Spilling The Tea from Season 2 - Receipts from The Tea on Cybersecurity

Jara Rowe : Gather around as we spill the Tea on Cybersecurity. We are talking about the topic in a way that everyone can understand. I'm your host, Jara Rowe, giving you just what you need. This is the Tea on Cybersecurity, a podcast from Trava. We did it. We made it through another season of the Tea on Cybersecurity. And with that, I'm here to bring you the ultimate receipt of everything I took away from each episode of season two of the Tea on Cybersecurity. For this ultimate receipt, I will be breaking down everything into the following chapters, which honestly flow together. First, you can't protect what you don't know. Strong cybersecurity first and compliance second. It's best to be proactive. Education plus strong policies are necessary, and some additional takeaways that I have. Now, with everything that we covered throughout the season, I'm honestly going to miss something, but be my guest and go back through and listen to everything. There was so much knowledge shared with me that it is completely impossible to cover everything in a simple recap. All right, let's get into it. So first, you can't protect what you don't know. And that's honestly been something that comes up regularly throughout the podcast, season one and season two. One of the things that can help with this are cyber risk assessments. These assessments give you insights on where you stand at that time. A cyber risk assessment will provide you with an understanding on where risks are currently in your business. And Jim did a great job at describing risk assessments to me in a way that I thought was extremely helpful. He related them to a doctor's visit or a checkup. Let's listen to what he had to say.

Jim: So a risk assessment has to be with some set of criteria over here. In other words, there has to be standard questions to ask. Again, going back to the medical diagnosis, right? You're going to see your doctor. You get asked the same set of questions every time, right? Any stomach pain, blah, blah, blah. Are you sleeping well at night, et cetera? Well, you could look at each of those categories of questions as a control family. And so it's the same thing in cyber. It's like the equivalent of each of those categories of questions that your doctor's going to ask you, we're going to ask you the same standard set of categories of questions and that standard set of questions, that's the framework.

Jara Rowe : Naturally, I feel like it isn't right to talk about assessments without talking about audits as well. We had an entire episode going over the difference between the two. So what is the difference between audits and assessments? The biggest difference between the two is who conducts them. Audits are a little more formal and are typically handled by third party auditors while assessments are less formal and they just assess things like your risk and vulnerabilities. Assessments can be conducted by companies like Trava. Let's listen to Ben Phillips, one of our experts, talk about what cybersecurity audits are.

Ben Phillips: Really, an audit at its own self, the full purpose of an audit is to have an external independent third party that has nothing to do with anything operationally and organizing and operating these controls to come in and issue or provide some sort of an opinion over the adequacy design and operating effectiveness of the scope of controls in which the audit attestation, examination, whatever you want to call it, is intended to hit. Auditors are looking at... They define what the scope is, right? Because companies have a wide net of security, a wide net of technology and endpoints and things that touch data. When you look at different types of, we'll call it audit for this webinar, but when you look at those different things, a high trust, a SOC report an ISO, those are actually just covering a very small subset of the overall technology stack in business that the company's even using, right? And it's really focused on who's going to be looking at the result. Who cares about the result of these procedures performed by this third party firm? And it's really supposed to be the mission- critical or data- centric information that's relevant to the stakeholders. So a client that would get a security audit or a SOC2, as part of their SOC2, we'd really cover the customer facing applications that allowed our client to meet the expected commitments with their customers through their contracts, right? We would not cover a general ledger system or other things that are a business related, ancillary to what they're actually doing for their client and how they're solving the problem with data.

Jara Rowe : During that same episode, Jim also talked about what a company should do or which one is appropriate if they were getting a compliance certification.

