Cybercrime is projected to cost businesses $2 trillion in 2019, so cybersecurity continues to be top of mind for businesses. With hacking, malware, social engineering, and other breaches on the upswing, Wintrust recently invited dozens of area business leaders to a seminar about cybersecurity threats for businesses.
The three presenters were:
- Tom Wojcinski, director, risk and advisory services at Wipfli LLP
- Jay Shelton, senior vice president of executive risk at Assurance
- Ezra Jaffe, group senior vice president and head of treasury management sales at Wintrust
Wojcinski, Shelton, and Jaffe took part in a question-and-answer roundtable on a variety of topics related to cybersecurity, including the lack of knowledge about cybersecurity, how to train employees, and cyber insurance.
Here’s a brief recap of some of the topics, edited for brevity and clarity.
Where do you start when you have a client or a prospect who doesn’t know a lot about cybersecurity?
Ezra Jaffe: If your goal is to create a perfect system to capture everything, I think you’ll curdle under your own weight. So, from a process standpoint, I’d start by making some improvements along the way. We could give you a list of a dozen things you’re supposed to do. But, if you don’t do any of the dozen, it won’t be a manageable process. I think companies should use a continuous process focused on always improving.
Jay Shelton: Sometimes it’s the simplest things you can start with. What are your vulnerabilities? We talk a lot about employees being the weakest link to the greatest security system in the world. Do your employees know what to look for in vulnerabilities? Social engineering? Emails? Secondly, what are you going to do if you are hacked? This leads you down the road starting with two easy things: how do you prevent it, and how do you respond to it? Plus, seek out professionals to help you. You don’t need to be a technical expert to know the fundamentals.
Tom Wojcinski: The conventional wisdom within the industry has always been to start with a full-risk assessment and implement a full framework. But, what we’ve found in small to medium-sized businesses, is that’s a challenging place to start because these frameworks require so much. So, we like to start with a penetration test. We sit down with the management team and owners and ask what their critical assets are. Then we’ll see if we can break in. If we can get to those assets, we’ll show them how we did it so they know what to improve. Then, from a continuous-improvement perspective, they should get on a cadence with staged break-ins. They need to do them annually or every two years to make sure their defenses are as evolved as the tools and tactics of the attackers.
How do you handle the end user?
JS: Employee training is critical. How is an employee supposed to know what a socially engineered email looks like until they’ve actually gone through training and seen it? And, then, what do they do—or don’t do—with it? I’m talking about monthly training for 12 months of the year. It has to be a continuous training cycle. Send phishing emails out and test your employees. If they click on it, that means they failed and they get immediate training. It’s a continuous program that’s no different than safety training.
TW: The key is repetition. When security awareness training first started, everybody thought it was a multi-hour event. But, studies have shown that’s not the way adults learn. It’s all about training with digestible components on a more frequent basis. The good security awareness programs that are out there break it into five or 10-minute sessions so they can get the message out there. Then you’ve got to follow it up with the simulation and track who is continuously failing those tests.
EJ: If your business is banking online, a single employee shouldn’t have the authority on their own to send any money from the online banking system. It should be dual control, where one person initiates the payment and another sends out the payment. So, even if they mess up, there’s a second set of eyes. That way you can put control on it.
Why should a company consider cyber insurance?
JS: I’m of the school that good, preventative measures are where you need to start. If you can do everything you can to prevent the hacking and any kind of breach, that’s where you should spend your money. Looking at cyber insurance, though, people make mistakes. Hackers change how they get into the system. So, the question you want to ask yourself is: If you get hacked, do you want to repay that by yourself, or do you want someone else to share the cost?
A cyber policy is unique compared to other policies in that it comes with a lot of resources. If you have a breach, you don’t know exactly what’s going on, but you know something happened. And, it might take you three days to figure it out. Having that resource, you have a person who is going to help you navigate something that’s coming apart on you very quickly.
Would it be in the best interest for a company to use credit cards to pay their bills?
EJ: I love when businesses use their credit cards. Credit cards have some great safety features built in. You’ve got limits you can put in place, you’ve got curbs on which vendors you can go to. We believe credit card is one of the top ways to pay.
We’ve talked about a lot of negative stories today. Do you have any success stories in regards to cybersecurity threats?
JS: What I am seeing is people starting to take this serious. Companies are hiring CISOs (chief information security officers) instead of using the IT team. CISOs come in and design a system focused on that next-gen type of cyber security and keeping the system functionable, because the system has to evolve; it can’t stay stagnant.
TW: A lot of the recent successes we’re seeing are with companies that have implemented managed-detection response teams, which have a real-time understanding of malicious activity within their network. I was talking with the company that’s our technology provider, and they successfully thwarted a ransomware attack because they recognized the lateral movement and the reconnaissance on the network. Because they’re in there on a real-time basis, they were able to shut down those processes from running on those computers and prevent the ransomware from taking place.
At Wintrust, we understand the importance of fraud prevention. That’s why we offer several services geared to protect your business from cybercrime.