Debbie Reynolds, "The Data Diva,” talks to Elizabeth Wu, Founder, CEO, and Cybersecurity Auditor and Advisor, PC DOC Canada. We discuss explaining cybersecurity to CEO’s, a public relations campaign needed for cybersecurity, a collaboration between public and private organizations for cybersecurity, handling the risk of external and internal cybersecurity threats, Microsoft Exchange Server security in the news, the importance of systems patching, responsibilities to audit IT processes, proactive cybersecurity education, the importance of enforcement of security policy and her idea for data privacy or cybersecurity in the future.
Debbie Reynolds, "The Data Diva,” talks to Elizabeth Wu, Founder, CEO, and Cybersecurity Auditor and Advisor, PC DOC Canada. We discuss explaining cybersecurity to CEO’s, a public relations campaign needed for cybersecurity, a collaboration between public and private organizations for cybersecurity, handling the risk of external and internal cybersecurity threats, Microsoft Exchange Server security in the news, the importance of systems patching, responsibilities to audit IT processes, proactive cybersecurity education, the importance of enforcement of security policy and her idea for data privacy or cybersecurity in the future.
Elizabeth_Wu
40:50
SUMMARY KEYWORDS
cybersecurity, companies, penetration testing, patches, Microsoft exchange, users, audit, important, updates, people, prevent, network, house, password, auditor, business, bit, firewall ports, computers, risk assessment
SPEAKERS
Elizabeth Wu, Debbie Reynolds
Debbie Reynolds 00:00
Personal views and opinions expressed by our podcast guests are their own and are not legal advice or official statements by their organizations. Hello, my name is Debbie Reynolds. They call me "The Data Diva." This is "The Data Diva" Talks Privacy podcast, where we discuss privacy issues with business leaders around the world for information that businesses need to know now. Today, I'm super excited to have a friend from Canada join me. Her name is Elizabeth Wu. She is the CEO of PC Doc. And she is an award-winning Cybersecurity auditor and advisor. Hello, Elizabeth.
Elizabeth Wu 00:43
Hello, Debbie. Thank you so much for having me here.
Debbie Reynolds 00:47
Yeah. As I was saying award-winning, I want you to explain recent awards you received.
Elizabeth Wu 00:54
Oh, thanks. Yeah, well, we just won the Canadian Business Award for Cybersecurity IT Auditor. And that was such a great honor given that we've been in business for over 20 years and to be recognized among our business peers is a huge honor.
Debbie Reynolds 01:15
Yeah, you're, you know, you and I met on LinkedIn. And we have some chats. Together, we had a couple of chats actually, where we just sort of talked about, you know, being women and technology and you know, sort of, in the cybersphere, but in different ways. So I thought it would be really great that we do a podcast together, especially since I love talking to people from Canada, and I love to talk with women who are in technology. I would love for you to talk about your ideas, which I really love, which is explaining cyber in ways that CEOs can understand as, as they may be the ones to be like ultimate decision-maker, whether you're going to bring on, you know, extra help, or figuring out where the gaps are in their organization. Tell me about your approach to explaining cyber to, you know, CEOs who may need certain help and may not know what they need.
Elizabeth Wu 02:22
Absolutely, and this is partially why we won the award because we have such a holistic approach that's distinguished Lee different from what you see in the media and at what's available are easily recognized by CEOs, business leaders. What's out there is the buzzword is Cybersecurity risk assessment. And the sad part about this, Debbie, is that that one terminology means so many different things, depending on who the vendor is. But unfortunately, as a business leader who doesn't know anything about it, or very little, is going to think, oh, it's all the same thing. And, and the sad part is that it's not a Cybersecurity risk assessment out there. And if you're, you may also hear it in adjacent to penetration testing or hacky ethical hacking. And that's really just about scanning the firewall ports. So that's a very perimeter if you think of it as a fence around the house, so really, what that penetration testing is doing is just checking all the boards on the fence or the chain link to see if there are any weaknesses in that perimeter. And they really, that's what their risk assessment is like. Then there are others where they will go a little bit deeper and look at applications and software vulnerabilities. Again, that's another Cybersecurity risk assessment. But with the work we do is where we really go back to the basics, the fundamentals. If you again, we go back to the metaphor of the house we're doing is we check the doors and locks to make sure that one there are secure that they're tied down, we have the type of locks the proper locks that are on the doors and the locks. And then, going even deeper into the house, we want to make sure that all the valuables that you have inside are properly tied down, hidden, and secured to prevent any type of theft. So that's really what we do. It's very hands-on very specific to the organization to ensure that there's safety in the valuables, which is also including the people of the house, so we also make sure that the users and the employees are also safe and prevented from any type of attacks. And that that also leads to the phishing and email scams that go on.
