
Business risks from technology

Technology has become an integral element of today’s business operations. By embracing and leveraging advances, businesses can gain access to significant opportunities for growth, efficiency and innovation. 

Unfortunately, as businesses large and small increase their reliance on technology, there is an increased risk of predations from cyber criminals. As reported by the Harvard Business Review, the IBM Data Breach Report revealed 83% of organizations experienced more than one data breach during 2022. The 2022 Verizon Data Breach Investigations Report indicated the total number of ransomware attacks increased by 13% year over year. 

For companies seeking to protect their sensitive data while also maintaining the trust of clients who have shared their own sensitive data, cybersecurity becomes an increasing concern. 

Cyber insurance, also known as cyber liability insurance or cyber risk insurance, is a type of insurance coverage designed to protect individuals and organizations from financial losses and liabilities arising from cyber-related incidents and data breaches. As both technology and companies’ reliance upon it continue to advance, cyber insurance has become an increasingly essential component of risk management for businesses and individuals alike. 

While it will not eliminate the need for robust cybersecurity measures, it represents a vital adjunct to these activities. Key features of cyber insurance policies will include the following coverages: 

Data Breach Coverage: This aspect of cyber insurance will help to cover costs stemming from the effects of a data breach. These costs will include notifying affected individuals whose data integrity has been compromised by the data breach, investigating the breach and providing credit monitoring services to affected parties. 

Network Security Liability: Cyber insurance can cover legal fees and damages resulting from third-party claims due to network security failures and breaches leading to data theft or unauthorized access by rogue actors. 

Privacy Liability: This coverage addresses claims related to violations of privacy laws, including improper handling of personally identifiable information and confidential data. 

Business Interruption: Cyber insurance could potentially cover losses resulting from a cyber-attack disrupting normal business operations, leading to revenue loss and extra expenses. 

Extortion Coverage: Certain cyber insurance policies will provide coverage for “cyber extortion.” In these instances, cybercriminals will demand payment to prevent or discontinue a cyber-attack upon a targeted company whose web presence and/or digital assets are being held hostage. 

Digital Asset Restoration: This covers expenses related to restoring or recovering data and digital assets lost, damaged, or corrupted as a result of a cyber incident. 

It is important to note cyber insurance policies will vary significantly in terms of coverage limits, exclusions, and specific conditions. Organizations and individuals should carefully review and understand policy details to ensure they align with specific cyber risks and needs.  

It bears repeating cyber insurance is only one aspect of a comprehensive cybersecurity strategy. Robust cybersecurity measures, scheduled risk assessments, staff training and incident response plans are vitally important when it comes to safeguarding against cyber threats. 

While the threat to large and small businesses from malicious cyber actors is not new, it is a complicated bit of business characterized by an evolving and expanding profile. It is therefore advisable to consult with your trusted risk management professionals and cybersecurity experts to make informed decisions about cyber insurance and cybersecurity measures. 

 

Zach Boyer is an Account Manager at KMRD Partners, Inc., a risk and human capital management consulting and insurance brokerage firm serving clients worldwide. Zach can be reached at 267-482-8486 or [email protected] 

 

 

Protecting you and your business from financial predators

These days there is no shortage of scam calls, phishing e-mails, and bad actors trying to steal what’s yours. They’ve managed to creep into every corner of our business and personal lives – our computers, our phones, our front porches, and our inboxes. So, how do you protect your business from these financial predators? To keep it simple – stay educated and diligent.  

Scams change constantly. New technology is developed, new scammers are trained, and current events from as recently as yesterday are exploited. Therefore, one of the best things you can do to protect your business is to keep your employees up to date on current scams. There are businesses that provide cybersecurity training to organizations based on your company’s needs.  

Staying diligent involves many technology-based solutions. First, protect your physical devices by following five simple practices: 

  • Don’t connect to public Wi-Fi when you intend to access sensitive business information on the web.  
  • To ensure you have control over that first item, don’t allow your devices to automatically join unfamiliar Wi-Fi networks. 
  • Disable automatic Bluetooth pairing on your phone, which can allow bad actors to sync up with your phone without you noticing. 
  • Don’t borrow phone chargers from strangers or use USB public charging stations, which can be loaded with malware.  
  • Keep the software and operating system on your computers up to date. Updates often fix known security vulnerabilities and should be made as soon as they’re available. 

