The Secure CEO: How to Protect Your Computer Systems, Your Company, and Your Job
Ebook, 234 pages, 3 hours

About this ebook

Viruses ... hackers ... malware ... identity theft ... IT security breaches. It's enough to make your head spin. As the company's CEO, owner, or key executive, you may think your network and company information are safe from prying eyes, but are they really? Maybe your network is running illegal programs (installed by criminals in other countries and without your knowledge) because you have fast servers and weak protection. Or perhaps your IT staff is overworked and over promising on results, all because they're under-trained or so busy fire-fighting that they can't possibly keep up with IT security issues. If you don't wear a pocket protector or horn-rimmed glasses, and even if you have limited understanding of how business technologies work, this book is for you. Now you can take control of your company's IT issues and rest assured that you really are protected. In this powerful yet easy-to-understand book, Mike Foster gives you the bottom-line information you need to effectively analyze your organization's current use of information technology, minimize IT security breaches, keep your company safe, and create a plan to keep your system secure and following industry best practices into the future. This is the plain English information you'll want to cover with your IT professionals to be sure your network and company are protected and that you are getting the most from your IT investment. Yes! IT can be an enjoyable and interesting topic (really!), even for technophobic executives. All company leaders and their IT staff can benefit from this book, written for you about one of the most important topics today. Cut through the confusion and intimidation and more effectively harness the power of technology for your company's advantage. This book will show you how. Never before in history has IT security been so important. Read this book and you'll sleep better at night knowing you are making smart IT decisions that enable your company to grow.

Language: English
Publisher: Mike Foster
Release date: Apr 26, 2016
ISBN: 9780997437928
    Book preview

    The Secure CEO - Mike Foster

    Acknowledgments

    Thank you to my loving wife. You are an awesome partner in our highest calling—doing the best we can to empower our children with the best knowledge, health, feelings, and spirit. It is a team effort for sure. You are a phenomenal wife and mom. It is a great coincidence that you enjoy travelling tens of thousands of miles each year so our whole family can be together.

    Thank you Mom and Dad for your upbringing and empowerment, through your fantastic and living examples. Thank you especially for teaching me that spending time watching a little TV each day adds up to a surprisingly large amount each week. Eliminating TV frees up so much time that can be used to learn and contribute to others’ wellbeing.

    Thank you, Greg, for performing the technical review of this manuscript.

    Thank you, Alan, for being so willing to share your in-depth knowledge, especially about VDI. You are always there at a moment’s notice and provide incredible value right away—even when it is 2 a.m.

    Thank you, Stacey. You are fully involved in helping make the world a safer place to live and work. Your teamwork, communication skills, and ability to keep everything on track add so much as we all, together, help others even when technology and the threat landscape are in constant flux.

    Thank you, Dawn. Your countless hours of editing have produced the content of this book. You eliminated grammatical errors, condensed parts of this manuscript that were too long, and helped expand where needed. You handled this whole project, from the first rough draft all the way to making sure the book arrives in people’s hands. You, too, are playing a big role in enhancing the use of technology to make the world a better and safer place to live and work.

    Thank you, Rick, for accepting the request to be an accountability partner. Your determination to keep this book high on the list of priorities, combined with your business savvy recommendations and guidance, continue to make a huge difference in the increasing number of people who receive information to make the world more secure. You exemplify how to be a part of a global force for good.

    Thank you to the many mentors who have imparted the technical information contained herein, and with timeless principles that make all the difference. You all help so much, whether we’ve met in person, remotely, or only through your works. Some have had more birthdays, some fewer, and some live on forever through their works. And most of all, thanks to The One who is always available.

    Thank you also to the many clients whose executives and IT professionals alike have taken the time to explain your exact situation, how you are dealing with technologic challenges, what has worked, and what hasn't worked. Real-life solutions are often more valuable than anything written in books, especially as fast as technology progresses.

    Thank you to the thousands of participants who’ve taken information from presentations and increased their knowledge, and thank you especially if you go back to your offices and homes to implement the action steps you received.

    Finally, thank you—the reader—who will absorb this information. You are encouraged to use this information to protect your organization and your job.

    Contents

    Dedication

    Acknowledgments

    Introduction

    Chapter One: How Secure Are You?

    Chapter Two: How Your IT Department Affects Security

    Chapter Three: The Cost of Security Breaches

    Chapter Four: The Great Disconnect

    Chapter Five: The Pros and Cons of Outsourcing Your IT

    Chapter Six: Identity Theft and Compliance

    Chapter Seven: Encrypted Data

    Chapter Eight: Mobile Device Security

    Chapter Nine: Network Security

    Chapter Ten: Who Are the Hackers?