Debbie Reynolds 05:11
Yeah, I think that I don't know. I don't know what your opinion is about this. But I feel like we may need a PR campaign about Cybersecurity because there's so much misinformation. I think that happens in the media, about talking about Cybersecurity, where they may conflate things that aren't really associated together or, you know, what I see a lot is people think that anyone that does a technology job, you know, can do every single facet of Cybersecurity, what are your thoughts about that?
Elizabeth Wu 05:47
Oh, my God, that is so true as it's, you know, what the English language is so limited do not find. So we've got this one-word Cybersecurity risk assessed by terminology, Cybersecurity, risk assessment, and it is or IYT. You're the IT guy. You know something about computers, well, then you could take care of my entire network. And I, when I was trying to hire an expand years ago, this is what I did. I went to the top graduating class around in the university and colleges around here, and I said, guys, I'm looking to hire. Then I went to headhunters. And I said, I'm looking to hire, and the mishmash of experience and knowledge that I got didn't amount to anything because the education system is so segregated to something very specific. So you are, you could be an Exchange guy, or you could be a System Administrator guy, or you could be a Database guy. But and that's your, that's all you specialize in, and as an academic, but then when you graduate, you need some experience. And then the guy who's hiring says, Oh, you knew something about computers? Oh, sure, I'll hire you. Now, can you take care of my entire network? And unfortunately, what happens is that the guy who just specialized in the database, for example, he spent four years learning all about databases, because he knows something about computers gets hired on by the business owner, who says, you know something about computers, then. And he ends up having to Google University himself in troubleshooting on the job to try and get some understanding, so you can help the business owner. And that's unfortunate. The truth is of it is that you get the label of the computer IT guy. And the assumption is that you know everything, when in fact, it's not true at all. Yeah, that's a huge misconception. And that's a huge problem. I really think we need to do more public outreach about explaining what Cybersecurity is and all the different domains because it does get, you know, put into one little, you know, box. So, I guess an analogy I will give will be, you know, like a doctor, so a doctor, not every doctor can do every type of medical thing, right.
Debbie Reynolds 08:18
So,
Elizabeth Wu 08:19
It is really great because you can have a Ph.D. doctor.
Debbie Reynolds 08:22
Right.
Elizabeth Wu 08:22
You can have it be a dentist, doctor, a chiropractor, doctor, and never married. Right? Yeah. And you know, and if that is, that's actually a really great way Debbie, you know, it's Cybersecurity, because it's such a trendy hot topic right now. Anybody who attaches Cybersecurity to their name is sought after. And there's the CSOs out there, there, there was a brand new title of fairly recent, their Chief Information Security Officers, their title, and their role is super important. I'm not knocking them at all because they're, they're highly educated. But the sad part about this is that they don't have the technical experience to be able to showcase what's important, mechanically and technically, What's wrong in the company. What they're really good at is organizing plans, executing plans, baby be able to find the right type of vendor that is appropriate to the tasks that are required. But to know whether that task fundamentally is the right fit and technically done correctly is, unfortunately, a bit of a gap in their role. So going back to what we do, we've been we've gone through the race, we started as the IT guy in the neighborhood, then we went into being it for a journal for small, medium-sized businesses. We then became its auditors from an ISO 27001 lead auditor. And then we moved up again, still to the Center for Internet Security Framework. And all the way through, we have been working from businesses of coming from the perspective of the root cause. And also, once it's fixed, once it's fixed once it stays fixed, and I use a metaphor that says, Look, a house, you had your house built, and you don't expect your builder to live with you or to be on call with you. And we take the same approach with our IT infrastructure, anything we touch related to computers, whether it be your laptop or your entire operations, what if it's broken, we fix it, but we look for the root cause of why it was broken, to begin with. So that's how we come up with once it's fixed, it stays fixed with us. And that's the way we've been operating for 20 years.
