In recognition of October being National Cybersecurity Awareness Month, Account Supervisor Krystal Patout sat down with Chris Jones, Senior Vice President and Crisis Communications Expert, and Eddie Garcia, Operations Manager at Advantex, Pierpont's IT services provider, to better understand the cybersecurity risks facing companies today.
Eddie addresses how these security threats can affect your professional and organizational reputation and offers tips to implement threat prevention strategies in your own business in this episode of the Pierpont Podcast. Additionally, Chris shares how companies can better prepare their response to cybersecurity incidents and plan an effective crisis management strategy in advance. Read the highlights from their conversation below or listen to this episode of the Pierpont Podcast on Apple Podcasts or Spotify.
The Pierpont Podcast: National Cyber Security Awareness Month
Krystal: October is National Cybersecurity Awareness Month – why is this important and who needs to worry about it?
Chris: Well, I think you’ll hear from Eddie that just about anyone can be a target. It’s important to be aware of threats, know how to prevent them and be prepared to respond if a cyber-attack happens to your organization. It can happen to anyone, so it’s important that you know how to minimize your risk, and once you are a victim, you need to know how to respond to different crises.
Krystal: Can you walk us through the different areas of cybersecurity? We hear a lot about ransomware right now, are there other forms of cyber-attacks we need to be aware of?
Eddie: Sure, so you mentioned phishing, where attackers purport to be one thing when they’re not, but there’s another similar attack called spear phishing, which is an attack aimed at extorting a specific member of an organization for monetary gain. Spear phishing is a little more targeted, so instead of going after your entire company for credentials, they may focus on a department, like the finance department, to try to get someone to inadvertently send money via wire transfer. We’ve seen that quite a bit, unfortunately.
Cryptojacking is where “bad actors” get into your network and install malware to use your computers to mine cryptocurrency. They use your resources, electricity and computing resources, which may not sound like a very bad thing on the surface but can add up quickly when you’re having to pay the extra electricity bill every month, your computers are wearing out a lot faster, you are having to turn the air conditioner down a little more because your computers are producing more heat, etc. Ideally, they want to do this on a large scale, so they can make quite a bit of money.
And then, something that’s become more common lately, is extortion. They prey on people’s image or concern for their image, by purporting to have private information, or videos or pictures of you in compromising positions. That capitalizes on the fear of people, because many have the kneejerk reaction to just pay the ransom or the extortion to prevent that compromising content from being shared.
Krystal: From a prevention standpoint, what do you recommend companies do? What steps do you recommend companies take to protect themselves?
Eddie: Anybody who has an email address is vulnerable, and everybody has an email address. So, what can companies do? Educate the users, train them and give them the resources that they need to be able to navigate through these emails. We can put the best tools in place, the best filters and firewalls, but ultimately that last mile, the 18 inches between the screen and the chair behind the desk, is the most important. That’s where we need to have a good, savvy user behind the keyboard that knows what to look for and what to be wary of.
Krystal: If an employee receives a threatening email where their information appears to be compromised, and/or they’re being threatened to provide payment in bitcoin, what should they do?
Eddie: The first thing would be to notify your IT department, so in your case, notify us. We’ll be able to tell right away what exactly it is, what we need to do about it, if there is any cause for alarm or if we can just delete it. Also, it helps us see if we can do anything better on our end to prevent that email from getting to your inbox.
Krystal: Once a company realizes a cyber-attack has occurred, how do they handle communications both internally and externally?
Chris: While it is just another vulnerability that’s in the crisis plan, it is unique enough that the response should be different. In some cases, what that means is the timing of the communications is critical, and the audiences that you’re communicating with during the first few hours and days of this crisis may be different. The people most impacted, that most need the update, could very well be your employees, and in any crisis we want to keep employees informed. In this case though, we may need to tell people that there’s a possibility your payroll information, routing number or bank account number that you use for direct deposit may have been compromised, so they should be monitoring for that. Customers that pay by credit card will need to know to look at their accounts as well. So there is a sense of urgency to be accurate and responsible with that information. While you don’t want to be communicating to the “bad actors” the extent to which they have impacted your operations, you do need to be responsible in sharing information with your employees and customers.
Krystal: How does cybersecurity fit into a company’s overall crisis communications plan?
Chris: When we help companies update their crisis plans, we assess the risks and vulnerabilities they face and typically add in responses to cyber threats, if it’s not already accounted for in their plan. Cybersecurity threats have taken the place of workplace violence as the number one thing people want to plan for in their crisis plans. As a result, we need to plan for those threats in the communication processes, so we are prepared to respond, and can exercise and train for them. In most cases, we don’t like to put a crisis communications plan in place before we have a chance to do an exercise or tabletop, so we’ll practice an exercise that involves a cyber threat.
Krystal: Out of curiosity, Chris, does that team look different than a traditional drill that you would do for let’s say a weather incident, or a workplace accident? Are the departments different?
Chris: The makeup of the team can be a little different. It’s IT’s time to shine in a crisis like this, so usually yes, it’s a little bit heavier on IT and accounting, payroll, etc. – things that may not normally play a front and center role in a crisis response. However, the plan needs to be flexible enough that it calls together the appropriate resources.
Krystal: So, we’ve talked about what cyber-attacks are and common threats right now, but is there anything else customers or companies should be aware of during National Cybersecurity Awareness Month?
Eddie: Yes, having a good business continuity plan is very important. We’ve talked about it from a PR perspective, but from a purely IT perspective, having a plan in place where you can continue operating in the unfortunate event of an attack is critical. You’ll need to continue your normal operations, pay the bills, pay your employees, etc., so having good security awareness training in place is very important. And of course, check on all these systems from time to time. What we like to do with our customers is a quarterly business review. We sit down and talk about what’s new and what is coming up, and I think that is a very good time to address these concerns.
Just know that the threat is real, this isn’t something that you just read about on the news. It can happen to you. Cyber-attacks do not just happen to household names. They can happen to small businesses because attackers are aware of the limited resources and money available to control the attack. We’re boots on the ground, we see it firsthand, unfortunately. We’ve seen the aftermath of what these threats can do to a company. An ounce of prevention goes a long way. Make sure you are doing everything you can to not only plan for an event, but also to prevent it, educating your users the best you can and having good backups.
Chris: Echoing what Eddie said, this can happen to anybody, so don’t think that your company is below the radar, that you are not a target. Again, the kind of information we talked about earlier, bank accounts and credit cards, are proprietary, important, industrial information. You can be a target in almost any industry or company, so make sure your plans are ready for that, and know how you are going to respond.