Cybersecurity is an ever-present threat, and Shark Tank investor and CEO of Herjavec Group Robert Herjavec can’t stress the importance of protecting your crown jewels enough.
Phishing emails are the most common way that hackers can gain access to your company’s network. It’s unlikely that the Prince of Nigeria is messaging you to give you part of his fortune or your CEO messages you out of the blue asking you to download a file. Every member of your organization must be trained on what to look out for because your people really are the weakest link.
Some quick tips are:
- Be aware of who the email is coming from — is the “reply to” email different from the sender’s email?
- Does the message seem odd or out of context?
- Is there poor grammar and punctuation?
- Are there any attachments, and are there any links? Either way, don’t open attachments or click on any links if you’re unsure. Send it off to your IT team promptly. Always proceed with caution.
My team and I get phishing emails daily, and it’s scary stuff. This is why we have certain protocols in place to mitigate the risks associated with phishing scams. We also use external email monitoring to indicate when a communication is external even if it’s coming from a name you may recognize as a colleague. At the end of the day, the onus is on the company to train its employees. We do seminars, web sessions, and social engineering tests across our team. We are sure to share the results so our team learns what the gaps are — and we all get better.
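The header checks from the tips above and the external-mail tagging described in this answer, as an added Python example that is not Herjavec Group's tooling; the company domain, the staff directory and the message itself are constructed for the demonstration.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample (not a real message): a colleague's display name on an
# outside address, with a Reply-To pointing somewhere else entirely.
SAMPLE_EMAIL = """\
From: Jane Doe <jane.doe@mail-example.net>
Reply-To: accounts@collect-example.org
To: bob@corp-example.com
Subject: Urgent: please download the attached invoice

Hi Bob, please open the attachment and confirm today.
"""

# Assumed company domain and a toy staff directory (display name -> address).
INTERNAL_DOMAINS = {"corp-example.com"}
DIRECTORY = {"jane doe": "jane.doe@corp-example.com"}

def domain_of(addr):
    """Lower-cased domain part of an address, '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def check_headers(raw):
    """Return the list of phishing indicators found in the message headers."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, sender = parseaddr(str(msg.get("From", "")))
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    findings = []
    # Tip 1: does the "reply to" address differ from the sender's address?
    if reply_to and domain_of(reply_to) != domain_of(sender):
        findings.append("reply-to-mismatch")
    # External monitoring: flag mail from outside the company's domains ...
    if domain_of(sender) not in INTERNAL_DOMAINS:
        findings.append("external-sender")
        # ... even when the display name is one you recognise as a colleague.
        known = DIRECTORY.get(name.strip().lower())
        if known and known.lower() != sender.lower():
            findings.append("display-name-impersonation")
    return findings

def tag_subject(raw):
    """Prefix the subject with [EXTERNAL] when the mail comes from outside."""
    msg = email.message_from_string(raw, policy=policy.default)
    subject = str(msg.get("Subject", ""))
    if "external-sender" in check_headers(raw):
        return "[EXTERNAL] " + subject
    return subject
```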
How can businesses ensure that employees who bring their own device don’t compromise sensitive data/information by doing so?
The world is changing. Employees want to be able to use their own devices at work and companies want to ensure that their employees have the necessary tools in place for them to do their job. So, it’s important for organizations to have a device management policy and a set of tools to help manage both corporate assets and employee personal assets. You have to take a data-centric view of security, not a device-centric view of security.
If an employee leaves, or if an adversary gets a hold of a device, can your IT team provision the data on the device? Businesses need to be very focused on controlling the data by answering some key questions: Who has access to what? Why do they have access to it? What can they do with it? Can we easily remove this data?
Ensuring remote access to wipe or contain a device is critical.
What are the major benefits of using Privileged Access Management (PAM) solutions for a business?
Here’s the thing — almost all security breaches by outside attackers (versus insider threat) involve a form of escalating access management. Hackers get in through a back channel, find the vulnerability that allows them to escalate their privilege into your network, and then start moving their way laterally through the organization until they find something specific about you. That’s how it almost always works.
We need to prevent this chain of events from happening. A hacker might be able to “upgrade” a normal user role to a system administrator, but without a PAM capability, they will not be able to gain access to the actual data — or the “crown jewels”. Having the ability to prevent this chain of events is why a PAM solution is critical.
The future of critical security controls will all be centred around Identity. Think about it: We don’t keep data in our own little network anymore. Data is everywhere, and in order to protect the data, we need to be able to map out PAM policies and the tool deployment to support them. A strong identity practice is the foundation of security control.
What digital security risks are small- or medium-sized businesses more at risk for than their larger counterparts?
First of all, cyber threats don’t discriminate based on the size of a business. However, what does differ is the organization’s ability to respond to the threat. It’s much harder for small/medium-sized businesses to prevent, detect, and respond to a cyber attack. Just like in the physical world, the enemy will typically go after the softest target first. This is in part because small/medium-sized businesses generally don’t have the sophisticated technologies that enterprise businesses have. Look at ransomware: We have seen attacks in smaller individual hospitals across the nation that have disrupted hospital operations. It all comes down to response: how is a small/medium-sized business responding to threats, and, more importantly, how much are they preparing for a possible threat? Can they keep up with compliance requirements? Hire staff? Engage experts? Smaller organizations often think they’re immune to cyber attacks because there are bigger fish to fry, but they couldn’t be more wrong. Small/medium-sized businesses need to cover the basics in terms of security control, and engage a partner suited to their size and maturity to help outsource the coverage.
How can small businesses using cloud computing solutions ensure their data is secure?
One of my colleagues always says when using cloud solutions, you need to BYOC – Bring Your Own Controls. It’s important to know that the cloud is just someone else’s computer and that you are still responsible for securing your own data. Full stop.
No matter the size of business, you need to make sure that your security defences are in place. Moving to the cloud does not eliminate the need for good security practices.
What is the most important first step when you realize your computer has been infected with ransomware?
The most important step happens way before an infection happens. Making sure you have the necessary tools in place to get back to normal operations is the most critical action — starting with having good backups of your critical assets and having an incident response and remediation partner on retainer.
That being said, when you realize your computer has been infected with ransomware, the first step should be to immediately segregate that device from the rest of the corporate network so the infection doesn’t spread. Next step is to call your incident response partner so they can jumpstart the remediation process.
The risk of a business being shut down in operations as a result of a ransomware attack is very high, especially for a small business, and even more so if you don’t have the necessary backups. Without a backup program in place, it could be difficult to get back to normal operations.
What are the biggest trends in digital identity right now?
PAM for sure, but there is also a move towards two really interesting concepts: no passwords and zero-trust.
No passwords is the concept of identity authentication using biometrics or multi-factor authentication.
Let’s break it down into three types of security measures:
- Something that you know, like a password,
- Something that you have, like a phone, or
- Something that you are, like a fingerprint or facial recognition — most commonly referred to as your biometrics.
Passwords can easily be compromised through sheer guesswork alone, but it can be much harder to steal a phone or crack through biometric security. Although there will always be a way to hack into an account, moving towards a no-password philosophy is a great starting point for securing digital identities.
We are also moving in the direction of organizations using zero-trust policies. Traditionally, organizations assumed that everything “inside” the network — including employees — can be trusted implicitly. So, if a cyber incident occurs, organizations only consider external threats, not internal. However, with the increasing rise of malicious insider threats, organizations can’t just implicitly trust the internal assets. By establishing zero-trust policies, organizations adopt a “never trust, always verify” nature so both external and internal threats are scrutinized. This works hand-in-hand with PAM solutions because a big part of PAM is that for any particular data asset, only employees that require access are able to do so.
What are the major ways in which you’ve seen digital security evolve throughout your career as a businessman? In this constantly evolving digital landscape, how can businesses ensure they are keeping up to date with their own digital security?
We’re consistently seeing that security decisions are no longer being driven solely by the IT team. Oftentimes, we are seeing business stakeholders, like board members and the C-suite, driving these security decisions. They realize how cybersecurity can impact everyone in the organization, so the accountability is on everyone, not just the IT team. This is why it’s always important to review your technology stack and see how it aligns with and supports all functions of the business.
Secondly, identity as a service has become a hot topic for enterprises. This means extending identity management outside of the office walls by enabling employees to seamlessly use one identity to gain access to everything the company does, such as a single sign-on for your company CRM, HR platform, file share service, etc. That not only improves efficiency in provisioning but helps the employee by simplifying their access experience.
Are there any industry blind spots people need to be directing their attention to?
IoT is still a big blind spot and the manufacturers are trying to catch up. We are used to thinking of IoT devices on a much smaller scale, such as home security systems, smart thermostats, or smart appliances. However, we need to think bigger. Consider all the small machines that are connected to a network as part of a big control system — like a power grid. If a threat actor can access any part of that network, they can essentially bring the whole control system down. We’ve already seen this happen a few times in the past and I have no doubt that we will continue to see cyber criminals target organizations that are a part of a nation’s critical infrastructure if these organizations don’t catch up.
Given your expertise in this space, what is the greatest piece of advice you have for a CEO looking to secure his/her company assets?
Focus on the data and understand that it’s not an infrastructure issue, but a data protection issue. CEOs and their security leaders need to align on what the company’s crown jewels are and then determine the best way to protect them. It’s shocking to me that many organizations still don’t know what their crown jewels are.
Often there is a disconnect between the security team and the organization’s overall business function. The most important thing a CEO can do is to ask their security leader some really simple questions:
- What are the crown jewels for the company?
- How are we protecting them?
- What would the impact be to the company if they were compromised?
- What is the company’s business strategy?
The last question is the most important because if the security leader does not know what the business strategy is then they can’t integrate their security plan with the overall business strategy to be successful. As a security practitioner, you have an obligation to the organization to connect the dots between each critical question and make sure it always leads back to protecting the crown jewels.