Second, protect your online presence by implementing a strong password policy for your employees. Businesses should strongly consider utilizing a password manager for their employees. The password manager should be protected with multi-factor authentication and a long password or passphrase. Twelve characters is long enough for a perfectly random password, but human-created passwords must be more than 18 characters to evade hackers. The good news is that passphrases are just as strong as long, random-character passwords and are likely easier to remember. Examples of good passphrases might be:  Ilikedaffodilsinspringtime or Today,Ihadanomeletteforbreakfast.  

Suggest your employees use the How Secure is My Password? tool at Security.org to check the strength of their passwords.   

Unfortunately, utilizing technology-based solutions alone is not enough to protect your business from the most effective scams of all, which are referred to as “social engineering.” Social engineering is when a bad actor manipulates an employee into performing an action (such as willingly transferring money) or divulging confidential information (such as account numbers) to be used for an illegitimate purpose. There is also a type of social engineering scam targeted at businesses that is called “CEO fraud” or “business e-mail compromise.” This is when a scammer impersonates the e-mail of a high-ranking executive within the company, then e-mails employees requesting them to do tasks that will benefit the hacker. The information they use can all be found online. In this case, there is no reason for the scammer to hack into a computer or mobile device; this scam works when an employee willingly follows instructions from the so-called “executive.”   

These types of scams are particularly dangerous because banks don’t generally offer the same protections if you fall victim to a social engineering scam that they would if someone hacked a business account or credit card.  

Luckily, you can train your employees to identify a social engineering attack using these red flags: 

  • Scammers pretend to be from an organization you know and trust, or they pretend to be an executive within your company. 
  • Scammers present a problem you would want to take care of or a prize you would want to claim. 
  • Scammers pressure you to act immediately. They present the issue as urgent and discourage you from consulting with anyone else, including a manager or advisor.  
  • Scammers give specific instructions on transferring money that is not how your business typically operates, such as sending money through a money transfer company or buying gift cards. 

The best way to avoid getting scammed in a social engineering or business e-mail compromise hack is to train your employees to recognize, and then ignore, the attack.  

Ultimately, the best defense is to train employees to use their best judgment. Train them to ask questions and ensure the answers make sense. Make sure they don’t give out business and financial information in response to a request they didn’t initiate. Don’t pay someone money to get money back in a different form. Make sure your employees are knowledgeable about company policies and don’t operate outside of company norms, even if it’s for “the big boss.”   

 

Jennifer Pieson, FPQP™, is a Financial Planning Analyst at Agili in Bethlehem, who assists clients with her financial planning and strategy expertise. She is a Financial Paraplanner Qualified Professional™.

 

Amber Ott is Director of Operations, Chief Compliance Officer at Agili in Richmond, VA, who manages the firm’s internal operations and maintains its compliance program. She oversees cybersecurity training for the Agili team.  

 

Russian cyber criminals target LVHN with ransomware attack

Lehigh Valley Health Network is reporting that it was the victim of a ransomware attack. 

The attack came from a cybersecurity ransomware gang called BlackCat, which is associated with Russia. 

In a statement, health network President and CEO Brian Nester said that the attack has not impacted hospital operations to date. 

Based on an initial analysis, the attack was made against a network supporting a physician’s practice in Lackawanna County. 

According to LVHN, it detected unauthorized network activity on Feb. 6 and immediately launched an investigation and notified law enforcement. 

While the health network said the investigation is ongoing, at this point it is believed that it targeted patient images for clinical radiology oncology treatment and other sensitive information. 

BlackCat demanded the health network pay a ransom, but LVHN refused.  It said it is aware that the gang has targeted other institutions in the health care and education sectors. 

The health network said it is working with its cybersecurity experts to evaluate the information involved and will provide notice to any patients impacted by the attack. 

