According to a recently released report by the Florida Center for Cybersecurity, 41 percent of Florida businesses reported having suffered a security breach recently, and only 32 percent of companies surveyed are confident they are prepared for a cyberattack. Crain's Orlando and Crain's Tampa Bay asked six of the area's most knowledgeable experts to weigh in on cybersecurity issues affecting the state's businesses big and small over the next year.
Perry Carpenter is chief strategy officer at KnowBe4, a Tampa Bay-area provider of integrated security awareness training that helps businesses manage the human element of security by countering social engineering tactics.
Jon Edelstein is head of product at Orlando-based Finexio, a B2B payment network that recently completed a $4 million round of financing from existing and new investors, including Tampa-based Florida Funders.
Clay Posey is an associate professor in the Department of Management within the College of Business and a member of the Cyber Security and Privacy Cluster at the University of Central Florida.
Jeremy Rasmussen is chief technology officer and cyber director at Abacode, a cybersecurity products and services firm headquartered in Tampa Bay.
Adam Sheffield is campus director at the Tampa Bay headquarters of SecureSet, where he oversees its hands-on cybersecurity training program; he is the former associate director of the Florida Center for Cybersecurity.
Sri Sridharan is director of the Florida Center for Cybersecurity, a state government entity located at the University of South Florida that works to position Florida as a national leader in cybersecurity through education, workforce development, research and engagement.
Crain's: What’s the No. 1 issue that companies should be thinking about when addressing cybersecurity in 2018?
Edelstein (Finexio): The number one issue is the security of their vendors and partners. The most well-known breaches over the last five years occurred as a result of oversight, not directly on the part of the company in question, but as a result of the lesser oversight exercised by the companies they do business with. Copier machine companies, postage machine providers, and even your telephone and IT service providers all often have remote access to a company’s environments, and hackers know that compromising these suppliers is often a much easier way to gain access to your company’s networks. Businesses need to ensure that all of their efforts are mirrored by their partners and that any third-party remote access is very limited and cut off from access to much more sensitive information.
Carpenter (KnowBe4): The number one issue is the fact that [businesses] are immensely vulnerable to social-engineering-based attacks, which rely on human interaction and involve tricking people into doing something they ordinarily would not do or is not in their best interest, such as clicking a phishing link, [accessing] a USB from an unknown source or wiring funds to someone new outside of routine security procedures or policy.
The human vector is the path that attackers will continue to exploit in order to deliver whatever the threat du jour is. If not addressed, organizations will be affected by threats such as ransomware and CEO fraud.
Posey (UCF): Employees. Treat them well. Listen to them. Training is more than having them sit in front of a computer watching videos on actions they shouldn’t do in the workplace with technology. Employees can be a significant line of defense. Change your management perspective and influence from one where you expect your employees to want to harm organizational systems to one where promoting positive motivations is the norm. If you keep telling me I’m a dog, I might end up believing it myself, and when put into a corner, I could bite.
Sheffield (SecureSet): Easy answer: Education. We need to educate everyone, from administrative assistant to CEO. We need to create a culture of skepticism as it applies to information flow across platforms. We should all be afraid.
Sridharan (FC2): According to Phishme.com, last year saw a 2,370 percent increase in financial losses at the cost of more than $5 billion due to business email compromise. Cybercriminals target employees with phishing emails with the goal of accessing corporate data. The best thing a business owner can do is invest in cybersecurity training for all personnel and encourage a culture of cyber awareness across the company.
Rasmussen (Abacode): Unfortunately, I believe the new normal is the assumption of a breach. Modern systems are so complex and interconnected with so many points of entry, it’s almost impossible to plug every hole. So, I believe that having visibility, performing threat hunting, and continuously monitoring for indicators of compromise is the only way to deal with it. This is the most important thing for companies of any size.
Crain's: What’s the best way to bring your employees up to speed on cyberthreats and cybersecurity practices?
Carpenter: I always recommend a combination of security learning modules that cover the basic topics that an organization needs its employees to be aware of along with a strong program of simulated social engineering. The security-related information covers the bases when it comes to exposing employees to information needed for regulatory compliance, as well as some of the principles that you hope they will hold onto. The simulated social engineering is all about measuring and shaping security-related behavior. You want to tie the techniques together with the results so employees can make better security decisions, then practice spotting them within different contexts.
Edelstein: During the onboarding process, we educate our employees on a number of basic yet critical security practices, including strong passwords, two-factor authentication, excellent virus and malware protections, file encryption, VPNs, and more. But with the ever-increasing number of mobile, remote, and satellite workers, we go to great efforts to focus on the importance of securing those physical environments as well.
We often encounter businesses that have implemented excellent digital security measures, yet their workers routinely travel with or work from home with bank statements, checkbooks, and other sensitive physical materials. We once encountered a business whose [accounts payable] manager carried stacks of checks and remittances home every weekend to review them prior to mailing on Monday morning. We recommend that businesses pay close attention to the risks affecting their entire environment, and that includes those when workers travel or work from home.
