Business leaders shook their heads at the alarming vulnerability and high costs associated with phishing emails, data breaches and scams exposed in a recent cybersecurity program.
About 100 people attended the March 21 program, “Real World Cyber Security Knowledge for Your Business and How to Apply it,” at The River Club.
It was sponsored by the Association for Corporate Growth North Florida, a networking association for executives, investors, business owners and professionals.
Cyberattacks are becoming more common, according to panelists, and it can take months for a breach to show up and reveal the harm to the company and its reputation.
Phishing emails, in which an attacker masquerades as a reputable company or person, are the most common type of attack, representing about 90 percent of business breaches, the panelists said.
They cited new phishing scams that hook employees by purporting to be about the delivery of a FedEx package or a way to check their pay stubs.
An FBI agent on the panel, who asked not to be identified for security reasons, referred to a December case involving 11 Nigerians who were indicted on federal charges in a phishing operation that duped a Jacksonville business and other companies across the country.
High-level employees were persuaded to turn over thousands of W-2 forms, which the cyberthieves used to defraud the IRS of millions of dollars.
The most urgent questions raised Thursday involved ransomware and whether a company should pay an extortionist so it can get back to business.
The jury is still out on that question. While the FBI agent didn’t recommend it, other panelists said it’s a difficult decision that should be made case by case, considering liability, the cost of data restoration and the cost of being shut out of business.
Attendees heard that a Jacksonville company recently paid $1 million to end a ransomware attack after concluding it couldn’t function without the data that was being withheld.
Paying often does work, the panelists warned, because the scammers want to get paid and want victims to keep paying in the future. Apparently, there’s still honor among thieves, they said.
“It can be a very disruptive, chaotic situation,” said Eric Canavan, senior vice president of information security and technology risk at TIAA Bank.
He recommended that businesses play “war games” to test their defenses’ ability to respond to attackers.
“If you have that preparation, you’re a lot better off,” Canavan said.
No security program is foolproof, and many companies don’t understand their risk, said Rodney Murray, principal IT adviser at the Dixon Hughes Goodman accounting firm.
“Often, there’s a general disconnect between IT and upper management,” Murray said.
Here are some steps the panelists recommended to reduce the risk of cyberattacks:
• Do annual network penetration tests to ensure your system is up to date.
• Have educational campaigns to train employees how to identify phishing messages.
• Segment networks, such as human resources and research and development, to diminish the impact of a disruption.
• Test backup systems.
• Develop a user-friendly incident response plan the average employee can understand.
• Know your risk tolerance and what you’re trying to protect, whether that is sensitive business plans, personal information and credit card data, or the cost of business coming to a halt for a few days.
• Have a well-planned response policy and a response team that includes IT, chief executives, a lawyer and public relations people.
• Use a mix of in-house IT resources, the cloud, third-party advisers and multiple backup systems.
• Get to know who the bad guy is and how he might attack your network.
• Keep abreast of cyberattack trends by reading data breach reports from sources such as Verizon or publications from the U.S. Department of Defense.
• Buy cyberinsurance to cover liability and the recovery costs of data destruction, extortion, theft and attacks.