During the past 12 months, major security breaches at ATMs, in email systems and in Twitter accounts have filled the news. The crimes have touched banks around the world, The New York Times and a variety of corporations, including Jeep and Best Buy.
At this year's Fusion CEO-CIO Symposium in Madison, Wis., former White House CIO Theresa Payton and former federal Cybersecurity Coordinator Howard Schmidt offered advice for reducing security vulnerability and managing risk.
Protect what's most important
One of the biggest misconceptions CIOs and CISOs have about cybersecurity is that all assets can be protected at all times, Payton said. Covering all bases at all times is impossible, and the focus, therefore, should be on protecting a company's most important assets. Think of this approach as akin to what the Secret Service does, said Payton. An agent's job is to protect and potentially take a bullet for the president and vice president. The protection of the two top office holders is the top priority because it ensures the continuity of government. Everyone in the proximity of their circle of protection benefits, but keeping them safe is the goal.
"Everything we did was focused on those two physical assets and how we protected the digital assets that made up those two individuals," Payton said. "You can't protect it all; a memo and staff meeting minutes are not the same as your intellectual property, so when you look at cybersecurity, always start off asking this question: How are we protecting the president and vice president of our assets?
In her current role as CEO of cybersecurity consulting firm Fortalice LLC, Payton's first question for clients is to name the two assets that would cause the company to cease to exist if they were compromised. Often she gets different answers form different employees. "The first step is you have to decide what those assets are. The second step is you have to focus on them."
Cybercrime stats: Payton runs the numbers
416 days: Average number of days a hacker goes undetected in a network
90 to 120 days: Average length of time security teams keep logs
90 seconds: How often a new variation of malware is created
12%: Research consultancy Gartner's suggested percentage of employees focused on security
3%: Actual average percentage of employees focused on security
Companies most at risk for security breaches are those where cybersecurity is seen as a concern strictly for the IT organization, Schmidt said. "The companies we see on the news are ones that have effectively not had these conversations in the C-suite: Cybersecurity is not in the boardroom; it's relegated to a technology issue -- install a patch and make it go away," he said.
It's vital that C-suite and boardroom members understand that when breaches happen, business processes fail.
"You have to educate them, you have to constantly be feeding them information," Payton said, suggesting that CIOs and CISOs use breached companies as learning guides. "Just do a few cases that hit the news with a couple of talking points: 'This is why we've been doing XYZ -- to avoid being like that company in the news.' It's things as simple as that."
Money, by the way, is rarely the main issue in security failures, in Schmidt's experience. And those looking for some kind of security spending benchmark are wasting their time: You can hope that assigning a certain percent of the IT budget will have a corresponding effect on risk reduction, he said, but it doesn't work out that way. Risk mitigation depends on what protection you already have and how the threat landscape is evolving. It requires constant vigilance.
Train employees by appealing to their hearts and minds
Citing two years' worth of documents from her company's work with clients who had experienced breaches, Payton said that in 90% of the cases, the hacker didn't need to be very sophisticated: An unwitting employee had allowed them in by clicking on a link or opening an email. This percentage also lines up with figures Schmidt has seen in every sector, including the government. About 85% to 90% of the time, successful intrusions into systems are based on internal human error.
"You may have heard the term APT -- advanced persistent threat -- a sort of code word when people talk about China and other parts of the world," Schmidt said. "Well, in most of these cases I agree with the P and the T, but the advanced piece? No, it's hacking 101."
Studies also show that the most successful cybersecurity defense is education and training. That doesn't mean antivirus software isn't important and necessary, but it can give a false sense of security to employees, Payton warned. People are not as apt to click on a link or open an email once they learn that antivirus software only catches one out of three "bad guys."
Many companies are hip to the idea that training improves cybersecurity, and yet they still fail to have a positive effect, because they're doing it wrong, Payton said. Computer-based training and informational email are the most common approaches Payton sees, and they're also the least effective. When social engineering comes into play, even when employees know they're going to be tested on what they were told -- that, for example, they'll be getting email designed to trick them -- they still fall for it. One government agency tried this tactic and realized a 70% failure rate. The following year it went down to 60%; another year passed and it was still 40%.
"You can tell them, 'I'm going to trick you into giving me the corporate jewels,' and they'll do it, because educational awareness doesn't work," Payton said. "You're not getting at the mind and the heart; you have to start with them as a person."
This is where innovation and creativity in the IT organization can make a difference, Payton said. She recalled an example from her days as White House CIO. The problem: When employees would lose or misplace government-issued BlackBerry devices, on average they would wait 18 hours before making a report to IT. It was an unthinkable amount of time for a device toting government data to be AWOL. Payton tasked her team with slashing that time -- cost and politics be damned.
It didn't take them long to figure out why employees balked and endlessly retraced steps, Payton said. It was because they feared being in violation of the long, sternly written security policy they'd signed. That was the problem. And the way to solve it, her team decided, was a White House version of a McDonald's Happy Meal. Rather than a lengthy security spiel that ended with signing the foreboding contract, employees would be handed a bag with their BlackBerry, filled with assorted White House swag and a laminated card asking them to please contact IT if the BlackBerry was lost so they could wipe the data clean and issue a new one.
The swag bag was fun and unexpected, the security briefing was actually brief and the message on the laminated card was unintimidating. The average reporting time for a missing BlackBerry dropped to two hours. And there was an unintended bonus as well. Once word got around about the "Happy Meals," more and more departments started demanding the security briefings.
"Really think about how to train your employees by reaching their minds and hearts to be safe in their personal lives and to be safe in protecting your most important assets," Payton said.
Let us know what you think about the story; email Karen Goulart, Features Writer.