Valley Experts Discuss Cybersecurity Threats, Precautions
CANFIELD, Ohio – Nothing will prevent 100% of cybersecurity threats, but contracting with an IT company, training employees, updating software and equipment and maintaining cybersecurity insurance provide safeguards.
That’s the message from a panel of experts assembled Nov. 14 at Courtyard by Marriott for a Business Journal Roundtable Series discussion on cybersecurity.
The full discussion will be published in The Business Journal’s December print edition, with video excerpts running online at BusinessJournalDaily.com.
Panelists were Michael Edwards of Tele-Solutions, David Daichendt of Micro Doctor, Mercy Komar of L. Calvin Jones & Co., Ralph Blanco of ECMSI and Robert Merva of Avrem Technologies.
Edwards said he worked this past year with a company that was a victim of wire fraud. It received an email asking that money be wired to a particular account, and an employee did so.
“Something as innocent as an email can be very expensive to a company,” he said.
That’s similar to what the other panelists have seen.
“Between 88 and 95% of breaches happen because of human error,” Daichendt said.
It could be an employee clicking on an attachment or a link that gives a bad actor entry into the company network, or following the instructions in a spoofed email.
That’s why it’s important to train employees so they can learn what to watch for, and if they suspect a problem to report it to the company’s information technology provider.
Most of the employee-caused issues happen accidentally, but Komar said there’s a growing industry of cybercriminals paying employees within a company to aid them in their activity.
“That’s why it’s important to have multilayered security,” Blanco said.
Even though he’s the company owner, for example, he said he doesn’t have administrative rights in the company network.
Merva said companies should take the same care in offboarding employees when they leave a company as they do in onboarding them when they’re hired. That would ensure that former employees no longer have access to the company network.
He also emphasized the need for employee training.
“You can’t IT your way out of an HR problem,” Merva said.
Daichendt said his company sometimes sends fake phishing attempts to client employees as a test. Those who fall for the attempts are flagged for more training. He stressed, though, that the training should never be punitive.
Company culture also comes into play, Merva said. Some companies shy away from test phishing attempts and other strategies because they don’t want to single out or offend employees.
Other companies insist they don’t need cybersecurity systems, reasoning that they don’t have anything worth stealing or they’re too small for bad actors to bother with them.
Merva said cybercriminals troll, looking for vulnerabilities, and Blanco added that it involves less work for a criminal to get $10,000 from 10 companies than $100,000 from one.
Other companies don’t think they need professional services, thinking a friend or family member can handle their technology needs.
Blanco said anyone can handle assigning passwords, installing software and similar tasks, but companies need more than that.
“We’re long past the point where your nephew can do that for you,” Merva added.
The panelists agree that companies should invest in cybersecurity insurance, but Komar says only about 50% do.
Soon, though, she says, it’s going to be a requirement from banks and other institutions to secure financing.
“If people would just concentrate on getting that done, I can save them money on the insurance end because the security is correct,” Komar said.
She tells clients that everyone who has a bank account is a target. Over the years, media attention has focused on cyber ransom attacks where bad actors net a lot of money.
“That doesn’t normally affect the people within our Valley,” Komar said. “They’re getting hit every day in their bank accounts.”
It’s difficult for a smaller company to withstand a significant unauthorized withdrawal from its checking account.
“And it’s gone before they even know about it,” she said.
Criminals get into the system and look around, gathering names, phone numbers and addresses, looking for accounts payable and accounts receivable to see who’s due to receive a payment.
Recently, a criminal got into a company’s network and saw there was going to be an invoice for a particular amount sent to a certain company, Komar said.
The criminal spoofed an email from another company saying they had switched banks and asked for payment to be sent to a new account.
Multifactor authentication is a good way to secure your accounts, the experts said, although it doesn’t provide 100% protection.
“It’s an arms race,” Daichendt said.
Multi-factor authentication software isn’t expensive. It amounts to a few bucks per user, he said.
Having layers of protection is the best defense, the panelists said.
As it is in most industries, artificial intelligence is moving into cybersecurity. It can be used for good or nefarious purposes.
An employee may be using an AI platform to facilitate a task and open the network up to attack.
AI can also detect when there’s a problem, though.
Edwards said there are steps a company can take to lessen risk, including training employees and keeping equipment up to date.
“There’s always going to be a chance of something happening, but you’re minimizing it,” he said.
Pictured at top: From left are David Daichendt, Mercy Komar, Ralph Blanco, Michael Edwards and Robert Merva.
Copyright 2024 The Business Journal, Youngstown, Ohio.