Cybersecurity Begins with Educating Employees
BOARDMAN, Ohio – With more and more of our daily lives tied to computers, both at work and at home, the risk for falling victim to a cyberattack is greater than ever and only increasing.
And those who deal with cybersecurity on a daily basis see two major problems facing businesses: a lack of employee education and failure to use technology that can thwart attacks.
“Most people are lackadaisical about their security regarding all the information they send and share. No one is immune,” said Stephen Franckhauser, director of HBK CPAs & Consultants’ IT risk advisory and assurance group. “The environment is rich for attack. That’s the world in which we live. Virtually everything we do happens because we touch a computer.”
Franckhauser was among the seven participants in The Business Journal’s roundtable discussion on cybersecurity yesterday at the Holiday Inn Boardman. An edited transcript of the discussion will be published in the April issue of The Business Journal and posted online.
Other participants were: Stephenie Maroni, vice president of operations, James & Sons Insurance; Andrew Prentice, account representative, Star Tech; Robert Merva, owner, Avrem Technologies; Mercy Komar, agent, L. Calvin Jones; Mark Richmond, owner, Micro Doctor IT; and Mark Robertson, owner, Eagle Point Technology Solutions.
“I’d be willing to bet that everyone in this room has been attacked, even if they don’t know it. It happens every day. It happens with social engineering and phishing,” Komar said. “It doesn’t matter if you’re an accountant or a car dealership. They’re looking for an opening. They’re searching to get in somewhere.”
Among the most common cyberattacks are phishing attempts, where hackers send emails that appear to be from reputable sources, such as Microsoft or government agencies like the IRS, in order to convince users to turn over personal information or download malware. It’s in these instances that businesses, no matter the level of security systems they’ve put in place, need to be cautious.
“A lot of people do a few things. They’ll put up a firewall and antivirus on their computer but they don’t protect against phishing emails,” Richmond said. “If you have 50 employees and they all get 10 of those a day, all it takes is one time of someone thinking, ‘This is [the email] I’ve been waiting for.’ ”
The weakest links in any cybersecurity plan, the roundtable participants said, are the users. Education, combined with having a clear policy of how the company’s computers should be used, is one of the best defenses.
On the security front, the IT experts noted that there is no standardized solution, but agreed that there are steps everyone can take. Passwords need to be updated regularly, but don’t have to be overly complex – memorable and long, as Merva said, such as writing a full sentence. Firewalls and antivirus software need to be in place and regularly updated. And system backups need to be made regularly so that should a system be hacked, it can be reverted to the most recent version before the attack.
The cost of such security measures varies from business to business.
“We’ve got companies with 10 people and an IT budget of $100,000 and we’ve got 600-employee companies with a budget of $100,000,” Merva continued. “It can be affordable because it’s not one size fits all.”
But whatever that cost is, Franckhauser said, it pales in comparison to the cost of falling victim to a cyberattack.
“You will have lost your client base, your client data, your reputation. You may not be able to gain access to finances,” he said. “Most small businesses are not cash-rich, so your chance of being a fatality is greater than 50%.”
Most IT companies offer system analyses for free, participants said. While there is a cost involved with putting the recommendations into place, not everything has to be done all at once.
Beyond just those examinations, many trade groups and professional organizations offer best practices for cybersecurity in their profession or industry. And there are federal regulations and state laws — New York, for example, enacted new mandates on cybersecurity for the banking industry and the U.S. Securities and Exchange Commission has extensive rules for public companies.
“Find out what your weakest point is and that’s what you should always do first as a small business. … Is it your lack of training? Is it a lack of sufficient software? Is it your antivirus?” Franckhauser said. “Plug your biggest gap first.”
Pictured at top: Stephenie Maroni of James & Sons Insurance offers an observation at The Business Journal Roundtable on Cybersecurity. Looking on, from left, are Stephen Franckhauser from HBK CPAs, Andrew Prentice from Star Tech and Robert Merva from Avrem Technologies.
Copyright 2023 The Business Journal, Youngstown, Ohio.