Debbie Reynolds 11:08
Yeah. Before our session, you're talking about penetration testing. I like to bring this up because it's come up a lot in posts on LinkedIn recently. You know, you had had a metaphor about, you know, having a fence around the house, which I think is really interesting, especially because a lot of people are saying, oh, let's do this penetration test for this company. And it may give the CEO or the leaders of the company the misconception that that's all that they need. Can you explain that a bit?
Elizabeth Wu 11:43
Sure. The penetration testing, like you just said is, is like the perimeter around your house. It's like the fence that's around your house. And if you've got a wooden fence, for example, each plank, you don't know whether that's if it's secured, it could be a little loose, it could be completely just leaning. So you don't really know that. So what penetration testing is all about is just literally testing each piece of the wood board. And that would be your firewall ports. And outward firewall, ports could be their public-facing like your website, or you've got firewall ports that are also outwardly facing, and they're just there to protect anybody, any outsiders from coming in? And if so, what is one little bit cumbersome. So what some of you imagine walking by your fence, and they're testing each board, they're shaking, to see if it can come loose or not. And that's what penetration testing is doing. They're coming in, they're scanning an external facing port, and they're checking their sending out a signal to see if somebody is there. If somebody is willing to answer, if somebody is willing to answer from the inside, that means that port or that piece of board is loose. So then, if someone is willing to answer their signal, then it must be open. So then they'll send a packet of information. And that could be a virus or ransomware file of some sort. They'll send it through and handshake with their internal response. And that packet will then be incorporated into the network. And that's how they get inside. Now, the way to be able to do that is sorry, does that answer your question?
Debbie Reynolds 13:50
Definitely, yeah, that answers my question. Okay. So now that we talked about the perimeter, right, let's talk about inside the house inside the organization, insider threat. So insider threats are a big deal, in my opinion, because I feel like, especially in the media, a lot of times when you're talking about Cybersecurity, you see the picture of a guy in a hoodie in the basement. He's trying to like get into your network. But obviously, you know, what can someone do when they're inside, let's say outside, naked inside your network, but also there are threats that companies have, whether it's malicious or not inside that may cause them harm or Cybersecurity. So can you talk about the types of insider threats that companies need to be thinking about?
Elizabeth Wu 14:58
Well, there are different types of insider threats. And well, there's a term that's not really popular, but it is out there. It's called the human firewall. And the human firewall is, is basically all of us were users. And that would include the IT department, they're human, and they're part of the human firewall, we, we are our own biggest threats as humans, because we're, we make mistakes, and we can oversee things. So the largest weakness that we have to protect ourselves against any type of cyber attacks is is to ensure that the strength of the human firewall has integrity. And there are two sides to this one are the interaction of the emails that we have. So we can definitely prevent any type of Internet, we can prevent any type of ransomware viruses from coming in if we don't click on those horrible phishing email expeditions. But the other part is the software updates of our operating system. And that is where those little in the icon bottom right-hand corner, we see Windows updates are ready to install or download. And quite often, there's a lot of us that ignore it because we know that once they've been installed, there's a reboot that's about to happen. And then the thought for us to say I'll do it later, I'll do it later. But that importance of having to install those operating system updates is so vitally important. And that that also applies to the servers that we have on our network. They also have Windows updates that need to be done. And the size is completely supportive. And I have empathy to the IT department site, sometimes they don't install those Windows updates, because they don't have time. And to reboot the servers takes quite a bit of time. It's not a few minutes. Sometimes it can take hours for that to be done. And it would also knock everybody off the network if they were to install those updates. So there's the IT department being human and the users, the employees also being human, are a big vulnerability to ensuring our, the corporation is, is secure.
