20 Minute Tuesday: Cybersecurity and Your Business

Wendy Northcross: I’m Wendy Northcross, CEO of the Cape Cod Chamber of Commerce, and today we’re bringing you the fifth installment of our 20 Minute Tuesday. This is a special video series that we produce in cooperation and collaboration with The Cooperative Bank of Cape Cod. It’s designed to bring good, timely business information to our constituents on Cape Cod, and we thank you for joining us today. Our focus on today’s 20 Minute Tuesday is cybersecurity and how we can avoid becoming victims, either personally or especially in our businesses, and help safeguard our employees as well. So, today with me I have two new stars at The Cooperative Bank of Cape Cod, Maeghan DeLellis and Paul Forni. They’re going to introduce themselves to you and tell you what their positions at the bank entail. So, why don’t we start with you, Maeghan.

Maeghan DeLellis: Thank you, Wendy. It’s a pleasure to be here today as a Small Business Banking Specialist and Branch Manager at The Cooperative Bank of Cape Cod. We focus our efforts on proactively listening to our customers, so that we can learn about their successes and struggles, their needs and industry trends. We make it a priority to try to understand what they’re going through, so that we can offer solutions that best fit their day-to-day operations because we are so passionate about their success.

Northcross: So, Paul, tell us about you and your role at The Coop.

Forni: Yes, I’m Paul Forni, The Cooperative Bank of Cape Cod’s Information Security and Red Flag Officer. My primary function at the bank is making sure that we’re doing what’s necessary to secure customer information and also to prevent identity theft.

Northcross: Thank you! Glad to have you both with me today. So, this is a big topic, and I know anytime the chamber has addressed cybersecurity we get a lot of attention, a lot of questions. And I think that it’s such a broad topic. It encompasses so many systems, such as mobile devices, computers, point-of-sale computers, websites and more. So, maybe if we could, Paul, maybe you could help us define exactly what cybersecurity means and set the stage for our discussion today.

Forni: Sure, happy to. Cybersecurity is basically the means that we use to secure and protect our network, our devices such as laptops, workstations, mobile devices, and our data from unauthorized access. It’s the ensuring of the confidentiality, the integrity, and the availability of our data and our customer data.

Northcross: So, as a business owner, what’s my best defense against cyberattacks? Paul, I’ll throw that to you again.

Forni: Thank you. Well, the key is that there’s no one magic thing you can do to make sure that you’re securing your data, your infrastructure. It’s really a combination of three major things. The first being is the technical controls that we use to secure data, and these would be your firewall, your anti-virus protection, your data-loss protection software and those types of things. The next control would be administrative controls, and those would be the standards we ourselves put in place and things like acceptable use. Telling ourselves what’s acceptable for our employees to do or us to do and what’s not acceptable for them to do while they’re using these resources. It’s also things like having standards in place for using only manufacturer-supported hardware and software and installing those very important security updates when those are made available by the various vendors and manufacturers. Some people will refer to those as security patches. Lastly, probably the most important of the three is providing education and training to ourselves and our employees, staying up to date with what scams the cybercriminals are using. Most importantly, understand social engineering. This is the phishing that has done the pretext telephone calling. It’s very important that we understand how the criminals are attacking our infrastructure, and they usually don’t attack our technology – they usually attack our weakest point, which is the human element of that. Of what we’re using to safeguard our employees. So phishing is very well-known, very popular right now. It’s gone up over 600 percent since the beginning of the pandemic, which started back in February and March.

Northcross: That’s incredible, Paul. Thank you. I know that even we have a small staff at the chamber, and frequently they’ll get emails that say, ‘hey, can you go run to the store and get me some gift cards.’ And they always check with me to make sure that that’s not really, you know, what I want. At least they know that, but it’s amazing how many times those emails come through. So, let me ask you another question about logins. You know, there’s so many passwords in my life that it seems overwhelming, and I know passwords are a pain in the neck, but are they important? Can I just use the same password for everything? And maybe a better question is, how can I keep track of all of them? Paul, I’m going to ask you.

