By Harrell Kerkhoff,
Maintenance Sales News Editor
Cybersecurity is the act of protecting networks, devices and data from unauthorized access or criminal use. It’s also the practice of ensuring confidentiality, integrity and availability of information, according to the Cybersecurity & Infrastructure Security Agency (CISA), part of the U.S. Department of Homeland Security.
There are many risks today to people and companies alike. Among the dangers are malware erasing information, an attacker altering files and/or the dreaded ransomware threat. The latter is when an online thief threatens to hold critical data, or permanently blocks access to that data, unless a ransom is paid.
National headlines of major companies victimized by cyber attacks are all too common. The threat is also real for smaller companies as well as individuals — and that threat grows with each passing day, according to Tom Kirkham, founder and CEO of IronTech Security (www.irontechsecurity.com).
In a recent presentation titled, “Five Steps To Protect Your Firm From Catastrophic Cyber Attacks,” Kirkham reported the following unsettling statistics:
• 60 percent of small businesses that are victims of a cyber attack go out of business within six months, according to Cybersecurity Ventures;
• Small businesses spend an average of $955,429 to restore normal activities in the wake of successful attacks, according to SecurityIntelligence.
“Hoping is not a strategy. A cyber breach can cost a company four to five times the cost of prevention,” Kirkham said.
He shared the following common myths surrounding cybersecurity:
• Myth — Your business is too small. Why would anybody want to attack you?
“There is no such thing as ‘too small.’ You might assume that no hacker would be interested in your company. The simple truth is, the majority of cyber attacks — especially ransomware — are part of an automated process, sent out in volume. A company’s size does not matter,” Kirkham said. “(Hacking) is a serious industry. Tens of thousands of people, from all over the world, work as professional criminal hackers. They are vertically specialized, and other criminals help them.
“The point is, there is no such thing as ‘too small.’ There is also no such thing as ‘being located in the middle of nowhere.’ It doesn’t matter what business you are in. If your company is on a specific list, it could receive a phishing email and potentially become a victim. Everybody hears about the big companies getting hacked, but the majority of attacks are directed at small and medium-size businesses as well as individuals using home computers. Hackers don’t care who you are, all they are interested in is making a conversion.”
• Myth — You can’t afford enterprise-grade security.
According to Kirkham, enterprise-grade security is the same type of cyber protection used by U.S. federal agencies and Fortune 10 companies. The security involves best-of-breed policies, procedures and technical controls.
“It’s security that should be looked at today as being part of the cost of doing business,” Kirkham said. “It’s no different than having insurance — and it’s affordable.”
• Myth — Antivirus software is good enough.
Kirkham cautioned companies that rely on purchasing antivirus software in a store to protect their businesses from cyber attacks. In his words, “Antivirus (programs) are not good enough. What is good enough is a different class of products.”
• Myth — Cybersecurity insurance takes care of all problems.
“It’s great to have cybersecurity insurance, but don’t stop there,” Kirkham said. “Like all insurance, it’s the last thing you want to rely on to make your company whole again. For instance, a lot of (cybersecurity) policies don’t pay for loss of productivity.”
• Myth — A company that survives one ransomware attack is safe from being attacked again.
“If you get hit once, chances are you will get hit again. Your company has been marked by criminals,” Kirkham said. “It’s important to change your defensive strategies in order to avoid the same vulnerabilities.”
Most importantly, other malicious items, such as “back door” and “keylogger” devices, could be left behind after an attack. Such devices further compromise a company’s cybersecurity. That is why it’s important companies have their computer networks thoroughly examined by Information Security (InfoSec) professionals, to make sure future problems don’t come up.
“Every new client of (IronTech Security) that previously experienced a successful ransomware attack has discovered (other malicious items) leftover from that attack,” Kirkham said. “Sometimes (those items) will be dormant for months, if not years. Regardless, it’s critical to get the network immediately checked out after the initial attack.”
• Myth — Cybersecurity is an IT issue.
There is a big difference between Information Security (InfoSec) and Information Technology (IT), according to Kirkham.
“It’s been my experience that roughly 90 percent of people who work in IT don’t have the skill set and experience to properly put into place enterprise best-of-breed cybersecurity defenses,” Kirkham said. “A company’s investment in IT involves an operational managerial decision. IT positively affects the bottom line each day. That is why companies invest in IT, to increase productivity and efficiency, while lowering production costs.
“InfoSec, on the other hand, is all about security. That is its only job. It doesn’t positively impact the PNL (profit and loss) every day. It’s in the same category as a company’s electricity bill and insurance expenses.”
Kirkham added a strategic leadership decision must take place to properly protect a company from loss of funds and/or productivity, brought about by a cyber attack.
“If companies manage their cybersecurity unprofessionally, they will get hacked professionally,” he said. “The majority of today’s hackers are criminals.”
5 BEST PRACTICES
In June 2021, a letter from The White House written by Anne Neuberger, deputy assistant to the President and deputy national security advisor for cyber and emerging technology, was sent to many U.S. corporate executives and business leaders. The subject was: “What we urge you to do to protect against the threat of ransomware.”
Among Neuberger’s recommendations, highlighted by Kirkham, are the following “Five Best Practices.”
1.) Deploy EDR (Endpoint Detection and Response).
“Remember to replace your antivirus software with an EDR,” Kirkham said.
EDR refers to cybersecurity technology that monitors an “endpoint” — such as a mobile phone, laptop or desktop — to detect and mitigate malicious cyber threats.
“If you buy (an antivirus) program ‘off the shelf,’ it is not ‘best-of-breed.’ It probably uses virus signature files to see if anything running on a computer is a virus. That is 40-year-old technology. The game has changed. There are offensive military-grade cyber weapons being used against us from all over the world, each and every single day. It’s important to have something stronger for defense. That is an EDR,” Kirkham said. “EDR uses AI (artificial intelligence). It learns and knows, in real time, what is happening with your computer. It learns new story lines. It uses neural nets (computing systems), which involve computer and user behavior, allowing (an EDR) to predict, attack and stop a threat. That is different technology than virus signature detection systems, which I feel are inadequate.”
He added that a good EDR includes an intrusion detection system and also functions as an intrusion protection system.
“An EDR requires skilled experts to install, configure, monitor and respond. It’s more complicated than an antivirus system,” Kirkham said. “It goes back to the importance of working with a skilled cybersecurity team.
“According to Neuberger, it’s important companies have an EDR to hunt for malicious activity on a network and then block that activity. That is what EDRs do. They receive, kill and mitigate a threat within milliseconds, while alerting an InfoSec team to investigate and examine the network for other malicious things. You have to have an EDR. In fact, (IronTech Security) will not accept a new client that does not have an EDR on its network.”
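The contrast Kirkham draws between signature files and behaviour-based detection, shown as an added example that is not code from the article, IronTech Security or any EDR vendor. The endpoint events, file paths, hashes and thresholds below are constructed for illustration: a signature lookup only matches a hash already on a blocklist, while a behavioural rule flags a process that rewrites and renames many user files inside a short window, whatever its hash, and hands the result to a response step.

```python
"""Signature lookup versus behavioural detection over a constructed stream of
endpoint events.  Added example; all records, hashes and thresholds are made up."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Event:
    ts: float       # seconds since boot (constructed)
    pid: int
    image: str      # executable that performed the action
    sha256: str     # hash of that executable (constructed placeholder values)
    action: str     # "file_write" or "file_rename"
    target: str     # file path affected


# Antivirus-style check: the executable's hash must already be on a blocklist.
KNOWN_BAD_HASHES = {"sha256-placeholder-of-a-sample-seen-last-year"}  # constructed


def signature_verdict(ev: Event) -> bool:
    """True only if the executable's hash is already known to be malicious."""
    return ev.sha256 in KNOWN_BAD_HASHES


# EDR-style check: judge what the process DOES, not what it is called or hashes to.
MASS_CHANGE_THRESHOLD = 20   # distinct files touched ...
WINDOW_SECONDS = 10.0        # ... within this many seconds by one process


def behaviour_alerts(events):
    """Return {pid: reason} for processes whose activity looks like mass file
    tampering: many distinct files written and renamed inside a short window."""
    by_pid = defaultdict(list)
    for ev in events:
        if ev.action in ("file_write", "file_rename"):
            by_pid[ev.pid].append(ev)
    alerts = {}
    for pid, evs in by_pid.items():
        evs.sort(key=lambda e: e.ts)
        j = 0  # left edge of the sliding time window
        for i, ev in enumerate(evs):
            while evs[j].ts < ev.ts - WINDOW_SECONDS:
                j += 1
            window = evs[j:i + 1]
            touched = {e.target for e in window}
            renamed = sum(1 for e in window if e.action == "file_rename")
            if len(touched) >= MASS_CHANGE_THRESHOLD and renamed > 0:
                alerts[pid] = (f"{len(touched)} distinct files changed, {renamed} renamed, "
                               f"within {WINDOW_SECONDS:.0f}s by {ev.image}")
                break
    return alerts


def respond(alerts, events):
    """Turn alerts into response actions: stop the process, isolate the host,
    and open a ticket so the InfoSec team investigates for anything left behind."""
    images = {ev.pid: ev.image for ev in events}
    return [{"pid": pid, "image": images[pid], "reason": reason,
             "actions": ["terminate_process", "isolate_host", "notify_infosec_team"]}
            for pid, reason in alerts.items()]


def constructed_events():
    """Sample telemetry (constructed): a benign word processor saving three
    documents over a minute, and an unknown binary rewriting and renaming
    25 spreadsheets in under three seconds."""
    evs = []
    for k in range(3):
        evs.append(Event(10.0 + 20 * k, 4242, r"C:\Program Files\Writer\writer.exe",
                         "hash-of-writer-1.0", "file_write",
                         rf"C:\Users\pat\Documents\report{k}.docx"))
    for k in range(25):
        path = rf"C:\Users\pat\Documents\invoice{k}.xlsx"
        for offset, action, target in ((0.0, "file_write", path),
                                       (0.05, "file_rename", path + ".locked")):
            evs.append(Event(100.0 + 0.1 * k + offset, 9001,
                             r"C:\Users\pat\AppData\Local\Temp\updater.exe",
                             "hash-never-seen-before", action, target))
    return evs


if __name__ == "__main__":
    events = constructed_events()
    print("signature hits:", [e.pid for e in events if signature_verdict(e)])
    print("behaviour alerts:", behaviour_alerts(events))
    print("response:", respond(behaviour_alerts(events), events))
```

The signature check returns nothing for the unknown binary, while the sliding-window rule raises a single alert for it and leaves the word processor alone; the response step is where a real EDR would kill the process and page the monitoring team.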
2.) Use MFA (Multi-Factor Authentication).
MFA is an authentication method that requires a user to provide two or more verification factors to gain access to a resource, such as a website, application and/or account. MFA is a core component of a strong Identity and Access Management (IAM) policy. MFAs provide a second verification method, and can often be turned on through a security setting.
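A second factor is only as good as the way it is checked, so here is an added example (not code from the article or IronTech Security) of a login that requires both a password and a time-based one-time code from an authenticator app, computed per RFC 6238. The user record, salt and password are constructed; the TOTP seed is the RFC 6238 test key, so the codes can be checked against that document's published vectors. Both factors are always evaluated, a small clock-drift window is tolerated, and a code that already authenticated once is refused.

```python
"""Password plus TOTP login check (RFC 6238).  Added example; the user
record, salt and password are constructed for illustration."""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

PBKDF2_ROUNDS = 200_000
TOTP_STEP = 30          # seconds per code, as authenticator apps use
TOTP_DIGITS = 6


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


SALT = b"constructed-demo-salt"   # real systems use a random per-user salt
USERS = {
    "alice": {
        "pw_hash": hash_password("correct horse battery staple", SALT),
        # Base32 seed as shown when enrolling an authenticator app; this one is
        # the RFC 6238 test key so the codes match the RFC's published vectors.
        "totp_seed": base64.b32encode(b"12345678901234567890").decode(),
        "used_steps": set(),   # replay protection: each time step is accepted once
    }
}


def totp(seed_b32: str, at: int) -> str:
    """One-time code for time `at` (seconds): HMAC-SHA1 over the step counter,
    dynamic truncation, then the last TOTP_DIGITS decimal digits."""
    key = base64.b32decode(seed_b32, casefold=True)
    counter = struct.pack(">Q", at // TOTP_STEP)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** TOTP_DIGITS).zfill(TOTP_DIGITS)


def login(username: str, password: str, code: str, now: Optional[int] = None) -> bool:
    """True only if the password AND a fresh, unused one-time code both verify."""
    now = int(time.time()) if now is None else now
    user = USERS.get(username)
    if user is None:
        hash_password(password, SALT)   # same cost as a real user, no username leak
        return False
    pw_ok = hmac.compare_digest(user["pw_hash"], hash_password(password, SALT))
    step_now = now // TOTP_STEP
    matched_step = None
    # Accept the current step and one on either side to tolerate clock drift.
    for delta in (-1, 0, 1):
        step = step_now + delta
        if hmac.compare_digest(totp(user["totp_seed"], step * TOTP_STEP), code):
            matched_step = step
    code_ok = matched_step is not None and matched_step not in user["used_steps"]
    if pw_ok and code_ok:
        user["used_steps"].add(matched_step)
        return True
    return False


if __name__ == "__main__":
    # Authenticator-app side for the demo: compute today's code from the seed.
    code_now = totp(USERS["alice"]["totp_seed"], int(time.time()))
    print("login with both factors:", login("alice", "correct horse battery staple", code_now))
    print("same code replayed:    ", login("alice", "correct horse battery staple", code_now))
    print("right code, wrong pass:", login("alice", "guess", code_now))
```

Turning MFA on in a product's security settings does this checking for you; the example shows why the code alone is not enough and why a correct code must not be reusable.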
“Neuberger stressed in her letter that companies should turn on MFAs wherever possible, especially for remote access,” Kirkham said.
He also warned against the use of personal/home computers to conduct company business, such as via remote access.
“Once you connect your personal computer to gain access to company work, it becomes part of your company’s network. Does your personal computer have the right protection? Probably not,” Kirkham said. “Only use company-owned equipment when working.”
3.) Use disk storage encryption.
Disk encryption is a technology that protects information by converting it into unreadable code, making it hard for hackers to decipher.
According to Kirkham, it’s important servers, desktops and portable devices — including phones, laptops and tablets — are encrypted.
“One reason to use disk encryption is to protect your company after a server or computer is replaced. The same is true if a phone or laptop gets stolen,” he said. “Often, all a criminal has to do is pull a disk drive out of a server, desktop or laptop, and connect it to a USB port. That is one way data is harvested and sold for profit.
“The best part of disk encryption is you don’t need an InfoSec specialist to turn it on. It’s built into many operating systems, and has been for decades. Basically, if data is stolen, with encryption, that data is unusable.”
Kirkham added there is a large market comprised of people seeking used electronics so they can mine for data.
“If you responsibly recycle your servers, computers and other devices, make sure a firm is used that documents those items have properly been destroyed. They must also have the right equipment to accomplish such a task,” he said. “The firm will send you a certified copy showing the serial number, make and model of the equipment that was destroyed. Not all recycling firms will take such steps.”
4.) Use continuous defense improvements.
The cybersecurity threat landscape changes every day, in some form or another.
“You have to respond and adjust defenses as needed. Sometimes it’s as simple as installing software updates as soon as they become available,” Kirkham said. “Don’t wait to make those updates.”
He added there are a variety of resources that provide a plethora of information on how to keep safe from cybersecurity threats. They include Dark Reading (darkreading.com), Krebs on Security (krebsonsecurity.com), and Kirkham’s own company, IronTech Security (www.irontechsecurity.com).
Federal agencies, such as the CISA and FBI, also have many resources that are available to the public.
5.) Use a skilled security team.
According to Kirkham, Neuberger’s letter from The White House stressed the importance of companies implementing 24/7 monitoring, investigation and response capabilities to counter cyber threats. He said such work should be properly orchestrated.
Kirkham recommended companies work with a Managed Security Service Provider (MSSP) to alleviate such problems as malware and customer data breaches.
“MSSPs have their own teams, own command centers and are constantly monitoring. What most people don’t realize is MSSPs are also backed by other security operation centers, staffed with InfoSec professionals,” Kirkham said. “MSSPs are literally backed by hundreds of experts, from around the world, to analyze threats and investigate anomalies.”
Other cybersecurity steps businesses can take include using password managers and properly securing and managing their websites.
“The learning curve (using a password manager program) can be a little difficult. It may take a week or so to get used to one, but it’s well worth it in the long run,” Kirkham said. “In about a month, you will say, ‘I don’t know how I ever lived without one.’
“Also, don’t forget about your website. There has been a tendency, over the years, for companies to go on the cheap when it comes to website hosting services. Unfortunately, many websites today are not properly updated and professionally managed to protect against downtime or denial-of-service attack. I highly recommend using a professionally-managed secure website hosting service.”