By Richard Conn, CREO Staff Writer
Massive data breaches at large companies usually make the headlines, but it’s the smaller businesses that are the most targeted and at risk of having critical information compromised.
That was one of the messages from Jon French, a security analyst at AppRiver, a Gulf Breeze-based cybersecurity firm. French gave a presentation that included tips on how to lower the risk of cyber-attacks during a CEO Roundtable on Cybersecurity held June 29 at Beggs & Lane law firm in downtown Pensacola. The roundtable was presented by Innovation Coast and attended by area business leaders.
“A lot of these are big names,” said French, after mentioning companies such as Target and The Home Depot that have been victims of cyber-attacks. “But, what you never hear about in the news are all the smaller companies that (get) hit.”
Cyber-attackers will go after any private information available at a business, including the names, addresses and phone numbers of its customers. They will especially target credit card information, French said.
“With that, a lot of the banks will catch the fraud and stop it beforehand, but all of the stuff that ends up slipping through, that could be millions of dollars if they have enough credit cards,” French said. “And, they can sell these for pennies on the dollar.”
Attacks with ransomware, where a hacker installs malware to prevent a device from working properly until a sum is paid, are on the rise, French said. Hospitals and universities are among the most vulnerable, he said.
“Ransomware isn’t about how important the files are to the attacker,” French said. “It’s about how important the files are to you.”
Not all preventive measures to stave off potential cyber-attacks are costly to businesses. Setting up password policies, encrypting disks, auto-locking devices and establishing information technology policies are all steps that can easily be taken, French said.
“These are all things that can be enabled,” he said. “This isn’t something again you have to go pay to do.”
Giving employees unrestricted access to company files and drives can also cause information to be compromised, even unintentionally. Trust alone isn’t enough, French said.
“Having everybody have unmitigated access to it – such as someone in sales having access to marketing data, someone in engineering having access to billing data – that can be a huge problem for the company, as well,” French said.
A lot of the data stolen by hackers is being sold on online marketplaces on the “dark web,” French said.
Employees are also vulnerable to spear phishing, where an email sent from a seemingly trusted source is actually aimed at getting access to a company’s confidential data. CEOs of companies are also subject to these threats, attempts dubbed “whaling.”
“These guys that do this, they really put their research in,” French said. “They go to your LinkedIn account, they go to your company ‘about us’ web page. If your Facebook is open, they’ll go through your history. They will put a lot of effort into getting this data, because a few hours of work could net them thousands of dollars, tens of thousands of dollars, for access to company servers, things like that.”
While steps such as encrypting phones and laptops and keeping antivirus software up to date are measures that can be taken, French said there is no silver bullet to prevent cyber-attacks.
“It’s a multilayered approach,” he said. “You have to really target everything internal and external and make sure it’s secure.”