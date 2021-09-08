Limit Administrator Access — If you or anyone else in your company is using an administrator-level account for daily use, you’ve just upped the danger level. If you get infected while logged in with admin-level access, the infection will easily spread to every corner of every machine of your network. We recommend administrators have one account for daily use and a separate admin-level account for those times you need to perform admin functions.

As a part of our series about “5 Things You Need To Know To Optimize Your Company’s Approach to Data Privacy and Cybersecurity”, I had the pleasure of interviewing Sam Gridley of Intech Hawaii.

Sam majored in Management Information Systems and minored in Computer Science at Eastern Washington.

University in Washington state. He started programming his first personal computer in 1981 and what started as a hobby turned into a college major, and then eventually a career. In the late 80’s and early 90’s Sam worked as an IT Director, managing networks for Hyatt Hotels where Sam was involved in building one of the first IP-based wide area networks in Hawaii. Sam left the hotel industry to start Intech Hawaii and 30 years later, Intech is nationally ranked by MSP500, Inc Magazine’s “Inc 5000” and by Hawaii Business Magazine as one of Best Places to Work in Hawaii for 9 years running. Sam spends most of his free time with family and his wife Kerry enjoying Hawaii activities like golf and scuba diving.

Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?

I grew up in Coeur d’Alene, Idaho in the 1970’s. Both of my parents owned small businesses so running a business was a regular part of life. Today both of my siblings run their small businesses so it may run in the genes.

Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.

I live by The Golden Rule and it pains me to see bad guys get the upper hand. From the early days of the Internet, it was apparent that there were people trying to take advantage of other people and I’ve always fought against that.

None of us are able to achieve success without some help along the way. Is there a particular person to whom you are grateful who helped get you to where you are? Can you share a story about that?

A great manager I really look up to gave me my first job in IT — Riley Saito. Riley coincidentally became my first customer in Intech Hawaii years later when he was managing a resort hotel on the Big Island. It was a dream job working on computer networks while staying in one of the most luxurious resorts in the world during the week. We all have someone who gives us a leg up along the way and I’ll always be grateful to Riley for helping me.

Are you working on any exciting new projects now? How do you think that will help people?

Hawaii’s 2nd largest industry (next to tourism) is the military and defense contractors. The recent changes in cybersecurity compliance are forcing defense contractors to increase their security posture, and some of them are being caught off-guard. The regulations are called NIST 800–171 and CMMC (Cybersecurity Maturity Model Certification) and any contractor who can’t comply with the regulations will lose their contracts. We’ve developed a process to streamline the process of compliance while keeping the costs as predictable as possible. This cybersecurity program is helping our customers reduce their security risks — both for defense contractors and our customers in other industries. We have a blog article that explains more about CMMC in detail: https://www.intech-hawaii.com/2021/07/what-is-cmmc-nist-compliance/

What advice would you give to your colleagues to help them to thrive and not “burn out”?

I like the saying “When you love what you do, you’ll never work a day in your life.” It’s not always as easy as it sounds, but everyone in our company gets personal satisfaction from helping people succeed, and that’s the part that recharges us every day.

Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. The Cybersecurity industry, as it is today, is such an exciting arena. What are the 3 things that most excite you about the Cybersecurity industry? Can you explain?

First, as I was saying earlier, we really like helping people succeed and thwarting bad guys at the same time. I guess the second thing is the dynamically changing cybersecurity industry, there’s never a dull moment. And third would be the ability to solve complex problems with technology. There’s a lot of room for creative problem-solvers in this industry.

Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for?

Ransomware is the biggest threat to businesses because there is so much money in it for the bad guys. One ransom costs a business on average 20,000 dollars – 80,000 dollars plus the costs of cleanup.

Do you have a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?

About 5 years ago, we were called in to clean up an infection after an employee opened a malicious email with a zero-day exploit. The malware that infected that machine was a Russian banking trojan that had siphoned 30,000 dollars from the businesses bank account. The speed at which the transfers happened was mind-boggling, but due to the quick reaction the bank was luckily able to recover about 20,000 dollars. This was relatively early in the virus/malware industry and the attacks are much more sophisticated now, so it requires more planning and preparation on our part to defend against them.

What are the main cybersecurity tools that you use on a frequent basis? For the benefit of our readers can you briefly explain what they do?

The 3 main tools every business should deploy for protection are:

Advanced email filtering. Most attacks arrive through email and prevention will stop many of them. Security Awareness Training. Users are the weakest link in security, until they know what to look for. Modern Endpoint Security. The newer behavior-based AV software can stop more malware and alert faster than older signature-based AV software.

