
Indevtech Incorporated President Scott Cooley shares cybersecurity tips for businesses


Scott Cooley, president of Indevtech Incorporated
Indevtech Incorporated

October has been designated Cybersecurity Awareness Month since 2004, according to the U.S. Department of Homeland Security's website.

"The two biggest what we call vectors — the way that bad guys get in or breach a system — have not changed a whole lot over time, and are phishing and social engineering," Scott Cooley, president of Honolulu-based IT services company Indevtech Incorporated, told Pacific Business News.

Indevtech Incorporated has provided IT support to Hawaii small businesses in the health care, legal, financial and manufacturing industries since 2001, according to the company's website. PBN recently spoke with Cooley, who shared questions business owners can ask themselves in regard to their cybersecurity, as well as tips they can use to keep themselves protected.

  • Where is the data?

"When we're working with a company on a backup or a disaster recovery plan, the first thing we want to know is what are we actually protecting? Where are their critical systems located? Are they in a cloud facility? Is it in Google Drive? ... A lot of times they might think that they know where the data is ... and then we come to find out people are storing files on their laptops or they're using their personal Gmail account, or they're using Dropbox or something like that, so we want to make sure to first identify what you're trying to protect."

  • Is the backup actually working?

"So maybe you'll pay an IT company to set up a backup system, but how do you actually know [it is working]? What most IT providers do is some type of automated testing. ... And then in our case, for the purpose of our own disaster recovery, we outsource that to a Mainland provider. And the reason for that is that if there was some kind of catastrophic issue affecting all of Honolulu, then that would likely affect us, too."

  • What would you actually do in the event of a cyber incident?

"That word is kind of loosely defined of what constitutes a cyber incident, in terms of 'Is it a virus or a system crash or a phishing email?' But we have helped companies draft incident response plans, and it's one thing to put it on paper, but it's another thing to actually do what is called a tabletop exercise and sit down and simulate what you would actually do and go through the plan. 'Who are you going to call? What are you going to do?' And then just role-playing worst case scenarios. You really can't account for all the possible millions of ways that things could go wrong, but you can identify what's likely to go wrong and then also what would be more severe if it happened. We're not trying to mitigate every possible risk, but we're trying to see what is likely, or even what's unlikely, that could be catastrophic."

  • How do you protect yourself?
  1. Security awareness. "The biggest thing is security awareness for all employees of the organization. We provide to our clients security awareness training, which is like a series of training videos that they'll get through their email, and when they complete the training, it logs it in the system. That's something good to have, if you had a cyber attack and you have cyber insurance, to show that all of your employees are doing security awareness training on a regular basis. We'll send simulated phishing emails and see who falls for it, and then we'll track that and then do remedial training for those users."
  2. Cyber insurance. "Basically, the role of cyber insurance is like an insurance policy. They're assuming that risk for you in the event that you get a breach that causes damages to your company. ... These are great policies to have. We recommend everybody has a standalone cyber insurance policy. What I mean by standalone is that there are some general liability policies that will throw in, like, $50,000 in cyber coverage. That typically is not enough. Many small businesses will want to have, like, a $1 [million] to $3 million actual cyber insurance policy."
  3. Multi-factor authentication. "Multi-factor authentication is probably the No. 1 way to neutralize the phishing attacks. ... Let's say they did a phishing attack and they got your username and password. They can only get so far with that without having that second factor — authentication. ... I think there's things that anyone can do, whether you're an individual or a small business, and that is take advantage of any websites that offer multi-factor authentication."
  4. Don't reuse passwords. "You can leverage what's built into the iPhone when you're creating a new account or changing a password, where it'll suggest a password. It'll store that to your keychain and that syncs to your devices, which is handy. But having a different password on the different sites that [you] use, especially banking and anything sensitive like that, just ensures that if your Gmail got compromised that they wouldn't be able to then use that to get access to all of your things."
