The Business Journal conducted the roundtable on cybersecurity Nov. 14 at the Courtyard by Marriott in Canfield. Participants were Michael Edwards, director of IT at Tele-Solutions; David Daichendt, vice president of operations at Micro Doctor; Mercy Komar, commercial lines manager with L. Calvin Jones & Co.; Ralph Blanco, CEO of ECMSI; and Robert Merva, owner of Avrem Technologies.
Please introduce yourself and your company and tell us what was the most recent cybersecurity breach or problem that you or your firm encountered and how you handled it.
MICHAEL EDWARDS, IT director, Tele-Solutions: Tele-Solutions is a telecommunication company that started in the 1980s and went into the MSP [managed service provider] portion of the business in 2016.
This year I worked with a company that was a victim of wire fraud committed. They received an email. They thought it was legitimate. It instructed the company to wire money to this account instead of this one, and they had wired the money. And when we had worked with the FBI, we were able to determine that it was overseas and there was nothing they could do about it. They lost $50,000.
Something as innocent as an email can prove very expensive.
DAVID DAICHENDT, VP of operations, Micro Doctor: Micro Doctor has been around since 1989. I’ve been with the company 20 years. We are a managed services provider and data services cloud provider. We offer cloud servers, virtual workstations, VoIP systems from our Cleveland office, which is the data center.
The most recent incident we saw is a company that had a breach based on user activity – how almost all of them start. Fortunately we caught it in time to shut it down. Also fortunately, we had proper backup and disaster recovery in place so that we could go back before the breach and restore it from the data, the disaster recovery system, to get them so that there was no loss. They were up in a few hours.
How did the breach occur?
DAICHENDT, Micro Doctor: Somebody clicked on an email that they shouldn’t have, a link in an email they shouldn’t have, which enabled them to have something downloaded to their computer, which then started to crawl through the system trying to take over computers and was successful to getting to their server. These things happen very quickly. Luckily we caught it in time and some of the software that we use immediately started working on it before we, as Micro Doctor, even had an alert, which is very important these days.
Things happen so quickly. The old “I have antivirus” is no longer good enough. You have to have somebody actively looking for things and acting on them when they find them. Otherwise, you come in the next day and you have a message from some bad actor that you owe $50,000.
MERCY KOMAR, commercial lines manager, L. Calvin Jones: We’re an insurance agency. So, I’m at the opposite end of what these gentlemen do. I’ve been doing this for quite a few years and I got into the cyber end in 2017.
The most recent attacks – three – I have seen have all been invoice manipulations where the client is instructed to send money to a false banking system. So there have been losses of $100,000, $141,000 and 50-some thousand dollars. I usually get called in after it’s over to write the insurances because they didn’t have it.
RALPH BLANCO, CEO, Executive Computer Management Systems Inc.: We were established in 1999 and have three offices. Our main office is in downtown Struthers. We have a Champion office and we also have a Cleveland office. We’re a managed service provider, providing IT support and management for small to medium-sized businesses. And we co-manage for larger firms that have internal IT but don’t want to deal with the security aspects or don’t have the time to deal with the security aspects of IT.
The breaches we see are mostly email manipulation. You’ve been doing business with XYZ Co. for quite a few years and they get an email sent them that seems legit. Somebody has changed their account. They’re told, “I’m about to change banks.” They’re going back and forth with email.
A lot of the stuff we see is mostly educational, not necessarily always technical. It’s more about the end users and instructing them on how to handle certain situations. Unfortunately, we’re in an environment that you have to verify everything to see if it’s legitimate.
ROBERT MERVA, Owner, Avrem Technologies: We’re in Canfield and were started in 2007. We’ve got an office in Cleveland and an office in Columbus. We are a managed and co-managed IT provider for small and medium businesses.
I’m hesitant to even talk about this. We have never had a client with a security breach. I’m just a little superstitious. Everybody knock on wood.
I don’t want to downplay what that means. It certainly can happen to anyone.
Statistically, we’re beating the odds but we’ve never had a client with ransomware. We’ve never had a client with an email security issue. We’ve got some spam that comes through every now and then.
So, essentially it’s about employees. Is that right? It’s about employees being vigilant. They seem to be the prime culprits?
KOMAR, L. Calvin Jones: Right.
DAICHENDT: Depending on which study you cite, between 88% and 95% of breaches originate with human error.
