Think You’re Protected from Cyberattacks? Think Again
YOUNGSTOWN, Ohio — The Business Journal convened a panel of local experts March 13 to participate in a roundtable discussion on cybersecurity.
The discussion was published in the April edition of our newspaper, in subscribers’ mailboxes this week. We are publishing it online as well so that our digital readers will gain a better understanding of how they can — and must — protect their businesses.
Participating in The Business Journal’s roundtable were Robert Merva, president of Avrem Technologies LLC, Canfield; Steven Franckhauser, director of IT risk advisory assurance at HBK CPAs and Business Consultants, Canfield; Mercy Komar, senior account executive, L. Calvin Jones & Co., Canfield; Stephenie Maroni, vice president of operations, James & Sons insurance agency, Boardman; Mark Richmond, president of Micro Doctor Inc., Warren; Andrew Prentice, account manager, Star Tech Inc., Hermitage, Pa.; and Mark Robertson, president of Eagle Point Technology Solutions, Hermitage, Pa.
The Business Journal: What’s the environment in which cyberattacks thrive? And what is the dark web that we hear so much about?
Steve Franckhauser, HBK CPAs and Business Consultants: The environment is rich for attack. It’s the world in which we live. Virtually everything we do happens because it touches a computer or software. We transmit virtually every part of our daily lives. I can’t get in my [office] building in Canfield without using an electronic key. I go in. I power up. Everything we do really makes this environment ripe for cyberattack.
Most people, most organizations, are lackadaisical about their security regarding all the information they send and share. No one is immune. Virtually everyone in this room has probably already suffered a cyberattack and been compromised.
We don’t live in a paper-and-pen world any longer. I read your edition online. If I have the luxury of reading the print edition, that’s what I do. This is only going to accelerate as people who are younger than us, who don’t read print materials, center their lives around [digital publications]. That’s a long answer to a short question.
The dark web was born in the late ’90s by Naval researchers, and presented at a symposium in England. It’s the part of the web that search engines can’t reach. And it carries so much more information than the part of the web that all of us use. It has good users and bad users because it’s off-limits essentially, can’t be reached by traditional search engines such as Google. A lot of good goes on there. And a lot of bad.
For instance, a lot of law enforcement uses the dark web to track [suspicious traffic] and communicate [with other law enforcement agencies] so that their communications can’t be breached. But it’s also the place on the web where scofflaws or skullduggery people engage in nefarious activities. It’s where they trade information they’ve stolen about other people. And they know they can get away with it because they’re out of the reach of the search engines.
That is multidimensional. If you took a photograph, the web we use would be the one dimension you see on the photograph. The dark web would be everything behind what you can see. That’s the best way I can describe it. It’s a fertile ground for both good and bad, like most tools are.
Stephenie Maroni, James & Sons Insurance: Our world today is so technology- and data-driven, where everything is done electronically. Big Brother is watching everything from our vehicles, which now are connected, and everyone can track data. Our kitchen appliances are connected too. Everything is connected. So we have opened ourselves up to cyberattackers. …
I am an insurance agent. So we offer cybersecurity policies. The first for cyberattacks were written about 20 years ago. At that time, we knew very little about it and agents were just reaching into that arena. Over the past five years, everybody is realizing that cyberattacks are something to guard against.
Policies have evolved greatly from what they were originally. When the first was written, it was a very basic policy. Now they’re adding all kinds of endorsements, broadening the coverage.
The market has gotten so much more competitive. Insurers are broadening the coverage. There are a lot more carriers in the market and they’re always trying to keep up with better products and adding coverages.
People were concerned about their laptops getting stolen, and the information stored in their laptops stolen. Now there’s so much more with ransomware and extortion and social engineering. The cyberworld has gotten so more complex. So the policies have become so much more complex to respond to all those needs.
Andrew Prentice, Star Tech: Obviously, our environment is wide open for cyberattacks. Everything around us has an element of high technology. I’m wearing it on my wrist. I have a cellphone in my pocket. I carry a laptop, and a tablet, and an iPad everywhere I go. At my house, I have Alexa set up on my counter. Who’s to say that she can’t be hacked and someone listen to me talking to my family?
We have computers all throughout our house. I have lights that are voice-controlled. We have magnetic locks in our houses controlled by NFC [near field communication] devices. There are rings that can unlock your car doors. Everything around us is controlled by technology.
So much around us can be threatened.
… The dark web is another level below. You have the surface web, which is what we all see everyday. That’s our Facebook pages, Google, Amazon.
Then there is the deep web right below that. That’s where banks hide their information, where businesses hide their [investor relations information]. The government does a lot of their stuff in there. It’s typically locked behind passwords so no one else can reach that information.
