against someone who really, really has a lot of resources. So I think a lot of those people don’t really have a clear understanding of what they’re up against.
I was also surprised about the sheer number of new malware signatures there are every day. I mean, some of that, obviously, is due to the fact that malware can now automatically adapt itself, so you’re sort of fighting an intelligent agent in many cases. But still, it’s very impressive, and it’s why, for example, signature-based systems do a great job, but they can’t stop the cutting edge malware.
The Biggest Story of 2017?
Stacey: Yeah. I mean, this past year, these stories have been all over the media. Malware, ransomware, cyber attacks, hackers. I mean, there were so many stories that the media was covering. Is there anyone in particular that really stood out to you?
Erik: I mean, it’s like being hit on the head with a hammer over and over again every month. I think that they, the most significant one, if you have to pick one, might have been the whole WannaCry fiasco and all of the derivatives thereof. You know, this is something where the government had certain types of vulnerabilities they knew about, and they got leaked, and these leaks were then jumped on quickly to create, essentially, worms to go around infecting machines all over the world very, very fast.
And only hundreds of thousands of people were infected by these, but I think this is the most significant one, because the impact of this was very real and very direct. This brought businesses to a halt. This impacted bottom lines. It impacted patient care and healthcare, and it was the result of vulnerabilities that have been there for years and years across lots of versions of operating systems. So it was real, physical, and immediate.
I mean, lots of other breaches were huge, like Equifax and so on and so forth, but in a lot of cases, those are potential future harm that we won’t really know for a long time what the fallout is, if any. But this was immediate, and it does change the way people look at their vulnerabilities in their systems and the weaknesses that their own machines have. If we have an open vulnerability, we better close it fast, otherwise the next WannaCry could take us down.
Why don’t we do better?
Stacey: Yeah. I find it so interesting, because with all of the technology and tools out there, it’s so surprising to me that there are so many breaches. I mean, why do you think that is?
Erik: It’s almost the wrong way of looking at it. The technology’s proliferated. There’s more and more software and more and more hardware, more embedded systems with all of the IoT devices. So the so-called attack surface, the places that attackers can go try to get their fingers in and try to find that chink in your armor, there are more and more of them. It’s not like we’re fighting a two-front war, where we have to protect this side and that side.
We’re fighting a million-front war, where it’s every version of every piece of software and hardware out there, down to the code in the microchips that we have to protect, and all it takes is a few of the army of hackers to find the latest exploit, and then they’re in. And the defenders are mostly having to fight a defensive war when they try to stop the gaps once they’re identified. And by then it’s kind of too late.
And why can’t you stop it more proactively? It’s because there’s only so many people, and most of the people who are out there running software and creating hardware do not have security top of mind. They have making profit top of mind. [inaudible 00:06:51] viable product out there, getting some sales, and then saying, “Oh, it’s working. Let’s continue developing it.” By then you’re already too late. Your baby monitor may already be hacked.
It’s that kind of thing that’s going on. So the hackers are getting more technology. They’re getting more tools to investigate systems and find bugs. They’re smart. So it’s not like we’re creating new technology, so why can’t we do it right. We’re not doing it right, and the fundamentals aren’t right, and the ecosystem is not right. And while we can try to improve the things we do in the future, there’s so much out there now, they’ll never be right.
There’s machines in people’s closets that will never be updated, that are always gonna be part of botnets for the next 10 or 15 years. It’s just the way the internet works right now, and that’s why you can’t fix this problem easily, and security is gonna become a continuing larger and larger facet of every business.
A little about Luxsci
Stacey: All right. So all of these businesses are dealing with these data and security issues, and there’s new companies popping up every day that seem to proclaim they have the solution. But LuxSci has been around since 1999. That’s a long time in providing data and security solutions. So can you talk a little bit about the changes that you’ve seen and what LuxSci’s been doing since 1999?
Erik: Yeah. Sure. Back in 1999 when we got started, security was an afterthought. It was barely there. It was only in academic circles, and it’s really made a huge progression. I mean, only after 1999 did TLS and HTTPS and these types of connection encryption systems really start to take off. Back then, every connection to everything was insecure. Everything could be eavesdropped on, and nobody cared.
So we started offering TLS solutions for everything. We started offering PGP to encrypt email. We saw HIPAA start to change its rules, and we found ourselves in a great position within existing email security products. So we started tying together all the different things that you need to start to address security and compliance, not just encryption, but logging and authorization and backups and filtering and being proactive.
So that kind of thing has been like a rolling ball down a hill getting larger and larger as it accretes different kinds of great features that you need to really protect yourself, be proactive, and be forensic when things are said and done. Nowadays, there’s a lot of great security frameworks out there. There’s a lot of legislation, but what’s left is that we’re still fighting this war that’s getting harder and harder, because people just aren’t really adequately educated on what they need to do in order to allocate the right resources and the right people in the right places to be effective and protect themselves.
Is it better to outsource?
Stacey: So are you saying it’s better to work with someone like a LuxSci, because you get a comprehensive suite, everything under one umbrella? Because, as you said, there’s just so many things that people need to be aware of when it comes to the security of their business.
Erik: Yeah. In truth, you can do it yourself if you want. You can buy all the software, you could open source things, set up your servers, map out your perimeter, and this becomes your full-time job for $100 a week of just getting this stuff going and making sure it’s done right. We find that a lot of people really like to outsource their risk to a third party, like LuxSci or somebody else, where someone else is in charge of making sure you’re keeping up with technology, that you’re protecting the solutions from attackers, and that you’re applying all the patches and changes and security updates that you need to do.
Every time you do that, that’s one less thing that you yourself have to worry about as a business. Pick a company who you trust, who is focused on security, who can handle certain aspects of your business, and then focus on other things, get your job done.
What will be the big story in 2018?
Stacey: So as we head into the next year and businesses start thinking about their security needs, I mean, do you sort of see that there is going to be a big story of 2018? Or is there … What can businesses do to make sure that ultimately they’re not the big story of 2018?
Erik: Yeah. Well, 2018 will have lots of big stories just like every other year has had so far, and it’s kind of hard to say what it will be. I mean, is it gonna be the next WikiLeaks? Is it gonna be this or that? But in truth, it comes down to a few things. One thing is just making sure that all your systems are updated. I mean, that will stop so many of the problems that we’ve seen. Those who have updated systems are safe. People who have legacy systems, their systems are encrypted by the ransomware.
But beyond that, probably the biggest security problem that everybody has is their employees, lack of education, being too busy, not having the time to care, that causes a great deal of oversight, clicking on the wrong links, downloading the wrong attachments from emails. That’s how most systems get ransomware. That’s how most systems get affected and added to botnets. So employers need to understand this is a fact of life right now. They need to sort of invest: (A) in making sure their employees have the right technology to defend themselves,
and, (B) make sure their employees know what to do, and make sure that they’re paranoid. You have the right training programs. You have to test them. Send them fake malware and see what they do with it. If they open it up, then train them that that’s not something they should do. And if you do that intermittently and you do that for everybody, then people are gonna be paranoid that they’re gonna get caught, and that’s gonna protect them from phishing campaigns.
This is a sort of standard thing nowadays, but most companies don’t bother with this. Most companies are focused on other very important aspects of their business and neglecting sort of basic security training that will go a long way in making sure they’re not the next headline in 2018.
How should one protect email?
Stacey: No, that’s great. And I’m glad you addressed email, because that’s something everybody knows and everybody uses and so it’s interesting how the human element impacts that. So you addressed some things that businesses can do. Let’s talk a little bit more about email. What are some of the things that a business should be looking at when it comes to their email security?
Erik: Yeah, exactly. Probably the biggest thing related to the last question is taking a lot of the decisions out of the hands of their employees. So if you can reduce your risk by reducing decisions, reducing the ability to make a wrong decision, then you’ll stop a lot of problems. And how do you do that? For example, you make sure you have great email filtering for spam, viruses, and so forth, but you don’t put that in your Outlook. You put that on the server before the message ever gets to someone’s computer.
You make sure that you are looking at links that are coming in, scanning them proactively to see if they link to invalid sites, malware sites, phishing sites. You make sure that you have encryption options available to your users, so that they can send that important data somewhere securely, and people can reply to them when they need it. Make sure that it’s easy, make sure they know how to do it, and make sure you even put in some data loss prevention system, so that you can detect, “Oh, social security number. Oh, trademarked work.”
Whenever these things show up in emails, maybe you automatically encrypt them. Maybe you don’t allow them to be sent. I mean, there’s a lot of things that you can do, but whatever you can do to put in policies that are outside of the hands of your end users that just make things work. That’s what you can do to protect yourself from potential problems.
