Experts discussed some of the current and emerging issues in cybersecurity at the recent SC Congress in Chicago. Here are six of their most interesting cybersecurity insights.
Cyber Insurance Is No Panacea
A panel on cyber insurance for the most part panned the idea, saying that the legal wording of policies, exclusions and other factors tend to make it a pricey policy that may not even provide the expected benefits in the event of a data breach.
"I’ve never been a fan of insurance; getting the right coverage is always an uphill fight," said Winn Schwartau, CEO of The Security Awareness Company. “We’ve been at war, but acts of nation-states are excluded by insurance, as are acts of war and acts of God. Is ISIS a nation-state?”
Yet Jody Schwartz, director of IT security and risk for the Rewards Network, pointed out that cyber insurance enabled Target to recover about 45 percent of its direct losses due to its high-profile breach. So cyber insurance does enable companies to recover some of their losses, even if there is some fighting over exclusions, the definition of what is covered and other issues.
In addition, the concept of insurance and risk prevention may lead to industry innovations that can better protect everyone, according to Nathan Smolenski, vice president and CISO of executive search consulting firm Spencer Stuart.
Lloyd’s started insuring ships when there was no way to see the coastline at night, Smolenski said. That danger gave rise to the lighthouses that dotted many coastal areas until later in the last century. To date, no such innovation has arisen in cybersecurity, he added.
Same Old Cybersecurity Threats
Though there are new, deeper threats, many cybersecurity vulnerabilities that have existed for years in manufacturing, education, financial services and other industries are still there today.
In many ways, there is nothing new under the sun, according to Jeffery Ingalsbe, CISO of broker management firm Flexible Plan Investments. Hackers still attempt old attacks as well as new ones. Many phishing attempts are only slight variations on scams that have existed for many years.
Managing Security Patches Needs New Approach
While some attacks still target operating systems, programs and apps, others go much deeper, targeting the critical components of apps. So security protections need to protect these components as well as the apps themselves, said Richard Rushing, CISO of Motorola Mobility.
So companies need to reconsider how they manage security patches. Simply relying on Windows updates to manage the patch cycle or vendor patches is not enough. The vendors won’t patch a flaw until they are aware it exists, which may be too late to protect against an attack. So companies need to have their own defenses.
"The problem is that companies are continuing to patch the same way. They’ve had problems with organization and prioritization of patches. They need to understand how to patch and unpatch so as not to impact the users," Rushing said.
The code that companies are looking to protect from hackers is becoming more complex as well. According to Rushing, some of today’s connected cars contain more lines of computer code than a 787 Dreamliner. "The problem is that the bad guys only need to be right once," he said.
It used to be that a company could wait a month or two before patching a vulnerability, according to Rushing. But hackers today are ready to exploit a vulnerability almost as soon as they find it, so patches need to be completed in 24 hours or less to protect the organization. Every indication is that this time frame will continue to shrink, as hackers become ever more aggressive.
High Cybersecurity Standards
While a score of 95 percent will earn an A at any university in the country, when it comes to securing the network, companies need to score closer to 99.9999 percent in order to be considered safe, according to Ingalsbe.
Humans a Huge Cybersecurity Risk
As an experiment, audit and advisory firm Grant Thornton sent emails seeking personal information to 5,000 people. There were obvious clues that the email was from a hacker: The email came from the domain "pleasehackme.com" and there were misspelled words. Yet 200 people opened the e-mail and 20 provided their user names and passwords.
Other people-related security risks include people using their own devices in and out of the office, and using cloud-based apps such as Dropbox to transfer what should be secure information.
User education is important, as is offering the appropriate amount of data access for employees, contractors and partners. Travis Green, an identity solutions strategist at NetIQ, offered several tips for better securing insider access to data in an eSecurity Planet column published in September.
Test Security Software Prior to Purchase
Beyond simply testing that any security software will protect the company’s network as promised, also test to ensure that it will work in the organization’s environment, advised Richard Lafosse, CISO for Cook County, Ill. The county tested one security application that continued to crash the system. Upon examination of the network diagram, Lafosse discovered that downstream routers couldn’t support the solution.
Don’t try to integrate during proof of concept, or there could be other network issues, Lafosse added. "Evaluate more than one vendor and remember that the contract terms are king."
Lafosse offered additional tips on procuring security technology in an eSecurity Planet article published earlier this month.
Phillip J. Britt's work has appeared on technology, financial services and business websites and publications including BAI, Telephony, Connected Planet, Independent Banker, insideARM.com, Bank Systems & Technology, Mobile Marketing & Technology, Loyalty 360, CRM Magazine, KM World and Information Today.