Scaling UP! H2O

165 Transcript

The following transcript is provided by YouTube. Mistakes are present. To hear the podcast episode, click HERE.
When was the last time you thought about your insurance coverage? For me, it is not very often, but I know for a fact that you sleep soundly at night knowing that you have it. That means it’s important, and that means you need to understand what it is that you have. It means you need to understand where your liability is, and you need someone that you can trust to have that conversation with.

Several years ago I met Mike Hyam at an AWT convention, of McGowan Insurance Group, and at the time I had our insurance through a local broker who is an extremely nice guy, and we had had our auto policies with him for years, and when I started my company I naturally called him and he got us coverage. The thing is, he did not understand the water treatment industry, so he was giving us the best coverage he knew to get us without understanding the industry. I had a conversation with Mike at that convention, and he asked some very good questions, questions that I didn’t have the answers to, and I’m sure glad he asked those questions, because, folks, I did not know to ask them. But as soon as he asked them, I knew that I did not have all the coverages that I need. Think of all the coverages out there: property, general liability, professional liability, workers’ compensation, employee practices liability. Folks, there’s even insurance for cyber liability, and I have to tell you, I did not know to ask about that one, but Mike did, because this is what he does. He serves the water treatment industry, and he knows that there is a potential liability because of the remote access that we do with our controllers. Not only did he get me the right coverage with the right company, he was able to give me advice on making sure that we had proper policies in effect to make sure that we were protecting ourselves and our customers.

A lot of insurers can only write through one insurance carrier. McGowan Insurance Group represents dozens of carriers, like Donegal Insurance, and when we go to renew, I can’t tell you how awesome it is that they are able to look at multiple suppliers to make sure that we’re getting the best coverage, but we’re also getting the best value. I know without a doubt, because McGowan Insurance Group understands the water treatment industry, that we are getting that each and every time we renew with them. They do liability, benefits, bonds; they are a full-service agency. Give the fine folks at McGowan Insurance Group a call today and tell them that Trace sent you, or visit them on the web at m-c-g-o-w-a-n-i-n-s-grp.com.
Welcome to Scaling UP! H2O, the podcast where we’re scaling up on knowledge so we don’t scale up our systems. I’m Trace Blackmore, the host of Scaling UP! H2O. I’m also very pleased to say that I am the recipient of the Water Technologist of the Year award by the Association of Water Technologies. I have to say that’s hard for me to say; I never want that to come off as bragging, but I really feel like this is our award because of all the things we do within the Scaling UP Nation, so that’s why I am so proud of that and I want to share that with you.

You know, I’m still getting comments over the work that my team did during Industrial Water Week. So many people have commented on trying that water cake, didn’t even know that that recipe was out there. So many people loved Detective H2O and Dr. H2O, and so many comments about what our family members actually think we do as water treaters. It was a lot of fun to put all those shows together. I am certain that that was our best celebration of Industrial Water Week ever, but it does beg the question: what are we going to do next year? And I want to say this year is going to be very hard to top, but I thought the same thing last year too. I’m going to ask for you to help me with that. What are some ideas that you have so we can start planning for that, for the next Industrial Water Week? By the way, that’s going to be October 4th through 8th in October next year, 2021. By the way, that’ll be my 24th wedding anniversary, that Monday, October 4th. So what do you think we should do next year to top this great batch of shows that we just delivered this Industrial Water Week? I’d love to hear your ideas.

And I can’t believe that we’re in the middle of October already. October is almost over. It seemed like we were all waiting for Industrial Water Week, and all of a sudden that came and went, and pretty soon Halloween will be there. 2020 is almost over, and quite frankly I think we’re probably all very thankful 2020 is almost over, but I know that you have accomplished a lot this year despite all the challenges that 2020 has brought. So here’s what I want to ask everybody in the Scaling UP Nation to do. I want you to take an evaluation over how 2020 was going, and I know you’ve got tremendous accomplishments this year. I want you to celebrate that. I then want you to look at this last quarter and say, what do I need to do to achieve my highest priorities during this last quarter, coming off the accomplishments that you just looked at for 2020? I think that is a way to supercharge how quarter four can go, and it also gets you ready to plan for 2021.

