Cybersecurity is an issue that affects everyone, and one that will only become more prevalent. From the grandfather who sends his social security check to a “prince” in Nigeria to the CEO who finds her proprietary data held hostage by a cyber thief, no one is immune to online threats and scams. Business owners need to be especially careful: they must protect not only their own information but, in many cases, the information of their customers as well.
A recent Business First panel discussion covered the topic of cybersecurity via a webinar hosted by Nevada Business Magazine. The panel was moderated by Connie Brennan, publisher and CEO of the publication and sponsored by Eide Bailly, Nevada State Bank, and Link Technologies. The expert panel covered everything from the biggest mistake business owners make in regard to cybersecurity to the best advice they have for businesses.
Panelists included Anders Erickson, principal-in-charge of cybersecurity for Eide Bailly; Navpreet Jatana, senior vice president of enterprise information security at Zions Bancorporation, NA, the parent organization of Nevada State Bank; and R. Montana Williams, co-founder and managing partner of Titan Rain Cybersecurity, speaking on behalf of Link Technologies. Each panelist is an expert on cybersecurity and provided a unique perspective on this complex issue.
Biggest Mistakes
Unfortunately, when it comes to cybersecurity, a business is only as protected as its weakest point. “One of the most important mistakes an organization makes is just not taking it seriously,” Erickson explained. Part of his job entails helping companies establish a culture of security from the top down.
He added, “It really does come from the top. Organizations still kick the can down the road, but we know cybersecurity attacks are the fastest growing crime in the U.S. right now. By next year, it is estimated that ransomware attacks are going to happen every five seconds.” Erickson further estimates that the average cost of each ransomware incident could be between $100,000 and more than $380,000.
“I would add, it’s about awareness for, not just the overall business, but the individuals that work in the business,” said Jatana, who is responsible for multiple cybersecurity teams at Zions Bancorp.
When it comes to common mistakes, Williams explained that, essentially, it boils down to company culture. “That [culture] starts at the board room and goes all the way to the breakroom,” he said. “[There should be] an understanding at every level of an organization of the importance of cybersecurity.”
Having held positions ranging from the private and non-profit fields to government and military, Williams has helped a range of organizations protect themselves from cyber-attacks. “Cybersecurity is also about risk management,” Williams said. “Remember there are these three basic tenets of cybersecurity: confidentiality, integrity and availability.”
“Don’t treat it simply as an IT problem,” Jatana concurred. “Treat it as a business problem. This is about risk management. How do you manage financial risk? How do you manage HR risk? How do you manage legal risk? You’ve got to manage cyber risk at a very senior level within the organization.”
Common Threats
“One of the biggest threats is phishing,” said Jatana. Phishing is an email crafted to look as if it comes from a trusted sender in order to trick the recipient into handing over credentials or other sensitive information, or into opening a link or attachment that infects the machine, so the attacker can steal from or defraud the business.
“It’s someone trying to trick you into clicking on something that will either infect your computer or steal information from your business,” he said. “That remains one of the biggest threats and we take that very seriously. For Nevada State Bank, that means educating team members on the importance of vigilance and addressing any potential phishing early on.”
Erickson weighed in with some additional advice on phishing. He suggested that tagging every email that arrives from outside the organization with a visible warning can be helpful. “It’s very easy to do and your IT team should be able to do it. Do not ever click on a link from outside your organization,” he said.
He also suggested testing employees to make sure they aren’t clicking on links that could potentially be harmful. He explained, “You should be testing your organization’s people on a regular basis. In the month of October, I got tested at least four times a week; it was cybersecurity awareness month. Our cyber team was sending us fake phishing emails and we were supposed to identify them and report them. This is something you should be taking very seriously. It is only through practice and technical notifications and identifications of these potential threats that we’re actually going to win this one.”
Williams added that asking some common-sense questions goes a long way to protecting against phishing attacks. “Do you know who the sender is? Are they familiar to you? If it’s an attachment, are you expecting them to send you something? If you are clicking on an email and see an email address you’re unfamiliar with, go straight to the company’s website [rather than clicking a link],” he said.
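The checks above (Erickson’s tag on mail from outside the organization, and Williams’ questions about who the sender really is and where a link really goes) can be automated. The following is an added example, not code from the panel or the magazine: it applies those checks to raw email messages and reports warnings. The organization domain `example-bank.test`, the function names, and both sample messages are constructed for illustration.

```python
"""Added example (not from the panel or the magazine): a small triage script
that applies the checks discussed above to raw email messages.  It flags
(1) mail whose sender is outside the organization, the same test a mail
gateway uses to prepend an external-sender warning, (2) a display name that
borrows the organization's name or an internal address while the mailbox is
external, (3) a Reply-To pointing somewhere other than the sender, and
(4) HTML links whose visible text names one host but whose href goes to
another.  ORG_DOMAIN and both sample messages are constructed."""
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

ORG_DOMAIN = "example-bank.test"        # assumed organization domain
ORG_NAME = ORG_DOMAIN.split(".")[0]     # "example-bank"


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", "") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host_of(value):
    """Host part of a mail address or URL, lowercased ('' if neither)."""
    value = value.strip()
    if "://" in value:
        return (urlparse(value).hostname or "").lower()  # survives user@host tricks
    if "@" in value:
        return value.rsplit("@", 1)[1].lower()
    return ""


def triage(raw_message):
    """Return a list of warning strings for one RFC 5322 message."""
    msg = message_from_string(raw_message)
    warnings = []
    display_name, sender = parseaddr(msg.get("From", ""))
    sender_host = _host_of(sender)
    if sender_host != ORG_DOMAIN:
        warnings.append(f"EXTERNAL sender: {sender}")
        if ORG_NAME in display_name.lower() or "@" in display_name:
            warnings.append(f"display name '{display_name}' impersonates the organization")
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and _host_of(reply_to) != sender_host:
        warnings.append(f"Reply-To {reply_to} differs from sender")
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        html = part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")
        collector = _LinkCollector()
        collector.feed(html)
        for href, text in collector.links:
            href_host, text_host = _host_of(href), _host_of(text)
            if text_host and text_host != href_host:
                warnings.append(f"link text shows {text_host} but points to {href_host}")
            elif href_host and href_host != ORG_DOMAIN:
                warnings.append(f"link to external host {href_host}")
    return warnings


# Constructed samples: a credential-harvesting lure and an ordinary internal note.
SAMPLE_PHISH = """\
From: "Example-Bank IT Support" <helpdesk@example-bank-secure.test>
To: staff@example-bank.test
Subject: Password expires today
Content-Type: text/html; charset=utf-8

<html><body><p>Your password expires today. Sign in to keep access:</p>
<a href="https://example-bank.test.login-verify.test/reset">https://example-bank.test/reset</a>
</body></html>
"""

SAMPLE_INTERNAL = """\
From: Payroll <payroll@example-bank.test>
To: staff@example-bank.test
Subject: November pay dates
Content-Type: text/plain; charset=utf-8

Pay runs on the 13th and the 27th this month.
"""

if __name__ == "__main__":
    for name, raw in (("phish", SAMPLE_PHISH), ("internal", SAMPLE_INTERNAL)):
        print(name, triage(raw) or ["no warnings"])
```

The lookalike sender domain and the link whose visible text says `example-bank.test` but whose target is a subdomain of another host are exactly the cases Williams’ “go straight to the company’s website” advice defends against; a script like this gives a helpdesk a consistent first pass before a human looks.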
Another common threat is reused passwords, explained Jatana. “Have you ever reused your password across multiple websites?” he asked. “Chances are the answer is an overwhelming yes. It’s hard to remember a lot of passwords.”
He went on to explain how dangerous that is but that it’s a relatively easy fix. “That’s one of the biggest things and [something] that any individual can directly control,” he said. “Start using a password manager so that you can assign unique passwords to all your accounts.”
Williams added that the Nigerian “prince” so familiar to email users is also back at it again because, unfortunately, those types of scams are successful. “Every major breach starts with some type of social engineering component to it,” he said. “That is still the number one threat. We have to educate. We have to practice. We have to exercise our plans. An incident response plan does nobody any good if you type it out and put it on a shelf and it collects dust.”
Jatana recommends businesses adopt a D.I.V.A. approach – Data, Identities, Vulnerabilities and Assets. “Those are some of the things that, if you focus your efforts on, you will be in a good spot as a business. At least get an understanding of each of those,” he said. “You’re either going to have to do it on the front end, do it on the back end or go out of business.”
New Complications
One issue that has been brought to the forefront in 2020 has been the need for employees to work remotely while maintaining company security. Remote work brings about a host of security issues and many companies weren’t ready for the dramatic shift to work from home that happened earlier in the year.
“We are in a new paradigm,” said Williams. “From a security perspective, you have to have a BYOD policy – Bring Your Own Device. You have to containerize things on people’s cell phones and [tablets] if you’re going to let them use those as part of the data they are needing to do their jobs every day. You’re going to have to give them some sort of secure VPN (virtual private network) because they are working from home, so they are using their own ISPs (internet service providers). All those things need to be taken into consideration and improved upon as you move forward with remote work.”
One option many companies have begun using is remote desktop, a service that lets a user log into a work computer over the network from a home device.
“What I’ve noticed is, enabling remote connectivity is not always done securely,” said Jatana. “If you have a person you rely on to provide you with IT support services, they might enable you to start connecting remotely to your infrastructure. Put a stop to that because that is one of the ways [organizations] end up in compromising situations.”
Erickson added that one of the biggest dangers with remote desktop boils down to simple password management. “Talk to your service provider, talk with your IT team about what they are using,” he advised. “Ask them the questions. Is this secure? How are you accessing [company computers] securely from remote? In the case of remote desktop there are some vulnerabilities but also, it’s [important to have] just good password management. Put a strong password on it.”
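The failure mode Jatana and Erickson describe, a remote desktop service reachable from the internet and protected only by a password, shows up in logs as bursts of failed logons followed, when guessing succeeds, by a successful one from the same source. The following is an added example, not from the panel: detection logic run over constructed log records. It relies on two facts about Windows, that a failed logon is Security event 4625 and a successful one is 4624, and that RDP sessions carry logon type 10; the one-line-per-event format, the timestamps and the documentation-range IP addresses are constructed, not real log output.

```python
"""Added example (not from the panel): detection of password attacks on an
exposed Remote Desktop service, run over constructed log records.  Windows
logs a failed logon as Security event 4625 and a success as 4624; RDP
sessions carry logon type 10 (RemoteInteractive).  The records below are
simplified, constructed samples, not real Windows log output."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample, one event per line:
# "timestamp event_id logon_type source_ip account"
SAMPLE_LOG = """\
2020-11-03T02:14:01 4624 10 198.51.100.7 jsmith
2020-11-03T02:15:30 4625 10 198.51.100.7 jsmith
2020-11-03T02:15:44 4624 10 198.51.100.7 jsmith
2020-11-03T02:30:00 4625 2 - jsmith
2020-11-03T03:01:02 4625 10 203.0.113.45 administrator
2020-11-03T03:01:03 4625 10 203.0.113.45 admin
2020-11-03T03:01:05 4625 10 203.0.113.45 backup
2020-11-03T03:01:06 4625 10 203.0.113.45 scanner
2020-11-03T03:01:08 4625 10 203.0.113.45 administrator
2020-11-03T03:01:09 4625 10 203.0.113.45 admin
2020-11-03T03:02:40 4624 10 203.0.113.45 admin
"""


def parse_events(text):
    """Yield one dict per non-empty line of the constructed format above."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, ip, account = line.split()
        yield {"ts": datetime.fromisoformat(ts), "event": int(event_id),
               "logon_type": int(logon_type), "ip": ip, "account": account}


def detect_rdp_attacks(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return alerts as tuples.  A source IP with `threshold` or more failed
    RDP logons inside `window` is a password-guessing burst; an RDP success
    from that IP while the burst is still fresh is the alert that matters."""
    failures = defaultdict(deque)   # ip -> timestamps of recent RDP failures
    burst_seen = {}                 # ip -> time the burst alert fired
    alerts = []
    for ev in parse_events(log_text):
        if ev["logon_type"] != 10:  # console, service and network logons are out of scope
            continue
        q = failures[ev["ip"]]
        while q and ev["ts"] - q[0] > window:
            q.popleft()             # slide the window forward
        if ev["event"] == 4625:
            q.append(ev["ts"])
            if len(q) >= threshold and ev["ip"] not in burst_seen:
                burst_seen[ev["ip"]] = ev["ts"]
                alerts.append(("brute_force", ev["ip"], ev["ts"], len(q)))
        elif ev["event"] == 4624:
            fired = burst_seen.get(ev["ip"])
            if fired is not None and ev["ts"] - fired <= window:
                alerts.append(("success_after_brute_force", ev["ip"], ev["ts"], ev["account"]))
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_attacks(SAMPLE_LOG):
        print(*alert)
```

The single mistyped password from `198.51.100.7` never reaches the threshold and stays quiet; the burst from `203.0.113.45` fires once, and the `admin` success ninety seconds later is the event to treat as a compromise, not a login. Tune the threshold and window to your own baseline, and note that the detection only tells you the exposure exists; the fix is the one the panel gives, putting the service behind a VPN and requiring more than a password.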
Jatana advises using a strong VPN that is well maintained and kept up to date, along with multi-factor authentication wherever possible. Multi-factor authentication grants access only after the user presents two or more independent pieces of evidence of identity, typically a password plus something they physically hold, such as a one-time code from a phone app or hardware token; it helps ensure that the person logging onto a system is who they say they are.
“Do you know who is actually logging into your infrastructure?” asked Jatana. “Can you be sure of that? Or is it someone who stole someone’s password and are pretending to be that person? Multi-factor authentication gives you the assurance that person is who they say they are.”
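To make the assurance Jatana describes concrete, here is an added example, not the panel’s or the bank’s code: a login check that requires both a password and a time-based one-time code (RFC 6238 TOTP, the scheme authenticator apps implement), so that a password stolen by phishing or reuse does not get in on its own. The user record, salt and password are constructed; the TOTP key is the RFC 6238 test key so the codes can be checked against the RFC’s published vectors.

```python
"""Added example (not the panel's or the bank's code): a login that requires
both a password and an RFC 6238 time-based one-time code, so a stolen
password alone is not enough.  The user record, salt and password are
constructed; the TOTP key is the RFC 6238 test key."""
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then
    dynamic truncation to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with counter = Unix time // step."""
    return hotp(secret, at // step, digits)


def match_totp(secret, code, at, step=30, window=1):
    """Return the counter whose code matches, or None.  +/- `window` steps
    of tolerance absorbs clock drift between the server and the phone."""
    if not (code.isascii() and code.isdigit()):
        return None
    for drift in range(-window, window + 1):
        counter = at // step + drift
        if hmac.compare_digest(hotp(secret, counter), code):
            return counter
    return None


def hash_password(password, salt):
    """Salted, slow password hash (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


# Constructed user record; a real one lives in the identity provider.
USER = {
    "username": "jdoe",
    "salt": bytes.fromhex("1f9e2c7a4b3d5e6f0011223344556677"),
    "totp_secret": b"12345678901234567890",   # RFC 6238 test key (ASCII)
    "used_counters": set(),                   # each code is single-use
}
USER["password_hash"] = hash_password("Correct-Horse-Battery-Staple", USER["salt"])


def login(user, password, code, at=None):
    """Both factors must pass, and a code already consumed is rejected so a
    phished or shoulder-surfed code cannot be replayed."""
    at = int(time.time()) if at is None else at
    password_ok = hmac.compare_digest(
        hash_password(password, user["salt"]), user["password_hash"])
    counter = match_totp(user["totp_secret"], code, at)
    if not password_ok or counter is None or counter in user["used_counters"]:
        return False
    user["used_counters"].add(counter)   # only record use once both factors pass
    return True


if __name__ == "__main__":
    now = int(time.time())
    code = totp(USER["totp_secret"], now)
    print("current code:", code)
    print("login:", login(USER, "Correct-Horse-Battery-Staple", code, now))
    print("replay:", login(USER, "Correct-Horse-Battery-Staple", code, now))
```

Two details matter in practice. The counter is only marked as used after both factors pass, so an attacker who knows neither cannot burn the legitimate user’s current code by guessing; and the comparison uses `hmac.compare_digest` rather than `==`, so response timing does not leak how many digits matched. Real-time phishing kits relay a TOTP code within its thirty-second window, which is why hardware keys that bind the second factor to the site’s origin are stronger still; this example shows the baseline the panel is asking for.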
As far as remote work in the future, Williams said it’s not going away, and businesses need to be ready. “Organizations need to understand that this is the future, and they need to institute these types of policies. [They need to] have them in place to help ensure that confidentiality, integrity and accessibility remain,” he said.
Jatana stressed the importance of, not just making the necessary data available to employees, but ensuring it’s protected first. “Make sure the controls you have in place are up-to-date and you have some insurance over the identities,” he said. “Then you’re going to be in a much better spot in a remote workplace environment.”
Best Practice
For businesses looking to protect themselves in an ever-increasing digital world, there are some general best practices they should adhere to.
“Understand that cybersecurity is, again, about risk management,” said Williams. “From the executive level, you have to be the culture center. An organization takes on the personality of its leader; if you don’t care about cybersecurity, no one in your organization will care about cybersecurity.”
“Think through it logically,” said Jatana. “How are you informed about cyber risk? It’s important for you to, not only be informed, but to govern it effectively within the organization.”
He added that third parties can increase, or decrease, a business’ security. Any organization with access to a company’s data puts that company at risk. “You can do all the right things but, as soon as you rely on a third-party, you’re only as good as their security.”
Finally, he concluded that incident response is vital. “You can’t just make an incident response plan and assume it’s going to work,” he said. “You’ve got to put it into practice. If you aren’t seeing incidents, then you are not looking hard enough from your cybersecurity team’s perspective.”
Erickson added that it’s something all businesses, regardless of size, should be taking seriously. “I used to do panels and I thought it was important to be light and joke around to connect with people,” he said. “I have now sat across the table of too many CEOs and presidents that are at their wits-end because their businesses are being drained by these security incidents. It’s not funny anymore.”
He advises taking cybersecurity seriously, implementing preventative measures and getting a second opinion. “If you think you have it down, great, but get an opinion,” Erickson said. “Talk to a security professional. Talk to someone who understands what risk is and they can help you put in the preventative measures, so you don’t end up being another victim. There are hundreds of thousands of them out there and you don’t want to be another one. You don’t have the time. You want to run your business not have to deal with these kinds of things so, take it seriously.”