Cyberbreaches are something firms of all sizes should get used to.
“Breaches are going to happen—computer systems get breached all the time, whether it’s a little mom-and-pop store or it’s really sophisticated companies with powerful defenses; it happens,” said Matthew Wright, Rochester Institute of Technology’s director of the Center for Cybersecurity.
“The first thing is that it’s important to recognize that there is no perfect defense,” said Wright, also a professor of computing security at RIT.
The attacks are far-reaching and will continue to affect any kind of network, he added.
“We live in a world of lots of automated attacks, so certainly there are some hackers who are targeting specific big companies and going after big money targets, but small firms get hit all the time,” he said. “A lot of that is it’s not that someone is specifically targeting you, it’s that they’re targeting anybody who runs a Windows computer.”
As the chief technical officer for the Garden City, Nassau County-based Integris Security LLC, Blake Cornell has heard many reasons why business owners and officials choose not to invest in cybersecurity protection, such as “It would never happen to us” or “We don’t have anything important for someone to steal.”
“The only secure system is one that doesn’t exist,” Cornell said. “It is secure because it can’t be a target, because it is just a figment of the imagination. In lieu of that, cyberattacks happen. They happen all the time. The percentage of cyberattacks succeeding is what counts. You want to make that as close to zero as possible.”
Big companies will continue to be sought after since the payoff is bigger, but hackers will continue to get what they can from small firms. Hackers still have a lot to gain from the average-size business, said Trevor Smith, executive vice president of sales and marketing for Victor-based Brite Computers.
He sees attacks on major companies as a continuing trend. “They’re trying to steal data from Paychex because there’s a lot of good stuff there, but what they’re also doing is more phishing attacks or broad-based attacks,” he said. “Any company or individual can be susceptible to that, and that’s a big change in the security environment.”
Data breaches of large corporations can give small businesses quite the education, he says.
“Knowing that a breach happened is somewhat difficult,” Smith said. “Target (Corp.) is one of the most studied breach incidents out there because Target released so much information about it, and what they found is people were inside their network for six months.
“Target had every single piece of technology you could imagine at the time, but certain things weren’t turned on, certain things weren’t alerting people properly, certain things were bringing up false positives.”
Prepare for the worst
Instead of wondering whether their systems can be broken into, businesses should consider how difficult they want to make it for an adversary to get their data and at what cost, Cornell said.
“You want to do whatever you can within your budget to make it as difficult as possible,” he said.
When a business hires Cornell’s company, Integris Security will “emulate the evil for the sake of the good,” he said, by simulating a cyberattack to find weaknesses and vulnerabilities in a system and put together resolution strategies tailored to each client’s needs. He encourages businesses to know who they need to call in the event of an attack, including local law enforcement.
“Reach out to them,” he said. “Have those lines of communication open so that when an incident is discovered or the suspicion of an incident, you have an attack plan ready to combat the incident itself.
“The worst thing you could do is nothing beforehand,” Cornell said. “If something happens and you discover it, you have to figure out all this information anyway, so you might as well do it in lieu of a pending attack.”
Know your attorney
With cybersecurity come laws, regulations, standards and notification requirements, so many businesses need counsel as early as possible.
Steve Britt, a partner and director of corporate and technology law at Berenzweig Leonard LLP in McLean, Va., said cybersecurity is “only getting more complicated, and the first thing any company should do is take it seriously and begin the process of understanding what they need to protect themselves. … If there is a breach, you definitely have to have experienced data security privacy counsel, because it is just too complex a world.”
Companies need to take inventory of their assets, such as laptops and phones, and know the boundaries of their business network, Britt suggested. A management plan may be put together that covers the data held, how it is stored, the business processes that involve the data and what terms and conditions apply, in order to understand the scope of liability.
With more devices entering the workplace, they need to be managed and accounted for, Brite Computers’ Smith said.
“(Hackers) used to try and steal data and then go sell it. Well now with the onslaught of ransomware their payback is immediate,” he said. “So much time, money and effort has been placed on securing the network and the infrastructure, now the next phase that everyone is talking about is securing the endpoints.”
Invest in services
Some companies may need services beyond a cyber detective and good legal counsel, and businesses have started to provide them.
Kount Inc., a fraud detection company, has created software to help online vendors determine whether transactions are real or fraudulent. The Boise, Idaho-based company works with businesses selling a number of different products, such as diamond rings, airline tickets and automobile parts, seeing transactions from some 180 different countries a day.
Say you want to buy a computer from a major retailer. After putting in payment details and clicking the buy button, “Kount software takes hundreds of pieces of information from what is there on that buy page and we run it through dozens of different technologies,” said Donald Bush, Kount’s vice president of marketing. “In about 300 milliseconds, we go back to (the company) and say we think this is a legitimate transaction or not.”
The software looks at different aspects of the data, such as the device, payment type and email being used. The information receives a score that tells the retailer how much risk is involved with each customer. “Now the merchant can make the decision, literally in real time, in fractions of a second, whether they want to take that transaction or not,” Bush said.
He advised that businesses look at their security on an annual basis—at a minimum.
“Fraud and cybercrime are moving so rapidly and gaining so much ground that what you did last year is just not good enough for this year,” he said. “It’s got to be something that you stay on top of.”
Employees are key for companies defending themselves against attacks. Every employee should be educated about their role in cybersecurity, Smith said.
“Your end user is your ultimate decision maker,” he said. “A system might be black and white, maybe some shades of gray, but a human being can really make a decision, so your end users have to be vigilant.”
Once a company notices a breach, its leadership needs to “go into fight mode,” Cornell said. A company may need to bring in forensic analysts to determine which data has been targeted, which systems have been affected and who the perpetrator might be.
“It’s just like any crime scene. A digital crime scene isn’t much different,” Cornell said. Forensic evidence will determine what the criminals were looking for, who, if anyone, was a target and what the modus operandi was.
“There are a lot of moving parts, and if you do nothing, you might as well wish your business away,” Cornell said.
Gina Gallucci-White is a frequent contributor to The Daily Record in Baltimore.
12/16/2016 (c) 2016 Rochester Business Journal.