Keeping computer software up to date and training employees to be alert to hack attempts constitute the first line of defense in cybersecurity, a panel of experts told business owners and others at a breakfast meeting yesterday in Riverhead.
It’s critical to make sure your operating systems are up-to-date, with all available updates and security patches installed as soon as they are available. Failing to do so leaves your devices and network vulnerable to attack.
Employees should be trained to recognize malicious email, because that’s the biggest threat to business networks. Most are not sophisticated and easily recognizable — the familiar “phishing” emails that entice people to click on a link or download and open a malicious file.
Ransomware sent through emails — like the WannaCry ransomware that attacked computers worldwide in the past week — is nothing new.
More and more, however, hackers are using targeted attacks.
“We’re seeing a rise in attackers researching companies, identifying critical employees
and launching specific attacks on them,” said panelist Agrim Bracovic, the information security officer at Bridgehampton National Bank, which hosted the breakfast meeting at the Suffolk Theater with the Campolo, Middleton and McCormick law firm.
Sophisticated attackers will use that kind of knowledge to dupe an unsuspecting employee and gain entry to a network. They will often then “sit on” the network and gather more information that they can use to achieve their goals — which might ultimately be a wire transfer of money, for example.
“An attacker reaches a customer’s email account, sorts through their sent mail and contact information, finds out where they bank and launches some kind of attack through their ID,” Bracovic said.
Small and medium-sized businesses are more frequently being targeted, added Kevin Edwards, director of compliance and IT security at Flexible Systems.
Edwards says his staff, when called to assist businesses with cybersecurity, completes a risk assessment first. Is there an adequate firewall? Are appropriate and up-to-date email filters in place? Are users properly trained?
“The weakest link is always user education,” he said.
Next is the lack of policies and procedures — requirements for strong passwords, for example and approved, secure ways to store them.
Not having multiple layers of security in place is another weakness, Edwards said.
Finally is complacency. “People think, ‘Oh we’re not that big no one is going to come after us. Rogue states are not going to come after us.’ But that just is no longer the case,” he said.
“They’re running bots 24 hours a day. They find weaknesses, get into your network
and sit there collecting data before an attack — sometimes for months or even as long as year,” he said.
Jonathan Harrington of Campolo, Middleton and McCormick reminded the audience that laws and regulations — as well as their own insurance policies — may require them to take steps to secure their systems and data.
“Do you conduct regular vulnerability scans? Do you have a mobile device management policy in place? Can you get the data that’s on a lost or stolen phone off the device remotely?” Harrington asked.
“All laptops should be encrypted,” he said. “If not, they’re a huge risk to your business. They contain your intellectual property and customer information, too.” Businesses may have a legal obligation to protect customer information and the failure to do so could cost them — a lot. Harrington pointed to the Target hack a few years ago that cost the company $300 million. Insurance only covered $90 million, he noted.
Cyber insurance policies are separate from general liability policies, which don’t usually offer such protection, Harrington said. But pay attention to what they cover and what they exclude, he cautioned. Many policies don’t cover state-sponsored attacks, he said.
“It’s important to have an incident plan — sooner or later everyone gets breached. You may have customer as well as government reporting obligations and maybe contractual obligations to report to third parties,” Harrington said.
“If you’re breached, call your attorney ASAP,” he said.
“Communicating with people in your organization is essential — making sure everyone takes responsibility for security,” said panelist Judy Murrah, chief information officer at Applied DNA Sciences. “It’s important to have policies and equally important that the CEO and senior management support them with budgeted resources.”
Thomas Simson, senior vice president and chief information officer at Bridgehampton National Bank moderated the panel discussion.