In this interview, Tom McDonald, NSI's CEO, talks about what cyber security services his company used to recommend, how these services have gotten better, and most importantly, he answers the big question: "who is primarily responsible for my security?"
The short answer is as follows: both the business owner and the IT provider carry responsibility for reducing risk, but the nature of the responsibilities are different.
Check out the interview and let us know what you think!
Table of Content
- How Has NSI’s Security Solution Evolved Over the Years?
-
What Kind of Manpower Does it Take to Get Someone Back Up and Running after a Breach?
-
Who Is Responsible for Cyber Security?
How Has NSI’s Security Solution Evolved Over the Years?
Derek: (00:02)
At NSI, you've been helping small and large businesses around Connecticut for many years. What did the security solution look like a year or two years ago, versus what you're setting up and suggesting for clients today?
Tom: (00:29)
Three years ago the suggestion or the basic set of for a client was:
- A solid backup locally
- A firewall
- Antivirus on the server
- Antivirus solution on the firewall
- And we would try to convince them to have a consistent antivirus on the desktops across the entire environment.
Even that was a stretch for them! That's what it used to look like if you fast forward to today, that is the base level that every bad guy and hacker expects to deal with, that's not even a minimum for clients today.
We tell a client today, that the minimum solution is to have:
- An encrypted offsite backup that you can recover to, and recover from
- Antivirus on every device.
- You need to do security awareness training for all of your people on a consistent basis. Education right now is that is the biggest thing, for the business owner to understand what that threat landscape is and to make sure they understand what the risk is for their organization, which I don't think a lot of small businesses understand today.
- DNS protection
- And a few more things...
Derek: (01:37)
People need to realize that unfortunately, hackers are targeting people through emails and phishing attacks. It makes a lot of sense that education be upfront.
You've probably experienced some incidents, attempts, or maybe even a breach because it's inevitable. Can you tell us more about your real experience?
Tom: (02:01)
We’ve had a couple of examples, here is one that can help you understand how deep into protecting your business you need to go.
One company that we dealt with had a very strong offsite backup, they were solid in terms of how they protected themselves with antivirus and firewall. We had another client it was very similar to the first one except they did not have a solution in the cloud, they had their backup on site.
The same virus attacked both of these companies and it encrypted all of their data files on desktops and servers and on both companies it got to the backup that was onsite.
The company that had the offsite backup wasn't impacted, they were able to recover in a matter of hours, as they spun up in the cloud quickly. We remediated him and restored them, they were up and running in a matter of hours.
The other company, they didn't have a backup to restore to, they went down for a significant amount of time, ultimately they had to pay the ransom to get their data back so they could get back in business, this took a couple of days.
If you think about it, you’ve done everything you can to protect yourself, you have the antivirus, you have all this stuff in place, you have a backup locally. But the bad guys get in whether someone clicked on something, or if it was one of these zero-day viruses that got right through what you were going to protect. You are trying to protect yourself, but they got in and they encrypt your files and what are you going to do?
What Kind of Manpower Does it Take to Get Someone Back Up and Running after a Breach?
Derek: (03:34)
That must have been very stressful for you and everybody. What kind of manpower does it take to get someone back up and running?
Tom: (03:48)
People need to think about the impact of what happens in your day to day business. You have the concern that you don't know what's going on, what was i that you clicked.
Anytime you've had any kind of incident, you feel violated, that someone's come in there and done that. Then, the reality strikes you, you need to get back up and running.
We support these clients through all of it and whatever we can do for them, we do. It just takes time, you can say it's manpower because you got to contain it, you have to eradicate it, then you have to remediate and then you hopefully have something to restore. If you think about it, a small business that has 10 users and the server takes a lot of work to get all those people back up and running, even in the best case scenario, it just takes time.
I tell people all the time, it's not a matter of if this is going to happen, it's just a matter of when and you need to do everything you can to keep them out. But keep in mind they spend all their day trying to get in and when they finally do it, you just got to make sure that you've got a way to recover and get back to operation as fast as you can.
Who Is Responsible for Cyber Security?
Derek: (04:57)
A good transition into why we're chatting with you is where's the line in the sand? Your clients or any small business that's working with an IT provider like NSI, who's primarily responsible for this? What's your perspective on this?
Tom: (05:18)
I run and and own a small business, I have to make these business decisions every day. And this is really a decision you have to make in terms of what your risk tolerance is. How long can you be down and really understanding what that would look like and realize your dependence on technology?
Small companies are even more dependent on the technology that runs their business because they don't have redundancy, they don't have more people to assign things to, like a big company, or roll over to another division.
You need to educate yourself on not only what the threat is, but understand what your risk is. You have to look at what your insurance policies are relative to cyber. And then you need to talk your IT professional about what's going to happen, he needs to take you through the worst/best case scenario.
The single most important thing that I tell people is: put all these protections in place, but get your data encrypted offsite some way, shape or form. Ultimately that's your insurance policy for your business to get back up and running and you need to make sure you have data that's current, that's protected and that’s isolated from the rest of your network.
Derek: (06:27)
It sounds like you're saying that there's a lot of different things that businesses should consider to protect themselves, you've mentioned many of the different things they can purchase or incorporate into their protection plan. But at the end of the day, it's about risk tolerance for each person and company. How much do they want to get up front to protect themselves
Tom: (06:54)
It’s the combination, you can't do one without the other.
You certainly want to keep the bad guys out, same thing as in your home: you want to lock the door, you want to have an alarm, you want to make it hard for people to get in. But the reality is that if somebody wants to get into your house, they can take a rock and they can break the window, even if you have the best alarm system and the front door lock they can break the window and get into your house, grab something and jump out.
It's the same thing with your business, you can do everything you can to keep people out of it from doing bad things to you, but they can get through, if they get through you need to protect yourself and you need to understand how you can recover, the same way you would do if there were any kind of disaster so that you can get your business back up and running. If you think about it that way, you're going to be able to sleep better at night and you'll be able to get your business back up and running sooner rather than later.
