Research & Marketing Strategies, Inc.

Get our email updates

Stay up-to-date on the companies, people and issues that impact businesses in Syracuse, Central New York and beyond.

Research & Marketing Strategies, Inc. (RMS) recently added JAMES FLEMING as a health-care transformation specialist. As an integral member of the RMS Healthcare Division, his primary responsibility is to provide targeted health-care consulting by partnering with clients seeking to achieve and maintain Patient-Centered Medical Home Recognition, as well as other health-care transformation projects. Fleming works […]

Already an Subcriber? Log in

Get Instant Access to This Article

Become a Central New York Business Journal subscriber and get immediate access to all of our subscriber-only content and much more.

Learn More and Become a Subscriber

DURELL CULL

People on the Move, Subscriber Only

DURELL CULL has been appointed track and field head coach/athletic specialist at Mohawk Valley Community College (MVCC). He has worked at MVCC since 2013 in a variety of part-time positions, including assistant sprint coach, adjunct instructor, technical assistant, head cross country coach, and head track and field coach. Prior to joining the college, Cull served

Already an Subcriber? Log in

Get Instant Access to This Article

Become a Central New York Business Journal subscriber and get immediate access to all of our subscriber-only content and much more.

Learn More and Become a Subscriber

Wegmans pays $400K penalty after data breach exposed customer information

Law, Accounting & Taxes, Subscriber Only, Technology

Grocery store chain Wegmans is paying $400,000 in penalties to New York State after its data breach exposed the personal information of more than 3 million consumers nationwide, including more than 830,000 New Yorkers. Wegmans is also required to upgrade its data-security practices to protect consumers, New York Attorney General Letitia James said in a

Already an Subcriber? Log in

Get Instant Access to This Article

Become a Central New York Business Journal subscriber and get immediate access to all of our subscriber-only content and much more.

Learn More and Become a Subscriber

Wegmans is also required to upgrade its data-security practices to protect consumers, New York Attorney General Letitia James said in a June 30 announcement.

“For years,” Wegmans kept consumers’ personal information in “misconfigured” cloud storage containers that were open, making it easy for hackers or others to potentially access the information, James’ office said.

The compromised data included usernames and passwords for Wegmans accounts, along with customers’ names, email addresses, mailing addresses, and additional data derived from drivers’-license numbers.

“Wegmans failed to safely store and seal its consumers’ personal information, instead it left sensitive information out in the open for years,” James said. “Today, Wegmans is paying the price for recklessly handling and exposing millions of consumers’ personal information on the internet. In the 21st century, there’s no excuse for companies to have poor cybersecurity systems and practices that hurt consumers.”

Probe details

In April 2021, a security researcher informed Wegmans that a cloud-storage container hosted on Microsoft Azure was left unsecured and open to public access, “potentially exposing” consumers’ sensitive information, James’ office said.

Wegmans “immediately reviewed” its cloud environment and identified the container, which had a database backup file with over 3 million records of customer email addresses and account passwords. The container was misconfigured from its creation in January 2018 until April 2021.

During that time, an unauthorized actor could have accessed and cracked account credentials, using them to log into customers’ Wegmans accounts or to access consumers’ accounts on a different website if the customers had reused their passwords.

In May 2021, Wegmans discovered a second cloud-storage container that was also misconfigured. The storage container, which was left publicly accessible since it was set up in November 2018, housed a database that included customers’ names, email addresses, mailing addresses, and additional data derived from drivers’-license numbers.

In June 2021, Wegmans began notifying affected consumers whose personal information was compromised during the incident.

James’ office determined that, in addition to failing to appropriately configure the cloud-storage containers to limit access to its contents, at the time of the incident, Wegmans failed to inventory its cloud assets containing personal information, secure all user passwords, and regularly conduct security testing of its cloud assets.

In addition, Wegmans maintained checksums derived from customers’ driver’s license numbers “without a reasonable business purpose” to maintain any form of driver’s license information “indefinitely.”

Wegmans also failed to maintain long-term logs of its cloud assets, which made it “difficult to investigate security incidents,” James’ office said.

Protection measures

Besides the $400,000 in penalties, Wegmans must also adopt new measures to protect consumers’ personal information going forward.