Is your company’s data safe? If you’re not sure, it’s time to check

Lehigh Valley Business’ Feb. 24 Cyber Technology Webinar featured Michael Hawkins of Netizen Corp., Clinton Eppleman of Morefield Communications, Anthony Cartolaro of Weidenhammer and Travis Lenker of BlackCSI.

It may be time to reevaluate your business’ cyber security protocols, but according to a panel of area experts, you could already have access to many of the tools to make your network that much safer.

This week, four IT experts joined the Central Penn Business Journal in its Cyber Technology Webinar to discuss the technology that helps Pennsylvania’s businesses operate effectively and what firms should be doing to protect their data in the age of remote working.

The abrupt move to working at home as a result of the COVID-19 pandemic led many businesses to shift to remote working within days, and while many firms may have invested in steps to protect their data, the risk of a data breach is higher than ever.

“The potential risk that a breach would bring to the business not only affects your customer, but the company’s reputation and, frankly, our society is becoming much more increasingly cyber aware,” said Anthony Cartolaro, vice president of digital platforms at Philadelphia-based digital strategies and technology solutions firm Weidenhammer.

Michael Hawkins, CEO of Allentown-based Netizen Corp., said that for small businesses that don’t have a big cyber security budget, the basics go a long way.

Educating staff on who they share their information with, making sure that technology in the office is configured properly and staying up to date on software updates across the network are all accessible ways to secure a firm’s network.

“We have embraced a culture of working anywhere at any time and having that access is an additional burden for organizations to secure,” said Cartolaro. “Oftentimes, what would have been a reasonably secure policy for working in the building became lax so employees could install what they needed on their laptops.”

Doing more to protect the data of your firm and its clients could be as simple as reviewing the software you already have to see if there are security features built in that are not being used.

Companies like Microsoft and others offer features that can improve a company’s security but may not be activated. For example, Microsoft Office 365’s mobile device management allows staff to access corporate data safely through a personal phone.

Clinton Eppleman, team lead and IT professional services and senior systems Engineer at Gettysburg-based Morefield Communications, said that the same can be said about the many communications platforms that businesses have adopted.

“If you look at the feature charts for tools, a lot of times these premium tools have security features to allow us to communicate and work remotely effectively,” he said, adding that some of those features may come with an upcharge.

While companies like Microsoft and Zoom offer the tools to secure a firm’s network, Cartolaro said the tools are not foolproof. It’s up to an organization to build a strategy around those tools, he said.

If a firm is unable to do that for themselves, it may be time to seek outside help, said Travis Lenker, director of managed services at BlackCSI in Mechanicsburg.

“All of these things we are talking about can be offered as a suite of services and provided to you on a monthly, budgetable basis,” Lenker said.

Even businesses with a dedicated IT staff may need to look into hiring a managed services provider to help with the influx of tickets coming from across the organization, he said.

In the work-at-home landscape, a strong cyber security plan won’t just help protect a firm against potential attacks and the legal fees that follow, but is also a great selling point to clients, said Cartolaro.

The panelists also stressed the importance of good cyber security insurance with Hawkins noting that someone shouldn’t wait until a fire happens to work with the fire company.

“I wouldn’t say your risks are so great that you should be scared in your boots that you need cyber insurance today, but you need to think about that cost and what it can do to your business,” said Lenker.

Netizen Corp. adds to its executive team


 

Allentown-based cybersecurity firm Netizen Corp. has named Akhil Handa as its new chief operating officer.

Experienced as a senior executive in the federal and defense markets, Handa has had leadership roles and has worked in cybersecurity engineering and management.

He will oversee company operations, strategic relationships and solutions engineering based out of the firm’s Washington, D.C. office.

Other leadership changes at the firm include the promotion of Doug Ross to chief strategy officer. He was previously Netizen’s director of business development. Before joining the firm he was president and founder of SPARC LLC and Morgan6 LLC, where he earned more than $1 billion in federal contracts.

He will be based out of Netizen’s Charleston, South Carolina office.