Then below that is the dark web, created for black markets where people can trade anonymously. And people do a lot of trading. It’s a completely anonymized version of the internet where people can’t be tracked – at least not easily. People go there for sales of illegal weapons, drugs, other things that shouldn’t be done.
Not all of it is illegal. Government agencies will use that, and police can use it for good things, too.
Robert Merva, Avrem Technologies: We should emphasize that the dark web is anonymized. And it’s not just that search engines can’t reach it. It’s that it’s accessible only through specialized software. So there is a layer of inherent protection to just get to it in the first place.
The Business Journal: What we don’t understand is if ordinary users can’t reach it, how do government agencies and shady actors reach it?
Merva, Avrem Technologies: Without getting horribly technical, the internet is driven by a service called DNS [Domain Name System]. DNS essentially matches a name like Google.com with a number of the servers where the host resides. Think of it like a telephone book.
By using specialized software and specialized entries in that system, people have access to another layer of DNS that most people don’t get to see or don’t have access. You install this specialized software on your computer, and then you have access to those other layers we’ve been talking about.
Prentice, Star Tech: The software is developed so that you have access to that dark web. You don’t even have to buy it.
Merva: Yeah. It’s free.
Prentice: There is free stuff you can just download. Anyone can do it, honestly. And it basically blocks out the outer world from entering into your computers. So your IP, your internet provider, can’t see where you’re going. They can’t see what you’re doing. So if they can’t track you, who else can?
There are other controls and devices that people can use to make it look like someone else. Say I’m in Hermitage, Pa. I can use a device that makes it look like I’m in North Korea when I’m searching the web. It’s just things to control the way people can track you through the internet.
Mercy Komar, L. Calvin Jones: There isn’t any place in the civilized world where you can hide from people who want access to your information. It’s all out there.
The Business Journal: Mercy, it’s been said that people can be divided into two groups: Those who have been hacked and those who don’t know they have been hacked. How accurate is that?
Komar, L. Calvin Jones: That’s pretty accurate. I would be willing to bet that everybody in this room has been attacked, even if they don’t know it. It happens every day. It just happened at our office. Social engineering, people phishing.
We have a spam search at our office called App-River. Every morning I get a list of all the different information that has come in. People are trying to access our email to see if that’s real or if it’s not. So everybody is getting attacked at all times.
One hospital that I read about said that they receive about 1,100 hits a day of people trying to access their system.
The Business Journal: To clarify. Does that mean people are getting attacked and their information taken, or just that people are trying to get into the system?
Komar, L. Calvin Jones: People are trying to get the information. They don’t necessarily get it. But they’re trying to access it. And it’s constant.
The mistake people make is thinking human beings are doing this. And it’s not people. Technically, it’s robots programmed to go looking for an opening anywhere, any time. They don’t care what kind of business you are. It doesn’t matter to them if you’re an accountant or if you’re a car dealership. They’re looking for an opening. They’re searching to get into something somewhere.
Mercy Komar from L. Calvin Jones makes a point while Mark Richmond from Micro Doctor and Mark Robertson from Eagle Point Technology Solutions look on.
Mark Richmond, Micro Doctor: The biggest threat is companies not having the total protection needed in any business. A lot of people do a few things. They put up a firewall. They install some anti-virus on their computer. But they don’t protect against phishing emails.
As I was just sitting here now, I got an email that looked like it came from Microsoft saying that my account is locked and I have to go in and unlock it. We get those daily.
And if you have a company that has 50 employees, and they’re all getting 10 of those a day, sometime one is going to think, “Oh, that really is the package I was waiting for from FedEx,” or, “That really was the Amazon order that I want to track.” They click on the tracking link. So it’s very easy for people to get tricked.
We [at Micro Doctor] install additional safeguards for businesses so their employees can’t click on those. If they try, we block it so that they can’t get to that website that’s going to download the ransomware.
Companies are testing their employees. There are several services that will send out fake phishing attempts to all of a company’s employees. Then they send a report card to the business owner that says, “Mr. Smith over in accounting has been clicking on about 3% of these phishing attempts. Everybody else was fine.”
There are a lot of things you can do to protect your businesses, but a lot of people don’t take the time to update them. One of the big things that let ransomware get crazy was remote desktop sessions.
In the past, we used to set up remote desktop sessions so people could get into their servers from anywhere. They would just type in the IP address, their passwords, and it was open to the whole world.
Now with all these robots, they’re constantly pinging these IP addresses. And they’re trying to guess the passwords to those remote desktop servers. Once you get into a remote desktop server, it’s just the same as being inside your network. You have access to everything.
