BUSINESS SECURITY: Keep Your Small Business Safe in a Digital World

Inside:

KEEPING YOUR BUSINESS SAFE: A road map for protecting against cyberattacks.

LENDER SPOTLIGHT: A Q&A about how Service Credit Union protects personal data with a team of cybersecurity professionals.

MEMBER SPOTLIGHT: A recruiting company matches cyber professionals with jobs using a unique formula.

A glossary of cybersecurity terms you need to know.

VETERAN SPOTLIGHT: A former Marine talks about his work as a Service Credit Union Fraud Investigator.

How CISA, a federal agency, can help small businesses create a secure Infrastructure.

Service CU can help you enhance the digital security of your small business.

Dear Reader,

As our world becomes more and more digitized, the importance of keeping your business secure online becomes increasingly vital.

Organizations of all sizes are investing more of their resources into security, because not doing so could result in permanent damage, or in the worst case, a total collapse. In fact, according to a survey by search engine company Startpage, 72% of Americans say they are “very concerned” to “extremely concerned” about their online privacy, and 62% say they have become more aware of how their personal data is used online.

Additionally, a survey from Deloitte showed the majority of consumers are more likely to do business with a company they believe protects their personal information.

But there is no reason to panic. Staying secure in the digital world is necessary to keep your business thriving for years to come. In this issue, security and privacy experts share their tips on how to use technology to keep your small business safe in a digital world. Not only will you be protecting yourself and your customers, you’ll also be increasing their trust and loyalty by enhancing their customer experience.

As always, feel free to reach out and learn how Service Credit Union’s business lending team can help you enhance your businesss’ efforts with a variety of products and services suited to your specific needs.

DAVID WEED

SERVICECU.ORG/BUSINESS

Your partner in success,

ASSISTANT VICE PRESIDENT BUSINESS SERVICES

Staying Safe phish·ing /'fi-shing/

1. the fraudulent practice of sending emails purporting to be from reputable companies in order to induce individuals to reveal personal information.

Phishing is the same as fishing. You bait a hook, drop it in the water and hope something will bite. The only difference is that phishing is done in a digital sea, a vast sea filled with millions of people who all too often take the bait.

“That’s where malware gets deployed into a company’s systems, typically through phishing, and locks all of the data with encryption,” Laham says. “The data is held hostage until the company either pays a ransom or is able to recover the data from backups. It’s incredibly profitable, and all they have to do is send phishing emails and just wait for someone to click a link.” Studies show that, worldwide, $20 billion was paid by companies in ransomware attacks, and that figure is expected to grow substantially in the years ahead.

They respond to a phishing email and end up giving out confidential information — at worst, account numbers, usernames and passwords — to a cybercriminal or, in the parlance, a “bad actor.” Those bad actors then use that information to take their money, often thousands of dollars. Or they simply sell it on the dark web, where special software allows the bad actors to remain anonymous and untraceable. Either way, someone has been scammed, likely with the help of a technique called social engineering.

“Social engineering is psychological manipulation that scammers use to trick people into taking action that, in this case, is not in their best interest and not something they would normally do,” says Alex Laham, Assistant Vice President of Information Security at Service Credit Union. “It’s a newer version of the phrase 'con game.’”

The manipulation, Laham says, involves provoking an emotional response that will lead someone to take the action the bad actors want: “They will say, for instance, ‘Thank you for your payment of $6,000 to Amazon’ and ‘Click this link if you didn’t do that.’ You’re going to freak out, and because you didn’t do that, you click the link, where they then can get your confidential information. That’s how the emotional manipulation works.”

Phishing is only one of the bad actors’ scams. There’s also smishing (a new trend where phishing is done with a text instead of email), vishing (with a phone), spoofing (a method to convince a target they are dealing with a trusted source), and the most serious of all: ransomware.

