In the world fast-changing world of IT, security is still “the burning thing, the hottest thing going,” said Mark Shaw, owner of Stored Technology Solutions (StoredTech),
“The cyberworld is a really dangerous place,” said Jim Lapointe, president of Colden Company in Ballston Spa. “And, more often than not, it’s the small business that has the vulnerability.”
While agreeing that security should be a business owner’s “first and foremost” concern, Dan Bardin, CEO of Tech-II Business Services in Saratoga Springs, emphasized the importance of businesses having a recovery plan and making sure that it works. Computer systems are vulnerable to disasters ranging from hackers and scammers to fires and floods, he said, but with a consistent and reliable backup system, they can recover.
All three emphasized the critical need to educate employees on security issues.
“Users themselves are the biggest threats,” Bardin said, because they can inadvertently go to a malicious link and open the door to a threat.
“The very first thing is to look at your people,” he said, because a disaster often begins with “good people trying to do their job and making a mistake.”
Shaw sees three levels of security needing attention: physical security, cybersecurity, and insurance.
He emphasized that the first level of security should be “at your door.” Business owners should consider good locks on the doors, outdoor surveillance cameras, and other means of controlling access to their buildings. Second is cybersecurity, beginning with educating personnel on the risks and the latest scams making the rounds.
Then, consider technical protections like encrypting data and setting up good backup systems. Remember, he warns, that a hacker may be less interested in who you are than in who you touch. That includes client lists, a heating and air conditioning contractor’s access to a hospital’s computer system.
“You see how crazy these things can get,” said Shaw.
Businesses should also face the fact that the precautions may not work perfectly and purchase a good cyberinsurance policy. He said “companies like mine work hand-in-hand with insurance companies everyday,” he said.
Lapointe pointed out that a company is legally bound to protect private information. The law varies from state to state, and New York state has a fairly detailed law.
A company may not only be breached but may be fined as well if private information gets out, he warned. Newer software systems like Windows-10 Professional make it a lot easier to encrypt data so that a thief will not be able to read what is stolen from a hard drive. “It’s something more businesses should be doing,” Lapointe said.
Bardin said having both a local backup—such as an external disc drive—and a remote backup, which could be an image-based backup of an entire computer system, not just data. The remote backup is typically at a data center (“the cloud”), but some companies have a physical backup, such as a disc, that can be stored in a safe and taken out from time to time to be backed up.
“If I can recover your files,” Lapointe said, “You know there is going to be an end to the pain.”
If, for example, a hacker steals data, encrypts it, and demands ransom before it will be unencrypted and returned, Lapointe said there are three choices: lose the data, pay the ransom, or restore the server from backed up data.
He recommended routine maintenance of the system, regular software updates and retaining a reliable provider to take care of he business in case of disaster.
Shaw said it is good to have a written internet service policy (WISP) to guide employees. He emphasized that security is not something that is only done once. You need to know that it’s a process.”
Part of the process can be testing the security system to see how well it works. His company uses third party vendors to try to penetrate a system. “I can’t be the guy finding the weak spots and fixing them. That’s too shady,” he said.
Also work with the “legal and insurance guys,” said Shaw.
Lapointe said there has been a tremendous growth in wire fraud over the past five years and, in particular, in the past year. Losses from wire fraud totaled about $675 million in 2017 and $685 in just the first six months of 2018, he said.
Typically, someone will send an email ostensibly from within the company asking for information or money. The recipient may not realize that it is a bogus message and send the requested data or money. The key to avoiding such attacks is to educate and train personnel to recognize the message as fraudulent, Lapointe said.
Five years ago, he said, the attacks targeted hedge funds and other large financial organizations. “Now they are hitting the small mom and pops.”
Lapointe has taken a particular interest in the ransomware problem. “We really dug into how some of these ransomware programs work,” he said.
Shaw described his company, Stored Technology Solutions, as a “holistic IT provider,” specializing in both physical and virtual security. They began in 2010 in Queensbury and now have offices in Plattsburgh, Albany, and Raleigh, N.C.
Colden has been in business for 15 years. Their offices are in Ballston Spa and St. Augustine, Fla.
Tech-II is headquartered in Saratoga Springs with another location in Latham. The company began 36 years ago, developing telephone systems. Bardin worked for Apple and then formed his own company which was acquired by Tech-II. He has been there for 20 years.