Now, if you remember the Rising Tide Mastermind, you know that we go into high gear after the beginning of fourth quarter, because we want to make sure that we are properly planning for the following year. Well, this year the Rising Tide Mastermind is doing something a little bit different. We’re not looking at next year; we’re looking three years out, and we are making statements about what we have accomplished over the last three years when we are in 2023. Now, we learned last week with Chris McChesney of FranklinCovey company that when you think in the positive, when you tell your brain things that you have already done, as if you’ve already accomplished them, the brain just starts working in a way that helps you complete that. Well, that’s what we’re doing in the Rising Tide Mastermind. We’re holding each other accountable to that, and we’re helping each other get there, and we’re going to celebrate those wins when we all cross that finish line. But that doesn’t mean that, even though you’re not a member of the Rising Tide Mastermind, you can’t use that same line of thinking to do the same goals yourself. So please play along with the Rising Tide Mastermind. Where are you going to be in three years? Write it in a statement like you have already accomplished it, and then figure out, each and every quarter (you’ll have 12 quarters to get there, 12 weeks), and every quarter, what do you need to accomplish so in those three years it will get done. I tell you, when you start doing that, when you start planning based on quarters, start planning based on weeks, and you can check things off, you can see how you’re keeping score, that is how things get completed.
Let me switch gears just a bit. Have you ever experienced, or know someone that was, cyber attacked? Well, I have. It was a good friend of mine, and all of his data was being held hostage for a ransom because somebody opened an email that they shouldn’t have opened. Now, I saw this email; there is no way that this looked legitimate. It was just somebody clicking that wasn’t paying attention. And imagine that. Imagine if all your data was locked up and you did not have access to it. Imagine if you were responsible for a customer experiencing that. Imagine if your kids open something at home and now all of your passwords are suddenly on the dark web. Have I scared you enough yet? After all, it’s close to Halloween. Well, today my guest is Keon Williams of Cyber Leadership and Strategy Solutions. He’s going to talk about that these things really do happen, but more than that, he’s going to give us some solutions on what we should be doing, how we should be educating ourselves, how we should be training people in our company, people at home, so we can mitigate the risk against cyber attack. I know you are going to learn something today on this episode that you are going to immediately do before you go to bed tonight. So please enjoy my interview with Keon Williams.
Scaling UP Nation, as you know, technology makes our life so much easier, but there are also certain things that come with that technology, and of course that’s people trying to do harm using our technology against us. So our lab partner today is Keon Williams, and he is an expert when it comes to cyber security. Keon, how are you today?

I’m doing great. It’s a pleasure to be here.

Well, we are so glad that you are here, because there are so many misunderstandings out there of how to keep our company safe, how to keep ourselves safe when we are using these wonderful devices that save so much time and make information so much easier to access. But we also know on the back end people are trying to use it against us. They’re trying to get information, they’re trying to break into areas, and when it comes to most of our audience, we’re really good water treaters, but we do not know what to do when it comes to protecting ourselves. So I’m hoping through our conversation today you and I can help many people out there in the Scaling UP Nation with what to do about that. So, Keon, if you don’t mind, would you tell us a little bit about yourself before we get started?

Sure. The short version of a long story is that my professional career started out in the military. So I was a chemical weapons specialist in the US Army for eight years, which allows me to understand some of the parallels between water treatment professionals and cyber security, just because of my interaction with chemicals and green gas that would melt your skin off. For the last 20 years or so I’ve been working in cyber security. So I started out at the bottom; over time I worked my way up to the top, and I have a pretty broad understanding of how businesses of all types use technology to advance their business objectives. For the past eight or ten years I’ve been focused exclusively on security leadership, so I’ve been a security executive, I’ve taught security executives how to do their jobs, and a significant part of my time now involves just spreading the gospel of cyber security. And so from a public speaking perspective, I have a great opportunity to speak to all types of industries, all types of organizations, and just help educate people about good practices, good procedures, things that are going to protect their organization from harm related to some of the cyber security threats that are out there.
Well, as I said at the top of the show, I know we are going to educate a lot of people today. I’m kind of curious what kind of similarities and differences are there in working with green gas that will melt your skin off and cyber security, because I’m sure they’re out there.

Well, you know, it all comes down to awareness. If you think about, in a military situation, uh, one of the great things that the Chemical Corps does is protect people and provide early warning that there’s some kind of chemical or biological attack. And so we used to have these great devices that you would put at a distance, and based on the wind speed and atmospheric conditions, that would determine where you put the alarm. But the alarm was really an early warning system. When you hear the alarm, everybody knew the movements to execute, the alert to give, and it triggered, you know, the entire force to put on their chemical masks, and then depending on the type of agent that we were dealing with, you might put on your full chemical protective gear. If you apply that same approach to security, ideally you want to have early warning systems that trigger some kind of alert when there is a security incident or some type of attack, and then based on the scope of the attack, people are going to jump into action to contain the threat, to provide remediation, and to restore operations as quickly as possible. So the work that I did in the military actually has a very close parallel to the profession that I’ve selected post-military and continue to educate people about.

Well, I’m sure we are going to dive into many of the things that you just mentioned there. I would like to address, before we start having the conversation: I’m sure there are people out there today, there are many that own businesses that are listening to us in this country and in other countries, and they get it. They understand, hey, I need to understand this so I can protect not only myself but also my customers in the business. But there are some other people out there that are servicing accounts, and you know, they probably use a smartphone, things like that, but maybe they don’t have direct access into databases and servers. Why should they pay close attention to today’s conversation?
You know, cyber security is for everybody. Um, you know, if we take it all the way down to the bottom of the spectrum, you know, cyber security should be taught to elementary school children who are starting to use tablets, because the tablet then becomes the gateway into the home environment. If people are working from home now, you’re exposing your corporate computing resources to compromise because your child clicked on a link that was on a tablet and they were just playing video games, and it messes up the entire ecosystem. And the idea of an ecosystem is really what we’re talking about. And so for people who provide professional services, for people who are employees, all of the devices that are in their personal ecosystems are ultimately going to affect the organization, depending on how well or how poorly you protect those devices, keep them clean, keep them sanitary. And you know, the idea about hygiene and sanitation is very relevant to water treatment professionals, so I think again it’s a great parallel, where we’re thinking about keeping our devices clean and sanitary and safe from harm, because any negative agent, you know, any pollution that we introduce into the environment is going to affect everything.

