Education, applying security patches, and reasonable due diligence are essential to maintaining digital security, said “What’s missing from your data security” panelists at WRAL TechWire’s Executive Exchange event, “Hackers, Malware, Ransomware and You” on Tuesday.

Panel moderator Sophia H. Bahhur, vice president and treasury management sales consultant at Wells Fargo, asked the panel, “What security vulnerabilities are leading to attacks?”

Jim Guido, CTO of Security Practice, NorthState Technology Solutions, based in High Point, recommended looking at the Center for Internet Security (CIS) list of the top 20 controls.

Guido said that companies neglecting to apply patches to security holes are one major problem. Weak passwords are another. Human nature yet another. “The human firewall is the weakest security vector faced today,” he said.

Chris Beal, chief information security officer with MCNC, noted that “Employees can also be a tremendous asset. They can recognize when something is happening that isn’t right.”

Will Cherry, an attorney with the security practice at Manning, Fulton and Skinner, said, “Humans need to be educated,” a theme all the panelists would return to again and again.

“A large number of security breaches at small and medium-sized businesses occur from things like people leaving a laptop in a car, cell phones that are not password protected, clicking on phishing emails.” Later, he mentioned walking by offices at night and seeing laptops where people had not logged off before leaving.

“Internal controls are the key,” Bahhur said.

Beal said embracing multi-factor identification would cut down on stolen credentials. “It used to be a burdensome thing, but there are solutions in the market today that make it simple.”

Bahhur said 76 percent of businesses today experience digital fraud and suggested, “Know your infrastructure.”

Laws different in every state

On the legal side, Cherry said, “Once you know something happened, don’t panic. Before you notify people, take a step back. Has personal information been compromised? You need to spend time to figure out exactly what happened.”

One of the most important things a company can do, Cherry said, “Is have a plan in place, all the steps you need to take before notifying customers.” There are specific and different laws in all 50 states regarding who has to be notified with what information and under what circumstances, he said.

Law enforcement should be notified within the first 24-to-48 hours. Courts, in determining liability, look for “reasonable due diligence,” Cherry said.

Guido said, “A lot of folks spend a lot of resources on protection but not on response (to a breach). Detection is critical. You can’t stop everyone, no one can. Monitoring your environment and every device on your network is critical. But have a plan and reduce your time to resolution.”

Beal said it’s no longer a good idea for companies to scan their digital systems once a quarter or less. “Continuous monitoring is needed. Thousands of new vulnerabilities change the threat landscape continuously.”

Threats we need to be aware of, said Guido, include public Wi-Fi and the bring your own device (BYOD) problem at companies. When an employee brings his own device to work, “Who knows where it’s been or what it picked up on public Wi-Fi at Starbucks,” he asked.

Security is a business problem, not a technology problem

“I don’t think you can get away from the BYOD paradigm, but there are ways to keep those devices away from what really matters. Plan for it.”

Cherry added, “Whatever security you have, biometric, passwords, make sure your employees use them.” Keep that reasonableness standard courts use to establish liability in mind. “If your employees leave their computers on all night, the court might rule you didn’t take reasonable measures.”

But, he said, “Lawsuits are the least of your threats” if you experience a company security breach. “They cost up to $300 per customer per breach just to engage digital forensics and legal counsel. That doesn’t even include loss of reputation or stock price drops.” It puts up to three quarters of small or medium-sized firms out of business within a year of a breach.

“It’s important for businesses to understand this is not a technology problem, it is a business problem,” added Beal. “Look at Equifax. The CEO is no longer there and it will have to fight for survival. Every business needs to know cyber security is a business function. Don’t bury it three layers down.” It needs to be at the C-suite and board room level, he said.