Layering your defenses: NJBIZ panel explores cybersecurity concerns

Small- and medium-sized businesses can't afford to ignore cyber threats

Jessica Perry//February 23, 2022

According to Mike Bridges, president and chief operating officer of Paperclip Inc. – a tech company focused on secure document capture, processing and storage – as we approach the third anniversary of COVID-19, we also find ourselves amid a “breach pandemic.” And even if your business isn’t operating on the scale of, say, the Colonial Pipeline, that doesn’t mean you’re safe.

Bridges spoke during a virtual NJBIZ panel discussion exploring cybersecurity on Feb. 22, joined by Karen Painter Randall, chair of cybersecurity, data privacy and incident response at Connell Foley LLP; Julie Tracy, vice president of cybersecurity at Withum; and Carl Mazzanti, co-founder and president of eMazzanti Technologies.

Ransomware attacks, for example, are proliferating. According to Randall, as many as 4,000 take place each day. And that adds up in dollars and cents, as well. A Financial Crimes Enforcement Network Financial Trend Analysis covering the first six months of 2021 found that the value for ransomware-related transactions reported in suspicious activity reports, or SARs, was at its highest since 2011: $590 million – or a 42% increase – compared to 2020.

Maybe you think being a smaller-scale operation can inherently protect you from being a target. But according to Randall, that’s no longer the case. “Unfortunately, in this day and age, these attackers are focusing on the small- to medium-sized businesses,” she said.

And even if you think your business – a hair salon, for example – doesn’t deal in the kind of data bad actors are looking for, you need to take into account the kind of information you have on hand.

“People need to sit down and classify the electronic data they have,” Bridges said. “Do I capture any non-public information? Or is there any personal information that I’m collecting, in the conduct of my business? Because that’s going to be a big defining line.”

And, Bridges cautioned, it’s important to remember that once you capture that data, you’re on the hook for it.

“[W]hen you get into the areas of a breach that’s when people are able to steal confidential information that you’re entrusted to protect. … [I]f you’re collecting confidential information you are considered the data owner, and you’re ultimately responsible. Even if you hire someone or take information and put it … into a third party, they are considered the data holder. And if the data holder has data that’s extricated, you’re on the hook.”

Help is on the way

So what can you do? Mazzanti says start building.

“Defense and depth … the idea is you layer it, like a cake … Here’s one device, and if it got through that then there’s another one below that, there’s another one below that,” he said. “So when we mention firewalls, email security, endpoints on the devices, DNS security for outbound request — you can layer on a whole bunch of different technologies so that no matter which ones fail, it would be very difficult to go through all of them and then have some sort of outbound result take place.”

Maybe all those layers sound expensive – even more likely, they probably sound confusing. According to Tracy, when it comes to costs – and confusion – there are options, like hiring a qualified consultant instead of bringing someone into your organization full time. Another important precaution is to figure out where you stand with a business impact analysis.

“Saying, OK, so this is my business, this is what it costs me … if I were to have a breach, these are the things that could happen and so really looking at it in a dollars and cents perspective from people, and not just a firewall … But understanding that those costs are investments in securing what is most precious to them and helping them keep those costs in line with our business,” she said.

After you have your layers in place, it’s important to test your work.

“Once people start to layer these defenses – the firewalls, features, email filtering, the endpoint MFA [multifactor authentication] and the like – you need a security test. Like a pen test or assessment or something out of the environment to point out all the things that you don’t do,” Mazzanti said.

In an increasingly digitized world, making sure you’re not ignorant about what’s going on with your cybersecurity and taking a proactive approach to protect your information can be the biggest step toward making sure you’re not vulnerable.

“You’re not going to be judged as much by the cyberattack because the number of cyberattacks are increasing on a daily basis,” Randall said, “but you will be judged by the response effort.”