National Cybersecurity Awareness Month may be over, but its messaging and call-to-action is not.
National Cybersecurity Awareness Month was launched by the National Cyber Security Alliance and the U.S. Department of Homeland Security as a concerted effort to help Americans stay safer and more secure online.
Former (and the first female) White House CIO, securities expert Theresa Payton was the keynote speaker at a recent ASCII conference attended by WCA Technologies. She gave the audience members invaluable insights on the businesses most susceptible to cyberattacks, the catastrophic threats our country could face, and enticed the nation’s youth to pursue a career in cybersecurity.
According to Payton…
…more than half the victims of malware attacks are small businesses, a rate first reported in 2017 and projected to continue through 2018.
…over 90% of malware is received through email. Although technology jobs have evolved during the past 14 years, security remains a problem because the security system is broken.
ASCII Audience Member:
We can’t expect customers to be completely trained on all the security software that’s out there. Instead of blaming the end-users, shouldn’t we focus on making the products we offer our clients better?
Agreed. Instead of saying the human is the weakest link, the industry should adapt and integrate new technologies with the understanding that the technology by design is open and processes humans use are flawed, and therefore significantly vulnerable to breaches. Some data breaches are worse than others. We applied a segmentation strategy at the White House to avoid breaches and to ensure, that if one happened, we could recover. While I had to track data ranging from the seemingly mundane such as the number of chicken breasts consumed at an event to the mission critical, such as the president’s schedule, each digital asset had to be treated differently; chicken breasts were not as critical as the president’s schedule. I created zones of levels of trust. The zones could range from open trust, to some trust (such as for the chicken breasts), to zero trust (such as the President’s schedule). For the President’s schedule, we highly segmented it so that it was operationally unfriendly for us in our back office, not for the President of course! We did so to ensure that we could protect the data if it were attacked.
A simple way small business can use segmentation is by setting up different domain names: one domain for your company name so people can find the business and its products and services easily; a second domain that you do not promote publicly, for transferring money, leasing or buying equipment, or intellectual property; and a third domain with a different set of credentials that would be used for more sensitive and critical assets; i.e., bank accounts for payroll.
Creating a segmentation strategy helps create a safety net for your customers / employees and the cost to set up a new domain name is minimal compared to the damage ransomware and other data breaches impose. One of the largest under-reported crimes right now is business email compromise that typically turns into wire-transfer fraud. Second under-reported crime is ransomware. Segmentation will assist businesses large and small in preventing both of those instances.
ASCII Audience Member:
What are the odds that we can reduce the value of what is stolen?
Using credit cards as an example — there is the actual credit card number, the expiration date, and the code on the back. A few ways to make that information less valuable are:
- Do not store all these data elements in the same place
- Possibly use tokenization for payments. With tokenization, the customer does not send the number on the card instead it generates a random number associated with the card for a one-time use; once used it cannot be used again
- With commercial banks you can ask for a deposit only account number that links back to the main corporate bank account. This would ensure that monies could not be withdrawn for that account
- Tokenization of the social security number to check IRS tax returns. A unique number is generated to check the IRS returns. Once used it cannot be used again
The technology already exists and can be used in many instances.
ASCII Audience Member:
With so many data breaches happening, we use fear to entice clients to use and buy our security services — vendors use these same tactics to sell to us. How can we go beyond this method to generate new business and get new clients?
That poses a great point — there is databreach fatigue. First, it was compliance, then it was risk, then fear, uncertainty, and doubt. The way to go beyond the fear tactics is to focus on operational resiliency. Specifically, how to prepare for, and survive natural and man-made disasters. Request that clients practice becoming a victim of ransomware; have the IT team do a real restore. Practice some type of data breach incident, faux business email compromise. Focus not on the scare, but how operationally successful they will handle those instances.
ASCII Audience Member:
When 9/11 happened, in all honesty, nobody expected it. We weren’t prepared. What is the country’s disaster continuity plan? What are your thoughts on that, because that tsunami is coming?
National and international groups such as the FAA and the Energy Industry all practice for and prepare as best they can for these types of disasters. Those exercises happen nationally and internationally, twice a year, and are taken very seriously and are very plausible. Should something happen, we are not going to have instantaneous recovery, but each year we learn something new and close gaps.
Theresa Payton keeps cybercriminals up at night, and most of her colleagues are convinced she never sleeps. She leads a team of some of the world’s best white hat hackers and intelligence analysts who have dedicated their lives to avenging the crimes committed by the most notorious of cyber criminals. We can find solace in knowing that Theresa Payton and her team are relentless in fighting criminals.
A technology wizard, Payton is a graduate of UVA’s Master of Science program in Information Systems, graduating Cum Laude on scholarship from Immaculata University, earning two degrees and a certification in computers. Payton was hand-picked to serve as the first female Chief Information Officer under former President George W. Bush’s administration.
At the White House, Payton ushered in a new age of digital innovation and security for our nation’s crown jewel. Theresa Payton is sought out by national and international executives and media news outlets to explain complex security issues and was named 4th by IFSEC Global among the top 50 cybersecurity professionals in the world, and by Security Magazine as one of the top 25 Most Influential People in Security.
Payton has won numerous awards and accolades for her crime fighting, from the 2018 FBI Director’s Community Service Award to being named a President Clinton Distinguished Lecturer from Public Service. As the Deputy Commander for the CBS show “Hunted”, she has the chops to lead teams both on-and-off screen. When someone wants to hide from Theresa, they can’t — she literally wrote the book on hiding. Payton co-authored two best-selling books, Protecting Your Internet Identity: Are You Naked Online? and Privacy in the Age of Big Data.