Something I find very interesting, and you and I were having this conversation when we met originally, was that Target, when they had their hack a couple of years back that really devastated a lot of things in that company, that hack was achieved by the hackers finding a back door from the HVAC contractor that their store was using. So I think that that’s very similar to how we control our products using controllers and using internet to control our programs. So you have more knowledge than I do about that particular attack. Do you mind sharing with the Scaling UP Nation a little bit of the particulars around the Target attack?
Sure. Well, at a high level, what I’d like to do is avoid picking on Target, because people have been attacking them and using them as the use case for years. But Target is actually one of many companies that has had some kind of data breach or security incident because they just didn’t do a great job of vendor risk management. And so if you look at NIST, the National Institute of Standards and Technology actually has some great guidance that talks about cyber security supply chain risk management. If you google C-SCRM, it’ll take you to some great resources. And I think if we move away from Target as a specific case and think a little more broadly, because not every organization is going to have an HVAC vendor that has a portal where access control could introduce some things, your supply chain plays a huge part in the success, or lack thereof, related to your security program. You know, when you think about your supply chain for a water treatment facility, or you think about your supply chain just for a regular business, every third party that exists outside your organization that has to have access to your facility, whether it’s remote access through a VPN, whether they’re using remote access to provide updates and patches to your industrial control systems, whether people are just walking into the facility with a laptop because they’re going to provide a patch or have some other interaction, all of those outsiders who are coming into your organization potentially introduce some level of risk. And the way that you consider, how am I going to evaluate that risk, how am I going to understand it, what am I going to allow or not allow, is going to play a huge part in the long-term success of a lot of organizations.

What I think would be a very interesting case study within the context of this conversation is if you look at the, um, nuclear plants in the Middle East where there was a large attack that was facilitated against them. That was actually a closed system that didn’t have internet access, and the thing that was the root of that security incident was not that a third party did some kind of internet-based attack, but it was that a user took a USB drive into the facility, and now we’ve broken the boundary, so to speak, because a trusted insider brought an untrusted device, plugged into the environment, and that’s how the attack was spread. And so it causes you to consider, regardless of the organization, what policies and procedures and protocols do we have in place that are going to help us consider all of the attack vectors that we’re facing, but also how do we educate our employees? You know, people do security awareness training and the entire conversation focuses on phishing, but you don’t always think about, you know, maybe we’re not receiving emails, you know, maybe most of our users aren’t even touching a computer. But what happens when a user sees a USB drive, they stick it into a computer and see what’s on it, and what’s on it secretly installs some kind of malicious software that allows an attacker to gain access or shut down the SCADA systems? That could be a problem that’s really preventable simply by providing education, making sure that people are aware that those types of threats exist.
Well, you mentioned a lot of stuff there, so I want to try to unpack that a little bit, or ask you to unpack it. So what kind of procedures could we have in place? Because I’m just like the guy that you described. If I see a jump drive that’s sitting on my desk, the first thing I do is I stick it in my computer to see what’s on it, and that might have been set there for exactly what you said, for somebody to infiltrate the security that we do have. So what does a policy look like when we’re looking at USB drives?

If you look at USB drives specifically, one thing that we did when I was at the Centers for Disease Control that worked out really well is we had a trusted device policy. You know, there were specific USB drives that we were allowed to plug into our computers. The USB drive had the fingerprint reader, it had a specific design, it had, um, branding that everybody recognized, and then the USB drive required, you know, advanced registration with a central authority so that we could do virus scanning on the devices, so that even if I took that USB drive and plugged it into a computer somewhere else, before I plugged it back in the corporate computer there was a scan that was done to make sure that there was no malicious software on there. Companies could purchase those. Um, you know, it’s worth the investment. If you think about Atlanta, and Atlanta had a ransomware attack, and there were multi millions of dollars that were spent for remediation, the cost of secure USB drives is ultimately going to be much lower than the impact of having a ransomware attack or a data breach or some other compromise that shuts down your SCADA systems.

Well, Atlanta would probably be able to afford, I would say, more than what most of our listeners would be able to pay out for something like you described. So does that mean it’s out of reach for the rest of us?
Well, prevention is the best medicine. You know, if I put my public health hat on, there are a lot of things that the CDC advocates for to prevent things from happening, instead of the amount of time that you would spend on remediation. Um, you know, thinking about the audience and them being water treatment professionals, the same thing applies. I would rather prevent the distribution of disease, because we are treating the water and making it safe, than to drink some water that is not really very attractive and then I have to suffer the aftermath of infectious diseases or other things simply because we didn’t take the right approach to make sure that the environment was clean, or in this case, with the water example, make sure that the water was clean, was potable, and was safe for consumption. You know, it’s the same idea. In both perspectives we’re thinking about what is the right thing to do to protect the consumers of our product, and in the water treatment case we’re treating water; in my case, from a security perspective, we’re making sure that the systems that are available to support operations are clean, that they are safe, and that they are performing as intended, simply by taking some preventive measures.

If we were to attempt to write a standard operating procedure on bringing a foreign device like a USB drive into a company network, what are some of the things that we should include in that?

Um, if we start simply, and so, you know, my simple approach is let’s not spend a million dollars when five dollars will do.

I like that approach.

