WARWICK — Awareness of hackers and cyber breaches has increased since last year, coinciding with educational efforts directed at various sectors and the public, but cyberthreats are continuing to grow and get worse, according to the panelists who participated in the 2018 PBN Cybersecurity Summit Thursday at the Crowne Plaza Providence-Warwick.
Furthermore, panelists said most organizations large and small are still in a “reactive mode” in dealing with those threats.
Across two discussions Thursday, the cybersecurity panelists touched on a wide array of subjects, from cyberthreats and trends, to identifying vulnerabilities and developing a strategic plan to handle breaches, to exploring insurance policies and safeguarding international relationships and transactions, among other topics. Participants also submitted written questions to the panelists for feedback.
Opening remarks were given to the nearly 200-person crowd by Nina A. Kollars, associate professor in the Strategic and Operational Research Department of the U.S. Naval War College.
The first panel, “Designing Cybersecurity’s Strategy: Moving from Detect and Defend to Predict and Prevent,” featured four panelists: Wade Chmielinski, assistant vice president, cybersecurity consultant for FM Global; Jason Farmer, senior solution manager for Risk Sense; Francesca Spidalieri, senior fellow for cyber leadership at the Pell Center for International Relations and Public Policy at Salve Regina University; and Jeffrey Ziplow, cybersecurity risk assessment partner at BlumShapiro.
Spidalieri told attendees people are becoming “increasingly more dependable” on communication technology by connecting more devices to the internet. With that increased dependence comes an increased threat of cyberattacks, Spidalieri said.
Such breaches are also very costly. According to data Spidalieri provided, cybercrime costs the global economy as much as $600 billion annually and the average data breach in the U.S. costs $7.9 million. Breaches are also time-consuming, with the average organization taking 197 days to identify that an incident has occurred and 69 days to contain it.
Among the ways to be more proactive in combating cyberattacks is for companies to perform their own risk assessments, said Ziplow. He said companies should identify what vital information they are trying to protect and where it is stored, and more importantly, how it is being protected.
“Once we know where [the information] is and who has access to it, then we can protect it that much better,” Ziplow said.
Chmielinski said it is “critical” for a company to involve its executive team in building its cyber protection. He said establishing relationships between risk managers and information technology teams to bring “transparency and accountability” to those cyber-risks is “very important” for organizations to focus on.
The second panel, “Cybersecurity Best Practices for Today & Beyond,” featured Colin Coleman, partner at Partridge Snow & Hahn; Cindy Lepore, client executive, business insurance for Marsh & McLennan Agency; Larry Selnick, director, treasury and payment solutions at Webster Bank; and Eric Shorr, president of Secure Future Tech Solutions.
The panel stressed that employees are often the first line of defense, and the first attacked when cyberthieves come calling.
“Our employees are our biggest threats. So it’s mission critical to make sure that from the top down, from the CEO to any computer user in the organization, gets appropriate cybersecurity training,” said Shorr.
That also goes for small businesses, he said.
Five key areas businesses should focus on, he said, include phishing attacks, where people are tricked into clicking on links in email that grant access to company machines and data; compromised passwords; malicious links on websites; and unusual activity on a computer, which is a signal of a compromised system.
“Pick up the phone. The phone is a great tool,” Shorr said. When something doesn’t seem right, or you notice unusual activity on your computer, you should bring it to an IT department member immediately, he said.
The dark web, Shorr said, is full of data reaped from people and businesses that failed to protect themselves in one of these areas.
Lepore pointed out the importance of maintaining an environment where speaking up is encouraged and the safe thing to do for employees. Businesses need to know the moment there’s a potential security breach.
“We’re all human,” Shorr agreed.
Lepore pointed out the risk of social media interactions, through networking sites like LinkedIn, where cyberthieves will work to manipulate C-level executives into giving away information that can be used to compromise a business’s data.
The panel also asserted that business leaders should reconcile themselves to the idea that some of their sensitive data is already compromised, that some of it will be, and plan accordingly.
Lepore said that, according to a Marsh & McLennan Agency survey of C-level executives at about 1,140 companies, 50 percent did not have a plan in place to handle data breaches. “Which is very alarming after everything that we heard, just from the panel,” she said.
Having such a plan, including how to alert customers and clients that their information has been compromised, is essential, panelists said.
“It is your liability,” Lepore pointed out, noting that policies can protect against damages from stolen personal information and intellectual property.
“Everyone’s nervous about it, for good reason,” said Coleman.
Without a plan or insurance protection against compromised personal data, Lepore said, businesses risk serious damage to their reputation, as well as significant financial loss.
“These policies have proven to be effective, paying out more than $200 million,” she said.
Coleman said a “playbook” for responding to cybersecurity breaches is essential for businesses. The playbook should be regularly tested with drills and reviewed often, he said.
“Make sure it works. Make sure people know their roles,” Coleman said.
Selnick spoke about the importance of staying on top of your business transactions, most of which are now conducted online. The average time between a breach of a business’s system and irretrievable loss of money is about two hours, he said.
“We can help, but we have to know about it very quickly,” Selnick said.
Being that responsive to breaches requires planning up front, setting up tiered security with your bank, he said.
Congressman James R. Langevin, D-R.I., praised the attendees for their attention to the threat of cybersecurity breaches. He said he wasn’t himself convinced of the threat’s importance until 2007, when he learned it was possible to use cyberattacks to cause generators in power plants to explode by taking over their controls.
But, he said, the problem is one that won’t be neutralized, given the nation’s reliance on the internet and its continuing innovation.
“Cybersecurity is not a problem to solve. We have to look at it as a threat that can be managed.”