Perhaps the most important takeaway from a School of Business cybersecurity event in October is that protecting your company — from thieves, hackers, enemy nations, even insiders — is a never-ending battle.
“Cybersecurity is a game of chess where you’ve taken the kings off the board. Sometimes you’re ahead, sometimes the attackers will be ahead,” said Mark Lobel, a principal at PricewaterhouseCoopers. “That’s why it’s so important to put your governance, your processes and your people in place before you invest in technology, so that your technology will actually be effective.”
Lobel, the U.S. and global practice leader for technology, information, communications and entertainment at PwC, headlined “Closing the Threat Gap: Executive Perspectives on the Cybersecurity Landscape” with Dr. Larry Ponemon, founder of the Ponemon Institute that produces some of the most respected data on global cybersecurity.
The event, which included a panel discussion with experienced practitioners, examined changing trends in how companies battle cyber attacks and considered the tone at the top of businesses of all sizes in safeguarding systems. This is an area of improving strength at the School of Business, which is able to leverage Stevens’ legacy of innovation in thinking about the challenges corporate leaders face today and tomorrow.
'A constant state of change'
“The cybersecurity landscape is in a constant state of change, as defenders constantly shift their strategies to meet the challenges posed by evolving attacks,” said Dr. Paul Rohmeyer, an industry associate professor at the School of Business who coordinated the event. “Employers are looking to the kind of expertise offered by Stevens to help combat attacks, and also to better understand how cybersecurity is a bottom-line issue for CEOs today — not just a back-office function.”
Among the topics examined by the speakers were the disconnect between the top and bottom of the organization on cybersecurity needs, the rise of attacks coming from nation states, and the poor internal controls at many companies — from employees opening malicious attachments to unsecured technologies, like printers and copiers, that can be hacked to steal trade secrets.
In his exhaustive survey of nearly 700 people in IT and security, Ponemon said the people battling attackers on a daily basis are crying out for resources that aren’t being delivered.
“The people in the trenches say they need more people, more tools, but the CFO says they’re overstaffed in IT,” Ponemon said.
Technology alone can’t solve these problems, Lobel said, as technology going head to head with attackers “will lose every time” as criminals change their methods and strategies to exploit new loopholes.
“People are just so wonderfully gullible, we are just so easy to fool,” Lobel said. “In every forensic incident we investigated, the problem started with phishing, with malware installation. End user training and awareness should be your first dollar spent, even before you’re doing external penetration tests.”
The surveys of both Ponemon and Lobel indicated that, to no surprise, attackers have been busier, but less successful at inflicting financial damages, at least at larger employers. Small and midsized companies, which lack the resources to dedicate people and systems to fighting cybercrime, are taking the hit.
A cultural challenge
In his audits, Ponemon said, nearly 70 percent of companies have pointed out deficiencies in security — “so they know, but aren’t doing anything about it,” he said. And given that most problems begin with rank-and-file employees falling victim to phishing schemes, it’s an issue of organizational culture: “You want to push that responsibility down through the business, but you also need a person who has that ultimate responsibility on security,” Ponemon said.
When the threat is external, it’s a much more serious game, Ponemon said. Nation state attacks are rising, according to his survey, and the more sophisticated technology in play makes them a dangerous threat. And counterattacking, which might work against certain attackers, could provoke a war against a hostile nation.
During the panel discussion — which included Mike Miracle, senior vice president of marketing and strategy for BlackRidge Technology, and Michael Frank, a Stevens adjunct professor and an experienced manager in the cybersecurity space — the speakers took audience questions about how to stay ahead of attackers and how to make the case for funding before the C-suite, among other topics.
Miracle said it’s a challenge for IT teams to get the attention of CFOs, who are “just concerned with compliance, they don’t want to be best in breed.” He called that attitude “corrupting,” and added that “we have to get CFOs to sleep less” when it comes to security.
The seminar was held as part of the U.S. Department of Homeland Security’s National Cybersecurity Awareness Month, and was co-sponsored by Fasoo and the New Jersey Technology Council.