The, uh, the most reasonable thing that you could do is have a designated computer and say, if you were not absolutely sure about what’s on this device, we’ll use the computer to look at the device, look at the files that are on the device, and make sure that it’s not going to bring any harm to the organization. Now, there are vendors that do this. You know, they build special computer systems, but at a very simple level it’s really just a matter of taking a computer that you already own. You know, maybe it’s an older computer, maybe you’ve done a technology refresh and you have some computers that are sitting around in a closet. You know, having that designated machine and then having a procedure that says, if you are not absolutely sure, plug into the machine, and then the machine will have the capability to scan the device, identify what’s on it, identify, you know, what, uh, routines are executed when you plug that USB device in. It’s now going to give you a central repository to interrogate, scan, and make sure that it’s safe before you start plugging it into the real corporate computers in the environment. And it doesn’t take a lot of effort or a lot of financial resources to set that up. Now, if you’re in a larger organization and you want to take it to the next level, again, there are vendors that will do that. Some of my friends work in oil and gas or in large manufacturing facilities, and so there are vendors that tailor solutions for that, because in their context you might have 65,000 plant employees who don’t normally use a computer, but if they come across a device or they need to use a computer, there’s still a solution in place to make sure that those infrequent computer users still understand the procedure, and their infrequent use doesn’t cause a major disruption to operations.
Another topic you mentioned earlier was phishing, and I was just on vacation, and one of my trusted employees received an email that looked like it was from me stating that I was away and I needed him to transfer funds. Luckily we had training on this, and we talked about this, and he didn’t. The email was close enough that if you weren’t looking you would think it was mine, but in further investigation you could see that something was off about it. So nothing happened with that, but I know that they would not do things like that if they weren’t successful. So can we take a moment and talk about, one, what really phishing emails are, and how we can protect ourselves against those?

Sure. If we go back to the beginning, phishing is just another permutation of spam. And so spam historically was just unsolicited email; that’s why you ended up with the CAN-SPAM Act, and you know, it was meant to provide some kind of regulatory penalty for sending massive amounts of unsolicited emails to people. And over time what people have figured out is that if I target an organization, or I just cast a wide net and send billions of messages to people that has a link that’s going to produce some kind of negative outcome or an opening into the organization, that even one or two percent of a billion is still a lot of people. And so spam has become, well, spam and phishing have both become very lucrative for organized crime and for criminals who want to make a quick buck. As time has progressed, the phishing messages have become more and more targeted, to the point that they will do research about the organization, kind of understand how you communicate, what is the industry that you’re in, so that they can craft a message that looks more and more relevant. One of the things that I see very frequently, and I’ve even had to educate my employees about, is that we use voice over internet phones, so VoIP; nobody actually has a real phone on their desk. All of the phone calls come in through the computer, and if you don’t answer the phone then you get an email with an attachment that is the voice message, which really increases the effectiveness of our interactions with the phones. It makes things much more convenient, but if somebody happens to send a message that says, hey, you missed a call and you have a voicemail, and it’s crafted to look similar enough, it is possible that somebody would actually click on an attachment. Now it’s not just a link, and then that attachment could have a malicious payload. And the best countermeasure for this is just training. You know, the more people are aware of what things should look like versus what things could look like that are close but not actually the right format, the right formatting, the right header, the right logo, or even just the ability to look at the link that’s in the message and make sure that you look a little deeper and make sure that it’s actually going where it says it’s going to go, all of those are going to be things that help you, from a practice perspective, avoid the negative impact or the negative consequence of phishing messages. And then for the organization to have the budget, there’s always a tool that is going to help with that. So you have things like Proofpoint, you have solutions like SolarWinds that you can purchase from a vendor, from a consultant, from a third party organization, where they actually install those tools in line on your mail server, and they’ll do a lot of the work for you, which drastically reduces the number of malicious emails that would actually get to your users on their mobile device or on their computers.
I think I’m safe to say that most people are familiar with Outlook or Office 365. So are there things that we can do in the settings of that program to help protect us?

One thing that would be constructive is to talk to the IT team or your email administrator within your organization and just ask them to turn on the feature in Office, and I believe this also works for the G Suite for those organizations that are using Google, but you basically just get a message at the top that says this message came from outside the organization. For the use case that you provided, where they’re pretending to be you, if the header at the top says this message originated outside the organization, well, they know it didn’t come from you, because if it came from an internal employee it wouldn’t have had that message on. What some people are finding are that users are getting desensitized to that message because they’re used to seeing it, so the additional practice that I would recommend is that the IT teams that are managing this feature, you know, periodically change the color. You know, maybe sometimes it’s white text inside of a bold background, you know, maybe change it from blue to red to yellow to hot pink to lime green, so that the message continues to stand out. But ultimately you want to draw the attention to your users the difference between something that came from an internal corporate employee and something that came from an external employee, and that’s really going to cut down on messages that appear to be from the CEO and tells the CFO to wire a million dollars to the Cayman Islands. Well, that’s not really legitimate if that message came from outside the organization.