“Whenever there’s money available, people will try to steal it,” Laham says. As head of Information Security at Service CU, his job is to make sure that doesn’t happen and that all of the members’ accounts and data are protected. He leads a team of cyber professionals who watch over company’s operations 24/7, alert to any kind of intrusion. “Our goal is to make sure that those who require access to data have it, and those who shouldn’t, don’t,” he says. “And we have all of the technical requirements that are needed to support that action.”

Another aspect of providing safety to Service CU members is having a staff that’s savvy about what the bad actors are up to. “One thing that’s been proven over the past few years is that no matter how impressive a company’s technology is, the world’s greatest firewall, the best endpoint protection system, sometimes it only takes one person on the inside giving credentials to a fake phishing site to circumvent security platforms,” Laham says. “Training people with a security awareness program is just as, if not more, important than having technical measures in place.”

One part of the training is the simple directive: slow down. “The biggest savior for somebody who may be the recipient of a phishing email is time,” Laham says. “Slowing down allows you to really take a good look at the information that’s being provided to you and to not respond to the emotional generators that bad actors employ. If it’s an email, does the address look legitimate? Is the email unexpected, out of the blue? Does something just not feel right? If you’re suspicious, take a moment and confirm with the institution directly. The fallback is when in doubt, throw it out.”

Small

Cybersecurity Checklist

think your small business would be a target for

43% of

victims are small businesses

Within the last 12 months, 47% of SMBs have suffered

The average cost of

on a

is $200,000

Think again.

Nearly 60% of SMBs fold within six months after

Use multiple layers of protection

also known as multilevel

Defense in Depth (DiD). Set up intentional securtiy redundancies so that if one system fails, another steps up immediately.

Limit user access

to

email restrictions

remember them, but then they’re easy to break.”

The solution, he says, is length. Change it from a password to an easily remembered phrase. Because so many passwords are now available to the bad actors, Laham says, “Eight characters doesn’t cut it anymore; those can be breached fairly quickly. You get exponential strength the more characters you add. We advocate for a passphrase with a minimum of 18 characters on any account.” And, he adds, use a password/passphrase manager for secure storage.

Information about how to prevent being victimized is regularly passed along to Service CU members, but if a member’s account is compromised or even if they suspect it has been, Laham says get in touch with the credit union right away: “If a member becomes aware of it early enough, we will lock the account and reset those credentials. Then, we’ll do an evaluation to make sure that there aren’t any untoward charges.”

Ask Laham what he sees ahead in cybersecurity, and he says, “Phishing,

or some form of social engineering, is always going to be in the tool bag of the cybercriminal. But the use of machine learning and quantum computing will add a whole new layer of difficulty to how we defend against systems that are stronger, faster, and with more capabilities. And, because account compromise is such a huge component of cybercrime, I think we’re going to see aggressive moves toward using biometrics or different forms of multifactor authentication instead of relying on passwords.”

He says, trusting in a company to keep data safe will become a deciding factor in whether to do business with them. “We want our members to understand that we value their data the same as if it were ours. I’m a credit union member. My information is here; my family’s information is here,” he says. “We have a fiduciary responsibility to maintain the sovereignty of members’ information. We want to make sure they feel comfortable knowing our focus is on ensuring their financial health.” n

‘‘

People forget that your email is basically the window to your life.’’

MEMBER SPOTLIGHT

Fighting Cybercrime

CyberSN finds the cyber professionals to do the job

CyberSN is the only recruiting company in the country that is focused solely on cybersecurity.

SUETONIUS, LIFE OF JULIUS CAESAR

More than 2,000 years ago, the messages that Julius Caesar sent to his generals as they fought battles across the Roman Empire were encrypted. Called the Caesar Cipher, it used monoalphabetic substitution, where each letter was replaced by another letter located a few spaces further down the alphabet.

Trying to hide sensitive information from prying eyes has a long history, but the invention of a computer networking system called the Arpanet, the precursor to the internet, would make hiding information more difficult, exponentially more difficult.

Back in the early days of the Arpanet, which became operational in 1971, the number of computers connected to the system was small, and the threat of information being revealed — data loss, in today’s terms — was equally small. Viruses were nonexistent. That is, until the Creeper worm appeared on the scene.

