Cyberthreats are continuing to grow, despite the significant efforts made over the past year to educate both business sectors and the public about ways to protect important data from hackers, according to the panelists who participated in the 2018 PBN Cybersecurity Summit in front of 200-plus attendees at the Crowne Plaza Providence-Warwick.
Furthermore, panelists at the Oct. 11 event said most organizations, large and small, are still in a “reactive mode” in dealing with those threats.
In opening remarks, Nina A. Kollars, associate professor in the Strategic and Operational Research Department of the U.S. Naval War College in Newport, said the college is having issues similar to those of the U.S. Department of Defense and the U.S. Navy with regard to keeping the data flowing through machinery confidential.
Kollars cited a cybersecurity report by the U.S. Government Accountability Office – released earlier this month – that said all Pentagon-based weapons are “hackable” after basic cyber-penetration testing was conducted for the report. The report’s summary cited the Department of Defense’s “late start in prioritizing weapons-systems cybersecurity.” The DOD is “still determining” best practices on addressing cybersecurity, according to the summary.
Kollars also mentioned the incident where Chinese hackers compromised computers at the Naval Undersea Warfare Center in Newport this past winter and stole significant data, including classified plans to create a new missile for use by 2020. Kollars said a contractor took the classified data from a secret system and “put it on a public system” that was breached by the hackers.
“We’re all equally having this challenge in dealing with security protocols,” Kollars said. “Everyone is having this same problem and we can all learn from each other.”
Francesca Spidalieri, senior fellow for cyber leadership at the Pell Center for International Relations and Public Policy at Salve Regina University, told attendees that people are becoming “increasingly more [dependent]” on communication technology by connecting more devices to the internet. With that increase in dependence comes an increase in the threat of cyberattacks, Spidalieri said.
There are three threat vectors that compromise data. Phishing is a spam-like message sent in a mass email to a large audience. Spear-phishing is a form of phishing in which messages appear to come from a reputable sender but target specific email recipients.
Then there’s ransomware, software sent to block computer-system access until money is paid to unlock it. Jeffrey Ziplow, a cybersecurity risk assessment partner for BlumShapiro, which has a Cranston office, recalled that a small business recently suffered a spear-phishing attack in which a vendor claimed it had an invoice for $150,000. The business, Ziplow said, sent the $150,000 to the bank account the vendor claimed to have opened, which could’ve been avoided by one simple step.
“If someone had picked up the phone and made a call to the vendor, then they would have realized something is not right,” Ziplow said.
Breaches, in general, are very costly. According to data Spidalieri provided, cybercrime costs the global economy as much as $600 billion annually and the average data breach in the U.S. costs $7.9 million. Breaches are also time-consuming, with the average organization taking 197 days to identify that an incident has occurred and 69 days to contain it.
Additionally, small and midsized businesses are considered “prime” targets for hackers, Spidalieri said. In her data, 58 percent of malware victims last year were small businesses and more than two-thirds of small businesses would permanently close if they suffered a cyberattack.
“Small and medium-sized businesses have that attitude where they think ‘We’re too small; we’re not really a target,’ ” Spidalieri said. “That attitude is the biggest weakness they have because they don’t pay as much attention as they should.”
Spidalieri also said during the discussion’s Q&A portion that nonprofits are very prone to cyberattacks, as they regularly seek donations and may not have proper funding to protect themselves. She suggested nonprofits should be “proactive” in being protected, and the organizations could seek free advice and cybersecurity services.
Among the ways to be more proactive in combatting cyberattacks is for companies to perform their own risk assessments, Ziplow said. He said companies should identify what vital information they are trying to protect and where it is stored, and more importantly, how it is being protected.
“Once we know where [the information] is and who has access to it, then we can protect it that much better,” Ziplow said.
Wade Chmielinski, assistant vice president and cybersecurity consultant for Johnston-based FM Global, said it is “critical” for a company to involve its executive team in building its cyber protection. He said establishing relationships between risk managers and information technology teams to bring “transparency and accountability” to those cyber-risks is “very important” for organizations to focus on.
Paul Dacey, the associate director for Bryant University’s Executive Development Center, said after the panel discussion that the university currently does internal training for users on cybersecurity, creating a “first line of defense” against phishing attempts.
“While I may not be in a technology role, I understand what our tech team is dealing with on a regular basis,” Dacey said.
Panelists also suggested taking small steps on a regular basis to improve cybersecurity, such as having independent audits conducted, regularly backing up information, installing new antivirus software and choosing strong passwords. Marissa Izzo, a senior IT specialist for Providence-based Westminster IT who attended the summit, said it is very commonplace for businesses to keep the same login passwords at their work for extended periods of time.
“I have businesses [as clients] who have kept their passwords the same for the last 15 years,” Izzo said. “They won’t change them or don’t want to change them. People need to change their passwords more frequently or have different passwords for different logins.”