    Chapter Eleven: Update and Patch Your Operating Systems and Applications

    Chapter Twelve: Update Your Firmware

    Chapter Thirteen: WSUS

    Chapter Fourteen: Patch Tuesday and Hacker Wednesday

    Chapter Fifteen: Server Updates

    Chapter Sixteen: Workstation Virtualization

    Chapter Seventeen: Log Consolidation Tools

    Chapter Eighteen: User Beware

    Chapter Nineteen: Anti-Virus Programs

    Chapter Twenty: Anti-Spyware Tools

    Chapter Twenty-One: Tools to Keep Spyware Away from Your Machines

    Chapter Twenty-Two: E-mail Security

    Chapter Twenty-Three: Anti-Spam Tools

    Chapter Twenty-Four: Trojan Horses

    Chapter Twenty-Five: Rootkits

    Chapter Twenty-Six: Firewalls

    Chapter Twenty-Seven: Application Whitelisting

    Chapter Twenty-Eight: Virtual Private Networks

    Chapter Twenty-Nine: Bring Your Own Device

    Chapter Thirty: Content Blocking and Internet Monitoring

    Chapter Thirty-One: Policies to Prevent Internet Abuse

    Chapter Thirty-Two: Group Policy Objects

    Chapter Thirty-Three: Administrative Accounts and File & Folder Access Control

    Chapter Thirty-Four: Don’t Let Users be Local Administrators on their Devices

    Chapter Thirty-Five: Backup Strategies

    Chapter Thirty-Six: Disaster Recovery Plans

    Chapter Thirty-Seven: Physical Security

    Chapter Thirty-Eight: Wireless Security

    Chapter Thirty-Nine: Endpoint Security

    Chapter Forty: Make Sure Your Service Providers are Secure Too

    Chapter Forty-One: Commit to IT Accountability

    About the Author

    About The Foster Institute

    Introduction

    Technology is a core part of business today, and IT is essential to many organizations.

    Almost every business relies upon email, websites, and a myriad of applications. More and more, The Cloud is part of organizations. If your organization cannot access the Internet or some other component, and the users’ computers fail, business is seriously impacted.

    Risk management is crucial in today’s world of storing so much sensitive information—some of it in The Cloud. Cyber security helps prevent fraud. Many compliance programs include extensive, and often expensive, cyber security requirements.

    As an owner, president, or any C-level executive, you may feel overwhelmed by all of the technical jargon. Indeed, cyber security concepts can be complicated. Some executives observe that cyber security is, in some respects, analogous to experiencing a chess match against someone who has mastered the game.

    Some people tasked with risk management assume that, “If we have a firewall, a VPN, and an anti-virus, we are safe!” Remember, this is like chess. Guess which three technologies hackers have learned to circumvent? If you said firewall, VPN, and anti-virus, you are right. And they didn’t stop there. This is, in many ways, a cat and mouse game.

    Related to risk management, fraud prevention, and protecting sensitive data, who do you suppose is always one step ahead? The attackers or the technology to protect your organization? In spite of what advertising will lead you to believe, the attackers are almost always many steps ahead. Bugs such as Heartbleed and Shellshock are examples of vulnerabilities that were exploitable for many years before the good guys learned of the exploit. Yes, controls were put into place, but how many exploits occurred before the problem was identified?

    How is an executive supposed to make informed decisions about IT when it is so difficult to understand the underlying concepts of cyber security? Turning IT over to an IT professional, without being any part of the decision process (other than approving the budget), can be disastrous. The news is full of stories demonstrating such.

    You are now reading a definitive guide to understand, in plain English, some advanced concepts. This material is designed to facilitate your being able to make those important informed strategic decisions that will help provide you with the best results in the long term.

    When I speak to audiences about technology, I see a lot of people wince and groan. So I know that technology isn’t always a fun topic. One of my audience members summed it up perfectly one time when he said, “You know what, Mike? Technology is amazing. It lets me solve all kinds of problems I’ve never even had before.”

    And yes, that’s how we feel a lot of the time. That’s why my goal with this book is to help you understand and embrace best practices so you can use technology for the benefit it was meant to give you.

    The good news is that you don’t have to be a Techie to understand technology.

    Anyone, yes anyone, can become more aware of IT issues.

    When I go into companies, especially small ones with 700 or fewer computers, I see some common IT problems. One company that comes to mind is a wonderful firm in the Midwest. They started out small and over time grew quite substantially. When I met with them and looked over their IT department, they were in the midst of their growth spurt. The executives claimed to hate computers, and their attitude filtered down to all of the end-users too. It showed. I looked at the network, and sure enough, the configuration was totally inadequate. In the back of my mind I thought, “No wonder this network isn’t working for them.”

    So I pulled the IT person aside and asked him, “By the way, where did you get your IT training? Who taught you this stuff?”

    He looked at me with a puzzled look and said, “No one. I went to college and studied music. I’m a concert pianist.”

    I then asked him how he got into IT, and he said, “I started out when the company was really small. We got our first computer, and I was the only one here who even knew how to use the mouse. So the owner said that I was now in charge of IT. I’ve been here ever since.” I hear similar statements a lot.

    He had managed to study and learn along the way, but the biggest problem was that he was lacking some important information. Additionally, along the way, some less-than-adequate IT consultants he hired had fed him erroneous information. Fortunately, I was able to mentor him and coach him, and he learned a lot of important things about changing the network around. The information I gave him would have been simple to people who’ve had extensive formal IT training, but to him, it was all new information. As such, their network got a lot better.