MERVA, Avrem: Yes.
BLANCO, ECMSI: And through email.
And that happens because the email address is manipulated? What fools people the most?
DAICHENDT: There are a number of ways that it happens. It used to be easy [to catch them]. They used to have bad English in the emails and you could spot them right away. Now they’ve gotten to the point where an email will come from somebody in your organization. Or you think it’s coming from somebody in your organization.
Maybe they changed an L to an I in the last name and they’re basically spoofing that use. And it will be from somebody important in the company that says, “Would you buy these gift cards and distribute them to the employees but send them here and I’ll distribute them.” Things like that.
There are emails that look very interesting and legitimate that have a link that somebody will click on, not knowing any better.
BLANCO: It’s big money for them. They do their homework on the back end to make things look legitimate.
That’s why you’ve got to have the multilevel of the security tools to prevent users from even getting the [fraudulent] email. Because end users, unfortunately, will click on stuff that looks legitimate. It’s not their fault. It’s not like they’re intentionally trying to damage the company.
It goes back to the culture of an organization. It must educate the staff and not be afraid that when you click on something by accident, to put your hand up. It helps us as an IT provider to say, “I think I clicked on something that’s not legit because it took me somewhere” – instead of worrying, “I’m going to get in trouble because I clicked on this.” Nobody does it intentionally.
Education and being open and honest with your employees is vital. Just talk about IT and talk about security. Everybody’s in this. It’s not an IT thing. It’s a company thing. We’re all in this together.
MERVA: It’s about layers. You can’t have just one methodology to protect an entire company. It’s got to spread across different technologies and different platforms and different tools. That’s the most important.
KOMAR: Training of the employees is becoming critical. And in the insurance end, soon it’s going to start being a requirement that you must have your employees trained once a year.
All of these gentlemen here, I’m sure have companies that they have the training tapes available. It’s just something that has to be done. And even if you train somebody, people still make mistakes.
Unfortunately, it’s becoming a growth industry where employees themselves are contributing by being paid on the outside. We’re starting to see that now, where the employees are running renegade and damaging their employers.
You’ve seen that locally?
KOMAR: We have.
Please elaborate. You needn’t provide names.
KOMAR: In working with some of the law firms, we’ve seen where an employee gets angry. They don’t get the raise they want. They don’t get what they think they deserve. You can be contacted very easily off the dark web by people who literally have advertisements out there saying, “I’m looking for somebody within such and such a corporation that can give me information.” And they pay for it.
BLANCO: That’s why it’s important to have layered security. Even as the owner, I don’t have administrative rights in my own network.
It’s important to have layered security. If I need to get into something, I log in as an administrator.
You can’t have employees with the ability to give out critical information that could damage the internals of the network.
Even us as an IT provider, we’re all responsible for our own staff. So we’re probably the biggest threat because if one of our staff goes rogue, that individual is in touch with a lot of companies.
We have tools in place that once they log into an environment, the password automatically changes. There are ways of controlling that.
You have to have good controls. Down the road regulations will come that will force companies into doing things a certain way.
So you’re saying there’s software that you can provide, or one of the protections you provide, that will know if somebody goes onto the dark web on a company computer?
BLANCO: Not necessarily the dark web. You could do that from your phone. It’s hard to stop crazy. If somebody’s mad, it doesn’t matter. It’s very difficult.
And that’s in the worldly sense, in the IT sense. You just have to have the tools to be able to lock somebody out. If you have an employee who went rogue or who you let go, you must have the controls to disable their account immediately.
We talk a lot about that with companies. When they get new employees, there’s an onboarding process. The more important part is when somebody leaves an organization, that there’s an offboarding process so that you can put in the proper controls to lock them out of the system.
MERVA: You can’t IT your way out of an HR problem. They go hand-in-hand. We consult with companies. Some are very good at the IT and we’re taking over a relatively clean environment.
That’s rare but nice to see. They are completely deficient, however, on the HR side.
And, as some of the tools that manage the employee side, HR management systems, start to integrate better with the technology systems – and we’re talking about almost a completely different thing here – that allows a lot of control and really good onboarding and offboarding.
I’ve got some colleagues, elsewhere, where in addition to mandating IT tools, they are starting to mandate HR solutions. Not only do you have to standardize on Microsoft Office 365 or some kind of Microsoft platform, you have to use this HR management solution as well if you want to remain a client.