So everything needs to be encrypted.[Lack of encryption is] how bots got into the hospital in Anaheim. They got into a remote desktop session, encrypted everything and the hospital had to pay huge ransom. So things have to be updated. You can’t just install your technology and forget it.
Mark Robertson, Eagle Point Technology Solutions: … It is very easy to actually get to this data [through the dark web]. You would be surprised at how many of your employees may be doing this on your equipment. And the next thing you know, law enforcement shows up at your door because your employees are doing illegal things and you find yourself having to do a lot of forensic work to prove [you didn’t know] what was happening and provide the information that sends people to jail.
That does happen very frequently. I have been doing this for 20 years and I have been part of 17 or 18 different investigations because of stuff being done on the dark web.
The Business Journal: Are we talking about child porn?
Robertson, Eagle Point Technology Solutions: Child porn would be an example. Drug dealing is another example.
A lot of employers, especially small businesses, don’t want to lock their equipment down, so anyone can install anything. So they’re sitting there with a Tor [an anonymity network of free software] on their computer and can take advantage of that to sell drugs.
… Even though you may have all this security installed, employee training is critical and having policies in place for when it happens, even for the smallest little thing, is vital. Sometimes you have to fire good people.
The Business Journal: We have the impression that for many employers it’s not that they don’t care, but they are unaware. So they don’t take efforts needed to educate themselves as to the severity of the threat. Or they don’t have the time. They’re small.
Merva, Avrem: I don’t think they have the time.
Robertson, Eagle Point: There’s that. But they don’t want to bother their employees either. They want to provide their employees with the openness to do what they need to do. But whenever you do that, you give them all the available resources out there. So you might have an engineer who’s constantly needing to download software from the internet to do their job. But if you let them download and install software, they have the potential of doing things [that breach security].
Merva, Avrem: There is a balance between security and convenience. And that part of our job, as IT consultants, is to find that balance for our clients and make sure their systems are secure while their employees have what they need to do their jobs.
Layers are important. The key for good cybersecurity is layers, having multiple layers of protection. But all the layers in the world won’t do any good if your users aren’t educated. Ultimately in every technology system, the weakest link is the people using it. You can have a great firewall, and a great anti-virus block, and great DNS filtering and spam filtering. But all that doesn’t mean anything if you don’t educate the users.[These precautions] can still be circumvented by somebody who clicks the wrong box, or opens the wrong attachment, or says yes when they should have said no. It comes down ultimately to education.
Franckhauser, HBK CPAs: I concur wholeheartedly with the layers. There’s a quote of General Patton, “Fixed fortifications are a monument to the stupidity of man.” You have to have a layer of defense, from software to hardware to human training. But you have to keep changing it. You have to keep moving it. And importantly, inevitably you will fail in some facet. You have to be able to recover.
Steve Franckhauser emphasizes his point that most small businesses will not survive a serious cyberattack. Looking are are Stephenie Maroni from James & Sons Insurance, Andrew Prentice from Star Tech and Robert Merva from Avrem Technologies.
The Business Journal: So I’m a small business owner. I get what you’re saying. How much is this going to cost me? What do I have to do?
Franckhauser, HBK CPAs: First I’m going to tell you, as a small-business owner, that 50% to 60% of small businesses will not survive a serious breach. You won’t live through it.
The Business Journal: Why not?
Franckhauser: Because you will have lost your client base. You will have lost your client data. Your reputation may be harmed. You may not be able to gain access to your finances. And most small businesses are not cash rich. They are cash poor.
So your chance of being a fatality is greater than 50%. I have your attention now. Start with the low-hanging fruit. What’s your area of highest vulnerability? Is it your lack of training? Is it your lack of sufficient software? Do you have an anti-virus?
Find out what your weakest point is. That’s what you should always do first as a small business. Plug the biggest gap and then work your way back as finances permit. You still have to do business. But work your way back from your biggest gap.
I will bring up a gap: social engineering. If you have a CEO who is showing everybody in the world that he or she is going to Cancun and flying out of Cleveland at 2 p.m., your CEO is vulnerable from 2 p.m. until to whenever he or she lands. For small businesses, go with the biggest gap and then do the easy part. But it’s also labor-intensive; train your people.
Robertson, Eagle Point: Training your people is the most basic precaution. Hold a 15-minute meeting every quarter just to remind people on how this stuff is really simple [to defend and be attacked]. But it’s still a cost of business. [Owners] look at it. They don’t want to do it. Even though it’s very simple.
Maroni, James & Sons: You can send [fake phishing emails] out to your employees and get that report back.
It’s an easy lesson. Because we did it in our office. It was a matter of gathering everybody and telling them, “OK, out of 20 people in our office, five clicked on this email.”
