That’s how confident the businesswoman and her IT department were that their firewall and security systems would keep the hacker at bay. So she signed the $100,000 contract.
Fast forward three months. The hacker arrives at the business with stacks of paper containing all the vendors’ and customers’ sensitive data, along with a flash drive with all the data.
How did he do it?
Instead of conducting a traditional hack into the company’s computer system, the hacker applied for a job at the company, landed the job and then downloaded all the sensitive information onto a flash drive on his first day.
The hacker submitted his resignation from the job in exchange for the $100,000 check. To the businesswoman, it was $100,000 well spent.
This example of how companies place their sensitive data at risk was cited at the Jan. 16 gathering of the Middle Market Entrepreneurs of Colorado Springs.
Panelists spoke about cyber security and risks and business continuity during disasters.
“You’re probably not going to be compromised the way you think,” said Trevor Dierdorff, president and CEO of Amnet, a Colorado Springs IT company. Dierdorff served as moderator.
Business leaders should look at all the risks and prioritize critical information that should be protected, said Steve Schneider, CB Insurance.
“Don’t look at everything and think it’s all going to fall apart,” Schneider said. “Look at what truly will put [you] out of business.”
“Business managers don’t think about threats. We don’t think about this as much as we should, until we’re driven to,” said Gary Bain, president of Delta Solutions and Strategies. The company specializes in systems engineering and technical assistance. “What you do pre-loss will help you tremendously post-loss.”
Looking at a company’s vulnerabilities can be overwhelming, said Kris Beasley of Centurion Strategies. After serving more than 20 years in the Air Force, Beasley created Centurion to provide cyber security and other services.
It’s not possible to be protected 100 percent of the time, Beasley said, “but you can protect yourself 98 percent.”
Companies looking to hire an information technology (IT) specialist should ask around, Schneider said. Eventually, there will be a national certification system in place for people working in cyber security, which should delineate trust.
As for insurance to protect companies from losses as a result of hacking, “like anything else, insurance will help you recover,” but it won’t help a business’ reputation recover, Beasley said. “Some things insurance won’t cover at all if you haven’t done a pre-loss assessment.”
Companies can use social media to help manage any reputation damage as a result of cyber breaches, Schneider said.
Every year in Colorado Springs, the Rocky Mountain AFCEA (Armed Forces Communications and Electronics Association) holds a cyberspace symposium. This year, it takes place Feb. 3-5 at The Broadmoor. Beasley is chair of the conference. For information, visit rockymtn-afcea.org/registration.
There has been a “major shift to try to figure out how to really share information” when there has been a breach, as in the case of Target, Beasley said. “The president supported a national standard for breach notification. A lot of companies are not willing to share unless they’re pushed.”
“We need to be open about it,” said Schneider.
Beasley agreed, saying the military’s position is to “get out in front of the problem. Your reputation is going to ride on how you handle it.”
The issue of cyber security is “coming at you, regardless of your business,” Schneider said.
The most important thing a business owner can do to thwart cyber threats or to protect information prior to a disaster is to “just start,” Beasley said.