October 28 2016

The single most important step to lower your 2017 Network Security Budget 08:30 am

Saving thousands – even tens of thousands – on your Information Technology (or IT security) budget in 2017 is possible. The suggestions below show that outstanding information security results are possible independent of large security budgets or specialized security consultants. Our customers, representing hundreds of PC users, have consistently and methodically lowered their security incident count and the severity of security breaches over the last 24 months. Recently we celebrated the last 6 months having had only 1 client with only 1 virus on only 1 computer. (This was back in May and we hope that client never does this again, as it will mess up everyone’s stats!) This update will show how a manager or executive can hold a technical team accountable for great results and control a security budget. It will also identify how a technical team can institute specific security actions that together dramatically lower the risk profile.

Before outlining the steps and methodology of how this works let us offer proof that outstanding results are possible.  Our validation comes from a comparison of PCIT’s clients to a survey of 540 Canadian and worldwide organizations by the Osterman Group.  In this survey 72% of the Canadian organizations experienced a security attack within 12 months while 60% of PCIT’s clients experienced the same.  However, what happened after the incident was even more striking.  The survey reports 63% of those attacked experienced severe downtime of over 9 hours.  None of PCIT’s clients experienced severe downtime.  Most telling is that the survey respondents appear to have a significantly higher budget on digital security and even dedicated security resources.

The most effective method to lower security incidents is surprisingly low cost. This #1 tool is not a special antivirus software, next generation firewall, two-factor authentication, biometrics, independent network penetration testing, or other esoteric approach. PCIT sees the most effectiveness in network security simply by measuring incident rates of a single network and then comparing those results to a peer group. As PCIT delivers IT services for many clients across the Peace River region this has become an easy process. First, every virus, data breach or malware incident is recorded. Next, we track how many of these occur each month for each client. Last, we compare that client’s results with our entire client base. A sample table is below.

Operational Results Summary

The table below is an excerpt of key service delivery area metrics that PCIT tracks on a regular basis.

[Table image: security incidences table]

This methodology is so powerful because it provides owners or executives responsible for IT security actionable data that they can relate to.  If they have more malware than their peers it becomes clearer to a non-technical person that a change needs to be made.  If the IT resource can then pinpoint where the differences are between them and their peers approving a specific action to get better results becomes a lot more justifiable.
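The record, count and compare steps described earlier in this post, sketched as an added example (not PCIT's own tooling). The client names, seat counts and incident log are constructed, and normalizing to incidents per 100 seats is an assumption made here so that clients of different sizes can be compared.

```python
from collections import Counter

# Step 1: every incident is recorded. Constructed sample log:
# (client, ISO date, incident type).
INCIDENTS = [
    ("client_a", "2016-05-03", "virus"),
    ("client_a", "2016-05-19", "malware"),
    ("client_a", "2016-06-07", "malware"),
    ("client_b", "2016-05-11", "virus"),
    ("client_c", "2016-06-21", "data_breach"),
]
# Assumption: seat counts per client. Clients with zero incidents are
# listed too, otherwise the peer baseline would be biased upwards.
SEATS = {"client_a": 40, "client_b": 120, "client_c": 25, "client_d": 60}
MONTHS = ["2016-05", "2016-06"]


def monthly_counts(incidents):
    """Step 2: number of incidents per (client, YYYY-MM)."""
    return Counter((client, date[:7]) for client, date, _ in incidents)


def benchmark(incidents, seats, months):
    """Step 3: compare each client's rate with the whole client base.

    Rates are incidents per 100 seats per month.
    """
    counts = monthly_counts(incidents)
    base_total = sum(counts[(c, m)] for c in seats for m in months)
    base_rate = 100 * base_total / (sum(seats.values()) * len(months))
    report = {}
    for client, n_seats in seats.items():
        total = sum(counts[(client, m)] for m in months)
        rate = 100 * total / (n_seats * len(months))
        report[client] = {
            "incidents": total,
            "rate": round(rate, 2),
            "above_peers": rate > base_rate,
        }
    return round(base_rate, 2), report


if __name__ == "__main__":
    base, report = benchmark(INCIDENTS, SEATS, MONTHS)
    print(f"client base: {base} incidents per 100 seats per month")
    for client, row in sorted(report.items()):
        print(client, row)
```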

The dynamics of this approach are hard to communicate in a short paragraph.  What we have seen is that while the severity and sophistication of reported security incidences in the news has increased over the last 24 months our clients have methodically lowered their risk profile.  Many have experienced this without increasing IT security spending even $1.  What comparing results to peers and bringing open accountability has done is create a culture across many organizations and industries of security awareness and accountability.  It is this culture and user action that has been the biggest ‘second order’ effect of sharing security results in this manner.

Over the last 24 months we have helped various organizations eliminate or greatly reduce the effect of malware, viruses, and data breaches in their environment.  Our clients have seen these results with relatively modest network security budgets.  We conclude great, even outstanding, network security is possible independent of large capital spending or dedicated IT security specialists.

We would be pleased to release at no charge or obligation our best practices related to network security for any interested party.

August 5 2016

Congratulations PCIT Clients in Defying the Odds 09:59 am

As CEO of PCIT I would like to extend a heartfelt thanks to our clients who have worked with us over the last 12 months to protect their data and digital resources.  Together we have defied the odds and won against a host of hackers in a big way.  Referencing a recent global survey by the Osterman group compared to PCIT’s operational results we find our clients had significantly less malware, less downtime from malware and never paid a dime to get their data restored.   According to the survey of over 540 global companies Canadians PAID the ransom 82% of the time and approximately 1/3 of those surveyed were forced into this situation.

If our customers had not been so proactive in educating their staff and promoting a security conscious approach we would have never gotten this far.  In the summer of 2015 our message to clients was ‘Information Technology could NOT control the security of their data and their network without everyone’s participation and ownership of this concern’.  At that point many of our clients had invested in best in class technology but were also open to taking the next step.  Together we had great results.  If we were keeping score for 2015 it would look something like this.

| | Typical Canadian organization surveyed | PCIT Customers |
|---|---|---|
| Profile | 5,400 staff + a CIO, IT Director or Chief Information Security Officer + lots of internal IT staff, respondents across Canada | 250 or less staff, mostly have PCIT as 100% IT resource, a few cases where PCIT is responsible for operational results and works alongside -1 full time internal staff, Peace River region focused |
| Suffered security attack last 12 months | 72% | 60% |
| Percent who lost data due to ransomware and PAID between $1,000 – $50,000 to get it back | 72% | 0% |
| Percent who lost data when they refused to pay the ransom | 82% | 0% |
| Severe downtime – It took more than a day trying to restore endpoint functionality | 63% | 0% |
| More than 9 hours to remediate | 60% | 0%* |
| Upper management and C-Level executives are at higher risk | 8% target C-suite, 22% target managers | Typical Canadian organization results seem very similar – don’t have hard data |
| High Risk | 43% lost revenue, 25% stopped operations | Data not available – would estimate the actual results were much much lower |
| Confident they can stop security issues (after all they have lots of ‘smart people’ on staff, and likely someone solely in charge of security) | 51% | ? I really doubt most of our clients are that confident. Guessing results would come in under 20% as being confident they can stop security issues. Most would probably have an internal resource if they felt they could afford it and find one. However, these results are starting to speak for themselves. |

*PCIT did have a remediation that took more than 9 hours in 2014 but it was just after C-level management requested we remove one of our recent security best practices as it ‘was frustrating the staff’.  Less than 2 weeks later 3 million files were erased after a C-level executive experienced a security breach.  Subsequent to that the security best practice was re-engaged and has remained ever since.

Results are based on an international study released in August 2016 of over 540 organizations worldwide. Canadian specific results were also discussed in this Digital Journal article.

To me these results stress a couple of points. First, we have great clients who have been diligent in working with PCIT in this regard. Very few push back and ask us to own the security results when we say we need everyone’s help. Second, our ‘secret sauce’ appears to be working. In early 2015 we began benchmarking PCIT’s security results across our entire client base and comparing them to individual customers’ results. In this manner we could very clearly identify when our clients were hindering or helping the protection of their data and their operations.

Finally, I believe a deep analysis of the above table completely and totally disproves the fallacy that having an in-house resource is the best way to support IT. The facts appear to heavily weigh against the fact that no matter how smart, how helpful, how well trained, and how well intentioned internal resources are, most Canadian organizations have NO IDEA how large their security exposure is.

I can actually picture the conversation in most boardrooms as being sympathetic to internal IT resources after having to pay a $20,000 ransom like the University of Calgary just did. Executives not knowing how to manage IT try to get results by hiring, providing budget and gauging results by how well they ‘feel’ about the work that is being done. To most managers having to pay a ransom can be excused because the bad guys are ‘really really bad‘ and they just know their ‘guy(s)’ or ‘gal(s)’ are good. Results seem to speak otherwise.

If there are organizations who want to manage technology results by more than a ‘feeling’ we would love to discuss if our approach would be a fit.

June 9 2016

Negotiate and win every time when held for digital ransom 02:58 pm

Fortunately, up until now our clients have had a zero negotiation policy when it comes to negotiating with cyber-terrorists. These criminals hold people’s data and network for ransom instead of kidnapping people. Our current negotiation policy is to have a valid backup and be 100% confident it is working every day.

I know from being in the trenches it takes steady professional  human involvement to be 100% confident.   Even then a frequent stress test is important to really prove everything in the system works when it is called upon.

We have probably seen 15 times now when our clients’ data has been almost 100% completely gone unless the ransom is paid. Not once have we asked our clients to open a bitcoin account to pay the terrorist.

When the FBI’s official position is to pay the ransom, the University of Calgary pays the ransom and other really big organizations pay the ransom it is reassuring we have kept our clients from that position.

It turns out terrorism is a good business. This concept has been so lucrative that, instead of being shut down since appearing over 18 months ago, the types of threats are increasing in severity and cost to go free. If this continues it will likely increase the cost of insurance because when data is lost someone is going to pay. If the client has an IT contractor I’m pretty sure the client won’t feel like they are the one who needs to pay….

I believe end user training, disciplined security procedures, and a great backup are all a part of preventing a digital ‘kidnapping’.  Technology can also play a great role in prevention.  If you have a sense of uneasiness about the security of your data perhaps we should talk.

Working with the team here at PCIT there is always that little sense of question every time we hear a breach occurred. Everyone wants to reach Bernhard, our backup specialist, right away to confirm everything is ok. Once we hear everything is ok calm then ensues. We go on with the restore, the removal of the infection and everyone else goes back to work knowing the resolution is at hand. Another digital heist prevented with no ransom paid and fortunately no lost data.

October 13 2015

Strategy, Revenue and Security Insights From Amazing Conference 09:39 am

Tech Data put together a gathering of some of the most progressive organizations in the technology industry for their annual North American TechSelect conference this past week, Oct 6-9, 2015. It was a great time to be in Boca Raton, Florida, where the sky was sunny and not a touch of fall could be found anywhere. In Grande Prairie our first frost had already arrived before leaving for the event. In Boca we had to move breakfast out of the open sunlight as it was too hot by 9 am. Quite a difference.

Listening to some of the biggest organizations in the industry present their best practices, industry trends and product focus was very informative indeed. One theme that kept recurring from Cisco, HP, VMware, Intel and more was how valuable good security solutions are at this point in time. CEOs and management simply don’t want to be known as the next place where data was breached and their vulnerabilities made public. This is just a further convergence of an observation made at the beginning of the conference. ‘Companies are now realizing that their technology strategy and business strategy are really the same thing.’ This observation was attributed to Accenture in 2015 and it is just as applicable for the security needs of an organization as it was for any new revenue and business opportunities that are available.

A good security practice takes the operational disruptions and impact of security breaches and creates restore processes, remediation processes and root cause analysis steps to help reduce and eliminate these instances from recurring.  A good security practice also benchmarks the results achieved and compares them to a baseline of what is possible.

I had the opportunity to speak at length one evening with Scott Schweitzer, Vice President of Security at Cisco, on the typical security spend per user and typical results one could expect from that spend. This type of data is not yet mainstream. At PCIT we are updating our tools and processes to keep our customers from being the next data breach headline. The threats are very real and PCIT as well as the media and the entire technology industry have seen the increase and severity of malware in 2015.

Special thanks to A&G Advisory and Mark Thompson, author of Admired, for presenting at the conference. Both of these sessions were extremely valuable. I read the book Admired on the way home and found it to be very helpful.

August 31 2015

Security is a PAIN-Here’s 80% of what you really need to know. 07:55 am

If there was one single thing to be aware of in regards to network security it is managing email on work related devices.  Almost all security breaches, network crashes and lost data come from a single source.  The number one place to be vigilant is when working with email.

According to Alan Paller, director of research at the SANS Institute, 95% of all attacks on enterprise networks were the result of successful spear phishing emails. This was in 2013 and today the regular success of this technique has only increased the volume and nastiness of deceptive emails. If you prevent problems coming from email you’ve almost contained all major security problems. If Mr Paller is correct then we feel the bold statement of 80% or more of what you need to know about online security best practices isn’t out of place.

Phishing has been documented to work to hack Canadian Government sites, the New York Times, company bank accounts, merchant service accounts online and much much more.  It can result in serious loss of money, reputation and data.  The wrong click can also crash a network very quickly by releasing some form of ransomware.  When the source of any of these incidents is located and it happens to be your PC from a deceptive phishing related email the result is a very uncomfortable feeling….

There are many of these deceptive tricks that try to get people to click where they shouldn’t. However, here are some other great tips to keep yourself from finding yourself with a dead PC and wondering what just happened.

1. Read the return URL backwards, from right to left. The URL might start out with “www.bankofamerica” but when it ends with 120 characters of gibberish, you might start to get suspicious.

2. Don’t fall for what’s being called the “double-barreled phish,” in which you respond to the email with a question, such as “Is this really my buddy Jim?” Phishers are now clever enough to wait a while, in order to show that the response is not automated, and then reply with, “Yes, it’s me, Jim.” Of course, it isn’t Jim.

3. Never open a PDF from someone you don’t know, since spear phishers are now hiding their malicious zip files inside seemingly innocuous PDFs.

4. Never give out your password or other personal/sensitive information in response to an unsolicited query.

5. Pay attention to emails that may appear to come from a bank, credit card company, shipping company, IT, payroll, a friend or a colleague that invoke fear or greed. That lost shipment from UPS, Apple ID recovery tool or email from a client that seems a little weird can be the work of something deceptive.

6. Use a world class spam removal tool like McAfee Email Protection service in the cloud. Many of our new customers often comment that the spam removal tools PCIT uses help reduce the volume of malicious emails greatly. When more phishing emails are blocked there is even less potential for staff to be misled.

We wish it could be laid out simpler.  The good news is once the tactics are exposed they are almost powerless.
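Tip 1 above (read the URL from right to left) as an added example, not part of the original post: the rightmost labels of the host name say who really owns the link, whatever brand name appears on the left. The suffix set, the length threshold and the sample URLs are assumptions constructed for illustration; a production check would use the full Public Suffix List.

```python
from urllib.parse import urlsplit

# Assumption: a tiny stand-in for the Public Suffix List, enough for this demo.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "ab.ca"}
LONG_URL = 100  # assumed threshold for "a long tail of gibberish"


def registrable_domain(host):
    """Read the labels right to left; the rightmost ones name the owner."""
    labels = host.lower().rstrip(".").split(".")
    take = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-take:])


def inspect_link(url, expected_domain):
    """Compare where a link really goes with the domain it claims to be."""
    if "://" not in url and not url.startswith("//"):
        url = "//" + url  # bare "www.bank..." text copied without a scheme
    host = urlsplit(url).hostname or ""
    real = registrable_domain(host)
    expected = expected_domain.lower()
    findings = []
    if real != expected:
        findings.append("domain-mismatch")
        # The brand shows up on the left, but someone else owns the right.
        if expected.split(".")[0] in host:
            findings.append("brand-used-as-decoy")
        if len(url) > LONG_URL:
            findings.append("long-url")
    return real, findings


# Constructed samples; .example is a reserved TLD, so the lookalike
# cannot resolve to a real site.
GENUINE = "https://www.bankofamerica.com/login"
LOOKALIKE = ("http://www.bankofamerica.com.q8z3x7k2vbn4.example/"
             + "k3j9" * 30)

if __name__ == "__main__":
    for link in (GENUINE, LOOKALIKE):
        print(inspect_link(link, "bankofamerica.com"))
```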