It was in 1943 that psychologist Abraham Maslow first put forth his hierarchy-of-needs pyramid detailing the requirements individuals must satisfy, starting with the most basic tools for survival, all the way up to self-actualization. Maslow argues that as each of these needs is satisfied, the subsequent, higher level in the emotional hierarchy dominates our conscious functioning. In other words, we need to check off each item along the way—having love leads to esteem, which creates the path toward self-actualization—before we can reach our full potential.
Just above the basic needs (food, water) at the base of Maslow’s pyramid are safety and security. While Maslow was considering people, it might well be said that it has an application for business. Beyond having the mere tools that enable a business to function—customers, a product or service, employees, a physical (or virtual) work environment—an entity must have safety and security in order to function on a daily basis and continue its path toward actualization. (I’ll leave the balance of Maslow’s business pyramid to individuals far more intelligent than yours truly.)
Dealers can play a key IT-security role to ensure their clients are operating at an optimal level and utilizing the most modern tools for defending against would-be cyber criminals. Peter Kujawa—president of Locknet, the managed IT division of EO Johnson in Wausau, WI—offers a metaphor for optimal defense that significantly predates Abe Maslow.
Going Medieval
Imagine a medieval fort, encircled by a moat, built with reinforced walls and a fortified drawbridge. Atop the perimeter, there are archers at the ready and people dumping hot tar on attackers. No single safeguard among these measures can guarantee safety for the fort—and a determined attacker may ultimately be successful, regardless. But with all of the measures functioning properly in conjunction, the fort presents the maximum deterrent.
“Our job is to make sure we know the latest-and-greatest security tools, so that we’re building the best wall for clients, providing them the best archers, digging the deepest moats,” Kujawa said. “That’s a constant learning challenge, and that’s the value of having a dedicated security team entirely focused on security issues. They tend to stay abreast of the latest threats and latest ways to keep clients safe.”
Locknet is a full managed security service provider (MSSP) that addresses security needs of more than 600 clients in 18 states, primarily within Minnesota, Wisconsin and Iowa. Roughly half of the client base consists of community banks and credit unions. Regulated businesses, such as health care, not-for-profits, large automotive dealerships and law offices, account for the second-biggest percentage of the client pie.
Part of what EO Johnson offers through Locknet is an annual SOC 2 Type 2 audit, in which an outside accounting firm audits Locknet’s business practices to ensure it is compliant for customers. “There are a lot of IT companies out there that call themselves managed security providers, but if they’re not audited by an outside firm and certified in what they’re doing, how does a customer know what they’re really getting? And how secure is the provider’s data? We need to be able to demonstrate our house is in order when it comes to security, then we need to provide documentation to prospective clients in terms of what we’re going to do for them.”
Locknet has seven dedicated, full-time security engineers to handle security issues. Its MSSP offering includes managed perimeter security through the Fortinet infrastructure, with Locknet deploying, configuring, managing and monitoring all of the firewalls for its clients. In the event a client firewall goes offline or has a significant event, Locknet is alerted and can mobilize to take action. In addition to providing full managed wireless capabilities, the company offers vulnerability-management services for clients to assist them in monitoring and remediating any vulnerabilities on their network.
Repeat Offenders
One of the reasons why malicious actors are successful in breaching victims is the unfortunate truth that, at virtually every customer office, there is someone (and sometimes more than one) who will click on everything sent to them. It can be an email attachment for a free coffee at Starbucks or an unexpected invoice—anything that might entice the recipient to click. Which is why education is perhaps the biggest tool in the dealer’s arsenal.
At Atlantic, Tomorrow’s Office of New York City, the dealer has crafted a three-pillar offering that is the foundation of its managed security suite, according to Bill McLaughlin, chief technology officer. The first component is user-based training, utilizing the KnowBe4 suite. This allows the dealer to phish the client’s user base like a phantom attacker, see which employees take the bait, then work with the offending parties. Employees are provided with an educational video, which they must test out of to pass. The dealer also conducts “phishing expeditions” on an ongoing basis. When a user clicks on the faux attack, a video pops up that tells the user what they did wrong, and what they should look for in suspicious email correspondence.
