Cybersecurity is among the most profound concerns facing businesses today, and this is particularly true for small businesses which may have limited budgets and lack the staff and/or expertise to appropriately address the topic. Embodying a rich interplay between end-user behavior, equipment/software, and legal and insurance considerations, the cybersecurity ecosystem may seem daunting for the already-busy small business owner. However, when it is approached with the help of experts on a step-by-step basis, a company can successfully limit its cyber vulnerabilities.
Employee Security Awareness Training
Michelle Schaap is a member of Chiesa Shahinian & Giantomasi, PC, a law firm with offices in West Orange, New York City and Trenton. Working in the privacy and data security practice group, she says, “The biggest cybersecurity problem is [small businesses’] people. And it is not necessarily that businesses have malicious employees; it is that they have employees who don’t know better. It is people who have not been trained to be mindful.”
Even the most sophisticated security systems can be defeated if an employee: opens an e-mail attachment that contains undetectable malware; accidentally inserts a USB drive laden with undetectable malware into his or her computer; fails to update critical software for his or her computer; leaves sensitive paper documents on his or her desk where cleaning people can use their smartphones to photograph the papers after hours and, in turn, disseminate them via the Internet; or does not confirm the authenticity of an e-mail from a “colleague,” and inadvertently furnishes data to an online imposter.
The above examples represent merely a few concerns that can be addressed via employee security awareness training. A trainer can visit a small business and teach employees how to avoid being subjected to these and similar scenarios (interactive online employee security training is also available through reliable sources). In today’s world, perhaps most people know not to “click” on a link in an e-mail from an unknown source, but there are endless other security scenarios of which many people are unaware.
Schaap says, “We actually did a program at our office as part of our employer breakfast briefing. I asked everybody: ‘Raise your hands if you do harassment training.’ Of course, all the employers in the room diligently raised their hands, ‘Yes, yes, yes – we do it.’ And then I said, ‘OK. Now, how many of you have a training program for cyber-mindfulness?’ Two people in the room raised their hands.”
Employee security awareness training is merely one element in a long list of 24 cybersecurity recommendations that Cranbury-based Domain Cyber Security (also known as Domain Computer Services, Inc.) supplies to its clients. From removing computer administrative rights and grappling with Windows PowerShell concerns, to Software Restriction Policies and AppLocker, the list can guide small businesses.
Rashaad Bajwa, president and CEO of Domain Cyber Security, says, “Medicine is like computers: There are general practitioners, but there are also heart surgeons. Although a general practitioner can tell you certain things that might be going wrong with your heart, they are ultimately going to say, ‘If you want a comprehensive analysis, and you want to do a deep dive and make sure that your heart is healthy, here is a cardiologist to whom you should go.’”
Bajwa adds, “The same thing applies in the computer/IT space, in that the vast majority of IT folks – whether they are internal IT or external IT – are either going to be network administrators or service desk [people]; they are not going to be cybersecurity folks. The first thing I would say is: Cybersecurity is a specialty.”
He adds, “It is fairly easy to remediate your risks, but you need to make sure that you are talking with somebody who is current and specializes in that space.”
If alert employees are cautious about avoiding cyberattacks, and cybersecurity experts have been consulted, the business owner may also be well advised to consider cyber insurance. Joseph R. Riccie, market leader for data and information security / cyber secure services at the accounting firm WithumSmith+Brown, PC, says, “Cyber insurance is evolving. [When purchasing it,] we recognize that [clients are essentially saying], ‘Let me add this and check the box.’ And when we review [the policy], the client doesn’t have complete coverage.”
“Therefore, we are educating them, and saying, ‘Listen, let’s call your insurance person in and talk with them about what you need in order to be protected.’ We do it based on risk scenarios – what could go wrong? And if something does go wrong, are they protected?”
“For example, there is a lot of impersonation of executives at companies, such as the ‘CEO or the CFO wire transfer impersonation,’ or the ‘W-2 impersonation.’ The list goes on and on. That’s very real. We say to our customers: ‘Did you ask the insurance agent if you are protected for that?’”
