Transcript of the video
Suzanne Dibble: Hello, hello. Welcome to my interview with Data Security Expert, I’m very excited about this one. Sorry I'm a couple of minutes late, I had to deal with sick dogs and things like that so today is proving a little bit challenging today, but welcome. I'm extremely pleased to be able to be talking to somebody who actually knows what they're talking about, about data security, because I have to hold my hands up and say it's an area where I should know a lot more than I do, not as a lawyer but as a small business owner. I'm absolutely delighted that we are talking about this today.
Louis is joining me, let me just check. Now there is a way if I can see who is actually... hang on. This is about my fourth one now I should really be better at this, and now the whole thing's disappeared. Gosh, hang on, how do I get rid of that. Right. Okay. Let me see. Louis if you're on if you could type a comment, and that might enable me to see you and add you to the camera, but bear with us guys while we're just sorting out the logistics, but welcome, pop in the chat box where you're from, what you do, and what your concerns about data security are, that would be amazing. In the meantime I'll try and find out how I can get Louis on here.
Aha, Emma says "Can see you," super-duper. Louis if you could pop a little message in there then I can hopefully try to add you in the same way that I added Karen and Robin. I'm sure there's a more technically easy way to do this. If there is, I haven't figured it out yet, but Louis if you're there if you could type me a little message that would be great and then I could add you in. In the meantime guys, as I just said, if you can pop in the chat box where you're from, what you do, and what are your data security concerns that would be brilliant. Now, let me check in on my iPad to check any comments because I'm not seeing them on my phone. Brilliant, okay so Emma's the only one that's commented so far. Thank you, Emma. Emma, let me know if you've got any particular data security concerns. I still can't see Louis, so do bear with us whilst I try and work this out.
Okay, so I'm going to try and add him. Emma says she's in sunny London, you've already bought my pack and think that you have some Easter homework. Absolutely, that's why the price is going up on Good Friday so that people will actually start taking some action before the Easter break. Who could think of anything better to do over the Easter holidays than work your way through the GDPR pack. It is apparently going to be terrible weather so there are worse things that you could do.
Welcome, welcome, welcome Yvonne, welcome Danny, welcome Susan, welcome Jim. Jim's a Chatbot developer, awesome. Collecting data inside the Facebook Messenger app and holding it there or even moving it to a CRM system or a simple spreadsheet is your data security issue, okay. Callette welcome, you're saying, "I use GetResponse and you don't see them in the security shield," okay. Susan is just outside of Glasgow trying to get her head around this whole thing, well that's what we're here for. Marias is from Romania, welcome Marias, and he owns a healthcare software company, so this is very relevant for you, isn't it Marias, with your process sensitive data. Welcome Jenny, just back from your very nice trip diving I think, so welcome to you. What was better? The diving or GDPR interview? You don't have to answer that.
Okay, so still waiting for Louis to join, Louis type a little message if you're there so that can try to add you in. Emma says you need to go through some of the platforms you use to make sure that they're compliant, pretty sure they're not. That is probably the case, isn't it? Right, let me see if I can get a hold of Louis another way. Thanks for bearing with me guys while we just try and find Louis. Nope, still no Louis, oh Louis, you're there, hooray. Right, how can I get you onto the camera? You've not got a little camera sign next to you? How is this? Can you request, is there a little button you can see Louis where you can request. Jenny's got a little camera next to her icon, which presumably means I can bring, oh, hang on, I've got a little request here, is this you? Yes. Right, bear with us, this should work imminently, it's thinking about it, saying adding, flashing. Hooray.
Louis: Okay, how about this.
Suzanne Dibble: Hey, hi Louis.
Louis: For some reason though, strange angle. Hello.
Suzanne Dibble: That's good, you've just got a bit of leaves sticking out of your back, but that's absolutely fine.
Louis: Yeah, I'm just working out the angle.
Suzanne Dibble: As long as we can hear you, that's the main thing.
Louis: I think I'll hold it like this.
Suzanne Dibble: Are you sure, you're going to get some kind of RSI from doing that.
Louis: Yeah, I'll do it there, that's better, that's the best angle I can get.
Suzanne Dibble: Thank you so much for joining us, I for one, and this is the I'm most excited about because I basically know nothing about it, so thank you so much. I kind of pounced on you, didn't I, because you were very very thoughtfully came in and shared a couple of things in the group and I pounced on you and said: "Louis, Louis, please would you come and do an interview for us?" You were like, "Yes, okay," so thank you so much for doing that.
Louis: No problem.
Suzanne Dibble: Thanks for your video that you did in the group the other day, which I'd say scared the life out of me, but there you go. I've asked people to let us know what their data security concerns are in the chat messages. There's one chap that is a Chatbot developer and he collects data inside the Facebook Messenger app, he holds it, so holding it there or even moving it to a CRM system or a simple spreadsheet he's got kind of concerns around the security of that. Before we get into that, I'll look at those in the end, can we just have a general overview of the types of things that we should consider as small business owners, bearing in mind that we don't have vast budgets to deal with data security.
