Measures Big and Small Build Cybersecurity Plans
HOWLAND TOWNSHIP, Ohio – Whether it’s ensuring employees create strong passwords or knowing who can physically access your offices, creating a cybersecurity plan is an all-encompassing effort. And as hacking attempts become more common and, in some cases, elaborate, the risks for businesses grow with them.
“Small organizations don’t have the data of hundreds of thousands of clients, but they still have the information of employees, and those employees have PII [personally identifying information],” said Stephen V. Bish, senior security analyst with Schneider Downs & Co., a Pittsburgh-based accounting and business advisory firm. “There’s still all that Social Security information, addresses and email addresses. That’s what hackers want.”
According to the 2018 Verizon Data Breach Investigations Report, Bish relayed, 53% of breaches resulted in damages of more than $500,000, 61% of victims were organizations with fewer than 1,000 employees and the annual cost of cybercrime is expected to hit $6 trillion by 2021.
Bish was the speaker Thursday at seminars hosted by Farmers National Bank on cybersecurity and preventing cyberfraud. A certified ethical hacker, Bish is part of Schneider Downs’ team dedicated to evaluating clients’ digital security systems.
“The whole class is teaching you how to hack stuff. But the word ‘ethical’ is in there because it’s not just teaching people how to be the bad guys,” he explained. “The techniques are being used in the real world by hackers every day. Our team needs to be constantly aware of the offensive tools available out there.”
Among the most common tools in digital malfeasance is simple human error. Phishing attempts – such as an email sent from an address approximating a company executive’s and requesting a monetary transfer, or a message carrying a malware-ridden link – are best combated with employee training, while weak passwords can allow hackers to guess their way into a system.
“There are a lot of human aspects that hackers love to exploit and there are technical solutions. People think they can just make a password longer or more complicated, but it comes down to the processes and procedures of how they’re created,” Bish said.
Any passwords that are a variant of “password,” such as “[email protected]” or “password!321,” are to be avoided at all costs, as are those that involve the company name or current months or seasons. With automated processes that combine password guesses with user IDs – plenty of companies stick to the first initial, last name format – breaking into systems can be easy.
“A dedicated attacker can just find an interface and guess passwords,” he said. “And those can lead to some serious compromises where, once they’re in, they poke around until they find data and then it’s a full-blown breach.”
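The password rules Bish describes (no variants of “password,” no company name, no month or season) can be enforced at the point a password is set. The following is an added example written for this article, not code from Schneider Downs or Farmers National Bank; the company names, banned words and character-substitution table are constructed assumptions.

```python
import re

# Constructed policy values; a real deployment loads these from configuration.
COMPANY_NAMES = ["farmers", "farmersbank"]
BANNED_BASES = ["password", "passwd", "welcome", "letmein", "qwerty"]
MONTHS = ["january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december"]
SEASONS = ["spring", "summer", "fall", "autumn", "winter"]

# Common character substitutions users apply to dress up a banned word.
LEET_MAP = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                          "0": "o", "$": "s", "5": "s", "7": "t"})


def normalize(pw: str) -> str:
    """Lowercase, undo common substitutions, then drop anything non-alphabetic
    so 'P@ssw0rd!321' and 'password' compare as the same core word."""
    folded = pw.lower().translate(LEET_MAP)
    return re.sub(r"[^a-z]", "", folded)


def weak_password_reasons(pw: str, company_names=COMPANY_NAMES, min_len=12) -> list:
    """Return a list of policy violations; an empty list means the password passes.
    Matching is by substring on the normalized form, so short names such as
    'may' or 'fall' will occasionally flag harmless passwords (accepted here as
    the safer failure mode)."""
    reasons = []
    if len(pw) < min_len:
        reasons.append(f"shorter than {min_len} characters")
    core = normalize(pw)
    for base in BANNED_BASES:
        if base in core:
            reasons.append(f"variant of banned word '{base}'")
            break
    for name in company_names:
        if normalize(name) in core:
            reasons.append("contains company name")
            break
    if any(word in core for word in MONTHS + SEASONS):
        reasons.append("contains a month or season name")
    return reasons


if __name__ == "__main__":
    for candidate in ["password!321", "P@ssw0rd2024", "Winter2023!!",
                      "FarmersBank#1", "correct-horse-battery-staple"]:
        print(candidate, "->", weak_password_reasons(candidate) or "OK")
```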
While a cyberattack can penetrate a system and gain access to data in minutes, the average time for a hack to be discovered is around six months, according to the Verizon report.
“An ounce of prevention goes a long way. If you can spend the time to get some basic detection capabilities, it makes it so the moment someone does hack in you can just pull the plug,” he said. “There’s a lot of activity hackers do that have telltale signs.”
Among the other missteps Bish sees frequently are the lack of multi-factor authentication, inadequate antivirus software, data that is not encrypted, poor security monitoring, unpatched systems, flat networks where all computers on a system are allowed to interact and share data with each other, and too many computers having administrator rights.
“People think the reason you take [admin rights] away is because of problems the user may cause,” he explained. “What they don’t often understand is that local admin rights is the single most powerful weapon you can give a hacker. If you get access to a machine but can’t install or run anything, if you just have access to email, it’s really hard to get out of that cage.”
Finally, while not a digital security measure, Bish noted the importance of having physical security to protect computers. He pointed to a penetration test – basically, testing a computer system’s vulnerabilities – Schneider Downs did for a client where the office was locked down after hours save for a vent next to the entrance. To get access to the office, Bish waited in a bathroom until the office closed, unscrewed the vent cover and was able to get into the office.
“We’ve been to [retailers], sat down at a [salesman’s] cubicle and set up shop for two days. The guys were friendly but never asked why we were there,” he added. “A majority of your attacks are foreign IPs playing a numbers game. But for a dedicated hacker that has chosen your [company], a three-hour drive isn’t out of the question.”
As the sponsor of the three seminars – two held Thursday at Holiday Inn-Boardman and the Avalon Inn, as well as one Friday in Canton – Farmers National Bank has tools available to businesses to help combat cyberfraud, noted Tim Shaffer, Farmers’ east regional president.
“We have a lot of human eyes and a lot of technological eyes that watch these transactions,” he said. “The common one is positive pay, where a customer provides a list of checks they’ve written and expect to be presented. When those numbers come in, we match them up and if there’s one that’s not on the list, then that’s a check that’s not paid.”
A similar process is also available for automated clearing house, or ACH, transactions, he noted.
Both Bish and Shaffer noted the importance of continuing education when it comes to cybersecurity, not just for IT departments or executives, but for all employees of a business.
“It’s a growing industry and it’s lucrative. So we’re always on guard for the latest in attempts to defraud our membership and defraud the bank,” Shaffer said. “There are so many vulnerabilities that anyone can have if they’re not on guard and staying current with the tools and capabilities available.”
Copyright 2023 The Business Journal, Youngstown, Ohio.