Crain's: What technology will play the largest role in cybersecurity threats and protection going forward?
Sridharan: I think we have seen the beginning of the end for the password. Biometrics and multifactor authentication are more secure options and are rapidly replacing the humble password. We will start seeing the use of artificial intelligence to predict patterns of behavior in user interactions as another method of authentication. AI will also be used to help the tools that safeguard us online become smarter. As threats evolve, our safety measures will employ AI to learn to detect those threats earlier.
Posey: Like all technological advancements, artificial intelligence and biometrics can be used for both positive and negative purposes. While we might use AI to help drive our understanding of attack strategies, I don’t think it will be too long now before a number of external parties wanting to do harm also unleash AI to better understand how to infiltrate organizational networks.
With biometrics, there is a lot of hope in the area of authenticating users so that they can gain access to their organizations’ systems. Rather than passwords, you could soon be logging into your work systems using any combination of voice recognition, keystroke analysis, and iris recognition, among others. These options also raise issues of personal privacy, and how these data are stored to perform such a verification check becomes paramount. Losing your password is one thing; having your actual biometric data stolen is another. Passwords can be changed. It’s a bit more difficult to change your retinas or fingerprints.
Rasmussen: I have talked to a number of IT folks who believe that if they purchase an all-in-one tool that supposedly does everything for them — especially one of the shiny new ones that tout artificial intelligence and machine learning features — their networks will be secure. But the reality is that the solution must always be coupled with human interaction to maximize its effectiveness.
In 2016, the U.S. Defense Advanced Research Projects Agency created the Cyber Grand Challenge (CGC) to promote the development of autonomous computer systems that can discover, prove, and correct software flaws in real time. Among the lessons learned from the CGC was that machines are, as expected, very good at solving simple, repetitive and computationally intensive problems. However, more complex problems still require human ingenuity to recognize and address.
Crain's: What legislation will have/is having the biggest impact on cybersecurity threats and prevention?
Sheffield: We teach creativity out of our children and creativity is needed to confront this threat. The federal government recognizes this but needs to do more in terms of creating alternative pathways to this field. How do we create pathways for passionate individuals to enter this field? How do we provide pathways for continuing professional development? How do we build local communities around this effort? What we need is a community-driven, community-validated effort.
Posey: I firmly believe that a motivated hacker or organized cybercrime group will always find an entry point because we can never limit our risk completely. That said, while state and federal legislation are well-intentioned responses to threats, we also need a significant amount of cooperation among organizations in the public and private sectors as well as researchers and practitioners. We need to focus on ways that entities who have been affected by cyberthreats — especially those in the private sector — can share event information with similar organizations in a timely fashion to collaborate on appropriate responses.
One major step in this direction was issued a few years back from the White House as Presidential Policy Directive 21 on Critical Infrastructure Security and Resilience. Here in Florida, we have the Florida Center for Cybersecurity, which was established by the Legislature and is sure to continue collaborative discussion locally.
Sridharan: Businesses around the world are already scrambling to prepare for the European Union’s adoption of the General Data Protection Regulation (GDPR) in May 2018. Designed to give people more control over how companies handle their personal information, it will affect any commercial enterprise that processes data about EU citizens, regardless of the location of the business itself. While this is a positive step toward better safeguarding people’s personal information, it also places a tremendous burden on businesses of all sizes to invest in the resources needed to comply with these new standards.
Rasmussen: May is coming very quickly. Companies need to get serious about compliance because organizations found in breach of the GDPR — for example, by having insufficient customer consent to process data or violating the core of privacy-by-design concepts — can be fined up to 4 percent of their annual global turnover or 20 million euros ($24.7 million) — whichever is greater.
To be clear, the GDPR is not a cybersecurity regulation; it's a privacy regulation. However, privacy gets its enforcement teeth via cybersecurity, so companies will need to put cybersecurity systems and processes in place to comply. The sense of urgency must come from executive leadership. This cannot be a grassroots effort of the IT department. Cyber preparedness must be budgeted for and implemented across the entire company.
Crain's: How do you recruit and retain skilled cybersecurity workers in today’s market?
Carpenter: KnowBe4 has worked hard to create a great culture within the organization. As a result, we have won numerous "best place to work" awards. Employees actively promote the company to their friends and associates and about 50 percent of staff come from employee referrals. For security staff, it is important for them to know they will not be micromanaged and can have fun doing their jobs.
Rasmussen: I think a better strategy is to partner with a cybersecurity company that has specific expertise and can provide the services a company needs to complement its internal or external IT. With any sizable organization, proper governance dictates that you have two accounting firms — one that does your taxes and another that provides audits. Those two are always distinct for obvious reasons: separation of duties, checks and balances. It’s the same way with IT and cybersecurity. In this model, IT is like your tax accountant, and cybersecurity is your audit. The two are separate, distinct, and never commingled.