Cyber attacks can happen to anyone — even the National Security Agency. U.S. contractor Edward Snowden’s historic data breach and subsequent disclosure of thousands of classified NSA documents to The Guardian and then The Washington Post led to more than six months’ worth of revelations on NSA surveillance programs. But government agencies and big companies like Target and Facebook are not the only targets for hackers. Every day, millions of viruses, email scams, and other cyber threats swarm our hyper-connected world.
Anyone who works in accounting, banking, financial services, or healthcare is especially vulnerable, speaker Art Jacoby told a conference room of executives and professionals at a recent PSA Partnership seminar, “The CEO’s Plain-English Guide to Cyber Security.” A Baltimore Business Journal columnist, founder and Chairman of the Cybersecurity Association of Maryland, Inc. (CAMI), and sponsor of Buy Maryland Cyber, MDcyber.com, Jacoby kicked off his presentation by emphasizing just how prevalent cyber attacks are, and how much emotional and financial pain they can cause businesses.
The cost of stolen U.S. intellectual property, stolen funds, and other financial damages is estimated at $250 to $400 billion a year. We are up against formidable adversaries — criminals, terrorists, hacktivists, and global “darknets” with strong economic and political incentives, who are increasingly adept at using readily available tools to launch limitless cyber attacks, he said. And hackers have the cost advantage since it is less expensive to attack than defend. “I really consider this a war,” said Jacoby. So much so that he trademarked the phrase “World War C.®”
What does ‘cyber security’ really mean?
Finding no consensus on how to define cyber security, Jacoby wrote his own definition: “digital systems risk management.” Anything that is programmable is at risk for attack. Consider the hackers who took over the dashboards of Ford and Toyota cars, disabling the brakes and power steering. And the really scary thing about cyber attacks is that you can’t see them coming, said Jacoby. “When you think about cyber security, think of ‘digital carbon monoxide.’” Often, by the time you suspect a problem, the damage is done.
One of Jacoby’s goals for the seminar was to educate and motivate attendees to raise their company’s cQ — that is, “cyber intelligence” — and learn how to fight back against attackers. Research from the Pew Institute found that 70 percent of us think we’re secure enough online. We’re not. Vulnerabilities where the “bad guys” can get in are everywhere. Our software is insecure; a review of 2,289 enterprise software products from 539 vendors last year detected more than 2,000 highly critical vulnerabilities and 13,073 total vulnerabilities. There were 377 vulnerabilities discovered for iPhones alone.
And human behavior is inherently insecure. Most of us use the same password for everything, rarely change it, and don’t think twice about clicking a link in an email that appears to have been sent by our bank or similar vendor. (This is called “phishing,” and an even more targeted form of this attack is known as “spear phishing.”) In 2013, hackers stole usernames and passwords for nearly two million accounts at Facebook, Google, Twitter, Yahoo, and other social networks. Jacoby warned that social media is one of the biggest distribution channels for malware, with a 70 percent better chance of a hacker getting to you through social media than through email. He urged businesses to have a documented social media policy and monitor social networks for fraudulent accounts posing as your brand or executives.
What you can do to protect your information and your company
Finally, Jacoby shared some good news with the crowd: a Verizon study found that most cyber attacks (78 percent) use low or very low difficulty tactics. This means that it’s relatively easy to protect yourself from these types of attacks with the right awareness, tools, and training. A seminar handout gave attendees a guide to the top 20 critical security controls that companies can use as a checklist. You can download Jacoby’s guide to industry best practices for your own use.
Jacoby invited Chris Ensey, COO of Dunbar Cybersecurity, to share insight from a subject matter expert’s point of view. Ensey has more than 15 years of experience in the cyber security field, including positions with the federal government, at IBM, SafeNet, and SAIC. He started by telling the audience, “Cyber security is not a technology issue at its core. It is a people and process issue, predominantly.” And cyber risk management is important for businesses that want to stay ahead of the competition. “The better you are at it, the more competitive you’re going to be against your peers,” he said. To start thinking about cyber security, Ensey suggested that companies “put a target on their own back.” Consider the potentially valuable information your business is responsible for — which may be customers’ data or your own employees’ data — and whether it’s protected.
According to Ensey, a good place to start improving your cyber security is by enforcing better password and authentication policies and making sure you regularly download and install all of the updates and fixes for your software. However, Ensey cautioned, products do not equal security — “it’s about how you use those tools.” Thus, other practical steps you can take include creating a support team, training personnel about risks, and developing best practices regarding access to company assets as well as the use of social media and mobile devices. He also noted that since most of us are not cyber security experts, we’re wise to hire people who are. While just 2 percent of tech spending was on cyber security last year, it’s projected that spending will climb to 10 percent in the next couple of years.
The seminar concluded with a call to action: create and execute a cyber risk management plan for your company, urged Jacoby. Businesses in Maryland have the advantage of being located in one of the major centers of cyber security expertise, with many commercial providers having intelligence community and Department of Defense experience. “There isn’t a lot of that in other parts of the country, so we have a competitive advantage,” said Jacoby. “We have the best folks in the world to help you right here.” In the audience, in fact, were representatives from a number of local cyber security companies, including Alliance InfoSystems, CyberPoint International, NACON Consulting, and SilverRhino.
To learn more about protecting your company from cyber threats, read our post about protecting your data with cyber insurance and visit MDcyber.com, Jacoby’s free online directory of 80 world-class cyber security firms in Maryland. “Let’s engage these incredible experts we have right here to help us do what we need to do,” said Jacoby. In the process, he estimates, we will create 10,000 new jobs within three years, benefiting our local economy to the tune of $3 billion a year.