Cybercriminals are getting ever more creative, flexible and greedy. To defend themselves, organizations of every kind and size must persuade employees and vendors of two things: these crimes affect every corner of the business, and everyone in the business is on guard duty at all times.
This was the message of a panel of experts at the Oct. 7 Cybersecurity Summit hosted by Providence Business News and the Tech Collective. The theme of one of the day’s two breakout panels was how to build a culture of shared responsibilities in your organization.
This panel discussion followed a keynote talk in which Dan O’Day, director of Unit 42, Palo Alto Networks, described how quickly and cleverly cybercriminals are ramping up their activities, taking advantage of businesses’ greater exposure caused by remote work and reliance on the cloud for data storage, along with the refining of their own criminal business models.
O’Day offered several statistics from his company’s publication, “Ransomware Threat Report 2021,” to illustrate the spectacular growth in cybercrime since the start of the COVID-19 pandemic. For example, in 2021, O’Day said, the average ransom paid out has been $570,000, which was 82% higher than the previous year.
The major form of cybercrime is ransomware, in which criminals enter an organization’s computer systems and lock down all data, or make other threats, until a ransom is paid. The gateway into the computer systems, including data in the cloud, is often email or software.
The pandemic eroded good cyber-hygiene in some organizations, said panelist Jason Albuquerque, chief operating officer of Envision Technology Advisors LLC of Pawtucket. “Cybersecurity culture started to stagnate and decline when people were just trying to survive,” he said. “Organizations had to flip a switch and move to the cloud; they weren’t thinking about security.”
The first line of defense, the panelists emphasized, is a sense of shared responsibility by every person in the organization that cyber borders must be watched and defended.
“You need to have buy-in from the top down so that people are not afraid to report something suspicious,” said Providence-based Cindy Lepore, vice president and client adviser for the insurance firm Marsh McLennan Agency LLC and a specialist on cyber insurance.
“A strong cybersecurity culture has to be adopted across the organization,” Albuquerque said. This culture of knowing and applying security practices must turn into “muscle memory” for everyone who touches the organization.
Tony Faria, chief information security officer and security strategist for Consortium Networks in Boston, said workers must be trained in security practices and must know what is expected of them. And, he added, companies must find and use “the simplest way possible to embed security behaviors into day-to-day jobs.”
Outside influencers of various kinds can push and help organizations adopt cybersecurity practices.
Customers are a driver of security requirements, said Jon Fredrickson, certified information security manager, chief risk officer/corporate affairs at Blue Cross & Blue Shield of Rhode Island, as are state and federal regulations.
ALL THE ANGLES: Dan O’Day, director of Unit 42 at Palo Alto Networks, speaks remotely at the Cybersecurity Summit on Oct. 7 about the ways hackers are extorting businesses globally. The summit, hosted by PBN and the Tech Collective, was a virtual event.
Clients and customers also ask about a company’s vendor risk management policies and procedures, Albuquerque said.
The need for cyber insurance coverage is becoming a norm in business. Lepore said insurers require basic safeguards by their clients partly because “hackers are sophisticated and are working in different ways.”
Before insurers will renew cyber policies, businesses and other organizations may be required to have data encryption, multifactor authentication and other routine cyber-hygiene safeguards in place.
Businesses “must invest in security safeguards to be a better risk,” Lepore said. “Insurance carriers are educating organizations in what needs to be done.”
She encouraged businesses to reach out to cyber insurers for help in designing cybersecurity plans and teaching employees how to activate the plans. “Insurance carriers have procedures, sample incident [attack] responses. This is a whole new teaching for some organizations,” she said.
Albuquerque said businesses should not expect to handle this challenge alone. “Organizations cannot do this on their own,” he said. “They must make relationships with a village of insurers and security providers.”
Albuquerque noted that the U.S. Department of Homeland Security has said that no company or organization is immune from cybercrime. “Having insurance is no longer a choice,” he declared. “It is a business imperative.”
Fredrickson noted that all of this security planning and strategizing can be a heavy load on small companies that are doing their utmost simply to conduct their daily business. But, he added, small businesses generally would not have the resources to walk away whole from a cyberattack. He added that for small operations, “it doesn’t need to be a huge program; you don’t need 58 fire alarms.”
Faria agreed that small businesses still need to protect themselves, even if they feel that their size might keep them out of the line of fire. “Years ago, attackers were trying to find the biggest payday. Now it is opportunistic. Whether you are big or small, you should assume you are going to be attacked in some way,” he said.
Panelists were asked how business leaders can build an internal culture of cybersecurity.
Faria said most cybersecurity training is boring and “people hate it.” To turn this around, companies should “create training specific to the organization and … make training relatable to workers,” he said. “Explain why it is important. Make it a two-way dialogue. And management needs to carry the flag.”
Lepore said businesses should make sure that cybersecurity work touches every part of the business; it is not just the purview of the information technology department. For example, the human resources department could make cybersecurity part of the training for new hires. “Get finance, sales, and operations involved,” she added.
“Businesses can tailor messages so that they are relatable to the entire organization,” Lepore said.
Albuquerque suggested getting buy-in from workers by aligning this work to workers’ personal lives, such as protecting their families.
“Relate it to real life; relate it to home,” he said. “Start the conversation with learning and listening.”