Cybersecurity has increasingly become one of the major concerns for corporations and small businesses alike, with any number of well-publicized data breaches at the likes of Equifax, Target and Facebook costing companies potentially millions of dollars, not to mention shaking consumer confidence in who’s handling their personal information.
In May, Gov. Dannel Malloy introduced a new cybersecurity plan that seeks to increase security in state agencies and the General Assembly, establish municipal cyber defenses and implement other measures to prevent unauthorized access to government and personal information.
Recently, the U.S. State Department issued a report in response to an executive order by President Donald Trump calling for recommendations “on the nation’s strategic options for deterring adversaries and better protecting the American people from cyberthreats.”
Nevertheless, “In our experience, many businesses are woefully unprepared for attacks,” according to Larry Szebeni, a founding partner and chief operating officer at Apex Technology Services in Norwalk. Instead, he said, “They are hoping for the best.”
A huge problem most companies miss are simple system patches, Szebeni said. “Virtually all software has security holes found over time. Once exposed, the software vendor will patch the affected systems. Hackers keep track of these holes and look for systems that haven’t been patched. Once identified, they are very easy to break into.”
The hack at Equifax, which last September said that cybercriminals had accessed some 145.5 million of its American consumers’ personal data, could reportedly cost it well over $600 million after, including costs to resolve government investigations into the incident and civil lawsuits against the firm. The breach “resulted from one system which didn’t get patched,” Szebeni said.
Generally, he explained, companies looking to improve their cybersecurity need to: audit and document their systems via an outside organization; have a penetration test regularly performed and utilize anomaly detection; and have a backup appliance with duplicate copies on-premise and in the cloud. Cybersecurity training is also a crucial area to focus on, Szebeni said.
“Sadly, we get a lot of calls from new customers after they have been compromised,” he said. “We have seen ransomware attacks shut down entire companies. Another organization had their main customer database erased twice and the backup systems were only partially functioning, meaning a lot of lost work and money. Just the productivity loss from a week of nonfunctional computers can be a tremendous loss for a small business.”
Knowing that a single attack can shut a company down for days or weeks means that every company should consider a second opinion from a reputable firm, Szebeni said.
“Human error is a huge reason breaches happen,” he said. “With a second set of eyes, you are likely to spot more problems. The goal needs to be to find and fix these problems before the hackers become aware of them and exploit them.”
Sometimes an in-house IT team lacks the necessary experience to start or complete a project, Szebeni said. An outside vendor can offer the skill set of an entire team “for potentially less cost than a single worker,” he said. “Because they see so much, outside firms are in a superior position to advise many companies about what they should be doing with their systems.”
As for the State Department report — which said the key elements of cyber deterrence should include creating “swift, costly and transparent consequences” that the U.S. can impose in response to attacks below the threshold of the use of force, as well as building partnerships with other states for intelligence-sharing — Szebeni said: “While government has an important role in deterring cyberattacks, the reality is these attacks are often difficult if not impossible to trace — meaning no matter what the government does, business is still the frontline of attack in this new cyberwar.
“Moreover,” he added, “even if the government is successful in deterring state-sponsored hacks from Russia, China, Iran and North Korea, there are numerous other bad actors we need protection from such as organized crime, individual hackers, groups of hackers and terrorist organizations like ISIS.”
Apex was founded in 2012 to address local businesses’ need for help with their IT systems and cybersecurity needs. Its leadership — which also includes CEO Rich Tehrani and managing partners Michael Genaro and David Rodriguez — has years of experience in providing IT services to hedge funds and Fortune 1000 organizations.
The company’s operations are centrally managed at its 535 Connecticut Ave. office in Norwalk, while an office at the Empire State Building is used primarily for prep work.
Declining to provide specific figures, Szebeni said revenue has grown every year since it began. “We do expect to keep growing and adding more valued team members,” he said. “We have identified other cities to expand into but for now are focused on growing in the New York area.”