    The point of this story is that even if someone started out in the mailroom, if he or she now has to interact with technology in any way, offer that person some training. Let your people get certified in the technology that your organization utilizes.

    As an executive, you are already aware that technology is useful; however, creativity and relationships are what got you where you are today. And those are the two things that will keep you successful in the future. Realize that technology is a powerful tool to help with your focus on creativity and relationships.

    Your customers trust you to provide for them. Not only do they trust you with their sensitive information, but they also trust you to be there for them when they need you. Data breaches and downtime are two of the many problems you want to avoid. Risk management programs address these issues with cyber security and DRP (Disaster Recovery Planning).

    That’s why the information in this book will not only teach you what you need to know to keep your company safe from IT breaches, but it will also help you better relate to your IT professionals so you can work together as a team to keep the company moving forward.

    My goal with this book is to give you a lot of tools and strategies you can start using right now. Throughout this book I’m going to give you websites to go to and products to investigate.

    At the end of each chapter you’ll see Action Items. These are specific things for you to do to help you implement the information in the chapter. We all know that information is useless if you don’t implement it, and I created these Action Items to give you a head start on your cyber security issues.

    Put a timeline on your action items. Set a date. Too many times we put important things on the back burner so we can put out fires. But putting out fires is an inefficient use of anyone’s time. You’re better off putting the practices in place that will keep the fires from starting in the first place. Empower your IT professionals with simple concepts, addressed within this book, such as Gantt Charts, PERT Charts, Work Breakdown Structures, and other project management tools.

    Realize that I am very much an IT professional, but I have also functioned in executive roles. Today, I enjoy being able to give executives a window into the IT professional’s world and vice-versa. The world of IT isn’t just about pocket protectors and glasses with tape in the middle.

    When I visit with IT professionals, I talk about having them seem like they are the Maytag Man in those old TV commercials, meaning that as far as IT goes, it would be wonderful if they could just be sitting there with nothing to do because the network is taking care of itself. One of the most rewarding parts of my job, as an IT partner, is to watch IT professionals who are completely overwhelmed, eventually (sometimes several years later) make all the necessary changes in technology that do enable them to sit back and relax, to take a vacation, and perhaps work a four-day workweek. Their happiness and physical health change accordingly.

    So why is this important for an executive? Because, to some degree, your hands need to be on the steering wheel too. At the very least, you need to be the GPS that is providing strategic guidance. When you are informed in the basic concepts of technology, your GPS map becomes more accurate.

    One problem is that far too many IT professionals are forced to spend their time putting out fires most of their days. This busy-ness rarely feels comfortable to an IT professional; they want to feel like they’ve accomplished more than just keeping things from getting worse. It is important to provide an environment that will allow him or her to feel some fulfillment at the end of the day. It may even impress the boss to see the IT professionals getting so much done. The reality is, they—the IT professionals—are stealing from themselves and the company. There is little time for the IT professional to invest in important learning, researching, and strategizing.

    Many IT professionals are very good at showing people how a computer can make their job easier. Sometimes, though, they limit themselves and don’t always use best practices in their own utilization of technology. Maybe they need to look into the mirror and say, “Hey, here’s what you could do as an IT professional to make your own job easier.”

    An example of when some IT professionals don’t take advantage of technology is when they only have one or two monitors. That may be enough. When I lived in Napa, CA, after the devastating earthquake in 2014, as part of the cleanup process, an engineer came to inspect my office. Upon entering my office, the first thing he said was, “Wow, you have three big monitors! That is crazy, man!” Usually there are four monitors and sometimes more. For some IT professionals, that would be way too many monitors.

    The point for executives is to know that IT professionals need to utilize IT effectively. If more monitors will help, then buy them more monitors. Personally, I find that it is easier to have everything open in front of me without needing to rearrange and flip windows. I have had so many birthdays that I would need to strain to see a bunch of small windows on fewer monitors. With 27" monitors being so inexpensive and the wide availability of USB to video adapters, if people need to have many applications open simultaneously, the time savings can pay for the monitors quickly.

    In order to help you effectively manage risks and prevent fraud, one goal of this book is to get your network to the point where it can, to a large degree, take care of itself. Then, your IT professional will be able to be proactive and do things that help your network, streamline it, and make it better. This then enables your IT staff to flourish and protect your company instead of running around and putting out fires.

    But to get to that point, you as an executive need to be involved at some level. No, you certainly do NOT need to become an IT guru. In fact, you may not need to know much technology at all. But what you do need is a basic understanding of the concepts related to the building blocks for cyber security, risk management, and network reliability so that you can make informed decisions that define and affect the success of your company, not just IT initiatives.

    You, the executive, will benefit when you know about technology and IT issues. You can:

    • Understand enough to provide crucial input to the IT decision making process

    • Free up your IT professionals’ time by reducing the need for firefighting

    • Better handle risk management

    • Address cyber security to protect the sensitive data entrusted to your company

    • Create a mature disaster recovery plan

    • Implement the strategic goals that support your organization’s future

    As you read this book, feel free to hop around, skim some chapters, skip others, and only drill down into what interests you the most. Do NOT
