Keeping your data safe is getting increasingly challenging, especially for businesses. Be guided by cybersecurity expert and Gillware’s Vice President of Risk Management, Christopher Gerg, about protecting yourself from ransomware and other threats. He reveals the deceitful ways cybercriminals get into your computer and what you should do right now to avert attacks on your system. Cybersecurity is a must-have, so be vigilant and don’t miss this episode.
Cybersecurity For Businesses with Christopher Gerg
We have an expert for you who is fantastic. Christopher Gerg is an expert in cybersecurity and keeping our data safe and letting us know what there might be as far as cyber security to our business. Christopher, welcome to our show.
Thanks for having me.
What do small business owners need to know about cybersecurity? For some people, it’s an overwhelming thought.
It’s hard to know what you need to be worried about. It’s less what you know and more what you don’t know. My company does a lot of incident response work. When someone gets hacked, when someone has ransomware or someone has an information security issue, they call us. Sometimes they call their insurance company, who calls us to come in and let them know what happened and get them back on their feet. I used to do this work for other organizations. We would talk about reputation. We would say, “You collect credit cards. You are a bank.” The risks there are obvious, but things have evolved to the point that ransomware has taken over everything. There were 23 different Texas State agencies that were infected with ransomware.
For our audience, what is ransomware? Tell them a little bit about the background. They may not be familiar with it.
Ransomware is like a computer virus. It can come in through email. In fact, very often it does. You get those annoying emails and they’re crafted to the point that it’s very difficult even for information security experts to tell what is a real email and what’s not. If you double click this program or script that’s embedded in the email, it often runs. What it does is it goes through and looks for important files on your computer and encrypts them so that you can’t open them. When you try to open them, it pops up a little window that says, “These files are encrypted. To unlock them, send money in the form of Bitcoin.” It’s literally a ransom. In fact, some of the attorneys we work with are attorneys that also do ransom negotiations for people who have been kidnapped because it’s literally a ransom. If you pay this ransom through Bitcoin, they’ll get you the decrypter, which is the code to type in to unlock those files. The dangerous thing is that sometimes you don’t get the code or sometimes it doesn’t work. The best approach is to have good backups so that you can recover without having to negotiate with a criminal.
Chris, are they attachments or is it just you open the email?
It’s usually not just opening the email. It could be a link, “Check out your bill,” and you click the link and it will say, “I need to install this viewer so that you can see your bill.” When you say, “Okay,” off it goes or it can be something, “You need to open this file, here’s a PDF,” and inside the PDF is the code.
I get similar emails saying, “I haven’t paid my taxes. Click on this to find out how much I owe.” I’m like, “I always pay taxes, people.”
You’ll get some that say, “We’ve got a problem with your Office 365 account or there’s a problem with your Amazon order.” It’s difficult, so you have to build things so that even if someone did click that you’ve got a plan in place and mechanisms in place to protect you.
One thing you mentioned was backups. What else do businesses need to be looking at?
Backups are the biggest contingency plan if there is a problem. To prevent it in the first place, there are some technical controls. Among those, you need to still have a signature-based antivirus, the traditional antivirus. The different antivirus vendors have add-on tools called Advanced Threat Protection that do a better job of protecting specifically against ransomware and other things that are new and not in the signature database. You need antivirus plus a little more. Most vendors either include that with their basic package or charge you a little extra money. It’s worth the money. All of these different technical controls are great.
Even if you have all these great technical controls in place, and we work with organizations that have robust information security programs, if someone double clicks the thing in their email, you’re still going to have some trouble. The important thing there is information security awareness training. We’ve partnered with a vendor that does information security awareness training and we work together so that we bring them in when we’re working with clients and they bring us in when they’re working with clients. We do more of the technical things, but a lot of it hinges on being aware of what to do and what not to do when emails are coming in or someone calls you.
I think social engineering has gotten so slick. You do have to sit back and look because I can say, “Chris, I’m Sam, your wife’s friend and she left her wallet here. Can you give me her driver’s license number and make sure it’s hers?” The next thing I know I’ve got your wife’s driver’s license number. I know you, so off I go.
The second big thing we’re seeing in our incident response work is the broad category of wire transfer fraud. All that is, is someone stealing money from somebody else, very often with social engineering. Anytime there’s a credit card payment or any kind of one-off payment, there is a risk. We worked with a construction company that was buying a couple of bulldozers from an overseas vendor. The attacker had gotten into the system and was watching the emails going back and forth.
He became the vendor.
He jumped right into the middle of the conversation and said, “I’m so sorry. I gave you the wrong account number. Please use this one. Have a great time on your vacation.” They’ve been watching the emails going back and forth.
