Cybersecurity testing is a must for businesses of all sizes

The notion that your company is not at risk of a cyberattack because you have nothing of value for a hacker to take is a flawed argument that fails to take into account what most hackers are really after, says Sassan Hejazi, Director of the Technology Solutions Group at Kreischer Miller.

“Most hackers are just looking for quick cash,” Hejazi says. “They’ll take $3,000; $5,000; or $10,000 – whatever they can get their hands on. In most cases, your local FBI office will tell you to just pay it and then go back and secure your system.”

It’s also unlikely that the perpetrator will ever be brought to justice, especially if the hacker is from another country.

“These criminals are shielding themselves through multiple layers of identity,” Hejazi says. “And their favorite method to get money is digital currency such as bitcoin. Traceability is nearly impossible. Law enforcement is not going to aggregate all these crimes, so they get away with it. To them, it’s easy money.”

Fortunately, there are cybersecurity practices that can reduce your risk of being the next victim.

Smart Business spoke with Hejazi about the value of vulnerability and penetration testing and how it can protect your business.

Why don’t companies do more to protect against cybercrime?
Middle-market companies typically have had limited resources to protect their networks and systems against attack. But the good news is that the prevalence of these attacks has led to more companies entering the cybersecurity market.

There are now tools available that five years ago were very expensive and required extensive resources. Many of these tools are now cloud-based, allowing companies to buy a slice of that service and get great value for their purchase. Cybersecurity has become much more cost-effective for the masses.

What is vulnerability testing?
A vulnerability assessment is a review of all your IT systems to identify potential weaknesses. This includes your servers, your workstations, your telecommunication and phone systems and your network. It involves hiring an independent third party with expertise in cybersecurity to do a deep-dive review of your systems, similar to an audit.

Every system has vulnerabilities. This assessment develops a document that identifies those weaknesses and the risks associated with them. If you don’t know where you’re weak, you can’t address the problem.

Once those vulnerabilities are identified, the next step is to determine the risk level you can tolerate. You can’t protect against everything, so you come up with a risk plan. What are the things that you should do that are common sense, cost-effective and represent good business management practices?

If you come up with a list of 15 items, you might decide to tackle the first seven items on the list. Even if you can’t cover all 15 items right away, at least you’ve started that process of looking at your security footprint and building remediation into your budget.

What is penetration testing?
The next step is leveraging your IT resources, either internally or externally, to fix those weak spots. Once that’s done, you need to know if your fixes will be able to stand up to potential cyberattacks.

Penetration testing, also known as pen testing, involves someone acting as a hacker who tries to infiltrate your system. That infiltration takes two forms. Your hard systems are your firewalls and your security monitoring systems. Are your devices properly configured? Are your systems updated?

The other part is your soft systems. Social engineering is when the behavior of your employees is tested. The “hacker” will send suspicious emails or direct employees to do things that they should not do and see how they respond. Employees need to be trained to avoid practices that put your data and your systems at risk.

How important is continuous education?
Protecting against cybercrime is an ongoing process and employees need to be participating in training sessions on a regular basis to learn about different cybersecurity topics. It’s about changing behavior and creating a culture in which cybersecurity is always at the forefront for your team. It’s not going to eliminate the risk, but it can reduce the probability of a cyberattack.

Insights Accounting & Consulting is brought to you by Kreischer Miller