Our panel discusses the biggest trends in cybersecurity, and what organizations and individuals can do to protect their data.
Chief Information Security Officer, Chipotle
What is the biggest challenge facing cybersecurity today and what advice would you provide to businesses struggling with it now?
The biggest challenge is the lack of available talent in the workforce. According to Microsoft, nearly 1 in 3 cybersecurity jobs in the United States is open, and more than 1 out of every 20 jobs require cybersecurity skills. To address the problem, security leaders should:
- Review hiring practices. Redefine what the term “qualified” means before seeking candidates. If a formal degree is desirable, ensure the scope is not too narrow (e.g., computer science only). I have found that alternative programs build the necessary skills to be effective. Economics, for example, trains individuals in pattern recognition that effectively translates to security operations and threat hunting.
- Recruit internal employees. The best talent is often already in your organization.
- Establish a mentoring program. Let people inside and outside your organization know you are interested and willing to grow motivated individuals into a role.
Which cybersecurity technology trends have you seen make the biggest impact in terms of improving data security in the last year?
Two trends of note over the last year are the increased utilization of and reliance on multi-factor authentication, and the increased attention and investment in API security.
What long-term changes do you foresee the ongoing pandemic having on cybersecurity?
Zero Trust principles will become a foundational element for cybersecurity programs, regardless of industry vertical.
What are some rudimentary security steps you can implement for any data you’re collecting from clients?
- Know where your data lives. Understand how and when you collect, transmit, store, and dispose of information.
- Protect the data you control. Define and identify the critical controls you employ for access and modification to these information assets.
- Develop a cyber third-party risk management program. For information that is shared and is outside of your direct control, ensure appropriate contractual language exists, is enforceable, and you have a monitoring program in place to identify material issues within their security posture.
Cyber threats are constantly changing. How is cybersecurity innovation able to keep pace?
While innovative solutions exist, the challenge companies face is there are so many alternatives to evaluate, and it takes considerable time to research, select, deploy, and then operationalize a capability.
What should business owners prioritize to build a culture of resilience within their company?
There are five activities to build cyber resilience, with the fifth being a direct result of the pandemic:
- Develop a comprehensive response plan. Take the approach that a cyber incident is not a matter of “if” but rather “when,” and ensure stakeholders and critical resources understand the collective response when an incident occurs.
- Build a cybersecurity roadmap. An organization must understand cybersecurity is a journey, not a destination. Cyber resilience relies on a program that continually seeks to improve and demonstrates an ability to adapt to change.
- Build detection, prevention, and response capabilities. The ability to identify malicious signals and proactively react is key.
- User awareness and education. Train your workforce to identify and respond to emerging threats — many attacks target employees.
- Secure remote work enablement. For many organizations, the pandemic fundamentally changed the way they work. As a result of rapid adoption, the potential for minimal and/or follow-on associated security controls increased. Now is the time to address any limitations as remote work becomes a mainstay.
How can cybersecurity teams ensure compliance that all cybersecurity software is active and running on all endpoints?
First, minimize the number of agents running on the endpoints. Recognizing that this may be a future state for most entities, placing critical corporate services behind a service edge is a potential initial step. This security service edge can interrogate the requesting endpoint for key services before determining the acceptable access method, if any.
Bob Carver, CISM, CISSP, MS
Manager of Network Security, Principal Network & Information Security, Verizon
What is the biggest challenge facing cybersecurity today and what advice would you give to businesses struggling with it now?
The biggest challenge facing cybersecurity today is that a decent cybersecurity risk management plan for one business may be next to worthless for another business. If it could only be as easy as reading a book or implementing a recipe of security controls where everyone could be secure. Unfortunately, it isn’t that easy.
You may need to hire someone like a virtual CISO (a part-time security expert) to come up with a plan to address your specific needs. Other businesses that may be larger may need to contract with an MSSP (management security service provider) to monitor security and provide incident response 24/7 in case of a breach or ransomware incident.
Developing a cybersecurity risk management program for companies is like making a custom suit or tailored dress; one size does not fit all.
Many factors need to be addressed according to the specific needs, risk tolerance, and budget availability of the business. There is also no “one-and-done” in risk management. It is a continual process of re-evaluating and updating your program accordingly.