Of course, the thing with GDPR and data protection laws in general is that there is this concept of proportionality, and if, where a usual small business owner that doesn't process sensitive data on a large scale or does anything dodgy with data, I'm sure the security measures that we have to take are nowhere near like what you would have to take if you're a multinational processing sensitive data in the kind of hundreds of thousands or millions of processing. I'm taking a bit of comfort from that but I'm sure there are still steps that I need to take that I'm probably not taking. I would just love for you to give us sort of a general overview as to what we need to be thinking about.
Louis: Sure, so the first thing any data you store or hold or process as a business organization is where you're storing and how you're interacting with it predominantly. The level of risk you associate with that data is how proportionately how well you need to secure it. If it's confidential information like customer records, customer personal information, customer files, payment information, that all needs to be processed and stored, security in the cloud or also how you interact with it, so how you're accessing your accounts, how secure your logins are, all of that needs to be taken into consideration.
Suzanne Dibble: Okay, so what is more, I mean, if we're ... I hold a lot of, I mean, I don't really deal with any sensitive data but I do hold a lot of data on Dropbox, so something like that is a very widely used cloud storage service, how worried do we need to be as users of that, about security, or can we just then, they're a big outfit, they know what they're doing, we don't have to worry about it.
Louis: That's kind of mixed, there's a mixed response to that. Dropbox has historically had a bit of an issue with security, they haven't designed their platform from the ground up with security in mind, so the actual architecture is much more for, it's much more for the mass market, as opposed to businesses with a definite need to store information security and with privacy in mind. I would say that there is no imminent risk because they're aware of their security architecture flaws and vulnerabilities, but it's worth paying attention to, and if necessary migrating to a more secure cloud provider.
Suzanne Dibble: If you're processing sensitive data on a large scale, then Dropbox probably isn't the thing for you, you need more of a bespoke solution?
Louis: Probably not, yeah.
Suzanne Dibble: Okay, but for me processing not very much non-sensitive data, that's kind of okay you think?
Louis: I would say it depends on your risk map, so whether you're really very much more of a target or whether you deem it more sensitive than other information.
Suzanne Dibble: When you say target, you mean people would actively be trying to get into my data for some reason?
Louis: Yeah, yeah. All that's dependent on the threat model. The most important.
Suzanne Dibble: Okay, so if you were a big bank, then there's going to be lots of attacks on your data, but if you're little old me, advising small business owners on how to do GDPR, there's probably not that much risk of that.
Louis: Yeah, correct.
Suzanne Dibble: Okay, cool, all right. You said the security issues depend on the kind of where we're storing the data is kind of the first thing to think about. We've talked about the cloud, what are the issues with, if you're just keeping it on your hard drive? What is the kind of security issues that we need to think about there?
Louis: You've got a few different things to think about, you've got whether the media itself is prone to failure, so if it's a hard drive which has got moving parts in, a lot of brands don't have great failure rates, so obviously for a long-term solution, you don't really want to be storing it on a local media, even a USB stick because you can lose it. Cloud solutions are the best overall solution, but as a secondary backup, to have like a third backup of your information, a moveable device like a hard drive is perfect for that.
Suzanne Dibble: When you say a third backup, so we'd have it on our hard drive, we'd have it on the cloud and we'd also have it on a removable hard disk?
Louis: Ideally yeah, especially if it's important information, yeah.
Suzanne Dibble: Okay cool. What do we need to think about in terms of employees accessing that data from either the hard drives or the cloud or wherever, or like say USB sticks, I mean, I've probably lost a fair few, they're probably around the house somewhere, but goodness knows where they are. Is it, I mean, hopefully, you as the business owner are going to be quite sensible about that kind of stuff, but when you get to sharing passwords and things like that and employees leaving employment, what's best practice around that type of issue for data security?
Louis: Ideally, you really do need to think about, even if you've got a team of two people or up to 30 staff or however many your team consists of, the best practice would be to allocate individual use of credentials, so user logins, for each member staff, so you're not sharing passwords, you're not sharing the same account. This is just so you can set different privilege levels. I'm not sure that Dropbox can set certain privileges for different types of accounts to access different files and different folders for different people, but there are other providers which do that.
Suzanne Dibble: Okay. Do you recommend, I mean I use a tool like Dashlane because I've got so many passwords...
Louis: That's perfect.
Suzanne Dibble: ...and I just can't remember them, so I use a tool like Dashlane and is that good practice?
Louis: It is. Passive merges are recommended by the national cybersecurity center, so they recommend using them because they see your managing ... you're making it easier for you to use passwords, you're making it easier to update them, so Dashlane is really good, because it will search accounts which have old passwords or out of date passwords or insecure passwords, and it will prompt you to update them, so that's perfect.
