Lexington-based Integrity IT conducts an initial client security assessment to tailor effective training programs and solutions.
Barely a week goes by without another online security breach making headlines. Credit card companies, retail stores, hospitals, financial institutions, universities and an array of businesses large and small have all found themselves on the wrong side of hackers. When breaches happen, firms risk not only a loss of data and intellectual property, but also incalculable damage to their reputation and client trust. There’s also the matter of financial burden, in the form of potential ransom, lawsuits or recovery fees.
So how can business owners stay ahead of the threat? Local cybersecurity experts say it all starts with creating a work culture that prioritizes security—both online and in daily, onsite operations. “You can have all the corporate policies and rules and regs out there—and we do, and everybody does,” said Greg Anderson, data protection officer with Lexmark. “But until you make it part of your company culture and get everyone on board, you won’t have effective change, and you won’t have your employees embracing what you’re trying to do.”
Create a workplace that values security
Lexmark has gone all-in on its mission to create a security-focused workplace culture. Its latest program, called “Privacy@Lexmark,” even has its own mascot: a cuddly animated German Shepherd named “Pal” (written as P@L, an acronym for the program) who now adorns stickers on employee computer stations, white boards, in conference rooms and more. The fun, instantly recognizable mascot helps keep security front of mind for everyone. It’s been so successful, in fact, that the program will be recognized as one of the top 50 business security initiatives of 2019 at the CSO50 Awards, to be presented in April in Scottsdale, Arizona.
Lexmark’s program incorporates a holistic approach to security and privacy that includes both state-of-the-art IT security systems as well as ongoing employee training. “You can have all the tech in the world, but it only takes one person to click the wrong link at the wrong time, and you have an issue,” Anderson said, alluding to the threat of phishing scams or malware attacks.
Invest in employee education
Employee training is an essential first-line defense against attacks, no matter how large or small your business. “Humans are typically the weakest link in any company’s security practices and protocols,” said Ryan Hardesty, president of Lexington-based PhishingBox, which runs simulated phishing campaigns for clients in order to identify potential employee vulnerabilities to cyberattacks. “If you can educate employees and get them to buy in to what you’re doing, then that’s going to be your best approach.”
Matt Hadden, an account executive at PhishingBox, agrees that ongoing employee training and awareness is essential. “The inherent value in what we offer is organizational change,” he said. “It’s behavioral modification through simulation and ongoing education.”
Phil Miller, left, president of Integrity IT, consults with a client during an onsite business technology review.
At Lexington-based Integrity IT, which offers security as well as other IT and cloud services, an initial client security assessment always includes recommendations for “a good cybersecurity awareness training program for their staff,” said Joe Danaher, Integrity IT’s chief information security officer.
At minimum, employees should be trained to identify phishing emails and other social engineering scams. “They should also be aware of the risk of too much sharing on social media, which could put the business at risk, as well as the dangers of re-using their business passwords for platforms outside of business,” said Danaher, who also encourages employees to use multifactor authentication for log-ins whenever possible.
Don’t overlook baseline security steps
Simple, low-cost cybersecurity steps—such as simply keeping anti-virus software and firewalls up to date—are often forgotten or overlooked until it’s too late. Third-party applications, such as Flash and Adobe, can be an easy way for hackers to gain access to your systems, so it’s essential that they’re appropriately patched and monitored, Danaher said.
“A lot of security risks can be averted if you keep your systems updated to the newest version. One of the simplest ways is just to install an up-to-date firewall, which offers at least some baseline protection of your internal systems,” said Zongming Fei, Ph.D., one of the co-directors of UK’s new undergraduate Cybersecurity Certificate Program, which will officially launch this fall.
(The program, a joint effort by the Department of Computer Science and the Department of Electrical and Computer Engineering, will offer specialized courses for students pursuing majors in those departments who wish to work toward a focus in cybersecurity.) Fei feels it’s important for businesses to hire or contract IT managers with at least some cybersecurity experience.
But equally important, he said, is developing a written office protocol for how data should be securely handled—and ensuring that all employees understand and follow these procedures.
“You need to categorize all the kinds of data you handle, and label them with different kinds of security requirements. Then you need to have a document [outlining these guidelines] so employees can explicitly see what the security policy is” in each case, Fei said.
Beyond developing a formal security policy, which PhishingBox’s Hardesty and Hadden also recommend, businesses should also invest in data backup as well as encryption software to provide an additional level of security around sensitive data, such as employee records or clients’ health or financial information, Hardesty said.
At the end of the day, though, staying one step ahead of would-be hackers centers on having a well-educated workforce and a culture that prioritizes privacy and security.
“You want to encourage reporting of certain activities. You don’t want employees hiding things. If someone clicks on a phishing email, you want a culture that enables that employee to report it to the proper person quickly, because those minutes really count,” said Hadden. “A positive, proactive cybersecurity culture is really paramount.”