What should people in healthcare be worried about in 2018?
Stacey: Is there anything for healthcare-related organizations that have to do with EPHI and HIPAA? Any other additional things that they should be concerned about or thinking about as we go into the next year?
Erik: Yeah. A couple really big ones. First of all, backups of everything. Healthcare organizations are getting hit by ransomware all the time. Ransomware has no teeth if you have backups of everything, and they’re recent. Because if everything gets encrypted, you just blow it away, and you start from backups, and you have no problem with the media and no problem with trying to find Bitcoins that you can use to pay off the ransomers and so forth.
So make sure you’ve got backups. Make sure you have archival. And also, once again, the human factor. A lot of systems that allow you to send encrypted mail or encrypted messages from one person to another, especially in healthcare, are opt-in, which means it’s up to the practitioner, the doctor, the nurse who is extremely busy to remember, “Yeah, this is a sensitive message.” To remember, “Oh, yeah. I have to type secure, or was it encrypt? Was there a plus there on the subject line?” in order for a message to go securely.
And if they make a mistake, if they mistype it, if they’re distracted, if they have to talk to another coworker, and then come back and hit send, any mistake there leads to an insecure message going out, which can get breached. So once again, if you can take the risk away by removing a decision point from one of your employees, then you’re much safer. So what we always recommend is encrypt everything by default, at least, so that you can’t make a mistake and send it insecurely.
And then if you want, allow people to choose to send insecure messages, and it sort of flips the whole thing on its head. Instead of choosing this insecure and then being in trouble if you forget, you have to choose to send insecure, and then if you forget or mess up, then it’s still secure, and you’re okay. So we always like to err on the side of caution, err on the side of avoiding mistakes.
How can we make passwords more secure?
Stacey: Yeah. Absolutely. Now, when it comes to email, you had alluded to the human factor sometimes being the detriment there. And so I would love if you would address the topic of passwords, because people sort of … The passwords most people use are sort of the 1, 2, 3, right? Or their dog’s name. So talk a little bit about that. How can we make passwords more secure?
Erik: The best recommendations for passwords right now are to pick things that are long and complicated that you cannot remember. And people don’t want to do that, because they have to type them in. So you don’t write them down on paper. You don’t write them down in Notepad, but you use a password manager. LuxSci has a password storage system that you can use to remember all of your passwords and share them out with groups of people, and there are other ones out there like LastPass and OnePass that integrate with your browsers.
They’ll generate the password for you so you don’t have to think of, “What am I gonna think of for a 20-character password?” You just hit a button, it fills in, and it saves it. And so do that, use a different password for every single site, so if you’re at some site that has a great password, but they don’t have security, and it gets hacked, then all that happens is that site is compromised and not everything else.
So picking strong passwords and only using them uniquely with each site are the biggest things that you can possibly do to protect yourself, because that’s what people aren’t doing. But beyond that, use two-factor authentication whenever you can. So you have to get a code on your phone or do something else. So if your password’s compromised, people still don’t have access. Those are best practices that I think that you can do to go even beyond that in terms of analyzing how good your password is or choosing a really good second factor.
But just taking those first steps will go a whole long way in securing things for you. Just to look at some things that happened in 2017, 2016 even, we’ve seen lots of cases where there’s a breach in Yahoo, or there’s a breach in the company security where they give out a password they shouldn’t have in a password reset process. And then that password is used to access your email. And then your email is used to access some other account, and you reset the password there.
And it’s a chain reaction where a chink in one place sort of creates a big crack that goes through your entire identity, and people get access to more and more of your accounts, because they use the same passwords, or they use simple password reset mechanisms where like, “I’ll just send my password to Yahoo!, and then I can get it there.” Well, Yahoo!’s terrible. If your Yahoo! account’s compromised, which I think they all are by now, then all of your other accounts that are tied to that are compromised, etc. So you gotta avoid that through two factor and so forth.
What are the 8 Pillars of Email Success?
Stacey: Okay. Well, you’ve been talking about best practices. So I understand that LuxSci just recently put together what it’s calling the eight pillars of email success. Do you want to talk a little bit about that?