“One of the reasons user training is a key pillar is because 91 percent of the infections most organizations get are through the users,” McLaughlin said. “So by educating the user, it helps to mitigate your risks from them doing something that will cause some sort of infection. I like to call it creating human firewalls.”
Another aspect of the first pillar is multi-factor authentication (MFA). Consumers sometimes experience this in online banking, where the person logs in, then is sent a four- or five-digit PIN code before being able to access the account. Atlantic, Tomorrow’s Office recommends end users employ it on their infrastructure. “Clearly, the firewall is extremely important, so we must ensure we’re putting in managed firewalls with a Trojan detection system,” McLaughlin noted. “The operating system is a little more advanced. It has the ability to see and understand more of the threats that are out there today, as opposed to some of the legacy switches.”
Restricting access to websites that are fertile ground for infections/hackers is another safeguard for the network. The primary landmine sites include those related to alcohol, tobacco and firearms (ATF); real estate; shopping domains and, quite predictably, pornography haunts. Also, the dealer recommends users only access their personal website accounts through their personal mobile devices that are on an independent network (Verizon, AT&T).
The second pillar is security information management (SIM), or security information and event management (SIEM). McLaughlin equates it to adding the ADT security system onto one’s network. While it won’t prevent hackers from trying to break into the network, it will notify the user if there has been a breach, along with where it occurred. Less time is spent on root cause analysis, providing more time for issue resolution.
Citing research figures, McLaughlin notes that for an unprotected network, the average number of days that pass before a breach is detected by a company is 191—six full months that allow ransomware or a virus to wreak havoc before the actual attack becomes apparent. And for these unprotected environments, the average time to purge, clean and restore the environment to its previous standing is 66 days. That can be a death sentence for an ill-prepared SMB. It is not surprising that ransomware was a $5 billion business in 2017.
The third pillar is a sound backup and disaster recovery (BDR) solution. Atlantic, Tomorrow’s Office relies on Datto. The Datto box on the user’s operating system has intrusion detection, which allows the dealer to see where the infection is in order to remove it and restore the environment. It’s critical to ensure that the virus is not being reintroduced to the user’s environment during the restoration process, and that the client can be back at normal status without having to pay a ransom to get their data unlocked.
Summit Success
One of the dealer network’s biggest proponents of IT security awareness is Impact Networking of Lake Forest, IL. Last summer, Impact held its inaugural Impact Optimize summit, an annual business conference that focused on IT and business security in 2018. Held at Impact Field, the event included speakers from IronNet Cybersecurity, Datto, DocuWare and other experts in the security discipline.
“Attendance was great, and the event was well-received,” noted Jeff Leder, director of managed IT security services for Impact. “(Optimize) gave us the opportunity to have conversations with people about where they’re at with security posture, their concerns and to think about the risks their organizations face.”
Impact reviews client-security posture across seven high-level categories, as well as 18 subcategories. At the upper level, these categories fall under assessment (aspects of the environment, vendors, third parties, tools already in place), perimeter defense (endpoint protection, exchange of data and data loss protection), authentication, monitoring and services (compliance requirements).
Monitoring is one of the more critical elements, according to Leder, as prospective client organizations have far too many blind spots. “Many companies are doing the basics and they have that baseline security implementation through their standard IT support and practices,” he said. “We’re attaching additional insight into the environment in terms of how users are interacting with their systems, how it’s stored, and how packets are flowing. Being able to reference that information and make the correct decisions about security incidents or potential faults is definitely important.”
Each of the categories has corresponding preferred solutions, some of which address needs across multiple categories. Among the tools Impact relies on are Cisco Umbrella for DNS protection, Cisco Meraki MX UTM devices with advanced security licensing for perimeter defense, Cylance for NGAV (next-generation antivirus), and Arctic Wolf for NDR/SIEM/VM.
Perhaps the space that is most vulnerable is the SMB set, where companies operate under the impression that they are too small of a catch for cybercriminals to focus on, which is a broad misconception. Or they feel outmanned in their quest to have enterprise-level security. “A lot of organizations, especially in SMB space, know they can do more and they’d like to do more, but they find that perhaps they don’t have the time or the resources in order to actually do anything about it,” Leder notes.