I didn’t even have to say their names. Everybody knew who clicked on it. And you can say, “Here were the small details in that email, things that you should watch out for, the differences.”
You can point out the differences between what made it look like it was a legitimate email and why it wasn’t. Those people who clicked on it are going to remember that. It was a good lesson because some were embarrassed. And the people who caught the differences – they were proud of themselves because they figured out it was a fake email. It was a huge lesson.
That’s employee training, and employees are your biggest weakness. Everybody wants to please. When you get that call or that email saying, “I need you to do this for me,” we’re people pleasers. We want to serve our customers, or serve our bosses, and we want to do the right thing. And we think we’re doing the right thing. And now social engineering has grown as well.
Prentice, Star Tech: The cost of training your employees can be free by just opening up a PDF [portable document format] you can get from another business like us. We can send you something and you train your employees on it.[Research shows that] 93% of cyber-attacks can be avoided with proper training of your employees. We had a company that had an employee get an email from the employee sitting next to them, but it was spoofed from this outsourced company trying to hack into their network. So they opened up this email. And the company ended up being broken into because this employee opened up this email [purportedly] from the person next to them.
How are you supposed to know that it wasn’t the person next to them without first doing a little bit of research to verify where it came from exactly?
Maroni, James & Sons: As an insurance agent, I’m obviously here to talk about the insurance policies that can help protect you against the costs of cyberattacks, to help for the forensic investigation, for helping you rebuild your reputation, and all the other things that go along with it.
As for employee training and assessing, a lot of the carriers, trying to be competitive, have developed resources that can help you test your networks. They offer service at discounted rates from Symantec and various anti-virus software. Many small-business owners think, “I can’t afford cyber insurance.”
Well, can you afford not to have the cyber insurance? Consider that a lot of those policies and insurance companies also offer other resources: employee training, helping you assess your networks, your security, along with those policies. That’s an extra benefit you may be receiving with the policies.
Merva, Avrem: As for the cost of implementing some of this – not so much as recovering from it – there is a lot of technology built into things that people already have in their business that, if those settings are properly applied and tweaked and configured correctly, provide some built-in protection.
Most companies have a server, or should if they’re of a certain size. There are a lot of settings on that server that, if set properly from the get-go, can go a long way to prevent many of these issues. Same with email. There are settings inherent to email, without spam filtering on top of it, without any additional protection, that can stop a lot of spoofing attempts and fake email coming in. Just the basics of setting that stuff up properly goes a long way to protecting yourself and mitigating some of those risks.
Richmond, Micro Doctor: The social engineering part of it is everybody has their profiles online. They’re on LinkedIn. They’re on Facebook. And you can find out a lot about somebody.
If somebody is trying to get one of your employees to do something, they send what looks like an email from the CEO telling the employee to do a bank transfer. The latest one I saw that hit a couple of our customers was, “I want you to go to Walmart and pick up 10 $50 gift cards, scratch off the back numbers, photo and email those to me, or take a picture of them and email them to me. I’m giving them out as presents for some of our customers.”
To me and you, that’s obvious fraud. But when your employee is just trying to do his job and please the boss, he or she might go do that. Then you’re out several thousand dollars possibly. That’s another way people are using the little bit of information about you. Or maybe you’re on vacation, “Hey, I’m in Florida. Can you go do this for me? Because I can’t get to Walmart right now.”
The Business Journal: That’s what you mean by social engineering?
Franckhauser, HBK CPAs: Yes.
The Business Journal: I get fake emails supposedly from the IRS. And I know that the IRS won’t initiate a communication with me via email. I know enough not to bite.
But how many people, especially if you get something from the IRS, you’re slightly petrified. You wonder: What did I do wrong? If the IRS wants to reach you, it uses the postal service. This seems to be a great area for susceptibility for anyone. So how do you educate people that the IRS will send you a letter in the mail?
Prentice, Star Tech: … People from every generation use technology. Some have no idea what they’re doing. They use it to browse Facebook or look up recipes on the internet. Most of the hacking [victims] that come into my store are basic users, people searching for a recipe online who end up getting a virus from a website they visited.
You would think [viruses] would be from searching for inappropriate things on the internet, which we get a lot of, too. But more often than not, it’s from searching a recipe online.
The Business Journal: Who has some horror stories?
Komar, L. Calvin Jones: One of the strangest things is trying to get people to take cyber insurance after they were just hacked. They look at you and say, “No, I’m OK.”
The first one was a family that had a machining business that was doing government work through a large corporation. And their daughter, unfortunately, was susceptible and gave away the passwords to the computer system to a boyfriend who knew where to sell them.
