Cybersecurity Panel Boston 9/15/2016
On Thursday, September 15, 2016, the WITI Boston network welcomed a panel of speakers to discuss IT's most urgent challenge: cybersecurity. Cyber crime can affect its victims in a multitude of ways, including data theft, sabotage, disabled systems, denial of service, and extortion. It's estimated that cyber crime costs the global economy over $400 billion per year.
Thursday's discussion was facilitated by Candy Alexander, CISO and Cybersecurity Consultant, and included: Michelle Drolet, CEO and Co-founder of Towerwall; Janet Levesque, CISO at RSA, the Security Division of EMC; Gary Miliefsky, CEO of SnoopWall, Inc.; and Patty Patria, CIO of Becker College.
Panel members discussed the importance of prioritizing an organization's most critical assets and ensuring they are protected. While ideally one would like to protect all assets, the nature of cyber crime has become so insidious that most organizations will find it too expensive and resource-draining to do so. Therefore, organizations must at least identify their most critical infrastructure and put a plan in place for how they will mitigate risk, ensuring their plan encompasses the Four Ds: to detect, deter, defer, and defeat cyber crime.
A productive first step is to implement data encryption to protect important data, so that if it is intercepted by unauthorized parties, their ability to access the information is significantly reduced.
In addition, adoption of a framework such as the Cybersecurity Framework is vital to mitigating risk. The Cybersecurity Framework was created through collaboration between industry, academia, and government agencies headed by NIST (National Institute of Standards and Technology, U.S. Department of Commerce), and consists of standards, guidelines, and practices to institute protection of critical infrastructure.
In the United States, cybersecurity regulations have been put in place to encourage organizations to invest in measures to protect their systems and data from cyber-attacks. In addition, state governments have adopted measures to increase the public visibility of firms with weak security that have been breached. The intention is to incentivize organizations to adopt cybersecurity measures voluntarily, to avoid the potential loss of reputation - as well as the economic loss - that can result from a successful cyber-attack. Panel members noted that organizations with plans in place are generally not fined as heavily as those with no cybersecurity policies.
Perpetrators of cyber crime are both creative and persistent in developing new methods of cyber-attack. Panel members talked about information released recently by the World Anti-Doping Agency revealing that a Russian government hacking group accessed a database containing confidential medical data and drug-test results from the recent Olympics event in Rio de Janeiro. The hackers used a "RAT" - a "remote access Trojan" - to penetrate the system, using a "spear-phishing" tactic, which relies on a user opening an email he or she believes is from a trusted source.
To that end, panel members stated that organizations need to become much more proactive in educating their users about the potential methods by which hackers can penetrate IT systems. Currently, organizations don't spend a lot of money on educating their users about such things as clicking on links that let hackers in, which opens a large fissure in cybersecurity efforts.
In addition, many cyber-attacks obtain individuals' private information, allowing it to be used in nefarious ways that affect people personally. Helping users to realize that cyber crime can affect them, their parents, their kids, and other members of their family may raise awareness of the need for caution at all times, given that we're a society dependent on a computer infrastructure.