As an experiment in self-replication, an engineer at a technologies company created a computer worm that copied itself on computers throughout the Arpanet, leaving a message that said, “I’m the

creeper, catch me if you can!” The Creeper wasn’t intended to be malicious, but it was disruptive enough that the world’s first antivirus program, the Reaper, was created to delete it.

It was at that moment that the business of cybersecurity was launched. ****

Forty years after that first intrusion into a computer system, there is, according to a Clark School of Engineering study, an intrusion, or cyberattack, every 39 seconds, affecting one in three Americans each year. The attacks involve accessing data, extorting money and disrupting company operations.

Because of the prevalence of attacks and the need for businesses to protect themselves, cybersecurity has grown into a $139 billion business worldwide, with double-digit growth rates expected for the foreseeable future. That means there’s huge demand for people to work in cybersecurity.

Among the jobs: cloud forensic analyst, insider threat analyst, security engineer, penetration tester and enterprise security architect. In management, the jobs include chief information security officer, security director and security manager.

“We have identified 45 functional roles in cybersecurity that fall into 10 categories, which include defense, offense, research, response, compliance, education, planning and sales,” says

‘‘

If he had anything confidential to say, he wrote it in cipher, that is, by so changing the order of the letters of the alphabet, that not a word could be made out.’’

Dom Glavach, the Chief Security and Technology Officer for CyberSN, the only staffing and recruiting company in the country that is focused solely on cybersecurity.

Because the profession is “immature,” as Glavach puts it, that system of classification of roles, or taxonomy, didn’t exist. As a result, what one company called a security engineer might mean something different at another company. “So there was this large disconnect,” he says. “To remedy that, we created this taxonomy and applied it to a matching algorithm that takes a professional’s profile and matches it to an open job.” Another unique aspect of the algorithm, what Glavach calls “the secret sauce,” quantifies the degree of professionals’ interests and qualifications.

“We’re using that type of matching algorithm as our core, along with the traditional recruiters that reach out and discuss positions with cyber professionals and with companies,” Glavach says. The taxonomy makes it easy for applicants to determine which jobs to apply for, and it’s used by businesses to build better job descriptions, for staff planning and development, and to find candidates who fit and will last in the jobs.

Companies want people who will last in the jobs because there’s a shortage of qualified cyber professionals. “The shortage is significant,” Glavach says. “It’s been that way since I joined CyberSN six and a half years ago. It’s a real challenge, so we advise companies to focus on the retention of cyber professionals currently in their company or the people that we assist in the placement.”

One of the biggest challenges is hiring women, now just 14% of the cyber workforce, and people of color, less than 5% of the workforce. It’s a challenge that CyberSN has taken on, in part because the company’s founder and current CEO is a woman, Deidre Diamond. A founding partner of Secure Diversity, a nonprofit to increase the hiring of under-represented groups, Diamond has made the company a leader in connecting diverse professionals to cybersecurity roles. One of the CyberSN initiatives: Resumes can be created without identity data, shared only when an application is made, to remove the possibility of unconscious bias.

Glavach says a cyber program at a university — with courses in programming, mathematics and sociology (helpful for understanding the psychology of phishing) — is the preferred choice for the needed education. But fouryear degrees aren’t the only path to a cyber career. Some cyber professionals come from community colleges or trade schools; some are self-taught, like the high school graduate who started cyber as a hobby.

Most important, Glavach says, is passion and curiosity: “Many companies are saying, ‘I’ll take someone who’s passionate and curious and willing to learn over someone who has a four-year degree who’s not passionate and curious. The cyber community is very passionate about what it does. I truly, truly love what I do. It’s my passion and do not see it as a job”

For more information, visit cybersn.com. n

Protecting Your Identity

Wn Nate Glines did a sevenyear stint in the Marines, he was an avionics technician for a combat aircraft that’s been described as “unlike any in the world.” It’s the V-22 Osprey, which can take off vertically, hover and land like a helicopter. Once it’s in the air, it can be converted to a turboprop airplane that can fly fast and high. As you can imagine, its operational systems are complex.