Eventually the company shut down production, and lost over a million dollars. That’s because all of their business associates, once they found out that the company had been hacked – and the owners had to tell them, because they were doing government work – lost massive amounts of money. They just couldn’t continue once the information was out. That was the first one I ever came across. And they refused to buy the coverage. …
They survived. It was very rough. It took them a long time. But all of their government contracts were pulled, of course.
Robertson, Eagle Point: We talked about spoofing, buying the gift cards and sending the numbers on the back. We experienced something similar a couple of times where people gave their passwords out for Google or [Microsoft] Office.
What happened was the hacker goes into your account, because they have the password, and sends the email and then creates rules inside the system. So whenever someone responds – like for money – they email the accountant. The accountant asks, “You sure you want to do this?”
The email goes to deleted items automatically. The hacker sees this, responds to the email [posing] as the owner of the company, says, “Yes, we’re good, move the money.” They move the money and all this stuff is continually going to deleted items. The owner of the company has no idea what’s going on.
Maroni, James & Sons: We talk a lot about the social engineering aspect but another big piece now is ransomware and cyber extortion where they’re sending out these [viruses]. Whether it be through an email, and you click on a link, and in the background it downloads a software that basically encrypts all of your data, and it will encrypt your network.
Now the business owner no longer has access to the company’s own data. [Hackers] have basically shut the business down. And until they pay that ransom, they’re not going to give the data back.
We’re seeing a lot of that right now, the ransomware and the cyber extortion where companies have to pay that ransom.
They may not be asking for a lot of money, but they are asking for enough money from enough people, so they’re going to get a lot of money.
The Business Journal: Those who conduct the cyber extortion and ransomware, are they inside or outside the United States?
Maroni: They’re all over the place. Everywhere.
Franckhauser, HBK: I did ask someone in a federal agency when the highest number of those known attacks occur. What you hear about is just a little bit. The highest number is close-of-business during a business week in Moscow. Now, that might be coincidental.
The Business Journal: We have talked about passwords, and it seems to be the central point. People are careless about passwords. You’re supposed to change them every three months. You’re not supposed to write them down. But there are people who are clever. An eight-character password is required and they choose “password” or “12345678” and don’t change it.
What can you do to harangue – if that’s the right word – people to be wary and careful about choosing their passwords and changing them frequently, remembering them, and keeping them safe and secure?
Merva, Avrem: It is a myth that a password needs to be overly complex to be secure. That’s not the case at all. If you put a lot of restrictions on passwords, special characters, certain character limits and things like that, what often happens is the person makes up an overly complicated password, they write it on a PostIt or they save it in an Excel document. The complexity doesn’t lend any additional security.
Our recommendation is create a password that’s memorable, but long. It’s not human beings on the other side that are trying passwords over and over again. It’s a bot specifically programmed to try certain combinations and go through certain algorithms. And the longer the password is, the more secure it ends up being.
So if you take a sentence that doesn’t have too many special characters or isn’t overly complicated, just longer, it’s either going to be more difficult to break, or the person – or bot – trying to break that is going to recognize that it’s taking too long and move on to some other thing, another person, another company.
Prentice, Star Tech: How often you change your password is very important. Because many of these programs used to hack and find your password just read the most common inputs on your computer, what you type into your computer. So how many times do you type in your password everyday? These programs read how many times you typed in that certain specific set of letters and learn immediately what your password is.
Maroni, James & Sons: I had a claim involving exactly that. They downloaded the software through an email and it was basically keystroke-tracking software. Somebody downloaded something or clicked on something, they didn’t even realize it. They had downloaded a keystroke tracking software. Every time they typed in their password, over and over, it was tracking those keystrokes, and it recognized a pattern. It recognized what their password was, which allowed them access into other programs – maybe bank accounts.
Robertson, Eagle Point: In instances where people had their passwords to Office and Google stolen, I find that they often use a contact card inside those to store all their passwords. So now [hackers] have access to your account and now they have your bank passwords, and your stock brokerage password, everything. Don’t store your passwords as a contact card. In a real quick period, we saw two people victimized who did this.
Prentice, Star Tech: If you ever write your password on paper or on the computer, don’t write out the full password; use dashes. Maybe start with a letter that you want to start with, put some dashes in there, another letter.
Maroni, James & Sons: How many people have their passwords written down and posted on the wall or stuck on their desk? In an office, you’re exposing yourself to cleaning people that come in at night and may look at your password, to say nothing of vendors and other visitors who come into your office. All it’s going to take is the wrong person to come in and take that valuable information.
Komar, L. Calvin Jones: We all think of data as something in a computer. Data is anything that’s written down, even on a piece of paper. When we sell the cyber policies, it includes paper. Because you can lose paper just as easily as something on a computer.
