From social media manipulation capable of impacting national political outcomes to systemic phishing attacks with catastrophic financial and personal data implications, individuals and institutions have never been more vulnerable to security breaches.
Despite the alarming and unprecedented nature of recent compromises, however, the greatest risks posed to institutions aren’t necessarily what you might think. Effectively fortifying an institution and its stakeholders against security vulnerabilities today requires a strategic mix of high-tech safeguards and low-tech operational solutions. Three experts, from cybersecurity, cloud management and the CIO corner office, reveal that adequately safeguarding yourself today isn’t about buying a single tool to solve security issues, but about drawing on a combination of solutions.
Security risk one: people
“Everything starts with people,” says Chris Carter, VP of channels, Americas at FireEye, an intelligence-based cybersecurity solutions company that works to detect and respond to cyberthreats in real time. “Most attacks and hacks begin with a human at the company making a mistake. Employees need to be trained to understand the critical nature of threats and the role they perform in cybersecurity. For example, training employees to be more security-aware and suspicious of things like emails they weren’t expecting is imperative. Receiving branded communications out of the blue from otherwise trustworthy sources like the IRS or their bank should give employees cause for pause. Despite the appearance of legitimacy, end users should trust but verify when something comes to them randomly. If it comes from a trustworthy source, call them to confirm it’s legitimate before clicking any links within the email.”
Element Solutions founder and CEO Venkatesh Korla agrees. “I personally think the largest security vulnerability is people. We all think we’re invincible. Whether it is an airplane safety demonstration detailing what to do in the event of a crash, or the posted fire evacuation instructions in your hotel room — we don’t pay attention. Cybersecurity is no different. The hardest thing to do is train people in all the ways they could inadvertently release information.”
Working in the eye of the cyber risk storm as the cloud management and digital innovation right arm for large enterprises around the world, Korla spends his days taking into account all the different ways that would-be attackers can hack into systems. Drawing on these insights to resolve the very real attention deficit challenge around cybersecurity, he suggests employing gamification to increase employee security awareness company-wide.
“Many companies hold a two- to three-hour security training and test employees immediately following the session. As soon as they leave the room, they forget the content. A better solution is conducting ongoing security training in an engaging game format with random survey questions that delivers bite-sized information for easy consumption. Far more impactful than saying you shouldn’t do this or that related to cybersecurity, gamified lessons highlighting the business and personal impact of security breaches with built-in tips and feedback help people remember.”
The leading elements of Korla’s suggested employee security training program include an ever-present awareness of where employee devices are, laptop and password keychain encryption, and two-factor authentication for cloud services.
Security risk two: cloud security
“Security of the cloud is another major vulnerability,” shares Carter. “Cloud computing is still relatively new. You’re going outside your domain, working with cloud vendors, and there are inherent challenges securing that environment. The big focus of a lot of our customers has therefore been securing their cloud applications.”
Beyond the limitations of nascent-stage cloud security, how might companies be leaving themselves open to this vulnerability? “Outdated network applications are something we frequently see during client site security investigations,” shares Carter. “Substantial vulnerability stems from companies not keeping their applications up to date by applying vendor software updates. Hackers directly focus on exploiting the vulnerabilities of outdated apps as an easy ‘in’ to accessing larger networks. While it seems like a very simple practice that should be part of the normal operating rhythm of an IT organization, these updates fall through the cracks because IT teams are frequently shorthanded and distracted by competing priorities.”
Thankfully, technology alignment can go a long way in resolving the myriad vital IT updates that can easily — and often do — fall through the cracks.
“Effectively filling every gap of vulnerability across each segment of a company’s technology operations is a tall order,” says Carter. “As companies strive to shore up their defenses, many opt to consolidate their toolsets in order to make their technology ecosystem easier to manage. In lockstep with this consolidation, it’s vital to align yourself with the right vendors and the right solutions for your company’s specific ecosystem security needs. Among the ecosystem components prime for alignment are an email security solution, a solid endpoint connection to Local or Wide Area Networks (LAN or WAN, respectively), strong Virtual Private Networks (VPNs) to enable safe connections to the primary managed network and firewall, and companion network component solutions to fortify security.”
Highlighting the growing number of devices to protect in the workplace, Korla shares, “While cloud-based Mobile Device Management (MDM) platforms exist from various vendors, most companies don’t use them, which is a missed opportunity. As the world moves to a BYOD (Bring Your Own Device) model of mobile technology in the workplace, they should also focus on controlling the data that lives on those devices to protect themselves. Adding these devices to an MDM solution and managing them remotely in the event of device theft or loss is a solid strategy.”
To mitigate Big Brother concerns among employees while toeing the fine line of exerting control over personal devices, he adds, management segmentation is an option. “It’s possible to segment the controls of only the applications and data related to company business from personal apps and data, empowering you to erase proprietary business emails and shared files only in the event of device compromise.”
Security risk three: overt hacking attacks from home and abroad
As evidenced by the growing interest in the U.S. digital grid by various international hacker communities, cyberattacks by foreign concerns are a real, looming threat. Most eye-opening, however, is that this grade of criminal activity is carried out through rather simple means — from manipulative social media messaging to phishing emails.
“Email has become the leading criminal attack vector,” says Rick Merrick, the CIO responsible for five colleges and a 150-person system office at TCS Education System. “The Hollywood version of cybercrimes, with a team of hacking nerds banging away behind PCs in the middle of the night, finding system vulnerabilities and secret corporate databases is not how it typically happens.