Emily Dietrich Withmer has been promoted to director of human resources and legal affairs. Previously Netizen’s administration officer, Withmer has been an attorney since 2001. She will be based out of Netizen’s Allentown headquarters.

Penn State Lehigh Valley to offer degree in cybersecurity

In response to a growing demand for cybersecurity professionals, Penn State Lehigh Valley in Center Valley is launching a new four-year degree program in the field.

The school said that cybercrimes cost organizations an average of $13 million per year and the number of security breaches has grown by 11 percent over the last year.

A Bachelor of Science degree in cybersecurity analytics and operations (CYAOP) will be offered starting fall 2020.

“A degree in cybersecurity from Penn State Lehigh Valley will provide our students a desired skillset that is in high demand at the professional level. They’ll be able to take advantage of the numerous internship and job opportunities in the Lehigh Valley and Philadelphia areas,” said  Dan Jalosinski, information security and risk analysis analyst at Johnson and Johnson who is a 2020 PSU-LV alumnus with a degree in information sciences and technology.

The program is offered through a University College Statewide Consortium with Penn State Beaver, Brandywine, Greater Allegheny, Lehigh Valley, Schuylkill, Shenango and York. Six focus areas allow CYAOP students to create a custom application sequence for further study.

These focus areas include Application Development, Geopolitics, Law and Policy, Economics, Health Care and Custom Application.

“A degree in cybersecurity prepares students with hands-on technical cyber defense strategies, risk management and data-driven cybersecurity experience,” said Tina Q. Richardson, chancellor of Penn State Lehigh Valley. “Graduates of the program enter a profession with great salaries, flexibility and high levels of job satisfaction.”

Manufacturers face increasing potential for cybercrime, expert says


While cybersecurity is an issue of concern for all companies, manufacturers face a considerable challenge in potentially having their whole production operation shut down because of a hacker.

That’s one major reason why manufacturers should take action to educate themselves and prevent threats from doing damage, according to a local expert.

“Industrial systems have become the focal point of cybercrime,” said Alex Greenzweig, lead SOC engineer and penetration tester at Netizen Corp., a computer security firm in South Whitehall Township. “They can take down a whole production facility, like that, if they get in.”

On Wednesday, Greenzweig provided a presentation on “Cybersecurity and Industrial Control Systems” as part of the Manufacturers Resource Center’s breakfast and learn series.

As manufacturers use more sophisticated technology to operate their facilities, more of these controls could be open to hackers.

The source of the break-ins could be state or nation-sponsored hackers, including those from any country looking to take down the U.S., including potentially Iran, Russia or China, or any malicious insider or whistleblower looking to do harm, he added.

Naturally, one of the barriers manufacturers face in having more secure operating systems is the cost.

Cybersecurity programs are expensive and the software could cost as high as $30,000 per year, he added.

However, the downside to not having a more secure system is the estimated $4 million to $10 million cost in damages that hackers do when breaking into the system and stealing data or shutting down operations, according to Greenzweig.

“Most companies pay that to overcome a cyber-security breach.”

And potentially, when companies get breached, particularly small ones, they’re out of business.

What leads companies, and manufacturers in particular, to experience these attacks?

Two main elements are resource disparity and the outsourcing of more data to the cloud, he said.

Many of the devices manufacturers are using to power their facilities have open protocols, which makes them more vulnerable to attacks. Furthermore, smaller companies in particular are unable to secure their infrastructure.

By next year, cyber security is estimated to cost the global economy up to 6 trillion, he added.

While no companies are 100 percent secure, there are ways to protect infrastructure, such as making sure to scan for open ports on devices and closing them. It also helps to run a vulnerability scanner and perform a penetration test, which involves hiring a third party to test the system so the company gets a true, honest report, he said.

Another strategy is to make sure computer numeric controlled (CNC) machines are separated from the corporate network so they are not directly connected to the internet.

“Build a culture of security,” Greenzweig said. “A lot of times you have to get everyone on board. Do workforce training campaigns.”

Companies should also perform monitoring and auditing of their systems and do a risk assessment, as well as have a backup server for data storage.