A friend of mine about a year ago, uh, was trying to access his information and he was a victim of a ransomware attack, and he was not prepared for it. And since that time we’ve tried to do some things, because his story really scared me, and I’m sure you’ve been involved with other people that have suffered ransomware attacks. Can you explain a little bit about what that is, and then what we need to know about it and what we should do about it?
Sure. So ransomware very often ties into the conversation that we had about phishing. And so there are statistics from multiple organizations, but on average about 85% of your ransomware attacks start with a phishing email, and somebody clicks on a link, or there’s some kind of, um, payload or something that executes when you open the message and interact with it. And so, you know, the conversation that we had about email security is a good start to reducing the likelihood that you’re going to face the impact of ransomware. And then the other part of the equation is going to be preparation. You know, we talked about water treatment and you’re preparing things in advance. We talked about the alarms that we had when I did chemical weapons that notified you in advance. Any early warning system that you have that is going to identify the ransomware is happening is going to increase your capability to contain it so that it doesn’t take over the entire organization. Um, at a technical level, what many companies should do is think about network segmentation, so that you are isolating different things on the network, and so that something that happens in one area does not automatically affect other parts of the organization. For people who store, process, or transmit credit cards, they’re often familiar with this because of PCI compliance, because the payment card industry, that includes Mastercard, Visa, Discover, American Express, from a security and compliance perspective, they require that anything relating to credit cards should be isolated from other things in your business operations. If you take that same concept and then apply it to your entire organization, the SCADA and ICS components of the organization should be on a different segment or portion of the network compared to your back office systems, compared to your servers if you have servers in the environment, compared to the workstations that are in the environment. And the more you separate things, the more you can reduce the impact of ransomware when it occurs, and then you allow your response teams, whether it’s corporate employees or a third-party company that you selected to work with, now the response team can focus on a specific area while things continue to operate in other network segments that weren’t affected by the ransomware.

Another thing that contributes to this equation is just having good backups. What tends to happen, and I see this when I have my consulting hat on, is that a lot of organizations have no idea where their data is. They have no idea what the value of that data is, and there’s no formal standard for classifying data, for backing data up, for testing the backups to make sure that you can restore them. You know, that standard business continuity planning is going to be very valuable when it comes to ransomware, because sometimes even if you pay the ransom, the key that they give you to get all of your data back doesn’t work, and so now you’ve paid the ransom and you still can’t get your data back. The countermeasure for that is just to have good procedures for backups, have the capability to restore your information, and that’s going to expedite the process for recovering systems and services and getting back online. And then the network segmentation is hopefully going to reduce the impact of the ransomware altogether, because it would be much easier to address, you know, maybe five, ten, fifteen systems being affected instead of a hundred percent of my environment being affected.

And the example that I gave in the beginning, uh, my friend did pay. They found it was easier just to pay for the ransomware. And for those of you listening that aren’t familiar with that, uh, there was something installed on his computer. He went to access his data and it didn’t give him the right to do it. It said you have to contact these people and pay them money in order to get access to this file. So he figured the easiest thing was just to deal with it. They didn’t ask for a tremendous amount of money considering, uh, the project that was being held up because of him not being able to get to the file, so he paid it. He was able to access the file, but then months later the same thing happened. What should he have done?
if we look at it from an ethical
perspective and i have this conversation
with attorneys and some of my security
executives
who are colleagues and friends of mine
from an ethical perspective
it’s not recommended that you pay the
ransom because most of these ransom
payments are going to organize crime
so by paying the ransom you’re just
facilitating more crime
and you’re increasing capability of the
organization
that took the ransom from you to now do
this to other people
if you have good backups and you have
good business continuity planning
that would have been a better
alternative because the money that your
friend spent on the ransom
would have been spent on the recovery
efforts to restore
their operations and there would have
been a higher degree of confidence
that everything is just working like
it’s supposed to work um a nuance for
backup
and recovery is that part of the process
should be
to consider what was the source of the
ransomware so that when you do restore
your capabilities you’re not restoring
back to the same state that allowed the
ransomware to occur you want to actually
improve your practices
so that your restoration also adds some
new measure
of security control that prevents the
ransom from happening again
it sounds in the use case that you
provided that the ransom was paid
but there was no change in the practices
and so theoretically there’s nothing
that prevents them from getting a ransom
letter
every quarter every six months and now
this organization
becomes part of the economic drivers of
the criminal organization
that keeps attacking them you’ve
mentioned back up
several times what are some procedures
that we
should be using in our companies
around backup and i’ll ask this what is
the minimum that we should be doing and
then what’s the most extravagant we can
even look at
What I would recommend to any business is to take the time to do a business impact analysis. One of the things that my company does on the consulting side, because my company does consulting and education, on the consulting side we advocate that people take the time to do a business impact analysis and really understand how does the business operate, what technology does it depend on to operate, and what information is necessary for the company to operate. And that’s going to boil down to your mission essential functions. What some companies tend to do, and this is much more prevalent in small and medium businesses, is that they back up everything, and then that starts to eat into their capabilities, because you’ve backed up so much data that now you have to pay for extra storage, and the process for recovering that data is extremely slow. In an ideal sense, if you’ve done the business impact analysis, then you can say that this bucket of data, which is some percent of the whole, is what’s really important. This is what we’re going to back up, this is what we’re going to test regularly, this is what we are going to make sure that we have the capability to restore if there is a power outage, if there’s a ransomware attack, if the building collapses and we need to restore it. The practice that I’m talking about is not exclusive to security, but it’s really going to provide the capability for any organization to continue their operations after any type of disruption, and realistically, you know, ransomware is one type of business disruption. The beauty of the business impact analysis and having good contingency planning is that regardless of the disruption, you have identified your mission essential functions and you have identified capabilities to make sure that you can restore those functions as quickly as possible.