So they’re mandating that they have an HR training process that —
MERVA: Not just training: an actual employee management system. They’re called human resources information systems or HRIS. Paycom is one. And these aren’t endorsements necessarily. BambooHR is another. It manages your employees.
When you integrate them into the payroll system and you onboard them, that goes hand-in-hand with the IT process behind it as well. Adding them to payroll automatically adds them to Office 365, which automatically adds them to their computer so that they can log in.
And then the reverse is also true. When you terminate them from the HR system, it cuts off access to all of these other systems as well. We’re starting to see that.
BLANCO: At the end of the day, you’ve got to take the human interaction out of the process. You’ve got to build a process that’s automated. Because once you let in the human interaction, then there’s 10 steps.
And then you get a new employee. Odds are they’re going to skip one or two of those steps and that’s where the security issues come in.
DAICHENDT: Internal bad actors aside, there are systems now – and one we use for our clients to help train their employees – whereby we set up a fake phishing attempt on everybody’s computer in that company and we see who bites. If somebody bites, we send that employee into group training. And we provide that training.
Even the people who don’t bite get other training we provide.
One example: We talk about the internal bad actors. We show a very entertaining film that tells you how a bad actor got into this company and worked his way through getting all this information for somebody who was paying him from the outside.
Training is key. There are a lot of applications that can provide it, and the key for us is to make it part of our base offering. This is the most significant part of breaches: employees.
MERVA: Culture is the most important starting point for this. We pitched user awareness training to a client one time and they pushed back on it, saying that, No. 1, they trust their employees. No. 2, they feel it’s wrong to trick them, which I thought was an interesting take.
The problem there wasn’t the approach or the technology. It was the culture of that company.
Smaller companies especially, the ones that we deal with, are more closely knit. Some are family-owned or they’ve known their employees for a very long time. Culturally, it would behoove all of our clients to move away from that mentality.
[Awareness training] is not about trust. It’s not about whether an employee is good or bad or problematic. It’s not punitive in any way. It’s just society. It’s where we are. These are necessary things that a business requires to function.So clients or companies would benefit greatly from the idea that this just is what it is: It’s something that they need to do. It’s not punitive.
DAICHENDT: it’s important to not make it punitive. Everybody makes mistakes and it’s important to identify those mistakes, correct the behaviors where those mistakes are made – and learn from the experience.
That brings us to remote workers logging in from anywhere. How can companies ensure that their systems are secure? That if somebody’s working remotely – say in the Philippines – how do they know their systems are secure?
DAICHENDT: We try to ensure that the client allows only corporate owned and maintained equipment to have remote access to their systems. That way they’re in control of what goes on inside that remote machine.
We make sure that there is some kind of VPN set up so it’s a secure connection between the two sites.
We make sure that all the maintenance is done and somebody’s 14-year-old son isn’t doing things on that computer that can compromise it.
It’s not always possible. Some companies either can’t afford or aren’t willing to do that. But that’s the goal. We really want all remote workers to work on company-owned and controlled equipment.
BLANCO: That’s a big one. That’s a requirement for us also. You can’t manage what you don’t control. So there’s that and there’s also security. There’s content filtering, monitoring where they’re going on the web. Two-factor authentication: You must be able to identify who’s logging into the system. And if it’s a company that’s not logging into your systems from overseas, then you put in U.S.-based IPs so that they can’t try to get in from somewhere they shouldn’t.
EDWARDS, Tele-Solutions: I can agree with everything that everybody is saying. A strong point in the security of an organization is its training. The preferred method is to roll out the training for cybersecurity right in the onboarding process with the employee. When they’re filling out their payroll information, the next thing they should be doing is taking a security awareness test so there can be a baseline established of where this employee is. Are they just going to click on something randomly? Or are they an employee who’s going to alert IT – “I’ve got a phishing attack.”
You want to get that training immediately and out of the way. With a lot of the remote solutions today, the VPN – virtual private network – is standard as far as connecting back to the office resources.
A connection from a VPN will create a tunnel from my location to your location. The information going back and forth between is encrypted inside of a tunnel. So it’s very hard to detect and completely encrypted inside.
Everything that we do today is encrypted. When you go into your bank, you use a private encrypted connection. When you visit SocialSecurity.com, that’s all encrypted. Your web browser is encrypted from your connection to the location and all the information that passes through is the only information that you can get.
