
The CBJ’s Cybersecurity Power Breakfast panel included (from left) moderator Jodi Selby, of Bankers Trust; Libby Benet, of Beazley Product Solutions; Ron Draganowski, of RSM US LLP; Andrew Nellers, of Wellmark Blue Cross Blue Shield; Jim Sherlock, of Pearson; and Aaron Warner, of ProCircular. PHOTO/ADAM MOORE
By Dave DeWitte
dave@corridorbusiness.com
Speakers at the CBJ’s 2016 Cyber Security Power Breakfast said small businesses with sparse IT resources can still mount a strong defense against a wide range of cyber threats.
More than 150 attendees turned out Nov. 2 to hear CEO Aaron Warner of information security firm ProCircular discuss threat protection, and a panel of experts discuss everything from the growth in ransomware attacks to the dangers of using open Wi-Fi networks for sensitive data.
Fresh in everyone’s minds was the Oct. 21 distributed denial of service (DDOS) attack, during which tens of millions of devices were enlisted by hackers to send packets of information that interrupted web traffic at major web businesses including Twitter, Etsy and Spotify.
A consistent theme at this year’s event was what small businesses – many lacking their own IT staffs – can do to minimize their exposure to threats. They were steered toward valuable resources like the Small Business Information Security report from the National Institute of Standards and Technology for advice they can understand.
“If you learn nothing else today, it’s ‘back up your system,’” said Libby Benet of Beazley Product Solutions, a leading provider of cybersecurity risk insurance. She said businesses that keep their backups fresh won’t have to worry about paying ransoms to hackers who invade their systems and lock down their data, because they’ll still have the data available.
Jodi Selby, vice president of financial intelligence for Bankers Trust, moderated the expert panel that included Jim Sherlock, director of assessments privacy and security at Pearson; Ron Draganowski, director of application development and integration for RSM US LLP; Andrew Neller, information security manager and security official with Wellmark Blue Cross Blue Shield; Ms. Benet and Mr. Warner. The following is a collection of condensed takeaways from the panel session.
The Nov. 2 event at the Cedar Rapids Marriott was sponsored by ProCircular. Supporting-level sponsors included RSM US LLP, Pearson, Grinnell Mutual, Wellmark Blue Cross Blue Shield, Iowa Women Lead Change and KGAN CBS2/KFXA FOX 28.
On securing small businesses
Andrew Neller, Wellmark Blue Cross Blue Shield:
“You have one thing that these hackers will never have about your environment, and that’s the homefield environment. You should know your system better than any set of eyes in Russia that haven’t seen your company before. You should know how your system behaves and be able to detect that anomalous behavior.”
Aaron Warner, ProCircular:
“The biggest risk to any system, computerized or otherwise, is really the individual – sometimes not knowing what they’re supposed to be doing, sometimes not being armed with the information necessary to make the right call at any point in time. Enlisting your employees as partners in the organization to not only follow whatever rules are in place but protect the organization is really critical.”
On the proliferation of ransomware
Jodi Selby, Bankers Trust:
“It’s usually an innocent employee that’s browsing a website or clicking on something in an email and all of the sudden you have files that are locked up or encrypted, and to get that encryption key you have to pay [the attackers] in bitcoin… You can pay money, and maybe the encryption key you get might unlock your files … but you’ll probably need to hire someone to come in and unencrypt those files for you. It’s probably going to cost you probably a lot more than what the ransom is.”
Aaron Warner, ProCircular:
“Make sure you have solid backups in place. If you have a backup from 45 minutes ago, you really don’t care about [ransomware]. Maybe you lose a little trouble, a little bit of time, but you don’t have to pay some Russian hacker in bitcoin… You don’t have to do anything.”
On using open, public Wi-Fi networks
Ron Draganowski, RSM US LLP:
“If you’re just making casual use of your phone on the Wi-Fi network, it’s not a big deal. If you’re opening your work laptop and thinking, ‘I’m going to check my bank balance,’ that’s not a good idea. If you’re checking your bank, you need to be on a secure network. If I’m in a coffee shop and go to www.myfavoritebank.com, a malicious person out there in the parking lot may have taken over your signal and have a fake copy of that bank website. They put in your credentials and redirect you to your actual bank website… You may not notice that that happened, but you just gave away your bank credentials.”
On security in cloud computing
Jim Sherlock, Pearson:
“As it pertains to security, it’s kind of interesting, because the cloud, while it provides a lot of promise for organizations to be able to grow and scale dynamically … it also gives you, the owner, the power to shoot yourself in the foot much faster.”
Andrew Neller, Wellmark Blue Cross Blue Shield:
“A lot of people just assume it’s all just one big thing when you go to the cloud. There are different cloud providers who think very differently, so you don’t gain security just by going to the cloud… You really need to look at why you want to go into the cloud, what kind of cloud you’re going to and what are the areas for which you’re responsible.”
On compromised email accounts
Jodi Selby, Bankers Trust:
“They [criminals] take over the CEO’s email or spoof the email … and send an email to the CFO or somebody within the organization who has wiring capabilities, and tell them, ‘We just completed a big deal’ and to wire $286,000… We probably at Bankers Trust see this at least once a week from someone, where they’ll issue a wire and we get a call in an hour or two, saying, ‘Hey, we sent a wire and want it back – the CEO’s email was spoofed.’”
On the Oct. 21 DDOS attack
Aaron Warner, ProCircular:
“Typically, you associate an attack of that scale with a nation state – a Russia or a China, somebody like that. The evidence that is out so far points the fingers at some hackers. These individuals have tools that have historically only been available to nation states, and that a few individuals can cause such havoc on the internet, I think, is something a little bit different… A very small number of people are able to do some very huge damage, and in order to do something about it, it’s going to take a very combined effort, hundreds of thousands of people.”
Libby Benet, Beazley Product Solutions:
“I suspect because of the magnitude of this distributed attack we will see some kind of