In our daily lives, we check email and use social media, enter personal credit card information to buy birthday and Christmas gifts and freely offer up our bank account numbers to pay phone bills and mortgages online.
We do these things under the impression of security, assuming that the websites we are using are protected and our private information is safe to share and store.
Companies, both small and large, conduct their business much in the same way, except on a grander scale. There is not just one person’s private information to worry about; in some cases, there are thousands or tens of thousands.
According to the Identity Theft Resource Center, 2015 had the second highest number of data breaches in the United States since the center began tracking breaches in 2005. Of the 781 data breaches, nearly 40 percent were publicly reported from the business sector, followed closely by the health and medical sector.
If you think that number is small, or that you’re protected because you’re only one person or one business, check out this number given to us by Dr. Christopher Rodriguez, the director of Homeland Security for the state of New Jersey. The Garden State Network—consisting of the NJ.gov domain that includes all state departments and agencies—gets about 1.4 billion malicious attempts a day that officials block, Rodriguez says.
“Our folks are very busy,” says Rodriguez, who is in charge of the New Jersey Cybersecurity and Communications Integration Cell (NJCCIC) sect of Homeland Security.
The big push now, and going forward, is for protection, since the bad guys may always be one step ahead of the good guys. And the key is to be as proactive as possible. Experts say it’s critical to not only have a solid IT department, but also a cybersecurity plan in place, no matter the size of your company or how many employees you may have.
David Suleski, president and founder of TechStarters, a Cherry Hill-based full service IT company started in 2010, says 10,000 to 15,000 businesses per week are hit with some sort of ransomware. Ransomware is malicious software that blocks access to a company’s computer network or system until an amount of money is paid to the clandestine criminals.
These viruses can shut down hard drives, steal information and virtually cripple networks unless a ransom is paid, usually within a set amount of time. The ransomware messages usually come in the form of unsolicited emails or downloaded attachments.
IT departments that do not specialize in cybersecurity are just not enough for protection, Suleski says.
“You don’t want to be the low-hanging fruit,” he adds. “In South Jersey, there are a lot of companies so local that you would never know [they get hit with threats] because all you hear about are the big guys. It hits a ridiculous amount of businesses around here. Ransomware is devastating. If the business doesn’t have a proper backup, they are dead in the water.”
And sometimes, companies will even get hit with two ransoms, something Terri Rossi, co-founder of PICS iTech, a technology consulting firm based in Mount Holly, has seen before. These cyber criminals oftentimes will send a malicious email, infect the system and then send another one, hoping they get a second click. Sometimes, they do.
Concern for the future, says Rossi, is that more items are connected to one another and going online. There are computers, cellphones, tablets, webcams and a host of websites and data-sharing programs that companies do on instant messaging or email services.
“Every company has had a raised awareness in their information security programs because I think there’s a heightened awareness because of all the breaches that have made headlines,” says Joyce Brocaglia, founder and CEO of Alta Associates, based in Flemington. “Companies in the past didn’t really care as much about information security. They are now recognizing they can be affected.”
Alta works to place security professionals in careers with companies across the country in the fields of insurance, health care, financial services, pharmaceutical, retail and more. It’s quickly becoming a hot job.
“It’s a trend that more companies are hiring information security officers and building more in-house security departments where they are centralizing a security function,” Brocaglia says.
She adds that there is just about zero unemployment in cybersecurity. Experts account for about 10 percent of all IT jobs, she says. And, she adds, the demand for security professionals is expected to grow by 53 percent by 2018.
One area where all the experts agree is that having a standard IT department just isn’t adequate.
“It’s definitely not enough,” Brocaglia says. “These companies are already drinking from a fire hose. They aren’t specialized enough to do the type of deep dive into specific information security issues. They think of it as just the hacking piece of it. But it covers a much broader area.”
Rossi says that in the past, for small- and medium-sized companies, a firewall and anti-virus software was enough.
“That’s really not the case anymore,” he says.
Another trend Rossi is seeing is that clients and shareholders are questioning companies about their cybersecurity protections. They want to make sure they are protected, too, Rossi says.
Smaller companies within South Jersey simply may not have the budgets, or even the needs, for a cybersecurity expert, but those security and IT companies that offer protection are also offering what they say is the best bet against online criminals: education.
“Being proactive is key,” says Suleski. “It all starts with company policy. Implementing a solid security policy for each company is a foundation. You must train employees on best practices. What that means is not sticking USBs into a computer and making sure employees can better recognize not to click on links they don’t know in their email.”
