How your company can get a cybersecurity boost through these inexpensive methods

Strong firewalls and passwords are essential defenses in a business’ cybersecurity plan, but the weakest point in any plan might just be the person reading these words.

Cybersecurity experts in the North Bay say training staff to recognize the methods used to trick employees into compromising company security is one of the most cost-effective and essential pieces of a digital security strategy.

“Social engineering is probably the biggest vector for hacking,” said Allan Jaffe, vice president of technology at Top Speed Data Communications in Petaluma, using the industry term for cyber attacks that target individuals, often through emails. Common social engineering attacks include phishing, where a hacker sends a fake email that looks legitimate and includes links or attachments that when opened can give them access to a company computer network, bypassing external security measures like passwords and firewalls.

“Security training can be $2 to $3 dollars per month per user,” said Jaffe, noting it can be highly effective to teach employees the common features of phishing emails, such as misspellings that signal a message is not actually from their bank.

To combat this, Jaffe said outside consulting companies can send dummy phishing emails to employees. If they open them, they are directed to training.

“They get a sense that their action was inappropriate,” Jaffe said.

According to Steve Moore of Vista Consulting, the problem with implementing proactive measures like training “is getting managers to pay for them.”

“Entrepreneurs are by nature gamblers,” Moore said.

Many smaller businesses will look at even a $5,000 expenditure on training and choose instead to invest that money elsewhere because they see a hack as unlikely, he said.

Moore said many companies only hear about large hacks in the news like those perpetrated against Target and Capital One. But hacks can happen to any company.

He said strong defenses can be expensive but encouraged businesses to purchase what training they can afford.

One of the more obvious, cheaper ways of hardening your business against hackers is also simple: your password.

Moore recommended using computer settings that require a periodic change of each employee password, prevent reuse of old passwords and demand a certain level of complexity.
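The settings Moore describes (forced periodic change, no reuse, a complexity requirement) correspond to a Windows Active Directory default domain password policy. The following PowerShell is an added example, not code from the article or from any of the firms it quotes; it assumes the RSAT ActiveDirectory module is installed and the session holds Domain Admin rights, and the specific numbers (14 characters, 90 days, 24 remembered passwords, lockout after 10 failures) are illustrative choices rather than figures from the article. One caveat a practitioner would weigh: NIST SP 800-63B now advises against forcing routine rotation unless there is evidence of compromise, so MaxPasswordAge is the value most worth reconsidering against length, lockout and breach-checking.

```powershell
# Added example (not from the article): apply and verify a default domain
# password policy on Active Directory. Assumes the RSAT ActiveDirectory
# module and Domain Admin rights; all numeric values are illustrative.
Import-Module ActiveDirectory

$domain = (Get-ADDomain).DNSRoot

# Capture the current policy first so the change can be reviewed or rolled back.
$before = Get-ADDefaultDomainPasswordPolicy -Identity $domain

# Splatting keeps each setting commented without breaking line continuations.
$policy = @{
    Identity                    = $domain
    ComplexityEnabled           = $true                         # mixed character classes required
    MinPasswordLength           = 14                            # length does more work than complexity
    MaxPasswordAge              = (New-TimeSpan -Days 90)       # periodic change, per the article's advice
    MinPasswordAge              = (New-TimeSpan -Days 1)        # stops cycling back to an old password in one sitting
    PasswordHistoryCount        = 24                            # block reuse of the last 24 passwords
    LockoutThreshold            = 10                            # slow online guessing attempts
    LockoutDuration             = (New-TimeSpan -Minutes 30)
    LockoutObservationWindow    = (New-TimeSpan -Minutes 30)    # must not exceed LockoutDuration
    ReversibleEncryptionEnabled = $false                        # never store recoverable passwords
}
Set-ADDefaultDomainPasswordPolicy @policy

# Verify: show the old and new value of each key setting side by side.
$after = Get-ADDefaultDomainPasswordPolicy -Identity $domain
$fields = 'ComplexityEnabled', 'MinPasswordLength', 'MaxPasswordAge',
          'PasswordHistoryCount', 'LockoutThreshold'
foreach ($f in $fields) {
    '{0,-22} {1,-16} -> {2}' -f $f, $before.$f, $after.$f
}
```

Run it once from an elevated PowerShell session on a domain-joined admin workstation; the before/after listing at the end is the check that the policy actually took effect, since a fine-grained password settings object attached to a group would silently override these domain defaults for its members.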

He said the “single-sign-on movement” offered by companies such as Okta allows users to remember only one longer password that gives them access to their larger cache of passwords. Employees don’t have to remember multiple code words.

But Moore noted even this defense has its limits.

“It’s a threat because it’s a single point of failure,” he said, noting that if the main password is compromised, a bad actor has access to a trove of other password data.

Scott Schulze of Fusion Technology Solutions LLC in Healdsburg said long passwords with numbers, letters and special characters are particularly difficult to guess. Programs like LastPass can also encrypt passwords and store them online for added security, although they too are not immune to intrusion.

Schulze said customer information, including passwords, from hacks of large companies like Capital One can be purchased illegally on the so-called “dark web,” an unregulated anonymous portion of the internet. Frequently changing a password or making it more complex can help to mitigate the risk from these breaches.

During the North Bay Cybersecurity Summit for Business last month, Ryan Donham, director of information technology at Empire College in Santa Rosa, demonstrated another threat — phones that can be accessed remotely even when they appear to be off, allowing hackers to use their camera and microphone to spy on the owner and those nearby.

Experts said that while this kind of corporate espionage is possible, it is not common in their everyday work. The greater threat is personal devices without proper security software being connected to a company network and then compromised to reach company data.

Even companies with “firewall” protection for data from external intrusion can see weak points like unprotected devices be exploited.

“Bringing personal devices behind the firewall is problematic,” Jaffe of Top Speed said. Creating a guest wireless network for personal devices and devices not owned by the company is an ideal way of ensuring that unauthorized devices aren’t linked to the company network, according to Moore of Vista.

The damage from a network compromised by malicious software can be a hacker destroying all the data on a company server or holding it for ransom until a fee is paid.

To back up data, Moore said some specialists recommend backing up to tapes daily. But that process is cumbersome.

Rather than do that, he suggests using the “air gap” strategy, where a company backs up its server and then puts that backed-up data in another digital location so that it is not reachable from the company’s central server.

Cost is always a factor in paying outside companies to consult on and build these kinds of protected systems. Moore stressed that one way of keeping costs down and security up is to recognize that the newest products are not necessarily the best or the most secure.

“Because of the illusion that all new information technology is better somehow, consumers and managers crave new features,” Moore wrote in an email. “Industry responds to and feeds that illusion, producing ever more complex, feature-laden technology at an ever-faster pace—all at the expense of security, privacy, reliability, and productivity.”

“Occasionally we need to ‘just say no’ to being overloaded by the unbridled pace of low- or no-value new technology and focus on using technology with discerning wisdom.”

Staff Writer Chase DiFeliciantonio covers technology, banking, law, accounting, and the cannabis industry. Reach him at or 707-521-4257.
