Two cybersecurity specialists spent time trying to scare business owners with stories about businesses that got hacked.
In "Hacking Trends and How Companies Can Fight Back" at ITEXPO 2023 in Ft. Lauderdale, Florida, the pros lamented how good the hackers have become. They also mused about how some company owners continue to resist disaster planning, such as backing up data religiously.
The best you can do is try to scare away the less dedicated and sophisticated hackers, the experts said. "At the end of the day, none of us are going to be unhackable," said panelist Valentina Flores, CEO at security software producer Red Sentry. "Try to make them go to an easier target."
Professional hacking groups have thousands of vectors for attack available to them now, she said. "Really, the sky's the limit."
"Over one half of businesses that get hacked don't recover," she said. "They just close down."
Those that do make it suddenly find religion in their security software, she said. "The most secure company is a company that got hacked a year ago," she said.
Incorporating a secure backup system is a must if you want to get back on your feet quickly following a hack. "My first word is immutability," said panelist Stacy Hayes, co-founder and executive vice president of Assured Data Protection, a global managed services provider. "A lot of people claim it but don't have it."
Hayes said the first thing many customers do once they realize they got hacked is to "start pulling all the wires out of the backs of the computers." There's no plan, no backup and nobody on staff who can handle the problem, he said.
Companies need the ability to back up data even when it contains malicious code, then restore that data after the malware has been safely excised. "I say this all the time, cyber response planning is difficult," Hayes said. "But it's a very different thing once the balloon has gone up."
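The two properties the panelists ask for here, a backup that cannot be altered or deleted during its retention window and a restore that can reach back past the infected version, can be checked rather than claimed. The following is an added example, not code from the panel, ITEXPO or either panelist's company: a small in-memory model of an append-only, retention-locked snapshot store, a drill function that tries to delete every retained version and reports whether the store refused, and a scanner-driven search for the newest clean version to restore. The snapshot names, timestamps and the `MALWARE_MARKER` byte string are constructed stand-ins for a real backup target and a real scanner verdict.

```python
"""Toy immutable backup store with a retention lock and point-in-time restore."""
import hashlib
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


class ImmutabilityError(Exception):
    """Raised when something tries to alter or remove a retained snapshot."""


@dataclass(frozen=True)  # frozen: the snapshot record itself cannot be mutated
class Snapshot:
    version: int
    taken_at: float
    digest: str
    data: bytes


class ImmutableBackupStore:
    """Append-only snapshot store. New backups add versions; they never replace one."""

    def __init__(self, retention_seconds: float) -> None:
        self._retention = retention_seconds
        self._snapshots: Dict[str, List[Snapshot]] = {}

    def backup(self, name: str, data: bytes, now: Optional[float] = None) -> int:
        """Store a new version of `name` and return its version number."""
        now = time.time() if now is None else now
        versions = self._snapshots.setdefault(name, [])
        snap = Snapshot(version=len(versions) + 1, taken_at=now,
                        digest=hashlib.sha256(data).hexdigest(), data=bytes(data))
        versions.append(snap)
        return snap.version

    def versions(self, name: str) -> List[int]:
        return [s.version for s in self._snapshots.get(name, [])]

    def delete(self, name: str, version: int, now: Optional[float] = None) -> None:
        """Deletion is refused until the retention window for that version has elapsed."""
        now = time.time() if now is None else now
        snap = self._get(name, version)
        if now - snap.taken_at < self._retention:
            raise ImmutabilityError(f"{name} v{version} is retention-locked")
        self._snapshots[name].remove(snap)

    def restore(self, name: str, version: Optional[int] = None) -> bytes:
        """Return a snapshot's content after re-checking its stored digest."""
        versions = self._snapshots.get(name, [])
        if not versions:
            raise KeyError(name)
        snap = versions[-1] if version is None else self._get(name, version)
        if hashlib.sha256(snap.data).hexdigest() != snap.digest:
            raise ImmutabilityError(f"{name} v{snap.version} failed integrity check")
        return snap.data

    def latest_clean_version(self, name: str,
                             is_clean: Callable[[bytes], bool]) -> Optional[int]:
        """Walk newest to oldest and return the first version the scanner clears."""
        for snap in reversed(self._snapshots.get(name, [])):
            if is_clean(snap.data):
                return snap.version
        return None

    def _get(self, name: str, version: int) -> Snapshot:
        for snap in self._snapshots.get(name, []):
            if snap.version == version:
                return snap
        raise KeyError(f"{name} v{version}")


def verify_immutability(store: ImmutableBackupStore, name: str,
                        now: Optional[float] = None) -> bool:
    """Drill: try to delete every retained version; the store must refuse each one."""
    now = time.time() if now is None else now
    before = store.versions(name)
    for v in before:
        try:
            store.delete(name, v, now=now)
            return False  # a deletion succeeded: the store is not immutable
        except ImmutabilityError:
            pass
    return store.versions(name) == before


# Constructed marker standing in for a real scanner detection (not a real signature).
MALWARE_MARKER = b"<<constructed-malware-marker>>"


def demo():
    """Three nightly backups, the last one infected; lock check plus clean restore."""
    store = ImmutableBackupStore(retention_seconds=30 * 24 * 3600)  # 30-day lock
    t0 = 1_700_000_000.0  # constructed timestamp
    store.backup("fileserver", b"clean ledger 2023-01", now=t0)
    store.backup("fileserver", b"clean ledger 2023-02", now=t0 + 86400)
    store.backup("fileserver", b"ledger " + MALWARE_MARKER, now=t0 + 2 * 86400)
    locked = verify_immutability(store, "fileserver", now=t0 + 3 * 86400)
    clean = store.latest_clean_version("fileserver", lambda d: MALWARE_MARKER not in d)
    return locked, clean, store.restore("fileserver", clean)


if __name__ == "__main__":
    print(demo())  # (True, 2, b'clean ledger 2023-02')
```

The drill in `verify_immutability` is the part worth keeping even with a real backup product: run it against the actual store with the credentials an attacker would most likely obtain, and treat any successful deletion inside the retention window as a failed test, not a configuration detail.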
It's not just data that gets compromised during an attack, he said. "The most surprising thing to people after an attack is that they've lost access to their infrastructure," Hayes said.
Telecommunications consultant Peter Radizeski, president of RAD-INFO, moderated the discussion. Who does your company call if it gets hacked with ransomware, he asked the panelists.
"Your first call on ransomware is to the FBI," Flores said. "Then you call your insurance company, then you call legal."
The FBI maintains a database of ongoing ransomware infiltrations, so it may be able to provide information about how to deal with your specific hack, she said.
She suggested companies work with their security vendor to create strong vendor security policies. Flores said that more than 60% of hacks are initiated somewhere in your vendor chain.
Issuing security challenges to your own staff has positive benefits, she said. Keeping employees on their toes works better than sending them to remedial security lessons after the fact, she said. "One of the biggest challenges is getting the customer to take the time to do the drills," she said.
Hayes says he puts his company through infiltration drills at least twice a year. Each effort results in a detailed report that helps them design their defenses against real attacks, he said. His company provides a certificate to clients who pass the test, so they can share them with the board of directors or other potential clients.
If you're new to the cyber security game, or you just haven't taken it seriously, a little effort can go a long way, Flores said. "Changing passwords once a month would be a good first step," she said. "Then get a cybersecurity audit."
"Ten percent of your budget is the minimum you should spend," she said. "It's getting more and more affordable, due to increased competition."
Flores says costs to recover from a professional hack range from $120,000 to $1.2 million. For larger businesses, the tab can run toward $4 million for a serious event, she said. "Whatever you're paying for cybersecurity, it's a lot less than a hack costs," she said.
Edited by Greg Tavarez