Slides to the online event "Creating an effective cybersecurity strategy" by Berezha Security Group, where we debunked myths about cybersecurity and recommended some easy-to-use practical steps to build an effective cybersecurity strategy for your small business. Meeting plan: 1. Widespread misconceptions about the cybersecurity of small and medium-sized businesses. 2. 10 steps to combat cyber threats. How to protect business effectively within a limited budget? About the speakers -Vlad Styran, CISSP CISA, Co-founder & CEO, BSG Vlad is an internationally known cybersecurity expert with over 15+ years of experience in Penetration Testing, Social Engineering, and Security Awareness. He is a BSG Co-founder & CEO and responsible for business and cybersecurity strategies. He could help businesses with consulting services in software security, cybersecurity awareness, strategy, and investment. Also, he acts as a speaker, blogger, podcaster in his volunteer activities. - Andriy Varusha, CISSP, Co-founder & CSO, BSG Andriy is an experienced top manager in IT-audit, consulting, and IT project management by leading outsourcing teams in Ukraine, Poland, and the USA. He also is keen on building customer relationships within the US, UK, and Western Europe geographies. At BSG, he leads the BSG advisory practice and consults development teams in all aspects of cybersecurity. About BSG Berezha Security Group (BSG) is a Ukrainian consulting company focused on application security and penetration testing. Our job is to help companies in all aspects of cybersecurity. We complete more than 50 Penetration Testing and Application Security projects yearly to know the business security vulnerabilities across the verticals. We help our customers address their future security challenges: prevent data breaches and achieve compliance. Our contacts: hello@bsg.tech ; https://bsg.tech

2. Over 15 years in cybersecurity
OSCP, CISSP, CISA
Blogger, podcaster, and conference speaker
Provides consulting services in software security,
cybersecurity awareness, strategy, and
investment.
sapran@bsg.tech
Vlad
Styran

3. 10+ years of experience in IT-audit and
consulting, IT project management
Experiences in leading large outsourcing
teams in Ukraine, Poland, and USA
Experiences in building customer
relationships within the US, UK, and
Western Europe geographies.
Leads the BSG advisory practice and consults
large development teams in all aspects of
cybersecurity. varusha@bsg.tech
Andriy
Varusha

4. Our job is to help companies in all
aspects of cybersecurity. We
complete more than 50 security
projects yearly. And we are aware of
the business security vulnerabilities
across the verticals.
We help our customers address their
future security challenges: prevent
data breaches and achieve
compliance.
About BSG

5. Top 5 popular misconceptions about SMB cybersecurity.
10 steps to combat cyber threats.
Questions and answers.
1.
2.
3.
Plan for Today

6. Top 5 Popular Misconceptions
about the Cybersecurity of Small
and Medium-sized Business

7. In fact, no one cares about how large or
how small your business is.
Attackers hack you first and think about
how to monetize it later.
Myth 1: Too small to be a target

8. Myth 2: Anti-virus is enough to keep you safe
They aren't, as any other "silver bullet"
technology that was hyped throughout the
history of computer technology, such as
firewalls, DLP, end-point protection,
sandboxes, etc.
As a great quote from the hacking history
book “The Cult of the Dead Cow” goes:
“Antivirus is better than nothing.”

9. Both these statements are incorrect.
There is a shared trust model in the cloud
that every business must understand.
You are responsible for the security “in the
cloud,” while a good cloud provider is
responsible for the security “of the cloud.”
Myth 3: Cloud services are secure.
Or cloud services are insecure.

10. Shared Responsibility model for cloud security
https://www.cisecurity.org/blog/shared-responsibility-cloud-security-what-you-need-to-know/

11. Myth 4: Cybersecurity is too expensive
If you do small business, your stakes are
relatively low, as is your cybersecurity
investment.
If you grow your business, your stakes
go higher as a cybersecurity investment
does.
The effectiveness of your security
spendings is a matter of both what you
do and how you do it.

13. Myth 5: IT is responsible for cybersecurity
It is false.
Understanding cybersecurity is essential for
modern IT professionals and business units.
However, the responsibility for cybersecurity
resides solely on those responsible for the rest of
risk decisions: the business leaders.

