David Trepp has been a technology entrepreneur since 1989, leading more than 1,100 information security penetration test engagements for major industries throughout the United States and abroad.
He's partner for BPM IT Assurance and partner in charge of the accounting firm's Eugene, Oregon, office. Trepp has given dozens of presentations to audiences nationwide, on a variety of information security topics. Prior to joining BPM, he was founder and CEO of Info@Risk, a comprehensive penetration test firm.
Trepp, one of the presenters at the North Bay Business Journal’s Protecting Your Business Cybersecurity Conference Sept. 28, talks with the Journal about cybersecurity and business security.
As a firm that tests the ability of businesses to ward off hackers and malware, among other threats, do you find businesses better prepared today than two years ago? Why or why not?
The somewhat ironic answer is that businesses are better prepared today, but they are still at greater risk.
While businesses have done a good job improving things like email security controls and employee training over the past couple years, the bad guys have, armed with NSA hacker tools released into the public domain, leapfrogged ahead in creating new avenues of attack.
The sad truth is that many businesses are working hard just to try and maintain their security posture from two years ago.
What key mistake by companies do you see being made again and again in your work?
The biggest deficiency I see over and over is a lack of executive participation in information security.
Executive participation starts with setting a good cybersecurity example for employees to follow.
Additionally, executives and board members need to view cybersecurity as a strategic investment in the future of the business, not just a painful set of expenses.
Lastly, executives and board members need to remain informed about the company’s cybersecurity posture. Setting standards for what risks are and are not acceptable, overseeing the development of good policies and procedures, and knowing the results of tests to determine where vulnerabilities lurk are all part of executives’ cyber responsibilities.
If workers are a weak link in a company’s security, like opening an email attachment from an unknown source, is the only hope to attack the problem additional training?
There are plenty of technical tools, such as strong email and web filters, password safe applications, and easy-to-use multi-factor authentication solutions that can halt attacks, or at least make them far less impactful.
Ultimately though, attackers will find ways to circumvent those controls and the onus will lie squarely with the employees. So a good training program is still an essential weapon in the fight against hackers.
What businesses are most likely to be subjected to a ransomware attack? Why?
Unfortunately, all businesses are equally subject to ransomware attacks. Recent case studies clearly demonstrate that many ransomware criminals target their attacks indiscriminately, not even knowing who the victim is until ransom negotiations commence. If your business has a web presence, it may be subjected to a ransomware attack.
Describe why a business owner who thinks his or her business is too small to worry about hackers, ransom or malware might be wrong about that.
Small businesses may be less likely to be targeted by hackers seeking monetizable information, but any business that can round up a bitcoin or two is fair game for ransomware.
Protecting Your Business Cybersecurity Conference
Friday, Sept. 28, 2018, 8-10:30 a.m.
Hyatt Regency Sonoma Wine Country, 170 Railroad St., Santa Rosa, CA
Cost: $70 per person or $715 for a table of 10
Register by Sept. 26: nbbj.news/security18