Glines says he had to train for more than a year before he was allowed to actually work on the aircraft’s avionics, which he did both here in the U.S. and on deployments to Europe and Afghanistan in the years between 2009 and 2014. He would soon qualify as a CDI (Collateral Duty Inspector), which meant he had a huge responsibility: “You’re the last person to sign off before that plane goes to spin up again.”

To make sure an aircraft is ready to “spin up again,” the technicians have to be sure all of the electrical systems are working properly. When an aircraft has a system failure, Glines says, “The question is, ‘Is this one of the aircraft computers failing, or is it a wire leading to that component that’s failing?’ The job was mostly troubleshooting.”

Glines left the military eight years ago, first taking a job in the call center at Service Credit

‘‘We catch fraudulent applications every week, if not every day.’’

A FORMER MARINE STANDS

AGAINST FRAUD

Union and then, two years later, becoming an investigator in the Service CU fraud department. When asked if he thinks his troubleshooting experience in the Marines helps him in his job as a fraud investigator, he says, “That’s exactly how I view it. It’s definitely how my brain works, things that involve troubleshooting, spotting inconsistencies, or odd discrepancies — that kind of thing. Even though the two jobs couldn’t be more different otherwise, they definitely share that.”

Inconsistencies, discrepancies — that’s what Glines and his fellow fraud investigators look for in their 24/7 work to protect all of the accounts at Service CU. Though their methods of detection are mostly secret, it can be said that their work is aided by computer algorithms that trigger alerts if unusual patterns of activity are seen. Unusual activity can include a new device accessing a member’s account, new check deposit patterns, and logins from suspicious IP addresses. “That’s a recipe for fraud,” Glines says.

Once an alert has been

Being an avionics technician for the complex V-22 Osprey honed Glines’ troubleshooting skills. V-22 photo courtesy of wikimedia.org

triggered, the mission becomes stopping and mitigating fraud — identity theft is the most common — before it happens. The fraud investigators check the information that’s been provided on an application for, say, a loan and check it with external data sources, such as credit bureaus and other online resources. Glines says fraud attempts happen more often than you think: “We catch fraudulent applications every week, if not every day.”

Investigators are frequently in contact with members who are victims of fraudulent activity and compromised information; they educate members on topics such as avoiding scams, the various consequences of fraud, and give advice on how to determine if something is suspicious. Common advice includes topics like being suspicious of unsolicited emails or texts asking for sensitive personal or account information, verifying who you’re communicating with, and other such prevention tactics.

“Scammers are pretending to be someone they’re not, perhaps pretending to work for a company

that’s legitimate, and that can be verified,” Glines says. “Go to the company’s website, look up their number and call it. Ask to talk to the person who’s representing themselves as an employee. Just doing that would significantly reduce the number of scams that people commonly fall for.”

Unlike other kinds of fraud, identity theft may not mean you lose money directly. But there is still a cost, possibly a high cost, if the scammer is successful. Glines says, “You might be talking months, sometimes even years, to get all those fraudulent inquiries and lines of credit, loans, etc. removed from your credit profiles. If you’re trying to buy a house, even just rent a place, you’re getting your credit checked. If you have unresolved, unpaid loans, even if you explain it to them, the landlord or mortgage company may not trust what you’re saying.”

The best way to avoid all that, Glines says, is “don’t give out your personal information. You might not get scammed right away, but the more you put your info out there, the more chances it has of being compromised. It’s just a numbers game.” n

LENDER SPOTLIGHT: Q&A with David Weed

With a graduate degree in finance, David Weed started his career in commercial lending in 1988. He worked at both large and small regional financial service firms before joining Service Credit Union as Assistant Vice President in 2012. Since David’s arrival at Service CU, his work has garnered a noteworthy number of awards and recognitions. To name just one, David was the recipient of the NH Business Review’s Business Excellence Awards in Financial Services for helping Granite State businesses stay afloat amid the Covid-19 pandemic. David says, “We are grateful to New Hampshire businesses for trusting in us, and we are there for them, no matter what.”

