The Business Side of Cybersecurity
Much has been written about the consequences of opening an email that appears legitimate but in fact carries malware, exposing a company’s network to attack. Beyond the immediate damage to a compromised network, the financial repercussions are many when sensitive customer information is breached, opening the door to widespread identity theft. Financial liability from a cyberattack can do significant damage to a business, but there are steps that can be taken to protect against inherent vulnerabilities. And while they may seem simple, it is important to make sure the basics aren’t being overlooked amid a focus on advanced threat response. Equally important is to make sure your customers are following these steps as well.
For starters, it is important to make sure that updated patches are being applied on all servers and personal computers. A patch is typically a set of changes to a computer’s operating system/programs and is designed to update, fix or improve security vulnerabilities and other bugs. Since a patch’s primary job is to repair issues or fix security flaws, these updates should be mandatory.
The second “must do” prevention measure is keeping antivirus software updated. Typically, these updates are pushed out without any knowledge of, or input from, the user. That is the good news! Unfortunately, we have seen situations where a user is able to, and decides to, turn off virus protection. There is a simple solution … do not do this. Make sure the antivirus software is on and that the updates are actually occurring on a regular basis.
It may be one of those “goes without saying” measures, but strong and complex passwords are, to my thinking, an important component of thwarting hackers. A 12-character password, changed every 180-plus days, is the way to go. The 12 characters should not include a straightforward dictionary word but rather should be a random mix of letters and symbols.
Also, make sure that the standard user ID and password of any third-party device that connects to your network – a wireless router, for example – is changed. Anecdotally, an IT assessment performed recently gave an “F-” to a device responsible for securing and locking doors and operating security cameras. The vendor that implemented the device never changed the standard user ID and password within the security system. As a result, we were able to externally access the system, open and close doors and move cameras around.
Be aware of other vendor access to your networks; third-party access for HVAC or VoIP systems and the like is often granted without thought to the possibility of security violations. Word to the wise – find out what the vendors’ security protocols are, and limit when and how the vendor(s) can access your network.
The importance of employees knowing their role in securing both their own and the company’s information cannot be overstated, as there has been a sharp rise in phishing and spear-phishing attacks. These are personalized email attacks in which a hacker crafts a message that appears to come from a trusted co-worker or known business entity – with the ultimate goal of stealing sensitive or confidential information. Train employees to “trust but verify” email.
This brings up another important point. Given the frequency with which cyberattacks occur these days, be sure to have an incident response plan in place. Many organizations have a head-in-the-sand attitude, believing a cyberattack will never happen to them, but in fact all businesses need to prepare for the worst. Incident response planning and upfront training are a must for an organization to proactively deal with a security breach.
Cyber insurance is on the rise and can provide some peace of mind for businesses, but you need to clearly understand what these policies cover and the extent to which they protect you. Regardless of what and how much it covers, cyber insurance should be one spoke of your cyber protection plan, not the entire wheel.
In order to best protect your organization against a cybersecurity attack, you need to know your security weaknesses. A professional assessment can identify immediate risks in many categories, including:
- Network and application access
- Perimeter technology
- Wireless communication
- Endpoint security controls
- Security posture
- Network design and segregation
- Network share resource access
- Backup recovery capability
- Email protection
- Remote access technology
- Personnel cyber readiness
Assessments are based on operational and technical controls to quickly and accurately identify any gaps and weaknesses that may expose an organization to a cyberattack.
With a few fundamental measures, organizations can take preemptive steps against the cyber threats facing their business.
Jeffrey Ziplow, MBA, CISA, CGEIT is a partner at blumshapiro, the largest regional business advisory firm in New England. He can be reached at jziplow@blumshapiro.com.