And that same principle applies to remote connections from people logging in remotely. Either they’re logging in via VPN, going to a secure website and logging in and using the credentials and additional authentication.
It’s just plainly limiting access so one person doesn’t have direct access to everything when they log in, as well as encrypting the operating system. Have some kind of a cybersecurity policy for remote workers to where, if I’m in the Philippines today, I can’t log in from California 20 minutes later, to where there’s some kind of intelligence looking at that.
As for everything being secure, the best approach is [to treat it as if] it’s not secure. Everything you’re doing is at risk.
Keep those factors in mind. And after a period of time in training, you should be a lot better off than you would be without any training or as well as a protected connection.
[To Komar] What percentage of – and a guess or an estimate will suffice — of small businesses in our community, the Mahoning and Shenango Valleys, have sufficient cybersecurity insurance? Do they have it at all?
KOMAR: Twenty percent at the most. We have in this area what we call in the insurance business small- to medium-sized businesses, people who are under $100 million in sales. That’s my concentration.
I can tell you from statistics that I have seen that the worst are the professionals: the architects, the engineers, the accountants, the attorneys. At most, 50% have stand-alone coverage. It’s difficult to sell them coverage.
Obviously we’re competing with money from these gentlemen [on the panel] and their money should come first. I tell the clients, “You need to secure your assets before you insure them. Get it secure. Then it’s going to cost you less for me to insure it.”
And they’ll tell you how difficult that is to get people to do what you ask them to do.
Now the pricing: I’m going to say $1,500 [for] a million [dollars] for liability for a small business for a stand-alone policy, maybe $2,500 for $2 million. And it’s not unheard of to have clients with $10 million and $25 million values that they need to cover.
It’s very hard to get clients to step up until they’re forced to. And they’re starting to be forced. Even the banks are starting to force them. If you’re going to take out a loan, the bank wants to see the [cybersecurity] coverage.
I’ve had contractors who said, “We don’t need it. Nobody’s going to ransom us.” And you get a call two weeks later saying, “I need that coverage now.”
And you say, “Well, why do you need that coverage now?”
They say, “We signed a contract that said we needed it and we didn’t realize that. To get paid, we have to buy the coverage.”
So it’s getting forced on people now, too.
MERVA: I love insurance. It’s the single biggest driver of some of the changes that I’ve been talking about and we’ve all been talking about to our clients for a decade. And I’m trying to do Mercy a favor because we are now in the process of mandating that all of our clients have cyber insurance. We’re asking for that information as part of our onboarding process.
And we’re going back to all of our clients that we’ve had and asking, “Do you have coverage?” It’s a two-pronged approach for us. It’s, “Do you have this coverage? It’s important.” Also, we need to know who to call in the event that we detect something on a Saturday night. We don’t want to scramble to find that information in the middle of the heat of the moment.
So cyber insurance is going to play a larger role than it has. I’m suspecting that many family businesses may lack sufficient coverage because they don’t have many outsiders working for them or they’re small.
KOMAR: Yes, a lot of them don’t have [coverage]. They might have somebody who handles their network, that plugs in their computers for them. But what these gentlemen are talking about is much more advanced than that.
I can hire anybody out of college to plug my computers together on a network and put it on Microsoft. That’s easy. It’s all the security work that they have to do to prevent the claims from happening. These gentlemen do a wonderful job of that.
If people would just concentrate on getting that done, I can save them money on the insurance end because the security is correct.
These gentlemen fill out insurance applications. They fill them out every day for their clients because the clients don’t know how to answer the questions. Some of them are very simple questions. Some are warranted.
The form says, “You’re going to answer these five questions. If you lie or if you make a mistake, we cancel the insurance. You have no claim.” Every day these gentlemen get those and they have to say [the would-be insured] don’t have this. OK, now either it’s going to cost them more money or I can’t give them the insurance.
BLANCO: The biggest challenge is insurance. Over that last 10 years, I’ve seen [clients] that are insuring stuff that they know what they’re insuring. You insure a car; you know the value of the car. You get in an accident; they give you the value.
They have no idea of what tools, what responsibilities their company has [in terms of cybersecurity]. The [insurance company] gives them a flyer. The insurance companies are getting better at this.
Before, people would just say, “Yeah, we’re doing this.” Then, over the last 10 years, you’ve seen claims get paid and [the insured] were doing hardly anything. Now, if you say you’re doing this and you’re not, the insurance will deny the claim.
