By Paul Lane, originally published in Buffalo Business First on Apr 26, 2018, 10:35pm.

Education, Action Needed to Protect Business from Cyber Threats

The good news when it comes to threats to your data security, experts say, is that most would-be assailants don’t target a specific business. That means with adequate protection, threats can be minimized.

The bad news is that most would-be assailants don’t target a specific business. That means if any weakness is found, they’ll walk in and wreak havoc.

Panelists discussed these sorts of threats during the most recent State of the Region presentation April 17. The event was sponsored by Phillips Lytle LLP at the law firm’s downtown office. 

The panel included Keith Wojcieszek, associate managing director of cyber security and investigations at risk solution provider Kroll; Sam Marrazzo, chief innovation officer of Buffalo Niagara Medical Campus Inc.; Michael Moskal, senior vice president and chief information officer of CUBRC Inc.; and Holly Hubert, a former FBI cyber crime investigator who runs Global Security IQ. 

While there may be no perfect answer to protecting business information and systems, the consensus was that continued diligence and collaboration are the best foot forward for a business.

Cyber attacks at major companies tend to get the most attention, but hackers don’t really care about their target, according to Wojcieszek.

“There is no face. In general, they’re just looking for open spaces to attack,” said Wojcieszek, who spent 15 years on cyber investigations with the Secret Service before joining Kroll. “Do you have a fridge tied to your network? People laugh, but that could make you vulnerable.”

Other weak spots could be through smart watches or other smart devices connected to a central network. Panelists said the easiest ways to prevent attacks remain the most commonly used.

“You can have the most advanced firewalls, updated protections, but if one person clicks one phishing link, the bad guys have broken through all that,” Hubert said.

“The fact that people keep clicking things when they don’t know what they’re clicking is amazing to me,” Wojcieszek said.

That’s where employee education comes into play. It’s vital to make sure that employees understand best practices in data security, Hubert said. That includes follow-up checks and regular updates due to the ever-shifting nature of how data is shared.

Spreading responsibility can help, he said. Giving information security personnel more direct access to CEOs and other upper management can ensure everyone is up to date on best practices for data security. Panelists said the more people in on the process, the better – even if that means sharing with other companies what works best, getting valuable advice in return.

“I can’t imagine any one person being able to stay up to date,” said Jennifer Beckage, a data security lawyer at Phillips Lytle who moderated the discussion. “It’s a huge burden to take on.”

Management should be ready to learn and grow, Moskal said. Getting a grasp of new technologies such as blockchain that allow for information storage without the chance of human manipulation can make life easier for business leaders later on.

“Removing the human element improves security,” he said. “We are getting smarter in trying to apply these technologies.”

Getting smarter also means bringing a company’s technology operations out of the IT room and into every executive’s office, Marrazzo said.

“I believe that technology is now cross-cutting into other aspects of any organization,” he said. “Everyone has to embrace it and take a role in it.”

Bad news about data is what’s most often shared, according to Hubert, but not everything in the subject area is negative. Data collection helps businesses make money and helps agencies track societal habits. For example, recording how often supermarket shoppers buy facial tissues can help pinpoint areas with high seasonal disease rates, for example.

Data collection also paves the way for doctors to be able to perform remote checkups via devices that can be waved across a person’s head.

But in order for everyone to benefit, there has to be some level of trust that big-data collectors have users’ best interests in mind.

“This digital trust economy is something we’re really going to have to consider before we leverage innovation,” said Marrazzo, adding that small and medium-sized businesses may have to wait for blockchain and other technologies to be scaled down to a size suitable for them.

That doesn’t mean businesses of all sizes should be unprepared, Wojcieszek said.

“Have a plan expecting (a breach) is going to happen,” he said. “(Assailants) don’t care about you. All they are about is the data you have and the data they can get.”