NJBIA’s Cybersecurity Summit Offers Advice on Preparing for an Attack

NJBIA’s Cybersecurity Summit, held yesterday at the APA Hotel in Woodbridge, gave attendees a chance to hear real-life case studies and discussions that highlighted the damaging impact of cyber-attacks. The first of the morning’s two panel discussions was moderated by Scott Schober, president and CEO, Berkeley Varitronics Systems, Inc., and focused on what businesses can do in order to prepare for an attack, providing insight on how to formulate a solid plan.

“Preparation is the key to preventing an attack,” Schober said. “Cyber-attacks affect everyone. By 2021, it is projected that $6 trillion will be lost globally [to cyber crime].”

Preparation is important, and equally so is the ability of companies and individuals to accept the fact that they can be, and likely already have been, a target.

“Ignorance should be the biggest fear,” Doug Borden, partner, Borden Perlman, said. “Too many people think they won’t be attacked, when in fact they will be. People need to take a holistic approach and avoid ignorance and complacency.”

Michelle A. Schaap, member, Chiesa Shahinian & Giantomasi, emphasized that people are a company’s most important defense. She said that the No. 1 way a company should safeguard against cyber-attacks is by educating its employees on the threats and on the steps that should be taken before and after an attack.

However, at the same time, she also cautioned that, “People are also your biggest vulnerability.”

Borden pointed out that there is often too much emphasis on making sure the highest levels of a company are secure, while the lowest-level employees are overlooked. This is problematic because in many cases it is through these lower-level employees that an attacker is able to breach a company’s network.

“I am a big proponent of penetration testing,” Borden said. The practice he described keeps employees on their toes by intentionally sending them fake scam e-mails, so that they become used to recognizing what to look out for. It is also a valuable learning opportunity for teaching people what to do differently.

When forming a plan to deal with cyber-attacks, balance is key.

“We often trade convenience for security,” Schober said. “You need to find the right balance for your business. You can’t just compromise convenience for security, or no one will want to do anything.”

While a lot of responsibility falls on a company’s employees, they are not the only ones that should be held accountable.

“It is equally important to put pressure on the vendors that you use to keep you safe in the first place,” Chris Rohlf, staff security engineer, Square, said. “It isn’t necessarily the employees’ fault if they have a weak password if the vendor allows it.” The third-party vendors that a company uses should have default standards strong enough that they actually lessen the risk posed by individual employees.

“Many of your critical services may be outsourced to a third party. This is especially true if you are a big business,” Matt Cherian, director, BitSight Technologies, said. “This means that a lot of the security for your data is out of your control. It is important to remember not to ignore the ‘third-party blind spot’ when you outsource your data.”

A company needs to do its homework when choosing which third-party vendors it uses to ensure safety. Rohlf said there are clear benefits to having a fresh set of eyes examine your current cybersecurity defenses, and that an outside expert’s perspective is necessary in order to identify any potential blind spots or weak areas.

While you can’t always prevent a cyber-attack, it is important that all levels of your company are as prepared and educated as possible in the event that you are targeted. A well-thought-out, strategic plan of action can be critical to limiting any potential damage to a business’s online infrastructure and sensitive material.

“Ultimately it is vital to breed an organizational culture about security,” said Cherian. “These things shouldn’t be done just for compliance reasons, like having one test a year. The threats are continually changing.”