Suzanne Dibble: Cool, and I think also on Dashlane and probably similar software, you can give employees their own sort of setting and then it's quite easy, once they leave to kind of revoke all their access, is that right?
Louis: Exactly, that's exactly it. You can have teams of it, and you can set personal space, they're called spaces in Dashlane, but you've got personal space and a business space, so you can separate your passwords out.
Suzanne Dibble: Excellent, okay. Just definitely taking a bit of a step backward, in terms of data security, are we really just thinking about loss and breach? I've, you know, we're careless with our data and it's somehow disclosed when it shouldn't be, or there's a breach where people have actually actively attacked us and stolen the data, is that what we're really talking about in data security or I missed a large chunk of it somewhere?
Louis: Yeah, you're looking at access control of your data; you're looking at the loss, so mitigating that loss.
Suzanne Dibble: How strange, something's gone on.
Louis: You've gone white.
Suzanne Dibble: What did I do? Oh my God, this is freaky. How did I do that? I am not sure what's happened there.
Louis: It could be screen brightness.
Suzanne Dibble: No, I've not touched anything, that's a bit weird. Okay, I need to fix that, don't worry. Here, see you look fine.
Louis: There you go, it's the auto-focus probably, I suspect.
Suzanne Dibble: I'm okay. How do I sort that out then?
Louis: I reckon there's a light in the background somewhere.
Suzanne Dibble: Okay, let me try and turn the ... uh huh, there we go if I turn it that way. That has never happened before, okay. All these challenges. Okay, so as we were saying.
Louis: Yeah, so what were we talking about? Yeah, so loss, mitigating the loss of your data, so just making sure it's backed up in ideally two to three places, so cloud, having two cloud backups, there's a good one called Backblaze, which just incrementally and continuously backs up all of your data, any file changes it will back up as well, so that, you can use that on top of Dropbox and then you got two adamant solutions.
Suzanne Dibble: That was Backblaze did you say?
Louis: Backblaze yeah.
Suzanne Dibble: Okay, I used something called ZipCloud, which I found incredibly annoying because it used so much memory and CPU that everything else kind of stopped whilst it was doing its stuff, so I kind of took it off after a while, it was very annoying.
Louis: Yeah, you do have to test the applications, some of them are quite buggy.
Suzanne Dibble: Okay, it's not losing it, it's making sure no one nicks it and it's backing up basically.
Suzanne Dibble: Okay, awesome.
Louis: For a small business, your threat model doesn't work consistently much outside threat trying to hack you, unless you're dealing with really important intellectual property or you've got lots of competitors which are digitally savvy and they can use that to their advantage.
Suzanne Dibble: Okay, awesome. What are some ... We've talked about some practical steps I suppose, let's talk through what else we need to think about. Firstly, I think what you're saying is if we keep everything just on our hard drive, then we need to find a suitable cloud provider and back it up ideally onto a separate hard drive, so we've got those three areas of data storage. The second ... Actually just talking about that, you said like a hard drive to back it up on, do you still that hard drive if you're using a service like ZipCloud or Backblaze that backs up regularly? You still want in those two places presumably?
Louis: Yeah, I mean ideally if you've got a... if you need to have... The one disadvantage of having it backed up to the cloud, and having it all continuously backed up is that if you move computers, you can just download and re-sync it, re-synchronize the folders. If you want to do that quickly, you want to have a local copy, just so you can download it locally without internet usage, can be a disadvantage, can put you in a disadvantage if your internet is slower, which is an issue on this country, but yeah we're-
Suzanne Dibble: Is it, we're behind? We're behind the times here, where is good for internet speed?
Louis: A little bit, we're catching up.
Suzanne Dibble: Where would you live to have super-fast internet?
Louis: Looking at Cambridge here.
Suzanne Dibble: I mean outside of the UK, is it the UK that is particularly slow or just areas of the UK?
Louis: It's areas of the UK, it's the really remote places, it's some rural hotspots which are black spots because they don't have any coverage, but then you got wireless providers coming in and trying to fill the gap with 4G and WiFi, long-range WiFi solutions.
Suzanne Dibble: I thought you meant the UK was behind generally, so I was thinking, yeah.
Louis: We are a little bit, but we're catching up rapidly.
Suzanne Dibble: Yeah, we were right, we're getting there, we're getting there. Okay, so the first point then I'm taking from this is backup data in as many places as possible including local hard drives and cloud providers. If you're processing on a large scale anything sensitive, then Dropbox is probably not a ... it's not adequately secured for that. Who would you recommend as having an adequate security for a cloud-based service?
Louis: I've done a lot of research as part of my studies inside security, and I've looked at the architecture of different platforms, where the actual storage is located, which data centers it's based in and the usage of the applications themselves, how easy they are to use. I've come across this really good solution called Tresorit, which is a Swiss company, and they use Microsoft data centers in the EU and Ireland, and that's it. Data security- wise they're really top-notch, and also their software is really easy to use as well.
Suzanne Dibble: What are they called again Louis, Tresorit?
