
Yes we (as a society) have a problem.

Most people do not want to talk about Cybersecurity for a variety of reasons (nod your head if you agree).

Many people (some say 30%) are not doing what is necessary to protect their machines properly.

Managers or owners are not aware of the dangers they are in, think they are not a target (too small to get attacked), or have some other reason. Psychology of security: 30% of people are unwilling to spend money on the chance that they will lose less money; they think it is a gamble that is worth taking.

No communication of problems, or of when one needs help ("no problems here"), causes a lot of people not to pay attention, especially when they just keep operating as normal and nothing happens.

Gambling with risk is a unique gamble that depends on the hacker's good graces.

This causes problems for the rest of us as the machines with problems will be used to attack everyone.

Thus the Catch-22: people who do think they have a problem, even when they get a problem, will not ask for help until it is already too late (after a successful attack it is too late).

What will actually make everyone that needs it perform preventative measures (spend money to possibly lose less money)?

This is why I have written a book that will be released shortly - within the first quarter of 2021 - as we are finalizing editing and other publishing tasks. Get on our mail list to learn more about the book: mail list link.

Contact Us to discuss

My latest blogpost at Oversitesentry discusses this image (below) among other things.

After writing the blogpost I continued to research from my Security news analyzed page and found this great post by Bruce Schneier: "On the Evolution of Ransomware"

I agree with Bruce Schneier that ransomware attacks are more intense and sophisticated: the requested fee in 2018 was $5,000 and in 2020 it went up to $200,000. The criminal attackers are doing research and going after larger targets. And the ransom might not only be for computers and the data; it may be information that the hacker will release to the public unless you pay them.

It behooves everyone to start dotting the i's and crossing the t's, because the hackers are not standing still. Maybe you were not targeted in 2020 or 2019, but that may not be the same in 2021 or 2022. It is high time to make things as difficult as possible for the hacker attackers.

I am putting the finishing touches on a book in 2021 that will help small businesses manage cybersecurity.

As I wrote on my blog site, PCI compliance is a good way to get started if you have not yet begun the path of creating good Cybersecurity in your organization.

IF you are accepting credit cards, then you _should_ be capable of meeting the PCI compliance standard. It is a lot to take on if you have nothing, but it can be easier if you do not develop computer code in order to accept credit cards.

My slightly simplified headings:

First inventory all your systems (software and hardware).

  1. Firewall maintenance (set up proper procedures to edit the ACL - Access Control List)
  2. Change your default passwords (and create a password policy)
  3. Protect stored cardholder data (if you are not developing software or a website, this may not be necessary)
  4. Encrypt cardholder data - i.e. use devices that encrypt cardholder data (or develop this properly)
  5. Protect all systems against malware (using anti-virus software)
  6. Develop and maintain secure applications (only if you are developing software)
  7. Restrict access to cardholder data (if developing, authenticate before giving access)
  8. Identify and authenticate access to system components
  9. Authenticate physical access (only qualified people should access credit card systems)
  10. Track and monitor all access to network resources and cardholder data (log systems)
  11. Regularly test security systems and procedures
  12. Maintain a policy that addresses security information for all personnel

[Image: the 12 parts of PCI compliance]

So from this point one can remove step 6 if there is no computer code helping you accept credit cards.

Step 4 should be handled by the credit card processor's devices.

Steps 3, 7, 8, and 9 are easier with no coding.

Now all you have to focus on is 1, 2, 3, 5, 10, 11, and 12, which you should be doing already; maybe you have no documentation, but it is being done (or should be).

If you ask me, 1, 2, 5, 10, 11, and 12 should be done whether you have credit card processing or not. Someone should be accumulating bits and pieces until you have a proper security policy.

THAT is what we do!! We can help you with creating a security policy from scratch. Contact Us

The image is trying to make the point that governance includes PCI compliance and can be a basis for making proper IT decisions with the future in mind. Where compliance and regulation efforts focus on specific actions and data, governance can be all-encompassing and, most importantly, create an environment where proper decisions are made with the right people in the room. Nothing is missed, whereas the compliance efforts only do what they have to.

Our latest blogpost at (a bit more information)

Is it important to focus on security? How much should we pay attention to computer security? Can we relegate computer security, or as some coin the phrase 'Cybersecurity', to an afterthought? Or at least to a small line item in the plan for 2019!

Your company could have a serious problem if circumstances cause problems to cascade to a dangerous level.

So 'IF' there is a ransomware attack on the most important data that we use, and we cannot recover the data (for whatever reason), is that important enough to pay more attention?

As the image above notes, in six months we could be out of business if we did not prepare properly by setting up backups for our data. Sometimes ransomware just destroys data and it cannot be recovered.

Contact us to get someone to review your backup plans and more to make sure that your business will be viable even after a ransomware attack.

So now we are in July 2018 and the 3rd quarter has started in earnest; have you completed your compliance reports for Q1 and Q2?

PCI compliance is just a bunch of check marks right?

Just say your network is secure, the payment transactions are all encrypted, all the employees know what to do in all situations, etc. etc.

Did you perform Risk Analysis as the PCI compliance documents require at PCI Security standards?

Unfortunately, if you ever do get breached and you do not have all the paperwork, the fines will make paying an auditor for years look like chump change.

Contact us to audit or create Compliance security policies.

What does it mean to be PCI compliant? Are You Secure if you passed compliance standards?

If you update your software, as you are supposed to in order to be PCI compliant, what happens if the update breaks your environment or is actually not secure?

Do you need an example? How about from our blogpost¹:


In our blogpost we mention a plugin that was hijacked by a criminal, who then installed his own malicious code in the plugin.

He then told WordPress "upgrade your plugin", so the WordPress organization, through its upgrade mechanism, told all users of the plugin to upgrade.

If the unsuspecting users upgrade, then they are automatically hacked. Upgrading is normally good, but there has to be a reason for an upgrade and it has to be tested. Yet for "PCI compliance" you have to upgrade and keep your systems patched; for example, requirement 6.2 in the latest v3.2 PCI standard²:


Requirement 6.2 Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor supplied security patches. Install critical security patches within one month of release.

So the requirement makes no mention of fake upgrades; it only says to upgrade the software that is necessary for the systems that need it.

This is why one has to test the upgrade first, make sure it is what it claims to be before placing it in production.


Another problem: being compliant covers only "known" vulnerabilities, which means unknown vulnerabilities can get you hacked even if you are compliant³.

As in the post from Dec 10, 2015, new exploits are found which cause you to get hacked, and then you still lose a lot of money even though you have the latest patches. Even the latest firewalls (as in the post mentioned), certain NGFW (Next Generation Firewalls), can get hacked with a specific method.

So to answer the question above (are you secure if PCI compliant): not necessarily. In the end PCI compliance is a specific standard for credit card numbers. You can be compliant for the credit card numbers, or Primary Account Numbers (PAN), and still fail to provide security on other systems. Or you can claim to pass PCI compliance online while not actually performing all the functions.

Testing your network for security vulnerabilities should be done by a separate pair of eyes.


Contact me at 314-504-3974 Tony Zafiropoulos to discuss


Why do Cybersecurity? Can you take a chance on your Info Technology being attacked by nefarious actors?

There are a lot of attackers looking for a way into your computers:

[Image: "All your bases belong to us", including alias "little Japanese"]

These criminals have honed their skills. "All Your Bases Belong to Us" is a video gaming term, where two gamers fight each other and attempt to take over their opponent's bases; that is what the term meant when it was first used, but it has morphed, as many other things have on the net.

In this case I take it to mean in broken English how Criminals in other countries will take over your computers. They are crafty and have learned their way around computer weaknesses. The hackers are getting better all the time.

So if you decide yes we _will_ improve our security situation ... now what?

How much time and resources should be spent on Cybersecurity prevention?

Is it about 10%? For simplicity let's say 10% is the minimum amount of time and resources that should be spent.

So out of 2000 work hours in a year (i.e. not including all the time sleeping and taking time off), 200 hours per year should be spent on various activities to save your personal and business data from calamity.

Now the big question is what to do with the time and resources to be spent on Cybersecurity? 200 hours is not a lot for the year and it should not be used up all at once, as there are other things to do. So if we divide 200 by 12 it equals 16 2/3 hours per month; we can round it to 17 hours per month, or about 4 hours per week.

The interesting item, as Anthony Christie¹ says: “Our security people spend 60% of their time optimizing documentation and 40% of their time doing the work,” said Anthony Christie, chief marketing officer for Level 3 Communications (a networking company).

So let's say 2.4 hours per week on documentation and 1.6 on actual security work.

Documentation is important; that is why 60% of the time should be spent on it.

This is where can help you we are familiar with compliance standards including HIPAA, PCI, NASD, Sarbanes Oxley, GLBA and more.

But what should your IT department actually do? Update your systems and make sure they have the latest patches. Updating your systems is not easy peasy.

Before doing an update one has to test the patch to make sure it will not harm the rest of the software that runs in your standard environment.

PCI Compliance² is important if you take credit card payments.

HIPAA compliance is important if you handle or are near patient data.

Sarbanes-Oxley if you are a public company (or thinking of becoming one).

Various Financial Regulations require cybersecurity as well for any financial institution.

The consumer rights division is getting more aggressive, so needless to say there are many government entities regulating more and more cyber activities, and _when_ there are more attacks there will be more regulations, not less (when have you seen fewer regulations from the government?). The Federal Trade Commission got a ruling on data security in the Wyndham case³:

"The FTC sued the hospitality company and three subsidiaries, alleging that data security failures led to three data breaches at Wyndham hotels in less than two years. According to the complaint, those failures resulted in millions of dollars of fraudulent charges on consumers’ credit and debit cards – and the transfer of hundreds of thousands of consumers’ account information to a website registered in Russia."

You can see that as an executive overseeing an IT department one can look at the budget and spend in many directions, including technology.

Remember that technology is just one piece of the puzzle:


Privacy and civil liberties versus security needs to be taken into account, and your risk assessment must be done by qualified individuals. There is no such thing as 100% security, only "more secure" and "less secure".


The likelihood of an attack and the impact of the attack (what would happen if criminals are successful) should set your risk and then you can gauge your "Risk appetite" to decide where to spend your budget.

As I have discussed in my blog Website


Here is another way of looking at risk management:

Imagine playing Russian roulette with a 500- or 1000-barrel gun (depending on circumstances).

Every day we spin the barrels (one has a bullet), so we have a 1 in 500 chance (or 1 in 1000) of something bad happening. Hopefully the odds are 1 in 500 or 1 in 1000. But imagine the worst possible experience: your customer data is now in the hands of a criminal. Now what?
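The daily odds above only become a budget argument once they are carried over a year and multiplied by the impact, as the page describes risk (likelihood times impact). The following is an added example, not code from the original post; the $200,000 impact is the 2020 ransom figure quoted earlier on this page, and the preventive spend and reduction figures are constructed assumptions.

```python
# Added example (not from the original post): turning "1 in 500 or 1 in 1000
# per day" into an annual probability and an expected loss that can be
# compared with what prevention would cost. Dollar amounts are constructed.


def annual_incident_probability(daily_probability: float, days: int = 365) -> float:
    """Chance of at least one bad day in `days` independent daily spins."""
    return 1.0 - (1.0 - daily_probability) ** days


def expected_annual_loss(daily_probability: float, impact: float) -> float:
    """Likelihood times impact, the page's definition of risk."""
    return annual_incident_probability(daily_probability) * impact


def worth_spending(daily_probability: float, impact: float,
                   preventive_spend: float, reduction: float):
    """Does spending `preventive_spend` to cut the daily odds by `reduction`
    (0..1) lower the expected annual loss by more than it costs?
    Returns (decision, loss_before, loss_after)."""
    before = expected_annual_loss(daily_probability, impact)
    after = expected_annual_loss(daily_probability * (1.0 - reduction), impact)
    return (before - after) > preventive_spend, before, after


if __name__ == "__main__":
    for odds in (500, 1000):
        p_year = annual_incident_probability(1 / odds)
        print(f"1 in {odds} per day -> {p_year:.0%} chance of an incident within a year")
    # Constructed scenario: $200,000 impact, $15,000 of prevention that cuts
    # the daily odds by 80%.
    decision, before, after = worth_spending(1 / 500, 200_000, 15_000, 0.8)
    print(f"expected loss ${before:,.0f} -> ${after:,.0f}; spend worthwhile: {decision}")
```

A 1-in-500 daily chance is a better-than-even chance of an incident within the year, which is the part of the roulette picture that the daily odds alone hide.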

Whether you know it or not, there are risks just for using your computers and being connected to the Internet. So unless you want to disconnect there will be risks. So what will you do to reduce your risks?

Contact us to discuss




What Do I mean when I say "Start With Some Cybersecurity"?

At we will help you design your own Cybersecurity department, or help you with just enough Cybersecurity.

What do I mean by 'just enough Cybersecurity'?


I think it is safe to say that most of us do not think about the security of our phones, computers and tablets. As a whole, people want their electronic devices to work.

Is this indicative of what we want in our companies? Do we expect the IT department to keep us safe and secure? We don't want to think about this, we just want it to happen.

So what to do? Why does the IT department need oversight? Because testing their abilities, in a nice way, tells them they are doing a good job and tells you the IT job is being done well.

You can still get hacked, but at least the i's were dotted and the t's crossed.

The key, in our environments anyway, is what happens after the hacker is in. You don't want them to steal anything and get away with it. You have to set up methods to track down when a hacker is doing their work and shut down the exfiltration (the stealing of data to an external machine).


So to start we have to audit the environment and count all the computers before doing the next steps.

  1. Audit the environment: count the computers and find out what is running on them (count computers = find them all and review what is running on them).
  2. Audit the software, since just knowing the hardware, or the server instances in virtual machines, is not enough. We must know the type and version of software running, since a vulnerability alert can put PCI compliance in jeopardy. The criminal hacker is looking for your software, so you should know what is in your environment as well.
  3. Do vulnerability assessments, which means trying to uncover unpatched software in your environment (just like the criminal hacker would do, and as you are supposed to do for PCI compliance, HIPAA compliance and all other governance), as it only makes sense.
  4. What about zero-day attacks, the attacks that cannot be patched because the hackers found a problem that can be exploited? For these situations we have to have a detect and monitor program. Check the logs and check the network traffic, which means a SIEM (Security Information and Event Management system) and an IPS (Intrusion Prevention System).
    1. Although SIEM-IPS systems will not prevent all attacks, they will prevent a lot, and with vigilance and enough resources we can keep up with attacks on our environment.



[Image from NIST(National Institute of Standards and Technology) 800-37 documents¹]

If risk management is to work properly in an entity, it must be assessed with enough time to review all your data and your usage of computers.

So yes, the first thing one must do is to find out what your Info tech is and how it is being used. So don't just learn what is running on each computer, but rate each item by its risk factor:

You must classify data from High importance, to Low importance.


High Importance data can then be properly classified in Cyber Risk categories.

We will review each step of the path to better Cybersecurity again and again as that is what we are all about.

Contact us to discuss Contact me Tony Zafiropoulos 314-504-3974


Our hashtag #testYourSecurity should be everyone's hashtag that wants more Cybersecurity.