Forni: That’s a great question, Wendy, and a lot of people still don’t put the same emphasis on passwords that they should. And keep in mind, when I talk to you today here, we also have to consider size and scope of our organization and what we’re trying to do. You know, at a community bank such as The Cooperative Bank of Cape Cod, we’re very strict with our password standards because we are safeguarding customer data, customer information, with those usernames and passwords that we use to log in. So the complexity of the password, how often you change that password and those types of standards have to go hand in hand with what you’re trying to protect. You know, just for instance, some keys for passwords is make them as strong as you possibly can, don’t share those passwords with anybody else, don’t use the same password for a number of different applications. For example, you know, personally I have a PayPal account, I have an eBay account, I have an Amazon account, the list goes on and on. I don’t want to use the same passwords for all of those accounts because if I did and somebody was able to get access to one of my usernames and passwords, they would be able to access all of those different applications. Also, those applications that I just named don’t force a user to change your password periodically, but still it’s a good idea to change that password even if you’re not forced to, because if somebody does try to break that password, eventually, given enough time, they’d be able to. Another couple of other good points would be don’t write down passwords and leave them unsecured. In other words, you know, I’ve seen before where people would write down a password and leave it under their keyboard in the office, where anybody who comes in and has access to that person’s desk could look under the keyboard and there would be the password. If you’re going to write them down, do it someplace safe. I also get questioned a lot about password vaults.
In a password vault, it would be up to you to do your due diligence to make sure that’s the correct application for you and that the vendor that you’re going to do business with hasn’t been involved in any data breaches in the past. Because again, if you’re storing all of those passwords in one spot with one vendor and a cybercriminal is able to gain access to that application, that vendor, they’re going to have all your usernames and passwords, so you have to do your own due diligence to make sure you’re getting what you’re paying for.

Northcross: Great advice. Thanks, Paul. So, Maeghan, let’s shift over to you. In your role as a small business specialist, do you help businesses daily with their banking needs? What are some of the common issues and questions that you’re getting? This day and age, in this technology-laden era, and all of us working remotely. What’s the kind of things that you’re helping people with to help them keep organized and safe?

DeLellis: Recently through the pandemic, we have seen a large uptick in unemployment fraud and employers are calling, and it’s nice to have a fraud kit available for them. We refer them to their fraud kit so that they can protect themselves the best they can after they’ve already been compromised. We will also ask them to visit the three credit bureaus so that they can report their identity theft and freeze their credit until they’ve had enough time to make sure that they haven’t been compromised in that way either. And then we refer them to the police department and ask them to please file a report with them so that all of the cases can be tracked appropriately. Another issue, not really an issue, but an uptick has been online banking with the pandemic. We have been transitioning a lot of customers to electronic banking. And with that on the business side, a lot of businesses are learning that they can have online banking with multiple users. When set up, the users can be given a specific permission so that they can only have access to what they need to in order to perform their job function. Paul touched on password changes, but you know, very briefly, it’s important to have a secure password, and it is recommended that it is obscure enough so that someone would not be able to get what it is but that they can also remember it. Requiring the employee to change their password frequently makes it harder for the password to be compromised. So, to put that in play in your business practice is a really great idea. Monitoring your accounts and setting up alerts is something you can do on our online banking service. For example, the bank will notify you if a charge has gone through that’s over a certain amount of money or if your account goes negative. You can also set up alerts to have the bank notify you if password changes have been requested or if there’s an address change request.
Those are important because it allows you to monitor your account in real time, and you can address it right away. Paul also touched on sharing accounts. Please do not share your password or your online username with anyone. We have the ability to set up anyone you want to be able to help with your online banking, and if something were to happen with that employee we can revoke that access right away. Once you’ve given them your username and password, it makes it a little bit more difficult and we have to start from scratch. So, please don’t share your accounts.

Northcross: Again, great advice. You know, it’s pretty daunting figuring out how to assess your safety risks, how to prevent cyberattacks. So, Paul, is there a way that you can guide businesses to help identify their strengths and weaknesses and try to head off any cyberattacks before they start? What advice do you have there?

