Cybersecurity
Summary: A business of any size is vulnerable to cyber-attacks. David Hodgdon, president and CEO of PCG, discusses how a company can protect itself from a cyber-attack. Listen or read more to find out about cybersecurity.
John Maher: Hi. I’m John Maher, and I’m here today with David Hodgdon, president and CEO at PCG, a managed service and IT provider servicing New Hampshire, Massachusetts, and Maine. Today we’re talking about cybersecurity. Welcome, Dave.
David Hodgdon: Welcome.
John: So, Dave, should my company be concerned about a cyber-attack?
David: Absolutely. Most small businesses feel it won’t happen to them, but actually the bad guys, we call them the actors, that’s who they’re actually targeting, because they don’t really have some of the security layers in place. But it definitely should be top of mind.
Cyber Attacks Can Shut Down a Small Business
John: Okay. And even if I have a small company or maybe a medium size company, why would I be as concerned as a larger company that I would think would be a big target?
David: Any small company is in to make money. If the bad actor, or the cybercriminal, has your data and can lock it down, it could shut you down. Some statistics have come out that most small businesses that have been attacked, 60% of them can’t stay in business.
John: Wow. Amazing.
David: Staggering number.
How to Protect Against Cyber Attacks
John: Yeah, yeah. What are some of the processes or ways that I can help to protect my business?
David: First thing is you have to start at a baseline. We call it the security assessment. At that point, kind of think of it as a grade. Where do we stand? A business, whether you’re a medical, you’re financial, you’re a manufacturing, you’re a car body shop — the layers are more important if you have to deal with certain compliancy. So, a medical might have higher compliancy compared to a car body shop. Not every business needs every layer, but there’s a baseline that we should have in place.
John: Right. Okay. So, certain places, like you said, like a medical company, they’re going to have some requirements where they can’t even do business unless they have certain security procedures in place. Whereas a car body shop doesn’t have any of those requirements, but it’s still a good idea for them to have cybersecurity measures.
David: Correct. So, medical, you think about the HIPAA, but a car shop, think about all the people repairing their cars, so there’s information about the customers and that’s what they’re really going after. Not necessarily the car shop, but if they can get to that database, get that person’s email, then they have the ability to start phishing that person.
Vulnerabilities in a Company’s Security
John: Right. Okay. What are some of the biggest vulnerabilities that you find with companies?
David: Number one, by far: passwords. The average person uses three or four passwords for 50 websites. They are usually not complex. They typically follow a sequence of a date of birth, their husband’s name, their dog, so once they figure out something, the changes to the next site are very minimal. Once they figure it out, then that’s when they’re going to start wreaking havoc.
John: Right. I know a lot of people will just take the same password and then maybe when it comes time that they have to change their password, they just add an exclamation point onto the end or something like that.
David: Or a number, yeah, and add the month. That they’ll put Dave1, Dave2, Dave3, right?
John: Right. And that doesn’t change anything. It’s easy to guess those.
David: Yeah. Passwords need to be complex; they need to be changed, and you need a password manager. Today, there’s no way you can remember 50 passwords. And no matter the website, whether it’s your banking, you’re going to Best Buy, you’re going to Amazon, you’re on W.B. Mason, you’re on your websites for your business, each password needs to be unique. It really helps to have . . . there’s products like LastPass, KeePass. We use a product called MyGlue. The ability to store those passwords that are complex and simplify it for you.
John: Okay. What are some of the other vulnerabilities that you see in terms of cybersecurity?
David: A lot of people just don’t pay attention to their computers and they’re not being updated, so if they’re not being updated, they’re vulnerable there. A lot of people are still running Windows XP machines, those have no more updates. There’s big news with Windows 7 end of life on January 14, 2020. We need to start thinking about that. So, doing the computer updates and making sure you have a good antivirus. They call it an advanced endpoint detection, constantly monitoring the machine, running its updates, and minimizing those risks.
Pinpointing Cybersecurity Issues
John: Okay. How do I figure out, as a company owner, where my company is at in terms of cybersecurity, what my issues are, what needs to be addressed?
