Corridor experts offer advice for bolstering digital defenses at annual CBJ cyber event
By Katharine Carlon
Having the right technology and processes in place is all well and good, but when it comes to beating back cybersecurity threats, businesses do best by investing in their most important resource: people.
“When you look at the cybersecurity challenge, whether it’s looking at the bad guys and what their motivations are, or looking at the people in the organization who can expose you to risk whether they mean to or not, or the people who are trying to defend the walls – the blue team, the IT teams and the cybersecurity professionals – it’s all a people thing,” said Aaron Warner, CEO of Coralville-based ProCircular, speaking on the “Current Cybersecurity Threat Landscape” at the CBJ’s Cyber Security Breakfast on Sept. 5.
“At the end of the day, if there’s one thing I can leave you with, it’s that this cybersecurity thing is about people and working with people is the way to get this problem solved,” he added.
In his remarks, Mr. Warner outlined the four main categories of cyber risk – financial, operational, strategic and reputational – and went into depth on the types of information threat actors hope to steal. But he returned to the idea that with limited resources to throw at the growing menace of cyber crime, human effort is the first and best line of defense, and offered up these three tips to start.
Complete a risk profile
Companies need to think in terms of likelihood versus impact, Mr. Warner said, drawing up a list of potential threats and challenges and assessing the realistic probability they might arise.
“What’s the likelihood that a meteorite is going to slam into one production facility? Well, the likelihood is relatively low, but the impact of that is very high,” he explained. “Whereas if you look at more minor challenges, perhaps somebody at the front desk offering up passwords, it’s relatively high impact if they get into your network and void millions of dollars in border security. That individual can cause a multi-day outage in your organization.”
Mr. Warner said clients often approach him asking for pricey technological solutions without having compiled a risk register to ensure they’re addressing their most obvious and likely vulnerabilities.
“A lot of times our conversation will be, ‘well, we’d love to sell that to you, but how do you know that’s your biggest risk? How do you know that’s the thing that’s most likely to cause your problem?’” he said. “And typically, it’s not a thing that’s sort of a shiny object.”
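The likelihood-versus-impact exercise Mr. Warner describes is usually kept as a risk register: each threat gets a likelihood rating and an impact rating, and the product of the two decides what gets attention first. The script below is an added illustration of that register, not a tool from ProCircular or from the talk; the 5×5 scales, the tier thresholds and the sample entries (including the meteorite and the front-desk password scenarios from his remarks) are all assumptions chosen for the example.

```python
"""Minimal likelihood-vs-impact risk register (added example, not from the article)."""
from dataclasses import dataclass
from typing import Dict, List

# Qualitative scales mapped to ordinal values. A 5x5 grid is an assumption of
# this example; organisations pick their own scales and thresholds.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
# The four risk categories named in the talk.
CATEGORIES = {"financial", "operational", "strategic", "reputational"}


@dataclass(frozen=True)
class Risk:
    """One row of the register: what could happen, how likely, how bad, and what is planned."""
    name: str
    category: str
    likelihood: str
    impact: str
    treatment: str = ""

    def __post_init__(self) -> None:
        # Reject values outside the agreed scales so the register cannot silently
        # mix incompatible scoring schemes (a common failure of spreadsheet registers).
        if self.category not in CATEGORIES:
            raise ValueError(f"unknown category: {self.category!r}")
        if self.likelihood not in LIKELIHOOD:
            raise ValueError(f"unknown likelihood: {self.likelihood!r}")
        if self.impact not in IMPACT:
            raise ValueError(f"unknown impact: {self.impact!r}")

    @property
    def score(self) -> int:
        """Likelihood x impact on the ordinal scales above (1..25)."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    @property
    def tier(self) -> str:
        """Heat-map tier; thresholds are an assumption of this example."""
        if self.score >= 15:
            return "high"
        if self.score >= 8:
            return "medium"
        return "low"


def rank(register: List[Risk]) -> List[Risk]:
    """Highest score first; ties broken by name so the ordering is stable."""
    return sorted(register, key=lambda r: (-r.score, r.name))


def by_tier(register: List[Risk]) -> Dict[str, List[str]]:
    """Group risk names into tiers, each tier ordered by score."""
    tiers: Dict[str, List[str]] = {"high": [], "medium": [], "low": []}
    for r in rank(register):
        tiers[r.tier].append(r.name)
    return tiers


def render(register: List[Risk]) -> str:
    """Plain-text table of the ranked register for a council briefing."""
    lines = [f"{'score':>5}  {'tier':<6} {'category':<12} risk  [treatment]"]
    for r in rank(register):
        lines.append(f"{r.score:>5}  {r.tier:<6} {r.category:<12} {r.name}  [{r.treatment}]")
    return "\n".join(lines)


# Constructed sample entries; ratings and treatments are illustrative only.
SAMPLE_REGISTER = [
    Risk("Meteorite strikes a production facility", "operational", "rare", "severe",
         "disaster-recovery plan, insurance"),
    Risk("Front-desk staff give a password to a caller", "operational", "likely", "major",
         "awareness training, call-back verification"),
    Risk("Phishing email captures staff credentials", "financial", "almost certain", "moderate",
         "multi-factor authentication, phishing drills"),
    Risk("ERP bill of materials exfiltrated", "strategic", "possible", "severe",
         "least-privilege ERP roles, export monitoring"),
    Risk("Customer list stolen and used to attack customers", "reputational", "possible", "major",
         "encrypt at rest, limit CRM access"),
]

if __name__ == "__main__":
    print(render(SAMPLE_REGISTER))
```

Run as a script, it prints the ranked table: the front-desk password scenario (likely, major) lands at the top as a high-tier risk, while the meteorite (rare, severe) sinks to the bottom, which is exactly the ordering the talk argues a register should surface before any technology purchase.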
Communicate priorities from the top down
Mr. Warner said executive buy-in is key to ensuring cybersecurity issues get the attention they deserve.
“If it looks like just an IT thing, you’re just going to solve the technology problems and that’s only maybe a third of the challenges you have,” he said. “The IT department can’t set policy for HR and oftentimes, that’s where change needs to begin. And the IT department doesn’t have the authority to tell finance how to do what they do, but that’s a place where there is a ton of risk. The executive or CEO or president of a company can help to make those changes.”
Convene a senior cybersecurity council
A council of representatives from IT, HR, finance and legal departments ensures “everyone has a little bit of skin in the game,” Mr. Warner said. “It helps move projects along, and with finding creative solutions that aren’t just about writing checks.”
Mr. Warner said the companies his firm sees doing cybersecurity right are putting people on the front lines and following these three steps rather than “throwing technology at the problem.” Understanding that they “don’t know what they don’t know” and approaching challenges with an open mind are other hallmarks of companies that create strong cybersecurity programs.
“Organizations that don’t do it right are pretty easy for us to spot,” he added. “It’s when IT is really super defensive, when you go into an organization and they tell you, ‘yeah, I got this figured out, we just need you guys come in and check a box for us’…that’s usually a red flag for us.”
SIDEBAR: What are cyber criminals after?
Knowing what data needs to be protected can be difficult. Aaron Warner, CEO of ProCircular, breaks it down into several broad categories:
Bill of Materials: The Bill of Materials, or BOM, is a comprehensive inventory of the raw materials, assemblies, subassemblies, parts and components – as well as the quantities of each – needed to manufacture a product. It typically resides in a company’s enterprise resource planning (ERP) software.
“It’s kind of an esoteric thing, but to the right person, it is extraordinarily valuable,” Mr. Warner said. “A hacker can get into your ERP system and steal your intellectual property, it’s essentially the recipe. So, if you’re making a chemical, it can be the recipe for that chemical. It also tends to have pricing information, so you get a really nice look at what an organization has been paying for this chemical, who else has been buying that chemical or the sources for it. This kind of information to an intellectual property thief is pure gold…It’s a lot easier to get someone else to do your R & D for you. A lot cheaper. And this enables them to put whatever it is right into production.”
Customer information: Payment and financial information, ordering information, and intellectual property and designs.
“Most of the time, [cyber criminals] don’t care about the organization that they’re hacking; they’re more interested in using that organization to do bad things,” Mr. Warner said. “They’ll get your list of customers and go attack them…It’s often not about you or your organization at all, they’re just using you to get to somebody else.”
Medical information and law firms: Mr. Warner said health records are incredibly valuable on the black market, selling for between $200 and $300 each versus just $5-$10 per credit card number.
“They contain all of the information necessary to establish a fake ID, so you can steal someone’s identity very easily with a medical record,” he said, adding such records can also be used for prescription fraud, as a gateway into other hospital systems and to obtain access to health care. “Politics aside, health care is screwed up and people will use somebody else’s medical identity to get health care for themselves or for their family members. You see people pretending to be somebody else to go get a procedure done.”
For similar reasons, data thieves also target law offices, he said, hoping to get their hands on both medical data and financial data.