The FBI’s Internet Crime Complaint Center logged more than 791,790 reports of suspected internet crime, the agency announced in 2021, with losses exceeding $4.2 billion. New Jersey ranked No. 9 for the number of victims, so business owners are increasingly realizing that it is not a matter of if they will be attacked — rather it is when. The key, however, is to make it difficult for the hackers to penetrate your systems, increasing the odds that they will skip over your firm and move on to an easier target.
Unfortunately, securing systems is not simple. It can be done and it does not have to break the budget, but to be effective, a security approach should be thorough, deep, and comprehensive.
We call it a defense-in-depth strategy: your devices and protections are layered, like a cake, with tailored protective solutions for one device and different solutions for the connected devices above or below it. That is because cybercriminals have so many entry points, including email (a favorite target), accounting systems, and APIs, or application programming interfaces, the plumbing that ecommerce is built on, which let your products and services communicate with other products and services without building each connection from scratch. With so many entry points and so many evolving threats, business owners simply do not know what is coming next.
The threats are especially acute in today’s interconnected environment, with lengthy and complex supply chains that interact with multiple APIs. In one case, a managed security service provider’s systems were compromised, and the virus quickly spread to its clients, infecting and locking out more than 2,000 users in just one day.
To provide some level of protection, businesses need a good security plan. An effective one will be custom developed to meet the needs and vulnerabilities of each specific business, but there are some common basics.
One starting point involves MFA, or multifactor authentication. This adds a layer of protection — by adding a step — to the sign-in process before email and other accounts or apps can be accessed. With MFA, a user is prompted to provide additional identity verification, such as scanning a fingerprint or entering a code received by a phone or other device.
The zen of cybersecurity
Developing and implementing an effective cybersecurity plan is not just about hardware and software. It also involves attitude.
A company needs buy-in from top executives. When C-suite execs do not personally embrace necessary policies and procedures, it sets a bad example for everyone else and may leave a gaping hole in a company’s cyber-defenses. And it exacerbates vulnerabilities, because when a CFO, for example, gets roped into a cyber-scam, the odds are that he or she will not suffer for it.
Get a second set of eyes to review your framework. No matter how diligent you are about designing your cyber-defense, it pays to have an outside consultant take a look. A qualified consultant can review your systems and check for vulnerabilities with a penetration test, or ethical hack.
Once your system is in place, review it, maintain it and upgrade it. The best cyber defense will only work properly if it is used properly. Today’s remote work environment means that there are unprecedented entry points to a business’s data files, so policies should be in place, and enforced, requiring laptops and other devices to meet minimum security standards before they can be connected to the company’s network. And these policies, as well as the cyber-defenses themselves, should be periodically reviewed, tested and upgraded. Remember, cybercriminals keep evolving, so businesses have to do the same.
Strong passwords are another basic. Individual hackers and state actors alike have advanced tools to crack simple, and in some cases not-so-simple, passwords, but many business owners continue to use combinations (like 1234) or names, like their mom’s maiden name, which are easily cracked. Machine-generated passwords, which can run up to 100 characters, are fantastic, but people have trouble remembering them and often change them the first time they are used, or they end up writing the long passwords down on a Post-it Note that is left on desks or other accessible areas. Recently, when I was on a videoconference with a CEO, I could not help but notice that he had a password written on a board that was clearly displayed on the call. So for daily use, one option is to use words that are easily remembered, but in a string that would not occur in normal use, like “surfboard string building.”
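To put numbers on the comparison above, here is an added example (not from the article or its author) that estimates how much guessing work a short numeric PIN, a name-based password and a random multi-word passphrase each impose on an attacker. The word-list size is an assumption (7776 words, the size of a common diceware-style list) and the weak-pattern check covers only the patterns the article names.

```python
import math
import re

# Assumed size of the word list the passphrase words were drawn from at random
# (constructed assumption, roughly a diceware-style list of 7776 words).
ASSUMED_WORDLIST_SIZE = 7776


def charset_size(password: str) -> int:
    """Size of the smallest character class set that covers every character."""
    size = 0
    if re.search(r"[a-z]", password):
        size += 26
    if re.search(r"[A-Z]", password):
        size += 26
    if re.search(r"[0-9]", password):
        size += 10
    if re.search(r"[^A-Za-z0-9]", password):
        size += 33  # printable ASCII punctuation and space
    return size


def brute_force_bits(password: str) -> float:
    """Bits of work if every character position must be guessed independently."""
    size = charset_size(password)
    return len(password) * math.log2(size) if size else 0.0


def passphrase_bits(phrase: str, wordlist_size: int = ASSUMED_WORDLIST_SIZE) -> float:
    """Bits of work for a space-separated passphrase of randomly chosen words.

    This is the honest figure for a passphrase: the attacker guesses words,
    not characters, so only the number of words and list size matter.
    """
    return len(phrase.split()) * math.log2(wordlist_size)


def is_obviously_weak(password: str) -> bool:
    """Flag the patterns the article calls out: runs like 1234 or very short secrets."""
    digits = "0123456789"
    if password.isdigit() and (password in digits or password in digits[::-1]):
        return True  # sequential digits in either direction
    return len(password) < 8


def compare(candidates: list[str]) -> dict[str, float]:
    """Return a conservative bits estimate per candidate (0 for obviously weak ones)."""
    result = {}
    for c in candidates:
        if is_obviously_weak(c):
            result[c] = 0.0
        elif " " in c:
            result[c] = passphrase_bits(c)
        else:
            result[c] = brute_force_bits(c)
    return result
```

Running `compare(["1234", "Smith", "surfboard string building"])` shows the PIN and the single-name password flagged as weak while the three-word phrase scores about 39 bits under the word-list assumption.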
Other cyber-defenses include firewalls, the network security systems that monitor and control incoming and outgoing network traffic based on preset security rules; email security; behavior-centric threat detection-and-response security on endpoints like laptops, smartphones, servers and other devices that communicate with networks; and DNS (domain name system) security that can help prevent users from visiting dangerous sites or keep malware from communicating with its operator. This layered approach is designed to keep users and data secure even if one or more individual systems are compromised.
In addition to reducing the chance of suffering a time- and money-draining attack, business owners have other incentives to enhance their cybersecurity. Insurers, for example, have tightened their underwriting standards and increasingly require businesses to attest to (and often prove) that they meet a variety of cybersecurity standards. Companies that fail to meet them may find they cannot renew existing policies or get new ones.
And government agencies that contract with firms are increasingly pushing cybersecurity down the supply chain, to the point where a small company that makes a minor component may no longer qualify for a contract if they cannot prove their systems are adequately protected. This trend is likely to accelerate and expand as “smart” medical and other devices proliferate.
Even unregulated industries like beauty salons, lawncare companies, and just about any business that has liability insurance and processes credit card transactions, can benefit by having a sound security framework in place. Even if they never sell to the Department of Defense, an in-place cybersecurity framework will increase their chances of obtaining and renewing their liability policies and, if they ever are hacked, will offer a better defense.
And remember that hackers, like business owners, generally follow certain sustainable principles: they want to maximize their revenue stream over the longest period possible. Legitimate companies do this by providing quality goods or services at competitive prices that encourage client loyalty and retention. Cybercriminals, however, often do it by snaring a victim — usually by locking up their files — and then demanding a payment to release the data. And once they get the first payment, they are likely to stick with that “good customer,” and target them again.
Carl Mazzanti is the president of eMazzanti Technologies in Hoboken.