Local experts share their knowledge on risks, costs and ways to protect your data
In one way or another, technology plays a major role in today’s business, regardless of a company’s size, product or service offerings. Securing that company data is paramount, especially when you read the horror stories about businesses paying exorbitant amounts to retrieve their own data via the ransomware virus.
The cost of security breaches is soaring. In 2014, the Wall Street Journal estimated that the cost of U.S. cybercrime was $100 billion, a figure many security experts pegged as low. Forbes recently published an article that estimated the cost of security leaks will reach $2 trillion in 2019.
Today, IT security is much more than just anti-virus software installed on a personal computer. NWIBQ asks local experts to share their knowledge regarding risks, costs and the best way to achieve the ultimate protection for your company’s most critical possession – its data.
How much is enough?
“The amount of funding that should be allocated to IT security should not be a percentage of operating income,” says Robert Johnson, president of Merrillville-based Cimcor Inc. “The amount of funding should instead be directly proportional to the potential risk associated with your line of business.”
Johnson explains almost all businesses use technology in some form and have a base level of exposure to potential risks. Some companies have more risk than others and use technology more heavily.
“For example, companies that handle private information, health care related information, or perform e-commerce types of activities may have a higher amount of risk than other businesses,” he says. “These higher-risk businesses should consider doing an assessment to identify the areas of significant risk and its potential impact on customers or business operations.”
With the results of this risk assessment in hand, a company has what it needs to identify the proper amount of funding to spend on cybersecurity. Johnson uses a study from the SANS Institute as a point of reference.
“The SANS study indicates that a company with an IT budget between $500,000 and $1 million allocates seven to nine percent of their budget for cybersecurity,” he explains. “I believe that small businesses should consider spending ten percent of their IT budget as a baseline amount for cybersecurity software and hardware, and be prepared to modify this number upward based on risk.”
Management should be aware that hardware typically wears out and needs to be replaced every three to five years. A smart IT security budget takes that into account and replaces a percentage of hardware annually. This avoids the significant cost of replacing a large amount of hardware in a single year.
Intelligent, proactive use of funding
Having a cybersecurity budget is only the first step. With so many tools available, how do you determine the highest priorities for your business?
Tim Bucher, president of Valparaiso-based BucherTech, says, “It’s challenging to limit the number of tools or the costs. But there are some things that stand out as high-priority items.”
First, Bucher recommends on-site image backups done continuously, preferably hourly.
“Ransomware has dictated this as it is the number one threat to businesses,” he explains. “If ransomware is contracted, the only sure cure to getting back in business is to restore a fresh image of your system before the attack.”
His second recommendation is a robust firewall. “Users of state-of-the-art firewalls were not infected by the Wannacry attack in May of this year,” Bucher says. “Business-class firewall users are continuously updated by the manufacturers and proactive IT management practices with software to block known threats.”
Bucher provides a solid example of the value of a firewall through his own company. “We are a part of a consortium of seven IT service companies in the United States and none of our members had any clients infected by Wannacry.”
His third priority is antivirus software. Bucher says current products include ransomware protection.
“You’ll note that I did not include email protection,” he says. “This is ironic in that 59 percent of ransomware attacks came through email. However, the attacks are initiated by users who opened attachments from unknown sources. The tools listed above will help to mitigate damage if properly implemented.”
Bucher’s last comment leads into one of the biggest challenges facing cybersecurity today: user personnel who unknowingly initiate a virus attack within their company.
Cost of education vs. cost of ignorance
Jim Gillen is the managing associate of J.P. Gillen & Associates in South Bend. The topic of user training and education is one that gets his juices flowing.
“Internal personnel are the single biggest point of failure,” he says. “System users are not IT experts. That’s not their main job or focus. Hackers are increasingly clever. That combination provides a fertile base for cyber-attacks.”
Gillen believes there are several steps companies should take to help minimize the risks associated with user personnel.
“Corporate security policy should include user education,” he says. “Each company should have a written, tangible security policy. And in that policy, user training and education should be emphasized.”
Gillen reasons that, when a business puts the importance of user training in writing and distributes it to the employees, it helps them understand the importance of their role in keeping the company safe.
“Initial education should include an outside consultant to come in and educate staff on the use of security tools in relation to their job,” he says. “If your company is large enough, that task can be handled in-house. Either way, don’t assume staff knows how to best use or misuse security software.”
Training and education need to be ongoing, Gillen believes. “There are several ways to keep cybersecurity in the mind of employees,” he says. “For example, send out a weekly email that discusses recent attacks at other companies. Hang posters in the coffee or lunch room with clever security slogans. Send out a notice when your software catches an attack that never got out.”
In short, follow up on that initial education. “Inundate your staff with constant reminders, until they become cliché,” Gillen says. “At that point, it is second nature to them, and you have added another layer of security for a relatively low investment.”
Collaboration between end users and security staff
Chris Kotul is a division manager with Chester Inc., a Northwest Indiana IT company. He believes that a comprehensive collaboration between end users and security staff can build a stronger defense against outside attacks.
Kotul explains that pass phrases are hard to crack and are the easiest for end users to remember. “Pass phrases are so much better and stronger than passwords,” he says. “Security staff can implement them, and it’s equally important to make sure end users understand their significance.
“A nearly uncrackable scenario would be pass phrases combined with two-factor authentication. Something you know, your pass phrase, and then something you possess, such as a code sent to your mobile phone.”
Kotul then touches on the critical nature of remote access security. “Remote access to office networks should only be given to those who need it, and should only be allowed through company-owned and protected devices.”
Kotul says it is important for end users and security staff to understand what happens when someone connects to the business from home.
Allowing someone remote access into your office network from their home or personal device provides connectivity between the two networks, and any issues on their home device now become office issues, according to Kotul. “All of the potentially harmful software on their devices now has a direct connection to your critical business systems.”
Some companies alleviate this issue by supplying company-owned computers for remote connections. Others set standards for the anti-virus, email and internet software that remote devices must run. Firewall rules can be implemented to check the risk level of outside devices before they access the business system, filtering traffic before it becomes an issue. The bottom line is establishing a strong collaboration between end users and IT staff, whether they work onsite or at home.
In-house or outsourced IT?
Joe Grossbauer is the security analyst for GGNet Technologies, located in Chesterton. He tackles the question of outsourcing vs. in-house IT security.
“I have seen companies of all sizes succeed with both in-house and outsourced IT,” Grossbauer says. “As a rule of thumb, companies with under 50 employees do not typically have a dedicated IT person. They may ask an employee to perform IT functions as part of their duties.”
Grossbauer says that many companies find this convenient and great for handling basic needs. However, no matter how smart and savvy that person is, they will not have the opportunity to develop the depth of experience and knowledge of a full-time IT person.
“Balancing IT requests with primary job responsibilities can also be overwhelming,” he says. “The lack of dedicated time and knowledge can add up to a weak security system.”
While the cost of outsourcing IT may seem high to a small business, the cost of a data breach can be devastating. “Companies between 50 and 100 employees can go either way,” Grossbauer says. “Most companies with over 100 employees have at least one dedicated IT person.
“Companies with 100 to 500 employees typically outsource major network deployments and possible server setups,” he says. “An in-house IT person only has the opportunity to work on these setups once every few years. Outsourcing a large project brings in the expertise needed and sets downtime expectations for the business.”
Third-party vendors provide software as well as hardware. Grossbauer says it is important to vet these companies thoroughly.
“Software vendors often mention firewall protection and encryption, and those should be there, but neither of these address the ways most data is lost,” he explains. “The best way is to find an extensive independent review.”