Say I have a client who has a briefcase and goes out every morning, puts the briefcase on top of the car while he’s putting his coffee in the little holder inside. One day he backs off, starts down the street, and all of his information comes flying out of his briefcase. That’s a data breach, just as if someone had gotten into the computer system.
All of your paperwork sitting on your desk can be breached. Someone can easily walk in and go through papers. And in the businesses we’re in, people steal information. They steal expiration lists. They steal your corporate information when they leave one company to work at another. That’s also covered under the policies.
Franckhauser, HBK: We tend to look outward for cybersecurity. We don’t look at our own feet. And I will say the dirty word here, co-workers. Rogue employees, co-workers. They’re as much risk as anyone.
The Business Journal: A company calls you and asks you to protect them from cyberattacks. What do you do and how do you do it?
Prentice, Star Tech: We offer a free security analysis to any person or business, because that’s how important cybersecurity is. We send someone out and have them look over your network.
You give us as much information as you like. That’s a basic form of trust. We will check your hardware, how your hardware is set up. You can have a simple piece of equipment – just a basic home router can be customized to protect you in greater depth than what you think you need.
We will do a full analysis of your hardware, your software, so any anti-virus you have on your computers [works], the way you have your passwords set up. If you have employee training, we like to discuss that with everybody. It’s an in-house overview of everything to see what you’re doing right, and what more you can do to protect yourself. The cost varies depending on what you can afford and what your company thinks is worth protecting.
Franckhauser, HBK: You may have a contractual partner who requires that for you do business with them you must have your system analyzed. Because they don’t want to share information with you if you put their information at risk. We do something called SOC for cybersecurity: service, organization, control. It’s a standard list of criteria set by the American Institute of CPAs. And it goes A to Z.
You don’t have to get a perfect score. Nobody’s perfect in anything. But it checks off these criteria so that your third-party vendors and your potential business partners can look at this and say, “Yeah, The Business Journal has their act together. They have taken the time to do this. We feel secure doing business with them, sharing information.”
Merva, Avrem: It starts with a discussion. We meet with every new client. We have a conversation. We talk about where they have been, where they are and where they want to go. And the more in depth I understand their business, and how it operates, and what their goals are, the better we can start to put together a plan to protect them. And we understand that budget is important.
Over the years, many clients have told me, “We’re not the IT business,” meaning they don’t see IT as the primary focus of where the budget needs to go, and where their time needs to go. I completely understand that, but the reality is that they can’t function without these systems.
The Business Journal: How do you strike the balance between making them appreciate what they need to do, without feeling that they’re spending too much on IT?
Merva: It’s different for every company. We start with the easy stuff, the low-hanging fruit. We customize the things that can be customized. We make sure that the servers are set up properly, that the right security is in place. And then we build from there based on need.
We’re not doing anything for our clients that’s overly complicated or overly expensive. We work within their budgets. We haven’t had a ransomware breach for any client.
… You don’t need a $45,000 firewall to protect your business. You just need somebody at the helm who knows what he wants to accomplish and is there to strike that balance.
Richmond, Micro Doctor: We conduct a business technology review, which incorporates the scan of the network, and gives us a lot of reports back. We have a set of standards that we enforce. We tell our clients they need to live up to these standards.
They’re based on things like PCI [payment card industry] compliance and NIST [National Institutes of Standards and Technology] standards for defense contractors and the document that Steven [Franckhauser] talked about for CPAs. We give them an acceptable-use policy. They’re to notify all their employees that they take technology seriously. Employees are to sign a document where they acknowledge that if they go on the dark web or download what they shouldn’t, they jeopardize their employment.
You must have that in writing. You must have the training. You must have reviews. And we conduct these reviews, not only on potential customers, we do it on ourselves. Because what we did two years ago is not what we should be doing now.
It helps us identify users we need to lock out. Someone may have been fired six months ago but no one notified us. We can tell from our report that he hasn’t logged in for six months [but don’t know why]. We have to have the dialog with the business owner where he tells us, “I just hired this person.Set them up properly.” Or “This person left and they should not have access to our systems anymore.” A lot of times that doesn’t happen. They fire people and nothing happens on the computer.
Robertson, Eagle Point: One of the bigger problems – we go in there, set all the rules, do everything – is having the business owner keep you informed as the business grows. All too often they just continue without thinking about IT, which we’re there to help them with, and they drive a different direction. And you’ve not had any input. So call us. It’s free. It’s not a big deal. But for whatever reason, a lot of business owners implement software without telling you. Or they buy a new online service – you’re not part of it – and they open [themselves] up to data breaches.
The Business Journal: We’re sensing that at this point our readers are saying to themselves, “This all sounds good, but I don’t see a number.” So if the company has 20 or fewer employees, what are we talking to have someone come in and do a full security check and plug holes?
