This summer, the team at ffVC hosted our Insight Forum: Spotlight on Cybersecurity, a panel event gathering top cyber experts for a wide-ranging discussion on the current and future states of cybersecurity. Topics ranged from how organizations and consumers can mitigate vulnerability to the future of attacks related to IoT devices, blockchain and cryptocurrency, autonomous vehicles, and more.
Here we’ve distilled the discussion into six key insights for your organization as you consider ramping up cybersecurity-preparedness. Check out the video above or here to see the panel discussion in full.
1. Basic Education | Educate everyone within your organization about the risks and best practices for computing in the age of near-constant cyber attacks.
Because of the fast-changing and complex nature of attacks, it can be quite difficult to keep a team of tens, hundreds, or thousands up-to-date and educated on proper security measures. Our panel agreed that one of the most glaring threats to an organization of any size and in any industry is a simple lack of basic cybersecurity education. We’re not talking about a detailed knowledge of technical concepts; many don’t even know how to create a secure password.
The Takeaway: Cyber attackers look for a way into your systems. You, and even the majority of your employees, might be proficient in protecting your data from hackers, but how about that new hire? It’s important to ensure that every person with access to sensitive company data be educated. What kind of education is necessary? Ideally, a solid understanding of risks/threats/protective measures, but where organizations are widely and drastically underprepared, even a basic knowledge is better than nothing. Proper encryption, two-factor authentication, and timely software updating are some of the easiest things to stress to employees. At the end of the day, company management needs to buy into these efforts before they can reasonably expect their employees to follow suit.
2. Testing Your Systems | Implement penetrative (“pen”) testing and hire the right talent to catch vulnerabilities early.
Penetrative testing is a form of ethical hacking: essentially paying hackers to intentionally attempt to infiltrate your systems. When they succeed, your coders note the flaw and patch it. Over time, this practice is one of the most effective ways of preventing attacks on your network. Simply trusting your engineers to find and fix their errors is not enough, panelist Michelangelo Sidagni (CTO, NopSec) noted, as most “don’t even know the basics” of cybersecurity. We’ve all heard the stories of companies like Apple hiring hackers with a history of successfully attacking their systems, and this is the reason. Coders who can pen-test your system, or at least those with a knowledge of cybersecurity are most valuable. Explains Michelangelo, “making mistakes is part of being human, but the proper practice of companies is to set up procedures so that when mistakes are made, they’re caught and fixed.”
The Takeaway: Pen-testing is much less expensive than most are aware of, and it is incredibly effective. We’ve seen a massive rise in the demand for engineers over the last decade, but coders with security expertise are especially in-demand ( Frost & Sullivan expects a shortage of 1.5 million cybersecurity professionals by 2020). Seek out and hire these engineers.
3. Organizational Design | Implement strategic policies in the physical world that reduce the risks of an attack.
Panelist Jessica Robinson (CEO, PurePoint International) stressed the importance and effectiveness of non-tech security measures. Reducing online communication can mitigate the effects of an attack by decreasing the sensitive material being shared with hackers. With so much of our lives being taken online, we often don’t realize that the massive increase in shared online data has contributed to the rise in cyberattacks; get creative in finding ways to minimize the information you’re putting out there.
The Takeaway: Seat employees who have significant communication closest to each other so they can “take it offline” more often. Encourage them to get up and talk to employees ten feet away rather than send a message. Designate email-free hours, where you and your employees commit to communicating in person. Institute a bring-your-own-device policy to reduce the number of access points on your network. The less room for vulnerability, the better.
4. The Cyber Gap | Bridge the gap between IT and cybersecurity.
Our panel noted that oftentimes, IT professionals and cybersecurity professionals are not the same people and do not have the same skillsets. This should not be the case. The employees who are responsible for constructing and maintaining your network should also know how to keep it secure. Unless your organization has a dedicated team of security professionals, who else is going to keep your systems safe?
The Takeaway: Make sure your IT employees are well-versed in cybersecurity. If you don’t have the budget to educate every employee (which should be a major priority), at least invest in education for these specific employees.
5. Update, Update, UPDATE | Make sure you take advantage of free security updates.
The Microsofts and Apples of the world don’t release security updates just for the fun of it. Most companies will, on average, only do what’s minimally required of them from a security standpoint. If a developer releases a security patch for your software, install it immediately.
In certain cases, an update is not feasible. For example, many hospitals were unable to install the patches released by Microsoft that would mitigate the WannaCry attack because the patch could interfere with their hardware systems (which are usually pretty old as it is). A bug that causes problems with their equipment could be the difference between life and death for patients, which poses a specific challenge for the healthcare industry.
The Takeaway: Short of a life-and-death situation, cybersecurity should be a top priority. Panelist Tad Mielnicki (Partner, Access Advisory Group) noted that not installing a security update for reasons like “it might mess up my calendar” is not an excuse to forego an important update.
6. The Cost of Doing Business | Invest in cybersecurity now or it will come back to haunt you.
It’s considered highly irresponsible not to invest in cybersecurity in 2017, not simply because it could hurt you, but because it could also hurt your customers. Attacks like the ones we’ve seen in the past few years will only become more prevalent. The cost of not investing in cybersecurity is your data — and your customers’. Michelangelo used the example of children’s toys: parents and companies are constantly concerned with small pieces that may easily break off or contain hazardous materials, but what about the technology inside being hacked? Especially as IoT devices become increasingly popular in our homes and our cars, the companies that manufacture these devices need to do a far better job of securing them.
The Takeaway: Beyond protecting your organization, the panel agreed that we as consumers need to become better educated. With the rise of autonomous vehicles and invasive technologies like wearables, IoT devices, and under-the-skin computers , cyber threats are coming more and more likely to affect our physical as well as our digital lives. As much as organizations need to secure their products and internal infrastructures, we need to be more informed internet users and consumers as more and more of our lives are taken online, and especially when we purchase connected products that may pose security threats.
Cyber threats will only become more pervasive and more advanced, and our panel concluded it’s clear that as a society, we need to become smarter about how we handle our data.