Enterprise-Level Protection
AIS of Las Vegas takes a comprehensive approach to security that starts “behind the scenes” on the network by managing workstations, firewalls, access points, devices, applications and servers, according to Monique Phalen, director of technology. Perhaps the key value proposition to AIS’ offering is working with partners that bring enterprise-level protection to the SMB level of client. The dealer offers Bitdefender antivirus (which does 11 billion security clearings per day), Fortinet for unified threat management (which protects against external threats and internal network utilization), SolarWinds for remote management and end-point protection, and Datto on the BDR end.
“They all have the bragging rights when it comes to security, and they feel that they set the standard in threat protection,” Phalen remarked. “All these partners have made a concerted effort to offer enterprise-level protection, which usually comes at a premium from an investment standpoint. The leaders of the pack in the security sector that offer enterprise-level protection have all taken a step toward the SMB consumer, who now can get that level of protection when looking at managed IT service.”
The biggest evolution in recent years for AIS is the focus on end-user training and awareness. Two of the three biggest threats emanate internally, through employee click/open errors or malice. With the continued onslaught of ransomware and cryptolocker threats, conditioning employees on the proper way to conduct business communications has been the key to mitigating risks. Beyond education, AIS offers virtual CIO services to its clients, and on a quarterly basis, they will review any incidents along with security logs that can educate the business owner on the origination of threats—internally/externally or both. AIS also employs simulated phishing attacks leveraging their Webroot relationship to ferret out click-happy workers. In addition, AIS provides employee security certifications for a variety of industries, so the clients can feel like there is some light at the end of the threat-protection tunnel.
Access Systems of Waukee, IA, employs a risk-based approach, using both software and IT-dependent manual processes to help protect the integrity, confidentiality and availability of client systems, notes Derick Tallman, IT security and operations manager. This approach puts in place security products such as antivirus and anti-malware, spam filtering, Active Directory privileged access monitoring and strong patch management, including third-party patch management, multi-factor authentication and vulnerability scans. It pairs the security products with reviews to focus on the security of systems.
“These reviews look at access to systems in place, password controls, remote access and other critical functions that the business has,” Tallman said. “Having this tiered, multi-layer, risk-based approach provides strong monitoring and detection controls for our client’s security.”
One of the biggest changes for Access Systems was moving from traditional antivirus and operating system patching to full system scans, as well as providing end-user education, third-party patch management and security-controls reviews. “We are checking for persistent threats, which may exist on a network and get past antivirus,” he added. “We’re assisting customers with logical access reviews, reviewing user accounts on the system and ensuring they are appropriate, as well as password, lockout, logging and monitoring settings. We also focus on educating our customers on current cybersecurity risks and what they need to do to stay protected.”
Last Line of Defense
Jim George, president of Cincinnati-based Donnellon McCarthy Enterprises (DME), believes it is important to not lose sight of managed IT support. He feels implementing a disaster-recovery strategy helps provide that last line of defense against ransomware and other attacks.
“Every business needs an effective way to back up their data offsite,” he said. “Even apps like Office 365 need a separate backup. Cisco’s services offering is great at protecting clients. StealthWatch and FirePower are two Cisco services that have a great reputation for behavior monitoring and detecting suspicious activity.”
In recent years, DME has stepped up its focus on preventive measures, and the dealer meticulously analyzes security services and software that benefit current and prospective clients. “We know which services are resource hogs and which allow clients to still work effectively,” George remarked. “Not every service is fit for every client. We help businesses that don’t have the budgets of the Fortune 500 companies with proactive services that scale for the small-business market.”
KDI Office Technology of Aston, PA, offers a product line of defense that includes advanced firewalls, antivirus and backup systems, with services including proactive patching, firmware updates, enterprise-level email filtering and system monitoring. According to Greg Bryan, chief technology officer at KDI, the dealer recommends all aspects of security, from gateway to end point and the cloud. KDI ensures customers have a firm grasp on BDR and continuity for all of their systems.
“In addition to looking at all aspects of customers’ hardware and potential vulnerabilities, our offering has focused more on internal end users and providing additional training on how to combat email phishing and spoofing,” Bryan added.