Suzanne Dibble: How do you spell that?
Louis: T-R-E-S-O-R-I-T. I'll type it in, I think I can type it in.
Suzanne Dibble: Like that, I've just typed it in, let me know if that's right.
Louis: That's it, yeah.
Suzanne Dibble: Yeah, okay. How much does that cost? Is that within the budget of most small business owners you think?
Louis: Oh yeah, yeah. It's within my budget and that's a pretty mediocre budget. I use Dashlane, I've got two passive merges, Dashlane and, one password and they're both business plan, so they just got more features, and Tresorit and Backblaze, so that kind of covers all your bases in the cloud, and they're all [ and they're all vetted. Tresorit has several advantages for say, just a moment, here we go-
Suzanne Dibble: Just while you're looking at that, is it Backblaze all one word as you would expect to spell it?
Louis: That's it, yeah.
Suzanne Dibble: Okay, thanks. Sorry, carry on.
Louis: Marias as a healthcare provider could use, could find some use in Tresorit because they have HIPAA compliance, which is health care industry data compliance, so that's perfect for that and it's GDPR compliant as well, it's got all the compliance.
Suzanne Dibble: Cool, excellent. I can see Danny's saying there, what's your view of box.com?
Louis: Yeah, box.com is, I think they are owned by a large company or in fact they might have other subsidiaries, but box.com is quite a good solution. I'm not sure if they've got two- factor authentication, which is where you log in with a password and then you log in with a second factor, so a code from your phone or a code from a code generator. That's really important to log in with because if you get your login ... your password compromised in any sort of way, that's really easy to get through by intercepting the password reset email. But if you've got two-factor authentication which Tresorit does have, then that's.
Suzanne Dibble: Great stuff. I can see Emma is saying that Tresorit currently has 50% off the business rate.
Suzanne Dibble: That's fine, you're not on commission, are you Louis? Is that what...
Louis: No, no, I'm not a sales.
Suzanne Dibble: Just a happy user?
Suzanne Dibble: Good. Okay, so Ian says, "The regulation says that personal data should be ..." I can never say that word, pseudonymized.
Louis: Pseudonymized, yeah.
Suzanne Dibble: Is that the right, how you say it?
Louis: Yeah, that's it, that's correct.
Suzanne Dibble: Or encrypted. This is particularly true of mobile devices like laptops, most up to date operating systems allow you to switch encryption on or you can purchase a third party product, tell us about encryption because I have to say that's an area that I don't know much about at all.
Louis: Yeah, so encryption is probably the greatest invention that's been around for millennia, but at a fundamental level it means that you can convert plain text or any documents into completely randomized binary, code or hexadecimal, whatever you want to call it. The important thing is when you encrypt something, you're stopping anyone without your key from reading it, so it's completely modeled up.
Suzanne Dibble: Unreadable, yes.
Louis: Unreadable yeah. Two elements of encryption are when you have a private key and you've got a public key. If you want to share a document with someone you want to share it with, then you give them your public key, and when you've encrypted the said document with your private key, they can then use the public key and un-encrypt, decrypt it.
Suzanne Dibble: What should we be looking at using encryption services for?
Louis: Yeah, it's mainly to protect several things, so it's the data on your mobile devices is really important because it's a key attack and a place where you store all the data, so to use hardware encryption as standard is very important, and you can enable this just by using a passcode on iPhone and Android devices.
Suzanne Dibble: Really?
Louis: Yeah, that's as simple as it is. The main difference between the encryption on an iPhone and Android, iPhones have hardware encryption, so by default, when you turn on your password and your touch ID, it will encrypt everything, so when it starts up, it has to decrypt it all with your passcode. That means at a hardware level, it's completely uncompromised even if you've got access to the hardware and cloned it, you can't the Android version, on android it differs because it's software- based encryption, so the encryption when you do your passcode it encrypts it at a software level but not at a hardware level.
Suzanne Dibble: Does that mean that in simplest terms then, if I lose my iPhone and somebody is trying to hack into it but doesn't have my password, and then what does it mean? That they can somehow get in but everything is encrypted? How does that work?
Louis: Yeah, it basically means, without specialist tools which I've had some using, you can't access the data unless you can identify the passcode, so you have to find certain parts of the operating system and then work backwards to get the password from there.
Suzanne Dibble: Is that the same with my MacBook Pro or is that just for-
Louis: Yeah. You have to have on Macs, they are different from iOS, so Macs you have to enable file vault in the settings.
Suzanne Dibble: Oh, right, I'm going to make a note of that because that or not.
Louis: But the important thing to recognize is encryption is that because it's having to use processing power to decrypt things in real time, either on boot up, on startup, or per file, it does slow it down a tiny bit, but that depends on your system specs as well. , it's unlikely to need file vault turned on, on Mac, unless you're using really sensitive information on your local hard drive
Suzanne Dibble: Okay, so we're saying I don't need to switch it on then.
