One Sunday night a colleague of Eileen Manning at her event planning company was dialing in remotely to do some work but was finding the connectivity slow.
When she couldn’t get on to the company’s network she called Manning and described a scenario that just seemed odd.
Though it was late, Manning advised her to call the The Event Group’s technology partner and, sure enough, hackers had gotten into a couple of the company’s computers and were causing havoc. The hackers had sent a ransom notice demanding Bitcoin in exchange for restoring The Event Group’s data. But the IT firm was able to shut the infiltrators down.
“Because we caught it early, we just shut the whole thing down, wiped those two machines, reinstalled the information on everybody’s machine and we were up and running by 10 o’clock the next morning,” says Manning, founder and CEO of The Event Group. “It was because we had a plan in place.”
Manning had long played a hunch when dealing with technology that having a partner would pay off. Turns out she was right.
“We’ve always had an outside technology company to protect us and be our IT support,” she says. “When I started the business, I just knew from very early on it was really critical for some of the stuff I was doing.”
Manning leads cybersecurity event
Having an outside partner and spending time training employees allowed Manning’s company to thwart a cyber incident on her own turf. She’s become well connected in the statewide cybersecurity arena in recent years, as well.
In 2011, the University of Minnesota’s Technological Leadership Institute (TLI) approached her to find out what she knew about cybersecurity.
“I said ‘cyber what?” she says. “It was 2011. Cybersecurity wasn’t a household word.”
But with the highest per capita collection of Fortune 500 companies in the U.S. and as a state with all 16 critical infrastructure sectors, as defined by the U.S. Department of Homeland Security, located here, “we were going to be a target,” she says.
The TLI tasked Manning with producing a cybersecurity summit. This year, October 28-30, Manning will oversee the ninth annual Cyber Security Summit. For the fifth consecutive year there is a stand-alone track for small- and medium-sized businesses.
Cyber security is a vital topic for small businesses for a couple reasons, she says. First, large companies are requiring small business partners to fill out lengthy security questionnaires to show that their cyber practices are secure before they can ever do business together.
Second, statistics show that many, if not most, businesses affected by an attack don’t survive. The upside for small businesses, Manning says, is there are a lot of steps they can take to protect their businesses and any companies they partner with that don’t cost a ton.
Businesses seem to be noticing the importance of cybersecurity, she says. She’s expecting at least a couple hundred small businesses to attend.
“It’s not like back in the 50s and 60s,” she says. “When the military wanted to protect us they could point a missile at Cuba. Today we are being attacked while we are sitting in our living room with our fuzzy slippers on. We aren’t even aware they are in the door.”
Training, outsourcing can help
The Event Group’s technology partner is Protocol 46, which provides cybersecurity technology and services to businesses. It’s comprised of former military personnel who use their experience combatting rogue nations to build a business fighting off cyber bad guys.
Eric Ebner, chief technology officer, says even with the highly publicized hacking instances in recent years, business owners are still often trying to do cybersecurity themselves or, perhaps worse, doing nothing.
He feels for them.
“They didn’t get into business to file paperwork with the government and to become experts in compliance with this regulation or that regulation,” he says. At the same time, burying your head in the sand is taking a big risk and “the gamble is definitely not worth it.”
And businesses big and small are taking note of the horror stories relating to companies similar in size to them getting hacked, he says. They’re realizing they need to address their cyber-shortcomings.
Small businesses tend to not update or patch systems or have mature IT departments and practices, even though technology changes often, relatively easy changes that could decrease the odds of being victimized.
Other changes are ensuring businesses don’t have a choice but to address cyber issues. The payment card industry, for example, has been shifting the responsibility for dealing with fraud to business owners. And the hackings have become much more complex and authentic looking, Ebner says.
In the event a company is hacked, Ebner says the first thing they should do is call their service provider. Protocol 46 works 24/7 to figure out how the breach occurred and will preserve the information.
“It’s just like a crime scene,” Ebner says. “If there is a breach that requires the computer forensics people to figure out why it was breached and how it was breached … that crime scene needs to be preserved.”
When installed on a client’s network as a preventative measure, Protocol 46’s software looks for hostile activities inside networks, simulates phishing activities, working with the company’s existing security system, Ebner says, adding that the firm also does trainings on best practices and hygiene.
Among the easy steps Ebner and Manning say companies can do to reduce the risk of being hacked are regularly updating their technology and conducting trainings with employees on the latest trends in hacking they should expect to see.
“You’re starting to see people realize there is something that needs to be done,” he says.
Sensitive information needs protection
Few industries have more access to people’s personal information than banks. When Scott Dressler left a larger financial institution to become chief information officer at Sunrise Banks, his budget for cyber-security decreased significantly. But that’s not to say the company doesn’t take the issue seriously.
The bank has an internal team focusing on the issue and it also teams with Protocol 46 for some of its tools and software. Among its most valuable services is helping Sunrise Banks with its phishing campaign.
“That’s usually the first place a hacker will come in is through an email with a hyperlink,” he says.
“Every bank and financial institutions big and small has to be doing those same things. I just have an external vendor doing some things and I have my in-house team doing other things.”
Anecdotally, Dressler says he’s learned the company’s model is not common. “The combination of those two things usually get me very high marks with the major auditors in the country,” he says. “I hire smart people and put them all around me. I think it’d be silly any longer in 2019 and beyond to suggest that any in-house department is going to have all the answers.”
Dressler says there is some additional cost involved in the dual-approach but it’s also easy to make a case for the return on investment, when a security incident does arise.
Sunrise had one incident where company officials went through the process and it was determined there was no breach. There have been no other security situations in the nearly three years he’s been at Sunrise.
“It isn’t because we aren’t well equipped or we’re lucky,” Dressler says. “It’s that we have invested correctly in all the tools and we fight off on a fairly regular basis all the attempts that come up through our firewall.”
Insurance can mitigate risk
Cybersecurity is very dynamic, says Keith Burkhardt, a vice president with Kraus-Anderson Insurance. “Just as you start to figure out what’s going on, the bad guys come up with a new way to engage,” he says. “The consequence of all that is to think about insurance as a part of how a business survives a digital event that is not in their control.”
“It used to be perceived that it’s an optional coverage,” he says. “Today I would say most businesses are buying it. I don’t believe they know how to consume it — how relevant it is — until they have the event.”
About 80 percent of Kraus-Anderson’s commercial client base has addressed cyber insurance. Small businesses are often among them, he says, especially in supply chain businesses where Burkhardt says one or more of the partners in that chain typically require a financial means of fixing any potential damages that could arise from a breach.
“Reliance and interconnectivity between businesses is escalating,” he says. “If you are in a supply chain or an end user distributor chain your partners in that chain are going to begin or have already started requiring you to be prudent in your cybersecurity.”
One key:
Make sure you look out for your own needs, as well. He recommends buying cyber-risk insurance that will cover expenses you incur from an attack as well as those of a third-party affected by an incident. If you buy a cyber-liability policy, it’ll cover the third-party, but “they’ll have no way to repair their own systems,” he says.
Contact:
Keith Burkhardt, vice president at Kraus-Anderson Insurance: 952.707.8210; kburkhardt@kainsurance.com;
www.kainsurance.com.
Scott Dressler, chief information officer at Sunrise Bank: scott.dressler@sunrisebanks.com; www.sunrisebanks.com.
Eric Ebner, chief technology officer at Protocol 46: 651.300.0946; info@protocol46.com; www.protocol46.com.
Eileen Manning, CEO and founder of The Event Group: eileen.manning@eventshows.com; www.plantoastound.com.
