The weak link (video)

When it comes to cybersecurity, a business’ biggest vulnerability walks in the door every morning

Don’t be so quick to click that link. That urgent email is one of the biggest cybersecurity threats out there, and hackers are getting smarter at figuring out just how to get you to share your personal information, allowing them access to everything about your business.

A panel of experts offered advice on how to avoid that fate during an NJBIZ thought leadership discussion on Feb. 25 in Somerset. Panelists pointed out that criminals are waging cyberattacks on businesses, stealing money, accessing private information and eroding trust between consumers and companies. And they urged nearly 100 attendees to think critically and recognize an attack when one appears.

Michael Geraghty, chief information security officer of the state and the director of the New Jersey Cybersecurity and Communications Integration Cell, moderated the panel. Geraghty is responsible for developing and executing cybersecurity strategies; he knows first-hand that many companies have suffered breaches that compromise their customers’ information.

Michael Geraghty, New Jersey's chief information security officer, moderates an NJBIZ discussion on cybersecurity with panelists, from left, Dominic Genzano, CEO of Secure Technology Integration Group; Timothy Guim, president and CEO of PCH Technologies; Carl Mazzanti, president of eMazzanti Technologies; and John Wolak, chair of the Privacy and Data Security Team at Gibbons PC on Feb. 25, 2020. - JEFFREY KANIGE

As a former New Jersey State Police employee, Geraghty invites citizens to see a threat and report it. And it is something he advises in his role with the NJCCIC. “You get hit with malware. Report it to the NJCCIC. … We want to share the bad actors with everyone so they can take preventative measures.”

Businesses lost $1.2 billion last year because of cybercriminals who sent fraudulent emails, he said. But people should use critical thinking skills as a first step to recognize cybercriminals. “Not everything needs a technical solution,” he said.

Panelist Timothy Guim, president and chief executive officer of PCH Technologies, expanded his business from a one-person organization to a global cybersecurity and information firm. He said people open a normal-looking email that was sent from a criminal because the email in question looks to have been sent from a legitimate source. The recipient clicks on a link within the email that causes a breach of his or her personal information or company information.

Dominic Genzano, the CEO and founder of Secure Technology Integration Group, who leads cybersecurity strategy services in which he designs and implements cybersecurity initiatives, said: “Hackers are becoming smarter and they are not trying to break into technology.”

“They are exploiting normal channels of communication,” he added. “They are going along with the normal channels of communication. They are exploiting the human factor.”

On the subject of ransomware, Genzano said hackers are installing ransomware and planting encryption software, so businesses need layers of security in their applications.

Guim advised having a backup solution and not paying money to the perpetrators who installed the ransomware.

Carl Mazzanti, president of eMazzanti Technologies, provides information technology consulting services for businesses. He was working in the World Trade Center on Sept. 11, 2001, yet said some of the things that keep him up most at night are emails, and their aftermath; emails targeted at high-level executives, sent by criminals.

After a breach, an executive often knows he or she opened the email that caused it, but doesn’t report the problem. “They know their computer is slow but they do not get reprimanded,” Mazzanti said.

Quick reactions

John Wolak, a chairman of the privacy and data security team at law firm Gibbons PC, recommended employees take time and not open an email if they think it was sent from a suspicious person. He recommended that employees report a problem as soon as one is recognized. Wolak stressed that breach notification is a real issue and said it was part and parcel of your incident response.

“The faster you get into that compromise, the faster it will be solved,” Wolak said. “You do not have to take ownership of it. You simply have to report it.”

Wolak also spoke about insurance against cyberattacks to provide coverage for the risks related to cybercriminals.

“Historically, people looked for coverage under other policies,” Wolak said. “That coverage may still exist under those other policies … Know your business. In order to mitigate risk, you need to know your data, who has access to it, and where it is stored. You can get coverage tailored to your needs so you are not overpaying for it.”

Mazzanti urges people to safeguard themselves in their careers and personal lives by using multi-factor authentication. This system uses “something you have, something you are, and something you know.”

Something you have can be a token that displays changing numbers or a cell phone that receives a text message or a phone call; something you know can be your name; and something you are can be your face, fingerprints or a scan of the eyes used to unlock a mobile phone.

“Facebook and LinkedIn offer multi-factor authentication,” Mazzanti said. “You know your username and password. You get a text message to your cell phone or the app authenticates you. For your bank accounts or your social media components, I think it is a requirement now because passwords are too easy to guess.”

He recommends changing passwords regularly because some people use common words.

Genzano advises business people to have a comprehensive cybersecurity plan and to follow it.

“There are a number of frameworks that can be used as the control basis to establish these programs, but ultimately if you find yourself in a continuous loop of identifying security vulnerabilities in your environment and it seems to go on forever that is because you don’t have a structured information security program that consists of the technical and procedural controls, the monitoring controls, the regular testing, and third-party risk management,” Genzano said. “You need to have that program established in a structured manner in order to be able to manage your environment in an evolving threat landscape.”

He added that cybercriminals can exploit technologies or exploit human beings. “The software and hardware manufacturers are getting smarter in putting all these safeguards in their technologies that make it harder to exploit. So if it is easier to exploit the human element by tricking somebody into doing something, whether it is opening an email or browsing a web site where you have planted malicious software, then it is much easier to exploit the human element. It is the path of least resistance. Hackers have been basing most of their attacks recently on the human element.”

Wolak said business people should review third-party contracts with vendors or service providers regarding cybersecurity to understand one’s responsibilities from the perspective of security, privacy, and indemnity.

“From an individual perspective, it is a matter of your own practices with respect to disclosing your personal information and who you are disclosing it to and when,” Wolak said.

Guim advises business leaders to pick trusted partners as attorneys, service providers, and security providers “to make sure you are getting the best service possible to protect your business and make sure it is always up and running.”

Companies lose more than money when they are attacked by cybercriminals.

“Not only is there the financial impact of a cybersecurity incident, it also affects the public image of a company, which could devalue it significantly if the public loses trust in the company storing its data,” Guim said. “It is not only the initial financial breach that occurs, it is a secondary public image loss that will cause further loss of financial revenues.”

David Hutter
David Hutter grew up in Darien, Conn., and covers higher education, transportation and manufacturing for NJBIZ. He can be reached at: dhutter@njbiz.com.