Phishing scams are the most common. They are attempts to acquire social security numbers, credit card numbers, passwords and more. They typically come as emails and disguise themselves as legitimate senders or websites. They also come more often during tax season, to both businesses and individuals.
Sometimes, IT or cybersecurity companies who work with businesses will send a phishing email to employees to see who will click on it. Rodriguez says this isn’t to “name and shame,” but a way for security experts to see where they need to educate and train people a bit more.
David Humphreys, security consultant for Avasek, a Cherry Hill-based cybersecurity firm, suggests mandating a yearly education video on cybersecurity for employees. And, he says, using NJCCIC is key.
NJCCIC was formed last year and is the country’s first operations security cell. It’s New Jersey’s one-stop shop for cybersecurity information sharing, threat analysis and incident reporting. Rodriguez is a former senior analyst in the counterterrorism unit of the CIA. He headed a unit that handled global economic and energy security. He’s taken his expertise to running New Jersey’s program, which helps with security efforts all over the country. And he’s seeing a big charge of the group’s services among smaller businesses in the Garden State.
“We have a lot of demand for our services among the small- and medium-sized businesses. We’re constantly pushing information. Some don't necessarily have the budget or expertise for IT. We have been able to show value in training and employee awareness.” Rodriguez calls these smaller businesses “the vulnerable majority.” He also says health care is the No. 1 target for cyber attacks. That’s because these criminals can get access not only to names and addresses but also to social security numbers, medical histories and their family information. He says that health care records are about three times more valuable on the black market than financial records. And with strict HIPAA laws, confidentiality and security of health care information is only going to get more important.
“There is a big push right now to trickle down enforcement of HIPAA compliance so it becomes more of a state enforcement, not just a federal enforcement,” Humphreys says.
Rodriguez and NJCCIC offer up some more ways that companies—and individuals—can help protect themselves. In addition to not clicking on unidentifiable links or opening attachments from strange addresses, he advises people to frequently change their passwords and not have the same one for every site they manage. Companies that use instant messaging services can also enact a two-step verification process to protect confidential information they may be sharing.
“That is going to be de facto going forward,” Suleski says, “to have multiple layers of authentication, especially for sensitive data. I can’t emphasize how important that is.”
Rossi adds to that list to keep your operating system up to date, whether you use Safari, Firefox, Chrome or others. Always have good anti-virus software and if you’re not expecting an email attachment through your work email and you get one, just delete it.
“Companies should definitely look at their environments. We’re not big fans of inflicting uncertainty and doubt. We’re not trying to [use] scare tactics. But there is a level of responsibility,” Rossi says.
But it can be hard to convince companies that cybersecurity is a real issue that could affect them, especially if it hasn’t yet.
Humphreys says that more and more people are starting to talk about cybersecurity, but not enough are really acting on it yet.
“A lot of times, they view it as an insurance policy,” says Humphreys. “They don’t take the time to educate themselves. That is the challenge we have now. It’s not about acknowledging, it’s about acting upon it.”
Steps employees and individuals can take to keep themselves safe are key but so is education on the part of the experts. With new technology and legislation always on the horizon, these IT and security experts have to keep themselves informed so they know what they are dealing with and what to look for.
“It’s literally non-stop,” says Suleski. “There is constantly continued education for it. [Cybersecurity experts] always bounce ideas off of each other. We’re always aware. We’re always educating ourselves in ways that we can help our clients.”
With that education comes new legislation. Most of the challenges experts in cybersecurity face are on the state level, Rodriguez says. But, at the federal level, he says he’s hoping there’s legislation passed ensuring that businesses and those in the private sector will not be punished for reporting cyber incidents to the government.
NJCCIC has met with members of the New Jersey Business & Industry Association and the New Jersey Hospital Association to help spread the word of potential dangers and how there is free help out there at the state level.
“Our view is that if we can share information, share intelligence, provide training and situational awareness, we can raise the barriers for entry from malicious people,” Rodriguez says.
On the NJ Cybersecurity website, anyone can log on and get information about ransomware threat profiles, chip card technology, the trending industries that could be threatened with hacks or malicious emails, a way to report threats, types of cyber threats, tips on keeping your business and yourself protected and so much more.
There’s also an indicator for New Jersey’s current cyber alert level, which can range from low to severe. Businesses and individuals can gain free membership to get alerts, training notifications and more.
“You are never going to be 100 percent safe, because no one ever can be, but there are steps you can take,” Rodriguez says.
Published (and copyrighted) in South Jersey Biz, Volume 6, Issue 12 (December, 2016).