Jim: When we use the term audit, we imply the need to bring in external auditors like Ben and his company. So this is not an examination of evidence that can be done by just anybody. Ben can go into it. Just because he's a CPA that doesn't automatically make him qualified to do a SOC2 audit. In other words, the CPA firms that are doing this have to pass rigorous certification standards of their own in order to do SOC2 audits, ISO audits, et cetera. So it's not just like Joe off the street with an accounting degree can suddenly say, oh, I can do your SOC2 audit for you. There are standards bodies that own those standards that want to assure that the people and the organizations that are doing the audits are doing them properly. There's a lot of layers of oversight in the whole thing. So with that said, the audit is done by what we call, from Trava's standpoint, third parties. Now, an assessment, the way we talk about it is somewhat less formal. Trava will do assessments. Trava is intimately familiar with the requirements of the standard, the controls that need to be in place, but we're clear that what we're doing is not an audit. It's an assessment. We issue a report. We say, okay, this is good. This is not so good. You need some work here. Here's your prioritization. If you leave it as it is, here's the risks that you have. That's an assessment.

Jara Rowe : Which leads us into our next chapter, strong cybersecurity first, compliance second. Throughout the podcast, I've learned that having a really thorough cybersecurity plan is essential. It's honestly what everything comes down to. There are some companies out there that try to win new customers without any proof of their customers' information being safe, or if their employees' information is even safe for that matter. Many of these prospective customers for that business ask for things like SOC2 certifications, which is a compliance framework, and we had several episodes in season two about compliance frameworks. But before we dive into that completely, I talked to Chris Vannoy of the Juice, which we talked a lot about MarTech, but Chris also talked about simply doing the right thing and building a strong system that's secure from the start before even looking into a compliance framework. Let's listen to what he had to say.

Chris Vannoy: Step one, I alluded to this earlier, is only store what you absolutely have to. Especially, when we're talking about personally identifiable information. Unless a product person has told you specifically what it is and why they need it, don't store it. Don't store stuff just in case. Don't store additional data. So that's step one. The stuff that's hardest to eventually leak out is the stuff you don't even have because it can't happen. So second of all, like I mentioned, the principle of least access. Keep the access to these systems to just the people who absolutely have to use it and keep an audit trail of when they access it and what they do. That's fundamentally it. Now, like I mentioned, there are different levels of this data. In this case, we're talking about low level PII, it's names, it's email addresses, that sort of stuff. If you start getting into healthcare or into e- commerce stuff and you start getting into credit cards and social security numbers and medical records and fun stuff like that, then you're talking about encryption so that even your own people can't read this stuff. Luckily, MarTech doesn't have a lot of that. We're usually the level below that PII that's like we can store it in plain text. We can let engineers be able to poke around that and do stuff. We just have to be careful about where stuff collides with one another and make sure it doesn't leave our system.

Jara Rowe : Chris shared so much information with me about SaaS companies and engineers, but as I mentioned, that is related to compliance. So what is compliance? Marie did an excellent job at explaining this to me. Let's listen.

Marie: So compliance is really making sure that you as a business are following a certain list of controls that an organization or a governing body has set, usually best practices that you need to adhere to. So in the realm of technology, you see it a lot in regard to security and privacy of data.

Jara Rowe : The way Marie breaks everything down is super helpful for me and I hope that it's helpful for you all as well. She also talked about how compliance is really related to cybersecurity. Let's listen.

Marie: When it comes to compliance and cybersecurity, people are really looking for those frameworks and having those certificates because they want to know that you're going to be handling their data with care. They want to make sure you're not going to use it for anything malicious, and it is something that's really important to them. And I might've mentioned it before, but your data is always important. It could link back to your identity somehow and just constantly link back to something else and you don't know what they could possibly take from what if you were to be breached.

Jara Rowe : As I mentioned, this season, we talked a lot about different compliance frameworks. When talking about ISO 27001, Ahn, another Trava team member, and another expert from this season, gave some tips on ways to keep stress levels down. One of those, just following the process. Let's hear what he had to say.