We talked to him about another way Service CU is there for businesses, no matter what: keeping them safe in a digital world.

In this digital world, there are malicious actors who are growing ever more sophisticated about how to hack information and profit from it. It seems that it’s increasingly important to trust the financial institutions you’re dealing with.

Yes, trust is critically important. We need to earn the trust of the members and the businesses that we deal with by ensuring

‘‘We are grateful to New Hampshire businesses for trusting in us, and we are there for them, no matter what.’’

that we handle their money in a secure, compliant fashion. If we aren’t able to ensure that a transaction won’t be comprised, it affects not only the member but the reputation of our business. It’s also important to be transparent about whatever happens, whether it’s a data breach or something else, to communicate that it’s happened and how it’s being resolved.

How do you ensure the safety of transactions?

We meet the very highest standards. For example, we don’t rely on instructions given by email. If, say, officers in a company change, we ask for written letters of authorization or updated LLC agreements to make any amendments. We’re carefully maintaining the record, from a legal perspective, of who’s authorized to do what and why.

Also, we have a dedicated team of information security professionals that monitors all of the traffic that comes in and goes out of the credit union for malware, for phishing, for malicious emails. They train all the staff on a quarterly basis to trust but verify. Plus, we have good, firsthand relations with our members, and therefore have a good sense of who they are. If something seems amiss, then we follow up on it. That happened just recently.

What happened?

A business was infiltrated by a provider that they use, and that individual or group gained access to the business’s email system and parked themselves there, amid all of the corporate dialogue that went on. That way, they learned

the business and the players well enough to mimic their writing and try to gain access to the business’s finances.

Because we know our businesses so well, one of our staff members sensed that something didn’t quite feel right, that the tone of the email conversation was off. It bothered her to the point she picked up the phone and called the business to verify the authenticity of the email. That was when the hack attempt was discovered and shut down.

If it hadn’t been for that staff member picking up the phone, that business could have lost money …

Yes, thousands of dollars, maybe hundreds of thousands.

Also, if you’re hacked, your business could have to shut down.

That’s a problem as well. Not only can that damage your customers’ trust in you and affect your business’s reputation, you’re not making money when you’re not operating. And changing your IT infrastructure, your servers, your cellphones and so on, can mean a significant amount of time — and expense. Most businesses have insurance coverage for these types of things, but it’s important for a business to check in with their carrier on a regular basis to ensure that they have the appropriate coverage.

Are small businesses more vulnerable than larger businesses?

I think, to a degree they are. They’re more likely to get caught up in the type of breaches you see on the news, where a multitude of accounting information is stolen

and then sold to third parties. Larger businesses are more susceptible to sophisticated attacks like malware being installed. But we’re seeing more and more deliberate hacks on businesses in general.

All businesses need to be vigilant in this environment. There is no total protection in terms of information security even if you use the industry’s best practices. You have to be sure to update your IT infrastructure, update your information security protocols, and make sure you’re dealing with someone who maintains their security standards. And, again, remain vigilant. It’s easy to get complacent.

Does the fact that so many people are working from home add to the challenge of ensuring information is protected? And what about the storing of information on the cloud?

Certainly, a remote working environment poses additional challenges. It gives a hacker many more points of entry, but there are designs that allow you to protect against hacks, like encrypted VPN connections for all communications. For the cloud, while the servers are in third-party hands, let’s say Amazon, but the information is still controlled by the companies or, in our case, the credit union’s IT professionals. So, it’s not altogether different than what’s been going on in the past.

What do you see ahead?

I’m worried. The world changes every day, and these folks are very tactical in their approaches to get access to information. We work every day to keep on top of that. n

Financial Literacy (or FinLit, for short)

At Service Credit Union, part of our mission is to provide the resources needed to improve our members’ financial well-being. One of those resources is financial literacy, which allows people to make informed decisions about their finances. An element of that literacy is knowing what financial terms mean. Here, we define terms that relate to cybersecurity.