The company must maintain a “comprehensive” information-security program that includes regular updates to keep pace with changes in technology and security threats and reporting security risks to the company’s leadership.

It must also maintain appropriate asset-management practices, including maintaining an inventory of all cloud assets.

Wegmans will also establish policies and procedures to ensure all cloud assets containing personal information have appropriate access controls to limit access to such information. It will also develop a penetration-testing program that includes at least one annual “comprehensive” penetration test of Wegmans’ cloud environment.

In addition, Wegmans is implementing centralized logging and monitoring of cloud-asset activity, including logs that are readily accessible for a period of at least 90 days and stored for at least one year from the date the activity was logged.

The grocery-store chain is also establishing appropriate password policies and procedures for customer accounts, including hashing stored passwords with a hashing algorithm and salting policy commensurate with NIST standards, encouraging customers to use strong passwords, educating customers on the benefits of multifactor authentication, and prohibiting password reuse.

Wegmans is also maintaining a “reasonable” vulnerability-disclosure program that allows third parties, such as security researchers, to disclose vulnerabilities. It’s also establishing appropriate practices for customer-account management and authentication, including notice, a security challenge, or re-authentication for account changes.

The company is also updating its data collection and retention practices, including only collecting a customer’s personal information “when there is a reasonable business purpose for collection and deleting personal information when there is no longer a reasonable business purpose to retain such information. For information collected prior to the effective date of the agreement, Wegmans will permanently delete all personal information for which no reasonable purpose exists within 240 days of the effective date,” James’ office said.

Wegmans reaction

In a company statement, Wegmans says it takes security of customer information “very seriously and immediately remedied the situation once it was discovered.”

“We have improved our processes to better protect customer information in the future. While we do not agree with some of the conclusions drawn by the attorney general, we cooperated fully in the investigation and are glad it has been concluded,” Wegmans said. “This was a configuration issue with two cloud storage containers, and did not involve any other part of the Wegmans network. This type of configuration issue is common, unfortunately, and Wegmans has redoubled its efforts to avoid the issue in the future. There was also no indication that customer data was accessed improperly or otherwise misused. No customer credit card or other sensitive data was involved.”

Cybersecurity resilience focuses on staying operational

Regional News, Small Business, Subscriber Only, Technology

UTICA, N.Y. — A growing mindset in the world of cybersecurity is cybersecurity resilience, which is the idea that hacks are inevitable, so businesses need to figure out how to remain operational when those hacks happen. According to the National Institute of Standards and Technology (NIST), cybersecurity resilience is the ability to anticipate, withstand, recover

Already an Subcriber? Log in

Get Instant Access to This Article

Become a Central New York Business Journal subscriber and get immediate access to all of our subscriber-only content and much more.

Learn More and Become a Subscriber

According to the National Institute of Standards and Technology (NIST), cybersecurity resilience is the ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on systems that use or are enabled by cyber resources.

“Cybersecurity is in the headlines every day,” says Alex MacDiarmid, director of advanced programs at Quanterion Solutions, Inc. in Utica. That resilience element is all about how a business can continue to perform its essential functions if and when a cyber attack happens.

It’s almost impossible to develop a cybersecurity plan that prevents all attacks, says Cully Patch, senior program manager for cybersecurity and intelligence at Quanterion. That’s because the functionality of a system is inversely connected to its security. In other words, the more secure a system is, the less functional it is.

Businesses need to find that sweet spot in between, he says, where systems are well protected but are still functional enough for employees to do their jobs. They also need to fine tune their resilience plan, he adds.

In the ever-growing digital age, it really is crucial. According to Quanterion, there are 14.4 billion active “internet of things” devices, with that number growing about 18 percent annually. Internet of things means devices with sensors, processing ability, software, or some form of technology that connects it to the internet or other communication network. This can include anything from machinery in a factory or hospital to smartwatches and other wearables and, of course, the phones and computers we use in our everyday personal and work lives.

Ransomware remains a popular choice for hackers going after businesses. The workday is humming along and all of a sudden, a message pops up on computer after computer on the business’ network. Hackers have control of the network — and all the data and programs on it — effectively griding business to a halt.

