Although the internet’s wide swath of connectivity offers nearly unlimited business possibilities, it simultaneously exposes every business’s wired and wireless computers, devices and employees to global cybersecurity threats. With stunning rapidity, the world has shifted from a time when it was impossible to easily communicate with pocket-sized devices, to an era in which one often cannot escape much of the internet’s pervasive effects, even if he or she so desires.
Many Americans remain unaware that their smartphone location is revealed to companies, allowing, for example, a corporation that owns a shopping mall store to display smartphone screen advertisements promoting its products after the consumer walks into a competitor’s store. And while related privacy implications may raise ethical concerns, businesses can nonetheless advantageously avail themselves of related marketing techniques, which can, for example, leverage sales on a scale only imagined a handful of years ago.
Luis Hernandez, senior vice president and digital strategist at Cedar Knolls-based Marketsmith, tells New Jersey Business, “Mailing lists have always been available, but [now] you can connect someone’s physical location with everything they do online from a behavior perspective – and then also connect it down to their individual device, so you can tell when that person is using their mobile phone, versus their computer, versus a tablet in the evening. [You] can track not just who they are or what they are interested in, but what they are seeing, what they are seeing over time, and what they are purchasing.
“Surprisingly, [these people] have very typically opted in to give this information away at one point or another. Without realizing it, they have really provided all the connective tissue needed to draw a very precise – a very data rich portrait – of them as individuals. Essentially, I think the only [consumer] protection is just the interests of the organizations that hold this data.”
Such consumer data is not merely available to the mega corporations of the world: Small businesses can engage firms to discover the exact prospective customers to be targeted with certain advertisements, and also broader campaigns that entice people to purchase products and services via various techniques and tactics. Merely having a display banner advertisement “follow” a consumer across the internet is elementary; the timing of when and where to display the ad or other approach becomes an intricate mosaic.
As for marketing plans, Hernandez says, “The key, regardless of who you hire or what agency you work with, is to have a clear understanding of what you want to achieve and how you want to measure success from a business perspective. [It is also] having at least some understanding of who you want to talk to, and what that message is. It will at least allow you to begin to look at people who fit that profile, and maybe identify people who don’t fit the profile that you exactly thought, but who [have similar] interests or behaviors.”
The flipside of the above equation is that each business owner and his or her family is also being marketed to with products and services, and, separately, they and their businesses face cyber threats. Since large corporations are able to invest millions of dollars in protecting themselves, experts tell New Jersey Business magazine that small businesses are increasingly in the crosshairs of these would-be frustrated criminals. Small businesses do not necessarily need to store sensitive data: If the business is penetrated, nearly everyone knows that even day-to-day data can be encrypted with ransomware (in which criminals demand “ransom” for decryption), and that this can destroy a company. By now, many people know a few key steps necessary to protect one’s business, but some may not know that the first move, overall, is perhaps to contact an attorney with cybersecurity expertise. The attorney can not only recommend specific cybersecurity firms and associated insurance brokers, but he or she also is part-and-parcel of the attorney/client privilege, so if, for example, the company is “hacked,” the response can be more easily shielded from public view.
Karen Painter Randall is chair of the cybersecurity and data privacy practice group, co-chair of the professional liability practice group, and a certified civil trial attorney at the law firm of Connell Foley, LLP. She says, “Once you put [an] initial [cybersecurity] plan together, it is something that has to be massaged, over and over again. The people who are in the field of cybersecurity are reading and are up to date on the new laws, regulations and type of attack vectors every day, because they change so quickly. If you are not on top of what is going on out there in the cybersecurity world, unfortunately, you are going to become a victim of a cyber attack.”
From keeping software up to date and conducting penetration tests, to installing proper firewalls and carrying specific cybersecurity insurance (and developing a top-tier incident response plan), preventing and preparing for cyber threats is a complex endeavor.
Most readers will know that anti-virus software does not protect against the endless strains of malware that are developed daily, and that there is latency before the anti-virus software companies can detect them. Also, cybersecurity awareness training will teach end-user employees not just not to click on links in e-mails (most people know this), but how to avoid other multiple and non-intuitive mistakes in the cyber sphere.
Against the backdrop of a detailed explanation of what she terms a “holistic” approach to cybersecurity, Randall underscores, “Most important – as discussed before – is that security awareness training is a ‘must’ that everyone from the top down has to participate in, especially the new people who get hired by the enterprise.”
