CYBER SECURITY – SEE SOMETHING, SAY SOMETHING. Those were the words of advice from a panel of experts presenting on what you are doing that you shouldn’t be doing and what you are not doing that you should be doing related to cyber security.
The panel of experts in the field included JD Harris from Ascent Solutions, Brandon Liner from Nology Networks and Chad Boeckmann from Secure Digital Solutions. The moderator was Kristin Dean from Arctic Wolf Networks. The gracious host of the event was Stuart Shwiff of Insperity.
One of the initial discussion topics was how companies get started with cyber security plans. The panelists agreed that it started with understanding the business, as cyber security is not just an IT issue. They noted that there are at least five cyber security items boards must know about. As a board member, are you aware and asking the right questions around cyber security?
It was suggested that an Enterprise Risk Management (ERM) baseline assessment drives prioritization and next steps. As there are many new attackers out there, they recommended that if your employees see something, to be safe, they should say something. Machine learning and AI can also help identify some of the “bad actors” out there, but there is a lot more to be done.
Another question from the audience was, “What are bad guys looking for and what do they do with it?” The answer was, “pretty much anything that can be sold, for example credit card and security card number or intellectual property.” A specific example of the challenge of securing intellectual property was when Ford unveiled its new truck in China in 2015. A few blocks away and on the same day, China unveiled the exact same truck down to the bolt. I commented that my recent conversations with innovation directors in China confirmed that there is no expectation of protecting IP in China and that the advantage is to create the best business model.
And while it can sound downright scary and depressing, as there is no bigger issue in IT than this, there is hope. There are new technologies. One in particular, blockchain, was mentioned as encouraging tech. Also, the panel was asked who was winning the war and beating cyber crime. It was noted that Israel was the epicenter of cyber security and a leader in cyber security innovation.
I recommended that one proactive approach organizations could take to reduce risk and also manage customer relationships would be to closely review their business contracts for their obligations and customer expectations. Those with small businesses also asked what the budget might be for cyber security for them. The recommendation was to invest in a day to have someone come in and do an assessment.
This brought up the topic of insurance. JD Harris shared that most companies have cyber insurance. However, in his experience, zero have collected. He was clear that it is not that the insurance was bad, in fact he finds it quite reasonable, but that there are many caveats and companies must read their policies. He stressed that it is essential that companies understand and meet their obligations and not use cyber security insurance as their cyber security plan.
Even with the best precautions in place, the panel shared several examples of being involved in cyber security recovery missions. The timing to fix was typically not in days or weeks but in months or years. The question was tossed out for owners or board members to consider, “How fast can you get your hands on $3-$5m to fix the recovery?”
Another panelist stated that, “you can’t outsource liability.”