KOMAR: Yes.
BLANCO: In the long-term, at many companies, it would be smart for insurance companies to partner with MSPs or people doing third-party security for the customer. It would make sure these things are getting done because all these companies need IT. But nobody understands what IT should be doing within the organization.
So their focus is on growing their business, doing what’s right. They just want it to work. They don’t care how it works. They want it to work and they want to make sure that they’re protected. So that’s the challenge. You have somebody internally they designate as their IT person. …
Do companies have a secure environment? Most likely it’s not secure at all.
MERVA: We’re long past the point where your nephew can do this for you. That ended five to eight years ago. And one thing that Mercy [Komar] said that I want to go back to. She mentioned that companies don’t think that they have anything worth stealing or that they’re not a target.
KOMAR: Yes.
MERVA: That’s not how this works.
KOMAR: No, no.
MERVA: There are bad actors, threat actors looking at companies to breach or hack. They’re not targeting one specific company. Do those things happen? Yes, absolutely.
But in general, they’re scouring the internet looking for low-hanging fruit. They’ll find whatever they need to find. So, it’s not about whether you feel like you have something worth securing or worth stealing. Everyone’s a target.
KOMAR: Everybody’s a target who has a bank account, basically. That is what I tell clients.
Over the years the press has stressed ransoms because they’re the big money. That’s the big thing you see. Somebody paid a ransom of $4.6 million.
That normally doesn’t affect the people within our Valley. People here are not paying those sums. They’re getting hit every day in their bank accounts. And it’s very hard for a tool-and-die shop in Salem to withstand a $141,000 withdrawal from their checking account. It’s gone before they know about it.
These are the things I tell the clients. I say, “You could pay ransom but here’s the reality; this is what’s probably going to happen. Let’s take care of that and the ransom is going to come right along with it.”
So it’s changing our narrative as insurance agents as to what we’re stressing to the clients.
When you say it’s going to come through, to their bank account, what does that mean? A fake invoice?
KOMAR: There are so many ways. They can do the fake invoices. The ones that I’ve seen – I’ve seen two – almost the same amount of money. Someone has gotten into their system. Once in, they just look around. They scope it all out and get names and phone numbers and addresses. They look to see your accounts payable, your accounts receivable, who’s going to owe you money.
The most recent one I saw, obviously they saw there was going to be an invoice for $141,000 sent to a certain company. They spoofed an email and said, “Hi, it’s me. We had trouble with such and such bank. So we’re going to such and such bank in Wisconsin instead. They gave us a much better loan at a better interest rate. We’re going to switch to that bank. Here’s our new number and when you send us this month’s check for $141,000, send it to this bank instead.”
Somebody knows exactly how much you’re supposed to pay. You get that and you’re not checking. You do what they tell you. And the money is gone.
And now you’ve got two people, one that’s lost their money and one that’s not going to get their money because they have none to pay them with. That’s what’s happening in this area every single day.
BLANCO: That’s going back to what Robert said about the low-hanging fruit. If the criminals can get $10,000 from 10 companies very easily, that’s a lot easier work than going after one company for $100,000.
And again, we hear, “Our company is too small. Who’s going to go after us?” It’s not about that. They go after everybody. It doesn’t matter.
Unfortunately, the only press you see is about the big companies, the MGMs of the world, the Caesars that got breached.
I promise you, it’s all the smaller ones getting hit that don’t make the news.
They don’t make the news because they don’t file police reports.
BLANCO: Correct.
They don’t want to make the news.
BLANCO: Because a company is concerned about its reputation. They don’t want people to know.
If you call the police, the police have to call the FBI. Once the FBI knows, it’s going to be all over the news. And they know the FBI probably won’t get them.
I recall covering a story a few years ago. The only way we got it was they filed a police report and we had to track that down. It used to be in reporting that reporters would be at all the police stations to read what was filed the night before. That doesn’t happen today: not enough reporters.
BLANCO: It would be better for us – because then more people would be knocking on our door. Instead of us telling them what they need to do, they would know we need to do something. That would help us greatly.
KOMAR: The way that I have to sell the insurance is with the stories. I have to tell the clients: This is what happened in such and such a city. This is what happened here.
I can’t use names but I can give them basic ideas of how it worked. It happened last week in Niles. It happened last week in Warren. And then they start to pay attention.