14. 10 steps to combat cyber threats
How to protect your business within a
limited budget?

15. WARNING: Your threat model is not our threat model

16. Educate employees
1.
Humans are not the weakest security
link. Humans are the product of
evolution conditioned to produce the
risk-aware species. We are better at
seeing a tiger in the grass than
identify cyber threats, though.
Humans are the best weapon you
have against malicious hackers. You
just have to train them.

17. 2. Enforce two-factor authentication
Turn on two-factor authentication on every
website, in every system, in every app you use.

18. 3. Use encryption to protect data
and communications
VPN for sensitive
communications
E2E messengers
HTTPS on all websites
Encrypt files in the cloud
Data encryption – everywhere

19. Update the software regularly and
install an anti-malware solution on
computers, smartphones, and
other electronic devices your
employees use.
P.S. Remember the AV efficiency.
4. Protect the endpoints

20. Move to the cloud: SaaS applications, IaaS
hosting services, and other professional third-
party services with good security practices.
You will never protect your MS Exchange
better than Microsoft can protect O365, or
Google can protect G-Suite. Mind your threat
model, though.
5. Abandon Earth

21. Use a logging solution or another
way to get early notification about
being compromised.
"Amateurs don't want to get
hacked. Professionals don't want
to remain hacked."
6. Know when you are hacked

22. 7. When ready, start using
a control framework
CIS – Center for Internet Security
NIST – US National Institute for
Standards & Technology, SP800 series
ISO 27000 series of Information Security
Management standards
PCI DSS standard and supplementary
materials

23. 8. Get cybersecurity insurance
Cybersecurity insurance is still
affordable to most companies.
To lower the premiums, you should
follow some basic cybersecurity
practices and show them to the
insurance company.

24. 9. Do backups
Backup your data regularly to save
yourself the time and pain of trying
to recover lost data.

25. The “what you don’t know can’t hurt you” principle
does not work in cybersecurity.
Cyberthreats are invisible, but their consequences
are very much apparent.
Without regular testing of your protection, you have
no idea if it matches the attackers efforts.
10. Challenge your security

26. Useful Links,
Reports, and Tools

27. World's Biggest Data Breaches & Hacks
https://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/

28. Data Breach Investigations Report
https://enterprise.verizon.com/resources/reports/dbir/
Key takeaways
Industry highlights
Best practices
Classification patterns
And many more

29. NIST documents and frameworks
https://www.nist.gov/itl/smallbusinesscyber
NIST Cybersecurity
Framework
Small Business Case
Studies
NIST Cybersecurity
Framework
Cyber Insurance
Cybersecurity Resources
Roadmap

30. FTC
https://www.ftc.gov/system/files/documents/plain-language/pdf0205-startwithsecurity.pdf

31. Small Business Big Threat
https://smallbusinessbigthreat.com/access-resources/
Online-Security-Best-Practices
Cybersecurity-Tools
Cybersecurity-Canvas
Security-Best-Practices-for-
Mobile-Devices
Ransomware: What you really
really need to know

32. Center for Internet Security
https://www.cisecurity.org/wp-content/uploads/2017/09/CIS-Controls-Guide-for-SMEs.pdf
Inventory of Authorized & Unauthorized Devices
Secure Configurations for Hardware and Software
Continuous Vulnerability Assessment & Remediation
Controlled Use of Administrative Privileges
etc.

33. CISA
https://us-cert.cisa.gov/resources/smb
CISA’s Cyber Essentials
Cybersecurity Resources
Road Map

34. National Cyber Security Alliance
https://staysafeonline.org/cybersecure-business/

35. Microsoft Security Youtube Channel
https://www.youtube.com/channel/UC4s3tv0Qq_OSUBfR735Jc6A

36. Projects and Clients
Review
BSG Security
Findings
https://bit.ly/bsg2020report

37. Questions and Answers

38. Stay in Touch With
If you have any questions,
please contact us at:
https://bsg.tech
hello@bsg.tech