EtherMon CEO Brandon Reeves says the exercise, which was authorized by the company, was a stark example of why businesses should develop robust cybersecurity programs as more devices become connected to the internet. He says that while the growth of connected devices and data can create business opportunities, it also presents vulnerabilities that many companies overlook until it’s too late. “That means that somebody can take advantage of it and use it for good or to harm you in some way — and we see that a lot,” Reeves says.
Reeves and David DeArmond, owner of business productivity and IT services firm Strix Louisiana, spoke about cybersecurity at a recent Tech Park Academy workshop at the Louisiana Technology Park. The two cybersecurity experts led a discussion of emerging cyber-risks for businesses and how companies can ensure they are protected.
The company with the vulnerable excavators is hardly unique. Reeves says his firm has a 97 percent success rate of gaining administrative access when conducting authorized penetration testing for large organizations.
“That means that we can control their systems from our office, our couch, Starbucks or anywhere else, and theoretically lock them out and take over their systems simply because there’s some lax technology or implementation,” he says. “It’s usually because somebody did some shortcut somewhere. Most technology is so hardened today that you shouldn’t be able to do this, but we see it time and time again.”
Reeves says that while companies tend to focus on their own employees and systems, third-party technology providers, such as Wi-Fi access points and internet-connected televisions, can present security threats that are frequently overlooked. “All of those things in some capacity pose some level of risk,” he says. “And what most people don’t realize is it’s their responsibility as a business to manage that risk.”
New Opportunities, New Threats
So what are the top security threats at the moment? DeArmond says ransomware and challenges surrounding “bring your own device” policies that let employees use their personal smartphones and other devices for work are the top security issues he sees at most companies.
Ransomware, a type of malicious software that threatens to publish the victim’s data or perpetually block access to it unless a ransom is paid, has garnered international attention as large-scale attacks have crippled organizations across the world. “If your data is inaccessible and you lose your data, in most cases you’re out of business,” DeArmond says.
In addition to temporarily crippling a company’s operations, data breaches can be expensive. The current estimate of the average cost for each lost or stolen record containing sensitive and confidential information is more than $220. The average organizational cost of these breaches was just over $7 million, although long-term consequences can extend beyond the financial realm. “You can get revenue back,” Reeves says. “You can’t always rebuild reputation as quickly.”
Build Multiple Layers of Security
Reeves says strong passwords aren’t nearly enough to prevent these types of data breaches or other negative events. Businesses must have multiple layers of security for any protections to be effective and reduce the probability of something going wrong.
He suggests developing a plan that employs a combination of people, process and technology: First you educate people, then you develop an effective and repeatable security process and install technology to support those processes. “A well-educated person that understands how to protect your environment is going to help you more than most technology,” Reeves says. “Educating people on what they should be doing is an amazing deterrent to bad things happening.”
DeArmond agrees that people are the first line of defense for cybersecurity, with more than 90 percent of attacks coming through employees. “You have to educate yourself and your employees on how to avoid those things,” he says. “If the employee knows what a phishing scheme looks like you can avoid most of those attacks.”
Don’t Forget to Back It All Up
But that doesn’t mean you don’t need to have technology in place to protect your data. In addition to more robust security technology that can vary according to an organization’s needs, DeArmond says he generally recommends companies back up their data to an offsite facility every 30 minutes.
He also says even the smallest companies should boost the security of computers purchased off the shelf by removing pre-installed “bloatware” and enabling or installing a basic antivirus program, and should make sure all devices are patched on a regular basis.
“You don’t have to spend a lot of money to put up some basic protections,” he says.
Tech Park Academy is the Louisiana Technology Park’s skill-based workshop series designed to provide entrepreneurs with the training and resources required to move their businesses forward and to address the critical business and organizational issues they face daily. The next event will take place in early September.