Robertson: For a company with 20 users, it depends. You go into a company they started as mom-and-pop, had a little Linksys router with very little security on it, never upgraded the firmware, stuff like that, I would recommend you upgrade that.
You get into a Cisco or a SonicWall or a Fortinet or whatever and start putting those bigger passwords in there, and then that’s clearly on size. So 20 users, you’re probably looking at $350 or $400 for a SonicWall. And antiviruses are a buck a month.
Merva, Avrem: It’s not fair to put a number on it. Because we have got 10-people companies with an IT budget of $100,000. And we have 600-employee companies with a budget of $100,000.
The Business Journal: We understand it varies. But we’re still trying to get a range.
Merva: It’s very, very difficult to pin that down.
The Business Journal: It is affordable?
Merva: Definitely affordable.
Franckhauser, HBK: It is affordable, because there’s not a one-size-fits-all. And you don’t have to do everything at once. That’s the beauty of it. You take the low-hanging fruit first, and then you do the steps as you can afford them.
Richmond, Micro Doctor: Owners are going to the per-employee pricing model. We don’t charge per server, per workstation. We go per employee.
We do all the technology. We do the VCIO [virtual chief information officer] stuff. We do security. Add those changes, everything except a new project, and that price range is between $1 and $200. Depends on the solution we’re putting in there, and whether we’re including a backup solution.
We haven’t talked about backups yet. But one of the layers of protection that everyone should have is a device that’s backing up and giving you time [to recover] – being able to go back in time. So you have yesterday’s backup, and you have this morning’s backup.
If you got ransomware demand at 8 a.m., you know you can go back, that the ransomware didn’t hit you at 10 p.m. last night. You have an image you can reload from and lose very little downtime. That’s another layer of protection. We almost require that now to bring on a new customer. That’s an upfront cost. Besides changing the firewall, they’re probably going to have to upgrade their backup device.
Robertson, Eagle Point: It’s amazing how many companies, before a managed service provider gets in there, do not do backups. And when they get hit with a ransomware, that’s a really bad day.
Richmond, Micro Doctor: Well, they’re doing backups, but not checking them.
Robertson: We recently saw a company that had never had an MSP and never did a backup. It had 30 users, and they got hit by ransomware, and didn’t have anything. They had to pay the ransom.
The Business Journal: What was the ransom?
Robertson: I don’t know. I didn’t ask. When they said they didn’t have backups, I was thinking, “You’re hosed.”
Merva, Avrem: The FBI suggests that you don’t pay the ransom. And I don’t know of any instance where paying the ransom got someone’s data back. We haven’t had to deal with it.
But backup is hugely important [as a defense against ransomware]. We’re at a point where ransomware is – I don’t want to say on its way out – still very scary. But we’re where ransomware should be considered a minor inconvenience rather than a business-altering event.
If you’ve got the layers that we keep talking about, if you have good backup, it shouldn’t take you down.
Prentice, Star Tech: Someone steals your data, asks you to pay a ransom, you pay it and they unlock your computer. That doesn’t mean they still don’t have the power to lock your computer again, or still have your information that they can sell to anyone. They can come back to you in six months, a year, and demand, “Pay us more money, or else we’re going to [freeze] your data we kept with us.”
Komar, L. Calvin Jones: From an insurance point of view for pricing, it is based on the number of employees you have, how many records you’re keeping, the kind of records you store constantly.
And it’s based on the business you have. Obviously, somebody in the health-care business pays a great deal of money for cyber insurance because they have HIPAA information. Somebody in retail may not pay very much because their exposure is just in credit card swiping.
We recommend that you don’t keep a lot of records. Most of the insurance agencies, if we ask for your date of birth and Social Security number and driver’s license number, we don’t keep it. I may call you back in three months and say, “I need your date of birth.”
You say, “I gave you that.”
“Well, I don’t keep it. I don’t want it. It’s just an exposure I don’t need.”
The Business Journal: If a company hires one of the service providers here, and does all that’s recommended, all the holes have been plugged, does their premium go down?
Komar: Depends on the size of the company. The premiums start at about $750 a year. You fill out an application that’s a warranty. On your application, you say, “We have taken these security measures.”
If somehow in the future one of those security measures doesn’t work and you have a breach, you’re not going to be covered. So you have to be real careful what you promise the insurance company.
A lot of people still have old software. We still know that there are people on Windows 5 and it can’t be protected. One of the specifications in the application says you will not use outdated software.
You have to make all of these promises to the insurance company. If you’re a large company, that will make a difference in your premium. If you’re a small company, it’s not going to make much difference. They take it into consideration.
