Aaron Warner, CEO of ProCircular, speaking at the opening of the CBJ’s 2017 Cyber Security Breakfast. PHOTO ADAM MOORE


By Katharine Carlon

When even global behemoths like Equifax can’t keep their data and customers safe, can small and mid-sized businesses stand a chance against hackers?

Absolutely, says Aaron Warner, CEO of Coralville-based ProCircular, who prefaced the CBJ’s second-annual Cyber Security Breakfast with both a warning and a pep talk aimed at encouraging businesses to create a plan to deal with cyber threats.

“You’re inundated with all kinds of numbers and statistics and there’s a lot of doomsday involved in what we do,” Mr. Warner said. “But today I’d like to talk as much about solutions as the risks involved in the world of cybersecurity.”

The risks are obvious. Mr. Warner pointed to a “dizzying” number of significant incidents over the past year, including the Wikileaks Vault 7 and Shadow Brokers breaches last spring, which dumped a trove of NSA exploits and hacking tools out in the wild and into the hands of bad guys and “15-year-olds with a lot of time on their hands.”

The Wanna Cry and Not Petya bugs in May and June “underpinned the challenges IT departments have in keeping computers updated and keeping them up and running when those things are in competition with one another.” And the giant Equifax breach in September, which compromised the personal information of 143 million people, will be “the gift that keeps on giving,” Mr. Warner said.

“Unlike a lot of breaches where it’s just a credit card number … you don’t get a chance to replace your Social Security number,” he noted. “That data is going to be around for people’s nefarious use for quite a while.”

Even so, Mr. Warner argued that companies with a response plan in place are not only more likely to recover quickly from a breach, but also pay 25 percent less dealing with the fallout. Companies, he said, should ask themselves five questions to ensure they are prepared if and when cyber calamity occurs:

How does my company manage risk? “Do you think about cybersecurity as being an ‘IT thing,’ or is it something in the organization that everyone, including the people at the front desk, think of as their responsibility?”

Is everybody on board? “Lip service to this subject doesn’t do much good. If you have the whole team behind you in cybersecurity – everyone knows and the CEO, the CFO and the general counsel are behind it – then the IT folks can go out and make the case for it. If that isn’t true, it can be a really major challenge in terms of implementation.”

How secure are acquired companies? “This is a question of the weakest link,” Mr. Warner said, adding that it’s an especially important point in the Corridor, where many companies grow through acquisition. “So while you, as the parent organization, may have top-class cybersecurity solutions, that clinic or that small company that your firm just acquired can be the way that the bad guys get in the back door.”

Are we testing our backup/disaster recovery/business continuity plan? “Most organizations have [a plan] … Most organizations also don’t test it. We see this a lot with ransomware. It’s easy to make those ransomware guys go away … if you have good backups of your data.”

Are we prepared for a breach? “The time to work out how to call the FBI or whether general counsel should be involved or what the CEO needs to know is not during an incident. That’s actually the worst time because people are nervous, nobody wants to lose their job. That is never the time to work out, ‘what are we going to do?’”