The world is quickly becoming a digital utopia where almost every task can be completed with the help of technology. This shift has been embraced by most modern businesses, but it has also resulted in organizations encountering a new type of threat - cybersecurity risks. To learn more about the measures that business leaders can take to protect their companies from potential cyberattacks, we interviewed Eric Sugar, President at ProServeIT.
In this blog, we’ll introduce you to Eric and highlight some of the topics that were discussed during our interview. Read on to find out how you can use advice from an experienced leader to keep your business and its valuable data secure from potential hackers!
In a hurry? Jump straight to your section of interest.
👎 The Negative Consequences of Poor Cybersecurity Practices
📜 What Are Some Compliance Requirements for Businesses
👨‍💼💻 How Can Businesses Best Meet These Compliance Requirements
🔒 Best Practices for Protecting Sensitive Business Data
🛡️ How Can Businesses Deter Cyberattacks
💻🔐 The Importance of Cybersecurity in The Modern Workplace
Who is Eric Sugar?
Eric Sugar is the President at ProServeIT and describes himself as both super-open and adventurous.
Despite a terrifying experience of rowing across the Thames, Eric is still passionate about the sport. He has raced both for the University of Toronto and, at the international level, for the Don Rowing Club, and even owns a single-scull boat from Cuccietti. When Eric finds moments to relax, however, he enjoys cycling, playing hockey, and reading books of all genres as quickly as his busy schedule allows.
Eric believes in giving back and passionately supports the Princess Margaret Cancer Foundation. To contribute to this cause, he established the ‘Friday Charity Barbecue’ at ProServeIT. Held when the weather allows (May to October), the barbecue is run by one of ProServeIT’s executives for the employees and guests present that day, with donations going directly to the cancer foundation.
He has over 20 years of experience in the Information Technology sector and has been at ProServeIT for 15+ years.
The Negative Consequences of Poor Cybersecurity Practices
Question: What can happen if businesses and other organizations fail to adequately prioritize cybersecurity?
Eric Sugar: If businesses aren't both paying attention to and investing in cybersecurity, they put their valuable data at risk. They put their employees’ data, their business processes, all their confidential intellectual property (IP), and their customer information in danger of being stolen by expert hackers.
From a possible negative outcome perspective, you can have data breaches where sensitive data is stolen and used against you as a business or used against your clients. You can have incidents like ransomware happening where your systems get encrypted, and you're asked to pay money to unencrypt those systems. Tied into cybersecurity, I think backups and then recovery from backups are also really important because that will help protect you against some of these issues (a proactive tactic).
Other risks that can happen outside of data breaches and ransomware would be loss of productivity, where your team can't do their work because they don't have access to systems which aren't available. We would have brand experience or brand exposure as a negative outcome when you think about all the businesses in the news for cybersecurity incidents.
And you can also have a situation where you're impacting your customers or suppliers because a cyber-criminal can use you as a way to get to your customers or your suppliers. In that case, you could have both brand and business impact.
These are some of the possible outcomes that can occur if a business chooses not to prioritize cybersecurity investments.
What Are Some Compliance Requirements for Businesses
Question: What compliance requirements do businesses face in this domain? What penalties may they incur if they do not comply?
Eric Sugar: Compliance requirements are different from country to country. In Europe, we have the GDPR (General Data Protection Regulation). We have other requirements in Canada and the US, but they tend to align with the GDPR and depend on the type of data you're protecting, managing, and responsible for.
If you have data or are given data, you're in charge of protecting that data. You have responsibility and accountability for that. So we have the HIPAA (Health Insurance Portability and Accountability Act) and PHIPAA (Personal Health Information Protection and Access Act) regulations when it's personal information and they prescribe what you must do to protect it.
The penalties can be very steep, so you can have businesses fined up to 5% of revenue depending on the type of information they lose and what they've done to protect that information. I think the main focus is to show that you're trying and you're putting investments into becoming more compliant around data, governance, and around security. If you can show you've done, at least, a certain level of minimum viable effort to protect your data, and to protect your employees, you may be exempt from the fines, and the major issues you will face are your brand and your employee exposure.
There can be costs tied to remediation as well, so you may be stuck with costs as a consequence of a breach. For example, if private information is released, you might have to pay for credit protection for the people involved. These are major issues that businesses are dealing with today.
How Can Businesses Best Meet These Compliance Requirements
Eric Sugar: There are probably a few items that are vital to protect against cybersecurity compliance and governance issues.
There are two or three easy tech fixes that will help protect against a number of items:
- 📱 Multifactor authentication (MFA) is super important.
- ✉️ Deep e-mail scanning is where you protect against links and attachments sent as an e-mail to help your staff protect themselves. It's essential. Products like Microsoft Defender for Office can help.
👀 After that, you monitor and manage how people access your data.
Having a security operation center and a security incident management tool that's either run internally 24/7 or outsourced to a partner who provides managed security services is one way to meet this compliance requirement and ensure you protect your business. You're doing what you need to do to protect your staff and your customers, your vendors, and your partners.
The last thing is thinking about limiting access as much as possible. So how do you get to the point where you have conditional access? You should only allow access to your information from trusted areas or areas you should be in, and you monitor how people use it, when they use it, and where they are.
These tools, technologies, and processes can help protect and govern what you're doing.
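Eric's mention of deep e-mail scanning is a good place for a concrete illustration of one check such a product performs. The following is an added example, not code from the interview, from ProServeIT, or from Microsoft Defender for Office: it parses an HTML e-mail body and reports every link whose visible text names one host while its `href` points to a different one, the classic sign of a disguised link. The sample message and the domains in it are constructed.

```python
"""Flag links in an HTML e-mail whose visible URL text disagrees with the real target.

Added example (not ProServeIT's or any vendor's code). It mimics one check a
mail-scanning product performs before a link ever reaches the user.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample body: the second link shows one site but goes to another.
SAMPLE_EMAIL_HTML = """
<p>Your mailbox is almost full.</p>
<p>Please visit <a href="http://login.example-portal.test/reset">https://portal.example.com/reset</a>
to keep access.</p>
<p>See our <a href="https://portal.example.com/help">help centre</a> for details.</p>
"""


def _host(text):
    """Return the lowercase hostname if `text` looks like a URL, else None."""
    parsed = urlparse(text.strip())
    if not parsed.netloc:
        return None
    return parsed.netloc.lower().split(":")[0]


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def suspicious_links(html):
    """Return one finding per link whose displayed URL host differs from the href host.

    Links whose visible text is not a URL ("help centre") are not judged here;
    a full scanner would check those against reputation data instead.
    """
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        shown, actual = _host(text), _host(href)
        if shown and actual and shown != actual:
            findings.append({"shown": shown, "actual": actual, "href": href})
    return findings


if __name__ == "__main__":
    for finding in suspicious_links(SAMPLE_EMAIL_HTML):
        print(f"link text claims {finding['shown']} but points to {finding['actual']}")
```

The check is deliberately narrow: it only fires when the user-visible text is itself a URL, which is exactly the case where a person is most likely to trust what they see without hovering. Real scanning products layer this under reputation lookups, attachment detonation and link rewriting, which is why Eric recommends a product rather than a home-grown filter.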
Best Practices for Protecting Sensitive Business Data
Question: What are best practices to help businesses protect sensitive information and confidential data?
Eric Sugar: Daily encryption is really important. Conditional access, as I mentioned, is setting up rules such as only allowing access from the country you're doing business in, and, if you travel from one country to another, the network won't allow access without accounting for a minimum travel time. So if you're flying across North America and you access information in Toronto at 9:00 AM and then ask to access it in Texas at 10:00 AM, you will be denied access since you can't fly that fast between the two locations.
That action should block access or set off a security alert from a monitor-detect-response service which can be associated with a managed security services provider (MSSP). This is probably the best practice you can use as a business if you haven't been investing much in cybersecurity to make sure that you're covering all the right angles.
And employee training is also important which leads to the next question:
Question: Which kind of training should employees at businesses receive to ensure they protect data appropriately? What are the top 3-5 takeaways training should impress upon them?
Eric Sugar: I think that cybersecurity training should be continuous. We must train all our employees to understand that they are the “last piece” between cyber terrorists or cybercriminals and our company data. So it's about understanding that the employee is the most important piece, and knowing that you shouldn't trust everything that is presented to you. Even if it's in your mailbox, it doesn't mean it should be trusted.
Questions to consider when unsure about a link sent to you or a “surprise” email from your manager asking for access that they already have:
- 🤔 Should I click this?
- 🤔 Does this feel right?
- 🤔 Why would my boss ask for login credentials that should already be available to them?
- 🤔 Do I trust where this email is coming from?
If you have any inclination that “this isn’t right,” go talk to your IT team, supplier, or managed security service provider (MSSP) to understand if the link/email is legitimate or a cyberthreat. Picking up the phone to verify is really important.
The Top 3 to 5 Takeaways from Cybersecurity Training Should Be:
- ✔️ Trust nothing. Trust no one. Always assume someone's trying to breach you.
- ✔️ Leveraging technology like multifactor authentication (MFA) and conditional access should be essential.
- ✔️ Ongoing cybersecurity training (monthly or quarterly) to ensure you're staying current on cyberattacks and cyber breaches.
- ✔️ Pick up the phone and call. When in doubt, call whoever sent you an e-mail and say, “Hey, I got an email from you. It doesn't feel right. Was this you?”
How Can Businesses Deter Cyberattacks
Eric Sugar: As I mentioned, the two most important components to deter cyberattacks are multifactor authentication and conditional access. Those two pieces will reduce your available attack surface in your business very quickly. It means that whenever someone logs into your system, they're being “challenged” for that login. So you're now reducing the risk of someone stealing or breaching your password.
We have clients who have implemented multifactor authentication. We can see now in the logs that unknown people have tried to get access, and they couldn't do so because of that multifactor authentication.
So that's the biggest thing you can do, as a business, to protect yourself.
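Both signals Eric describes, the impossible-travel conditional-access rule from the previous section (Toronto at 9:00 AM, Texas at 10:00 AM) and the MFA-blocked attempts he sees in client logs, can be read out of an ordinary sign-in log. The following is an added example, not ProServeIT's or any identity provider's tooling: the log format, the user names and the coordinates (roughly Toronto and Dallas for the 9:00/10:00 case, Berlin for the failed challenges) are constructed, and the 900 km/h ceiling is an assumed plausible travel speed, not a figure from the interview.

```python
"""Review sign-in records for two signals from the interview:
impossible travel (a conditional-access rule) and MFA-blocked attempts.

Added example, not ProServeIT's tooling. The record format is constructed;
real identity providers export richer events, but the fields used here
(user, time, geolocated position, whether the MFA challenge was satisfied)
are common to most of them.
"""
from collections import defaultdict
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_SPEED_KMH = 900.0  # assumption: roughly airliner cruising speed

# Constructed sample log: ISO timestamp (UTC), user, latitude, longitude, MFA result.
# alice: Toronto 09:00 then Dallas 10:00 (impossible); bob: two Toronto sign-ins;
# carol: three failed MFA challenges from Berlin, later a normal sign-in from Toronto.
SAMPLE_SIGNINS = """\
2023-03-01T09:00:00Z alice 43.65 -79.38 mfa_ok
2023-03-01T10:00:00Z alice 32.78 -96.80 mfa_ok
2023-03-01T09:05:00Z bob 43.65 -79.38 mfa_ok
2023-03-01T11:30:00Z bob 43.70 -79.40 mfa_ok
2023-03-01T03:12:00Z carol 52.52 13.40 mfa_failed
2023-03-01T03:13:00Z carol 52.52 13.40 mfa_failed
2023-03-01T03:15:00Z carol 52.52 13.40 mfa_failed
2023-03-01T08:00:00Z carol 43.65 -79.38 mfa_ok
"""


def parse_signins(text):
    """Turn the whitespace-separated sample format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, lat, lon, result = line.split()
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "lat": float(lat), "lon": float(lon), "result": result,
        })
    return events


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points given in decimal degrees."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat, dlon = p2 - p1, radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def minimum_travel_hours(distance_km):
    """The 'minimum travel time' the rule accounts for: distance at the fastest plausible speed."""
    return distance_km / MAX_PLAUSIBLE_SPEED_KMH


def impossible_travel(events):
    """Alert on consecutive successful sign-ins by one user that arrive sooner
    than the minimum travel time between their two locations."""
    by_user = defaultdict(list)
    for e in events:
        if e["result"] == "mfa_ok":          # only completed sign-ins place a user somewhere
            by_user[e["user"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["time"])
        for prev, cur in zip(evs, evs[1:]):
            dist = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            elapsed_h = (cur["time"] - prev["time"]).total_seconds() / 3600
            needed_h = minimum_travel_hours(dist)
            if elapsed_h < needed_h:
                alerts.append({"user": user, "distance_km": round(dist),
                               "elapsed_hours": round(elapsed_h, 2),
                               "minimum_hours": round(needed_h, 2)})
    return alerts


def mfa_blocked_summary(events):
    """Per-user count of attempts that got past the password but failed the MFA
    challenge: the 'unknown people who couldn't get in' Eric reads in his logs."""
    counts = defaultdict(int)
    for e in events:
        if e["result"] == "mfa_failed":
            counts[e["user"]] += 1
    return dict(counts)


if __name__ == "__main__":
    evs = parse_signins(SAMPLE_SIGNINS)
    for alert in impossible_travel(evs):
        print(f"impossible travel: {alert}")
    for user, n in mfa_blocked_summary(evs).items():
        print(f"{user}: {n} sign-ins stopped at the MFA challenge")
```

Two points worth noting when turning this into a production rule. Sign-in positions come from IP geolocation, so a few hundred kilometres of error is normal and corporate VPN egress points should be allow-listed before alerting. And the MFA-failure count is only meaningful because MFA is enforced: a run of failed challenges against one account tells you the password for that account is probably already known to someone, which is the cue to reset it and investigate, not just to be relieved that the second factor held.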
The Importance of Cybersecurity in The Modern Workplace
Eric Sugar: Cybersecurity is part of the minimum standard in today's technology environment. You need to have an intentional focus on cybersecurity.
Suppose we, as business leaders, are not choosing to invest and manage the risk of cybersecurity, protecting our teams with cybersecurity solutions, using monitor-detect-response services via an MSSP, or internally using tools like MFA. In that case, we're responsible for the consequences, financial or otherwise.
On the other side, we have to know that we're in control, and if we're proactive, we can protect our organization from cyberattacks. If we're reactive, we will have to defend against some sort of data breach or ransomware incident (and that's not much fun).
Cybersecurity can no longer be taken for granted in today's digital age.
With the prevalence of cyberattacks and data breaches, businesses need to ensure that their networks and data are protected from potential hackers. It's important for business leaders to understand their compliance requirements and to find the best ways to meet them. Best practices such as enlisting an external provider or implementing a secure identity platform are key strategies for mitigating risk and protecting against a potential data breach or cyberattack. Cybersecurity should be a top priority for businesses because it protects sensitive company information and assets.