Companies Need to Stay Vigilant Against Hackers

It turns out Target wasn’t the only … well, target.
A year ago, Target announced that hackers had stolen personal information from some 110 million customer accounts. A handful of similarly high-profile breaches followed, including the breach of some 83 million JPMorgan Chase accounts in August and financial data from 56 million Home Depot customers in September.
Other high-profile victims of cybercrime in 2014 included Staples, Healthcare.gov, Neiman Marcus, and, of course, Sony, which endured the release of e-mails that strained relationships across the entertainment industry.
But those are major corporations, household names. The smaller companies that dot Western Mass. don’t have to worry about such attacks, right?
“Small to medium-sized businesses tune out because they think, ‘I’m just too small; no one’s going to want to attack me.’ The reality is, attacks on soft targets are going up astronomically every day,” said Charlie Christianson, president and CEO of Peritus Security Partners and CMD Technology Group.
“We want businesses to understand that there’s no magic bullet, no one product or solution that’s going to eliminate all the security risks,” he added. “Defenses need to be layered, and you have to include your people in the process. You’ve got to educate the people using your systems and make sure the culture in your organization is security-centric, and that everyone understands the risks that are out there.”
James Baker, lead security consultant for Peritus, agreed.
“Those are extreme cases,” he said of cases like Target and Sony, “but people shouldn’t have the attitude that ‘it won’t happen to me.’ A lot of hackers go after low-hanging fruit; they’re not focusing on a specific company or organization. Maybe your firewalls are misconfigured, and someone’s doing a scan, looking for certain ports open, and all of a sudden you pop up. It can be done fairly easily. It’s not a direct attack on your organization — it’s about low-hanging fruit, and your fruit is exposed.”
Although awareness is growing of the threats, he added, smaller companies often figure it’s not worth investing scarce resources into hiring a full-time cybersecurity professional or using a consultant.
“They think, ‘we don’t find a significant need for this. Why would we want to budget money on something we don’t feel we need?’” Baker told BusinessWest. “But once people do get compromised, they become very reactionary. Target did not have a CISO [chief information-security officer]; they did not have a security representative in the executive organization. Since this happened, they hired a brand-new CISO and compliance officer, who have that voice in management.
“But at smaller companies, where budgets are tight and personnel are overworked, they just go to the IT person whose responsibility is to keep the organization running, thinking, ‘he understands security.’
“We see that a lot,” Christianson added, “especially in small companies, where one person in the house has a little tech savvy and they’re the guy or woman who handles everything, who wears a whole bunch of hats. They put out the fires as they exist, and although they give it their best shot, security is not what they do. They don’t understand what the best practices are; they don’t understand all the things you need to do to secure an organization.”
For this issue’s focus on security, BusinessWest explores the reasons why that mindset is changing at many companies — sometimes, unfortunately, after the damage is done.
Head in the Cloud
One major change that has complicated cybersecurity is the fact that so much data is stored in the cloud and shared among remote devices, said Dave DelVecchio, owner of Innovative Business Systems in Easthampton. He believes companies need to take a hard look at how data is shared and where, with the goal of “letting the good guys in and keeping the bad guys out.”
For example, “if you’re a 40-, 50-, or 100-person company, whether you have an internal IT department or outsource to a company like us, what are the appropriate safeguards to put in place if you want to allow remote access on company-owned devices?” he asked. “Now that employees have more technology in their hands, and they want to store their calendars and contacts on their smartphone, what if a device is stolen or falls into the wrong hands?”

The question companies need to ask is what benefit they’re getting from allowing remote sharing of data. “I think it’s important to go back and see what people are trying to accomplish. The goal of working with technology in any business is to improve efficiencies and be able to get more done with less. That goal hasn’t changed in 40, 50 years, since ENIAC, in fact,” he said, referring to the first general-purpose electronic computer, built in the 1940s.
“Ultimately, what really matters is providing a secure and stable user environment to allow users access to technology to allow them to do their jobs,” he went on. “Employers need to decide whether allowing sensitive data on [remote] devices helps them achieve those efficiencies, and if so, they need to make sure employees understand how to protect that data.”
Baker agreed. “Years ago, there was a perimeter around your infrastructure to protect you. But that perimeter is gone. With the cloud and mobile devices and the need for businesses to virtualize and have information in the cloud, the idea of having a perimeter around your infrastructure to protect your assets is going away,” he told BusinessWest.
More important, he said, is the human element — educating employees in best practices to protect data, whether that’s creating strong passwords and storing them properly or restricting company-wide access to certain records. “Whether they work for a hospital dealing with patient records or they’re handling credit-card information, your employees have got to understand the data they’re working with, how to protect it, and what are the tools in their repertoire to assist in that.”
Mark Jardim, lead engineer for CMD, said companies can’t secure data without knowing where it is. “We see laptops out in the field, and they have Dropbox, and the person is saving all his stuff there, maybe synching the laptop to work, and it’s not encrypted. Now he has all this data, not encrypted, not backed up. What happens if someone steals or hacks the computer?”
One common hacker ploy, known as ransomware, is to get malware onto a device that encrypts important data, then extort the victim for money, often hundreds or thousands of dollars, to decrypt it. “A police department in Massachusetts got infected with malware and actually paid the hacker money to get the data back,” Jardim said.
Christianson said his company recently tested a client’s employees with a simulated phishing attack: an e-mail that looked like it came from an internal source but was actually a trap. “When they clicked the link, it took them to a bogus webpage that looked like the organization’s webpage, where they were asked to enter their name and password.” Thirty percent of the recipients entered their credentials.
“People opened the e-mail thinking it was from a trusted resource,” Baker said. “That is where education and awareness come into play. You can explain to them what happened and how they were tricked and how they can protect themselves in the future.”
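The simulated phishing exercise above turns on one thing: the link in the e-mail pointed somewhere other than where it appeared to point. The following Python script, an added example and not code from Peritus or CMD, shows the checks a mail filter or an awareness trainer can run over the anchors in an HTML e-mail: is the link on a domain the organization actually uses, does the visible text name a different domain than the href, is the domain a near-miss spelling of a real one, and does the URL hide its true host behind a `user@` prefix. The trusted domain `example-corp.com`, the lookalike `examp1e-corp.com`, and the sample e-mail are all constructed for the demonstration; the two-label “registrable domain” shortcut stands in for a proper public-suffix list.

```python
import re
from difflib import SequenceMatcher
from urllib.parse import urlparse

# Domains the (hypothetical) organization really sends from and links to.
TRUSTED_DOMAINS = {"example-corp.com"}

ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
HOST_IN_TEXT_RE = re.compile(r'(?:https?://)?([a-z0-9][a-z0-9.-]*\.[a-z]{2,})', re.I)


def registrable_domain(host):
    """Last two labels of a hostname ('login.example-corp.com' -> 'example-corp.com').
    A real filter would consult the public-suffix list instead."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def lookalike_of(domain, trusted, threshold=0.8):
    """Return the trusted domain that `domain` imitates (examp1e-corp.com, examplecorp.com),
    or None when it is either identical or clearly unrelated."""
    for t in trusted:
        if domain == t:
            return None
        close = SequenceMatcher(None, domain, t).ratio() >= threshold
        if close or domain.replace("-", "") == t.replace("-", ""):
            return t
    return None


def analyze_links(html, trusted=TRUSTED_DOMAINS):
    """One finding per <a> tag: the href, its visible text, and a list of reasons
    to distrust it (empty list means nothing looked wrong)."""
    findings = []
    for href, inner in ANCHOR_RE.findall(html):
        text = re.sub(r"<[^>]+>", "", inner).strip()
        parsed = urlparse(href.strip())
        link_host = parsed.hostname or ""          # hostname drops any user@ prefix
        link_dom = registrable_domain(link_host) if link_host else ""
        reasons = []
        if parsed.scheme.lower() != "https":
            reasons.append("not https")
        if "@" in parsed.netloc:
            reasons.append("userinfo before @ hides the real host %s" % link_host)
        if link_dom not in trusted:
            reasons.append("link domain %s is not trusted" % link_dom)
        imitated = lookalike_of(link_dom, trusted)
        if imitated:
            reasons.append("lookalike of %s" % imitated)
        m = HOST_IN_TEXT_RE.search(text)
        if m:
            shown = registrable_domain(m.group(1))
            if shown != link_dom:
                reasons.append("text shows %s but link goes to %s" % (shown, link_dom))
        findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


def suspicious(findings):
    """Only the findings that carry at least one reason."""
    return [f for f in findings if f["reasons"]]


# Constructed sample e-mail: one honest link, one lookalike domain whose visible text
# is the real URL, and one URL that smuggles the attacker's host behind 'example-corp.com@'.
SAMPLE_EMAIL = """
<p>IT has reset the password policy. Please act today.</p>
<a href="https://login.example-corp.com/reset">Reset your password</a><br>
<a href="https://login.examp1e-corp.com/reset">https://login.example-corp.com/reset</a><br>
<a href="http://example-corp.com@evil-login.net/account">Verify your account</a>
"""

if __name__ == "__main__":
    for f in analyze_links(SAMPLE_EMAIL):
        flag = "SUSPICIOUS" if f["reasons"] else "ok"
        print("%-10s %s" % (flag, f["href"]))
        for r in f["reasons"]:
            print("           - " + r)
```

Run on the sample, the first link passes and the other two are flagged; the third is the case that fools people who “read the domain” in the status bar, because everything before the `@` is ignored by the browser. Treat the similarity threshold as a tuning knob, not a verdict: it catches single-character swaps but not every homograph, so a flagged link still deserves a human look, which is exactly the awareness training the article describes.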
Because of the sophistication of hackers and phishing scams, Jardim concedes that today’s environment is much more of a minefield for companies. “Before, you had a firewall, and everything was behind the firewall. Now you have data everywhere, and you have to find a good balance between user convenience and protecting that data.”
Compliance and Common Sense
DelVecchio noted that companies in regulated industries, like finance and healthcare, face a strict regulatory environment that guides their cybersecurity decisions and, in many cases, forces them to employ compliance and security personnel. But for other types of business, it’s a gray area.
“The industry is a big determining factor in how they define their security and remote-access plan,” he said. “But for any business, regardless of industry, there should be a plan. If you fail to plan, you plan to fail — it’s an old, silly line, but it’s true in this case.”
Even with the Sony hack, which didn’t necessarily threaten regulated data, “they got into sensitive e-mails,” Christianson said, “and now all these stars are getting this information about what people are saying behind their backs. It affects contract negotiations and all kinds of things.”
Jardim said the fundamentals are still strong passwords, strong firewalls, and lots of education. “The easiest way to get a lot of the risk out is to have good practices in place. When JPMorgan recently got hacked, basically, one of their servers didn’t have two-factor authentication. What’s scary is, JPMorgan spent $250 million on secure systems. But, because of one small mistake, they got violated. Best practices were overlooked.”
Christianson agreed, noting that the security of an entire system is only as good as the weakest point.
“Security companies have to be right 100% of the time,” Baker added. “A hacker only has to be right 1% of the time.”
And the threats come from everywhere, he noted. “Somebody from Canada can hack you as easily as a 15-year-old in the Philippines practicing his hacking skills, or the guy next door. There are no boundaries. And to think you can call some sort of law enforcement to assist in this is a bit naïve. If you’re a Home Depot where billions of dollars are involved, the federal government will get involved, but otherwise, it’s not significant enough in cost. They have much bigger fish to fry.”
For the hacked organization, however, it’s a very big deal. The Target attack cost the company $148 million and affiliated financial institutions $200 million. In Home Depot’s case, those figures were $62 million and $90 million, respectively. For small companies, the cost of cleaning up a breach can be even greater, even though the numbers are much smaller, because budgets are already stretched thin.
“The culture starts at the top, with management or the board of directors,” Baker said. “They play a key role in this. They need to realize this is an important aspect of their organization, that there are consequences if you don’t protect sensitive data.”
In other words, don’t make yourself a target.
Joseph Bednar can be reached at [email protected]
Serv-U Locksmiths Knows the Nuts and Deadbolts of This Business

The phone rings at all hours of the day and night, 365 days a year.
Many callers have an immediate crisis, which might range from a business owner who just terminated an employee and needs to have the locks on their building changed, to a supervisor who misplaced the master key to an apartment block that opens hundreds of units, and fears it could get into the wrong hands.
There are also new store managers who want to change the combination to a company safe, and others who discover their door won’t close properly due to damage or wear and tear, and thus cannot be locked.
“About 80% of our business is commercial, and our customers call us whenever they have a security issue and need help resolving it — we’re on the road every day,” said Steve Horowitz, owner of Serv-U Locksmiths in Springfield, adding that the company’s fleet of six mobile vehicles allows it to respond quickly.
But selling and servicing security products is not all Serv-U does. Educating clients is critical to its success because the security industry has changed significantly over the years and continues to evolve. So, in addition to selling locks, keys, and devices, and replacing, rekeying, or repairing them, the company’s employees spend time talking to clients to determine what products will best meet their needs.
Solutions can range from something as simple as a deadbolt doorknob with a key lock to a highly sophisticated security system, to a fire-resistant or burglar-proof safe.
Horowitz told BusinessWest that specific types of security devices, locks, or systems are used in certain industries.
“For example, retail storeowners often have shoplifters leave through their back doors with merchandise,” he explained. “They need a lock with an alarm built in that will go off if someone opens the door, but still allow them to maintain the door as a fire exit. We have products to solve every security issue and fit every situation.”
Hospitals also require special security in areas such as rooms or closets where medications are stored. “If a hospital gave an employee a generic key, it could be copied at any hardware store,” Horowitz said. “So, we have several high-security lock systems that are exclusive to our store.”
He added that, whenever a key to these systems is issued, the person who gets it must sign a registration form. The forms are kept in the store, and a key can be duplicated only by a Serv-U employee after the person requesting it shows their driver’s license and re-signs the registration form, to ensure the signatures match.
“It makes it impossible for them to go to any other locksmith to get another key. It’s a very high level of security used to prevent stealing or ensure safety,” Horowitz went on, noting that special keys are also used in areas that contain hazardous materials within a factory or hospital.
Seven of Serv-U’s 12 employees have worked for the company for more than 20 years and continually take classes to stay current with changes within the industry.
“There is a lot more to security than buying a lock or having a key made, and a lot of customers come to us after they purchase a product and find that it doesn’t resolve their problem,” he added.
The first Serv-U store was opened in 1954. “My father, Sam Horowitz, and two of my uncles, Ben Horowitz and Jordan Rosenkrantz, opened Serv-U Hardware in Springfield. The original store was part of the True Value Home Center chain, and in addition to other products, they duplicated house and car keys and sold locks to homeowners,” Horowitz said, as he recounted the history of the business.
In the ’70s, the trio recognized the growing demand for security and hired a locksmith, which allowed them to expand their line of products.
During the next decade, Horowitz, his brother Lenny, and four of their cousins took over from their fathers and expanded the operation. “We opened hardware home centers in Northampton, Westfield, and Enfield, which all included full-service lock shops,” Horowitz said. They also added a number of specialty sections, including a home-decorating department that carried everything from paint and wallpaper to unfinished furniture; an automotive supply department; and a Baby Castle that sold infant furniture and accessories.
However, by 2001, big-box stores made it difficult to compete, and the family closed everything except the Springfield store. “My brother Lenny and I owned it, and we kept the lock shop and the decorating center open,” Horowitz said.
Things changed again three months ago, when Lenny moved to Florida and Horowitz became the sole owner. He closed the home-decorating department in October and made the decision to dedicate the business entirely to locksmithing.
Today, Serv-U Locksmiths has a fleet of six fully equipped service vehicles and a long list of commercial customers who have been with the business for decades. “They include banks, hospitals, colleges, manufacturing facilities, property-management companies, federal and state agencies, and housing authorities,” Horowitz said, adding that the company also provides products and services to homeowners.
Its mobile team serves clients within a 30-mile radius of the store, which extends into the Berkshires, Northern Conn., and even south of Hartford. “People call us with a variety of problems, and if someone needs us, we are there, which is how we have built our business and our reputation.”
One thing that sets Serv-U apart from other area locksmiths is its large showroom. “It makes us unique and gives customers the opportunity to talk to a locksmith, see how different products work, and get advice,” said Horowitz. “It also allows them to bring their locks here to be repaired, which can save them money.”
The number of security systems Serv-U carries is extensive, he added. “Originally, locks were only used with keys. Today, keys are still very prevalent, but there are also locks that use combinations or key fobs.”
He explained that the key-fob system is used frequently by businesses due to its sophistication.
“A fob can be programmed to only allow a person to enter a building or area at a certain time or certain day of the week,” Horowitz said. “The idea is to give a company more control over which employees have access to certain parts of their building. For example, someone with a fob who works third shift may not be able to enter the building at other times of the day. Plus, the person managing the fobs can delete them at any time and can also print out an audit trail, which shows not only who entered the building, but what door they used and the time they entered.”
He added that, when a company purchases this type of system, a Serv-U employee goes to their office and trains designated staff members in how to use the software.
“The fobs can be reprogrammed from a computer, which gives a manager control over security even when he or she is not there,” Horowitz went on, adding that many hospitals, banks, and colleges use this type of system.
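The rules Horowitz describes, a fob valid only at certain doors on certain days and hours, deletable at any time, with an audit trail of who opened which door when, are a small access-control policy engine. The Python class below is an added illustration of that logic and is not Serv-U’s or any vendor’s software; the fob IDs, door names and dates are made up. The one detail worth getting right is the third-shift case from the quote: a 22:00 to 06:00 window crosses midnight, so a swipe at 03:00 on Wednesday must be judged against Tuesday’s schedule, and a swipe at 03:00 on Sunday against Saturday’s.

```python
from datetime import datetime, time, timedelta

WEEKDAYS = frozenset(range(0, 5))   # Monday=0 .. Friday=4


class AccessController:
    """Hypothetical fob/door policy engine: time-windowed grants per door,
    revocation, and an append-only audit trail of every decision."""

    def __init__(self):
        self.grants = {}     # fob_id -> [(door, days, start, end), ...]
        self.revoked = set()
        self.audit = []      # (when, fob_id, door, allowed, reason)

    def grant(self, fob_id, door, days, start, end):
        """Allow fob_id through `door` on the given weekdays between start and end.
        If end <= start the window wraps past midnight (a night shift)."""
        self.grants.setdefault(fob_id, []).append((door, frozenset(days), start, end))

    def revoke(self, fob_id):
        """'Delete' a fob: it is refused everywhere from now on, but its history stays."""
        self.revoked.add(fob_id)

    @staticmethod
    def _window_open(days, start, end, when):
        t = when.time()
        if start < end:                       # ordinary same-day window
            return when.weekday() in days and start <= t < end
        if t >= start:                        # evening half of a wrapping window
            return when.weekday() in days
        if t < end:                           # morning half belongs to the previous day's shift
            return (when - timedelta(days=1)).weekday() in days
        return False

    def check(self, fob_id, door, when):
        """Decide and record one swipe. Returns True if the door should unlock."""
        if fob_id in self.revoked:
            allowed, reason = False, "fob revoked"
        elif fob_id not in self.grants:
            allowed, reason = False, "unknown fob"
        else:
            for_door = [g for g in self.grants[fob_id] if g[0] == door]
            if not for_door:
                allowed, reason = False, "no grant for this door"
            elif any(self._window_open(d, s, e, when) for _, d, s, e in for_door):
                allowed, reason = True, "within schedule"
            else:
                allowed, reason = False, "outside schedule"
        self.audit.append((when, fob_id, door, allowed, reason))
        return allowed

    def audit_trail(self, fob_id=None):
        """The printable log Horowitz describes: who, which door, when, and the outcome."""
        rows = [r for r in self.audit if fob_id is None or r[1] == fob_id]
        return ["%s %s %s %s (%s)" % (w.strftime("%a %Y-%m-%d %H:%M"), f, d,
                                     "ALLOW" if ok else "DENY", why)
                for w, f, d, ok, why in rows]


def demo():
    """Constructed scenario: a third-shift worker's fob on the loading-dock door."""
    ac = AccessController()
    ac.grant("F-1001", "loading-dock", WEEKDAYS, time(22, 0), time(6, 0))
    results = [
        ac.check("F-1001", "loading-dock", datetime(2015, 1, 13, 23, 30)),  # Tue night: allow
        ac.check("F-1001", "loading-dock", datetime(2015, 1, 14, 3, 0)),    # Wed 03:00, Tue's shift: allow
        ac.check("F-1001", "loading-dock", datetime(2015, 1, 17, 3, 0)),    # Sat 03:00, Fri's shift: allow
        ac.check("F-1001", "loading-dock", datetime(2015, 1, 18, 3, 0)),    # Sun 03:00, Sat's shift: deny
        ac.check("F-1001", "loading-dock", datetime(2015, 1, 13, 14, 0)),   # Tue afternoon: deny
        ac.check("F-1001", "server-room", datetime(2015, 1, 13, 23, 30)),   # wrong door: deny
    ]
    ac.revoke("F-1001")
    results.append(ac.check("F-1001", "loading-dock", datetime(2015, 1, 13, 23, 45)))  # deny
    return ac, results


if __name__ == "__main__":
    controller, _ = demo()
    print("\n".join(controller.audit_trail()))
```

Two design points carry over to any access system, physical or logical: revocation is a separate list checked before anything else, so deleting a fob never depends on finding and editing every grant it had, and denied attempts are logged with the same detail as successes, because a string of “outside schedule” denials at 03:00 is the event a manager most wants to see in the printout.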
Safes are another important security product, and Serv-U sells, services, delivers, and installs models that range from $100 to $3,500. Some are made to secure guns, while others are fire-resistant, burglar-resistant, or both.
But they are not all created equal, and Horowitz said people frequently purchase models that are inadequate for their needs.
“People think ‘safe’ means secure. But it depends on the type of security they are seeking,” he told BusinessWest, noting that, although most safes have undergone testing by Underwriters Laboratories (UL), the length of time they can withstand fire, water, or other elements can differ greatly.
In fact, the materials used to make the safe, as well as the way it is constructed, play an enormous role in whether or not it is likely to protect against theft.
“Although they have locks, fire safes are not constructed to keep burglars out, and safes that protect against burglary have a hole drilled into the floor of the unit that allows the safe to be bolted to the floor of the building, so once the door is closed, it can’t be removed; the materials need to be strong enough to resist drills and other power tools,” Horowitz said. “We see a lot of commercial customers using safes that are not appropriate for their needs. It all goes back to education. There are answers to things people don’t know to ask about and solutions to every security problem.”
In addition, Serv-U also installs and repairs commercial doors. “We carry far more than locks. We also sell door closers, hinges, doors, door viewers, and weather stripping,” Horowitz said, adding that these products are also necessary to ensure security.
The business also serves the public, and the demand for car keys with embedded computer chips is on the rise. “In most cases, we can cut them for less than the car dealers,” Horowitz said. “But since these keys contain anti-theft devices, they typically cost between $25 and $200. And although some people say they don’t want to spend that much, we inform them that, if they lose all of their car keys, we can make new ones, but it will be much more expensive if we have to generate a key from nothing.”
Keys to the Future
Times have changed since Serv-U Hardware first opened its doors. “But our locksmith business has survived for 60 years and will continue to do so; it’s satisfying because we solve problems every day,” Horowitz said, adding that his employees take a proactive stance in continuing their own education as well as educating the public about changes in the industry.
“Our business keeps growing,” he added, “and although I am not sure where the locksmith trade will be in the next 15 years, I can assure you that Serv-U Locksmiths will be there too.”