Suzanne Dibble: Also, my laptop doesn't really leave my house, it's not like I'm going to be, you know.
Suzanne Dibble: I guess if I had sensitive data and I was going on trains a lot with it and I was a forgetful person, then obviously it would make sense. Okay, all right, that's awesome. What else about encryption? Is there anything else that we need to think about there?
Louis: Yeah, so you've got two different ways that mobile phones really work, the use of the Wi-Fi, they use Wi-Fi and cellular data. Cellular data by standard default settings is encrypted between the ISP, for example E, T-Mobile, Vodafone etcetera, they encrypt information through the use of a sim card, so a sim card is like a credit card, it's got a pin number encoded into it, or some kind of special code, and it will encrypt everything between those two things. Unless you're in a situation where you're saying an activist or you're an investigative journalist and say a government agency wants to read your phone calls or intercept them, then they have to use a special mobile cellular tower to hijack those communications. The only way you can get around that is by using encryption, and the best way to do it is with a VPN, so both your Wi-Fi communications and your cellular are all encrypted. VPN is a greater virtual product tunnel through your connection, through the internet for the public network and it will create a private network in the middle of it, which is a way, that's a way of encrypting stuff.
Suzanne Dibble: Okay, that lost me, okay that was beyond my kind of pay grade there. In very simple terms, okay so I'm not going to get hacked into by government agency hopefully.
Suzanne Dibble: Hopefully nobody else is listening either, so when do you need to think about VPN's?
Louis: I mean it's good practice if you're just out in the field and you're using public Wi-Fi hotspots, so they're a standard insecure because you're sharing a password between public people, either you login and say you give your email address coffee and then that gives you access. That's still insecure that connection, so when you're doing any of that work in the field, also on your personal device as well, you can download VPN clients and they will encrypt all of your information those unreadable to a third party.
Suzanne Dibble: What would you recommend for one of those apps?
Louis: There's a good one called F-Secure, I'll write it in here, it's called F-Secure mobile device client and it's really good because you can get it through resellers or partners on a monthly basis and this plan, you can either buy the whole subscription for like a year for like three devices, say Mac, iPad, and iPhone or whatever devices you use, or you can get it on a monthly business plan and that encrypts the data as well. The other benefit of using VPN's is that they bundle in other features called mobile device management software profiles, which means that you can remotely wipe, you can remotely download patch updates to your phones, you can remotely find out the location as well.
Suzanne Dibble: What's a patch update? Excuse my ignorance, what is one of those?
Louis: When you got a system update on your phone, it says the update is waiting or ready to download or Mac, you can remotely patch or you can remotely push an update to your phone.
Suzanne Dibble: Why would you want to do that? Just because you're out and about?
Louis: Just for compliance, I mean if you're merging 10 devices in your organization and say some of them are out of date, you can just remotely patch it.
Suzanne Dibble: Okay, I see, right. Rather than relying on each individual employee to go do it, you can ... I see.
Louis: Yeah, exactly.
Suzanne Dibble: Okay, so that's an interesting topic about accessing Wi-Fi in public spaces, there've been a few comments about that because I have to say, I merrily just go on and, I can never actually be bothered about giving them my email address, so I do typically use 4G for any browsing or anything like that.
Suzanne Dibble: What are the risks of doing that? Is it, if you just say, "I'm looking at John Lewis and thinking what pair of shoes to buy," but not actually buying any, so I'm not putting any payment in, so I suppose I'm still logging into my ... maybe it's automatically logging me into my John Lewis account, which I can't remember whether they actually store my credit card details or not, is that okay? Is that something we need to be cautious about? I mean there're some comments here, Richard says, " Coffee Shop Wi-Fi, never click log in with Facebook." Stewart says, "Never use social media login." What's the issue there? What do we need to be thinking about there?
Louis: The main risk you're giving yourself by logging in or providing any important credentials through any kind of application running on the Wi-Fi, they can be just key logged.
Suzanne Dibble: Really?
Louis: Yeah, because it's unencrypted, it an un-secure connection.
Suzanne Dibble: If I put in any password while I'm using coffee shop Wi-Fi that could be hacked?
Louis: It could quite easily be copied by the Wi-Fi provider using some spyware or malware either in the network itself or from another device.
Suzanne Dibble: If you're using caster surely their Wi-Fi provider is going to be able not doing that?
Louis: Yeah, the thing is anyone else sitting in that café can actually use a fake hotspot so they can emulate the hotspot and make it look like you're connecting to the genuine one.
Suzanne Dibble: Seriously? People do this kind of thing? I'm outraged.
Louis: Yeah, they do, they really do and as Richard says, the provider of your hotspot can just get over your Facebook account.
Suzanne Dibble: Really?
Louis: ... Because of your log in, you can log in or you can even auto join to a Wi-Fi network and it won't be a credible hotspot, so you got to be really careful to check your Wi-Fi settings. This is why the VPN client on the device itself bypasses all this because even if you do unintentionally auto join to a malicious network, that will overcome any issue because it will encrypt everything, over that network anyway, so you'll be.
