by VAN HANSEN
On a tree-lined street in the heart of the Victorian Village of Waterdown stands a Georgian style former church building, built circa 1838. These days it’s the home of Birmingham Consulting Inc. (BCI). While this may not be where you might expect to find a high tech information security firm, there is a certain synergy in the striking juxtaposition of old and new.
Jen and I were there to interview Scott Birmingham, BCI’s Principal Consultant, and he shared some valuable tips on how to avoid a cyber attack and protect your information online.
Scott founded BCI in 2009. The goal was to deliver information technology (IT) services using the engineering principles he applied while working in high-value manufacturing industries.
At the same time, BCI was an early adopter in delivering cyber security. And today they provide dedicated information security (InfoSec) services focussed on risk reduction for businesses.
Inside the renovated office space, Scott ushered us into a meeting room where we sat down across a custom black walnut conference table made from wood salvaged from a tree on their property.
All Around the World
Van: Does the risk of cyber attacks vary regionally, or is it more or less uniform because these are global threats?
Scott: So let's start with the bigger picture. Statistically, Canada is the third most attacked country or has the third highest number of cyber attacks targeted at it in the world after the US and UK.
And so it definitely varies on a national or global level. Regionally now I always just say follow the money. Well where's the money? It's where the people are.
So where you've got a higher density of people and businesses you're going to have a higher number of attacks occurring. If you've got some little town out in the middle of the prairies, they're less likely to have major attacks happen compared to somebody in Vancouver or Toronto where big businesses are and there are lots of people.
How to Protect Yourself
Van: From the consumer's point of view, what can be done to protect their information and their devices?
I know there is some controversy as to whether Mac requires anti-virus software, for example. And VPNs (Virtual Private Networks) are popular…
Scott: So there's a whole list, almost an endless list, of recommendations you can make, and it's where you're going to get the most bang for your buck.
You mentioned Apple. Well, we do get monthly notifications about actively exploited vulnerabilities on Apple. There's more on Windows, but it still happens. But how secure are they? Ultimately nobody is fully secure, including Apple.
That said, of the steps you mentioned, antivirus is kind of the old term now. Now you have endpoint protection or endpoint detection and response. There was next-gen antivirus, or NGAV, but yeah, more in the business world, you want to look at more than just antivirus.
And you know there's a big technical difference between regular antivirus and something that's actually looking at not just the antivirus part, but what kind of weird behaviour might be happening, and let's shut it down, right?
Yeah, those two things you mentioned are both very important: antivirus (as a catch-all term) and a VPN.
But probably the number one thing, and as InfoSec professionals we harp on it, is to make sure your devices are up to date. I don't care whether it's Apple, Windows, iOS, Android, doesn't matter.
Make sure they're up to date, including the operating system. So there are a lot of Apples out there, older than five or six years, that are still running but are not compatible with an upgrade.
So get a new Mac. Right? Otherwise you've got vulnerabilities on there that aren't being fixed.
The same applies to Windows and with Windows end of life in October, there's a lot of hardware that is going to become obsolete unless you pay to have support extended.
And that really leads to making sure your device can be on a supported operating system and it's fully patched. We just had an occurrence with a business client, but it was their personal phone. It was an iPhone 6. Let that sink in for a minute. What's that, 10 years old?
And we said we don't want to touch this because for all we know it's already infected. It's already compromised and we don't want to be held responsible for anything on here. You need to get rid of that phone.
And if they were doing banking on there or online purchases and that phone's compromised because it hasn't been capable of receiving updates for the last 10 years? You may not even know until the bank calls and says, hey, what's going on?
So that's the big, big thing. There are more security features on newer devices than on old ones. So even if it works perfectly well, I wouldn’t recommend using it.
All you have to do is find out if that's still supported. If iOS 15.8 is still getting security patches released for it, then you're okay for a bit, but you don't want to leave it too long.
Van: How do InfoSec requirements compare from a small business through to a large corporation?
Scott: I'll preface it by saying the financial risk is proportional. You know, if there's a hundred thousand dollar loss due to an incident, well a big company is not even going to notice that. But for an entrepreneur, that's a big deal.
So invest accordingly. When you've got millions or billions at risk as a big company, you're going to invest more in security than an entrepreneur might need to. The overall investment will vary, but the principles to follow are the same.
First is to conduct regular risk assessments at least annually. And of course act on the findings as well. I mean that kind of goes without saying.
The other one is to look at security as a continuous process, not just a project. And the short form of this is threats are ever evolving, so security needs to evolve to match.
And then create a culture of security, not just in your company, but in your personal life, with your family.
I think Christine might have mentioned the concept of safe words, which apply not just to families but to businesses as well. So by safe word, think of it as a code word.
If you get a phone call from somebody that's claiming to be your daughter or granddaughter or grandson or whatever, saying, "I'm in trouble, I need help, I need money," and the voice is an exact match because AI made it an exact match, you can say, okay, what's our safe word?
And AI is not going to know it. The criminal is not going to know it. They're not going to know it, and right away you know this isn't real and move on.
The same applies in business, because you can have somebody try to impersonate an executive and say, I want you to transfer money to XYZ. And in business there are also electronic ways to verify.
But if you don't have that culture of security you're not going to think to do that so keep it on your mind. It's not if, it's when. So be prepared and practice your preparedness to make sure that it's actually effective.
Cyber Insurance
And have adequate cyber insurance on the business side. If you go to our website, there is a business cyber liability calculator on there, so if you're wondering how much cyber insurance you should have, that will give you an idea. We don't sell cyber insurance, so it's just an education thing, and then you can have an informed conversation with your insurance broker, because a lot of them don't understand all the risks.
On the personal side be sure that you've got some kind of identity theft protection insurance.
These are key fundamentals, whether you're a sole proprietor or you're a billion dollar enterprise. They apply either way, it's just the scale.
Something New
Van: What do you love about your work?
Scott: We've collected a lot of knowledge over the years here at BCI. And I love sharing that knowledge, whether it be with business owners, whether it be with large corporate executives, whether it be paid or unpaid, and just in the community, sharing what we've learned and making sure that somebody takes one extra step to protect themselves.
So it's always something new that we’re learning, and there's always something new to share. That's why we're doing that presentation with the Hamilton police on fraud in March.
__
Scott is a Certified Engineering Technologist (CET), with a CIM designation from the Canadian Institute of Management. He works with his wife Christine, who is BCI’s Operations Manager, and their team.
Their cat Kahn was named after Dr. Robert Elliot Kahn, a visionary engineer and one of the fathers of the internet, having co-invented the Transmission Control Protocol and Internet Protocol (TCP/IP), the fundamental communication protocols underpinning the internet.
Birmingham Consulting is hosting the hybrid event Weathering Cyber Storms in 2025 at the Uptown Business Club and online on March 26th, 2025 from 12 – 1 pm EDT, with guest speaker Constable Ryan Clarke, Hamilton Police Service.