The other answer to your question is that once you identify your mission essential functions, now you can start to think: how much storage do I need? You know, do I have a backup server within my organization, do I put it in the cloud? There’s nothing wrong with the cloud, although some people will argue that it’s very scary. The important thing related to the cloud, especially if you’re using it as a backup solution, is that you are very intentional about access control. Not everybody needs to have access to your backup data, and then you also need to make sure that whatever controls you have in place in production also exist in the backup environment, because data is just data as far as computer systems are concerned, and you have to make sure that you protect that data everywhere that it exists. If you get that right, what you have is you’re protecting all the data while you’re using it in production, then you’re protecting the data in whatever backup location is appropriate for the organization, and when you need to restore the data you have confidence that it is the right data, you know, we haven’t violated integrity, it is going to support your operations, and then you just restore it and keep moving. And once you get into that good rhythm and those good practices, you should be able to restore things within a timely manner so that your core operations don’t realize a significant impact. I can’t say there’s no impact at all, but the objective is to make the impact as small and as manageable as possible.

So for somebody listening today and they say, that business impact analysis sounds like something that I’ve never thought about before, but I need to look into this, what advice do you have for them?
There’s two approaches. They can hire an expert, and so obviously my opinion is biased because we are those experts, or they can just read best practices. There is a document from NIST, and NIST is not the only source of wisdom related to cyber security, but for those people who are in the United States, and even people globally, you know, the American tax dollars have produced a great set of documents that cover everything that you ever wanted to do from a security perspective. And so if my intention as a small business owner or a medium business owner was to develop my own business continuity plan, the NIST Special Publication 800-34 is going to at least give the overarching guidance, and even if you seek help from experts, you now use that NIST document to frame and guide your expectations for what they’re going to produce. And so it tells you, you know, how do you do the business impact analysis. At a high level, the 800-34 tells you how to start to build your contingency planning, and then if you need help from an expert, now you’re not allowing the expert to tell you everything. You’ve at least developed a basic level of knowledge about what should be produced, what I need to consider, what’s the information that I need to start gathering, so that the consulting fee is reasonable and you have some level of confidence that what you get from the consultant that you hire is actually going to be valid and relevant to meet your needs.

Well, Keon, you’ve provided me with that document for contingency planning, so we’ll get that on the show notes page. So, Nation, if you want to download that for absolutely free, you can go to the show notes page and you can do that. And Keon, thank you for providing that.

Sure. The objective is to make sure that everybody has as many resources as possible without having to pay for them. If you go to csrc.nist.gov there’s actually an entire catalog of security standards that you can look at. What we’ll do in the show notes is make sure that you have things that address what we’re talking about specifically, but for people who are curious, there are hundreds of documents that talk about hundreds of security types, and all of those are freely available.

Well, thank you for that. I want to ask you one question and then I want to shift over where we can really help a lot of people in the Scaling Up Nation, which I think we’ve done on this episode, but I want to describe the systems that we have in almost every single one of our accounts, where there is a microprocessor controller hanging there on the wall. It’s feeding our program, and we have access either into the internet, and sometimes it’s through a wireless card where it has its own cellular connection, that we probably have less to worry about, but sometimes it goes into the actual company’s internet where it resides. What are some things that we should be doing to protect not only our customers but also ourselves?
Part of the answer is addressed by our conversation previously about network segmentation. I think another part of the answer is just access control. You know, if you very strictly control access to the device, and control access between the device and the network components that it is communicating on, combining that with good network segmentation, maybe adding some encryption on top of that if you have the capability. Not all of your industrial control system solutions are going to support encryption, but network isolation is going to be something great that you can do at a corporate level. When you get to the end users, making sure that only the right users are interacting with those components is also going to be very important, and that’s going to be valuable as a corporate practice. It’s also going to be valuable for your employees to get into that habit of only allowing the right person to touch the right things. And so at home my children shouldn’t touch my work computer; at work I shouldn’t allow other people to use my credentials to do things. And as that becomes part of the ecosystem, now security rises to the same level as safety does in a manufacturing or a SCADA environment, where, you know, for my manufacturing clients we have a safety briefing about ladders or something related to safety before I even open my mouth to talk about cyber security. I think it would be valuable for people to start to adopt the same ideas, where, you know, there’s a cyber security minute and people are constantly reinforcing good practices and good behavior, because the practices and the behavior are going to help reduce your risk drastically.

You’ve mentioned kids a couple of times, and I just can see that somebody’s on a tablet, a young person, and they just want to open something and see what it is, and we don’t know what that’s going to do to allow somebody access to our information. So what can we do at home to protect ourselves?
The best advice that I can give home users, especially if they’re taking corporate work home, is to have two separate networks. In my house, for example, I actually have three separate networks. And so I have one network for all of my IoT devices, so my smart TV, my smart home devices. My wife is thinking about getting a smart refrigerator, but it makes me very nervous because I think that’s going to be the root of a lot of problems. But all of those smart home devices are on their own network that is isolated from the computing devices. Because we do homeschool, you know, I have a lot of children that are always on a computer. We have a homeschool network set up for my wife and my children to be on a network that is separate from the third network, which is only for corporate activities. You know, we’re blessed to be able to do work from home. Sometimes people come to the house to conduct business, but any business that is done is on a completely separate network that is isolated from the smart home devices, that is also isolated from the personal and homeschool devices. But that separation now prevents, you know, somebody doing something on one of the personal devices from affecting any of the devices on the corporate network, because everybody is in their own isolated swim lane. It should be the same thing that people are doing in a corporate environment, where I would not allow guests who come to the office to connect to the corporate network. We have a guest network for that. So we’re just taking the same principles that you would apply in a corporate environment and applying them to a home environment.

