Every individual, whether at work or at home, relies on electronic information and communications in some way. Recent events remind us that those communications and that information are vulnerable to exploitation by criminals and others. Protecting yourself against cyber-crime is an essential part of living in today’s connected world.
Recognizing this need for electronic self-defense, Enterprise Bank held a free seminar this week at the Westford Regency Hotel called “Protecting Your Business Against Cyber Threats.” Speakers were Michael Gallagher, the Chief Risk Officer at Enterprise; Paul Brown, a Principal Security Technologist at Arbor Networks; and Meaghan Lally-McGurl, a Senior Risk Management Manager at Enterprise. (For me, an added bonus was the chance to see old friend Mark Duci, formerly of LTC, now executive director of Acton Cable TV (www.actontv.org) who was filming the presentation).
While the program was geared to business owners, much of what was said is applicable to individuals and other organizations. The seminar was well-run and interesting throughout. Here are some of the things I found to be most useful.
One of the primary cyber threats we face comes from ransomware. This is software slipped into your computer that encrypts the files on it so that they can no longer be used. The encryption is accompanied by a demand for payment of a “ransom” to decrypt the files. The most common way for ransomware to get onto a computer is for an unwitting user to accidentally download a file or click on a malicious but innocent-looking link in an email. The ransomware then presents you with instructions on whom to pay, and how much, to (hopefully) regain access to your files.
Seminar speakers emphasized that your cyber security program must rely on a “defense in depth” strategy, because no one method of protection is foolproof. The first line of defense is always user education. Don’t click on links in, or download attachments from, unexpected emails you receive. At one time, spelling errors or nonsensical content were sure tip-offs of a malicious approach. Unfortunately, hackers have become more sophisticated and now tailor malicious emails to closely resemble those from people with whom you regularly correspond, so even if you are aware of this type of threat, you still might fall victim to it.
Another part of user education is to maintain a password policy that requires users to have strong passwords that are changed frequently and are kept in a way that prevents unauthorized disclosure (i.e., don’t tape your password to the bottom of your keyboard).
Besides user education, maintaining a firewall and up-to-date anti-virus software are critical security measures. Even with both of them, one of the speakers said, “you are only 80% protected.” Then, depending on the size of your organization and the sensitivity and value of your information, you can take more sophisticated measures. These might include security monitoring and intrusion tests by third parties. But also be careful about third-party access to your system. What access does your vendor have? How is the vendor protecting your information? What happens if the vendor has a cyber incident?
One of the final layers of defense you have is to regularly make and preserve good backups of your data, and have a plan for quickly restoring that data and resuming operations after a cyber attack has occurred.
If you run an organization with multiple computer users, be aware of the insider threat, both intentional and unintentional. When an employee leaves, cut off computer access immediately. Be aware of which employees have what level of access to the computer system. When someone from IT transfers to a job in finance, perhaps their rights on the network should be curtailed.
Throughout the presentation, speakers shared many helpful hints. Be careful about networked printers and copiers, especially those with Wi-Fi capabilities. Security on these devices is often weaker than on PCs, so they create a vulnerable entry point into your network. Beware the internet of things. As more and more devices such as televisions, security cameras, thermostats, and other previously innocuous appliances are joined to the internet, they too become points of vulnerability. Never insert a “found” USB thumb drive into your computer, and be leery of those presented as gifts at events (I left the complimentary Arbor Networks thumb drive on the table, suspicious it might be a “test” of whether we were paying attention to their admonitions). Thumb drives are an excellent delivery system for malicious software onto your computer. Regularly check bank and credit card statements for unauthorized activity and report it immediately.
One of the main takeaways from this seminar was this: It is not a question of if you will become a target of hackers, it is a question of when. Mounting defenses against cyber attacks is important, but it is equally important to plan in advance how you will respond to a cyber attack. How quickly and how well you do that will be the first steps in rehabilitating the operations and the reputation of your organization. Doing this in advance takes a certain amount of time and effort, but waiting to consider it until after a cyber attack has occurred only guarantees it won’t be done well.
So thanks to Enterprise Bank for this excellent seminar on an important and timely topic. For more information about cyber security, check out the FBI’s Internet Crime Complaint Center and the cyber crime pages of the websites of the FBI and the Department of Homeland Security.