Suzanne Dibble: Goodness me. Obviously, that's really a key for employees to know that as well?
Louis: Yeah, I know it is, yeah.
Suzanne Dibble: If you have got employees and obviously it makes sense to use a VPN but also explain the importance of that using that rather than just going to the sort of general Wi-Fi hotspot to do any home working or anything like that. Goodness me, I'm so naïve about that kind of stuff, I'd be like, "Who's going to want to hack into my John Lewis password?" or whatever.
Louis: It's, even more, better than that because they can gather all that browsing information. Stewart says either when on twin or when you're on a genuine network, the provider can sell all that information and browsing history and your IP address and your identity to a maxing agency and they can just sell it.
Suzanne Dibble: Really? I've just started to get in ... I can always tell when something dodgy has happened because I start getting my updates for bingo and PPI and all that kind of stuff, so something's clearly happened to me recently where that's happened and they've somehow got my email address for that. Okay, so let me just look at, there have been some comments here. Stewart's mentioned the Cambridge analytical case. Tommy says, "Is it secure when you share your mobile's internet access with your laptop?" Yeah, I do that a lot actually, I hook up to my, when I'm on my laptop, hook up to my iPhone's 4G, is that safe?
Louis: Yeah, so when you're doing that, you're just creating your own Wi-Fi hotspot. When you've got a really secure password and you're sharing it with your ... and you're putting that password not your laptop and connecting it that way, it's really secure because you're the only one with that key, so you're creating a secure connection. Obviously, it's wireless so people can intercept it if they really wanted but it's unlikely and you'd want to make it more secure by making your…you can change the name of your iPhone in the settings or the same android phone as well in the about. You can change the name of your handset and you can anonymize the entire network as well.
Suzanne Dibble: What would you change it to?
Louis: You can change it to anything, just a random name or a random word, just so it's not identified to other people when they turn their Wi-Fi on to iPhone or whatever.
Suzanne Dibble: It still pops up, does it?
Louis: It will still pop up, the only way to get around this is by using a direct USB connection, plugging it into your laptop and you can tether it over USB instead, so that's also more secure.
Suzanne Dibble: The chance of someone being able to hack into my Susan's iPhone without that password is slim.
Louis: I wouldn't say it's slim, it's quite easy to do, but that's probably unlikely, they won't do that, it's about their interest.
Suzanne Dibble: Right, okay dearie me. Okay, Richard is saying, "My next-door office neighbor actually provides cafés with Wi-Fi hotspots designed to harvest social media data from joiners," seriously?
Louis: Yeah, that's a business model, anything free is.
Suzanne Dibble: Okay, but presumably that's above board isn't it, where it says enter your email address and blah, blah, that's a bit different to just look in people's email addresses. Okay, Elizabeth says, "Just downloaded F-Secure into my iPhone, I will agree to the privacy terms and conditions, it's now asking me to allow it to collect anonymous data to help improve the service, is that recommended?"
Louis: Yeah, I mean, this is, so I think Elizabeth had probably downloaded the freedom app, let's double check, I reckon the app the free or like a free trial, these guys, F-Secure, they are a Finnish cyber security company and you can trust them, but that's not really an issue here, it's whether they're collecting your data anonymously or not, but audio usage data is anonymized so that would be fine.
Suzanne Dibble: Okay, I've just noticed we seem to have frozen in the Facebook group, so let us know if we've frozen. I can still see you, you can still me, and I can still see everyone's comments, but let me know if there's a problem. What else will we ... Stewart raises an important point, BYOD, which is, bring your own device, where employees use their own mobiles and tablets at work, you need to have BYOD policy which sets out what they can and can't do and what security measures they need to take and all that kind of thing. Richard says, "I've noticed that IRS now shows your mobile hotspot name even if the mobile hotspot is turned off."
Louis: Yeah, so, this is the thing with IRS, it's a bit strange, but when you got Bluetooth on and you go to another device, it will still show up with the personal hotspot. The only way to stop this is by turning Bluetooth and Wi-Fi off, turning off the personal hotspot and then restarting the personal hotspot with just readjusting when you're using it. Then turning all the wireless off or airplane mode on, because it will still transmit or broadcast a little message on other devices.
Suzanne Dibble: Okay, cool. So that’s what have we covered. We've covered cloud-based storage systems, you've given some good recommendations there, we've talked about encryption, we've talked about using ... Well, being very careful about using what are they called? I want to say hotspots, is that the right word? Hotspots in cafés.
Louis: Public Wi-Fi, yeah, public Wi-Fi.
Suzanne Dibble: We've talked about backing up data, yeah with the cloud and stuff like that, but also have it on your hard drive. What else have we talked about? What else do we need to talk about? I think we've talked about more than that, my summary isn't very good, but what else do we need to be thinking about?
