We need to chat about something and it’s going to be unpleasant …
… no no, I’m not referring to THAT convo that my wife often wants to have with me,
It’s about cybersecurity. Everyone knows it’s important but I am afraid most people just want to put it off or not have the conversation at all. My friend Sandy Jacolow of Silverstein Properties is ALWAYS nagging me that we need to raise this issue every chance we can. It’s THAT important! And he is right, as usual.
It’s one of the biggest issues facing anyone who is online in all areas of their life. But it’s also a huge issue for businesses and for commercial real estate, in particular.
And so I went to one of the real experts in in my network on cybersecurity, SAX Technology Advisors, and wanted to learn more about the things we should be doing now and in the future to protect ourselves from these massive thefts happening daily.
Michael: How big of a problem is cybersecurity in the U.S. business sector?
Matthew: Cybersecurity is the most prevalent wave of threats that face businesses today. The reason being is that cyber threats are coming from many different angles and are growing in sophistication and increasing in frequency. We’ve seen the damage these threats can inflict on enterprises who were recently breached, like Yahoo, Equifax, Target, and Sony. These are organizations who certainly already have security measures in place, but it goes to show have savvy and sophisticated some attacks can be. So, what does that say for businesses who have limited resources? 43% of cyber-attacks target small businesses, and that is because they are not as secure and can be a gateway into larger organizations they are affiliated with. The good news is that combative technology is evolving as well, and active security measures can be put in place for any company, at any size. End users need to stay abreast of the existing and emerging cyber threats by way of security awareness training and leveraging technology to combat them.
Michael: What are some of the most common mistakes you see companies making in leaving themselves vulnerable for cyber breaches?
Matthew: The most common mistake I see companies make with respect to leaving
themselves exposed to cyber breaches is believing an attack will not happen to them.Therefore, they do not maintain a strong security posture because it is not an initiative they are willing to allocate time and resources to. Also, many companies fail to use professional service providers to monitor and maintain their IT environment so the implementation of various products introduce threats themselves, simply by not being adequately maintained and changing manufacturer defaults. Lastly, a lack of proper technology leadership or guidance can ultimately lead to a cyber incident that negatively impacts a business. This is often times not the fault of a business owner as they may believe it is being handled by their existing IT team. When I ask, “How is your data being protected” to many key management members of various companies, I commonly get the deer in headlights look. Business owners are often times unaware of the behind the scenes with regards to how their data is being protected, and whether it is at all. This causes significant issues, because just relying on the word of your IT provider may not be enough. An incident response plan should be in place in the event of a cyber-attack, and business owners should understand what that entails should an incident occur.This plan and these measures to protect a company should be consistently tested and evaluated. If this is not the case, you may be vulnerable and not know it.
Michael: What are some of the basic things companies can be doing on their own to protect themselves?
Matthew: Technology solutions require specific expertise to be effective. With that, the most important thing a company can do to protect themselves is to enlist a trusted advisor to maintain their IT environment. Aside from that, it all starts with employees who are on the front lines. The most effective measure to implement internally to protect a company from within is to build an internal education program in addition to procedures and policies for staff to follow that provides true security awareness training and teaches team members what to look for regarding outside threats attempting to breach. Also, companies should consider Cyber Liability Insurance. Even after you train your staff, one potential misstep from an employee can bring an entire company to its knees. Cyber Liability Insurance can cover you for damage inflicted as a result of a cyber breach or incident. Lastly, leverage emerging technologies that make sense for your specific industry and company size. Then, you must be proactive with maintaining them so your investment is worthwhile.
Michael: How does Sax Technology Advisors approach cybersecurity and what is the process to protect clients?
Matthew: Sax Technology Advisors leverages the National Institute of Standards and Technology (NIST) 1.1 Cybersecurity Framework which is a proven, structured process to identify critical process issues, system vulnerabilities and various forms of protection needed at the host and network level. Sax also leverages Security Information and Event Management (SIEM) technology which allows us to get a proactive view into the various systems through real-time analysis of security alerts generated by applications and network hardware. Another main component is education. A company’s staff is on the front lines when it comes to company data that is the lifeblood of any organization, and they are also the lowest hanging fruit for cyber criminals. Sax Technology Advisors helps to develop internal training programs, policies and procedures to better equip a company’s staff on best practices with regards to security awareness and protection from within. Education on the Internet of Things (IoT) is also necessary. This is the system of interrelated computing devices that transfers data over a network and is an emerging technology which will be coupled by emerging threats. Staying on top of advancements like these not only allows a company to maximize on technology to streamline efficiencies, but also allows them to be better prepared to protect the technology from within.
Regarding our process to protect clients, we start out with some level of a network assessment (based on their preference) for each company to get a firm handle on their technologies in place and where immediate and long-term needs lie. Technology solutions are not one size fits all, so once we identify the needs and provide our recommendations for improvement, we work together with key management to come up with an action plan to address those needs and a process to implement the plan. We also provide ongoing advisory because technology products are not “set it and forget it” type of solutions. They need ongoing maintenance and monitoring, and a business needs ongoing technology guidance to be kept abreast of emerging enhancements so they stay competitive, productive and secure at all times.
Michael: Are there things you do differently for real estate companies in particular?
Matthew: The real estate industry is one of great breadth and complexity, in addition to being a very competitive space. Real estate companies also handle sensitive data like Personally Identifiable Information (PII) so we need to take a thorough approach to providing technology expertise in a way that best conforms with the way they do business and protects their sensitive information. There are many SaaS (Software as a Service) solutions real estate professionals can leverage under monthly subscriptions which grants them access to cloud-based technology to improve capabilities and efficiencies (such as Office 365) without having to manage it. This in-turn allows real estate professionals to utilize technology that improves their business, while not be bogged down by its maintenance or hiring a staff to oversee it. Also, augmented reality (AR) is an incredible, up and coming technology that will bring showing properties to prospective renters or buyers to a whole new level.
Michael: What does the future of cybersecurity look like and are you confident we will eventually be able to one day prevent these massive company hacks?
Matthew: I would love nothing more than to say “Yes, we will eventually stop all cybercrime”, but the reality is that will just not be the case. As our technologies and defenses advance, so do the ways hackers infiltrate systems. We can only try to avoid the threats or dilute the damage inflicted when a threat hits. Artificial intelligence (AI) tools will play a big part in allowing us to identify threats before they happen based on behavior trends, but we cannot be naïve in thinking cybercrime won’t continue to evolve as well. Cyber criminals are banking on us letting down our guard. Small and medium sized businesses will continue to be the target of more and more cyber breaches as they are easier ins for cyber criminals. Moving forward, we must continue to educate ourselves and our staff on best practices for protection, and be diligent with the security of our company, our people, and our data.