I was recently honored to be invited as a panelist at a seminar hosted by Capital One Spark Business to share some views on fraud prevention and cybersecurity with their customers. I was joined by a few other industry experts, Gerald Glickman, a Manager of Capital One’s Fraud Analysis team, and Jennifer Smith, who led the Cybersecurity and Data Privacy group at the Shulman, Rogers, Gandal, Pordy & Ecker law firm, to round out a diverse group from various parts of the industry. Each of us deals with fraud daily, but we have very different roles: Jennifer on the litigation side, Gerald from inside a bank, and myself from the technical perspective.
The questions from the audience had a similar undertone of fear and uncertainty. Most attendees had either been a victim of cyber-related fraud or knew they didn’t understand it well enough to feel they could defend against it. We covered topics such as ransomware (including a discussion of Bitcoin), phishing, insider threats, and CFO fraud. Between the questions asked by the audience during the panel and the conversations I had with business owners both before and after the event, I empathized with many who didn’t know where to start. Many of them had IT firms they worked with for basic administration, but had no idea what those firms were doing in terms of security. When I asked attendees about some of the basics, such as vulnerability scanning and hard drive encryption, I was met with blank stares or even more questions about what I was asking. Forget multi-factor authentication and locking down hardware with strong security configurations.
My general message had to come up a few levels, asking whether cybersecurity had been budgeted for, and whether anyone within the organization had cybersecurity responsibility. These questions were well understood, and the answer from attendees was usually no.
Large organizations spend millions on cybersecurity for a reason: they understand the reputational and financial impacts of an incident. Small businesses need not spend millions, but asking the right questions of third-party IT firms and getting internal training for users and administrators is a good place to start. The basics of cybersecurity don’t need to come with a large price tag. Multi-factor authentication can be had for $1/user per month. An industry-leading vulnerability scanner can be purchased for less than $2,000.
Coalfire can help as well, of course, offering Vulnerability Assessment as-a-Service (VA3S) and Virtual CISO services, so organizations can buy fractional cybersecurity personnel if they aren’t ready to take the plunge and hire their own experts. Our advice to customers is: don’t wait until Gerald is calling you because the bank sees something suspicious, or until you need to call Jennifer for legal help to handle a breach!