You mentioned password sharing earlier, and in a corporate environment, in a home environment, you have access to something and you want somebody else to do something for you, so most people just say, hey, here’s my login credentials, go ahead and do that for me.
What should we be doing?

So the Super Bowl was interesting, because most of the commercials were horrible, or I’m just too old to understand them, but one of the best commercials in the Super Bowl, if you reflect back to, you know, the catalog of commercials that were available, is, I think, for the 2020 Super Bowl, this was the first time you had a commercial where the company paid six million dollars, and the company was a password safe. And so I think it’s the beginning of something great in terms of just increasing the awareness of the value of password safes. I like LastPass; they have a free version. But LastPass isn’t the only solution, and the company that did the Super Bowl commercial, I tip my head to Dashlane for investing what it takes to have a Super Bowl commercial to raise awareness about the value of password safes. But the great thing about a password safe, regardless of the company that you use, all of them have the same functionality, where the password safe is going to have a database of your usernames and passwords, and it is going to make sure that you do not use the same password for more than one item. What that does is it prevents a situation whereby, what you tend to see with a lot of people, and this is corporate users and home users, is they will use the same password to log into Facebook, Twitter, their bank account, and their desk at their computer, because of something that they have memorized. But if any one of those items gets compromised, now the people who broke into your Facebook account can log into your bank account, because your username is your email and you’re using the same password across multiple services. The password safe is going to stop you from doing that. It’s going to warn you when you use the same password for multiple things. And the great thing about modern password safes, regardless of the solution that you choose, is they will just generate a random password and then know what password goes to what accounts. And my default configuration now is that I have a random 25-character password for everything that I log into, and the only password that I need to remember is the password for the password safe. Then technology takes over, logs me in, and if I need to share a password, for example, my wife needs to know where the life insurance is in case something happens to me, that password is in my name, but through the password safe my wife has an account also, and I can share that password with her. She never sees the password, but she can log in to the life insurance account if she ever needs it.

Keon, we have covered a lot of ground today. I think we’ve educated a lot of people, and not only that, we’ve given them some handles that they can actually start improving what they’re doing. But I want to ask you, if somebody just tuned in right now, what’s the one thing you want them to get from this discussion?
If I boiled it down to one thing, it’d be: be careful out there, and you don’t have to click on every link. You know, very often your security compromises are really just playing on human curiosity. You know, people click on links because they got a message that looked interesting. You know, back in the day when people used to send e-cards, that was a great tool to get people to click on a fake message, and then you have horrible things happen to your computers. And the don’t-click-on-everything applies to home users, it applies to consultants and contractors, it applies to corporate users. If we extend this into just the corporate environment, kind of thinking about the audience, and we’re dealing with, you know, people that work in industrial environments, I highly recommend that everybody who works in an industrial control systems or SCADA environment, you know, takes the time to at least look at NIST Special Publication 800-82. It is a guide to industrial control system security, and it would be a great just user awareness tool to make sure that all the people who are working in the facility, whether they touch a computer daily or they touch a computer infrequently, kind of understand how everything is put together, how you secure the environment, how you keep it secure, and you keep your operations technology secure. Because all of these things, like we do with safety in an ICS environment, that awareness of cyber security practices and how things should be is going to make sure that things are how they should be much more often, and everybody can contribute to success.

And that was another document that you shared with us, so we’ll make sure that’s available on our show notes page as well. Well, let’s shift gears one more time, because now I have some lightning round questions for you, if you are ready.
I’m ready.

So now you can go back in time and you can visit your former self on your first day as a cyber security expert. What advice would you give yourself?

If I went back and I saw my old self, I would encourage myself to dig into business practices sooner than I did. It took me five years after I started as a cyber security expert to even think about getting a business degree, and the business degree is the best thing that I’ve done professionally, because everybody who receives everything that I do is a business person, and my communication with them improved drastically once I explored it at an academic level and then started just doing it in practice.

What are the last few books that you’ve read?

My favorite books right now, and I’ve read them all recently: number one, This Is Marketing from Seth Godin. I’m a huge fan of Seth. His book Linchpin actually helped me become an executive, and the wisdom that I got from that opened my first opportunity into security leadership. The second book, I just got it, I just cracked it open, but it is awesome so far, and it is Securing DevOps. That’s not going to be exciting for most people, but doing security in the cloud is where everything is going, and so this has been a great read to understand, at a technical and at a business level, how to secure everything when you take it out of your corporate environment and put everything on the internet. And then my third favorite book right now is just Essential Truths of the Christian Faith. Once Sproul passed away it was kind of a sad thing, but I spend a lot of my personal time in Christian ministry, and that book kind of puts things very simply and is easy to understand for everybody, regardless of what their faith background is.

Now, eventually Hollywood is going to find out about Keon Williams and they’re going to make a movie. Who plays you?

That’s hard to say. It depends on how old I am when they play me. When I was in the Army I was a strapping young gentleman, 235 pounds with six percent body fat, so maybe The Rock, even though he and I are close to the same age. You know, if it’s the older me, it’d be hard to say, you know, somebody who is a little more pudgy but is wise. I’d leave it to Hollywood to choose the best actor.