Michael Penders, general counsel and chief information security officer at the Command Group Companies, headquartered in Secaucus, says, “Most small organizations have never done a risk assessment, and [ISO standards] require you to do it, and all the big health insurers and financial institutions require you to pass a third-party risk assessment. But, after you are through it once, an organization looks forward to it. … This is one time where you sit down for days, and just go through all of your assets and determine their effectiveness in terms of meeting your control objectives – and kind of proactively plan to secure these assets.”
Employees working remotely now pose a risk to companies, and Rashaad Bajwa, president and CEO, Domain Computer Services, says, “Ever since the internet, [hackers] didn’t even have to come to our office,
anymore – they could just remotely connect and steal our electronic files. But, now with the advent of remote work, they potentially don’t even need to connect to our office; all they need to do is get to one of our workers, at their home, and they can get to that data. This interconnected world comes with so much opportunity, but it also comes with risk.”
There are technical security aspects that remote-work employees must become familiar with, and also the aforementioned security awareness training. In tandem, employers may wish to consult an attorney regarding remote work policies and related points.
Robert W. Anderson, shareholder and co-chair of the cybersecurity and digital privacy group at Lindabury, McCormick, Estabrook and Cooper, PC, says, “I think everybody, every company, realistically, within the constraints of what they can reasonably do, [should] devote significant attention to these kinds of remote access liability issues. [Remote access] opens up so many holes into the company’s system …”
The Internet of Things (IoT)
Complicating cybersecurity efforts are, in effect, physical objects which are connected to the internet – the so-called “Internet of Things.” One expert interviewed by New Jersey Business magazine detailed how a business had a “smart fish tank” in its office connected to the internet, which would determine when the fish would be fed. Hackers took advantage of the fish tank’s digital vulnerabilities and were then able to access the corporation’s entire computer network.
A different expert – Cristian Borcea, professor and chair of the computer science department, at NJIT – says, “Unfortunately, I would say for most of the IoT solutions currently available on the market … companies producing these devices have jumped ahead and just built the devices without much thought regarding security. Security is a problem. Privacy itself could be a problem, because if I have cameras and sensors everywhere, technically, I can see what people do all the time and this may or may not be a problem.”
Borcea adds, “If possible, I would say that right now, [companies should] keep the IoT connected only to their local infrastructure; do not open it to the internet. Sometimes, it is not possible: If I want to do supply chain management and track my fleet or packages everywhere they go, then I need to be connected to the internet. But, there are ways to protect, and they [will need an IT expert] … I don’t think getting the solution out-of-the-box is feasible, right now. It will be in the future, but, right now, we are not at that stage.” Of course, when a company is able to leverage IoT and create efficiencies and/or revenue, a balance between security and business improvements must be struck.
A discussion about cutting-edge technologies and business perhaps would not be complete without tangentially mentioning cyptocurrenices. While Bitcoin may be a household name, there are dozens of other cyptocurrencies. In effect, some experts assert that the value in the digital currency is its rarity (much like gold is “rare”). Bitcoins, for example, are today “mined” via supercomputers. Overall, cyptocurrencies are an emerging technology, and Angelo Mendola, president and chief operating officer, Priority Payment Systems Local, LLC, tells New Jersey Business, “Absolutely, there’s going to be a level of regulation. We are in the infant stages of cryptocurrencies. Literally, it is the very, very beginning. It is like being in the 1980s, when the world wide web came to fruition; it wasn’t understood until the late 1990s. And that is the same thing that is happening with crypto, and the block chain, right now.
“There is going to come a time where the big boys are going to come in, and regulate this. And when I say big boys, I mean the card brands like Visa and Mastercard, American Express and Discover, JCB and Diners International; they are going to want to come in and regulate this thing, and they are going to have the banks behind them, to do it.”
Whether it is cybersecurity concerns or marketing to specific audiences, a recurring theme is clear: Telephone an expert. When a specialized attorney takes the lead for comprehensive cybersecurity approaches, for example – or a marketing firm paves the way for increased sales and deeper market penetration – those who “know the ropes” may offer the best path. One expert interviewed for this article noted that, in effect, there is no unbiased website to consult. Rather, experts like this individual gather privately with peers to discuss the best ways they can protect their clients within a lighting-fast, emerging, hazardous and extraordinarily unpredictable technological environment.