In today’s cyber world, the likelihood of a breach has shifted. It’s no longer if you’ll be attacked, but when. All organizations, no matter the size, are vulnerable to data loss from a cyber attack. In fact, 38 percent of companies are attacked again after a first attack. A skilled attacker has access to a compromised network for a median of 243 days as they ravage systems, flying under the radar, stealing customer information, trade secrets, and financials.
To discuss how companies can prevent breaches, an Enlightened Speaker Series event was held in Houston. It included Art Conklin, the director of the Center for Information Security Research & Education at the University of Houston; Michael Farnum, a practice principal at Hewlett Packard; and Vid Sista, the Security Practice Director at Accudata Systems.
The most important part of cyber security? The people. “When you hire a Chief Information Security Officer, they will look at the organization, look at your goals, review business units, and review risks,” Farnum said. “You don’t know what your goals are until you put somebody in place.”
Conklin cited Target’s well-publicized security breach. “What was the CIO’s experience?” he asked. “It was marketing, not IT or information or how information could better run their business.” In the case of the CISO – Chief Information Security Officer, whose job it is to protect information – “They didn’t have one,” Conklin said.
A CISO will help determine what you want to protect, Sista said. He used BYOD (Bring Your Own Device) as an example. The first thing to do, he said, is determine who should be able to access the product, what data is most essential, who should be allowed to access the data, and where it should go.
“There are some of those three letter agencies that I work for where I can’t even bring in my Fitbit into a building,” Conklin said. “A Fitbit is a pedometer, but it’s electronic and their policy is nothing electronic comes into the building.”
In other cases, some employees must have open access to information. Salespeople, for example, might need to see sensitive information in real time. In fact, a salesperson might need broader access rights than the company’s CEO.
“Once you define those things, there will be a technology out there that will get you to where you need to be,” he said. “Without the policy and a CISO that will help define that security policy, you won’t be able to find the right technology.”
The right person will have knowledge of your industry, too. A CISO in the banking industry will have a different skill set than the one who is right for manufacturing, or health care.
“The bad guys out there are trying to steal your intellectual property, and the CISO needs to understand what that is,” Conklin said. “You won’t hire a CFO who knows nothing about your industry, would you?” He said the person in information security needs to have some information and experience about the industry.
But information security officers with that kind of industry-specific knowledge come at a premium. “The CISO for Chase has a seven-figure income and that doesn’t count bonuses,” Conklin said. “Target is paying $450,000-$500,000 for their CISO.” For most companies, the salary of a CISO will be in line with that of a CFO. “It’s technology skills versus finance with the same level of responsibility,” said Conklin.
“I would add you should ask the people on the line about the value of the data they use,” Farnum said. “IT doesn’t own all the data – the legal department owns the legal data, and they are in charge of telling me who has access. I don’t determine that, they do.”
Farnum also noted that a CISO who is nothing more than a figurehead can easily get a company into trouble. A figurehead would do “security by compliance,” checking boxes to indicate certain measures have been taken. But in the case of PCI DSS – the credit card security standard – if one breach happens, that company is out of compliance. And a company out of compliance is automatically held to a “Tier One” standard – the same as a large company. “If you start focusing on compliance only, you’ll get into trouble,” Farnum said.
Keeping up with what’s happening in the world of threats is not realistic, Sista said. What can be done is to “shrink the world.” Concentrate on the critical data within the company. “You don’t have to be the fastest guy, you just have to be faster than the bad guys,” he said.
It’s also important to look at just how much risk is acceptable. If something costs a million dollars to protect, it might be worth it. Not so much for an asset worth only $100, Sista said.
A simple way to start approaching security is to consider the kinds of programs computers are allowed to run, and websites employees are allowed to visit. Many companies “whitelist” programs and sites. If blacklisting is the blocking of certain things, whitelisting is approving ahead of time what will be allowed. It’s tempting to whitelist everything, Sista said, but that might not be a wise course of action.
“If you are in the oil and gas business and you’ve got process control systems,” Sista said, “and there is a very specific function for this computer and you should only run one application on this PC, whitelisting is a great idea, because that device should not be able to surf the web.”
Another simple measure is to patch the system. “Patching” means applying the updates that fix known vulnerabilities. Conklin said systems can be set up to stay patched automatically. “Having a process in place to patch your system via upgrades will improve your system,” he said, “and that’s as easy as locking your door.”
Network segmentation is a low-cost way to improve security, Sista said. Only the minimum amount of access should be allowed for a person to do their job. He suggests a “hard shell” be put around critical data, then the company can decide which users can access which databases based on what they need to do their jobs.
“We also need to spend money on educating people,” Sista added. “If you educate your users on moving a mouse over the URL and the address is not a match, they need to send that email to the IT department.” If employees understand the data they are protecting is sensitive data, they will be less likely to circumvent security controls, he said.
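The “hover over the link and see whether the address matches” habit Sista describes can also be automated on the mail gateway. The following is an added example, not code from the panel or from any product, that parses an HTML e-mail body with the Python standard library and flags every link whose visible text names one domain while its href points at another; the e-mail body and its domains are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

def host_of(text):
    """Lower-cased hostname if text looks like a URL or bare domain, else None."""
    text = text.strip()
    if "://" not in text:
        text = "http://" + text  # bare domain such as www.examplebank.com
    host = urlparse(text).hostname
    # Require a dot so anchor text like "click here" is not treated as a domain.
    return host.lower() if host and "." in host else None

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text)))
            self._href = None

def mismatched_links(html):
    """Return (shown_host, real_host) for links whose displayed domain differs from the target."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        shown, real = host_of(text), host_of(href)
        if shown and real and shown != real:
            findings.append((shown, real))
    return findings

# Constructed sample e-mail body (placeholder domains, not real indicators).
SAMPLE_EMAIL = (
    '<p>Verify your account: <a href="http://login.example-bank.invalid/">www.examplebank.com</a></p>'
    '<p>See <a href="https://intranet.example.com/policy">intranet.example.com</a> or '
    '<a href="https://intranet.example.com/help">click here</a>.</p>'
)
```

Only links whose anchor text itself looks like a domain are compared, so ordinary “click here” links produce no finding; a message with any mismatch is the kind users are being asked to forward to IT.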
Sometimes systems are breached through “social engineering,” or fooling someone. If someone calls up at tax time and claims to be from the IRS and is looking for money the company owes, they might really be trying to get bank account information. Or if someone sends an email to the CEO and gets an out-of-office message, they might know there is an open window for fraud.
But even tricks like “tailgating” can be effective, said Farnum. That’s when a badge is needed to enter a building, and someone follows a person in without having a badge. “If you see someone in the hall and you don’t recognize them, walk up and ask if you can help them and find out where they are going,” Sista said. “Should they really be there?”
Their final piece of advice? “Everyone who runs a company is not unfamiliar with risk – don’t look at IT security any differently,” Farnum said.
Conklin agreed. “Cyber-security is just like every other risk in your business – have a professional organization built around that set of risks.”
And from Sista: “There’s an IT security shortage in terms of technical talent, so if you don’t have the talent in house, hire external talent.”