Fair enough. And then my last question: you now have the ability to speak with anyone throughout history. Who would it be, and why?

If I could talk to anybody throughout history, I would love to talk to Abraham Lincoln. I say that kind of given the political climate in the United States today. Things are not as drastic now as they were back then, but it would really be interesting to talk to the President of the United States in the midst of a civil war that was tearing the country apart. I think that would really put things into perspective and have good context for, you know, what is really social upheaval in the US and in a lot of other countries around the world right now.

Well, Keon, I want to thank you for coming on Scaling Up H2O and really educating the Nation on what we should be doing about some of these cyber threats.

It was my pleasure. This was a great conversation. I am very happy to share this conversation with the new audience, and hopefully it had an impact and more of our water professionals are going to take cyber security on as a new learning challenge.
When I was speaking with Keon, I made a list of things that I needed to do, both at home and here at the office. Now, something I have that you might not have is I have a cyber security insurance policy here at our company, and the reason I do that is because, folks, I can put a line item in our budget to account for insurance. I cannot put a line item in the budget to account for what if something like that were to happen: how would I get my information back, how would I help make my customer whole, how would I do better practices to make sure that when we did get the information back it wouldn’t happen again. It’s always been my philosophy that we can budget for insurance, but we can’t budget for the unknown, making insurance something that I always want to look for, because it’s easy to put that in the line item. With a policy that we have, we actually get a team of experts that help us with best practices. They review what we’re doing, we’re able to call, talk to a real person, ask them questions, they give us help. So I’m not here trying to sell you an insurance policy, but I want you to know that if you’re a business owner there are policies like that out there. And folks, we are good water treaters. We should not be versed in all of this technological stuff that we have to do to protect ourselves and our company from getting cyber hacked. We should be partnering with someone who helps us do that, so that’s one tool that’s available out there.

Also, there were so many tools that Keon gave us that we can start using. He mentioned a publication that is on our show notes page, so you can download that. That was a great tool for us to use here at the company. But I have to tell you, after talking with Keon, after meeting with people that hold our insurance policy, I went home and I set up our routers differently. I changed the passwords. I made them so someone could not sit in the driveway, or out to the outskirts of where our Wi-Fi reaches, put a randomizer on our network and within a couple of seconds find a simple password. So I made it a lot more complex. I added some security to the Wi-Fi, and I made sure that everybody that was logging on to the Wi-Fi understood what needed to be opened, what needed not to be opened, and when in doubt, we just simply do not open it. I know a lot of times we have that fear of getting left behind or left out or missing out, so with that, if somebody did send you an email and it looked bogus, what I would do is I would open up a separate email and ask that person, is this something that you are really sending me? Or, folks, let’s face it, if you delete it and it was important, they’re probably going to contact you through another means. So don’t click anything that you don’t know is reliable. And there’s so much software out there. Microsoft 365 is a platform I know a lot of us are using. There are a lot of security precautions already programmed in there, so if you can use some of the things that are already available to you, you can minimize your risk. But let’s face it, there’s always going to be a risk out there, so the best thing you can do to protect yourself is to be armed with better knowledge, and that is exactly what Keon’s mission was today: to give us some more information so we can make better decisions when it comes to cyber security.

And I just have to say, as one final point, it really aggravates me that there are people out there looking for ways to cause trouble for the rest of us. So get a real job. You’re smart, you’re able to crack all these codes. Well, folks, there is an honest job for you to do that out there. So I’m speaking to all the criminals out there: stop making our lives even worse when we’re having to deal with the pandemic and all the things that have to come with that. Just stop it. I don’t know if that does any good, but I feel better saying it.

So if you have any questions about any of the tools, any of the tips, resources that Keon mentioned, again, we’re going to have all those on our show notes page, and I hope that today everybody learned at least one thing that they could do to protect themselves. Well, next week is a special Halloween episode. I’m going to be doing something a little bit different, so I’m going to ask you what do you think about it. I’m trying something new. I’m excited about it. I’m also a little nervous about it. So again, you’ll find out about all that stuff next Friday. As always, I look forward to bringing you a new episode each and every Friday, something that you can count on. In the meantime, please stay safe out there. Of course, now staying safe not only means protecting ourselves, the ones we love, and now we got to look at keeping our computers safe and our data safe. But if we know all that, we can do it. In the meantime, stay safe out there, and I will see you next week. Have a great week, folks.
Folks, you’ve heard me talk about the Rising Tide Mastermind and the success that all the people that are members of the Rising Tide Mastermind are enjoying, but I know you’re wondering what are the reasons that people join. So here is Michelle Farmery to tell you why she joined.

[Music]

Michelle, thank you so much for sharing with the Scaling Up Nation why you joined the Rising Tide Mastermind and what you get out of the Rising Tide Mastermind. Folks, let’s face it, we all wear so many hats. Being a water treater is not an easy job, but when you can talk with other water treaters about issues you’re having, both in business and in personal, you are able to get to the next level faster. One of the things that we do in the Rising Tide Mastermind is we urge each other to take the next step, and then we hold each other accountable to make sure we’re doing the right things in order to get there. Go to scalingupH2O.com/mastermind to find out more about the Rising Tide Mastermind and to see if this is a group that’s right for you. I urge you to find a group of peers that will make sure you are taking the right steps to get to the next level.