This month marks the 20th occurrence of Cybersecurity Awareness Month, an annual awareness campaign underscoring the importance of proactive, diligent cybersecurity in both the public and private sectors. Two decades after its inception, the monthlong effort has evolved to keep pace with the breakneck speed at which technological innovation and advancement move, and is now a truly collaborative effort between government and industry to reduce online risk and facilitate discussion about today’s cyber threats.
South Jersey is not without its own crop of tech experts sharing their own areas of expertise and passion for being on the cutting edge of modern technological defenses. And while an individual security breach is frightening enough, ensuring the cyber safety of the region’s businesses is especially important, as one compromised organization can spell disaster for entire swaths of teams, clients and end users, many of whom might not even be aware of the risk for days after it happens.
Cybersecurity is a multipronged, ever-evolving practice, with its actual application and suite of defenses being inherently specific to a company’s needs, size, industry and more. But there are a number of best practices and educational approaches that apply to anyone doing business in a world full of hackers, phishers, spoofers and other malicious entities who are always seeking new and unfamiliar ways to capitalize on any vulnerability in cybersecurity they can find—which is, more often than not, a human error born of being caught off-guard or launched into panicked action.
“People should be using artificial intelligence-based cybersecurity that can read an email and give you a red banner, or give you an alert, or look for VIP impersonations,” notes Timothy Guim, president and CEO of PCH Technologies. “A human being is not always going to be as cognizant of that or figure out that this email’s coming from a Gmail address and not the actual company it claims to represent. That’s why I think using AI as one area of your cybersecurity is really important.”
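The sender check Guim describes, a message whose display name claims to be a colleague or the company while the address actually comes from an outside or consumer mail domain, can be reduced to a few concrete rules. The following Python is an added illustration and is not code from the article, from PCH Technologies, or from any product it mentions; the company name, domain, executive names, free-mail list and the sample headers in the demo are constructed for the example.

```python
import re
from email.utils import parseaddr

# Constructed values for this example (hypothetical organisation and executives).
COMPANY_NAME = "Example Corp"
COMPANY_DOMAIN = "example-corp.com"
VIP_NAMES = {"jane doe", "john smith"}

# Consumer mailbox providers frequently used by impersonators (constructed list).
FREEMAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}

# Phrases that try to override a reader's closer assessment.
URGENCY_PHRASES = ("urgent", "immediately", "wire transfer", "gift card", "lawsuit")


def _normalize(text: str) -> str:
    """Lower-case and keep only letters and spaces so 'Jane  DOE' == 'jane doe'."""
    return re.sub(r"\s+", " ", re.sub(r"[^a-z\s]", "", text.lower())).strip()


def _edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, used to spot lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_sender(from_header: str, subject: str = "") -> list[str]:
    """Return the reasons a red banner should be shown; an empty list means none."""
    display_name, address = parseaddr(from_header)
    domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    name = _normalize(display_name)
    reasons = []

    if domain and domain != COMPANY_DOMAIN:
        # An executive's name on an external address: classic VIP impersonation.
        if name in VIP_NAMES:
            reasons.append(f"executive name '{display_name}' on external domain {domain}")
        # Claims to be the company but was sent from a consumer mailbox.
        if _normalize(COMPANY_NAME) in name and domain in FREEMAIL_DOMAINS:
            reasons.append(f"claims to be {COMPANY_NAME} but sent from {domain}")
        # The domain is a near miss of the real one (e.g. one swapped character).
        if 0 < _edit_distance(domain, COMPANY_DOMAIN) <= 2:
            reasons.append(f"lookalike domain {domain} resembles {COMPANY_DOMAIN}")

    # Urgency alone is not proof, so it is only reported alongside a sender problem.
    hits = [p for p in URGENCY_PHRASES if p in subject.lower()]
    if hits and reasons:
        reasons.append("urgency language: " + ", ".join(hits))
    return reasons


if __name__ == "__main__":
    # Constructed sample headers: one legitimate, three impersonation attempts.
    samples = [
        ('"Jane Doe" <jane.doe@example-corp.com>', "Q4 budget review"),
        ('"Jane Doe" <jdoe.ceo@gmail.com>', "Urgent: wire transfer today"),
        ("Example Corp Billing <billing@examp1e-corp.com>", "Invoice overdue"),
        ("Example Corp Support <example.corp.support@gmail.com>", "Password reset"),
    ]
    for hdr, subj in samples:
        banner = assess_sender(hdr, subj)
        print(f"{hdr!r:60} -> {'RED BANNER: ' + '; '.join(banner) if banner else 'ok'}")
```

The rules are deliberately conservative: internal mail is never flagged, and urgency wording only strengthens a banner that a sender mismatch already justified, which keeps the false-positive rate low enough that staff keep reading the banners.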
Preying on human emotions is frequently the driving force behind increasingly sophisticated tactics, which exploit the way fear and a pretense of requiring immediate action undermine the rational thinking that would otherwise set off mental alarms at the threshold of a potential cyberattack. No longer just the instantly recognizable scams of Nigerian prince beneficiaries or a supposed distant relative in need of help, today’s biggest risks come from socially engineered phishing attempts: malware or ransomware infiltration disguised as a link from a trusted colleague, AI-generated impersonations made to appear or sound like a CEO’s directive, text messages made to look like a legitimate company’s outreach, and anything playing up a sense of urgency to override a target’s closer assessment, like money owed to a service provider or an angry email screed threatening a lawsuit over copyright infringement with a link to the allegedly offending page that, instead, launches the digital attack.
Since those modern-day Trojan horses are designed to find any point of ingress, whether it’s a manmade weakness or by sheer force, industry experts emphasize that a good cybersecurity program relies heavily on employee education—and begins at the top, with company decision-makers reinforcing the critical role that constant vigilance and frequent refreshers play in securing a company’s digital fortress.
“The emphasis is going to be on minimizing the risk of being attacked as opposed to stopping all attacks, because you’re never going to stop an attack but you can take steps to minimize your risk,” explains Vin Spinelli, CEO of VSpine Networks & Advisors, LLC. “One of the primary ways of doing that is through education and training. This is key. You need to teach your employees that if it looks too good to be true or it looks suspicious, it probably is. … There are companies that provide managed security services and have automation tools that help clients with security awareness training, mandatory online training at your own pace.”
That education, just like the field of cybersecurity itself, must be a many-layered, hands-on approach to have any chance of truly safeguarding an organization against outside attacks—attacks that experts concede are less of an “if” and more of a “when,” given the sheer number of bad actors trying to infiltrate anyone’s digital defenses at any given time and the variety of threats at their disposal.
Which is why Art Leiby, president of The Lerepco IT Group, is concerned about how often he sees companies not fully and proactively attempting to secure the virtual doors to the building, especially since he says that roughly 90% of successful data breaches start with phishing emails.
“It still involves good old things like firewalls but now it might involve firewalls actually running on each of the clients because people are working remotely instead of in the brick-and-mortar offices, or involve DNS and web-filtering-type software on their machines, or, instead of anti-virus tools, having very sophisticated EDR—fancy words for advanced security tools—on the client’s PC that actually capture and report all those events out in some centralized stored area so forensic teams can monitor them 24/7 and quarantine them if something’s going on,” he says. “It’s just not about spam anymore: It’s about detecting a phishing simulation or impersonation.”
After all, documents, information and money aren’t the only things at risk if a company’s cybersecurity is compromised: Its reputation can take a significant hit, too—Leiby notes that studies indicate that an estimated 83% of U.S. consumers said they would stop patronizing compromised companies for several months after an incident, while 21% said they would never again return to the business in question.
Losing the trust of loyal customers and clients is one more hurdle to clear in a long and expensive recovery process that typically includes reporting the breach, consulting with advisors like your legal and insurance teams, and informing clients, patients and employees that their sensitive personal data may be exposed to a nefarious force.
The upfront cost of investing in top-notch, many-layered cybersecurity might seem a little daunting at first, but experts advise to consider the price of the alternative.
“You want to spend a little more on an ounce of prevention than invest in a pound of the cure, because remediation and recovery are expensive,” Spinelli points out. “We know of a company that was ransomed for $1.2 million. The FBI negotiated it down to $500,000 but when all was said and done, this company spent $1.6 million on the recovery and remediation. So spending $30, $40,000 a year on protection for a small or medium-sized business is a drop in the bucket compared to what you’re paying
One of the most glaring errors an organization can make is assuming that since it is a small business, its comparatively smaller presence makes it essentially invisible to hackers surely seeking a bigger payload. Instead, mom-and-pop shops are essentially sitting ducks for bad actors, since their budgets rarely allow for impenetrably reinforced cybersecurity and their faulty belief that no malicious forces are targeting them means they operate with lowered defenses.
With cybersecurity being an increasingly imperative part of a company’s operations and budget, it similarly necessitates a prominent place in recovery plans and emergency drills, as well as regular hands-on stress tests designed to internally zero in on holes in one’s digital armor before an infiltrator can. Just as you should have preventative, proactive and post-event policies in place for any other disaster, as well as backups, a company needs both a roadmap for minimizing cyber threats and a response plan for when those issues do rear their ugly heads.
“Each individual company needs to do an IT risk assessment to understand where their cyber risks are and to put in the big mitigating factors in people, process and technology to protect the organization,” says Guim. “It comes down to the managers to have the proper policies and procedures in place, implement cybersecurity awareness training, and then for the end users who take the training, to follow the company’s policies and procedures so they don’t put themselves or the company at risk.”
Leiby does advise that, at this point, organizations do need to go even further with their cybersecurity philosophies, taking them beyond the given of implementing a stacked cybersecurity system and into more advanced concepts. It’s taking a higher-level approach that will continue to advance the effectiveness of cybersecurity while continually promoting the importance of education, implementation, diligence and vigilance all working together to optimize an organization’s digital safeguards.
“How can companies avoid falling victim to sophisticated threats? One of the terms we use today is ‘zero trust,’” Leiby says. “A tool we use, ThreatLocker, is installed on clients’ PCs: If something isn’t explicitly approved to be used, it won’t allow it to run. An end user can request access if it’s a legitimate piece of software they need to download, but unless it’s approved, it won’t be able to unless it’s explicitly stated. ‘Zero trust’ means we’re going to try and be proactive against everything and, for us, is the current standard.”
Published (and copyrighted) in South Jersey Biz, Volume 13, Issue 10 (October 2023).