Photo: Eileen EscardaJames Parrish is chair of Nova Southeastern University's Department of Information Systems and Cybersecurity in Davie.
Cyber-security in Florida
Cyber-Defense: The cost of doing business
Bankers hate talking about cyber-security issues but, once in a while, hints emerge. Last year, in testimony before a congressional panel, Frank Cilluffo, director of George Washington University’s Center for Cyber and Homeland Security, made news when he reported a major U.S. bank told him it faced 30,000 attacks — including 22,000 from criminal groups and 400 from nation states — in the week before he testified. “This amounts to an attack every 34 seconds, each and every day,” Cilluffo said.
Another case: J.P. Morgan Chase still got hacked in 2014 despite spending about $250 million on cyber-security [“Hacking as a Business Model,” page 102]. It now plans to spend $500 million.
Spending on cyber-defense is like spending on a security alarm system — except the costs keep rising, upgrades are frequent, the nature of the threat changes and it’s widely said that hackers will break in anyway.
Cyber-defense is a frustrating cost of doing business but a necessary one. “Security adds to the bottom line just as much as electricity adds to the bottom line,” says James Parrish, chair of Nova Southeastern University’s Department of Information Systems and Cybersecurity in Davie.
“You have to secure these systems to use them,” he says. “What’s the alternative? You go back to handwritten letters and wax seals?”
Businesses today face cyberthreats from criminals, terrorists, nation states, hackers for profit, hackers for a cause, saboteur employees and ex-employees. Here are the top cyber-security tips from experts in Florida.
Do a risk assessment. What do you have?Where is it stored? Which employees and vendors can access it?
Insiders are the greatest threat, whether it’s a careless employee or a disgruntled one.
The maxim: People are the weakest link. Read through lists of data-breach cases in Florida and you’ll find a hefty share come from an employee bad actor or an employee who clicked on the wrong thing and let in malware or an employee who downloaded customer information onto a laptop, smart phone or thumb drive and then lost the device.
Rare is the case of a hacker breaking into a company’s system like a safecracker opening a vault.Employees have to be trained effectively on security policies. “Any email you get in your inbox, you have to stop, look and think before you click and take a second or two to make sure it’s not a scam,” says Stu Sjouwerman, founder of KnowBe4, a Clearwater- based security awareness training company.
Encrypt important data. Having data encrypted provides a measure of liability protection.
Purge old records no longer needed. Don’t be liable for a breach of data that’s unneeded.
Backup everything. Ransomware only works if you don’t have backups.
Outsource when you can, says Jorge Rey, director of information security and compliance at accounting firm Kaufman Rossin in Miami. Cloud service providers build their business on security and, given the economies of scale, can provide protection superior to that found in small- and mediumsized businesses. “Trust is a major part of their sales pitch,” Parrish says.