Debbie Reynolds 17:41
So when people think about, you know, insider threats, one thing that they may or may not be considering are, you know, people putting past passwords on post-it notes, because they can't remember it, it's too hard for them to remember, or business people you know, in executive positions that may have passwords, or may have more access to stuff than they actually need, which becomes, you know, executives are high targets for people outside to try to get into their information, and it makes it you know, more dangerous once someone gets their information. You know, like, let's say, executive, sharing their password a with an assistant or something, and maybe that assistant somehow, you know, gets compromised in some way. So what are your thoughts about that in terms of just what companies can do on the inside of their organizations, not necessarily thinking about our cyber-attacks?
Elizabeth Wu 18:57
Well, as a matter of policy for corporations, they should, their password should be changed at least every 41 days. And with, with rules in place for it being a minimum of 8-10 characters with a special and a special character and a number inclusive with capital letters. So that's at the bare minimum. I find in smaller organizations, those types of policies are those rules for their passwords aren't in place. The last audit that we did, even despite having a huge IT department, and I'm talking about nine people they had a Director, a System Administrator, a help internal Help Desk. This company had been around for 50 years, and the people that have worked there for almost that long had never changed their password. And to no surprise, they got hacked. And, and there, there was a lot of damage that had been done through that, that one cyber attack. So through our audit, we discovered, obviously, that they didn't have this type of password policy in place, the passwords were almost identical, identical to what used to being there, some of them had their password under been a little post-it note underneath our keyboard hidden. Yeah, our auditors are on their monitor, or somewhere on a notepad sitting beside their mouse there those types of protocols shouldn't be part of, we shouldn't have to remind people in whether they be executives or users staff anywhere on the floor, that that that cannot be done. And to remind their IT department to put this type of policy in place when they log in, they do Ctrl-Shift, Control, Alt Delete, to login in the morning, that that has the rule of having that policy every 41 days, at a minimum should be done.
Debbie Reynolds 21:25
Right. I would love to talk a little bit touch on patching a bit. And I want you to explain a bit about what happened with the Microsoft Exchange incident that, you know, the government the US without an advisory telling companies that they needed to do this patch update to Microsoft Exchange because there was a there was an issue that could create vulnerabilities right, with companies that were using Microsoft Exchange on-premise. Can you just sort of detail what that incident was? And what are your thoughts about it? Well, I think this is by far the largest and global impact on any network. I mean, they went right. These guys who released the ransomware went right for the jugular. Unlike other attacks that have been that have gone on to data breaches of large corporations, as we know about Cisco, we know, but Equifax, Yahoo, those were all corporations that were very specific to the attack. Those attacks cost billions of dollars. But they were isolated incidences. What, with this recent attack on Microsoft Exchange, it's an entire it's a software. So let me first add an I'm not sure if your users know, alright, sorry, if your listeners know, but what Microsoft Exchange is and why this was such a huge impact too, I think the last count was 80,000 servers, and counting. So Microsoft Exchange is, is a software platform, very much like Microsoft Office and Microsoft Word, Outlook PowerPoint. But Microsoft Exchange is a program that allows a company to house their email in-house. So it would be like a post office but housed inside the corporation. And what this software allows, it basically manages all the emails coming in and out. So if there's any type of odd bits, spam that comes in, so it gets filtered right away at the Exchange Server, and then that so you as the user recipient aren't going to see stuff like that, like by grow. So that's what Microsoft Exchange is all about. It's really all about your postal office, post office inside. And now, many corporations, how's their email in-house. And so now you can understand, like, if I'm a corporation, you're a corporation, and we all decide to use Microsoft Exchange to house our email to manage our email. Why this, this vulnerability, and this ransomware attack has been for these data breaches are so huge. It's a nuclear bomb that's gone off to affect all these different post office boxes inside as a said 80,000 servers and counting all across North America. That's why it's. It's devastating. Yeah, and then two, I think, a concern that I have? Well, my double concern is, you know, unfortunately, some systems are not up to date on patching. So they may have to do a lot of patches to get to a place where they can Institute this patch, right. And then a lot of companies, unfortunately, keep that exchange information or may replicate it other places. So, you know, I always like to refer to the server in the back room where they have all emails, and you know, the server may be out of date can't update it, you know, it's vulnerable. Unfortunately, it's probably still connected to the Internet, or something like that concerns as well. What are your thoughts about that, especially legacy data that are connected to the Internet?