Louis: I'm just going to get this presentation up. A lot of it is to do access control, so two-factor authentication on your accounts is really one of the standard things you should be doing to make sure that you can prevent-
Suzanne Dibble: What does that mean in practice?
Louis: It means enabling on all the accounts that you use, Facebook, email example, Office 365 or Google, Gmail, it means enabling settings, so you're getting a code after you've logged in with your password. You either get a notification to say, "Are you logging in, click yes," and do you bypass the inputting of a code, or you use a hardware token, but a lot of the cases nowadays is just a notification you click yes, in and out, and.
Suzanne Dibble: Okay, so get that for my ...I use a payment processing system called Stripe, so every time someone tries to log in for that, we always get a code texted to my phone, but you're saying, what are the other examples of where we should be looking to set that up?
Louis: It's mainly financial software, accounting software if it's supported.
Suzanne Dibble: I use for example, I have never been prompted to do that, do you know whether they use it?
Louis: It doesn't have support for 2FA, but not many of the accounting softwares do in fact support it for some reason, it's worth questioning about that because just using a standard password is a bit risky, you want to have a secondary means of authenticating yourself.
Suzanne Dibble: Okay, so financial and accounting, any other type of system we should be-
Louis: Email, there's email and your data, pretty much, so those are the main, most important places you're storing your business data, either Google Apps to work, Dropbox support. Tresorit obviously does and then there's email, and then you pretty much got all bases covered.
Suzanne Dibble: Okay. If I'm using Outlook on my Mac, Outlook for Mac, is there an easy way of setting that up?
Louis: Yes, so by default when you're using Outlook, it's a desk of applications so you don't need to input it over and over again when you set up an account, that's set up, so you don't need to use that.
Suzanne Dibble: Okay, so I don't need to get that code on my phone and then access that every time because that'd be a real pain in the ass to have to do that all the time.
Louis: No. using web applications on your Chrome, so when you're logging in for a new time, a new session or using it on a new, you're setting up a new device pretty much.
Suzanne Dibble: Okay, cool. All right, we've just had to a couple of new joiners who say ah is there a recording blah blah. No there is no but yes there's a recording in the group, so fear not, you can catch up with it at a later date. Okay, Louis, what else do we need to think about?
Louis: Yeah, Richard says, "uses Google Authenticator," that's great, yeah, that's a good application to use. I didn't use that, I'll just set up a website for someone when they're using that.
Suzanne Dibble : I'm going to make a note of that because I use is Google.
Louis: An application, mobile app that is.
Suzanne Dibble : Oh I see, I think I've got that, okay cool.
Louis: I'll just bring this up, okay. Yeah so passive merges, really important, using one of those on your mobile and your work machines and even necessary if you're working with a small team of people, making sure you've got separate uses separate passive merger users for each person, and then they can secure their own passwords that's pretty much that.
Suzanne Dibble: Yeah, we did talk about that and I forgot, that's right. Okay, good, what else?
Louis: Malware protection because if you think about it if you've got data on your computer and all of a sudden you happen to click a malicious link in an email and you start, not just downloading a script or some kind of program, but you unintentionally install a key logos on our machine, the main places you got to protect is your emails, so what does scanning your emails before you click on them in your inbox. For a lot of people, they use Google G Suite or Google Apps to work or Office 365 or Microsoft Exchange, both of which have good spam, but it's important to just be aware of different phishing attacks to get your information etcetera.
Suzanne Dibble: On a Mac, I always kind of understood it was pretty attack proof and that I didn't need a third party malware provider, but that's going way back actually and I've not really looked into it since then, what's the current position with Macs?
Louis: Macs are unfortunately increasing in the number of viruses, specifically just kind of spyware and ransomware, which are being generated by various people and making their way through to specifically Macs. Again the best solution I found for Macs, as well as Windows computers, is being F-Secure endpoint protection, which-
Suzanne Dibble: S-Secure endpoint protection.
Louis: Yeah, it's a really good antivirus, yeah, Stewart said many, many issues with Macs is a myth, correct, there were a lot of different security implications using Macs, but it's important just to have a good endpoint protection which hasn't been finable, hasn't been antivirus.
Suzanne Dibble: How much do you think that is rough? The S-Secure thingy?
Louis: Yeah, so you best be talking a monthly charge of something like three pounds 60 per workstation, and because it's on an ongoing basis, the software is always up to date, you can deploy it in a matter of minutes, and it's fully compatible with any software you're using. I have tested it in loads of different machines, I've tested it in loads of virtual machines, so they've been isolated. When I loaded it from software and I found it to be the most reliable solution.
Suzanne Dibble: Okay, so F-Secure, I did S-Secure, I misheard. Okay great, so F-Secure end-point protection, a monthly charge of three pounds 60, per month per work station.
Louis: Per month, per workstation, per user.
Suzanne Dibble: Yeah, okay. That's not going to break the bank then in that case.