You thought, “Of course, I’m talking to this.”
$1.6 million got transferred. This isn’t a big company. This is a big purchase for this company.
$1.6 million, anyone would feel it.
$1.6 million here, $1.6 million there, pretty soon you’re talking about money. The payment didn’t show up. Thirty days later, the vendor called and said, “I thought you were going to pay?” They said, “We did.” The money’s gone. I know we’re talking to small businesses, but the lesson here is that these are not big companies that are suffering these issues. In the case of ransomware, in the old days, computers were used for email, surfing the web and maybe accessing a website to do something. Now even manufacturing companies rely on their computers. If all the computers in your organization, whether you’re a small mom-and-pop shop or you’re a large manufacturing firm, aren’t available, you’re not working. The main difference is that, if it’s a big company and they have a $50,000 ransom, that’s on the low side. They can say, “I guess we’ll pay the ransom because we can’t recover these machines.” If it’s a small company that suffers that ransomware and they have to come up with $50,000, that could be the end of that company.
Christopher, you talk about always having backups. You talked about not only getting the virus protection, but getting a little bit extra. You said to get some training on the ways computers can be attacked. What other safety precautions do you recommend?
The only other thing that I would say is that those are a couple of things at the top of the list, but an order of magnitude more important is patching and updating. Most malware and ransomware is malicious software. Most of them are exploiting something that there’s a patch for. There’s a vulnerability in your Windows machine. If you don’t have it up to date with patches and updates, you’re vulnerable to this malicious software. The best thing you can do in most cases is to have a system that automatically updates all of your workstations and, as soon as humanly possible, updates your servers as well.
Keep on top of the updates.
The other thing is that I’m sure that most people are aware of what two-factor authentication is. Banking websites have required this for a little while, where you’re given a username and password, but then you have to enter in a six-digit code that an app on your smartphone generates. The text message is fine but there are ways to hack your SMS. If I was a determined attacker, I would find a way to get access to your texts. A lot of times the texts are mirrored on some app running on your workstation. Text message codes are better than nothing, but I prefer the little app that you run on your smartphone to generate a code.
Sign up for the two-factor authentication. I personally don’t like them because they’re a pain.
They are absolutely a pain, but if someone steals your username and password and they don’t have your smartphone, then they can’t do anything.
It makes it one thing harder. Do you have any tips on passwords?
It used to be that they’d only have a long password and change it every 90 days. A lot of research and a lot of organizations have moved away from that and are suggesting that people use password vaults. LastPass is one of them. 1Password is another one I use. This is an application that is like a software vault that you can store your passwords in, and it generates these long, complex passwords. Usually, you use two-factor authentication to open up the vault. Once you have the vault open, it will automatically fill in passwords for you. In fact, I use it enough that if someone had a gun pointed at my kids and said, “Tell me your password for your bank,” I wouldn’t be able to tell them because I don’t know what the password is. That’s a strong recommendation. Look into these password vaults because they make very complicated, very difficult to guess passwords, and it’s not impossible to guess passwords. That coupled with two-factor authentication is going to prevent someone from compromising an account.
How do people find out more about your work and working with your company?
The easiest way is to go to www.Gillware.com. My part of the business is Risk Management. You can click on that on the top. We also have our incident response side of the business. If they have a specific question and want to throw something my way, my personal email address is CGerg@Gillware.com.
What is one thing that you’ve learned from all this experience in cybersecurity that you feel everyone must know?
It’s important. It’s not a nice to have. It’s a must-have. You need to be thinking about information security. There is no question.
We have been with Christopher Gerg. If you want to find out more about him, go to www.Gillware.com. I am Sam Mak. I’m your guest host. You can find out more about me, diversity, inclusion and leadership training at www.SpeakerAuthorMotivator.com. If you like our show, we appreciate your five-star reviews and be sure to subscribe so you can have expert information from great guests like Christopher Gerg.
About Christopher Gerg
CISO and Vice President of Cyber Risk Management at Gillware.
Christopher is the Vice President of Risk Management at Gillware. He is a technical lead with over 15 years of information security experience. Christopher has worked as a Systems Administrator, Network Engineer, Penetration Tester, Information Security Architect, Vice President of Information Technology, Director and Chief Information Security Officer. He has experience in the challenges of information security in cloud-based hosting, DevOps, managed security services, e-commerce, healthcare, financial, and payment card industries.
He has worked in mature information security teams and has built information security programs from scratch and led them into maturity in a wide variety of compliance regimes. While an expert in the theoretical aspects of information security best practice, he is also experienced in the practical aspects of building secure technical environments – and working with the boardroom to promote executive understanding and support.