Summit: Cyberthreats too costly to ignore

ENGAGED AUDIENCE: Linda Fish, left, director of information security at Blue Cross & Blue Shield of Rhode Island, listens to a panel discussion during last week's Cybersecurity Summit. / PBN PHOTO/ RUPERT WHITELEY

The vast reach of cybercriminals and the vulnerability of networked systems threaten businesses big and small, say cybercrime specialists and others who participated in last week’s Cybersecurity Summit put on by Providence Business News.

The Oct. 27 gathering at the Crowne Plaza Providence-Warwick included a discussion by a panel of businesspeople, academics and government consultants, following a welcome by Gov. Gina M. Raimondo. The governor appointed a state Cybersecurity Commission this year to identify vulnerabilities in the state’s computer networks, propose ways to protect data and discuss development of a home-grown cybersecurity industry.

Warnings about the vulnerability of computerized data – business, government and personal – were daunting.

“The Internet was not built to be the backbone of our global economy, which it has become today,” said panelist Francesca Spidalieri, a senior fellow for cyberleadership at the Pell Center for International Relations and Public Policy at Salve Regina University. “The unsecured designs underpinning the Internet were built on the presumption of good intentions and not with … malevolent sabotage in mind.”

She said the Internet has 3.2 billion users worldwide, including 87 percent of all Americans.

Some monumental computer hacks over the past few years have chilled businesses and governments. They include the breach at Target two years ago, costing the company $67 million; the Chinese-flavored hack of Sony Pictures; and the hack of the U.S. Office of Personnel Management this year.

“It’s the Wild West out there,” said Ralph Coppola, a principal with Meridien Financial Group Inc., who was in the audience. “There’s no doubt in my mind that someone has my information. We have to protect our clients; we have to be one step ahead.”

Panelist Scott DePasquale is CEO of Providence-based Utilidata, which helps utilities modernize power grids and protect them from cyberthreats. He is chair of the new state Cybersecurity Commission. “Every year there is more data and there are more devices at risk,” DePasquale said. “Personal and professional networks are not de-linked anymore.” He noted that the director of the CIA has been hacked, adding, “Anybody is reachable.”

The increasing use of the Internet and the growth in use of electronic devices create ever more territory for hackers to penetrate. The AT&T Cybersecurity Insights Report stated that security breaches increased by 48 percent from 2013 to 2014 and that 43 million business-security incidents were reported in 2014.

One basic method of cybercrime is spear phishing, defined as an attempt to acquire sensitive information for malicious reasons by masquerading as a known and trustworthy entity, often through email. Another threat is ransomware, malicious software that restricts access to a computer system until the legitimate user pays a ransom.

Motives for cybercrime include outright theft, “hacktivism” to make a political statement, industrial espionage and disruption of services. Hackers can hide in a breached network, extracting information without detection for many weeks or months.

About 90 percent of security breaches, Spidalieri said, are caused by careless or untrained employees who unwittingly invite a virus into the network by, for instance, opening a malevolent email. According to the AT&T cybersecurity report, 78 percent of employees do not follow employers’ security policies.

What hope could the panel offer to worried businesspeople and government officials holding sensitive data? First, panelists said, use good basic practices, also called cyberhygiene.

Spidalieri suggested, “If you don’t need all the data you are collecting and you cannot protect it, don’t collect it.” Other good practices include changing passwords regularly; encrypting data before emailing it; backing up information; training employees to be watchful of malware; outsourcing cybersecurity to professionals; watching the language on liability in third-party contracts; and buying cyber-insurance.

Panelist Zach Scheublein is vice president for Aon Financial Services Group, with expertise in identifying client exposure to data breaches. He urged the audience to carefully evaluate relationships with vendors.

“Look at your contract” with your cloud provider, Scheublein told the audience. “You could be on the hook for large losses because one of your vendors had a breach. You need an avenue for indemnification.” He said contracts with cloud providers usually don’t take on liability or provide indemnification.

Scheublein and panelist Shiraz Saeed, who is a cyberliability specialist for the global insurer AIG Property and Casualty, emphasized the value of cyber-insurance.

Scheublein said he brokers cyber-insurance, and he noted that this product has been in existence for about 15 years, but only about 20 percent of organizations purchase it.

Saeed said when a security breach occurs in computers of a customer holding AIG cyber-insurance, AIG immediately assigns the case to the customer legal counsel, an investigator and specialist in public relations and brand-reputation management.

The summit included discussion of the new chip-and-PIN credit card technology that was required of all credit cards in the United States by October 2015. The technology, in use for decades in Europe, replaces the card’s magnetic stripe with a computer chip.

This technology helps block malware penetration of credit card systems. First, the transaction is encrypted, and, second, the transaction is assigned a one-time code that is invalid after it is completed. Some retailers object to the extra 20 to 30 seconds the chip cards add to transactions.

During discussion of rules on reporting data breaches to government authorities, panelists agreed that there is no clear answer, partly because there’s a patchwork of federal and state rules, with no central voice in charge. But Spidalieri said a new data-breach reporting law for Rhode Island will go into effect in June 2016.

Some speakers said consumers should demand better-designed electronic devices that are built to resist hacking from their inception. DePasquale voiced a different view: “If we expect vendors to solve these problems, we are going to fail. Vendors will never get ahead of where the threat is.”

Other speakers at the summit included Kevin Ricci, director of information technology at LGC+D/IT Solutions, and Timothy J. Edgar, a fellow at Brown University’s Watson Institute for International Public Affairs and a cybersecurity expert. •