Episode 24 Part 1- ISO – Cybersecurity as a Form of Quality
ISO – Cybersecurity as a Form of Quality Part 1
On this episode of the Quality Hub, host Xavier Francis engages in a crucial discussion on cybersecurity with Scott Dawson, President of Core Business Solutions. They highlight the diverse tactics employed by cybercriminals, from phishing to malware and social engineering. They share a recent survey reveals that a mere 14% of small businesses have a cybersecurity plan in place, leaving a staggering 86% vulnerable without a formal strategy.
Core Business Solutions publishes ISO Certification podcast episodes weekly. You can find more episodes here.
Episode 24 Part 1 Key Content
Hello, everyone, and thanks for listening to the Quality Hub chatting with ISO experts. I’m your host, and today we’re here with the President of Core Business Solutions. Thanks for being here again today.
You bet. And it’s kind of cool to be in the new studio setup.
Yeah. Yeah, I’m liking this. I think it’s going to be interesting. We’re not going to do it every podcast, but here and there we can. You know, I get that. It’s always a pleasure having you here. And for everybody who’s listening and watching now over the next several weeks, we’re excited to explore a range of ISO standards beyond the well-known ISO 9001, at Core Business Solutions our ability to work with companies extends well beyond ISO 9001. We support our customers with consulting, training, software, and a comprehensive array of ISO standards. In addition, we support cybersecurity, which is what we’re going to be talking about today NIST and CMMC compliance and certification. But as I said today, we’re going to be talking about how cybersecurity is a form of quality from a high-level business point of view. So we’re talking about cybersecurity. I’ve been on the show before. How did you get so interested in cybersecurity?
Yeah, great question. And it was our customers asking. This topic today is kind of pertinent to me because it was our customers who are generally ISO certified of some kind. Asking us if we could help them with cyber security because they’ve seen how we’ve kind of simplified compliance for ISO. Can we also simplify compliance for cybersecurity? At first, I was a little intimidated. I mean, a lot of people are.
Well, yeah, rightfully so.
Kind of intimidated by this. You know, it is just another vocabulary to learn is what I’ve come to understand. But cybersecurity is just a threat that’s out there that anybody faces. Everybody faces. You know, with our phones and our tablets and our computers and our lives out now. Online, you know, a cybersecurity incident or attack or problem could jeopardize your family, could jeopardize your finances, could jeopardize your business.
You know, and so many different respects. And, you know, we talk a lot about health and safety and environmental impact, and those will be topics down the road. But cybersecurity is kind of the hidden threat that we don’t necessarily see as we walk by and see things. Unless you’re pretty technical. But it is real. It’s very, very real, even though it’s sort of unseen. So I’m just really fascinated by that, by the topic. I’m also interested in it just because of that. The, you know, how prominent it is in our world and how misunderstood it is. And people don’t know what to do about it, especially non-technical folks. Who isn’t in I.T. or something like that?
Well, and business owners where you’re focused on making money and keeping the business rolling and yeah, payroll and what are we build and what’s new stuff coming out. Oh yeah. We use computers for that. Okay. But they’re working.
That’s right. You know, I worry about our finances. I worry about our customers, I worry about our employees. And so all of that kind of leads me to look at our processes and procedures and the methods that we use to protect our business in those respects. Cybersecurity is also very prominent in our business because we are an online company. So I’ve had to engage myself not just generally into the world of standards and compliance with cybersecurity, but protecting our business and our customers and our employees because we handle a lot of information that’s important to a lot of people.
Yeah. I mean, we’re look, we’re not just talking about information. You’re talking about our website. That’s the front end of people. Of how they see us. If we can’t connect with people via Zoom, whatever, you know, teams, whatever we use to communicate with them, we can’t do business with them.
Yeah, that’s right.
You know, it’s. We’re beyond the telephone call. I mean, you know, what’s your fallback? And even now, some of that’s Internet-based, so it touches everything.
That’s right. Yeah. Our phone system is a web-based phone system. So even our telephones are, you know, hackable. Well, absolutely.
Yeah. Well, in that vein, what are some common ways cybercriminals attack a business?
Yeah. And you are right to use the word, cybercriminals, it’s no longer just the hobbyists trying to do this for sport. You know, it’s kind of where the cyber attacks kind of germinated in the early days. It wasn’t really for necessarily nefarious reasons. It was more of a challenge. Can I hack into a bank system? You know, and brag and bragging rights with your buddies, you know, And I’m talking early days. You know, in the late nineties, early 2000s.
But people have figured out that you can make a lot of money and you can extort people and you can steal things and you can resell things that you’ve stolen all this information base type of. It’s motivated a lot of cyber criminals around the world to make a business out of this. But there are different techniques and different approaches and we hear these and they sound a little confusing because again, the vocabulary and the terminology are unfamiliar. I guess the one that I think about first is the phishing attacks. P H I S H, the play a play on the word right.
But what phishing means is that an email or a text message or even a phone call was sent to you, a voice mail, and they’re trying to get you to respond and reveal some kind of sense of information or to click something that might allow a hacker to get access to your computer system.