Maybe they know somebody this has happened to. They’ve discussed it. I’ve seen personal losses of thousands of thousands of dollars in banking, not just with businesses. Gentlemen having money stolen out of their accounts, something like a Schwab account or as they were transferring money.
It’s not just businesses getting hit. It’s personal. Money is being stolen out of homes.
BLANCO: Going back to Mercy’s story: I’m willing to bet that they didn’t have two-factor [authentication] on their email and somebody was watching, logging in as them and watching the interactions they’re having between their emails.
When you get that email that says, “I changed my bank,” they already know how that person talks, how they talk to each other.
So they write an email. It’s not even a spoofed email.
We always say, especially bankers, it’s more of an educational thing. Always pick up the phone. I don’t care if you’ve been doing business with somebody for 20 years. If they send you an email that they want to change a number, pick up the phone and call them. Say, “I just got this email. Is this really you?”
That’s part of the educational process because technology is not going to fix that.
MERVA: Multifactor authentication is probably the single most important thing that you can do to protect your account. It probably protects 95% of the scenarios.
BLANCO: Especially in email.
MERVA: However, session token theft is a new and upcoming problem that is not solved. I’ll explain what it is. It’s not solved by multifactor authentication. That is a scenario where someone clicks on an email. It opens their web browser and it takes them to a website that steals all of the cookies and all of the saved information in that web browser, including the Office 365 session token, which is part of the security process when you log in and provide that two-factor code.
By stealing that information embedded into the browser and saved within, they no longer need that multifactor authentication code. They can just replicate your entire web browser session in their environment.
It’s technically complicated but it goes back to what we’re talking about with layers. Because for years I’ve been telling clients multifactor authentication is mandatory. It’s the way to go. It solves a lot of problems. Now, here we are with a new issue not solved by the thing that I’ve been talking about for the last many years.
It goes back to education, awareness, layers and having technologies in place to protect you against new and upcoming and changing environments.
So, the browser session that you have creates a little security token embedded in that. They steal that token, that cookie, those settings.
DAICHENDT: Basically, you are allowing a pre-authenticated person to confirm that what you’re trying to do is OK.
You’re trying to log into something. I would have had to preauthenticate myself as the person I am and what device I have a code on. And then whatever application asks me for that code, it’s coming from my cellphone, which is producing that code.
I type that code in. It’s not just logging into the software. It’s a third-party or device providing me the ability to authenticate into that software.
How do I install that in my company?
DAICHENDT: First, you hire somebody like us,
OK. How is it done?
DAICHENDT: Most software has the inherent capability to allow for multifactor authentication. Generally there’s going to be a code that shows up on a screen that you take the authentication app on your phone. You scan that code and it verifies that you’re you.
It’s very simple. And the simpler it has become, the better it is because people will do it. If you make it too complex, people won’t do it or they won’t follow it.
MERVA: I would make the point to say that companies, our clients, need to choose, to work with, vendors who build this technology inherently into their systems. Certain companies won’t invest in this kind of infrastructure. The two-factor authentication is getting easier but it’s only getting easier for the companies that allow it to be easy.
DAICHENDT: And one of the factors that has made that easier is insurance companies. Everybody wants to bash insurance companies. In the past few years, however, the questionnaires that insurance companies issue for cyber insurance are a very useful tool to use in talking to our clients.
Look at what the insurance companies are doing. There are five questions on this application about multifactor authentication and you’re not doing it at all? This is crazy. We’ll make the argument that sometime in the future your insurance company is going to require this, probably your bank as well, and your accounting firm and a bunch of other entities. So it’s time to get on the bandwagon.
And as Bob [Merva] said, nothing is foolproof. There are ways around everything. It’s an arms race.
Is it expensive for a small business to have multi-factor identification?
DAICHENDT: It really isn’t.
MERVA: No, it’s not expensive at all.
BLANCO: No, it’s not expensive.
What are we talking about?
DAICHENDT: A couple of bucks.
BLANCO: A few bucks a user. It depends on what you have.
MERVA: If you’re using the right technology, we are mandating that all of our clients use a certain Microsoft Office license type because that’s a best practice. If you’re using the proper software, it’s built in. It’s free. You just need to turn it on and check the boxes and configure it properly.
BLANCO: Two-factor has been around forever. The easiest way to explain it lies in the banking system. Banks have been doing it forever. You carry a little token. You can still do that with this.
