Business Owner’s Guide to CMMC
Ep 2: Top Two Cybersecurity Tips
Watch episode 2 of our Business Owner’s Guide to CMMC series with Ben Scully (Avatara) and Dan Langley (Lupa Advisors), or read the transcript below. Stay tuned weekly for new episodes containing actionable insights and an overview of each CMMC domain.
BEN: So, if we have a DIBS (Defense Industrial Base Sector) CEO sitting right across from you and they are a little bit overwhelmed about the whole situation, what would you tell him or her that you think are the two top things that you would start with to start to just secure your infrastructure? Forget about the paper. Forget about all the rules. If I want to secure my business, my data, and the work that I’m doing, what are the two top things that you would tell them to do?
DAN: I would say patch your systems. Stay up to date. We go through and we find security vulnerabilities that are announced weekly. You have to make sure your operating systems are up to speed. So, patch your systems. Three years ago, there was a virus that came out called Petya. This came out in March; it exploited a vulnerability we knew about in January of that year. So, if you didn’t patch your systems in January, you were exposed to it and you were hit. Six months later, another virus came out exploiting the same vulnerability. It was called NotPetya. So, you got hit twice if you didn’t patch your systems. Number one: patch your systems. You have a phone? Make sure you’re doing your iOS or Google updates, okay? It goes down to the user level. That’s probably number one. Number two: train your people. I go into my business today, and I talk to the people, I say, “do not click.” Whatever it says, if it’s an invoice that you don’t recognize, if it’s a “here’s the document you wanted”—do not click. Eighty-two percent of breaches happened through human involvement; somebody clicked on something bad.
BEN: Yeah, I would echo that completely. People ask me a similar question, and when I start to talk about cyber education, they kind of look at me funny, like that’s not really security. Well, quite frankly, nowadays fewer things happen through systems that aren’t patched and more things, like you said, happen because of people. And people not doing the right things that we all kind of look at and say, “oh, I wouldn’t have clicked on that.” So, there are some obvious ones, but the thing that makes it more difficult now is the threat actor. They’re good. When I sit down with the guy that kind of runs our cyber education program and I look at some of these things that people are doing now, I’m like, “oh my gosh, I would have clicked on that.” I mean, they’re getting really, really good. So, it’s critical, critical, critical that you’re continuously educating your employees, doing simulated phishing attacks, and while that doesn’t sound like IT, you know, it kind of sounds like education, it’s a tremendously important part of the overall security stature. So, good point.
Need help getting compliant?
Avatara’s DoD Platform is a turnkey solution for centralized data and easier compliance. Schedule a free consultation today to learn more.