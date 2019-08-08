Long gone are the days when business security could be handled by locking the doors.
Especially in the cyber realm, local officials say business owners need to be aware of all of the potential risks and how to prevent — and mitigate — the damages that can be incurred to themselves and clients.
Safety of employees is another concern at the forefront for employers, especially the potential for an active shooter or other workplace violence. The Dubuque Police Department is willing to work with local businesses to offer security improvement ideas and train staff on how to evacuate.
“Every building has its own unique concerns,” said Lt. Joe Messerich.
Messerich and other local experts offered their suggestions on stepping up security on a variety of fronts.
Tech
Investing in the right IT infrastructure is an important safeguard against cyber threats, according to Dekker Pfab, owner of DBQ Tech Experts.
Pfab offers a range of IT support services to local businesses, as well as installing video surveillance systems.
One of the most important security steps is to install a hardware firewall, a standalone device that protects a business’ network from unwanted outside access.
Especially with an upward trend of employees working from home, having that barrier becomes an important deterrent against bad actors.
Aside from the tech infrastructure, Pfab said cyber security also is the responsibility of employees.
They should be mindful of opening suspicious emails, clicking links or downloading attachments that might lead to viruses and malware affecting the network.
One particularly devastating consequence is ransomware, which encrypts data and holds it hostage until victims pay to unlock it.
Pfab said he’s seen ransomware affect two business clients in recent years. One had to pay a $600 ransom, but he said the other had its data properly backed up on an unaffected device, so they did not have to pay anything.
“If you do not have adequate back-ups for your business, you’re exposing yourself to risk,” he said.
Those back-up protocols require ongoing attention, he added, so that the most up-to-date data is being properly stored.
Insurance
Pfab said while preventative measures are important to reduce risks, they are not always foolproof.
“If someone wants to get in, they will get in,” he said.
That’s why businesses should also consider adding liability insurance specific to cyber attacks that can help cover related losses to their business and clients.
Dan Wellik, vice president and shareholder at Friedman Group, said cyber liability insurance has become increasingly common among clients of the Dubuque-based insurance and financial services agency.
“Right about now, at least a third or so of our customers have cyber liability on their businesses,” Wellik said. “We’ve quoted it to well over half (of our customers).”
According to Wellik, costs for such coverage have been coming down in recent years, as more insurers are competing to offer it. Companies need to weigh the cost of that coverage with their risks and potential losses.
He said the policies can vary greatly depending on what a client decides it needs. Cyber liability insurance can include coverage for losses related to viruses, hacking and network failures, as well as the compromise of personal information of clients and employees. Coverable losses can include costs for legal fees, crisis management and credit checks for employees and clients.
Wellik said clients often ask how much coverage is enough, and “that’s never an easy question to answer.” He said agents can work with clients to evaluate what risks are out there and the potential costs associated with those risks in order to make the most informed choice possible.
Financial
While some might feel more comfortable with the old-fashioned method of cutting a check for payments, it’s not the safest method.
Benjamin Gander, senior vice president and treasury management sales leader at Dubuque Bank & Trust, said the bank encourages clients to look at electronic payment strategies that require more oversight.
“You need to look holistically at how you’re making payments and if there are more cost-effective, safe ways to do it,” he said.
Gander said DB&T offers a variety of electronic payment methods and internal controls to prevent fraud. One example is a policy of dual controls, where two different people at a business are required to sign off on ACH payments or wire transfers.
Fraud risks with checks include someone altering the payee or amount on a legitimate check, or someone stealing blank checks to forge. Should clients want to use checks, Gander said most banks offer positive pay protections. That involves banks having a register of the checks being issued by a client so that they can be double-checked for the correct amounts and payee when they are cashed. The same protections apply to ACH payments.
Gander said a rising trend is impostor fraud, where someone reaches out through email, posing as a high-ranking company official or as a client, saying that a payment needs to be made.
“You can’t take that at face value,” he said of such emails. “Ask questions. Call the person and make sure. If something smells fishy, it probably is.”
Workplace
Security planning also should encompass safety for employees.
Messerich said any local business, school or religious institution can call Dubuque police to set up a walk-through of their facility to suggest security upgrades, as well as schedule training with staff on how to respond to a crisis situation. In 2018, officers provided more than 30 entities with such services.
How secure a building should be depends on the type of business, especially if there needs to be public access for customers.
“We need to strike a balance, looking at the goals the organization has to maintain its livelihood and keep everybody safe inside,” he said.
Another component of their consulting, Messerich said, is asking companies to provide emergency response agencies with information such as floor plans, pictures of the inside of the building and contact information for key leadership in order to improve their response to incidents.
Messerich said surveillance camera systems can be extremely helpful to law enforcement if a crime occurs at a business. While the clarity of the image is very important, he said an oft-overlooked need is ease of access to quickly provide that footage to law enforcement to keep their investigation moving.
“It seems we run into that issue more than shoddy footage,” he said. “If it’s a matter of (someone in IT) being the only one who’s able to pull that footage, and that person’s out on vacation, then it’s an issue for us.”