Banks have just made it easier with technology. You can use your cellphone as your token.
One of our customers had two-factor on their email. It alerts them on their phone when they log in. Every time they logged into their email from another device, it gave them a prompt to ask, Is this you? And obviously if you’re going to another device, you would say yes. They kept getting that prompt. And they got fatigued from that and they started saying OK on that.
We had to call the customer and say, “We’re getting these reports that you’re – where,” We asked, “Where are you?”
“Oh, I’m in my office.”
“We’re getting reports that somebody claiming to be you is logging in from another country. Are you getting any prompts?”
He said, “Yeah, I’m getting a prompt. I’m just saying OK to it.”
We put two-factor on. Now we have to explain that. You should be calling your IT company if you’re getting an alert that says, “I’m trying to log on.” You’re not trying to log on from a different location. Then there’s something wrong. That means your original user name and password has been taken, and you must change your password. Because that’s the first factor.
The second factor is getting to you. That’s the importance of two-factor. If your stuff is breached in the dark web and somebody gets your user name and password … because the problem is, everybody has 50 passwords and they’re relatively close because nobody remembers 50 passwords. People keep them the same. Then passwords end up on the dark web.
Hackers could reverse engineer it to try to get into your company log-in.
MERVA: Again, you can’t IT your way out of an HR problem. That’s all the more reason why a password manager is important.
Our base offering includes a password manager because it’s something that everybody should have. As an IT professional, I don’t expect you to remember all 284 passwords that you have to use in a day. With things like single sign-on, or SSO, that number should be reduced.
But you still have a lot of passwords. I recognize that. And they should all be different and they should all be complicated. That’s almost impossible without a password manager.
Or you open yourself up to bad practices. It’s been a year ago, but a client wrote all of his passwords on a piece of paper and put it in his wallet. Don’t do that. We’re trying to enable better practices by giving clients tools.
Let’s move on to artificial intelligence. What are the benefits and challenges, if any, from this and how companies are using AI? Is that another issue in cybersecurity?
BLANCO: Yes.
DAICHENDT: Absolutely.
How is it an issue? How do breaches occur through artificial intelligence?
MERVA: It could be as simple as an employee using AI to perform a function of their job and supplying private, confidential company info to that AI platform. Sometimes without even thinking about it.
We haven’t reached the point here where our clients are addressing this.
Shadow IT is always a problem. That’s where employees of companies take IT into their own hands to make their lives easier. Our clients sometimes don’t know that AI is used in their environment. If you have a marketing manager who took it upon themselves to sign up for an AI platform to generate prompts or content, the owner of the company or the IT provider may not know that. The concern is that we haven’t created policies to address these situations because it’s all so new.
DAICHENDT: Artificial intelligence isn’t all bad. You’re hearing all of these horror stories about how artificial intelligence is going to take over the world, “The Terminator” scenario.
There are many good things about artificial intelligence. That’s why it’s becoming so talked about.
For instance, artificial intelligence can detect when weird things happen and look at a bunch of data and say, “Even though you haven’t installed a virus protector on your PC, these things are happening.” They indicate something might be wrong. Based on this artificial intelligence identifying that issue, we’re going to take these steps.
That’s artificial intelligence, too. And there are many ways to do that. Updates, like everybody’s software on every computer, should happen regularly.
Artificial intelligence can make sure that happens properly, without human intervention. AI robot does it and makes sure it’s done properly.
The bad side is also there. Artificial intelligence can spoof things. It can spoof email. It can spoof people. It can spoof your face. It can spoof how you write. So it’s a mixed bag.
We’re very early in artificial intelligence development. I remember when the internet first came out. Everybody jumped on the internet bandwagon and spent a ton of money on it. It was five years before anybody made any money on the internet.
We’re at a point where we need to step back and think about the pros and cons of AI. We need to plan and figure out how to be protected from it and how to use it effectively.
BLANCO: AI is going to be used positively and negatively. The bad guys that are doing bad stuff are going to use AI to help facilitate and speed up the process. Just like we’re using AI internally to automate a lot of stuff.
DAICHENDT: That’s a key word, speed. Things are going to happen so much faster with artificial intelligence and you have to be prepared.
What is the Internet of Things and how does this fit into cybersecurity, if at all?
