Rawpixel - Fotolia
Threats to corporate information have become commonplace, and in recent years companies have turned to analytics data to help prevent information breaches. Analytics can help determine what corporate information is most vulnerable, where there are holes in security processes and how employee data protection training is lacking.
But despite this wealth of data, many companies still struggle with cybersecurity simply because executives don't take advantage of it, said Reg Harnish, CEO at GreyCastle Security. In this Q&A, Harnish discusses why the biggest cybersecurity risk facing companies may be business leaders who ignore analytical information regarding potential data threats.
What do you think are the big corporate cybersecurity risks facing businesses today, and are there any new or cutting edge tactics that are proving effective to help protect company data?
Reg Harnish: We understand our threats in a very general sense, but the vast majority of business leaders, executives and managers haven't been very accepting of the data that's been put in front of them. From a cybersecurity standpoint, we struggle to find good data about what's going on, where the attacks come from, what they were going after, what they stole. But even when you have that data and you put it in front of business decision makers, because of their own psychology, their cognitive biases, their own emotions, they are not making very good cybersecurity decisions.
I'll answer your question two ways: One, external threats to an organization are becoming more sophisticated, and certainly they are multiplying very quickly. On the inside of the organization, if you are the CEO of an organization and I ask you "what is your greatest cybersecurity risk" and you tell me you think it's people -- people you can't prevent from clicking links, going to infected websites, bringing in their own flash drives -- all of these problems that we experience with our employees. Then I ask you what you are doing about it, and you tell me "buying firewalls?" Well guess what, you just went from CEO to ignorant CEO. In many ways, the biggest risk to an organization is its people, but it's the decision makers.
What is the state of mobile data threats, are they as big a problem as in the past now that companies have had time to adjust to them? Also, how have mobile data threats evolved in recent years as tech such as the Internet of Things has started to proliferate?
Harnish: We are not seeing as many exploits or attacks in the wild on mobile devices specifically, namely iOS and Android. But they are happening more and more, the frequency is increasing. The sophistication is increasing, but I think the real story is in the potential and the opportunity. Experts estimate there are between 5 and 10 billion devices connected to the Internet. By 2020, there will be 50 billion. That's seven mobile devices for every human being on the planet, including babies and the elderly. Now imagine that every one of these devices carries around our personal data: our social security numbers, maybe even credit card numbers, maybe it has medical records or maybe it has connections to all of my other devices. Every one of these devices is vulnerable.
Reg HarnishCEO, GreyCastle Security
What people tend to overlook is that the iPhone is nothing but software. The hardware is no better or no worse than any other piece of hardware. Really, you are interacting with the software, and software is everywhere these days, from a drive-through pharmacy to the heating and air conditioning system in your building, they are all controlled by computers. The convenience of being connected to the Internet is powerful and it's motivating, and because we are in this mad rush to connect devices to the Internet and the Internet of things, we tend to overlook the cybersecurity risks. If I'm putting my refrigerator online, what are the problems with that? We are not asking those questions until they become issues. Internet of Things doesn't necessarily change the overall threat landscape, but it increases the opportunity for cybercrime.
Can companies use information gathered from compliance audit findings to shore up corporate cybersecurity processes? Why or why not?
Harnish: The only thing scarier than a hacker today is an auditor. Businesses need to recognize that cybersecurity risks come from different places, and they have to understand compliance-related risks. If you are a hospital and CMS or OCR show up at your door because you are not doing the right things to protect health information, that can be a really expensive headache. Perhaps even more expensive is if some cybercriminal gang got access to their EMR. This process of managing risk has become a fundamental need for organizations because there are so many threats, there are lots of vulnerabilities, and we can't fix all of them.
If I'm responsible for security at that hospital, I have a thousand things that I could do in cybersecurity, but the question is what I should be doing, in what order, and how much of it I should be doing. We just don't ask these questions enough. If we really don't understand the problem, we tend to throw technology at it -- antivirus, firewall, intrusion detection systems. Those technologies are doing a fine job for what they are designed to do, but they don't solve all cybersecurity problems. I estimate that 75% of all cybersecurity risks are non-technology related.
What type of employee education and training techniques are beneficial to protecting corporate cybersecurity?
Harnish: We know what doesn't work: Not educating employees is bad. We know that forcing your employees to go through crappy training is bad. It's difficult, fighting the human brain is not easy, especially if the culture was not designed around cybersecurity. You take these manufacturers, or insurance companies, or banks, organizations that have been around for a long time, they never thought about cybersecurity. If you expect to come in and think employees are going to be perfect after one training class, it's not realistic.
If you understand the human brain and how it works, how we learn and absorb information, why we retain it, you can incorporate that in your education, combine that with testing to make sure the education and training worked, and repeat that on a regularly occurring basis, that's what we're asking companies to think about today. The people problem in cybersecurity is massive and it's growing. If you don't at least attempt to solve that, then it's truly negligent. The data is out there, we know why organizations' breaches started: A human being failed. We need to spend more time on that. There are ways to change behaviors, but you have to be in it for the long term. It's not an overnight solution.
Learn how cybersecurity strategy spending can benefit the bottom line, and get a step-by-step tutorial on cybersecurity incident response. Then, catch a two-minute video to hear a CIO discuss big data as a double-edged sword in his cyber strategy.