A Few Legal Considerations
Underscoring the extraordinary depth and complexity surrounding cybersecurity, Schaap says, “One of my clients said to me, ‘Well, I don’t want to do a risk assessment, because then I am going to know what’s wrong.’ I said, ‘Here’s the deal. You can’t put your head in the sand, anymore.’ You can’t say, ‘I didn’t know, so you can’t hold me accountable.’ What they can do, and this is the benchmark that most people are looking at, is: Did they act reasonably? So, if they do this risk assessment, and they understand what assets they have, what is at risk, and what they could and should do about it …”
“God forbid you do have that incident, and then law enforcement or a zealous plaintiff’s attorney comes in and says, ‘Well, you did not act reasonably,’ you can say: ‘Actually, I did, because I did these risk assessments. I identified the high-, medium- and low-risk issues. I identified those issues that I need to take care of right away, and here is my budget for the next three years to improve upon these things. I am acting reasonably and responsibly, given the size of my business, the type of records that I have, and the resources that I have.’”
Attorneys may also assist with helping clients prepare to address a security breach: Who will be notified immediately? How would the situation unfold? What about public relations? Should law enforcement be contacted? A wide range of questions – and preparations – should be considered via preventive legal consultation.
For the small business owner who is striving to focus on operating a business rather than getting bogged down with multiple phone calls to multiple professionals, one expert can often help pave the way toward locating others. In some cases, firms offer comprehensive, soup-to-nuts services. WithumSmith+Brown, PC’s Riccie says, “We want to see how well prepared our clients are – if they can show us what they have done, and they can explain to us the risk inside their business. We go beyond the typical data risk loss. Yes, you have to protect personally identifiable information and health information, but I want them to think about their business. What about their customers? What about the third parties they work with in order to deliver their goods and services?”
The New Jersey Office of Homeland Security and Preparedness
The New Jersey Office of Homeland Security and Preparedness (NJOHSP) also has an important role to play in keeping businesses safe from cyber threats. Chris Rodriguez, director of the NJOHSP, tells New Jersey Business, “… Unlike some of the larger businesses that we deal with, the smaller [companies] may not have the resources or the organizational structure to fully integrate all aspects of cybersecurity into their businesses. The New Jersey Cybersecurity & Communications Integration Cell (NJCCIC) attempts to fill this gap. It has alerts, the advisories that we put out, [and] our cyber bulletins – [they go to] all NJCCIC members. We have more than 4,000 members, now. Those are small and large businesses alike, as well as members of the public. About half of our members are from the private sector, while the other half are from the public sector. And these [free] alerts, advisories and bulletins provide situational awareness.”
Speaking in broader terms, Director Rodriguez adds, “We need to be able to raise the barriers to entry for malicious actors to get into systems. We can only do that effectively if we are sharing information, we are talking – and we are trusting each other. What a large part of the NJCCIC is intended to do is to build that trust with the private sector. If the private sector shares information with us, they know that it can’t be used against them; they know that we are doing everything in our power, using the latest and greatest technology to secure their information, and that we are using it simply for awareness.
“I would also mention, finally, that we encourage people to go to our website: cyber.nj.gov. It is very user friendly.”
Many entities are conducting research related to improving cybersecurity. Kurt R. Rohloff, PhD, is associate professor of computer science, and co-founder and director of the NJIT Cybersecurity Research Center in Newark. He tells New Jersey Business, “NJIT has been growing over the years, in that a couple of decades ago, it was more of a teaching institute; it has gotten very aggressive with research in the past couple of decades, and NJIT, in general, has been making a shift to better engagement with government and industry. I was hired with a mandate to basically try to foster that, and to try to engage with broader research in the community; not just the academic community, but government and industry.”
He adds, “The other model which is pushed is that some large company might come in, and they might want to license intellectual property (IP). Or, a startup might want to license IP, and that works very well in some sense; we’re trying to do something a little bit different. Because we have a lot of very good, cutting-edge people doing cybersecurity, a lot of folks in our center are actually from industry, and so we know how to work large teams very well. And we set ourselves up not as IP providers, and not necessarily as insular academics, but actual partners with industry. We go and build things together.”
The need for cybersecurity is an unwelcome byproduct of technological progress. Given that many of the world’s most secure computer networks have already been breached, it is doubtful that small businesses can make their networks completely impenetrable. What they can do, however, is make their systems very difficult for unauthorized users to access, and thus avoid being easy targets for criminals.