Forni: My advice would be to do a risk assessment of your practices, for your standards, what you allow your employees to do. So, just do a quick risk assessment, and sometimes people are intimidated by the sound of doing a risk assessment, but believe me, it’s not that difficult to do. We’ll even provide you a boilerplate form, which you can fill out, just answer some simple questions, and that’ll tell you how much risk you’re exposed to. And it’ll also give you some tips on how you can reduce that risk by just making some very simple changes. And again this is a time to also emphasize again size and scope. You know, there’s a lot of things that we do again at a commercial, at a community bank, that you know we put a lot of time, attention and money into making sure we’re securing information. You may not have to do all the same things that we do, so it is a size and scope. You have to find out what’s appropriate for your infrastructure. More importantly, it’s important for you to be able to discover your weaknesses before a cybercriminal discovers those weaknesses and uses those weaknesses against you.

Northcross: So, Maeghan, can you point us to other resources that would be helpful for businesses?

DeLellis: The Cooperative Bank of Cape Cod’s website, mycapecodbank.com, has a resources tab available to customers and non-customers. There are some really great videos that explain the security that the bank offers and how to protect yourself and your business. In the resources tab, there’s also a link to our security page. There you’re going to find important facts on how to protect yourself from fraud, identity theft, lost or stolen debit cards. And the security tips tab, it has insightful information on how to protect yourself from various types of cyberattacks that your business may face. It includes everything from phishing scams to imposter scams, wire fraud, IRS scams and more. So, there’s a lot of information there on our website available. The Code of Massachusetts Regulations for data privacy, also known as 201 CMR 17, can be found on mass.gov. It is a standard for protection of personal information of residents of the Commonwealth of Massachusetts. It is a law that businesses need to make sure they are in compliance with, but many businesses are unaware of. The law ensures the security and confidentiality of a customer’s information in a manner that’s fully consistent with industry standards. It protects against anticipated threats, hazards to security or integrity of such information and protects against unauthorized access or use of such information that may result in substantial harm. You can get a lot of information on this on the mass.gov website. So, I highly suggest that you visit it. The Federal Trade Commission also offers a lot of information and free resources for business customers. It is a great website to visit if you would like some free brochures for your business. ftc.gov is where you would go to find all of those resources. The Department of Homeland Security offers updated information and articles on how the government is helping businesses combat cyberattacks, lots of information there. A great resource.
SCORE offers a lot of training that is pre-recorded if you’ve missed the live webinar. So, you would visit their website and you would just visit the tab that says recorded webinars. If you scroll down on their homepage, the topic you will choose when you’re looking for information security is technology. There are recorded webinars that include data privacy, overcoming cybersecurity challenges and what small businesses need to know about cybersecurity. And the SBA does offer businesses some guidance. If you visit the business guide on their website and visit the manager business tab, staying safe from cyber threats, has a lot of information. Also a lot of information is repeated on all of these websites, but it’s great to grab information from here and there because you may find that one covers something that one doesn’t. For fraud and ID theft, I would visit the Federal Trade Commission’s website. I think it’s a great resource, and you can order fraud kits like we have here at the bank and you can provide them to your employees if they were to become compromised with unemployment fraud or if they happen to mention to you that they feel like their Social Security number has been compromised in any way.

Northcross: That’s great. We know even though we’re a year into the pandemic, there’s been another cycle of unemployment insurance fraud that the state of Massachusetts has been issuing notices to employers to just stay, you know, on heightened awareness. So, I think all of this can’t be repeated too many times. So, thank you, Paul. Thank you, Maeghan. This actually wraps up today’s 20 Minute Tuesday, and I want to thank you for participating and representing The Cooperative Bank of Cape Cod. I’d like to remind you and our viewers that if you have any questions or topics that you’d like to see in the future, please visit the link below, fill out the survey, and we promise to get right back to you. Thanks again to The Cooperative Bank of Cape Cod. You are great partners with the Cape Cod Chamber of Commerce, and you’re making this video series possible. And we look forward to sharing the next edition with you soon. Thank you.