Elizabeth Wu 26:01
That they will everything is, once you get once a ransom is, is in or any type of viruses into your network, it has access to everything and the email, it just has to pretend it's a valid email for to gain access to all the accounts. It's not just the accounts of the users. It accounts for the contact lists, the data, the data of your vendors, of your clients, of everything. It just multiplies, metastasizes all over the place. It's 100% dangerous. And so from there, what it can do, if all of the recipient laptops, servers, desktops don't have their software patches, their operating system patches installed, then they're all at risk. And again, it just metastasizes and becomes available to anyone who doesn't have their patch in. And it's a sad state because it's such a simple task, simple activity for everyone to do. But unfortunately, it's ignored. And therefore, it ends up hurting a lot of companies and costing huge billions of dollars for companies. Yeah. And warranted.
Debbie Reynolds 27:23
Yeah, I know. I've heard some people like, well, we can't stop the server down because I'm working or I don't want to reboot my computer and or patch it. It's like, you know, those, you know, even if you have one person in your organization that that is, you know, stopping that from happening that could be you know, that's the door, that's the open plane, right, where someone can get in and infiltrate someone's network, right? Well, you know, what goes back to our audit is that I feel bad for IT. Because you are back to what we talked about, like the IT guy, and having to learn how to manage, you got all the users and their desktops and their performance issues, you've got the business in the corporation who is demanding your time and service, and you've got security. So you have all these different types of tests and responsibilities attached to your one label being the system administrator and network administrator. So what we do in our help and support of that is we're able to assist both on the IT and the business side. Or we're able to audit to know exactly what patches, where are those patches? What are those patches that need to that are missing and need to be installed? So, where the business is no longer having to waste time and resources to get those installed? The IT department now knows they don't have to go from desktop to desktop, but they can be given a list bias as to which updates are missing from which desktop server laptop, the and that that's that has been a huge, yeah, it's a huge, but it's been a bit of a lifesaver for the IT department because there's no luck, no more guessing, they could just go through our task list and just get it all done. And then we can verify that to say yes. In fact, these updates have been done. And so you're now up to date and secure. Now, what are your thoughts about educating people about the proactive side of Cybersecurity? So, you know, I like to say that a lot, a lot of companies too many companies, right? Think of Cybersecurity like a fire department. So they don't think they need it until some emergency happens. And then they kind of scramble to get someone or some company to help them out. Where really, you know, they're if I really There's a proactive part that has to be in place that will help reduce your risk. So that when you do have an emergency is kind of, you know, less impactful to the business. Can you talk a bit about that?
Elizabeth Wu 30:12
Sure. Yeah. I think if we go back to the house, yeah, sure, we don't have to lock the door. We can all assume that our neighbors are going to look out for us. We can all assume that, you know, my house won't get broken into. The guy next door has a much bigger and fancier house than I do. So why would he break into my house? Well, that's kind of a silly attitude, right? It's sort of that's the sad part of the businesses is that they always think, well, no one's gonna, why would a hacker come in and break into my company, I, I'm just a small business in Toronto, or I'm a small business in Nebraska. There's, there are all these big banks that are much more lucrative and worth their time to hack. But that's not true. Because every record and every piece of information that you have in your, in your company is valuable and important to the hack, so to be able to prevent any type of stuff, it warrants just the ability to be aware, first of all, that you are not innocent, you could very well be the next victim. That's number one. Number two is to do this. The attention to detail is so important to know that your IT department or consultant is there to installing your updates on all your servers and desktops. An interesting fun fact is 70% of the data breaches that have occurred so far could have been prevented. And by the simple installation of those operating systems and software updates. That's number two. And number three is it's there's a lot of talk about policies. So having the process and policies in place, for example, USB encryption keys, that that there they are either allowed or not allowed to be used. Well, you can have a policy in place that says these five USB flash drives are authorized to be used, but you don't know. Until How would you know that? How do you know if somebody is using it or not using it? That's, again goes back to our audit, where we're able to monitor, and we're able to actively see whether those USB flash drives are have been authorized to be used or not. And, and that's really important is that it's one thing to have a process and policy manual for your Cybersecurity. But if you're not willing to enforce it with your staff and your users, then it's just another piece of paper.
