A company’s best asset, its own employees, can be its worst enemy when it comes to cybersecurity, and training employees so they stay ahead of possible attacks is critical to keep data protected.
That was among talking points shared by a panel of cybersecurity officials and specialists in front of about 130 people at Providence Business News’ annual Cybersecurity Summit on Oct. 11.
Moderated by Doug White, chair of cybersecurity networking at Roger Williams University and podcast personality at Security Weekly, the six panelists shared their views on an array of topics during the two-part breakfast summit at the Crowne Plaza Providence-Warwick, including what steps to take to safeguard a business from the latest cyber risks, how to build investment in effective security programs and how to fill the skills gap in the cybersecurity industry.
Eric Shorr, CEO and president of Secure Future Tech Solutions of Warwick, said a company’s business email can be compromised by hackers, noting that Microsoft Office 365 has a web portal that hackers can access without using email.
Shorr recalled an instance where a law firm was compromised and the hackers sent out “fake invoices” to every client it had on file.
“Talk about devastating,” Shorr said. “What kind of law firm wants to have that reputation? This is a fairly common attack where a construction company had the exact same attack.”
Colin Coleman, a partner at the Providence-based law firm Partridge Snow & Hahn LLP, said third-party vendors and contractors can be a significant cybersecurity risk for companies when electronically connected because the outside company “may not be as secure.”
“So, there is great vulnerability there and it’s not recognized until the attacks happen and somebody gets hacked,” Coleman said.
Jason Albuquerque, chief information security officer for Exeter-based Carousel Industries of North America Inc., said his concern is the industry not having enough people to fill cybersecurity jobs by 2020. He added that certain decisions people make on how to address cybersecurity “may not be where they need to be.”
Shorr also noted that small and midsize businesses “still do not recognize” that they are at risk of a cyberattack and “don’t take it seriously.”
“If they don’t have proper defenses in place, they are easy targets and can be used to hack others,” Shorr said.
Francesca Spidalieri, senior fellow for cyber leadership at Salve Regina University’s Pell Center for International Relations and Public Policy, backed up that claim with data showing that even though large-scale data breaches garner the most attention, small businesses may have the most to lose if hackers get through their cybersecurity.
According to her figures, 43% of cyber intrusions target small businesses, and 60% of those small companies go out of business within six months of an intrusion. It costs a company on average $879,000 because of damage or theft of information technology assets and 48% of the intrusions are caused by a “negligent employee or contractor.”
Cyber breaches are also not a quick fix. Spidalieri noted that an average company takes close to a year to identify the incident and to contain it.
Jeffrey Ziplow, cybersecurity risk assessment partner for Blum, Shapiro & Co. PC, added that most small businesses don’t employ a chief security officer and instead rely on third-party vendors to provide cybersecurity services.
Problem is, Ziplow said, there is “a gap” between what the IT vendors “can and are providing” in cybersecurity “and what the customers are assuming they are providing.”
“[Companies] are not just spending enough typically on understanding the type of security services that they need,” Ziplow said. “I think they need to look at it a bit different so that … they understand what services are and are not being provided and to essentially raise the bar for their own security posture.”
Shorr offered a “checklist” for companies to protect themselves from cyber intrusions. First, companies should perform security assessments, bringing in a third-party company to identify what systems are vulnerable to intrusion. Then, companies should speak to their IT vendors about “cybersecurity awareness training,” he said, so companies can stay ahead of attack methods that are constantly evolving.
“If you have a team that’s trained on what to look for [in terms of risks and possible intrusions], they can help protect the organization,” Shorr said.
Shorr then emphasized that companies need to use “advanced” protection systems, and he shared a “dirty little secret in the IT business.”
“Anti-virus doesn’t work,” he said. “All those traditional [systems] are broken and it’s reactive. They have to identify what the threat is first … and that takes time.” He said the newer systems use artificial intelligence to scan networks to identify “risky behaviors.”
The panelists also discussed two-factor authentication as a means for companies to protect themselves from breaches. Two-factor authentication requires a second proof of identity beyond the username and password, such as a one-time code from a phone app or a hardware token, before a login to email or other accounts is accepted, so a stolen password alone is not enough to get in. Spidalieri said two-factor authentication can “prevent 99%” of attempted account compromises and theft of intellectual property.
Panelists also talked about the importance of employees reporting to their superiors cases in which they inadvertently open a phishing email – a method in which attackers send emails that appear legitimate but are used to steal data. Spidalieri said an employee’s fear of being punished for opening a phishing email shouldn’t be at the forefront in dealing with a possible cyber intrusion.
“If something has happened, call IT,” Spidalieri said. “Yes, there needs to be consequences if somebody does something, but it shouldn’t be their first thought that they’re going to be fired. Otherwise … they won’t report the threat.”
“It’s really important to encourage all of our employees to come forward and let us know about [the issue] as soon as possible,” Ziplow added. “Don’t wait. We all make mistakes, but it’s important if you fess up.”
James Bessette is a PBN staff researcher. Contact him at Bessette@PBN.com