“Email attacks have become so pervasive because criminals have figured out that employees are the weak link in the chain,” he continues. “People simply don’t take the time to study every email to determine its legitimacy. They click links they shouldn’t, unintentionally giving criminals direct access to enterprise networks and all the IP and trade secrets they can handle. Add to that the fact that personal mobile devices aren’t as secure as they need to be, and it’s clear why the volume of email attacks is prolific.”
Conceding that there will always be a new way to get in, he reports that the bar for breaches is at least higher now, as most organizations have hardened their perimeters through firewalls and other protections. Beyond employee training in the form of test phishing emails to reduce the human error underlying most breaches, Merrick recommends that companies employ a series of protections to up the ante of their cybersecurity pursuits.
“A third-party security assessment is critical as part of a multi-year cybersecurity strategy to lay out the right program for your specific company and the required investment,” he says. “Included as part of that strategy should be firewalls, end-point protection systems and software, next generation anti-malware tools that proactively assess network devices to lock down those that are vulnerable, and multi-factor authentication protocols.”
The reality is that the more reliant we become on technology as a society, the greater the risk we assume in a cyberattack. However, the solution to fortify ourselves against these attacks isn’t simply layering on more technology, explains Carter.
“Once you become infected by an attack, it will spread across your entire network if not stopped. If the entire network is compromised, the most dramatic way to stop the proverbial bleeding would be to remove your company from the internet altogether. Given that almost every company is using some internet or cloud-based platform to fuel their operations — from websites and online sales to email communications — it would be impossible to survive long-term as a company by responding that way. It just is not an option.”
Based on this, the response to this risk must be preemptive. Much better hacker detection through sophisticated intelligence with rich context around network security events, alerts that give internal teams more prescriptive information, and automated responses that offer quick problem isolation are the fastest track to more rapid remediation.
Hiring expert staff dedicated to cybersecurity concerns tops the list of preemptive solutions. But those experts are difficult to find, says Carter. “Access to the dedicated expertise you need is a difficult thing today. Based on current demand, there is somewhere in the neighborhood of 50,000 unfilled, full-time cybersecurity roles in the market right now. Where they can’t hire the expertise full-time, a lot of companies are turning to consulting firms and third parties to provide that expertise.”
Next on the list of preemptive solutions to mitigate hacking risk is advance insight into emerging threats. Carter shares, “You have to become much smarter about the current threat landscape to protect yourself. To be truly effective, the aligned technology you’ve onboarded needs to be constantly updated in real time to respond to the latest malware being utilized by hackers and their new entry modes of operation. For the most potentially debilitating cyberthreats, access to good, nation-state grade intelligence is critically important to building your security defenses.”
Firms of this caliber offer companies the chance to gain real-time updates on what’s going on in cyberspace to help them detect and thwart nation-state grade attacks.
Security risk four: supply chain integration
“An increasingly integrated supply chain continues to be a security risk for companies,” says Carter. “Because neither we as outside consultants, nor companies at the top of the supply chain, can pick every product solution and tool the rest of the chain adopts, or person they hire, we can’t entirely control the security strategy or practices of the integrated whole. The best we can do is work to influence it.”
Take a company that sells appliances, for example. As part of their standard operations, they outsource the manufacturing of individual components used to build the appliances they sell. In the course of this efficient outsourcing relationship, the component supplier shares systems access with the appliance company to ensure component supply will be there when needed, and avoid instances of oversupply.
With open access to systems that facilitate inventory tracking, vendor invoicing and electronic funds transfer, the appliance company is vulnerable not only to its own potential system breaches, but also to the component manufacturer’s approaches to security. Risk continues to grow with the addition of the manufacturer’s subcontractors and their own operational systems. If anyone within the integrated supply chain becomes infected by any means — from an uneducated employee clicking a phishing email link, to overt network hacking by a malicious third party — the entire integrated supply chain network becomes compromised.
The cost of these compromises can be substantial under any one of three common hacker objectives: stealing money by gaining access to your account controller system; accessing valuable intellectual property spanning proprietary product solutions, trade secrets and business plans; or obtaining personnel information to steal from employees, using their bank accounts and identities. To mitigate this potential damage against the risk-filled supply chain environment that offers little control, early detection remains the best defense. Employing the same strategies recommended for overt attacks, including a strategic installation of firewalls, software, anti-malware and third-party security consulting is advisable.
What’s the price tag for all this armor?
Against the backdrop of these looming cyber risks, does ensuring company and individual security have to be expensive? Not necessarily, say the experts.
While they’re certainly not free, the cost of cybersecurity platforms is nothing compared to the cost of a successful attack. No matter their size, all companies are at risk of losing significant time and money in the course of a cybersecurity event, ranging from several hundred thousand dollars to millions in illegal bank account transfers for larger companies.
“The level of investment in cybersecurity is really a question of risk that belongs in the same conversation as enterprise risk management,” says Merrick. “What are the risks and consequences of being hacked? For some companies, it may not be the end of the world. For those with classified information that could be leveraged to build weapons or inflict mass harm — like a military supplier or airplane manufacturer — it may be the difference between life and death. Most companies fall somewhere in the middle. How much to spend should be based on your understanding of risk, and be proportionate to your own.”
While those investments might not come at a discount, the value they offer can be tremendous against the rapidly evolving strata of risk in today’s cyber environment.