Cybersecurity professionals get no relief. For every threat they counter, there are hundreds more waiting to strike, or some new point of vulnerability to consider. With the IP-enabling of every manner of device, machine, and facility, physical security managers are in the same pressure cooker as their IT counterparts. We’ve entered the era of cyber convergence, where both groups will have to join forces to protect their organizations as the battle escalates.
In fact, Sage chose “Cyber Convergence” as the theme of its 2016 CyberCrime Symposium as “an acknowledgement that we have truly entered a new period in human history,” said Sari Greene, Sage founder, in her opening statement to attendees. "We’re at a point in time," she said, “when technology advancements have given us unprecedented capabilities to globally communicate, educate, innovate, conduct commerce — and to harm.”
These advances have created a cyber-attack surface that’s becoming more and more difficult to cover. The number of business users and consumers armed with smartphones and other portable devices grows daily. They’re a population in motion, always requesting access to networks, websites, applications, and data. Meanwhile, vendors are IP-enabling every manner of device so they can connect to the Internet of Things (IoT) ecosystem, crank out data, and become yet another point of vulnerability.
With stakes already sky-high in a nascent cyber-age, “we can’t and shouldn’t be bystanders,” Greene said. “It portends great promise, as well as presenting a grave danger to our political institutions, economic stability, and personal liberties.” She asked attendees to heed the power they have to help destroy silos that have long prevented entities from working together to address security — those separating technology and business leaders, public and private institutions, and personal and national security.
Be sure to tune in weekly for upcoming installments, which will take an in-depth look at select presentations. In the meantime, check out a few of the key takeaways from the 2016 symposium.
Failure is an Option, so Ready Your Response
There’s a reason that media outlets are ceaselessly trumpeting news of the latest cyber-breaches, which regularly set new records for attack size and scope. Actors are getting better at their jobs and targets aren’t prepared for contingencies. As cyber-incidents take their place among the top challenges impacting crisis management and business continuity, smart organizations do everything they can to prevent incidents, but accept the likelihood of a breach and prepare for the aftermath.
Here’s where cyber-incident exercises come in. In her session, Regina Phelps, founder of consultancy Emergency Management & Safety Solutions (EMSS), said the reason so many cybersecurity strategies aren’t effective is that they’re so hyper-focused on prevention that they’re paralyzed when they’re breached. They need to conduct real-world exercises to identify weak spots, raise awareness organization-wide, and get in shape for the real thing.
"Forget holding IT leaders responsible for security — everyone owns a stake," said Phelps. A best-in-class response plan relies on conducting incident exercises at least once a year and not holding back. Put every department to the test, hold them accountable, and conduct thorough follow-up to ensure they understand their role. It’s not about creating fear in the organization, said Phelps, but proving that they can execute when the heat is on for business continuity.
Inside Jobs and Outside Armies
Outside the confines of data centers and facilities, cybercriminals, state-sponsored groups, and hacktivists work relentlessly to breach defenses and get inside. Inside, employees, contractors, and third-party vendors, with ready access to an array of useful and critical systems, abuse their privileges to steal assets they can spirit out in various ways.
In his session on insider threats, Don Ulsch, senior managing director at PwC, used case studies to highlight what businesses risk when they assume employees and partners are trustworthy. Cyber-incidents are regularly launched by everyone from careless CEOs to calculating programmers. Security leaders should develop strategies based on the human-as-wild-card factor and invest accordingly, starting with better background checks and including continuous monitoring of employee activity.
"Management has to stop looking at security measures, like monitoring, as interference and view it as a business-enabler," said Ulsch. With SEC pressuring public companies to secure their supply and vendor chains to reduce risk, they’ll either invest in insider threat protection now or find themselves part of class actions down the road.
Still, according to data collected by the Open Security Foundation (OSF), nearly 78% of the data breaches in 2015 were the work of outside sources. The message: Both groups must be closely monitored.
“Because insiders know where the crown jewels are, they can potentially cause more damage, but outside actors are far ahead in terms of cyber-attack likelihood and frequency,” said Jake Kouns, OSF CEO, in his session on the organization’s arrest tracker project.
Internet of Things = Internet of Threats
"There’s no stopping the IoT tidal wave, so IT leaders should start deciding how they’ll handle devices from a cybersecurity perspective," said Chris Poulin, a research Strategist at IBM, in his session on IoT’s potential infosec impact.
Start by segmenting systems based on risk, and use network segmentation tools to isolate IoT devices from data networks where possible. As they flesh-out their new security strategy, they’ll want to consider ways to collect and review IoT event logs, for instance, just as do logs for their IT systems.
This week, we kick-off our series presenting key takeaways from our 2016 CyberCrime Symposium, held November 3-4, 2016. If you couldn’t get a seat at the event — centered on Cyber Convergence — or want a refresher on its informative sessions, check-in weekly for the latest installment featuring insight from select presentations.