Experts share cybersecurity best practices

Jessica Perry//February 28, 2022

Experts share cybersecurity best practices

Jessica Perry//February 28, 2022

According to Mike Bridges, president and chief operating officer of Paperclip Inc. – a tech company focused on secure document capture, processing and storage – as the third anniversary of COVID-19 approaches, businesses are also dealing with a “breach pandemic.” Even operations not on the scale of, say, the Colonial Pipeline, may not be safe.

Bridges spoke during a virtual NJBIZ panel discussion exploring cybersecurity on Feb. 22, joined by Karen Painter Randall, chair of cybersecurity, data privacy and incident response at Connell Foley LLP; Julie Tracy, vice president of cybersecurity at Withum; and Carl Mazzanti, co-founder and president of eMazzanti Technologies.

Ransomware attacks, for example, are proliferating. According to Randall as many as 4,000 take place each day. And that adds up in dollars and cents, as well. A Financial Crimes Enforcement Network Financial Trend Analysis covering the first six months of 2021, found that the value for ransomware-related transactions reported in suspicious activity reports, or SARs, was at its highest since 2011: $590 million – or a 42% increase – compared to 2020.

Maybe you think being a smaller-scale operation can inherently protect you from being a target. But according to Randall, that’s no longer the case. “Unfortunately, in this day and age, these attackers are focusing on the small- to medium-sized businesses,” she said.
And even if you think your business – a hair salon, for example – doesn’t deal in the kind of data bad actors are looking for, you must account for the kind of information you have on hand.

“People need to sit down and classify the electronic data they have,” Bridges said. “Do I capture any non-public information? Or is there any personal information that I’m collecting, in the conduct of my business? Because that’s going to be a big defining line.”

And, Bridges cautioned, it’s important to remember that once you capture that data, you’re on the hook for it.

“[W]hen you get into the areas of a breach that’s when people are able to steal confidential information that you’re entrusted to protect. … [I]f you’re collecting confidential information you are considered the data owner, and you’re ultimately responsible. Even if you hire someone or take information and put it … into a third party, they are considered the data holder.

And if the data holder has data that’s extricated, you’re on the hook.”

Help on the way

So what can you do? Mazzanti says start building.

“Defense and depth … the idea is you layer it, like a cake … Here’s one device, and if it got through that then there’s another one below that, there’s another one below that,” he said. “So when we mention firewalls, email security, endpoints on the devices, DNS security for outbound request — you can layer on a whole bunch of different technologies so that no matter which ones fail, it would be very difficult to go through all of them and then have some sort of outbound result take place.”

Password tips from the pros:

  • The longer, the better.
  • Use it and lose it: Once a password expires don’t recycle it, anywhere.
  • Those computer-generated passwords, “fantastic.”
  • Passwords are passe, try out a “passphrase” instead.
  • Definitely don’t use your go-to. Also, don’t have a go-to.
  • All your passwords should be unique.
  • Don’t share your passwords over chats, “it’s the new email vulnerability.”
  • Passwords work best with other protocols in place.
  • There’s no better password than education.

Maybe all those layers sound expensive – even more likely, they probably sound confusing. According to Tracy, when it comes to costs – and confusion – there are options. Like, hiring a qualified consultant instead of bringing someone into your organization full time. Another important precaution is to figure out where you stand with a business impact analysis.

“Saying, OK, so this is my business, this is what it costs me … if I were to have a breach, these are the things that could happen and so really looking at it in a dollars and cents perspective from people, and not just a firewall … But understanding that those costs are investments in securing what is most precious to them and helping them keep those costs in line with our business,” she said.

After you have your layers in place, it’s important to test your work.

“Once people start to layer these defenses – the firewalls, features, email filtering, the endpoint MFA [multifactor authentication] and the like – you need a se-curity test. Like a pen test or assessment or something out of the environment to point out all the things that you don’t do,” Mazzanti said.

No, the other MFA

If you’re in search of some further peace of mind, there’s also cyber insurance. But that investment doesn’t mean you can forgo those other defenses.

According to Randall, “the insurance market has really hardened with regard to cyber liability.” What used to be a simple application process – “someone in the organization would fill it out, submit it and … get pretty decent coverage” – has evolved to develop layers of its own.

But, as Mazzanti pointed out, the insurers want you to have your defense and depth – those layers – in place. And these days, even if you have cyber insurance, you better also have MFA.

Covering your bases

When it comes to insurance, Randall offered two tips to make sure you’re getting the coverage you  need.

First, not all brokers are created equal; make sure you work with one who specializes in cyber liability protection. Second, try to protect it with attorney-client privilege.

“[A]t least include them on the team that is going through the application to … find the right answers,” she said. An important piece of the puzzle
as applications become more and more granular. “If you make a misrepresentation on these applications that later surfaces, you could lose coverage for [a] pretty significant incident.”

Alas, as coverage has become more complicated, new policies also include less of it–and come with coinsurance, which means you’re on the hook
for part of any ransom your company may pay.

“[H]ave, you know, certainly the right team to understand what you’re getting and what you’re not getting if you don’t have insurance and you’re uninsured,” Randall said.

“You know, in a lot of cases you go out of business, quite frankly.”

“You know, I feel like that’s a hero skew for 2022,” Mazzanti said. “[Y]ou can’t renew your cyber security policy any longer [without it], it’s a table stakes … [Y]ou can’t get cyber insurance if you don’t have them.”

Multifactor authentication is why you get a text message, or an email, with a code to enter when you log into your credit card account, for example. Basically, you’re letting the operator know that you are, in fact, you. So you’re probably already familiar with MFA, and even better, “[i]t’s not terribly expensive to implement that and understanding what that is,” Tracy said.

If things don’t seem easy to understand – or even if they do – training and developing good habits cannot be underestimated. Learning how and where you’re vulnerable, and doing the simple things – like choosing the right password – can help.

“The bad luck clicking on bad links is one thing,” Bridges said. “Getting your people to use strong passwords is another. You’d be surprised to know the differ-ence between an eight character, a nine and a 10 character password and how long it takes to crack it.”

In an ever-increasingly digitized world, making sure you’re not ignorant to what’s going on with your cybersecurity and taking a proactive approach to protect your information can be the biggest boon to making sure you’re not vulnerable.

“You’re not going to be judged as much by the cyberattack because the number of cyberattacks are increasing on a daily basis,” Painter Randall said, “but you will be judged by the response effort.”

Want more? You can register to watch the entire NJBIZ Cybersecurity Panel Discussion njbiz.com/webinars