Erik: Yeah. We’re trying to give a checklist that any business owner can look at and understand in plain English that sort of describes, “If I want to make sure that our email system is as robust as possible, what are the things that I should look at? What are the things that I need to check off to increase our security?” And those run the gamut from archivals and backups. Do I have copies of everything? Logins. Does every user have a strong password? Is it all being audited? Am I gonna get alerts if someone’s trying to attack my account?
Can I look back in history at who’s logged in from when, from where? Can I create unique passwords and unique logins for different users to different systems? Do I have adequate filtering? Do I have systems in place that allow me to assert the identity of my domain? Can people send me forged email from other places? Can I prevent people from [inaudible 00:20:35] my email?” So it goes through each of these things and ends up in the last two pillars with something that’s really critical, and that is performing a risk analysis.
And most companies don’t do this. I think the only ones who usually do are the ones who are required by legislation, you know, like everybody in healthcare, everybody who’s public, etc. But it’s really important for everyone, and that just means sit down once a year and look at your entire communications infrastructure and really anywhere where data flows. And sort of write it down.
Where is the sensitive data? Where is it coming from? Where is it going to? Where is it saved? What vendors touch it? What software system touch it? And then based on that, write down all of your risks. What’s the chance that I have a rogue employee who can access this and delete it? What’s the chance that there’s a problem if vendor A goes down? Am I gonna lose everything? If our servers get encrypted, do I have backups that I can restore from?
There’s a long list of possible risks. But going through those will help you then identify, on the next step, what can I do this year to reduce all the major risks? I mean, you can have a lot of risk. Every company does, but it spreads the gamut from things that are kind of low, we don’t really care about, to things that are extremely critical, like “We don’t have any backups.” So you rank order, and then you start knocking them off over the year on getting backups taken care of.
We’re getting encryption to this vendor. We’re switching from insecure to secure email. We’re gonna stop using AOL Instant Messenger. I mean, whatever it is. That’s dead now, but you’ll have this list that you can strike off. So a great business practice is to do a thorough risk analysis and have another set of eyes. You don’t want just your IT guy who’s been doing this for the last 10 years to be in charge of it all.
You want someone else, a new employee, external firm, to sort of go through this with you and make sure you’re not missing things, because it’s complicated, and probably you will. Anybody will. And then don’t stop there, but make sure you’re mitigating throughout year, so that next year when you do the same analysis, you can say, “Oh, yeah. I fixed these 10 things, didn’t really get to those, but they weren’t such a big deal.”
So when there’s three more critical ones, you don’t have this proliferation of problems. You have things that you’re working on managing all the time. And if you are in a compliance situation like HIPAA, and you are doing this and documenting it and working towards it all the time, and if there is something that crops up that causes you problems, you’re much less culpable. You’re not being negligent.
You’re actually trying hard. And the impact with you in terms of bad media or in terms of financial penalties will be much, much less than if you just shoved it under the rug and said, “I bought this, and I’m done, and it’s gonna be fine. Let me focus on my business.” You have to pay attention. You have to do these reviews.
Stacey: Great. So LuxSci has summarized everything that you just went through in this checklist. So I believe it’s a free report that people can download from your site?
Erik: Yeah. They can just go to LuxSci.com/emailtips. Add your email address and some information, and you can download this report.
Stacey: All right. So LuxSci.com/emailtips. You can get your free checklist and make sure that you’re secure and you have these eight pillars in place.
Final words of wisdom
Stacey: So Erik, in closing out, is there any words of wisdom? We talked about a lot of things today with more of a specific focus on email, but sort of any last words of advice you want to leave people with?
Erik: Yeah. Security climate’s terrible, but it’s kind of like don’t be afraid. You have to decide what level of threat you’re gonna protect yourself from. If there’s a nation state after you, all bets are off. But in general you’re trying to avoid, like you said in the beginning, all of these attacks per second, this background radiation of attacks that are happening.
And most of the things that are best practices will put up the shields and block all that noise, your patching, your standard things, your firewalls, that’s gonna stop a lot of that from really affecting you. So in a sense, don’t be afraid to use technology to make your business grow, but make sure that you do it intelligently and proactively and engage in best practices so you’re not caught off guard “with your pants down,” so to speak.
Stacey: That’s great advice. Erik, thanks for coming on today. You shared such valuable information. For everyone out there, if you want to get more information, you can visit LuxSci.com or feel free to reach out to get a free consultation from the sales team. You can reach them through the website or at sales at LuxSci.com. Thanks for tuning in everybody. Have a great day.