By Diane M. Calabrese / Published March 2020
How much is being spent on cybersecurity? A lot. In 2019 companies spent between five and eight percent of their technology budget, according to Gartner Inc. There’s quite a bit of variation among industries, though, with manufacturers spending half the average and financial sector entities nearly two times the average.
Look in any direction to verify that the money is well spent—Hackensack Meridian Health, a large hospital system in New Jersey, suffered a ransomware attack on December 2, 2019. Two weeks after the attack, the health-care provider was still in recovery mode.
Investment in cybersecurity aims to thwart attacks before recovery becomes the only option. The National Institute of Standards and Technology (NIST) at the U.S. Department of Commerce identifies five components to a cybersecurity framework: identify, protect, detect, respond, and recover. NIST is an excellent resource on how to implement cybersecurity plans. (See www.nist.gov/cyberframework.)
Identifying threats in order to protect against them is a universal goal as well as a task that gets attention from the highest levels of government, including the U.S. Department of Homeland Security. Yet even as the federal government endeavors to ensure the integrity of components used in computers and all inter-connected electronic devices, individual users and businesses bear great responsibility.
The best gates and locks don’t work if they are left open. Lapses in vigilance (e.g., skipped logout, shared password) invite trouble in the virtual world.
The more access to a system, the greater the risk. Banks and financial services companies not only have more clients accessing the system, but also generally attract more nefarious activity because of the vital information—and in some cases, funds—that can be extracted by an intruder.
Every digitally connected device offers a potential path for a would-be thief or ransom-seeker. (The very algorithms that monitor keystrokes of users to authenticate the individual typing a password or credit card number can be modified and used to steal sensitive information.)
To gain a better idea of what members of our industry do for identification and protection, we turn to a few for advice.
Put a good foundation in place, right from the start. “Make sure you have a good IT company that has installed your system and will monitor your services with great antivirus software,” says Greg Sprunk, president of Superior Cleaning Equipment Inc. in Phoenix, AZ.
The complement to the defensive monitoring is a well-trained team. Education of employees is “always” a significant piece of the protection component, says Sprunk.
A member of the team who opens a phishing email can introduce malware or worse. There are many vendors that offer anti-malware products. “Trend Micro has done very well for us,” says Sprunk.
Of course, opening a malicious email or clicking on a counterfeit link are only two of many ways criminals compromise computers and networks. Routers now provide the entryway for many offenders. Large internet service providers offer protection—usually for an additional fee—at their router.
Sprunk explains that he knows several who have been victims of a cyberattack, “but only when the employees opened up an email with an attachment.”
Unfortunately, it is possible to open an attachment from a trusted source and still encounter a problem. Cybersecurity depends on everyone having protocols in place and then following them. Nothing weakens a cybersecurity system more than an unfortified or semi-fortified system.
What’s a semi-fortified system? An example is one in which an employee gets a warning (e.g., “be sure you know the source before opening”) and then proceeds to ignore the warning and open the email. A fortified system would not permit a suspicious email to be opened at an employee’s discretion.
When a computer or system hums along, it’s easy to grow complacent and forget to check on updates, clean files, and so on. The laissez-faire approach invites treachery.
“Always be aware,” says Ricky Zolen, the IT manager at A. R. North America Inc. in Fridley, MN. “Make certain you have rules in place to protect the system.”
Products and firewalls designed to prevent trouble must be up to date and in place.
Zolen emphasizes the need to think before clicking. “Make certain that people are aware—not just to click a link if they don’t know what it contains and who it is from,” she says.
Links may look genuine, and the ability thieves have to make them look so is staggering. If there is any doubt about a genuine link to a subject or site of interest, use a search engine to search the terms and independently find a link to use.
Passwords merit protection. “Don’t write your passwords down for anyone to see,” says Zolen.
With the proliferation of passwords, keeping track of them gets cumbersome. Most cybersecurity programs offer some sort of password vault, but a vault can be penetrated, too, by ardent hackers; then, not just one but many passwords may be retrieved. Fingerprint readers offer more, but not total, protection, and they may add problems, such as misreads on certain individuals—locking out a bona fide user.
Each business will identify an anti-malware product that works best in its environment. “We have had great success with Symantec Endpoint Protection company-wide,” says Zolen. “If needed for computers that are more susceptible to possible attacks, we run Malwarebytes.”
Protection offered to routers as an additional service from internet providers must never stand alone. “As a business, we need to protect the company with inside protection and setting things up internally,” says Zolen.
Once everything is set up for maximum protection of all things connected to and in the cyber world, a company must look toward the whole framework for security. That includes detect, respond, and recover.
As fast as detection and response may be, some data may still be lost or programs corrupted. Zolen says her best advice is “to make certain that you have backups” of everything.
Zolen explains that one factor members of our industry must weigh carefully when putting a cybersecurity plan in place concerns outsourcing IT support: Is it to be recommended? “I would recommend that it may be a good idea to get a company to assist if you do not have the staffing for a full-time IT staff,” she says. “It is good to have a company that keeps up to date with everything going on.”
How much backup is sufficient? It depends upon what happens. (Hospitals under attack have had to retrieve and revert to paper records.)
“Aside from having strong security in front of, inside, and behind your network, make backups, and back up your backups both on and off site,” says Brenda Purswell, president of Alklean Industries Inc. in Pasadena, TX.
Education of employees is “tremendously important” because “email is the number one way that viruses, malware, phish-scams, ransomware, and all other threats enter your network,” says Purswell. “Internal cybersecurity only works to protect your network from these things spreading, using intrusion detection, etc.”
Internet bait used by lawbreakers looks authentic and often entices, too. “That’s why it’s so important to implement some training to help teach employees how to know the difference between real and fake emails and about not opening attachments or clicking on links from any unconfirmed email,” says Purswell. “When in doubt, they should have a designated person they can forward the questionable email to, to confirm it as legitimate or not.”
In the anti-malware products category, choices abound. “There are many good ones,” says Purswell. “Trend Micro Worry-Free Business Security works very well. However, regardless of what anti-malware you use, it must be set up correctly by a cybersecurity professional who understands your business.”
Take cybersecurity seriously. Recovery is costly in time as well as money, and it is not a pleasant experience.
Purswell explains her company was the victim of a ransomware attack. “The ransomware got into our system from a legitimate website we were on and corrupted many of our files. We reported it to the FBI, and they told us to just pay the ransom and get the key—that did not work out very well. Our IT firm paid the ransom to get the key to unlock our files, but they never gave us the key.”
Thwarting attacks is important, but 100 percent prevention is (for now) in the realm of impossibility. “According to our IT professional, ransomware caused a global damage of $11.5 billion in 2019 alone,” says Purswell. “When these types of threats first emerged, they were difficult to prevent. The biggest defense is backups. Redundant backups, on-site and offsite, and network invisible backups.”
There is good news. “Today, these things have been happening long enough that certain software and smart configurations will combat them or stop them from continuing to encrypt once they start,” says Purswell.
At the same time, however, new vulnerabilities will appear. For example, using Office 365 does not mean businesses are protected, says Purswell.
“Office 365 has some security in place, mostly to protect Microsoft’s servers,” explains Purswell. “A compliant cybersecurity plan should see email running through a cloud-based security appliance prior to being forwarded on to Microsoft.”