This story is the sixth in a statewide series about cyber security and small businesses, supported by the Michigan Small Business Development Center.
In an increasingly connected world, education is the number one deterrent against hackers who hope to profit by stealing people's personal and financial information.
That’s the message Oakland County and Tech248 reiterated during a recent free seminar held in the Board of Commissioners Auditorium in Pontiac. The seminar was aimed at both governments and small- and mid-sized tech companies in the Midwest seeking to learn more about cyber security measures and SANS cyber security training.
Oakland County hopes to bring SANS Institute training to Michigan. Recognized as a leader in cyber defense training, SANS provides live and virtual, classroom-style training. According to the company’s website, its programs reach more than 165,000 security professionals worldwide, ranging from network administrators to chief information security officers. Its clients include global corporations and universities.
Phil Bertolini, deputy county executive/CIO of Oakland County, discussed County Executive L. Brooks Patterson’s commitment to helping businesses combat hackers. “The problem you have with any kind of organization, whether it’s a government or a business that’s mid-sized or small, is that they don’t have the resources on board to help fight the fight,” Bertolini said. “They’re less likely to have cyber security professionals on the team that can just focus their time entirely on that fight.”
What most companies end up with is IT people or other operational people trying to wear two hats – which might be one too many.
“What we’re trying to do is raise awareness, and provide an avenue for them to be educated so that they’re better able to fight,” Bertolini said. “This is a battle that will never be won; it’s going to go on forever, but we can raise that knowledge level.”
The goal of Chris Burrows, Oakland County’s chief information security officer, was to educate attendees about real and potential threats to their computer systems. It was also an opportunity to show SANS that Michigan—and Oakland County—take cyber security seriously. He hopes to push for courses held locally on a quarterly or annual basis.
There are some pockets of training in Michigan, Burrows added, but not enough. “That’s why I invited them (SANS) to come here. I imagine that if I get enough feedback, they can offer a class or two later this year.”
Burrows said that all too often, small businesses don’t regard themselves as having anything a hacker would want to steal. That’s an erroneous conclusion.
“If you are a business, you have money. You have intellectual property. You have assets that can be valuable to someone else,” Burrows said. “You’re going to be breached one way or another. If you can make it harder, the chances of you being breached decreases.”
“There’re three billion people online right now – lots of opportunities for [hackers] to try to hack them, rather than hack you. Educate yourself. Educate your team,” Burrows adds.
Keynote speaker Jeff McJunkin, a senior technical analyst with Counter Hack Challenges, delved into some recent security breaches that made big news, particularly a cyber-attack on Target that resulted in the theft of credit and debit card information from 40 million customer accounts. Target, which brings in $72 billion in revenue annually, had a system that was well guarded by most industry standards, but that still wasn’t enough to spare the company.
“You can’t spend your way out of this,” McJunkin said. “Compromise is inevitable.” Hardware and software alone won't solve your problems, he added, citing a 2015 study from Verizon that found that in 60 percent of cyber breaches, hackers are able to compromise an organization within minutes.
As far as McJunkin is concerned, the best cyber defense is detection. “Some exploitation will absolutely happen. Period. Regardless. You can’t make a wall so high no one can go around, above, or under it,” he said.
McJunkin believes far too many people focus on prevention and not on detective controls: they build the walls higher, but don’t man the gates or guard the towers.
“I would much rather have great detective controls than having really, really awesome preventive controls,” McJunkin said. “But I have no way of knowing if someone is on my network. You need those detective controls. They are a must.”
Small business owners used the seminar to stay abreast of new techniques in cyber defense. Don Dietz, a managing partner with IT company TruSyzygy, helps companies eliminate their legacy applications. He notes that getting rid of the old applications helps to reduce cyber threats.
“Legacy IT is a huge cyber security risk because it’s riddled with holes,” Dietz said. “If you look at some of the people that work in cyber security, one of their main statements about how to reduce the risk is to get rid of the legacy technology.”
Dietz likens cyber security to car insurance. “You buy insurance for that accident you [may] never have. You need that cyber security to protect you from breaches you hope you will never encounter. Once you encounter a breach, it’s a lot of money in order to correct [it].”
Walled Lake’s Real Green Systems hosts customer data, and as network administrator Brian DeGiorgio sees it, the company is always concerned about staying up-to-date, including maintaining Payment Card Industry Data Security Standard (PCI DSS) compliance. This ensures that credit card information remains secure.
“It’s more a burden for the businesses,” DeGiorgio said. “The consumer should know better, but it’s our job to protect them from themselves in a way. The little mom and pop coffee shop around the corner…they take credit cards. They need to adhere to these standards as well. All we can do is stay in front of it—keep your eyes open.”
And even if something is effective today, it’s not guaranteed forever, Bertolini adds.
“We’re trying to raise the floor of awareness on cyber security,” he said. “Education is everything. We’re educating them on something that six months from now might be obsolete. We’re all part of the same community.”
This story is a part of a statewide series about cyber security and small businesses edited by Lauren Fay Carlson. Support for this series is provided by the Small Business Development Center, which has just launched a free online security assessment tool and resources at www.SmallBusinessBigThreat.com to help small businesses measure their cyber security preparedness.