iDiscovery Solutions’ Director of Cybersecurity Robert Kirtley warns organizations not to confuse “security theater” with the type of user awareness training that can change risky behaviors and foster a culture of security.
CCBJ: Technology is constantly evolving. Over the past 15 to 20 years, how has cybersecurity kept up with this pace of change?
Robert Kirtley: The biggest shift that we’ve seen is in mind-set. Fifteen years ago when you talked about security, people shrugged. Yes, people had heard about viruses and probably had a basic anti-virus tool on their computer, but they didn’t feel like it was an imminent threat for them or their organization. Business people are now aware of the risks and we read every day about attacks, but much of the time they don’t know what that means and what they have to do.
Traditionally, IT leaders have not had productive conversations with nontechnical people. Even as technology has become more pervasive in organizations, the ability to communicate continues to be an issue. One of the biggest trends for successful technology professionals generally and cybersecurity leaders specifically, has been the move to convert the language of technology into the language of business, focusing more on what we need to do, how it helps the business achieve its mission and how we can justify greater investments in security from a return on investment perspective.
The easiest pitch to make for more money for cybersecurity is if you are obligated because of regulations or if a peer has made the headlines for a breach. It’s much harder if you’re not in an industry that’s regulated. Then you have to make a business decision about accepting the risk, transferring it through cybersecurity insurance, or mitigating it by buying services, tools and/or hiring. Usually, it’s some combination of the three. The key to success is being able to have those conversations with the business leadership in a way that helps them understand the business reasons for cybersecurity.
What’s the difference between compliance and security?
Compliance is doing what you’re required to do, being able to say that your practices conform to a government (HIPAA or GDPR) or industry group (PCI-DSS) dictated framework that lays out a minimum level of acceptable security.
Security is part of that, but it goes further. It means compliance, of course, but it also means going beyond that to evaluate how you allocate resources in the context of the risks that you face. It means being proactive and monitoring for new threats. It means balancing the different elements of cybersecurity.
When nontechnical people think of security, they often only think of confidentiality: How do I protect and make sure that people who are not authorized to see this information can’t see it?
But security also involves two other dimensions – it’s actually called the CIA triad for Confidentiality, Integrity, and Availability. Integrity means that the data is unaltered. If someone could get into a bank account system, for example, and change the amounts in specific accounts, that is a breakdown of security integrity.
Availability used to be a more remote, but now it is a big deal. More and more, people are seeing data become encrypted because somebody clicked on a bad link. Ransomware, like the attack that impacted the City of Baltimore for weeks in May is a reminder that both governments and companies are at risk of availability attacks. Availability also includes situations like disaster recovery and business continuity after a natural disaster or a security incident.
What are some best practices for mitigating risk?
Assuming the basic infrastructure is in place – having a firewall and a tested backup process, secured accounts, etc. – the biggest thing is user awareness training. And I don’t mean what I call “security theater.” That’s when once a year, you run a training on cybersecurity, inundate employees with information, and then everybody leaves having learned nothing. But they’ve signed a form that says, “I have read and understood this information,” so the company then says, “We’ve trained everyone, and they understood it.” That’s security theater: doing it for the sake of checking a box. Good companies focus on changing behaviors and fostering a culture of security.
So first and foremost, focus on useful cybersecurity and security awareness training for your employees. The majority of security compromises are users clicking on a bad link or opening a phishing email that they shouldn’t have opened. It’s unfortunate but true, that even the best efforts around state-of-the-art cybersecurity infrastructure can often be circumvented by a user downloading a document or clicking a link that brings malware into their organization.
If you train people how to recognize these kinds of attacks, you can significantly reduce the likelihood that your organization will be compromised. A great opportunity to do this is around the winter holidays. Have a half-hour session on shopping safely on the internet. What we find is that when you teach people behaviors that benefit them personally, they bring those behaviors into work.
Second, ensure that you measure and monitor your security posture and that you understand it. Many organizations put security infrastructure in place but don’t understand how they can get the biggest return on investment. That stems from the fact that organizations often don’t know where they keep information, even their crown jewel information. Can users access it, for example, from home computers or mobile devices? Do you have off-site storage? Are you using third-party cloud providers? Understanding who can access what is a critical element of security, but you won’t have good access control if you don’t know what you have and where you keep it. This also needs to include paper – even in 2018, the majority of data breach notifications were for paper, not electronic documents.
Do BYOD policies create greater risk for companies?
In a word, yes, they create risk. But it is a risk, like all others, that can be anticipated, managed and mitigated. BYOD is a double-edged sword, in that it enhances employee satisfaction and productivity, but it also increases the threat surface, the landscape that we need to protect.
The key to reducing risk is to have good controls and management tools that allow you to manage what users can do and that monitor and protect the devices. Obviously, if people can access critical information from their phones but you do not have control over what they do with that, you can end up with protected information stored on someone’s personal iCloud account, for example. You could end up with financial information, credit card information, being transferred from a secure environment to a nonsecure environment. Those are some of the risks with opening your system to devices you do not own or control.
How can companies leverage basic technology to help secure against threats?
At a minimum, organizations need to have basic infrastructure – firewalls, proxy servers – and the ability to manage access to specific systems and information. You need to understand where the critical data is and concentrate your security spending on protecting the most critical elements of your environment. You can’t treat everything the same. You need to prioritize and triage how you concentrate your security spend.
Experts in this industry have talked about “not if, but when” – as in, it’s not about if a breach will occur, but when one will occur. With this in mind, how can companies best prepare for a possible breach?
Detect and remediate as soon as possible. People think of a data breach as someone being able to get in, but that’s not the case. They have to get in, they have to find the critical information, and they have to exfiltrate it. Just because they get in doesn’t mean they’ve found critical information, and just because they find it doesn’t mean they can get it out. If you detect an intrusion quickly, you can prevent bad actors from getting to critical information. If you can prevent them from getting to it or exfiltrating it, then you haven’t had a data breach. No one wants to be the next data breach headline!
Published July 11, 2019.