7 minute read
Protecting Data
Cybersecurity threats target the Midwest, but there are solutions
BY KAYLA PRASEK
In the past several years, cybersecurity and hacking have become major concerns for not only large corporations, but businesses of all sizes. Local information technology experts say if a business hasn’t deemed this important yet, it must.
“A lot of companies don’t have a managed network,” says Justin Stansbury, general manager of Corporate Technologies’ Fargo, N.D., location. “They just plug everything in and never check it again.” Corporate Technologies is a reseller of IT solutions, networks, hardware and IT staffing. Jim Beske, senior network engineer at Corporate Technologies, says most companies “don’t give it a second thought, so they don’t have the proper equipment and they don’t run tests to ensure everything is secure and working correctly.”
Weston Hecker, a network security engineer for High Point Networks in Bismarck, N.D., says he sees companies either ignoring security or relying solely on hardware without having the staff to fix problems. Corey Steele, also a network security engineer for High Point Networks in Sioux Falls, S.D., says most companies “don’t follow the best practices, either because they think it’s too expensive or because it’s too complicated. In return, they’re exposing their clients and themselves to countless threats.” High Point Networks, headquartered in Fargo, is a reseller of IT solutions including infrastructure, unified communications and security, while also providing service to all products.
Mike Pagán, service manager at Network Center Inc., says he, too, sees companies make their biggest mistake by relying “too much on a piece of technology. That is not enough for the threats that are out today. There’s not enough intelligence built into a product to alert you about everything, whether it’s antivirus or a firewall. There are too many ways into a network.” Network Center, headquartered in Fargo, is a network consulting company that provides managed services, IT solutions and app development for small and medium companies.
Kristine Lunde, lead deposit product specialist at Alerus, and Jerry Wynne, chief information security official at Blue Cross Blue Shield of North Dakota, both are involved with IT and cybersecurity at their respective companies and are aware of the mistakes other companies make in regard to security. Both companies have in-house IT departments.
“The two biggest mistakes I see companies making are that the leaders don’t educate themselves and their employees regarding security best practices and threats and then they don’t stay abreast to changing threats and changing technology,” Lunde says. Wynne says the biggest mistake he sees companies make is a “lack of maintaining equipment and not understanding critical threats. There’s also a lack of maintaining patches and keeping software and operating systems updated.”
Best Practices
Beske says the best place for businesses to start strengthening their security is an assessment of weaknesses. “That’s the first thing we do when we start working with a business,” he says. “We’ll assess their operating systems, any updates that may need to be done and their firewalls, along with all the other parts of their network.” Stansbury says Corporate Technologies also makes it a priority to look at critical areas of the customer site, “not just anything that is security-related, but also access and permissions given to employees and former employees, which also need to be taken seriously.”
Hecker says the starting points for businesses should be getting their systems up-to-date and patched. “There are appliances that can fully protect you, but you need to continue upgrading.
- Kristine Lunde Lead Deposit Product Specialist Alerus
If you’re still using Windows XP as your operating system, for example, you are totally vulnerable. They are no longer updating that system, so it’s time for you to move on.”
Pagán says the first line of defense for businesses should be their employees. “You need to educate the users about what to look for in emails and attachments that identify them as viruses or threats. They could receive an email asking for a wire transfer or a phone call from a person who claims to work for Microsoft and they just need to be connected to the computer to fix it. We’re too trusting in the Midwest, and that leads to your business getting into trouble.” Lunde echos what Pagán says, but adds that companies and their employees need to also be educated about security best practices, breaches and reading data.
Businesses should also take a layered approach to security, including an antivirus, a firewall to monitor traffic and restricting what employees can access on the Internet. “You could restrict being able to send and receive traffic to specific countries that have been deemed to have many security threats coming from them,” Pagán says. “This can help protect you from having data stolen and from having a virus that encrypts all your data.” He says companies should also back up all their data, so if it’s compromised, it can easily be restored.
Companies also need to pinpoint the biggest threat to themselves and to their industry, Wynne says. “Figure out what kind of data you have and understand the value of what you have. That will help you determine what kind of security and how much you need.” For companies that have transactions online, Lunde suggests speaking to a bank for best practices when using fraud protection. Alerus offers a free product that will protect computers while on a business’ online accounts, she says.
