rom its inception, Anchorage-based DenaliTEK has focused on addressing cybersecurity issues and a range of other IT services. But for years, many businesses did not want to hear about cybersecurity, including medical practices that are legally required to maintain strict security practices, says President Todd Clark. Now due to a rash of security breaches and evolving federal laws, more companies are ready to listen.
“Now people understand that it’s a real, urgent business need—and in some cases a problem,” Clark says. “And they want to know their IT provider is prioritizing cybersecurity.”
Cybersecurity is such a critical issue that it’s now part of DenaliTEK’s official mission statement: “Alaska will be the most cybersecure business community in America.”
rom its inception, Anchorage-based DenaliTEK has focused on addressing cybersecurity issues and a range of other IT services. But for years, many businesses did not want to hear about cybersecurity, including medical practices that are legally required to maintain strict security practices, says President Todd Clark. Now due to a rash of security breaches and evolving federal laws, more companies are ready to listen.
“Now people understand that it’s a real, urgent business need—and in some cases a problem,” Clark says. “And they want to know their IT provider is prioritizing cybersecurity.”
Cybersecurity is such a critical issue that it’s now part of DenaliTEK’s official mission statement: “Alaska will be the most cybersecure business community in America.”
There’s no silver bullet when it comes to safeguarding a business, says Cindy Christopher, director of Managed IT at Alaska Communications. That’s why Alaska Communications promotes the practice of using several layers of security, which can provide multiple defenses against cyber attacks. It also embraces best practices and employs best-of-breed products to support its customers and their networks.
Alaska Communications also prioritizes end-user training and employee awareness. “No cybersecurity solution can block 100 percent of attacks,” Christopher explains. “Your employees are your first line of defense. You could have the tightest security controls in place and still be infiltrated if an employee falls for a phishing attack.”
Robert Thurston, chief technology officer at Ampersand (originally founded as AlasConnect), helps clients focus on effective IT risk management as a whole. “What it boils down to is we help organizations effectively look at their security risk from top to bottom and putting together a plan, so they can sleep at night,” he says. “This may not be flashy, but it comes down to having a risk management mindset.”
The real value, Thurston says, is in adopting a holistic approach and seeing the “whole battlefield.” He explains: “The threat in the news is ransomware, but that is just one battlefield. So we have to take that long view and make sure our clients are prepared to move into the future.”
The length of time that DenaliTEK works with clients varies. Its free network assessments are completed and reported on within a week. It takes about a month to complete projects that involve providing full network audits for businesses concerned about security and compliance. DenaliTEK’s managed services and co-managed clients are typically on annual contracts for full support. “Our clients welcome an ongoing multi-year relationship,” Clark says.
Addressing cybersecurity can mean different things to different businesses. DenaliTEK’s cybersecurity offering is based on National Institute of Standards and Technology standards, which ensures 24/7 security for all users, endpoints, and systems. “Our offering is developed using best-in-class components with comprehensive process, policy, and training,” Clark says. “With end-user training and a 24/7 Security Operations Center team, no question goes unanswered.”
DenaliTEK’s specific approach to cybersecurity encompasses five areas:
Identify: Network vulnerability assessments to determine potentially vulnerable or weak systems
Protect: Best in class firewalls, endpoint protection, and other systems to protect clients
Detect: 24/7 system monitoring with a 24/7 Security Operations Center
Respond: Written process for responding to potential security events, coupled with a 24/7 Security Operations Center
Recover: Written process for recovering from potential security events, coupled with 3-2-1 backups [three copies of data, including one original and two backups stored separately]
Unfortunately, many businesses tend to concentrate on the “protect” facet of cybersecurity, Clark says. They focus less on the aspects of detect, respond, and recover, which can be short-sighted. Clark thinks of these three areas this way: “Imagine if you’re in a boat and are taking on a bunch of water. Detect is when you’re taking on the water, and you can really minimize the damage if you have good tools and processes in place. Respond is like patching the hole. Recover is like bailing out the boat.”
DenaliTEK has staff with Certified Ethical Hacker and Certified Hacker Forensic Investigator credentials.
But as a softer skill, cybersecurity also requires professionals that can exercise constant vigilance. Vigilance must be a core value of all team members, coupled with process, teamwork, and strong leadership, Clark says. “Staying ahead of the threats requires a team of qualified personnel and strategic partnerships with exceptional cybersecurity vendors,” he says.
Ampersand works with medium and enterprise-scale businesses that need extra guidance to address specific concerns and complex issues. “We can help clients of any size, but we try to help them realize how we provide value in terms of risk mitigation and outcomes,” Thurston says. “We try to position ourselves as a partner to our clients; we try to make sure they are spending their resources effectively.”
When working with clients, Ampersand has a range of options. Its goal is to meet businesses where they are on their cybersecurity journey. In some cases, this can mean starting with a vulnerability risk assessment that could take four to six weeks to complete, depending on the complexity involved. In other instances, the company builds longer-term relationships with clients. In all cases, Ampersand tries to be flexible to what its clients’ needs are without compromising the security of their organizations. “We’re not just trying to sell someone a product, we want to make sure their security needs are addressed,” Thurston says.
Many businesses hire Ampersand for an initial assessment to evaluate their security program. In these situations, the company always recommends a solution to fix any problems that are identified. Then clients can take it from there and address the issues on their own or allow Ampersand to resolve them. Or clients can opt to have Ampersand manage their security program so they can be better prepared to address potential cybersecurity issues—before an attack happens.
Ampersand can help clients employ tabletop exercises to rehearse how they would respond to a security incident. This can help them avoid making mistakes with breach notification, compliance, and not bringing in the management, all of which can make cybersecurity incident more problematic and costly to mitigate. Thurston says: “If you’re not prepared before the attack, you can have a haphazard response… So prepare for the worse and hope for the best.”
