Fighting cyberthreats is job of everyone on a keyboard

CYBER CHALLENGE: Panelists at the Cybersecurity Summit hosted by Providence Business News at the Crowne Plaza Providence-Warwick on Dec. 8. From left, Peter Nelson, co-founder of NetCenergy LLC; Francesca Spidalieri, senior fellow for cyber leadership at the Pell Center at Salve Regina University; Timothy J. Edgar, academic director, executive master in cybersecurity and fellow, Watson Institute for International & Public Affairs at Brown University; and Stephen Ucci, counsel from Adler Pollock & Sheehan PC and a member of the R.I. House. / PBN PHOTO/MIKE SKORSKI
In the complex and shadowy world of cyberfraud, the employee sitting at a keyboard is both a company’s weakest link and first line of defense.

This person is a weakness because a single careless click in the daily tsunami of incoming mail can usher in a spy or bug, maybe leading to millions of dollars in liability and even the destruction of a company.

Employees are the strongest defense because – with training – they are more able than any machine to spot tiny nuances in communications that wave a red flag.

These were among the warnings by a panel of experts at the Providence Business News Cybersecurity Summit on Dec. 8 at the Crowne Plaza Providence-Warwick in Warwick.

One handout quoted Jeff Raynor, a national-caliber expert who has worked with the federal Department of Homeland Security: “Cyberspace is a single point of failure and we’ve hooked everything up to it.”

The destructive potential of malevolent actors who enter business or government computers to steal or disrupt is staggering. Every 60 seconds, a half-million attacks occur in cyberspace, according to NetCenergy LLC, whose co-founder, Peter Nelson, was on the panel.

The costs for a business to clean up a security breach are huge, amounting to hundreds of dollars an hour in legal fees, forensics work, crisis management, notification to victims and resolution of identity theft cases.

Experts on the summit panel said two pillars of defense are preparedness and vigilance. Equally important, panelists said, is for the C-suite to send out the message that cybersecurity is the responsibility of everyone in the company. It is a mistake to drop the job into the hands of the IT department and consider it done.

“The tone comes from the top,” said Jeffrey Ziplow, a risk assessment partner with BlumShapiro. “The C-level needs to address everyone in your company.”

Kevin Tracy, a marketing executive for Bank of America Corp., said, “Prevention requires security education and ongoing training. It is really about the company working together and collaborating. This is not an IT issue; it is across the board.”

Timothy J. Edgar, academic director and a fellow at the Watson Institute for International and Public Affairs at Brown University, noted that most people don’t have an intuitive understanding of cybersecurity, the way we automatically understand locks and keys and alarms.

Companies must have a plan in place to block cyberattacks and to mitigate the damage if they should happen.

Examples of common cyber malice include attacks by ransomware, malicious software that blocks access to a computer system until a sum of money is paid. Another is phishing, in which attackers send an email, for instance, posing as a real person in authority and requesting that a payment be made.

Companies can institute defensive measures, and it all starts with planning. Important actions include: increasing cybersecurity awareness and education throughout the organization; refraining from collecting unneeded data and then disposing of data when it’s no longer needed; encrypting private personnel data; backing up all information for retrieval; and using strong passwords.

In addition, organizations should conduct risk assessments; know where the company’s most important assets are found; and monitor for early detection of problems, especially since cybercriminals now are entering systems and sitting there, invisible, for weeks or months.

Finally, enterprises should have a response and continuity plan if an attacker gets through, including public information messaging.

Much of our data now sits in the cloud, a network of remote servers hosted on the Internet to store, manage and process data – in contrast to a local server or a personal computer.

In answer to a question about whether cloud computing is secure, panelists leaned toward a positive view of the practice.

“Cloud computing is great for many organizations,” said Ziplow. “It can provide a boatload of security.”

Nelson, of NetCenergy, noted that even when a company’s data is stored in the cloud, the company still is liable in the case of a security breach.

It is important to carefully vet the server company that places your data in the cloud, and to validate the security practices of that company. This is the case for all vendors and subcontractors. (People still vividly remember the hack of Home Depot in November 2014; hackers got into the system by stealing a password from Home Depot’s HVAC vendor.)

Security also extends to the motivations of a company’s own employees. Tracy’s preparation list included doing background checks on new hires to block the Trojan horse.

Our country generally has a shortfall of trained professionals working on cybersecurity and that is a golden opportunity, said Francesca Spidalieri, senior fellow at the Pell Center for International Relations and Public Policy at Salve Regina University. She said 209,000 cybersecurity jobs are vacant now in the United States (out of 2 million nationwide). Further, 84 percent of organizations believe that half or fewer applicants are qualified for open security jobs.

Salve Regina University offers a graduate course on cybersecurity, as does Brown University. Spidalieri said the shortfall of specialists presents an opportunity for developing this industry in Rhode Island, where elected officials already strongly promote cybersecurity education.

“You don’t have to be a computer geek,” she said. “We also need legal and managerial expertise.”

Panelist Stephen Ucci, a lawyer with Adler Pollock & Sheehan P.C., said he had been talking earlier with a young man from The Metropolitan Regional Career and Technical Center. “The newer people in the workforce understand this,” Ucci said. “Don’t be afraid to expand your team.”

Where threats exist, insurance companies follow. To a question about the need for cyber insurance, Ucci seemed to lean toward specialization of insurance. “You need to have your insurance company as a partner to work on [cybersecurity] issues with you.”

Ucci said Europeans have a much more heightened sense of privacy than is the norm in the U.S. and he added, “If you breach someone’s personal privacy, [European authorities] will shut down your company’s data transmission.” •