“They need to make sure they’re utilizing all the tools out there,” Lunde says. “It’s important to understand what goes into keeping their data secure. Knowing what to do when there is a problem, knowing who to contact and being able to catch a problem early are also important. If something seems suspicious, don’t email back or just do what the email says; a phone call is the best way to defend yourself.”
Potential Threats
As Beske points out, potential threats aren’t coming just through an Internet connection, but also via email or by clicking on a link. Steele says the biggest threat, particularly in the Midwest, is ransomware, which encrypts a user’s files and holds those files for ransom. Hecker says this can result in data loss. “Tons of people are being targeted because they don’t protect themselves. No matter where you are, anyone can touch you. The Midwest is one of the highest payers of these ransoms because these companies don’t have sufficient backups or paying a ransom is cheaper than hiring a service technician to recover the data for them,” Steele says. This type of threat is usually either an attachment on an email or a link in an email that seems important.
Another major threat Pagán is seeing more often is cold calls from people claiming to be technicians with Microsoft who need to fix the user’s computer and say they need to be connected remotely to that computer. “These (two threats) are where a majority of attacks are coming from. It’s easier and cheaper to attack a user than to hack a firewall. It’s easier for a criminal to go through users because they have a lot of access to the system and are the weakest links.”
“But that’s not all that’s out there,” Steele says. “There are still 10-year-old viruses out there.” Additionally, there are now what’s called zero-day viruses. “There’s no antivirus solution that can protect you from these,” Wynne says. “Ten years ago, these would’ve made national news. Now, we see one to two of them per week. They’re so common that they’re very hard for most organizations to combat.”
Point-of-sale (POS) systems, particularly at small businesses, can also be attacked, Steele says. “Every small business has a POS system, which attacks can be aimed at. They need to know what the POS system company is doing to protect the client, especially if they have a full-blown POS system that can be compromised.”
IT Services
When it comes to managing IT, a company has two options: build up an in-house IT department or outsource IT management. Lunde, of Alerus, which has an in-house IT department, says it’s important a company partners with the right firm if outsourcing. “If you’re outsourcing, they may not be part of your environment, so you need to make sure they understand your business. You also need to know how quickly they can help you if there’s a security breach.”
Steele says it’s important businesses “look for a partner who’s going to bridge the gaps the company may have. The IT company you choose will be your partner who knows the IT side and can come in and fix any issues you may have.” Hecker says companies need to make sure they choose someone who “genu- inely cares about the customer. Make sure they aren’t just selling a solution, that they’ll be there to service it when something goes wrong.”
When choosing a partner, “it’s important for customers to have an idea of the history of the organization,” Pagán says. “Make sure they’re qualified to do everything you need. It’s important to have things planned out if there are issues. Accountability is important.”
Stansbury says Corporate Technologies has a 24/7 help desk and multiple technicians always available. “We’ll try to resolve your issue at our help desk, but if we can’t, then we’ll dispatch a technician. If it’s an emergency, we can always pull someone to get them to the company immediately.” Corporate Technologies provides managed IT services to about 15 percent of the businesses in the Fargo area, Stansbury says.
Pagán says it’s also important that the IT company provides user-initiated support. “They should not have unlimited access to your network unless you want that. There also needs to be communication about what has been done during a service call.”
In parts of the Dakotas and Minnesota, unemployment in the cybersecurity industry is at zero so “it can be very difficult for businesses to find good people to manage their IT,” Wynne says. “On the flip side, outsourcing can bring in people who may not treat your network the way you want.”
For in-house IT departments, it’s important the technicians have the experience needed to support the company, Lunde says. “At that point, IT really becomes part of the culture. Your IT technicians can interact with you on projects and really become part of the company’s day-to-day operations.”
Wynne says BCBSND values its members’ information “so we have invested a lot of time and money into protecting it. We stay up on what our data is worth. The amount of time people spend recovering data is astronomical, and they will walk away from brands because of it, so organizations need to be aware of what they have and protect it.” PB
Kayla Prasek Staff Writer, Prairie Business 701.780.1187
kprasek@prairiebizmag.com
