Forum raises cybersecurity awareness

By Audrey Posten, Times-Register

Grant Langhus, information technology manager at Luana Savings Bank, is spearheading an effort to create a local cybersecurity group to raise awareness of the issue and form a support network for organizations experiencing a cyber incident. 

“It’s a hot topic, but a lot of people don’t understand what it is,” said Langhus, who organized a cybersecurity forum at the bank's community room earlier this month. “People are scared of cyber threats, and they install antivirus on their computers and they think that’s it. But it’s a little more complex than that.”

Having a local network might not necessarily be able to provide local businesses or individuals with in depth tech support, Langhus said, “but we certainly have a lot of resources available and, collectively, we can get a lot of people over the hurdle. Otherwise, you might be wondering what do I do, where do I go, and throw up your hands and quit. We don’t want that.”

Prior to the forum, participants answered three survey questions related to their businesses’ computer use. Despite a smaller sample size, Langhus said it’s not surprising that most businesses say they can’t function if their computers are down. Of those who regularly use computers, all are connected to the internet.

That’s concerning considering the level of attention cybersecurity receives at some organizations. While several respondents noted it has a lot of focus, others answered “none.”  

“If all the computers are connected to the internet and no one’s trained on how to use it safely, that can be an issue. That’s why we’re here,” Langhus said.

He cited a statistic that showed 85 percent of today’s breaches involve a human element rather than a piece of hardware. Ten years ago, it was the opposite.

“That illustrates we’ve done a pretty good job of protecting our networks,” Langhus said. “Now, the bad guys have determined that, since they’re protected, the human element is what they’re going to attack.”

According to Langhus, Luana Savings Bank looks at kill chains, analyzing the steps—and order of steps—that need to be executed before a cyber attack is successful. 

Chains often start with phishing emails, fraudulent communications that appear to come from a reputable source and are intended to steal sensitive data. The second step is when someone clicks on the email, and the third is the introduction of malware into network without antivirus detection. 

“Ransomware is eventually installed and finally they make the kill. They send the ransom and your machines are all locked out,” said Langhus. 

The goal is to utilize knowledge and technologies to prevent, or deal with, cybersecurity threats in a manageable and cost effective manner. Langhus suggested focusing on “low hanging fruit.”

One of the biggest tips: don’t connect computers directly to the internet. 

“That makes it that much easier to attack,” Langhus said. “The more devices, more routers, more firewalls, more wi-fi, the more any of these things you have between your computer and the outside world, the harder it is for some of those vulnerabilities to be discovered. It doesn’t necessarily protect against the human element, but definitely from people hitting you directly.”

Many computers don’t need to be connected to the internet at all, and Langhus warned against web browsing on production machines, like servers. Keep networks isolated and remove apps and software that haven’t been used in awhile. Invest in intrusion protection and vulnerability scanning. Automatically update and back up devices and don’t disable antivirus, even if you find it disruptive.

When on the internet, resist clicking on every link.

For example, said Langhus, “You start at a website that’s trusted and click an affiliate link to a third party website that might be trusted, and they have a cool affiliate link to another site that’s less trusted. Pretty soon, you’re at a really un-trusted level.”

“A lot of our issues can be prevented if we just don’t click an email or website we shouldn’t be on, especially at work,” he added.

Using different usernames and passwords for different sites. 

“If you use the same password with all your online banking accounts, with Facebook, with Google, and one of those passwords is exposed, I can guarantee you they’re going to try to use that username and password combination,” Langhus said.

Using a pass phrase, or string of words, instead of a password is becoming more popular, he noted. There are ways to organize passwords and automatically fill them in, for those worried about remembering everything.

“Think about all the layers of security you can have easily, affordably and simply,” Langhus stated. “We don’t want to have ridiculously complex layers. You want them to be manageable.”

Langhus said it’s best to maintain the attitude that you have been, or will be, hacked every day and assure you have controls in place to deal with it. Have a mitigation plan in place for when you do get breached. 

“You’ll want to have your insurance company information on hand. In fact, does you insurance company even cover cyber incidents? Do you have IT support? If you don’t have it at your institution, who do you call when that happens? Depending on your business, you may have regulators you need to report to. Regardless of your business, all of us are required to notify the state attorney general if you have a breach, if it affects a certain number of customers and there could be financial damage. Every business has that obligation,” he explained.

“It’s what are we doing to make sure we’re not hacked currently and what do we do if we are hacked. You just want to have one page of paper somewhere that has a basic plan for incident response,” he concluded.

If you’re interested in further cybersecurity networking opportunities, contact Langhus at glanghus@luanasavingsbank.com.