David: I usually . . . when we sit down with the management staff, we try to do a state of the union. We’ll do a security assessment. We ask about 15 to 20 questions and we go through the components of what they have. An example: Do you have spam for your email? It’s a yes or no. If it’s no, that’s a risk. Do you have a password policy in place? No. Do people change their passwords? No. That’s a risk. Do you do security awareness training? With the big buzzword there is phishing. People do the old casting of the hook. Let’s see who will bite. You won a $50 Amazon card. Your password to your 365 needs to be changed.
So, security awareness, and we just go through the checklist. Do you run multifactor authentication? A lot of people don’t, but that’s the new thing. Do you have a firewall in place? A lot of people don’t. So, without those measures in place, the risks tend to grow.
John: So, there’s some technical things, like you said, a firewall in place that maybe you need to come in and change, maybe add some equipment, maybe add some software, things like that. But then there’s also training for my employees to make sure that they understand that they’re going to be attacked through email, through phishing scams, whatever it is, and I need to train my employees to make sure that they’re not going to fall victim to one of these.
David: John, I almost feel that’s the biggest one. The weakest link is typically the employee, or the person. They’re not intentionally doing anything wrong, but they’re just trying to do their job. The more we can educate them about their passwords, and they need to understand it’s not their data, it’s the company data, and you, as the owner or the business management team, need to do all you can to protect that data. It only takes one person. If you got a 20-user business, 19 are doing great, you have the one link, you’re vulnerable.
The Dangers of the Dark Web
John: Right. I’ve heard of something called the dark web. What is that, and —
David: It’s scary.
John: . . . and how does that relate to cybersecurity?
David: All right. The dark web has been a big buzzword for quite some time. There’s been a lot of shows, and recently on 60 Minutes, but the dark web is the bad side. The regular web, we know it’s Google, it’s CNN, it’s where the stuff is. The dark web is . . . kind of think of it as an iceberg. It’s what’s down below in the water. It’s murky, it’s dirty, it’s where there’s a lot of drug trafficking going on. There’s a lot of activities of trafficking people. It’s where the bad actors live and breathe, and they’re the ones buying this data, and they’re the ones trying to wreak havoc on you.
The nice thing about the dark web is that it’s prevalent, but there’s tools in place now that we have a dark web tool that we’re constantly monitoring the activity of your users and email addresses. So, if an attack or a password is compromised, the dark web’s trying to buy that. They’re trying to use that against you, but once we see that information on the dark web, we’re able to contact our client and we’re able to tell them, “We got to change his password ASAP, not only for you, but company-wide.” The dark web is really about email compromises. They’re looking for ways to get in.
John: Right, right. And it’s called the dark web because they’re not just advertising themselves out there. They don’t have a big website saying, “Hey, I’m right here.” It’s hard to find these guys. They’re hiding through whatever means they are, and it’s difficult.
David: It’s difficult. It’s amazing, and a lot of it’s happening over in Russia, India, and China, but the age, because a lot of these kids, they’re 12, 16, 18. They’re just trying to make a little bit of money. It’s scary. And you, as a business, need to be aware of these potential risks.
Improve Cybersecurity to Protect Your Business
John: Right. Any final thoughts on cybersecurity and the risks that it poses for a company?
David: Well, as I said, the key is the checklist, the assessment, and just finding out based upon your business, and where you feel you should have your security layers. Then we go through each one of those. It could be something as simple as your backup. A lot of people don’t have a good quality backup that’s not only on premise or in the cloud, because if you have a good backup, you get hacked, you have the ability to go back in time. A lot of people don’t encrypt their email, a great way to get hacked right there.
The key to it is to be vigilant, be aware. It’s going to happen, and it’s going to happen to every business. It’s at an amazing track. I think the most recent number I saw is about 33% or 34% of businesses, they have been breached. It’s the question to what degree. Our goal here at PCG is to minimize those risks and to educate.
John: That’s great information, Dave. Thanks again for speaking with me today.
David: My pleasure.
John: For more information, visit pcgit.com or call 603-431-4121.