Unlocking the secrets to cybersecurity

The CBJ’s Cybersecurity Power Breakfast panel included (from left) moderator Jodi Selby, of Bankers Trust; Libby Benet, of Beazley Product Solutions; Ron Draganowski, of RSM US LLP; Andrew Neller, of Wellmark Blue Cross Blue Shield; Jim Sherlock, of Pearson; and Aaron Warner, of ProCircular. PHOTO/ADAM MOORE


By Dave DeWitte

Speakers at the CBJ’s 2016 Cyber Security Power Breakfast said small businesses with sparse IT resources can still mount a strong defense against a wide range of cyber threats.

More than 150 attendees turned out Nov. 2 to hear CEO Aaron Warner of information security firm ProCircular discuss threat protection, and a panel of experts discuss everything from the growth in ransomware attacks to the dangers of using open Wi-Fi networks for sensitive data.

Fresh in everyone’s minds was the Oct. 21 distributed denial of service (DDOS) attack, during which tens of millions of devices were enlisted by hackers to send packets of information that interrupted web traffic at major web businesses including Twitter, Etsy and Spotify.

A consistent theme at this year’s event was what small businesses – many lacking their own IT staffs – can do to minimize their exposure to threats. They were steered toward valuable resources like the Small Business Information Security report from the National Institute of Standards and Technology for advice they can understand.

“If you learn nothing else today, it’s ‘back up your system,’” said Libby Benet of Beazley Product Solutions, a leading provider of cybersecurity risk insurance. She said businesses that keep their backups fresh won’t have to worry about paying ransoms to hackers who invade their systems and lock down their data, because they’ll still have the data available.

Jodi Selby, vice president of financial intelligence for Bankers Trust, moderated the expert panel that included Jim Sherlock, director of assessments privacy and security at Pearson; Ron Draganowski, director of application development and integration for RSM US LLP; Andrew Neller, information security manager and security official with Wellmark Blue Cross Blue Shield; Ms. Benet and Mr. Warner. The following is a collection of condensed takeaways from the panel session.

The Nov. 2 event at the Cedar Rapids Marriott was sponsored by ProCircular. Supporting-level sponsors included RSM US LLP, Pearson, Grinnell Mutual, Wellmark Blue Cross Blue Shield, Iowa Women Lead Change and KGAN CBS2/KFXA FOX 28.


On securing small businesses
Andrew Neller, Wellmark Blue Cross Blue Shield:
“You have one thing that these hackers will never have about your environment, and that’s the homefield environment. You should know your system better than any set of eyes in Russia that haven’t seen your company before. You should know how your system behaves and be able to detect that anomalous behavior.”

Aaron Warner, ProCircular:
“The biggest risk to any system, computerized or otherwise, is really the individual – sometimes not knowing what they’re supposed to be doing, sometimes not being armed with the information necessary to make the right call at any point in time. Enlisting your employees as partners in the organization to not only follow whatever rules are in place but protect the organization is really critical.”


On the proliferation of ransomware
Jodi Selby, Bankers Trust:
“It’s usually an innocent employee that’s browsing a website or clicking on something in an email and all of a sudden you have files that are locked up or encrypted, and to get that encryption key you have to pay [the attackers] in bitcoin… You can pay money, and maybe the encryption key you get might unlock your files … but you’ll probably need to hire someone to come in and unencrypt those files for you. It’s probably going to cost you probably a lot more than what the ransom is.”

Aaron Warner, ProCircular:
“Make sure you have solid backups in place. If you have a backup from 45 minutes ago, you really don’t care about [ransomware]. Maybe you lose a little trouble, a little bit of time, but you don’t have to pay some Russian hacker in bitcoin… You don’t have to do anything.”


On using open, public Wi-Fi networks
Ron Draganowski, RSM US LLP:
“If you’re just making casual use of your phone on the Wi-Fi network, it’s not a big deal. If you’re opening your work laptop and thinking, ‘I’m going to check my bank balance,’ that’s not a good idea. If you’re checking your bank, you need to be on a secure network. If I’m in a coffee shop and go to www.myfavoritebank.com, a malicious person out there in the parking lot may have taken over your signal and have a fake copy of that bank website. They put in your credentials and redirect you to your actual bank website… You may not notice that that happened, but you just gave away your bank credentials.”


On security in cloud computing
Jim Sherlock, Pearson:
“As it pertains to security, it’s kind of interesting, because the cloud, while it provides a lot of promise for organizations to be able to grow and scale dynamically … it also gives you, the owner, the power to shoot yourself in the foot much faster.”

Andrew Neller, Wellmark Blue Cross Blue Shield:
“A lot of people just assume it’s all just one big thing when you go to the cloud. There are different cloud providers who think very differently, so you don’t gain security just by going to the cloud… You really need to look at why you want to go into the cloud, what kind of cloud you’re going to and what are the areas for which you’re responsible.”


On compromised email accounts
Jodi Selby, Bankers Trust:
“They [criminals] take over the CEO’s email or spoof the email … and send an email to the CFO or somebody within the organization who has wiring capabilities, and tell them, ‘We just completed a big deal’ and to wire $286,000… We probably at Bankers Trust see this at least once a week from someone, where they’ll issue a wire and we get a call in an hour or two, saying, ‘Hey, we sent a wire and want it back – the CEO’s email was spoofed.’”


On the Oct. 21 DDOS attack
Aaron Warner, ProCircular:
“Typically, you associate an attack of that scale with a nation state – a Russia or a China, somebody like that. The evidence that is out so far points the fingers at some hackers. These individuals have tools that have historically only been available to nation states, and that a few individuals can cause such havoc on the internet, I think, is something a little bit different… A very small number of people are able to do some very huge damage, and in order to do something about it, it’s going to take a very combined effort, hundreds of thousands of people.”

Libby Benet, Beazley Product Solutions:
“I suspect because of the magnitude of this distributed attack we will see some kind of response to that, and really start to follow the European model – be distrustful first and trust second.”