Some of your business’s sensitive data is already compromised and more of it likely will be, as the demand for information gleaned from illicit views of business information continually drives attacks on servers, said panelists at the 2018 PBN Cybersecurity Summit on Oct. 11 at the Crowne Plaza Providence-Warwick.
Members of the second panel of the morning included Colin Coleman, partner at Partridge Snow & Hahn LLP; Cindy Lepore, client executive/business insurance, Marsh & McLennan Agency; Larry Selnick, director, treasury and payment solutions, Webster Bank; and Eric Shorr, president, Secure Future Tech Solutions.
The average business’s greatest weakness lies with its employees, each of whom presents an opportunity for a data-stealing attack to succeed, according to panelists.
“So it’s mission critical to make sure that from the top down, from the CEO to any computer user in the organization, everyone gets appropriate cybersecurity training,” said Shorr, including at small businesses.
Four key areas businesses should focus on, he said, include phishing attacks, where people are tricked into clicking on links in email that grant access to company machines and data; compromised passwords; malicious links on websites; and unusual activity on your computer – all signals of a compromised system.
“If all of a sudden your computer starts sending out hundreds of emails, that’s a threat,” Lepore said.
“Pick up the phone. The phone is a great tool,” Shorr said, adding that when something doesn’t seem right, or you notice unusual activity on your computer, you should bring it to an information technology department member immediately.
The dark web, where users can surf anonymously and purchase stolen private information, as well as engage in other illegal activity, Shorr said, is full of data reaped from people and businesses that failed to protect themselves.
Passwords are a particular weakness wherever they’re used to safeguard access.
“I can’t begin to tell you how many of my clients use weak passwords,” Shorr said. As a result, he also finds clients’ data on the dark web when he begins working with them.
Often, he said, people resign themselves to using one easy-to-remember password on several services rather than creating a unique, strong, complicated password for each system they log in to. Instead, he recommends using a password manager. Shorr said he uses Dashlane, which allows people to generate strong passwords and securely save them for use while browsing the internet.
Lepore pointed out the importance of maintaining an environment where speaking up is encouraged and is the safe thing for employees to do. Businesses need to know the moment there’s a potential security breach.
Lepore also pointed out the risk of social media interactions through networking sites such as LinkedIn, where cyber thieves will work to manipulate C-level executives into giving away information that can be used to compromise a business’s data.
Lepore said that in a survey by Marsh & McLennan Agency of about 140 companies’ C-level executives, 50 percent did not have a plan in place to handle data breaches. “Which is very alarming after everything that we heard, just from the panel,” she said.
Having such a plan, including how to alert customers and clients that their information has been compromised, is essential, panelists said.
“It is your liability,” Lepore pointed out, noting that policies can protect against damages from stolen personal information and intellectual property.
“Everyone’s nervous about it, for good reason,” said Coleman.
Without a plan or insurance protection against compromised personal data, Lepore said, businesses risk serious damage to their reputation, as well as significant financial loss.
“These [insurance] policies have proven to be effective, paying out more than $200 million,” she said.
Coleman said a “playbook” outline for responding to cybersecurity breaches is essential for businesses. The playbook should be regularly tested with drills and reviewed often, he said.
“Make sure it works. Make sure people know their roles,” Coleman said.
Selnick spoke about the importance of staying on top of your business transactions, most of which are now conducted online. The average time between a breach of a business’s system and irretrievable loss of money is about two hours, he said.
“We can help, but we have to know about it very quickly,” Selnick said.
Being that responsive to breaches requires planning upfront, setting up tiered security with your bank, he said.
“It really has to come from the top,” said Pat McAssey, certified public accountant and partner at BlumShapiro, who attended the summit.
John Ottaviani, an attorney with Partridge Snow & Hahn, agreed.
“Spend time educating employees and putting policies in place so you can clean up the mess a lot faster and cheaper,” he added.
A data breach is more a job for the state police or the FBI than local police, who are unlikely to have the resources to respond to data theft or ransomware – computer viruses that lock users out of their own systems, which the creator will only unlock for a price.
“Don’t say the FBI is too busy, they don’t have time for this,” Coleman said. However, he said, a speedy response is key.
Rep. James R. Langevin, D-R.I., praised the attendees for their attention to the threat of cybersecurity breaches, the importance of which he said he wasn’t convinced of until 2007, when he learned it was possible to use cyberattacks to cause generators in power plants to explode by taking over their controls.
But, he said, the problem is one that won’t be neutralized, given the nation’s reliance on the internet and its continuing innovation.
“Cybersecurity is not a problem to solve. We have to look at it as a threat that can be managed,” he said.
Rob Borkowski is a PBN staff writer. Email him at Borkowski@PBN.com.