Planning for a breach is helpful as is collaborating with industry, academia and the government to gain new knowledge and insights on cybersecurity advances, he added.

“A hacker goes for the most easy target,” Greenzweig said.

Phishing emails, which are emails sent by a hacker disguised as legitimate emails, are often a way for hackers to get into a system to send malware or gain access to data, particularly for small to midsize companies.

A helpful hint is to always check the email address to ensure it’s accurate.

As a relatively new crime, cybercrime has also helped give cybersecurity insurance a more prominent role in managing the loss from a data breach and helping with the recovery process.

Chip Buck, an insurance and risk management advisor for HMK Insurance, Hanover Township, Northampton County, gave a presentation on how cybersecurity can help manufacturers, while acknowledging its “Wild Wild West” nature for a sector of the insurance industry.

“The language they are using is not standardized, every carrier writes their own policy,” Buck said.

Many times, the language of the cybersecurity policy is outdated, he added.

“All of the policies out there are written by individual companies,” Buck said.

The catastrophic cost of a data breach is one reason to buy cybersecurity insurance, since a company has to tell the world it experienced a breach, and that will affect future business, he added.

The cost for this type of insurance starts at about $1,000 per year but depends on the type and size of the business.

Cybersecurity insurance is a classic case of “a new and breaking product,” he added.

 

 

 

 

 

 

 

 

 

A conversation with Michael Hawkins of Netizen Corp.


Michael Hawkins, 37, is CEO of Netizen Corp. in Allentown. He founded the company in 2013.

Hawkins, a U.S. Army veteran, previously worked for federal agencies including the Departments of Defense and Veterans Affairs, leading developers, testers and analysts in the engineering and security of health-related systems and applications across the nation.

He has a degree in computer science and business administration from the University of Maryland.

Outside of work he enjoys working with technology and cybersecurity, reading non-fiction novels, and creating and developing new software.

He also has a strong interest in aeronautics and astronautics. He participates in amateur rocketry.

LVB: What have been some of Netizen’s biggest challenges and opportunities? What are some of the perks of being a veteran-owned business?

Michael Hawkins: We’ve had great experiences with the Lehigh University SBDC/PTAC and LVEDC/AEDC organizations. Outside of that, it seems there is little real support in the area for businesses that aren’t developing apps or manufacturing products, for example. Companies that are predominantly service-based, though they are the chief engines of job creation in the country, are looked down upon even by state-funded venture organizations and incubators in the area whose primary mission is, ironically, to create more jobs. A lot of institutions in the area also don’t understand our primary market, the federal government, so it is hard to get places like banks to understand how we operate.

As far as opportunities, the biggest ones for us lie in our expansion into the commercial and defense sectors with products to help companies and federal agencies manage their cybersecurity risks more effectively.

One of the perks, if you will, of being a veteran-owned business, besides set-asides for government contracts, is the sense of camaraderie you get with other veteran-owned enterprises. We are a community that supports one another, generally, and like to see each other succeed. We understand the sacrifices each has made in their lives, and, as such, we give back to the community and fellow veterans as much as we possibly can.

LVB: What is your guiding philosophy as a business leader?

Hawkins: I have two – one is “give first” and the other is, simply, “proceed as if success is inevitable.” Give first, which I learned from a TechStars program called Patriot BootCamp I participated in life, promotes the free and open exchange of ideas, information, experience and advice with no expectation of anything in return. It has been one of our defining mantras at the company. The other philosophy, “proceed as if success is inevitable,” is one which has helped me through the lean times early in the company’s life – it is designed to motivate someone to push through the difficult parts of entrepreneurship, as too many people simply give up when the going gets tough.

LVB: What have been some of the most notable projects that you’ve completed on a local level?

Hawkins: We support a number of large customers in the region – ones that have been in business for decades or longer and are well known across the nation or world. We also support small and midsized companies across the area and beyond. Each project, in its own way, is “notable” to us. I will say, however, that supporting Lehigh Carbon Community College programs and scholarships has been one of the most rewarding and fruitful parts of our community outreach programs.
