There are two types of companies. Those that have been hacked, and those that will be hacked.
-Robert Mueller, Former Director of the FBI
That quote, shared by one of the three panels in front of more than 120 people at the Global Connections forum on cyber security, served as the backdrop for how business should handle cyber security moving forward, with an important update to Mueller’s 2016 quote.
“That’s outdated”, said panelist Lee Araujo, merchant specialized sales senior director for Latin America and the Caribbean for Visa. “I think today there are only two types of companies. Those that have been hacked, and those that don’t know they have been hacked.”
A dim sentiment but the reality of the global digital environment. However, WorldCity’s forum of three panels and seven speakers shared many insights on how to approach the immense challenge of cyber security.
Ransomware is growing as a cyber attack of choice
The old model for hackers was to steal data from companies and sell it, but that requires making a sale or resale on the black market. The new, simpler model for hackers to profit is via ransomware, an intrusion that disables a company’s system until the company makes a payment to the hackers.
“It’s easier to get money,” said panelist Keith Novak, director with Kroll’s cyber security and investigations practice. “It’s not one person sitting in their basement doing this. These are people that go to the office everyday, much like you and me. They have revenue requirements they have to make. It’s a business. It’s truly a business.”
Companies don’t even know they’ve been hacked
“The astonishing figure that you have is that it’s 140 days until people know they’ve been breached,” said panelist Henry Gutierrez, investigations lead for Microsoft’s Digital Crime Unit. “You could have a large enterprise…where you have some kid in some outer office download an illegal game that has now infected your entire system.”
Gutierrez said it could also be as simple as an employee clicking on a harmful e-mail and not alerting anybody or connecting a device from home that has been compromised and not secured to a work PC. When instances like this happen, it often takes a long time to discover the outside penetration into the network.
Consequences for lax cyber security executives
Gutierrez said he once had the pleasure of being in the same room as former Secretary of State and National Security Advisor Henry Kissinger, who said life is about rewards and consequences.
“The problem is right now it’s just rewards and almost no consequences,” said Gutierrez about the state of corporate cyber security accountability. “If you were in charge of the vault at a bank, and everybody walked about with the money, you would be fired. Right now, data is that money.”
The need for cyber hygiene
Phishing is the fraudulent practice of sending e-mails purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers.
“Phishing is the start of 90 percent of successful cyber attacks,” said panelist Alex Crowther, senior research fellow and director of research at the Center for Technology and National Security Policy (CTNSP). “What we need is a universal cyber hygiene education…proper cyber hygiene can get rid of 85 percent of your problems.”
And it’s incredible how high up the food chain a lack of cyber hygiene can go. Crowther said the British just launched a new aircraft carrier, the largest its navy has ever made, and it is running on Windows XP.
“Organizations only do well what their leaders insist that they do well,” said Crowther.
The size of your company is irrelevant to hackers
“From this year’s (Verizon) Data Breach Investigations Report, 61 percent of break-ins that occurred across all organizations occurred in companies with less than 1,000 employees,” said panelist Bhavesh Chauhan, principal client partner and security evangelist within Verizon CTO organization. “The bad guys don’t really care who they steal from.”
Chauhan said organizational solutions include implementing a hybrid IT infrastructure model, whether the organization is doing that in-house or outsourcing.
The enormous demand to fill jobs in cyber security
“We’re looking at a 2 million person shortage in information security professionals by 2020,” said panelist Brian Fonseca, director of the Jack D. Gordon Institute for Public Policy at Florida International University.
Part of that challenge, Crowther said, is not only recruiting but retaining these high-demand positions. In the past, the U.S. military knew it would have a need for pilots when all of its current pilots’ contracts ended and many moved to the private sector as airline pilots. Why not do the same with cyber security professionals? Recruit twice as many now, for a need that is only growing in the next few years.
The 5th (and next) revolution in IT is security
Take an enterprise IT professional and a cyber security professional from 20 years ago and put them in a cave. If they came out today, the enterprise IT professional would not understand anything, but the cyber security professional would see the fundamental characteristics of his time, like firewalls and VPNs. That was the anecdote shared by panelist Manny Medina, chairman and CEO of Cyxtera Technologies, who was also CEO of Terremark Worldwide before it was acquired by Verizon in 2011 for $2 billion.
Medina is also the chairman and CEO of Medina Capital Partners, an investment firm focused on funding technology companies for the public and private sectors.
“The next revolution is security, because security hasn’t fundamentally changed,” said Medina, noting the firewall was invented in 1988, the VPN in 1998 and nextgen firewall in 2012.
Medina’s latest venture, Cyxtera, is in the midst of just that – fundamentally changing how cyber security as we know it functions.
Thanks to our sponsors: