PROVIDENCE – The massive data breach at Equifax earlier this year was a hot topic during Tuesday’s third annual Cybersecurity Summit hosted by Providence Business News at the Crowne Plaza Providence-Warwick.
A panel of insurance executives, academics and police with expertise in internet security faced a nearly white-knuckled audience of managers from private business and government dealing with the rigors of keeping data private and safe online.
The specialists’ advice ranged in simplicity from training employees to guard against hackers slipping into data bases by posing as legitimate persons, to deep vetting of the small print in cyber insurance policies and contracts with iCloud vendors.
Discussion during the three-and-a-half-hour summit covered two main areas. The first was preparation and protection, that is, using software, training, smart vendors and insurance to shield a company from the damages of a data breach.
The second area was responding to a breach of data, reporting it to proper authorities, and mitigating the damage.
The data breach at Equifax last spring – exposing personal financial information of 145 million Americans – was by far the most widespread of any such breach. Matt Cullina, CEO of CyberScout, called it a “game changer” in cybersecurity.
Jeff Ziplow, cybersecurity risk assessment partner with BlumShapiro, said a grave consequence of the Equifax breach was that it let out into the cyber universe two pieces of information that do not change: people’s birth date and Social Security number.
Latest trends in cybersecurity include a larger “attack surface,” meaning the number of routes that hackers can use to enter data banks and otherwise snatch information, said Mike Steinmetz, state cybersecurity officer.
The attack surface includes a growing panoply of the Internet of Things, or mechanisms that can be managed remotely, say, from your smartphone, over the internet. Examples include home heating and cooling systems and refrigerators.
“All of these things can be hacked,” said Steinmetz. “This can adversely affect our well-being, safety and privacy.”
Panel members offered advice about protecting oneself and business from attacks that include spear-phishing, when bad actors get into your system by posing as known persons and making requests or giving orders through email; or ransomware, when hackers lock up your records and demand a ransom to free them.
“If you don’t have backups, get them soon, said John Alfred, a captain with the R.I. State Police and head of the Joint Cyber Task Force. “Backups should be off the network.”
Another safeguard is to encrypt sensitive information before exposing it to the internet. A question from the audience about a company’s practice of placing personal information on a PDF and emailing it raised an immediate, visceral groan from Linn Foster Freedman, a partner with Robinson+Cole. “You never send personal information unencrypted through the internet,” she said.
Preparation before a hack also includes creating a crisis-management team ready to respond if an attack happens, said Jerry Alderman, president of New England region property & casualty, Marsh & McLennan Agency. That response is critical, and includes many elements, including when to report the attack and to whom, how to deal with insurers from whom you should have bought cybersecurity insurance already, and how to handle reporting to people whose information was exposed, and to the public.
Asked about resources companies can use to get informed and prepared to secure their information, panelist Francesca Spidalieri, a senior fellow for cyber leadership at the Pell Center at Salve Regina University, mentioned the Pell Center and the cyber studies departments of Rhode Island’s colleges.
Alfred also encouraged the audience to become involved in the work of the Joint Cyber Task Force, which meets twice a month and welcomes public participation.
Mary Lhowe is a PBN contributing writer.