DAICHENDT: The Internet of Things basically is all things connected. It’s your computer. It’s your cellphone. It’s your refrigerator. It’s your smart TV. And it’s the communications paths that all those things use to talk to each other. There are pros and cons to that as well.
If you’re on a home network, you have a PC and everything is connected. Somebody gets into your computer. They now have access to all those things connected to your computer.
As everything becomes more connected, things talk to each other and make your life easier. The negative part: If there’s some vulnerability, all of those other things on the Internet of Things are exposed.
EDWARDS: The Internet of Things could be as simple as Alexa in your living room: you giving those commands. That is a device that responds to voice commands that can do various functions throughout the house.
You can have devices that are connected to your wireless to open your blinds, indicate that there’s a message in your mailbox. All of these devices, all connected, and they’re all bound to you, to your identity. If someone could come in and exploit that vulnerability, not only do they have access to your devices, but all of your information, your habits, your spending habits, your web-surfing activity.
It can narrow down a lot of information to further exploit you for monetary gain or just access your systems or use your equipment for nefarious purposes.
There’s an added layer of security that has to be involved with these devices that are set-and-forget. You’re not going to be constantly using and checking the security on that. You should keep that updated, along with general security practices. Focus on keeping those secure, just as you would with your computer, your cellphone, or your personal information.
[To Komar] Does that mean we need to have cybersecurity insurance on our homeowner’s policy?
KOMAR: Ah, thank you. I was going to bring that up. Most people have identity theft on their homeowner’s policy but you can now start to purchase personal cyber coverage, either under your homeowner’s or you can buy individual policies being sold.
And, yes, they will cover – not with identity theft – they will help you restore your identity but they won’t restore money. With a personal cyber policy, it’ll restore the money that might have been stolen from you up to a certain value.
And they throw in some very interesting coverages. One they throw in – and I tell parents of teenagers – is cyber bullying. They give you coverage if your child, or even an adult, decides to bully somebody by using their home internet service and they get sued for it. They even cover mental health for a child or an adult bullied over the internet.
There’s many interesting things out there. And it’s not expensive at all. If you are doing home teaching or banking or Schwab, something like that on your personal computer, all of that’s in there.
And if they get in, they can make your Schwab account vanish in no time.
That’s not standard on a homeowner’s policy?
KOMAR: Not normally. You have to ask for it. Only a few companies offer it. Probably five to six but it’s going to become more popular.
Within the next year you’re going to see it coming out more and more. Some companies are backing off and saying, “We don’t want to do it. It’s too much exposure. We can’t control it.”
They might be right.
Let’s wrap up with some final thoughts about what we haven’t covered, what you’d like to mention, what you want to underscore.
EDWARDS: Training, the age of your equipment or equipment retention and your patch level are the most important things you can do in your business. If you keep everything fairly new, all your equipment patched, all your end users caught up on training, the chances of something happening are slim. There’s always a chance.
DAICHENDT: Every business should have a functioning updated firewall. Every business should have a backup and disaster-recovery device to take your systems back to where a breach happened.
Every client should have antivirus and malware detection that includes EDR, which is endpoint detection and recovery.
The other main thing is training. From 88% to 95% of breaches happen because of human error. Train your employees on what to look for, what not to look for. There are tools out there to do it. There are companies like us that will help you.
KOMAR: I teach insurance agents cyber all over the United States because it’s difficult to understand. One thing I tell them is that they’re going to have to turn to these gentlemen sitting here at this table to get help to let the clients know what they need to get the cyber insurance.
It’s very difficult for some people to understand. I can do all kinds of wonderful things for companies. But security has to come first.
BLANCO: With the Internet of Things, it’s our responsibility as IT companies to manage and secure an environment. The challenge we run into is that people bring a lot of things into the network.
Knowing what’s on the network is very important and being able to segment business assets from employees’ personal stuff that’s connected. Make sure those are segmented because we need to protect what’s important, which is the data and the productivity of the company.
Companies: When new equipment comes in, start looking at it because everything connects to the network anymore. It doesn’t matter if it’s camera systems or security systems.
MERVA: Companies need to take this seriously. Companies need to make the proper investments into their IT infrastructure and they need to allow a professional to do this. We are long past the point where your nephew or your buddy can do this on the side.
Pictured at top: Michael Edwards of Tele-Solutions and David Daichendt of Micro Doctor participated in the roundtable discussion.