So they’re throwing you bait hoping they can hook.
That’s exactly what it is. And it’s a numbers game with them. You know, they send out millions and millions of these messages thinking they’re going to deceive some people and all it takes is somebody to click on something or to reply to something. And then they’ve got you or they’ve got your information or they’ve got the access that they want. Email is one way that they do it. So they’ll send email messages, they’ll sound legit. They often have things like urgent messages or information that they need to clarify or they want you to validate your your logging credentials. They want you to update your payment information. Things like this tend to be the themes they’re they’re looking for you to reveal, you know, information that shouldn’t be revealed by tricking you into a response.
Right. And there are different levels of that where you might have it on email. You might have something that specifically attacked. There were certain individuals in an organization, those in leadership.
Yeah. And those are called spear phishing. So they again, take the analogy and instead of just I’m going to try to catch any fish, you know, I’m going to try to catch that fish, right? And then there’s even a bigger play on words called whaling.
So you need a harpoon at this point.
Yeah, exactly. And a big ship.
And a big ship.
And a big ship. But that’s where they’re they’re targeting people at the “C” level in a corporation or ownership who have access to big, big bucks. You know, big information.
They can write big checks.
Yeah, but they’re all under the fishing kind of banner if you will. Malware is another one. Malware means that they secretly install your back end or under-the-cover software so you can be on your computer or your phone generally. And that can happen through a phishing email. A phishing email might come in, you click a link, and that then opens up your computer to allow malware to be installed or copied onto your computer.
Now, what might that do? What might that malware do?
Yeah, malware can be very devastating. One of the ways I think we hear in the news a lot is ransomware where they’re holding your computers and your information hostage for payment. So what would happen is something a program gets installed on your computer either that day or months later it gets activated and a screen comes up and says,
Hey, all your information has been encrypted. We are not going to give your information back unless you make a payment and most of those payments are big dollars, big dollars. So at that point, you either get to pay the ransom and hope you get the information back or you go to a backup, you know, hopefully, offsite backup that you have of your data and restore it and don’t pay the ransom or you’re just out of luck and you’ve lost the information.
Yeah, And that’s the thing that a lot of people don’t realize. Like, we don’t have anything important on that, you know, meaning like, you know, if it’s it. But even if it’s just your spreadsheets and you know what your plans are and things like that that nobody else could use, yeah, you still need it.
They may not monetize it, like resell it in some way,
But it’s important to you.
Exactly that’s out there playing on. Is it important to you and the disruption it might have to your business? Trojan is another kind of malware. Those have been around a long time, but a Trojan means that they disguise the malware as a real program like Microsoft Word or some kind of an icon that you would normally click. And when you click on it, unbeknownst to you, it then launches this routine that gives the hackers access to data or transmits the data to get information from your organization.
Spyware is a little bit different. But again, another kind of malware that where can monitor what you’re doing on your computer, there’s one called a keylogger that exactly what it says as you’re typing, it shows up on the bad guy’s computer, exactly what you’re typing. So let’s say you’re typing a password or credit card information or something like that. It’s just getting time to write out for them. So, different ways that malware is used, but its malicious software is what it is.
That’s one of a couple of others just to mention. One is called DDOS Attack. DDOS stands for Distributed Denial of Service. What does that mean? It means they lose your your website with requests, millions of requests that basically bring your website down to a crawl or take it offline because your website can’t handle that amount of traffic totally an unusual level of traffic. Specifically targeting specific companies typically their website to take it offline and sometimes that’s a company with some kind of ransom type of thing or sometimes you don’t know why it happens. What was behind it?
Again. Well, I have a website. Well, is that how you communicate with your current customers? Is that how they log in and get their data? If your credit card company or any of that, think about if your website’s down if you have software as a web-based service. Oh my goodness.
Well, like ours.
Yeah, exactly. We have anything that can just take that down and now you know you’re out.
Yeah, Yeah. And those are hard to protect against because they’re happening on the legitimate level of the web of the Internet. And it’s just requests. It’s just, you know, think of it as links being clicked. But millions of them. All at once And your no-no website is set up to prevent that and to to protect against it. It’s almost impossible.
It’s almost is response thing you have to be on.
Yeah exactly right. Yeah. And then there are others I guess the last one I want to mention is social engineering because that’s where they try to trick the human being into revealing some kind of information. So say, for example, you know, someone calling and impersonating IT or calling and impersonating somebody in HR. Hey, I’m new in hr. Nice to meet you. Just wanted to make sure that we had your personal information updated. Can I just ask you a few questions? And right over the phone.
Take. Take a minute of your time. Won’t take long at all.
Take a minute of your time. I’ll take it. But they kind of impersonate somebody who’s legit and fool you into revealing information. Sometimes on a computer or sometimes verbally or in person, that if there’s a way to make money, it’s probably happening. And it’s no different than any other kind of crime.
Just a different form of thievery or ransom.
Exactly. Right.
Yeah, It seems to be this does seem to be a lot of people attack. So it seems it’s not just hardware software, but they’re they’re reaching out to people and making you feel like you’ve got to respond. Right now, we have an emergency. Oh, you know.