Franckhauser, HBK: Here’s why the insurance component, and the warranties, are so important. If you are a small company, chances are good statistically that you’ll be bought at some time. The incubation period of any breach is about 180 days from the day it enters your system to the day you find it. If there’s a company that I want to buy, I’ll go through their reps and warranties, and I’ll go through all their financial information. I’ll review that information and say, “OK, you tell me you had this six months ago, and you had better have it, or you’re not going to get that merger you thought you were going to get.”
Komar: We’re finding that more and more people, especially people with government contracts, are asking, “Do you have cyber policies?” And a lot of large contractors saying, “We have a job with a certain railroad company, and they want to see our cyber insurance policy.”
The Business Journal: Last question. Anything that we did not touch on that you want to add?
Robertson, Eagle Point: There are a lot of small businesses that will never hire us. Their son does their computers, or their uncle does their computers, and he knows how to play games, so he can take care of our network. Those are the people who need to read this [roundtable] and address backups, address anti-virus.
It’s amazing how many smaller companies don’t have anti-virus. Address backups of Outlook online and Google online – people seem to think, being it’s synced and they do their own backups, there’s no real need to back up that data. But we’re all using it heavily. We have clients that do everything online. If you’re a small company, you still have to think about these basic things to ensure your security.
Richmond, Micro Doctor: One thing we didn’t talk about was two-factor authentication. If you go into your bank and you want to log in, they’re going to send you a code before you can get in. That’s starting to come down to the computer world now.
You get a text on your phone that tells you, as you’re trying to log in, you enter your password, you get a six-digit code on your phone, and you’re going to enter that. Now they’ve identified you two ways: You knew the password. The bank knows you have the device that you registered with.
I’m trying out one of the new Everykey things. It’s a Bluetooth device where you walk up to your computer and you can log in with one keystroke. We’re also looking at PC Lock, which is an app for the iPhone where you set that close to your computer, and it logs in.
You take it away from your computer, it logs you out. There is a lot of technology we’re always looking at that’s going to help us keep those passwords secure, keep the whole network secure.
Komar, L. Calvin Jones: We’re finding a lot of people are contacting us now that are doing online banking. Because online banking basically scares them and they know there is access to their computers a lot more readily that way.
There’s a lot of personal cyber liability insurance being sold through the insurance agencies where you can address that for your personal home computer, too, especially if you’re doing business from your home computer.
Merva, Avrem: Mark Robertson hit the nail on the head. If there was one takeaway from this, it would be the need for higher-qualified professionals. We took on a client last year that had 800 employees. And the gentleman in charge of their entire IT infrastructure was a former TV repairman.
Not that there’s anything wrong with that, but he had absolutely no computer experience whatsoever and somehow had been in that position for 10 years. So we are undoing 10 years of just horrible, horrible changes in this network that should have been never been done in the first place.
Small companies hire their nephew or their son or the neighbor who’s good with computers. That doesn’t make them qualified to understand the business risks and put some of these safeguards in place. My biggest pet peeve is walking into a company that should have somebody who knows what they’re doing, and doesn’t for whatever reason.
Prentice, Star Tech: Cyberattacks are an ever-growing field that’s not going to stop. Hackers will develop new ways to hack your computer. The software that we have on our computers – people use McAfee, Norton, Symantec, everything like that to protect against viruses. Those constantly have to be adapted. So people get hit.
Hackers keep creating new things to keep breaking into your computer. Be ready, and be prepared. And find someone who knows what they’re doing to do an analysis on your system.
Maroni, James & Sons: You also want a qualified professional to handle your insurance. Cyber policies are not standardized. What you think you’re getting because somebody threw a cyber endorsement onto your package policy, and it’s costing you maybe $100 a year – are you really getting the coverage that you need? Or are there better policies with higher limits? Make sure your policy’s got all the proper endorsements and coverages that you really need.
Franckhauser, HBK: Go to whatever organizations you belong to. Find out what the best practices are, whether they’re NIST best practices or the best practices from the Ohio department of whatever. Then go to practices that are mandated. The state of New York has mandated practices for the banking and insurance groups. The Securities and Exchange Commission just came out with guidelinesthat are very, very strict. Find out the best practices in your trade or field. And follow them.
Pictured at top: Roundtable discussion took place March 13 at the Holiday Inn Boardman. Moderating the discussion was Dennis LaRue, copy editor of The Business Journal. Also asking questions were Publisher Andrea Wood and special projects editor Josh Medore. Cynthia M. Allen, certified legal reporter of Steno Scribe LLC, recorded verbatim the discussion that LaRue edited and condensed.
Copyright 2022 The Business Journal, Youngstown, Ohio.