Louis: Yeah, and a good ... the UK partner is a private ISP called Zen Internet and if you go through to their website, you can actually just buy it online, you can get the links to download it, sent via email and then you can just install it in 10 minutes or so.
Suzanne Dibble: Good, is that for Mac and Windows?
Louis: Mac and Windows, and they also do the VPN for mobile as well, so you can do everything on the F-Secure portal, you can log in to the F-Secure portal and you can see your device, you can see your tablet, your mobile, and your Mac or PC and that is, you're covered then, you can see whether they're updated or not, you can see whether they're secured and that's that.
Suzanne Dibble: Awesome, great. We're running out of time and I've got another caller on the hour. You did actually do it, I mean I only have a chance to look at it like literally five minutes before we came on, but it looked like a wonderful presentation on what we need to be thinking about. Are you happy if I share that in the group?
Louis: Yeah, absolutely yeah.
Suzanne Dibble: Fantastic, that would be really good. Is there anything that we've not covered on this call that we need to?
Louis: I'm just double checking. It's a matter of doing like a digital footprint in this is quite new to this is working out where your information is, where your information is on the internet, so doing deep web searches for your business, working out where your listing on the internet.
Suzanne Dibble: What is deep web, that sounds very homeland and 24 what is the deep web and how on earth do we search it?
Louis: There are special tools you can use, special search engines, some of which you store data that's really another completely different level for small businesses.
Suzanne Dibble: Okay, so we don't have to think about that?
Louis: It's especially doing conference of Google search, it's doing a map of wherever you are on the internet and making sure all your accounts are secure, all your information is up to date, your logos all in the right place, it's like a digital footprint in assess, so you work out exactly where you are for your marketing.
Suzanne Dibble: Who would you recommend just that? Is that for all small businesses or I'm just processing sensitive data and those that need to be more concerned about security aspects?
Louis: It's helpful for any small business to do one of these because it means that you can get a really clear picture of your online reputations, it comes into SEO and how your website works, and then it's just down to your marketing as well, so it's kind of like an overall use of internet.
Suzanne Dibble: Okay. I haven't got time to get into how we actually do that, but maybe you could, if you had five minutes, you could do a little bit that would be amazing.
Louis: Yeah, sure.
Suzanne Dibble: Okay, listen, I think we're going to have to wrap up now and I've not seen any more questions apart from lots of comments saying this has been so helpful, so thank you so much Louis, for taking the time out. Now do you actually consult on data security? What's your sort of then care?
Louis: Yeah, so I started off doing IT support, so just fixing computers when computers needed a lot of fixing.
Suzanne Dibble: We should have done this at the start, shouldn't we, just launched right into it, I was so excited, and now we do your bio and why you're so amazing.
Louis: Well, I kind of did a lot of work since leaving the sixth form, I've did a bit of online digital marketing and kind of grew my IT security skills alongside it. But because IT security crosses over so much with the management of IT, even with one man bands and small businesses, you need to have broad skills, so yeah I can help with a few different things from online marketing to just fundamental IT management and stuff and getting things set up.
Suzanne Dibble: What can you help with, with online marketing?
Louis: SEO, making sure things all link up with Google in the right ways, making sure things like your analytics really actually works because a lot of the times it kind of is set up correctly but you don't really see how the data can be used to work out how many inquiries you're getting or how many calls you're getting per month, or weeks, so the metrics on data.
Suzanne Dibble: Awesome, so you're an SEO expert and a security expert, fantastic. How can people get in touch if they would like to benefit from your vast experience and knowledge?
Louis: Just send us an email or give us a call.
Suzanne Dibble: pop it, excuse me, in the comments.
Suzanne Dibble: Is Louis Fist your company?
Louis: Yeah. I set this up just after my birthday at the beginning of March, and it just basically provides a broad set of IT services, just so things work properly and to get things set up, specifically in security and F-Secure stuff, which just takes 10 minutes but just get it sorted out for people.
Suzanne Dibble: Have you got a website domain?
Louis: Yeah I do.
Suzanne Dibble: www.louises.digital.
Louis: That's it, yeah.
Suzanne Dibble: Okay cool.
Louis: Website is still being built.
Suzanne Dibble: Okay, we better hold that against you. Andrew is one step ahead of us 404 error. Okay, we'll just use your email address for the time being and until that gets up and running.
Louis: Please do, yeah.
Suzanne Dibble: Thank you so much for joining us, that's been super helpful. I'll share your presentation with the group because that looks fantastic too. Thanks everyone for joining this live and engaging so brilliantly and for those of you who watch the replay then it's been a really, well by the time you get to be hearing this, you'll have worked out it's been a really, brilliant informative session, I'm certainly ... I think I knew most of it, but hadn't kind of joined it all up together and so actually I didn't realize the implications of mobile browsing in those coffee shops, so that's definitely something that I'll be more careful about. Thank you so much Louis, thanks everyone for being here.
Louis: Thank you very much.
Suzanne Dibble: See you all in the group, thanks, bye.