That’s where the resilience plan comes into play, MacDiarmid says. Many times, companies just pay the ransom. “The bad thing about all that is even if you pay the ransom … it doesn’t unlock as fast as it locks,” he notes. Plus, the business is out the ransom money.

Other downsides of being the victim of a cyber attack can include damage to the business reputation, loss of revenue, and even fines in some cases, MacDiarmid notes.

One example of resilience that’s a better solution, he says, is having routine backups to which the company can revert back. Rather than pay the hackers, the company can simply revert back to the most recent backup. Some work may be lost, but the business isn’t at the mercy of hackers and can continue to operate.

Another option is to separate business systems so they can operate independently from each other, MacDiarmid adds. That way, if one area is compromised, the rest of the business can continue to function.

In order to produce a plan for resiliency, there are five key cyber functions that come into play, MacDiarmid says. They are identify, protect, detect, respond, and recover.

Within those functions are basic things such as strong antivirus programs, company protocols regarding passwords, and good cyber hygiene practices (keeping software up to date, removing outdated users, etc.) as well as more-advanced actions such as monitoring network activity for anomalies, diagramming the network, and developing an incident response plan for distinct types of incidents, Patch and MacDiarmid say.

NIST’s Small Business Cybersecurity Corner offers a number of planning tools to assist businesses that may not have an in-house cybersecurity person or the means to employ an outside firm.

AIS wins AFRL contract

Manufacturing & Engineering, Regional News, Subscriber Only, Technology

ROME, N.Y. — Assured Information Security, Inc. (AIS) recently landed an Agile Cyber Technology 3 (ACT 3) contract, a $950 million indefinite-delivery/indefinite-quantity (IDIQ) pact from the Air Force Research Laboratory (AFRL). Both organizations are located in the Griffiss Business and Technology Park in Rome. The contract for technical documentation, technical reports, software, and hardware serves

Already an Subcriber? Log in

Get Instant Access to This Article

Become a Central New York Business Journal subscriber and get immediate access to all of our subscriber-only content and much more.

Learn More and Become a Subscriber

The contract for technical documentation, technical reports, software, and hardware serves as a vehicle for rapid execution of critical needs, says Dan Kalil, chief commercial officer at AIS. Essentially, that means any federal government agency with a rapid need can award AIS a contract up to $950 million in a simple and expedited manner, he says.

“It enables very timely interactions between the federal government and AIS,” he notes, adding that it is critically important. “Particularly when you think about cyberspace and cybersecurity … you need the ability to not only respond rapidly but also to get out ahead of it.”

Since the work will all be done for the Air Force and partner organizations, the need for agility and quickness can be a matter of life and death, Kalil stresses. AIS is one of five companies to receive this contract award from AFRL.

The pact comes on the heels of the company celebrating 20 years since earning its first government contract. It was May 2002 when AIS, which was founded in June 2001, secured its first contract, which was also from AFRL.

“Starting AIS was one of the biggest risks I’ve ever taken and earning our first contract was a huge milestone that made it all worth it,” AIS CEO Charles Green said in a statement. “It gave us all the confidence we needed and set the trajectory for AIS for decades to come.”

Since that first deal, AIS has completed 376 contracts and is currently fulfilling another 44.

The company also holds 17 patents and has 11 more filed.

Looking back, Kalil contends that AIS was truly ahead of the industry that was supporting the AFRL at the time, and he attributes that to the company’s success.

“We were the generation that wanted to turn cyber into launch speed,” he says. It was all about novel, next generation, tomorrow capabilities but having them today.

The company is blessed to have such a strong relationship with the AFRL, he adds, and the ACT 3 contract is just another example of that great working relationship.

The contract is also symbolic of AIS as a company, he says. As a small and nimble organization, its motto has always been, “Just go do it.”

The motto has served the business well. Along with marking 20 years of government contracts, AIS has also grown to more than 200 employees and additional offices in Rochester and Syracuse in New York; Augusta, Georgia; Baltimore, Maryland; and Lorton, Virginia.

The plan for the next 20 years is to stay at the forefront of cyber technology and help customers stay agile, Kalil says. “The next 20 years are filled with innovation and agility.”

Just over a year ago, AIS launched AssuredTek, a cybersolutions company in the data-protection field. Before that, it acquired cybersecurity firm GreyCastle Security in 2016 as part of its initiative to grow its “ecosystem” into new areas.