Cybersecurity Definitions

Alert: A notification that an attack has been detected or directed at an organization’s information systems.

Antivirus Software: A program that monitors a computer or network to detect major types of malicious code and to prevent or contain malware incidents.

Attack: An attempt to gain unauthorized access to system services, resources or information, or an attempt to compromise system integrity.

Authentication: The process of verifying the identity or other attributes of a user, process or device.

Bad or Malicious Actor: Someone who attempts to attack and infiltrate digital systems and are motivated by money, politics or some other malicious intent.

Blue Team: A group that defends an enterprise's information systems when mock attackers (i.e., the Red Team) attack, typically as part of an operational exercise conducted according to rules established and monitored by a neutral group (i.e., the White Team).

Brute Forcing: Multiple password attempts with the aim of breaking into an account.

Dark Web: A part of the World Wide Web that is only accessible by means of special software, allowing users and website operators to remain anonymous.

Data Breach: The unauthorized disclosure of sensitive information to a party, usually outside the organization, that is not authorized to have or see the information.

Encryption: Converting data into a form that cannot be easily understood by unauthorized people.

Event: An observable occurrence in a network or system, which indicates that an incident may be occurring.

Exposure: The condition of being unprotected, potentially allowing access to information that an attacker can use to enter a system or network.

Firewall: A hardware/software device or program that limits traffic between networks or information systems according to a set of rules regarding access.

Hacker: An unauthorized user who attempts or gains access to an information system.

Intrusion: An unauthorized act of bypassing the security mechanisms of a network or information system.

Malware: Software that compromises the operation of a system by performing an unauthorized function.

Passphrase: A string of words used for authentication that is longer than a traditional password, easy to remember and difficult to crack.

Phishing: A digital form of social engineering to deceive individuals into providing sensitive information.

Plaintex: Readable text before it is encrypted into ciphertext, or readable text after it is decrypted.

Ransomware: Malware that threatens to publish a victim's personal data or block access unless a ransom is paid.

Recovery: Restoration of essential services and operations after a security event — in the short, medium or long term.

Risk: The potential for an unwanted outcome from an incident, as determined by the likelihood that a particular threat will exploit a vulnerability.

Social Engineering: An attempt to trick someone into revealing information to be used in a system attack.

Smishing: Sending text messages purporting to be from a reputable company to induce individuals to reveal personal information.

Spoofing: Disguising an email address, display name, phone number, text message or URL to convince a target that they are interacting with a trusted source.

Vishing: Making a phone call purporting to be from a reputable company to induce individuals to reveal personal information.

Expert Help: Cybersecurity & Infrastructure Security Agency (CISA)

More than 40% of small businesses reported being the victim of a cyberattack in the last 12 months, with an average cost of $9,000 per attack. That’s according to CISA, which is a federal agency, part of the Department of Homeland Security, that’s tasked with working with partners — businesses, organizations, government agencies — to defend against today’s cyber threats and build a more secure and resilient infrastructure for the future.

If you’re a small business owner, CISA’s website has lots of information that you can use to safeguard your data — and your profits. Among the resources:

• Cyber Essentials: A guide for developing an actionable understanding of where to start implementing cybersecurity practices.

• Cybersecurity Resources Road Map: A guide for identifying useful cybersecurity best practices and resources based on need.

• FCC Small Biz Cyber Planner: How to create a custom cybersecurity plan.

• FCC Small Business Tip Sheet: 10 key cybersecurity tips.

• U.S. Computer Emergency Readiness: How to secure your business network.

• FTC Compliance Resource: How to collect sensitive data from consumers and employees.

• National Cyber Security Alliance: How to safeguard your business, employees and customers.

• Stop. Think. Connect.: An awareness campaign to promote safe online habits.

• Workplace Materials: Posters and brochures about how to protect workplace, report cyber incidents and report suspicious behavior.