Ahn: One of the biggest thing about ISO is to ensure that you follow the processes that have been established by you. So for future compliant and for ongoing compliant, you really need to make sure that anything that you put in place, you follow it and you audit it, and you regularly check and monitor to make sure that all of your KPI are being met or your risk of regulatory review, your ISMS regulatory review. So it's really coming out to stick to the things that have been established. If you set you're going to do quarterly access review, just make sure you do it. It doesn't have to be formal. It doesn't have to be perfect. As long as you follow those processes and document everything, you should be good.

Jara Rowe : Which also leads me into my next chapter. It's best to be proactive. And like Ahn was saying, it's important to keep stress levels down. Another way that I got from this is just simply being proactive. We also had an entire episode where Jim and Ryan shared information about the benefits of being proactive versus reactive. Jim did a great job at explaining proactive and reactive cybersecurity. Let's listen to what he had to say to me.

Jim: First thing you have to do is be aware of what we call your system boundaries are. Now, I say something like that and people might say, oh, Jim's getting overly technical again. And I'll tell you what just occurred to me is what if you were a rancher, right? And you had cattle that you were trying to protect. What's the first thing you're going to do? Well, you're probably going to put up some kind of fence around the boundaries of that ranch. How do you do that? Well, if you don't know where the boundaries are, you can't very effectively put up a fence, and that's exactly what we're talking about. You need to understand the boundaries of the system that you're trying to protect, because within that system, instead of having cattle, you have data and maybe your customer's data, right? And so first and foremost, what's the rancher have? The rancher has a plot, a survey that says exactly where their boundaries are. It's a diagram, it's a system diagram. That's what we need. We need a system diagram. We need a plot. We need a diagram that shows system boundaries of our information system rather than our ranch. That's really where it starts. Unless you know where your boundaries are. Again, keeping with the same analogy. Unless you know where the gates are, where you purposefully let cattle go in and out. In our case, where are the gates where you let third parties, whether they're customers or vendors or service partners, where are you letting them come into those gates in your fence? Same thing.

Jara Rowe : Again, there was just so much knowledge dropped by Jim and Ryan in that episode. Another nugget I took away from that episode goes back to my original statement of you can't protect what you don't know. And Jim and Ryan stress that you should not fly blind. And that's something that I take away a lot throughout the podcast. You shouldn't fly blind when it comes to cybersecurity. Speaking of flying blind, there are some companies that don't even know the areas that a hacker can intrude into their systems, but this is something that a penetration test or a pen test for short can help with. Christina gave me a full download on pen tests. Let's hear how she explained them.

Christina: Pen testing is a method of conducting controlled attacks to simulate actual scenarios of how an attacker would try to infiltrate and exploit company data. So essentially, it's a way of finding and exploiting various types of vulnerabilities before a hacker does. So a company can test their security strength through their applications, IOT devices, also their internal network.

Jara Rowe : So again, a pen test just educates someone on what areas they need to lock down a little more to make sure that they aren't hacked. Which leads me into my next chapter. Education plus strong policies are absolutely necessary. But again, if we're being honest, there are tons of us that fly blind when it comes to our security because we simply don't know. In season one, we had an entire episode dedicated to why people feel intimidated by cybersecurity, and it's simply that they don't understand it. But there are people like me and hopefully all the listeners that want to understand it to make sure that they are making the best decisions when it comes to securing their personal data and the company's data that they work for. And again, there is a way to help with all of this. It's through training, specifically cybersecurity awareness training. I talked to Kathy Isaac of Carbide on this exact topic. Kathy taught me that the purpose of awareness training is simply to bring awareness to cybersecurity. It isn't to make the team members an expert, but it's just simply to educate them enough on what to look for and ways to keep their information safe. Let's hear what Kathy had to say in her own words.

Kathy Isaac: So Cybersecurity awareness training involves educating your employees, all your stakeholders, that could be contractors, your board members, et cetera, et cetera, about the different aspects of cybersecurity. What's important to add into that is their obligations, their responsibilities, and the risks that exist. They've got a lot of power right there at their fingertips when they hit that keyboard, and they need to understand what those are. It's also important to indicate that the word in cybersecurity awareness training is awareness. We're not trying to create cybersecurity experts with this training. The aim is really to make your staff and your stakeholders aware of the threats and how to respond to them.