Business cybersecurity often involves paying attention

Banks & Credit Unions, Insurance & Financial Services, Subscriber Only, Technology

DeWITT, N.Y. — Protecting your money takes a lot more than an alarm or guard at the bank or shielding your PIN when you enter it at the ATM. This is especially true for businesses as more financial transactions take place in cyberspace. Businesses often notice bad transactions weeks after the fact, says Daniel Cardi,

Already an Subcriber? Log in

Get Instant Access to This Article

Become a Central New York Business Journal subscriber and get immediate access to all of our subscriber-only content and much more.

Learn More and Become a Subscriber

Businesses often notice bad transactions weeks after the fact, says Daniel Cardi, AVP and corporate security officer for Community Bank, N.A. in DeWitt. The number-one thing business owners and managers can do to avoid the fallout from such transactions is to pay attention, he adds.

That means staying up to speed on account activity and recognizing things outside the usual pattern of activity. Scammers often try to mix things into normal transactions, so those in charge of finances should keep a close eye on unusual patterns, he adds. Paying attention means a business can lock down a credit card or bank account as soon it sees something out of the ordinary to prevent any further fraud or loss.

Businesses should also educate employees of the dangers of phishing, according to Cardi. “We’ve seen a lot of commercial customers [who] receive these scam emails,” he says. These emails present as things like a bill that’s due, but the email might note that the original payment method didn’t work and include a link for providing a new payment method. If an employee clicks the link and inputs the company credit-card information, the scammers now have that data, he says.

It’s important to scrutinize every email and look for clues that show it’s fake, including unusual fonts, misspelled words, or names that are slightly different, Cardi says. “If you don’t feel right about it, we’re happy to do the work and check it out,” he adds.

Businesses are often aware of some of the most basic protections such as creating difficult passwords to protect accounts, Cardi says, but may fall short on things like periodically updating those passwords or making sure the software on their computer is up to date. Good antivirus software is also important, as is making sure your bank has updated contact information for your business in the event it needs to reach you, he adds.

Another thing to remember is that not all points of vulnerability are at the end of a computer. Cardi urges customers not to write checks if they don’t have to, especially since they are vulnerable at three points — in the mailbox, during delivery, and at the final destination. Something as simple as tossing a check into the trash after mobile depositing it could open the door to criminals who can image the check and sell that image on the dark web, Cardi says.

If your business must use checks, he has a few recommendations. First, make sure to shred checks as soon as they aren’t physically needed anymore. Second, he recommends routinely changing out check stock.

“Change up the colors, switch the font,” he says. “Make it difficult for the bad guys.” Doing these things even just a few times a year makes it that much harder for fraud to happen.

Finally, Cardi says, don’t be afraid to reach out to your financial institution for help.

Headquartered in DeWitt, Community Bank was recently named one of Newsweek magazine’s most trusted companies and has more than $15 billion in assets with more than 220 branches across New York, Pennsylvania, Vermont, and Massachusetts. Parent company Community Bank System, Inc, (NYSE: CBU) also operates Benefit Plans Administrative Services, Inc. (BPAS); Community Bank Wealth Management; Nottingham Advisors, Inc.; and OneGroup NY, Inc.

VIEWPOINT: Good cyber hygiene is essential to your personal and business information

Business Mentors, Health Care, Subscriber Only, Technology

Early in the COVID-19 pandemic, sanitation and hygiene took center stage. We saw long and detailed news articles on proper handwashing techniques, accompanied by soap shortages across the country. With this still in our collective conscience, it may feel strange to think about cyber hygiene, but it’s a vitally important concept for both businesses and individuals.

Already an Subcriber? Log in

Get Instant Access to This Article

Become a Central New York Business Journal subscriber and get immediate access to all of our subscriber-only content and much more.

Learn More and Become a Subscriber

Cyber hygiene, also known as cybersecurity hygiene, is defined as a set of practices performed regularly to maintain the health of computer systems, devices, networks, and data. Like proper handwashing, cyber hygiene works best when it is practiced all the time.

