Cybersecurity forum spells out risks to small businesses
NH Business Review event stresses the importance of preventive measures
‘Some small businesses don’t believe they have a need for [cybersecurity] until they get hacked,’ keynote speaker Jeff Bardin told participants at the NH Business Review-NH High Tech Council forum on cybersecurity.
Photo by Jodie Andruskevich
Even the smallest businesses are at risk of a security breach — in fact, those businesses may be the most vulnerable to cyberattacks.
That’s according to Jeff Bardin, chief intelligence officer of Treadstone 71. Bardin was the keynote speaker for NH Business Review and NH High Tech Council’s second Executive Series Forum on Cybersecurity, which took place Tuesday at the Radisson Hotel in Manchester.
“Some small businesses don’t believe they have a need for [cyber intelligence] until they get hacked,” Bardin said during his presentation.
Bardin and panelists at the forum outlined reactive and preventive actions for such potential threats as a data breach or a ransomware situation, which occurs when a hacker breaches a business system and installs an encryption code that can’t be unlocked until the business pays a ransom.
According to Bardin, 50 percent of small businesses think they are too small to be a target of cyberattacks like these. However, 40 percent of cyberattacks are aimed at companies with 500 employees or fewer.
He warned that ignoring security threats because of biased thinking, like “we’re too small to be hacked,” can end up greatly increasing security risks for a business.
“Some of the problems we go through with critical thinking relative to intelligence is that we don’t think clearly and logically,” Bardin said. “We look at the problem as too big to tackle.”
A ‘common language’
Cybersecurity expert and panel moderator Candy Alexander said that breaches happen overwhelmingly through two common problems: when a system has not been properly patched or when employees’ credentials are stolen or hacked.
Panel member Todd Waskelis, head of AT&T’s security consulting business, outlined more specifically what he thought to be the number one entry point for malware: social engineering, as when an employee receives an email with a suspicious link that contains the damaging software.
Waskelis suggested using an email system that effectively filters spam and malware and employing cloud web security services, in which a third party performs internet-based filtering of inbound and outbound traffic on a business’ server.
He also stressed the importance of teaching employees about the danger of such emails.
Other panelists emphasized how vital it is for IT workers to collaborate with the rest of the company for greater safety.
“Security is not real fun,” said panelist Ryan Barton, founder of the IT services firm Mainstay Technologies. “It’s sometimes difficult to get the entire organization involved. But it’s a collaborative effort, not just IT’s responsibility.”
According to Waskelis, “We have to have a common language. We have IT people talking about ‘security,’ and we have businesspeople talking about ‘business risk,’ so we have to get a common ground. So the IT department really has to … start thinking about business risk.”
Bardin and the panel members also kept returning to the importance of “the basics.”
“If you build it, secure it,” Bardin said. That’s a short way of saying that every system should be built with security in mind from the start, not built and then saddled with an ill-fitting security system afterwards.
Five easy questions
During his presentation, Bardin also outlined five easy questions that businesses can ask when beginning to revamp their security:
• What sensitive data does your company maintain?
• Where does this data reside?
• Who has access to this data at each location listed?
• If this data was modified, destroyed, or discovered and disclosed, would the company survive?
• What are you doing to protect this data and what will you do after today?
Even though making a business secure can be daunting, Barton also suggested that a few small steps can make a huge difference, despite the sophistication of modern technology.
“It’s becoming increasingly challenging to be aware of the risks and mitigate them,” he said. “But a few simple, repeatable things you can do in your organization, like training, patch management, data filtering and good email security, can mitigate the vast majority, but always be doing what you can to understand [your risk].”
Alexander summed up the speakers’ thoughts when she said, “It really comes down to the basics. Change your damn passwords, patch your systems and look at the basics. There are a lot of resources in New Hampshire, so don’t be afraid to reach out.”
Some of the resources outlined by the panelists included the National Institute of Standards and Technology, the Center for Internet Security, the U.S. Small Business Administration and the Verizon Data Breach Investigations Report.
Joanne Stratoti, president of The Business Clinic, said she attended the forum to learn more about keeping clients’ data safe when it is stored in the cloud.
“Computers are so vulnerable, and it’s scary when you have sensitive data,” she said. “We’re responsible when our clients’ data is compromised … But if we can keep our breaches to a minimum, we’ll be better for it.”