By Tom Ballard, Chief Alliance Officer, PYA
“Make yourself a hard target and protect yourself,” Paul Sponcia said near the end of a Friday morning workshop titled “Why Cybersecurity Should Be In Your Strategic Plan.”
The event was a joint effort of Sponcia’s The IT Company, Maryville-based Allevia Technology, and the local chapter of C12 Group, the national organization that networks Christian Chief Executive Officers (CEOs) in ways that help them build “a great business for a greater purpose.”
With all of the recent attention on cyberattacks, from the Colonial Pipeline and JBS, the meat packing company, to last week’s advice from the White House, we accepted Sponcia’s invitation to attend the event and share some of the advice with our readers.
“Our objective is not to scare you, but to equip you,” Sponcia told about 30 attendees. “You have a moral obligation to protect the data you hold.” The Principal and CEO of The IT Company shared presenting duties for the workshop with Stefan Wilson, Allevia Technology’s Owner.
Using a familiar analogy that you really cannot prevent someone from breaking into your house, Sponcia told the attendees to assume that they will be breached. “You can’t necessarily stop them, but you can minimize it (the outcome).” That means planning in advance, minimizing a company’s risks, and learning from the inevitable when it happens.
“Your biggest risk isn’t technical,” Sponcia observed. “It’s your company.”
Wilson followed up, asking and answering his own question. “Who is the highest value target in your organization? It’s anyone or anything. There are literally risks all around us. At the end of the day, there is the human element.”
He emphasized that it is the responsibility of the top executive in each business to set the tone and outline the expectations. To that, Sponcia added, “You need to have a continual training program. You need a sufficiently trained and sufficiently paranoid workforce. The role of business executives is to train, teach and preach.”
The duo offered three practical steps to best protect a business and minimize the impact of a data breach. The first is implementation and use of multi-factor authentication. “If it (an application) doesn’t support it, don’t use it,” Sponcia emphasized.
The second is password management, with Sponcia again offering an admonition: “Our passwords are everywhere.” He said the best solution is to use a password management system like LastPass.
The third step is to ensure administrative privileges are separated.
Both Sponcia and Wilson urged attendees to develop a cybersecurity plan that would cover what a company does if it is hacked, what its business continuity plan is, and how it would recover going forward. A good starting point is a self-assessment in which: (1) all applications used by the company are listed; (2) they are classified as restricted, confidential, sensitive or public; and (3) they are further described by what they do – create data, store data, transmit data, or receive data.
The final step is making sure multi-factor authentication is in place for every application.
Another recommendation was to have some type of cyber insurance coverage if it can be secured.
“The internet wasn’t initially designed with security in mind,” Wilson reminded everyone.