How to Protect Hawaiʻi’s Companies from Cyberattacks

September 21, 2019

Hawaii Business Staff,

Thursday, January 1, 1970, 8:30 am – 10:30 am

The phishing emails that clutter our inboxes are becoming more refined and harder to detect and are being joined by hacks on our social media, phones and other devices, said a panel of cybersecurity experts.

“The theme is sophistication,” said Gary Barnabo, senior associate of the international cyber strategy team at Booz Allen Hamilton. “A lot of what you read about in the media is the volume of cyberattacks, but we worry about the networks of criminals that are pulling together very elaborate multi-layered attacks,” using artificial intelligence to learn which attacks are most successful and apply them to similar businesses.

The experts spoke at a Hawaii Business Magazine event on Thursday called “Preventing: “You’ve Been Hacked!” The breakfast event was held at the Salvation Army Kroc Center in Ewa Beach.

Attendees catch up during breakfast at the Kroc Center. Photo by Aaron Yoshino

Attendees catch up during breakfast at the Kroc Center. | Photo: Aaron Yoshino

Other panelists were Loren Aquino, President and COO of HI Tech Hui; Derek Gabriel, cofounder & CEO of Ignite Solutions Group; Vincent Hoang, the State of Hawaii’s chief information security officer and Michael Miranda, associate professor of information security at UH West O‘ahu.

The good news is that are steps businesses and companies can take to greatly reduce their risk. Among the suggestions from the panelists:

Keep your business and personal equipment separate, such as a having two routers at home: one for the family and the other strictly for business. That way if one of your children’s social media or other accounts are hacked, your business records and clients’ data is safe.
Hoang advised the audience to focus on the three Ps: passwords, phishing and patching.
- - Create long and unique passwords for every account and use multifactor authentication whenever possible.
  - Multi-factor authentication often requires you to use a code sent to your smartphone when you try to log into a website. A recent Google report said 99% of the attacks launched against its G Suite customers were blocked with multi-factor authentication, Hoang says.
  - Patching means promptly doing all the upgrades to your software. And, he said, the best tool to fight against phishing is your engaged and cautious mind.
Spend a little extra money on an Office 365 or G Suite subscription, which are not expensive yet provide more cyber protection than free or almost free services. Miranda said such paid email services with anti-malware settings can cost as little as $5 a month; free accounts don’t offer the same protections.

The bottom line, Aquino said, is that “anyone can get hacked.” Small businesses are just as vulnerable as larger organizations, and it only takes one convincing email or call to compromise an entire system.

Unfortunately, Aquino said, it is not a matter of if but when you will experience an attempted data breach. Everyone on your team should be prepared. Gabriel said one of the biggest impediments to cybersecurity is human error, so companies should have policies to prevent these issues and handle them if they happen.

Derek Gabriel talking about phishing during the panel discussion. Photo by Aaron Yoshino

Derek Gabriel talking about phishing during the panel discussion. | Photo: Aaron Yoshino

If your system is hacked, getting out in front of the problem is crucial. The panel agreed that a company should admit the problem, do its best to alert clients whose data may have been compromised and actively work to resolve the problems. And be aware of your legal responsibilities: state law requires business of any size to report data breaches to law enforcement or face fines.

Most of all, seek expert IT and cybersecurity advice. After all, “You wouldn’t try to do your own books without a CPA,” Aquino said.

Targeted Attacks

Gabriel listed two of the ways that phishing has become more sophisticated:

Spear Phishing: The criminal hackers will gather data about you, your associates and your business from public sources like the company’s website or LinkedIn. They use this information to craft messages that look like they are coming from a trusted source and contain malicious links or requests.
Whaling: Attacks directed at C-suite executives. Because these scams are intended for senior members of an organization, they have the potential to be even more destructive than normal spear phishing. The panelists said some of these emails are so sophisticated that the fake logos and signatures are virtually indistinguishable from the real thing.