A brief digest from SecureWorld New York 2019
New York, NY – With all the high-profile cyberattacks receiving coverage in the media as of late, cybersecurity is quickly becoming a topic of conversation among the tech-savvy and non-technical alike. I was privileged to attend the SecureWorld New York conference on September 25th in midtown Manhattan. SecureWorld hosts 17 annual events around North America in furtherance of its mission to connect, inform, and develop leaders in cybersecurity. At this particular conference, much of the focus was on small-to-medium enterprises (SME’s), the issues they are facing, and suggested measures to address them.
As always, a recurring theme was the correlation between end-user behavior and cyber-vulnerability. “There’s always going to be a threat when the ‘human factor’ is involved,” according to Tim Miller, a lead cybersecurity consultant at Trend Micro. However, several speakers conveyed a very different message – one of inspired confidence in the untapped potential of the end-users to be on the front lines of cyber defense. As David Sherry, CISO of Princeton University, points out, “[The tired notion of] end-users being the weakest link is negative reinforcement. Instead, we should look to empower end-users to be the ‘guardians at the gate!’”
When it comes to SME’s, the security landscape has quickly become as complicated as it is critical. “‘I.T. risk’ is indistinguishable from ‘business risk’,” says Nick Shelby, director of cyber intelligence & investigations at the NYPD. “Outsourcing of I.T. services will continue to accelerate, and the risks associated with that are often understated.” Shelby continues, “[The issue is] how do non-technical people see this stuff? We have to do a better job of communicating these concepts.”
The issues surrounding information security for SME’s have exploded: as an increasing number of companies and organizations move from paper to digital, the demographics for ransomware attacks are expanding. At this time, a major contributing factor to the looming crisis is the lack of awareness in the SME community. Most business owners learn about cybercrime from the news media, but, as Kazbek Khumush from Trend Micro puts it, “If you’re changing behavior based on the news, you’re too late!” He continues, “[SME’s] must be proactive about their approach to cybersecurity practices.”
While the mass migration to digital has SME executives talking about concepts like cloud technology, a critical fact is either unknown or overlooked by business owners. As Shelby articulates, “The highest vulnerability is when a company moves along the continuum from ‘forklift and dump truck’ to ‘native cloud’, much more so than staying at the current state.” In other words, stakeholders who are concerned about their levels of vulnerability are seeking remedy by switching to the cloud, but the transition from paper to cloud-based operations is actually what exposes companies to the greatest risk. Shelby continues, “Moving to native cloud deployment requires abandoning old ‘best practices’, and adopting a new approach and a new way of thinking about how to do business.”
There even exists uncertainty in the law enforcement community about how to best define and assign cases of so-called cybercrimes. When asked what he views as the biggest challenge facing law enforcement with regard to cyber safety, Shelby replied, “There’s no standard definition for ‘cybercrime!’ What makes a crime ‘cyber’?” He goes on to distinguish between “cyber native” crimes (e.g., hacking into a bank account to steal funds) versus “cyber-enabled” crimes (e.g., sexual misconduct with a minor via smartphone communications). “We need to stop classifying these as ‘cyber crimes’ and just view them as ‘crimes,’” Shelby posits. “These crimes span all departments of law enforcement, and should no longer be handled by one group of specialists. Every officer needs to do their part.”
So, what advice do these experts have for SME’s facing these myriad issues? Khumush suggests, “Develop a relationship with a security advisor who can give you the necessary tools to be protected.” He adds, “The focus should be on Multi-Factor Authentication, and also patching systems on a regular basis.” Of course, with SME’s, budget is always a significant concern. Marija Strazdas, the senior solution engineer at Alert Logic, offers the following reassurance: “Cybersecurity training is now more affordable and accessible to small-to-medium businesses.” And what about the individual employees? How can business owners empower their workforce to be the first line of defense? Michael Landewe, co-founder of Avanan Cloud Security, advises tapping into their instincts: “Get people to report when something doesn’t feel right…” He adds, “Make end-users skeptical, so that they report potential phishing emails, and reward them for good behavior, rather than repeatedly punishing bad behavior!”
Ultimately, what it comes down to is that SME’s need to reimagine their operational approach to business. When asked for his view of what the “new best practices” for businesses should be, Shelby recommends, “Curation and maintenance of cloud environments, automation across business activities, and deployment that is known, tested, configured, and deployable at-scale, repeatedly.” One thing’s for certain: cyber threats are a burgeoning concern for SME owners and executives. They say it takes a village to raise a child… it may take the same group-effort mentality to secure a company.
Olivier Vallez, JD, MBA – Lead Writer/Cybersecurity Reporter
Olivier Vallez is a contributing writer for Cyber Defense Magazine, covering various cybersecurity topics and events. He is the Head of Business Development at The CyberHero Adventures: Defenders of the Digital Universe, a groundbreaking comic platform that distills complex cybersecurity information into fun and engaging superhero stories and makes cyber hygiene easy to understand for non-technical people.