Five Questions With: Kevin Ricci

Director of information technology at LGC+D talks about the lurking cyber threats companies should be thinking about.
Posted 11/27/13

Kevin Ricci is the director of information technology at LGC+D, and since 2006 has served as a founding member and a co-leader of LGC+D Solutions, the firm’s IT Solutions group offering clients specialized information technology expertise and services such as IT auditing, consulting and data analysis.

Following LGC+D’s recent cybercrime breakfast seminar for leading business women, Ricci spoke with Providence Business News about what businesses need to know about cyber attacks and how to protect themselves.

Ricci holds a B.S. in computer information systems from Bryant College, as well as several industry-recognized certifications, including ISACA’s Certified Information Systems Auditor, Certified in Risk and Information Systems Control, and Microsoft’s Certified Systems Engineer.

PBN: Companies today are becoming more and more aware of the basic tenets of cybersecurity – implementing strong passwords, encryption, antivirus software, etc. – but what are some potential threats of the cyber world that are not yet well known or safeguarded against?

RICCI: One of the key threats that can circumnavigate many of the best technological defenses is “spear phishing.” This type of attack, which is less of an attack and more of a well-crafted deception, is when an attacker sends an email to you posing as a trusted person or entity, such as a bank or credit card company that you do business with. At a quick glance, the sender’s address looks authentic and the message includes details that are specific to you, such as a purchase you have recently made (and posted about on Facebook), so you lower your defenses believing the message to be legitimate.

From there, you will be asked to reply with information, open an attachment, or click a link to a website. If you fulfill any of these seemingly benign requests, the spear phisher has succeeded in making you do their bidding. The reply containing sensitive information such as a PIN number is not going to your credit card company, the attachment no doubt contains malware that potentially opens a backdoor for access to your computer or network, and the link you followed to your bank’s website where you entered your social security number is in fact just a well-crafted facsimile run by the spear phisher.

PBN: What kind of training should companies provide for their employees to ensure a strong defense against cyber attacks?

RICCI: The best way to avoid spear phishing and many other types of cyber attacks is by educating your employees on how to be aware of potential security risks, how to avoid them, and to immediately notify the security contact if they suspect one has occurred. This type of training should be held at least once a year, with emailed reminders and mini-trainings being provided on a more frequent basis as risks change or evolve. In addition to providing guidelines and best practices, these trainings should include examples of what damage an attack can inflict to drive home the point of how real these attacks are and how important security is to a company. The training should also include a policy that each employee is required to read and sign, indicating that they understand and will follow the company’s security policies.

PBN: What is cyber insurance and how can it benefit companies looking to protect sensitive data?

RICCI: Cyber insurance refers to policies purchased by a company that help mitigate losses in the event of a cyber crime. There are several different types of cyber insurance policies available that aim to mitigate the wide variety of expenses that can stem from a data breach, including privacy and network liability, network damage, and public relations and response expenses. In addition to limiting the financial damages resulting from a cyber attack, there are other advantages to having cyber insurance. Because most insurance companies base the cost of premiums on a company’s level of preparedness against cyber attacks, this type of insurance may help curb the number of successful attacks by promoting widespread deployment of preventative measures and best practices.

PBN: Is it enough for a company to rely on an annual audit by a third-party IT administrator to ensure its data is protected, or should companies implement other practices as well to evaluate the security of a system?

RICCI: No, it is not enough for a company to rely on an annual audit, because as valuable as it is to receive a third-party assessment, it is only a “point in time” look at the state of a company’s security. Evaluating a company’s data security is a perpetual endeavor, and to accomplish this, periodic internal audits as well as real-time monitoring solutions should be in place, with results reviewed and documented on a frequent basis to assure that the proper security baselines are being met.

PBN: How does LGC+D help its clients understand, identify and prevent cybercrime and other cyber threats?

RICCI: LGC+D can help prevent cyber threats by evaluating your company’s current IT policies, procedures and security and identifying and explaining any vulnerabilities that may exist. An important part of this process is data mapping, or the documentation and understanding of where a company’s most sensitive and important information and data resides, so policies and procedures can be designed to protect those sources. From there, we can provide guidance and solutions that can help you establish the security that you need to protect yourself and your data from the many cyber dangers that threaten your business.