Debbie Reynolds 33:10
Yeah, I think enforcement is key within the organization. And then also, I see a lot of companies run into trouble because they make exceptions for certain executives. So you know, for example, let's say if a company has a policy that people's passwords get changed every, you know, 30 days or so, or 40 days or 90 days, but then they have an exception where this group of people, they never have to change their password. It makes that that executive is more vulnerable because they're going to be at the higher target anyway, in terms of someone from outside trying to get in. And then you have a situation where, you know, possibly the path of the super easy password that they have is being used by someone else, right. Yeah, exactly. You know, the, there's no such thing as an exception, just because you live in because you're just because you're the executive, or you're a director of some sort, it doesn't give you the exception to say, Oh, no, we won't hack you. Oh, no, we won't, we won't install that ransomware into your house, that doesn't give you privileges to the hacker or to the guy who's sending out the virus ransomware. He's sending it out to anybody who's the loose board. You know, if we go back to the Premier, to the loose board that is open and available, he'll send it in through but and while again, I'm not suggesting that that's not important. Is penetration testing really important, but just so for the executives or for the business to understand the difference. So that in it in a corporate network, you don't have just five network ports that are open. Everybody who's whose computer is attached to an IP address is open and available. So that port has to be scanned and protected. And if they're not open, sorry, if they're not protected, then you have to go to the next slide, which is back to our house. Are your doors and windows locked? And if those doors and windows aren't locked with the right fit of luck, then there's still a chance that they could get in. So then we go down even deeper, you know, are the are your valuables inside the house locked down? Are they weak in any way that is a threat, that a thief can still take it, so we want to make sure everything is locked down? And again, it goes back to our audit to make sure that your passwords, your updates, all the policies that you have in place to prevent any type of thief or weakness in your operations infrastructure have been strengthened. And, and you're protected, we find that when we're finished, the entire culture changes. It's funny that people don't equate security with, with the performance of a corporation to think two amazing things happened actually, is that when when you've got this type of security, and everybody understands what it means to be secure, there is a performance difference and optimization to the users and how they feel about coming into work. I coined a phrase that says employees come in tired, and they leave exhausted because they're in fear of their of what's happening, and they're not sure if they could be the ones to let the virus in. So once we've assured them that and taught them what needs to get done, why it's done, and, and that we have prevented to the best of our ability that they are now safe and secure. They feel great. They also feel that the technology is now working for them and with them. So they no longer feel that. And when they start feeling better about themselves, they work better, they the entire organization as a whole becomes better. No, excellent. So what will be your wish? If you rule the world, Elizabeth, what is your wish for either privacy or Cybersecurity? My wish. My wish is that it could be viewed as a preventative and not as a reactive industry. Right now, it is. It is viewed as reactive. They don't want to hear about it until there's a problem. If I could change anything, it would be that it is for businesses to understand that it is preventative, it can be prevented, the performance issues, the security issues, the stability issues, all those problems could be prevented. And if they can see their way to that, they will find that their bottom lines will increase. They won't have as many expenses towards health and user problems. They'll be spending less on their IT budgets won't increase the way that they have been. And yeah, and we certainly my goal as an IT auditor, it's a big, hairy, audacious goal. But it would be to start to see the number of data breaches go down. Because I know it's possible. I all for 20 years, none of our clients. None of our clients that from where we started at the beginning with them for the past 15 years. None of them have ever had a data breach. It's only been the past couple of years that where we have been in been auditing advertising our auditing services on a much larger scale. Are we meeting companies that have already been breached? And now they're on a very good road track with our plan with knowledge and empowerment of what it takes to stay secure in preventing further hacks. So that's, that's my, my wish. That's excellent. Well, thank you so much, Elizabeth, for joining me. This is a great session, and I think that a lot of things you said are very important. And I know that the listeners and especially those that are, you know, CEOs, they should really heed, you know your advice in terms of being able to understand the complexity of Cybersecurity and knowing where the gaps are in the right plus. Well, thank you again for being on my podcast, and We'll talk soon. Thank you so much for having me. I really had fun. We'll talk again, okay bye.