Cybersecurity continues to be an increasingly important issue for companies, and while it can be impossible to keep a business fully shielded from an attack, area experts have some tips on how firms can best protect themselves, as well as what should be their first steps if they become a target.
Andrew Gleasman, director of sales and cybersecurity trainer for CETech, says there has been more cybercrime over the past year brought on by several factors, from the COVID-19 pandemic that led to an increase in remote workers to the U.S. presidential election.
“All of these things opened up the floodgates to criminals,” he says, noting information technology security is a must. “IT security is as essential as having power.”
The cyberattacks on firms include ransomware, which is a type of malware that threatens to publish the victim’s data or perpetually block access to it unless a ransom is paid.
Lawmakers at the federal and state level have recently taken measures to address such cybercrime issues.
New York, for example, enacted the Stop Hacks and Improve Electronic Data Security (SHIELD) Act in early 2020, a data security law that requires businesses to set up a data security program to monitor and improve cybersecurity.
The SHIELD Act spells out the administrative, technical and physical safeguards that companies need to have in place when it comes to cybersecurity matters.
Companies should understand the requirements for them under SHIELD, Gleasman says.
They should also complete a yearly risk assessment to see where they have security holes and fill those holes accordingly, he adds.
“Management has to educate itself, understand the threat and give it its proper weight,” he says. “If they don’t do this, they leave the window wide open.”
Employee training on cybersecurity issues is also a must, he says, noting employees are often targeted by hackers, but with cybersecurity awareness employees can go from being a hacker’s prime target to a secure firewall for a business.
Not only does Gleasman recommend retraining on a regular basis, he also says companies should test their employees with simulated attacks, such as phishing scams, to increase their awareness of how such attacks look.
He recommends having back-ups and business continuity plans in place, as well. It may also be a good time to invest in new hardware and software.
With all of the changes over the past year, there are some good options companies should be using. They include advanced anti-virus software and multifactor authentication.
Having good password policies in place, and changing them regularly is also a must, he notes.
Gleasman also recommends companies have a cybersecurity insurance policy which includes safeguards for an individual business.
Mitigation and preparation are key, he adds.
“Companies have to think about layers of protection,” he says. “It’s cheaper to have safeguards in place than to go through remediation.”
If an incident does occur, the first things companies should do are refer to their incident response plans and begin working with IT to address the issue.
An incident response plan is a documented, written plan that helps IT professionals and staff recognize and deal with a cybersecurity incident.
A firm should also place a call to its attorney, who should serve as the point person for the event and act as lead for the direction of the remediation.
“You want to minimize what is discoverable until you know what actually happened,” Gleasman says.
It can also be beneficial to have a cybersecurity consulting firm involved that can help companies navigate the next steps, he says.
Gleasman adds it is crucial that company management understand the gravity of the issue.
“Companies shouldn’t just be taking these steps to check off a box,” he says, adding that the issue can affect employees, suppliers and customers. “It’s about safeguarding their livelihood.”
John Roman, president and chief operating officer of FoxPointe Solutions, says companies need to have documentation in place related to cybersecurity, such as a written information security program.
A WISP is a document that details an organization’s security controls, processes and policies and acts as a roadmap for a company’s IT security.
They should also have a clear incident response plan that lays out the steps to take if a breach occurs. If one does, Roman says companies need to assess the impact. He notes each situation is unique and the actions required to resolve the issues are specific to individual companies.
For protection, Roman recommends antimalware software, host-based firewall protection for every laptop and desktop device, and email gateways, which provide predelivery protection by blocking email-based threats before they reach the mail server.
Another option that is becoming popular with small- to mid-sized firms is working with a security operations center (SOC), which provides third-party monitoring of a company’s network.
Employees play a crucial role, he adds, noting they need to be educated in what to look for in an email message.
“Hackers know we are all busy, and they take advantage of that vulnerability,” Roman says.
Michael Montagliano, chief technology officer at iV4, a ProArch company, says attack methods used by hackers are changing.
“They are now more targeted,” he says.
Like his counterparts, Montagliano says employee training is essential, noting hackers regularly use phishing scams targeted at a firm’s employees.
It is also important to educate management on how to protect themselves, Montagliano says.
Montagliano says companies need to focus on certain issues, including making sure recoverability of data is in place. That can be done with viable encrypted data back-ups.
An up-to-date security awareness program that covers all areas from technology to employees is also essential, he says.
Firms may also want to adopt a Zero Trust security strategy for keeping data secure, which is rooted in the idea that one can no longer rely on the network perimeter to assess trust.
In a Zero Trust model, people are the perimeter, and identity is the core of maintaining a secure environment.
Once a system has been compromised, hackers can spend a great deal of time on a company network if they are not caught immediately, so it is important for a company to detect the issue as soon as possible and respond accordingly, he notes.
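Montagliano's point about catching an intruder early, illustrated with an added example that is not from the article or from iV4/ProArch: a small Python detector run over constructed authentication log lines (the log format, host names, IP addresses and account names are all invented for the demo). It flags an account that successfully logs on to an unusual number of distinct hosts inside a short window, a common footprint of an attacker moving laterally after the first compromise, and it raises the alert at the first event that crosses the threshold rather than after the fact.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format for the demo; real sources would be Windows 4624
# events, syslog auth lines, VPN logs, etc. parsed into the same fields.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth=(?P<result>\w+) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) host=(?P<host>\S+)$"
)

# Constructed sample: jdoe is a normal user, svc_backup is a service account
# that legitimately touches many hosts, mwilson's account has been taken over.
SAMPLE_LOG = """\
2021-03-02T01:00:00Z auth=success user=svc_backup src=10.0.9.5 host=FILESRV01
2021-03-02T01:00:05Z auth=success user=svc_backup src=10.0.9.5 host=HR-DB
2021-03-02T01:00:09Z auth=success user=svc_backup src=10.0.9.5 host=DC01
2021-03-02T01:00:14Z auth=success user=svc_backup src=10.0.9.5 host=WS-CEO
2021-03-02T08:55:10Z auth=success user=jdoe src=10.0.1.15 host=WS-JDOE
2021-03-02T09:00:41Z auth=success user=jdoe src=10.0.1.15 host=FILESRV01
2021-03-02T09:02:03Z auth=failure user=jdoe src=10.0.1.15 host=DC01
2021-03-02T13:02:11Z auth=success user=mwilson src=10.0.1.77 host=WS-ACCT3
2021-03-02T13:04:30Z auth=success user=mwilson src=10.0.1.77 host=FILESRV01
2021-03-02T13:05:02Z auth=failure user=mwilson src=10.0.1.77 host=DC01
2021-03-02T13:05:47Z auth=success user=mwilson src=10.0.1.77 host=DC01
2021-03-02T13:07:19Z auth=success user=mwilson src=10.0.1.77 host=HR-DB
2021-03-02T13:09:55Z auth=success user=mwilson src=10.0.1.77 host=WS-CEO
"""


def parse_events(lines):
    """Turn raw lines into dicts with a real datetime; skip lines that do not
    match the expected format instead of failing the whole run."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def detect_lateral_movement(events, window=timedelta(minutes=10),
                            min_hosts=4, exempt=frozenset({"svc_backup"})):
    """Per account, slide a time window over successful logons and alert the
    first time the window covers at least `min_hosts` distinct hosts.

    `exempt` lists accounts expected to fan out (backup, monitoring); tune it
    from a baseline rather than leaving service accounts to drown the alert.
    """
    by_user = defaultdict(list)
    for e in events:
        if e["result"] == "success" and e["user"] not in exempt:
            by_user[e["user"]].append(e)

    alerts = []
    for user, evs in by_user.items():
        start = 0
        for end, e in enumerate(evs):
            while e["ts"] - evs[start]["ts"] > window:   # drop events outside window
                start += 1
            hosts = {x["host"] for x in evs[start:end + 1]}
            if len(hosts) >= min_hosts:
                alerts.append({
                    "user": user,
                    "first": evs[start]["ts"],
                    "last": e["ts"],            # moment the alert would fire
                    "hosts": sorted(hosts),
                })
                break                           # one alert per account is enough
    return sorted(alerts, key=lambda a: a["first"])


if __name__ == "__main__":
    for a in detect_lateral_movement(parse_events(SAMPLE_LOG.splitlines())):
        print(f"ALERT {a['user']}: {len(a['hosts'])} hosts {a['first']:%H:%M:%S}"
              f"-{a['last']:%H:%M:%S} -> {', '.join(a['hosts'])}")
```

On the sample data the alert fires at 13:07:19, five minutes after the first suspicious logon and before the last host is reached; the same logic left as a nightly report would have given the attacker the rest of the day. The threshold and window should come from a baseline of normal behaviour in the environment, and exempting service accounts is what keeps the rule usable in practice.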
It is also important that a company contact its lawyers who can help guide a firm through the regulatory and compliance requirements if an incident occurs, he adds.
Cybersecurity is a complex issue, he says.
Gone are the days when hackers were working independently in a basement, Montagliano says, noting the cybercrime economy is the third largest in the world, behind the United States and China.
“This is organized crime,” he says. “It’s a business.”
Andrea Deckert is a Rochester-area freelance writer.