Cyberthreats are increasing at a dizzying pace, and bad actors find ways to circumvent security protocols almost as fast as they can be developed. This can seem discouraging, but we all need to keep in mind that many tried and true steps are our best line of defense.

If I were forced to pick just one cyber- hygiene item to highlight, it would be multifactor authentication, or MFA for short. Every individual and business should enable MFA everywhere it is an option — as soon as possible. MFA is exactly what it sounds like — in order to access a system, program, or account, users must provide multiple authentication factors. An example of MFA is a login to an account that requires you to sign on using your username and password, but before you can access the data, you must provide a code that is sent to your mobile phone — a code that should never be shared with anyone, as that would allow for unauthorized access to any of your accounts.

In other words, cybercriminals would have to not only know your username and password, but they would also need to be in possession of your cell phone in order to get into your account. Although that scenario isn’t impossible, it is unlikely. This is why MFA is considered the gold standard in basic account security. The first thing you do after reading this article should be to investigate where across your digital profile you are able to activate MFA — and then do it.

For businesses, one of the biggest cybersecurity lapses we see is the sharing of usernames and passwords. This lapse is frequently paired with either a publicly displayed (post-it note on a monitor) or easily discovered (post-it note poorly hidden) disclosure of a username/password combination. This is horrible cyber hygiene and very risky behavior.

Businesses large and small engage in these sorts of risky practices in the name of speed and efficiency. Small businesses, where employees are asked to wear many hats, are particularly vulnerable. Criminals are aware of this and will exploit it when and where they can.

Every business should adopt what is known as “the principal of least privilege.” This is a formal way of saying that only those who need access to certain programs and systems should have that access. Do not spread access rights around to all employees. Assign specific roles to the people who need access — and enable MFA to ensure they can’t share that information with others.

It might seem time-consuming to assign separate usernames and passwords and require all employees to use MFA, but it is essential to shoring up your defenses. And it is increasingly required by business-insurance policies. Put another way, if you think setting up MFA is time-consuming, compare that to the headache of a repairing a cyber breach — notifying customers, the potential for having your company’s data held hostage via a ransomware attack, the loss of public trust, and the need to overhaul your entire data network following an attack. If MFA can prevent any of that, it’s worth the additional few seconds it takes to activate and use.

Just like handwashing, taking the time to set up practices that keep your data safe is a good idea, and can protect the health of your systems. Once you are in the habit of using these best practices, they’ll feel routine rather than invasive — and they’ll help to keep your personal and business information out of the hands of cybercriminals.

Terra Carnrike-Granata is senior VP and senior director of information security at NBT Bank, where she designs and implements sophisticated controls to prevent loss and mitigate risk, while also developing innovative ways to educate consumers and businesses on cyberthreats.

Rome Lab’s chief of protocol retires

Employee Benefits & Human Resources, New York News, Nonprofits, People on the Move, Regional News, Technology

ROME, N.Y. — James Ray, the U.S. Air Force Research Laboratory’s (AFRL) chief of protocol, retired on July 1, wrapping up three decades of service

Binghamton University Ross Fund awards $24K to support collaborations with local nonprofits

Health Care, New York News, Nonprofits, Regional News

VESTAL, N.Y. — Binghamton University’s Stephen David Ross University and Community Projects Fund has awarded $24,000 in three grants to support initiatives involving collaborations between

Operation Oswego County’s Treadwell to retire at year’s end

Employee Benefits & Human Resources, Law, Accounting & Taxes, Nonprofits, People on the Move, Regional News, Small Business, Sports, Entertainment & Tourism

OSWEGO, N.Y. — After nearly 40 years of leading Operation Oswego County, Inc., L. Michael Treadwell plans to retire as of Dec. 31 of this

Get our email updates

Stay up-to-date on the companies, people and issues that impact businesses in Syracuse, Central New York and beyond.

Get our email updates

What's New

Upcoming Events

Project Homecoming Job & Career Fair 2025

Annual Nonprofit Conference 2026

2026 CenterState CEO Economic Forecast Breakfast

CNYBJ Job Board

Get Instant Access to This Article

Get Instant Access to This Article

Get Instant Access to This Article

Get Instant Access to This Article

Get Instant Access to This Article

Get Instant Access to This Article

Get Instant Access to This Article

Get our email updates