One way to prevent a cybersecurity attack is to make no exceptions to a company’s cyber defense measures, according to panelists at an NJBIZ-hosted panel discussion on cybersecurity Tuesday in Somerset.
The discussion was moderated by Michael Geraghty, director of cybersecurity and state chief information security officer at the New Jersey Cybersecurity & Communications Integration Cell. He provides security to municipalities, businesses, and other organizations.
“Over the past few years we have seen a ton of data breaches,” Geraghty said, citing the Target Corp. breach in 2013. “Two American companies including New Jersey-based Merck lost a total of $1.2 billion due to data breaches,” Geraghty added.
“We have a long and storied history of attackers but we also have a long and storied history of defenders. Many of us have been victims of credit card theft and identity fraud. With all these breaches, no one seems to have been spared,” he continued.
John Wolak, co-leader of the privacy and data security team at Gibbons PC, represents clients ranging from start-up companies to medical practices that have suffered from cybercriminals freezing their medical records.
A 2018 law called the General Data Protection Regulation, which applies to all businesses that offer goods and services in European Union nations plus Iceland, Liechtenstein, and Norway, is a comprehensive regulatory regime concerning the collection, protection, and storage of data of businesses, Wolak said.
The dangers of failing to comply are fines, penalties, or loss of control, Wolak said.
Carl Mazzanti, founder and president of eMazzanti Technologies, recalled that after Hurricane Sandy struck New Jersey in 2012, his firm helped 400 customers return to operations within 72 hours.
“While many of us are based in New Jersey, and your location is here, but you have a customer who goes back to the European Union,” Mazzanti said. “No customer has ever lost their data from Home Depot and said I am going to buy another power tool because you have great cybersecurity insurance.”
Instead, Mazzanti called blocking and tackling the better insurance.
Robert Egan, a lawyer and partner at law firm Archer & Greiner, is the chairman of its data privacy and cybersecurity practice group. “Both the GDPR and the California statute’s definition of privacy is much broader than the rest of the United States,” Egan said. “There are business-to-business agreements that incorporate these standards. You have to be careful about privacy policies on your website.”
Geraghty said businesses are taking out cyber liability insurance policies, noting third-party vendors can be a problem.
Carl Scalzo, chief executive officer and founder of Online Computers, makes sure businesses’ information technology needs are being met and protected. He spoke to attendees about giving access to third-party vendors. “That is how a lot of these breaches happen. You are trusting in a third party. Make sure the third party has trusted practices,” Scalzo said.
He then encouraged people to be proactive and ask lots of questions to protect their clients’ personal information.
Asked how to mitigate risks, Scalzo said education is key to securing data.
“Email has become a race to the click,” Scalzo said. “Slow down and read. Do not assume your employers know what they are doing. Engage an IT professional to protect your system with a firewall, malware, and patching. … Make sure you have a plan in place.”
The Department of Homeland Security provides free services, Scalzo said. The Federal Trade Commission provides free services through its website, Egan said.