How does someone who doesn’t have a large team deal with this? How would you articulate when a company can suffice with “over the counter”software, and when they need to move to a contract with a cybersecurity agency, or hire their own Chief Information Security Officer?

A CISO is expensive, if you can even find one since they’re in high demand right now. A cybersecurity agency provides a range of skills on a team that can function with or without an in-house IT department. The demand for skilled cybersecurity workers is so high that retaining cybersecurity talent is the biggest challenge. Unless you have a good recruiter, outsourcing is probably the most cost-effective and least disruptive for most SMBs.

As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a lay person can see or look for that might indicate that something might be “amiss”?

Once upon a time, malware symptoms included things like pop-ups, browser redirects or slow computers, but these days an attacker is more often completely silent until they pull the trigger. Modern cyber tools are the only reliable way of detecting bad guys these days, but educate your users how to avoid phishing emails, texts and even “vishing” phone calls.

After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?

First, disconnect computers from the network, but don’t power down the computers or you can make things worse. Then call your cybersecurity company and your cyber insurance company, many policies include incident response services to help coordinate recovery efforts.

How have recent privacy measures like The California Consumer Privacy Act (CCPA), CPRA GDPR and other related laws affected your business? How do you think they might affect business in general?

New York and California are leading the way in computer privacy and security regulations, but we believe the rest of the country is not far behind. As increasing attacks cause supply chain disruptions and privacy issues, I can see a time where some sort of national cybersecurity rules will be put in place. This evolution happened in the payment card industry where after multiple costly attacks the PCI standard was created and it became required for all merchants to comply.

What are the most common data security and cybersecurity mistakes you have seen companies make?

The biggest mistake is thinking you’re not a target because your data isn’t worth anything to a bad guy. These days, it’s not how much your data is worth to them, it’s how much your data is worth to you.

Since the COVID19 Pandemic began and companies have become more dispersed, have you seen an uptick in cybersecurity or privacy errors? Can you explain?

We’ve been proactive with our customers in providing secure remote access well before the pandemic started, so we haven’t personally seen an uptick in incidents. But by using home computers for accessing work networks, remote workers basically doubled the number of endpoints that could be compromised.

Ok, thank you. Here is the main question of our interview. What are the “5 Things Every Company Needs To Know To Tighten Up Its Approach to Data Privacy and Cybersecurity” and why? (Please share a story or example for each.)

The largest corporations in the world can’t prevent security and privacy breaches, remember the Home Depot, Sony Pictures or the recent Colonial Pipeline breaches? Billion dollar companies have huge IT budgets, but are still vulnerable. Here are the top 5 things we recommend to keep businesses safe:

1. Security Awareness Training — It can’t be said enough. User training makes a huge difference. While hacking causes many large corporate breaches like Facebook’s breach Yahoo’s breaches that exposed the personal information of millions of people, SMBs are most likely to be breached by user error.

2. Password Management — The Dark Web created a huge industry where user information, including passwords, is bought and sold. The days of reusing a favorite password are long gone… Make sure you use unique, complex passwords and use a password manager like Roboform or LastPass to help you manage them without writing them down.

3. Two-Factor Authentication — The same way your bank sends you a text code when you log into their system, you should implement 2FA on your business network in a similar way. 2FA will stop many of the bad guys’ techniques in their tracks.

4. Limit Administrator Access — If you or anyone else in your company is using an administrator-level account for daily use, you’ve just upped the danger level. If you get infected while logged in with admin-level access, the infection will easily spread to every corner of every machine of your network. We recommend administrators have one account for daily use and a separate admin-level account for those times you need to perform admin functions.

5. Update Software Patches — Next to user error and password compromise, the next largest area of risk is outdated software. Microsoft, Java, Adobe, Google, Firefox and every other software company out there is under constant attack by bad guys trying to find bugs in their apps. Once a bug is found, it can be quickly exploited to infect thousands or millions of networks. China recently created a Microsoft Exchange hack that exposed millions of networks worldwide, and hopefully your IT provider quickly patched this zero-day exploit.

None of these protections are too expensive. In fact, on a per-user basis businesses spend much more on health insurance or social security than they pay for IT support and cybersecurity protection combined.

You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. 🙂

(Think, simple, fast, effective and something everyone can do!)

Backup, backup, backup. The 3 most important words in computers. If you have backups of your data, you’ll never be held hostage.

How can our readers further follow your work online?

Reach out to us at www.intech-hawaii.com where you can find my contact info and our blog.

This was very inspiring and informative. Thank you so much for the time you spent with this interview!