BOSTON -- You may be the victim of a data breach.
Even if you work in an old-school office, where records are still on paper, sensitive data can be picked up by a cleaning crew or accidentally recycled instead of shredded.
"We're talking about information security," said Candy Alexander, a former CISO and independent consultant. "You can remove the technology piece out of it and go back to paper, but you're still vulnerable. You still have vulnerabilities."
With public leaks of data happening with disturbing regularity -- electronic files of the Democratic National Committee, Olympians' medical records, former Secretary of State Colin Powell's private emails -- data breaches are a force to be reckoned with, said Alexander, who moderated a discussion Thursday about cybersecurity. A panel comprising vendors and technology execs detailed steps organizations need to take to protect their data from cyberattacks today, including promoting security awareness among business users and implementing the right technologies.
The talk was sponsored by the Boston chapter of Women in Technology International and held at the downtown office of online video platform provider Brightcove.
The average cost of a data breach, according to a 2016 Ponemon Institute study, is $4 million, Alexander said, a sum that has increased 29% from 2013. That's because 48% of breaches are the result of malicious attacks -- as opposed to, say, negligence -- which hit more areas of a business and cost more to investigate and remedy. And the likelihood of an organization being hit by a breach over 24 months is an eye-opening 26%.
Source of cyberattacks today: People
CIO Patty Patria said the majority of breaches stem from someone doing something wrong.
"It's somebody being malicious, it's an employee that's not happy -- there's always a human component," said Patria, who leads IT at Becker College, in Worcester, Mass. "So you have to start there. You want to make sure you have good education programs in place."
People also make honest mistakes -- they click on an enticing, infected link, for example. Training can help there, too, said Michelle Drolet, CEO at data security company Towerwall.
She talked about organizations' need to communicate to employees the seriousness of cyberthreats -- and they should do it in a way that reaches every demographic, from fresh-out-of-college Generation Z to their Millennial elders to 30-year veterans. That could mean putting the message out in tweets, instant messages, on posters and in newsletters.
Or it could mean some degree of social manipulation -- an organization doing phishing attacks on its own users, for example.
"I challenge everybody to do that and look at technology that does that," Drolet said, referring to tools that simulate the defrauding technique. "Because what a great way for somebody to go, 'Holy shoot -- I just clicked on that!'"
Know what to protect
Janet Levesque, CISO at security company RSA -- newly acquired along with its parent company, EMC, by Dell -- pointed to process as well as people as part of a cybersecurity strategy. She said it's important to realize from the get-go that organizations can't give everything the same level of protection. They should assess all their assets, measure the value each brings -- and act accordingly.
Organizations will likely pour more resources into safeguarding information such as payroll, employee-benefits records and customer data, Levesque said.
"Unless you have unlimited dollars and unlimited resources and unlimited time, you really have to be able to prioritize to be able to know what you're going to protect," she said. That is even more important today, as more and more internet-connected devices are plugging into companies' internal networks.
"It's exponential," she said. "We're talking billions of endpoints rather than hundreds."
Fire with fire
Technology was on the mind of panelist Gary Miliefsky, CEO at SnoopWall, which sells breach prevention technology. First on his list of must-have tools was encryption, an encoding technique needed to prevent common attacks such as spear phishing, which targets a specific organization. He cited cyberattacks at the U.S. Office of Personnel Management, which had as many as 18 million records compromised, and health insurance company Anthem, with nearly 80 million records.
"I could name breaches all day," Miliefsky said. "The data wasn't encrypted."
Some of the technologies Miliefsky said organizations needed to counter cyberattacks today were old standards: password management and multifactor authentication, which grants users access only after they provide two sets of credentials. Another is a newer technology called a honeypot, a decoy computer system that can detect and deflect hijacking attempts.
It fit into Miliefsky's advice for organizations, which have numerous points of entry for hackers, including mobile devices belonging to employees, the trend known as bring your own device.
"Go on the offense and stop reacting," he said. "Maybe you set up a honeypot. Maybe you trap the super hackers. Maybe you learn about BYOD before the next smartphone comes in the building."