Teach a man to shoplift and he will eat for a day. Teach a man to steal your identity and he will dine on steak and caviar far into the future. Conservative estimates claim 140,000 U.S. companies have had more than 500 million financial records hacked in 2014. Another 9 million folks had their identities borrowed for obtaining fraudulent refunds from the IRS. The limitless gifts and reach of the internet have spawned the ugly stepchild of seemingly limitless fraud and SNAFUs.
So what’s a company to do? A good start might be to attend the free Cybersecurity Workshop on Monday, April 20, at 8:30 a.m. at the College of New Jersey in Ewing. The seminars and panels provide opportunities to learn where the cyber-threats are coming from and what protective tools might be employed. Sponsored by the Small Business Development Center and TCNJ, this event features speakers Dan Minoli, principal consultant for DVI Communications; Andrew Donofrio, MSA Investigations’ director of cybersecurity; and panelists Tom Antosiewicz, service solutions consultant for CISCO; Carol Gabel, CEO of Seven Pearls LLC; and Sean Daly, president and COO of IDT911. Visit www.marriahmedia.com.
As savvy as any hacker, Minoli is a computer mentor and engineer with 68 books to his credit, ranging from the first-ever published books on VoIP and on Enterprise Networking, to Satellite Communications Technology. He has had a hand in more than 160 patents, and has served as adjunct professor at Rutgers, Stevens Institute, and Mercer County College.
A native of far-northern Italy, Minoli grew up under the tutelage of a grandfather who herded cattle across the Alpine border, and a father who was a precision cabinet maker. “My father taught me much,” says Minoli. “He would make doors with one hundredth of an inch tolerance and entire cabinets with only five percent waste. He was fanatically exacting.”
After graduating from Polytechnic University of New York with a bachelor’s in mathematics in 1974, Minoli earned a master’s from that school, and a second master’s in computer science from New York University. Since those pioneering days of the cyber age, Minoli has remained a leading inventor and developer of new Internet technology. He has worked as director of network infrastructure architecture for Capital One Financial; director of terrestrial systems engineering for the satellite company, SES; and CTO for Secure Enterprise Systems. He has written columns for ComputerWorld, Network Computing Magazine and others.
“Today most small and mid-size business owners underestimate the need for cybersecurity,” says Minoli. “They do not have enough knowledge.” On the other hand, catching a haunting paranoia from the sensationalized headlines, he says, offers no practical protection.
Attitude adjustments. For small and midsize firms, security is a matter of comparison and appropriately managed protection. It begins with knowing your enemy and realizing what he wants. Obviously, all thieves tend towards the big score. JPMorgan, Target, P.F. Chang each holds client lists, account information, and credit card data numbering into the millions. Against this, the allure of your firm’s 178 client records pales to near — but not total — insignificance.
Minoli’s first advisory: Defend against the most likely attack. Unless your midsize company is developing ground-breaking stealth missile guidance systems, invasion from government agencies (what he calls “three-letter institutions”) need not keep you awake at night. “And if they want you,” says Minoli, “they’ve got the tools to get you, no matter what you do.”
But before resting too easily, realize that the small business has become the prime target of the casual hacker. These grifters typically are individuals with limited skills and equipment, who may not hold any real knowledge about your company beyond the website address. Yet they form a vast, malicious majority of thieves on the prowl.
Minoli’s second advisory: The discipline of risk management is a matter of probabilities. Determine the cost of your expected loss from an invasion or theft. If the cost of replacing lost data is, say, $1 million and the odds of your company falling victim to a successful data-loss attack are one in a million, then it’s not worth much more than a dollar’s worth of protection. When the cost grows to several million, and the odds shrink to 50 percent, it may be time to look into security insurance and to upgrade your precautions.
Unfortunately, such exacting extrapolation doesn’t always hold up. If the loss of a client’s identity falls on your head, or major clients grow suspicious of your ability to operate securely, everything you have slaved to build could crumble in a few short weeks. So while calculating your security risk/expense ratio, keep in mind the less quantifiable good-will factor.
People attacking people. The easiest and swiftest hacker portal leads straight to the end user. A sharp hacker need not study up and learn any great volume of information on a company when it may so willingly be offered by employees. Doorways that let in malware or information-gathering software are opened daily by workers who open attachments from strange E-mails or pass on vital information to seemingly official authorities.
Hackers have become excellent social engineers, Minoli says. If a hacker can’t get employees to open attachments, she may simply redouble her efforts — sending an overwhelming number of ads that force viewers to the “unsubscribe” button. Then, when the beleaguered employee clicks to rid himself of the pest, he inadvertently opens the malware or virus gate. Staff training and awareness may pose the best possible defense, but clever hackers can actually turn this vigilance against the end user.
One of Minoli’s best defenses is to separate access units. If an attack seems likely, or the data on a user’s computer is of greatest value, why not provide an inexpensive, secondary computer right alongside it to handle E-mail and web browsing? Keep the corporate crown jewels in a separate vault, and operate out of a front computer whose value is limited to the messages involved.
Along this same separatist principle, Minoli suggests storing highly valued data on a distinct server, which traveling employees may access via the company laptops. This keeps sensitive records off portable laptops, and out of susceptible sites like wireless cafes and hotels.
And speaking of susceptible sites, how thoroughly do you trust the nebulous cloud into whose silver lining you have entrusted the company fiscal and personnel records? Despite all the hype, kicking data to the cloud (someone else’s physical data storage bin) does not buy security guarantees. An extra set of 64-gig hard drives which hold images of the company C-drives might offer more assured defense with similar costs and only slightly more tending than commercial cloud storage.
Not all data loss is malicious. But when it is your precious labor that is lost in cyberspace, you really don’t give a hoot. You only want it back. “It takes me about 500 hours to create a book,” notes the agile-penned Minoli. “So each time I work on a chapter of a new book, I back up all that updated work separately.” This may give the author 50 versions of each hard-wrought chapter, but if today’s labor gets lost or stolen, it involves only a few hours sacrificed.
Precious policy. Every company that employs people and computers needs a carefully thought-out security policy, says Minoli. This entails a widely published and commonly understood set of rules and protocols for all aspects of operations. It is vital that it reach beyond the office door, out into the world of vendors, suppliers, even frequent clients.
Some such regulations may involve:
— Limits of where company computers may go, and what data they may hold.
— Strict protocols for linking of personal devices to company computers and servers.
— Passwords of no fewer than 15 letters that change every two to ten weeks.
— Encryption processes that use rotating keys so they may not be stolen.
Of course, no amount of training programs and ultra-sophisticated protective technology offers guarantees for today, or places your data beyond the reach of hackers tomorrow.
Every age of business faces its unique set of risks. Cyber-invasion is merely this era’s version of pirates with sharp swords climbing their way over your gunwales. Plan carefully, invest in the most appropriate cannons you can afford, and train your crew as best you can to face attack. As always, good fortune favors the most prepared.