Jara Rowe : Another important thing that I grabbed from Kathy throughout that conversation is her stressing that it's essential to get all stakeholders, including board members involved with training. But once we start training, then what? How are these actions even being enforced? This is where policies come into place, especially now that we all work remote. Ahn and I had an entire discussion about work from home and working remote and best practices. Ahn shared a lot of information on how remote work has changed cybersecurity and even gave tips on how we can keep our network secure. Let's listen to his tips on how to secure our home offices.

Ahn: With remote work, the one thing that employees are now missing is that face- to- face connection and conversation. So when you're at home, you're just inherently more vulnerable to attacker posing as colleagues. IT support people or supervisor mainly because you may not know it, but you feel somewhat isolated at home, even though you may say you're comfortable. When you get somebody reaching out, you just inherently want to talk to them. And most of the time you may forget to verify the identity, so you're more vulnerable to phishing. On the other side of that, they also have to deal with distraction at home that could lead them to make a mistake. If you get a call from an attacker posing as your supervisor and your kids are screaming in the back, you probably will forget to verify that it's a legitimate call. So those are the risks, the human risks that come with remote work. Some tip I have is to always be wary of unsolicited communication. Make a sticker note on your sticker on your monitor. Double check everything. Treat all unsolicited communication as malicious unless you can prove otherwise. Even if it come from your manager, if it wasn't solicited, just make sure that you do your due diligence and double check that. Verify all urgent requests, particularly those that ask you to provide sensitive information or perform very risky tasks. The oldest trick in the book, but they still work. And then really scrutinize email addresses and domains. When you get an email from a strange looking domain, just make it a habit to always look at a sender, hover over the link, make sure the domain look correct, that kind of stuff.

Jara Rowe : And some other things that I also got from Kathy and Ahn during their respective episodes is that using a VPN is essential. Also, working remote brings in actual physical things. Kathy talked about someone left their computer in a coffee shop and someone else came and picked the laptop up, and so there was all of the company's data and everything out the door. So again, let's make sure we are following our company's policies when it comes to working from home and making sure we're educating ourselves. And the final thing I have are just some additional nuggets and receipts that I gathered throughout this season. Throughout the season and even the first season of the Tea on Cybersecurity, almost each guest, if not all, mention the importance of MFA or multi- factor authentication. This is one of the easiest ways to take your personal and professional cybersecurity practice up a notch. Where you can, it's essential that you activate MFA. And there are some times where 2FA comes into place, which is two- factor authentication, which is very similar to MFA, but MFA typically has more than two ways to authenticate that it's you. Another thing that always sticks out to me is that none of us are totally safe. I have gathered that throughout hosting both seasons of the podcast so far that no matter all of the things that we put into place to make sure we're secure, there are always things that may happen that allow us to be vulnerable and then eventually get hacked. Any of us can get hacked at any moment, which is something that I cannot stress enough. None of us are completely safe. And if you're a SaaS business, cyber insurance is a great safety net. I had an entire episode dedicated to SaaS companies and cyber insurance with Ryan that, again, has so much information in it. But one thing that I would love to stress most is if you don't have a cyber insurance policy, you definitely need to get one. And that wraps season two of the Tea on Cybersecurity. I hope you learned as much as I have throughout this season. I like to joke with the team that pretty soon I won't be able to say that I don't understand cybersecurity. But I will also say the more I understand, there are so many more questions that I have. I want to get into the nitty- gritty of some of these topics, which leads to season three. So I hope that you find the Tea on Cybersecurity helpful and is increasing your knowledge. And I will see you soon for season three coming at the beginning of 2024. And that's the Tea on Cybersecurity. If you like what you listened to, please leave a review. If you need anything else from me, head on over to Trava Security. Follow wherever you get your podcast.