Staying secure in the face of constant cyber threats
By Amy Smolik
For the Greater Sioux Falls Chamber of Commerce
It can be as simple as receiving an email from a trusted source with an expected file name attachment and clicking on it — opening your device to malware. Or a printer that hasn’t had its software updated in years, which is connected to a work computer that allows access to employee credentials and financial documents. Or that music player you use in your office that uses your work log-in credentials.
All of these examples are pinholes that attackers can use to work their way into your system. And what attackers can do when they have access to your information can be devastating. Security should be in the top five concerns for employers, along with how to pay their employees, said Tom Pierigastini, a security analyst and penetration tester with RedTeam Security.
“If you fail (at security), the costs can be catastrophic,” he said.
A security breach can bring lawsuits, data breaches, costs in fixing security or technology and loss of reputation, he said.
Pierigastini is one of the presenters at the upcoming Greater Sioux Falls Chamber of Commerce-sponsored Cybersecurity Conference, which will be held Sept. 30. The conference is designed to share information pertinent to businesses of all sizes to better protect them from cyber threats.
Cyber threats are not a new business concern, but they are perhaps more top of mind because more employees are working remotely. SDN Communications Vice President of Engineering, Operations and IT Jake VanDewater said SDN saw a jump in customer requests for bandwidth increases and additional VPN connections for remote users to have secure connections back to their office.
VanDewater is also a presenter at the conference. Earlier this spring he shared a webinar with Chamber members about ways to stay safe while working remotely. His presentation at the Cybersecurity Conference builds on that information, with a focus on staying safe while working remotely.
Being cyber safe is important wherever employees are working, VanDewater said. Ransomware and business email compromise both result in a loss of productivity as well as potential costs to restore those network resources, he said. Historically, hackers have used ransomware to lock businesses out of their own data. They request a ransom in order to return access. The mitigation plan has been proper backups, VanDewater said. Now, hackers are threatening to release private data to the public if a business does not pay the ransom.
“Businesses should have policies in place to help guide employees and another key thing is know your insurance,” VanDewater said. “The advice we’re hearing more and more at cybersecurity conferences is that you should have cyber insurance. It’s become more commonplace. The assumption now is that you have it and if you don’t, you should.”
The weakest link, however, still comes back to humans, VanDewater said. A business’s network can be secure and have top-of-the-line security, but all it takes is a single employee to click on a link and allow the wrong thing to come into the network. Keynote speaker Mary Franz will address how hackers use social engineering as a cyber threat.
Conference attendees will also be able to see how easy it can be to gain access to sensitive information — even from devices found in the home. RedTeam Security’s Pierigastini will do a live hack in real time, showing how internet of things devices like surveillance cameras, music players, thermostats and more can become the way an attacker gains access. It’s not unheard of, he said, for attackers to find a pinhole through a device that someone forgot about.
“Our job is to identify vulnerabilities and assess risk. We use tactics and techniques that are able to determine how vulnerable an organization is — this can involve breaking into buildings, email phishing tests, seeing how far someone can get into someone’s network, it’s a never-ending space,” he said.
RedTeam Security works with businesses of all sizes, from non-profits to financial corporations and everything in between. Many employers shifted to remote work during the pandemic, which has made security awareness even more important. A hacker’s end goal is not to breach — their objective is getting the data they want.
“As people get more remote, you need to enforce separation between work and home,” Pierigastini said.
That can mean keeping a separate laptop dedicated for work items only, as well as policies about what can be plugged into those laptops, when and how files can be accessed — all to help keep information safe.
“You need to think heavily about what assets you need to protect and what employees need in order to do their jobs,” he said. “Otherwise, you can lose data left and right and never even know it.”
Businesses face significant financial loss when a cyber attack occurs. In 2018, the U.S. business sector had the largest number of data breaches ever recorded: 571 breaches, according to the Cybersecurity & Infrastructure Security Agency (CISA). CISA was created in 2018 to help improve cybersecurity across all levels of government. Cybercriminals often rely on human error — employees failing to install software patches or clicking on malicious links — to gain access to systems. Businesses of all sizes can benefit from penetration testing like what RedTeam Security offers. But even without using security testing, there are a number of basic safety protocols businesses can put in place to keep employees, data, customers and capital safe while working in the digital space. See the box below for some basic security tips from CISA.
Employees at Real Property Management Express’s Sioux Falls headquarters have been working with remote team members for several years, both in the Philippines and the Mason City, Iowa satellite location. Since the rise of COVID-19, however, the number of remote workers has grown.
The transition to remote work was easier for some employees than others, said Merlin Huff, President, COO & Integrator at RPM. Initially, working remotely seemed highly productive, Huff said. Like other employers, they dealt with challenges like maintaining a sense of morale, making a clear delineation between work and home life, and inroads into productivity that can happen while helping teach children from home, for example.
“All that being said, we were set up very well for transition to home work,” Huff said. “The challenges are more of a social aspect than technological.”
Some of the technology tools the RPM team used to stay working include Voice Over Internet Protocol (VoIP) telephone systems that don’t require a phone line. Each employee also has a laptop equipped with a microphone and camera. The team still gathers — virtually — for a Monday morning all-hands tactical meeting, which helps with boosting morale and staying connected. And the operations team still huddles daily to review key performance areas and ensure everyone is moving in the same direction.
Sioux Falls Cybersecurity Conference
An online conference for business owners, managers and IT professionals.
Wednesday, Sept. 30
8 a.m.–1:30 p.m.
Details at siouxfallschamber.com
Additional breakout sessions include:
When Smart Homes Attack
Cybersecurity for Small Business
Cybersecurity Tips for Remote Workers
Current Cybersecurity Threats and DHS Resources
Eye of the Cyber Storm — Managing Cyber Risk for Your Organization
Huff credits being in the property management industry for giving their team the comfort to look at physical spaces and see how to make better use of real estate. They’ve adapted their Sioux Falls office space to enable more social distancing and still have team members working remotely.
“We’ve always wanted to approach what the future of work looks like. The technology we’ve built in can still be used with business as usual. It has the added advantage of applying when we’re in an emergency situation,” he said.
While the RPM team doesn’t include a dedicated IT professional, staying on top of digital and technological trends — as well as how to be safe and secure — is important. Since the pandemic, Huff has participated in a number of webinars about working remotely and ensuring security. He also attended the 2019 Cybersecurity Conference in Sioux Falls. Huff took away new information from these presentations, which has been helpful for the team.
“I don’t know what I don’t know. And what you don’t know can hurt you,” he said. “As we grow, there’s a greater likelihood that someone will step into a phishing trap. How do we protect our customers and staff?”
From password keepers to working in the cloud to having best practices for using technology, some of the tools they already had in place continue to serve them well as employees work remotely. As the team in Sioux Falls continues to grow, Huff expects to look into ways to best use their physical space and the varying ways they want to adapt to how employees want to work — and how they best work. It is an iterative and cyclical process, he said.
Adapting as information and technology change has served the company well and is a mindset they seek when hiring employees. While the future of work during an ongoing pandemic is still unknown, being adaptable and paying attention is key, Huff said.
The RPM team is already doing many things well to keep their data safe, according to RedTeam Security. Having the right technology and tools can ensure employees are productive while working remotely. But cybersecurity remains important, whether working from the business office, home office or at a coffee shop.
“Security is not a game of perfection. It’s a game of getting better. No one is 100%. We’re still discovering these things all the time. We’re trying to raise the costs and efforts to the point it becomes unreasonable. We’re trying to make it harder for unskilled attackers to successfully attack an organization,” said Pierigastini. “At the end of the day, it comes down to culture or process.”