SIOUX CENTER—The people of N’West Iowa are trusting. It’s the kind of place where you can leave the house unlocked or the keys in the car.
But that kind of trust is easy to take advantage of, especially when it comes to their digital presence.
Senior network consultant Josh Folkerts has worked with Premier Network Solutions in Sioux Center for eight years, and for all eight of those years, area businesses have been impacted by cyber security breaches.
“It doesn’t always make the news. There have been big ones and small ones,” Folkerts said. “There was a situation recently where a company’s e-mail was hijacked. Someone created a rule and put all the e-mail in a folder and then they engaged with the customers pretending to be the company, trying to get them to direct the money to a different account.”
There’s big money to be made through cyber crime, and it’s a growing problem.
People think their information isn’t useful to a cyber criminal, Folkerts said, but that’s not true. If it’s important to you, it could become something a criminal tries to leverage, letting you regain access or control in exchange for money.
Frank Bulk, chief technical officer for Premier Network Solutions, agreed.
“If you’re a plumbing store and you have all your orders and billing history and inventory on your computer, a hacker isn’t going to care that John Smith ordered a toilet,” Bulk said. “It might not be important to the hacker, but if you can’t do business and you don’t have that information anymore, all that information is locked up or encrypted, then that’s a big problem for you. Maybe you’d be willing to pay $5,000 or $10,000 to have that information back.”
Folkerts has seen instances where an e-mail is sent notifying payroll that an employee has moved, so paychecks should be sent to a new address, when the employee hasn’t really moved.
Keeping a business secure from these kinds of attacks is not just an IT department problem, according to Folkerts.
“IT security is an entire organizational issue. Your IT departments can help you with this stuff, but it takes everybody in the organization to stay safe,” he said.
A good place to start is by preparing ahead of any cyber security breach. That begins by thinking of it as inevitable rather than something that likely won’t ever happen.
“It’s going to happen, whether it’s a major, crucial event that cripples your business for a longer period of time or else just a small blip,” Folkerts said. “It will happen.”
One of the best things a business can do is invest in business-level firewalls, anti-virus and anti-malware software, which are more sophisticated in their protections.
But investing in the right software isn’t enough. Training all staff is necessary, too.
Phishing, for example, is an increasingly popular attack. Phishing happens when a criminal attempts to dupe a person into opening an e-mail or other message and following a malicious link. The criminal does this by posing as a trusted entity, like a manager.
In training sessions that Folkerts has done, more time is given to helping staff better recognize these phishing attempts.
“I emphasize that it’s for everyone in the company, from the part-timers all the way up to the CEO,” Folkerts said.
Another hazard for businesses is that most people use the same few passwords for their personal lives as they do at work. Keeping different sets of passwords for work and for private use is an important step to maintain security.
There’s long been insurance to protect home and property against a number of natural disasters, but now people can guard their businesses against digital threats with insurance for cyber crime.
“There’s some wisdom there that in case something bad happens, you’d have some way to pay for forensic analysis or recovery,” Bulk said. “Then also if you have to do something for your customers, maybe you have to compensate them in some way or get a lawsuit.”
“A lot of times we find that people are unwilling to spend money on the security products upfront, but as soon as an event happens, then the checkbook opens and it’s easy to decide to pay for stuff,” he said. “Why not reverse that and try to pay for those security measures upfront? It’ll do more to protect your business so you don’t have to pay so much on the back end — not to say there won’t be any costs on the back end.”
If there is a data breach, IT consultants can help analyze the situation and determine what needs to happen next to bring the company back to a secure position. That’s the kind of work that Folkerts does, as well as working with clients ahead of any problems.
The most important thing is to have an intentional, thought-out plan ahead of time, a set of procedures for a company to follow should any security breach happen. Doing so can speed up recovery time and limit losses.
There are many questions that business owners should be asking themselves as they prepare: “How are you going to deal with it? What will your action be? If you lost data or it’s encrypted, do you have a way to recover it? Are you OK with losing a week’s worth of information or only an hour of information? Those conversations need to happen in advance.”
Folkerts used railroad work as an example of the power of planning.
“If they notice a problem with the railroad, they have umpteen people here in very short order,” he said. “Why? Because they have practice at it, yes, but they also have their procedures down and people trained so that when something happens, they can call people to come.”