Ampersand employs experts in various disciplines. Its information security team is well versed in vulnerability management, incident response, risk assessment, and other areas of cybersecurity operations. Beyond that, the company’s professionals are equipped to help with basic maintenance, patch management, firewall configurations, network and software architecture, and a range of other requirements.
Although the IT industry often highlights technological acumen over soft skills, sometimes this can be a detriment, Thurston says. “At the core of it, the folks who are most successful [in IT] are those with soft skills and those who have an empathy for the people they protect,” he says.
As Ampersand’s slogan points out, technology is uniquely human. And the people behind the technology have to be “human” or it won’t be successful, Thurston says.
Businesses need a provider that can provide layers of security, protecting from external threats, Christopher says. Alaska Communications’ engineers follow current cyber trends and employ industry best practices to help businesses protect themselves against attacks. As part of these efforts, the company offers a wide range of managed security services, including user education and awareness; network security and monitoring; threat detection and response; data backup and recovery; malware prevention; security assessments; and security consulting.
Alaska Communications and its broad segment of industry experts serve the security needs of customers through assessments, consulting, and product sales. Its specialties include firewall engineering, network segmentation, identity and access management, gap assessment and remediation, incident response, and end-user training. “From common threats to compliance management, our team delivers unified threat management and security services with advanced detection technology to protect our customers,” Christopher says.
In terms of its expertise, Alaska Communications’ managed security solutions experts are expected to earn and maintain advanced certifications. Additionally, they are trained to implement and support the security products it offers. “For us, cybersecurity is a passion,” Christopher says. “Our team members are dedicated to their craft and to our customers.”
The duration of time that Alaska Communications works with customers is also flexible. The company provides custom solutions to meet customer requirements and objectives. Sometimes that happens in a short span of time, but more often it requires a longer-term relationship.
Christopher says Alaska Communications works to support Alaska businesses with robust end-to-end support. The company’s managed IT customers receive proactive monitoring and alerting, which is critical to thwarting and mitigating cyberattacks. Alaska Communications can also step in and work with new customers after they have experienced a cybersecurity incident, which can result in significant financial damage, business disruption, reputational harm, lawsuits—or even worse consequences. “Some attacks may even cause a business to shut down entirely,” Christopher says. “It’s always best to be as proactive as possible, with robust monitoring and business continuity plans.”
Phishing—using fake emails and other schemes to try to trick someone out of their personal information or money—is the single biggest threat to businesses. Phishing emails can come from trusted vendors or coworkers whose email addresses have been compromised. “The tell-tale signs of phishing have become harder to spot, requiring even more vigilance from employees,” Christopher says. “Employee awareness training remains the best, first defense against business email compromise.”
Clark agrees, saying that a lack of employee training for computer users is the number one threat to cybersecurity. A simple click on the wrong web page or email can set off a major security event. “Recent studies reveal that well over 80 percent of all breaches in recent years are due to human error,” he says. “The lack of training contributes to ransomware, CEO fraud, and other insidious threats.”
Companies can enhance employee awareness by conducting ongoing cybersecurity training and testing. And they can go a step further by emailing out simulated phishing attacks and monitoring to see if the recipient clicks on it. “The idea is that you find out which employees are leaving you vulnerable, then you can go back and deal with the issue,” Clark says.
Phishing, ransomware, and other cyber attacks have become even more prevalent during the coronavirus pandemic. The FBI’s recently released 2020 Internet Crime Report includes information from 791,790 complaints of suspected internet crime—an increase of more than 300,000 complaints from 2019—and reported losses exceeding $4.2 billion. The accompanying report for Alaska shows that nearly 2,300 victims in Alaska filed complaints of suspected internet crime to the FBI’s Internet Crime Complaint Center and reported losses exceeding $6 million. One of the top money-losing scams for Alaska victims was business email compromise, a type of phishing attack (also called CEO fraud) in which fraudsters impersonate company owners or executives to trick employees into transferring money or turning over confidential data.
Cybersecurity incidents—many of which go unreported—have been increasing among businesses and individuals worldwide. In Alaska, for example, a recent cyber attack caused the Alaska Court System to temporarily disconnect most of its operations from the internet. Court filings, court record searches, payments of fines, and other services were temporarily inaccessible online, causing a major backlog.
Cyber attacks have become so widespread that many contractors now have to prove they are cybersecure before they can do business with the government. The Department of Defense requires companies bidding on defense contracts to certify that they meet the basic level of cybersecurity standards articulated in its Cybersecurity Maturity Model Certification.
Clark says cybersecurity attacks will continue to persist. “This problem is not going to go away,” he says. “Businesses are going to have to learn sooner or later how to deal with cybersecurity.”
This past year, there have been some remarkable trends in the business world involving the use of technology for remote work and the increased adoption of communication services. But it’s not the right time to take an eye off the ball, Thurston cautions. The capability of the adversary has evolved, with bad actors often having more resources than the companies they are targeting. So it’s important for businesses to leverage allies to their defense and capitalize on any available resources that can help.
In addition, it’s essential that everyone—not just the security team—is well armed with the information they need to exercise good cybersecurity practices. “We need to help employees with practicing good ‘digital hygiene,’ but we can’t make it too cumbersome,” Thurston says.
Continuing, he explains: “Our challenge is to find that balance, to find what is effective and what is safe, so people will be able to get their work done. For example, simulated phishing campaigns can make people feel fatigued and then they might not reach out to the IT team when there is a problem. Or if it is too cumbersome for me to share a document safely, I might sign up for a Google account… We can’t make the medicine more harmful than the condition.”
Thurston adds: “Technology is a tool that we use to achieve human outcomes. We’re trying to solve human problems, so we have to make it fundamentally human.”