Which cybersecurity technology trends have you seen make the biggest impact in improving data security in the past year?
From a basic level, implementing a secure, two-factor (2FA) or multi-factor (MFA) authentication to all systems that are considered critical. I would exclude SMS or text messaging as secure. This includes utilizing 2FA for remote work in connecting to company VPN systems. Cyber insurance companies are already starting to look for this from their insured parties.
If you don’t have this implemented on VPNs and critical systems, you will eventually see higher insurance rates and, at some point in the future, complete denial of claims if you fail to have this in place on systems that end up being compromised.
What long-term changes do you foresee the pandemic having on cybersecurity?
For the longest time, many thought we were protected if we had a good firewall, had anti-virus on our endpoints, and kept all our assets behind that firewall perimeter. Unfortunately, times have changed.
The trend of moving to the cloud has accelerated to all-time highs. This is in part due to the pandemic restricting the movement of “hands-on” personnel configuring new data center hardware in person. This has continued to expand the attack surface, moving the perimeter that needs to be defended further out and increasing the number of potentially vulnerable interfaces that can be compromised.
The pandemic has changed the attack surface where more people are doing remote or hybrid work, making it necessary to protect networks and company computers in remote environments.
Whether it’s behind consumer-grade equipment in the home or in a public network, such as a coffee shop or hotel, cyber risk needs to be addressed at every interface and juncture in your network, including:
- Endpoints/computers that may reside anywhere in the world
- Cloud connectivity for operational systems and SaaS (Software as a Service) subscriptions
- IoT peripherals that may be attached to various networks
- Vendors and supply chain that we have various full- or part-time connections or exposure to (e.g., Kaseya, SolarWinds and beyond)
The sophistication of hackers is requiring all businesses to up their game. If you are utilizing much of the same security you were using three to five years ago, you are most likely being outgunned by your adversaries.
Endpoint security needs to continue to evolve to the next level, and many should look at XDR (extended detection and response) offerings since detection may be seen from changes on the endpoints, as well as data flows going to and from those computers.
In addition, many companies will only be as secure as their entire supply chain that is integral to their business. This expertise will become a specialty of some cyber professionals, just as attorneys and doctors specialize in certain types of practice.
Cyber threats are constantly changing. How is cybersecurity innovation able to keep pace?
Your CISO, security leader, or MSSP will need to keep up with changes in cyber threats by reading journals, participating and listening to expert discussions, attending conferences, and networking with professionals that deal with cyber threats on a daily basis.
You should also choose vendors that are keeping abreast of the various threats. Some will subscribe to threat intelligence services that can be read, but also where millions of cyber threat data points can be ingested into a SIEM (security information event management system) and correlated against activity in your own networks.
What is the best practice for dealing with ransomware?
Dealing with ransomware requires a multi-pronged approach. There is no silver bullet to solve this current cybercriminal threat.
Email is the number one vector for compromises in most enterprises. Malicious links, attachments and phishing make email security a top priority for most organizations. DMARC and DKIM testing of attachments and links for malware and ransomware are requirements. Many may need more than one layer of email protection services beyond DMARC and DKIM to be effective.
Many organizations should look at implementing endpoint security with a greater sophistication than they have utilized in the past. This is not a place to be penny-wise and pound-foolish. It literally may end up costing you millions of dollars.
Many of the latest offerings in endpoint security will have XDR and machine learning. Don’t just look for marketing terms displayed on their websites — find those that can verify their effectiveness by talking to their clients.
Backups, cyber resilience, data continuity, and disaster recovery. You need multiple backups on- and off-site, and they need to be tested annually (if not quarterly) following a repeatable written process for verification to completely restore key systems from those backups.
Don’t forget your Linux systems. They are now the second-most popular operating system to be compromised with ransomware.
Encrypting your computers may now be the least of your problems when it comes to ransomware. Cybercriminals are now exfiltrating proprietary company data, employee data, emails, proprietary formulas and intellectual property that may be held for ransom. Encrypting data at rest and in motion may be necessary for protecting data that could end up being exfiltrated by criminals.
Why is understanding the risk of phishing so important? What are the best practices for employee education when it comes to phishing?
According to Proofpoint’s annual report “The State of the Phish”:
- 96 percent of phishing attacks come from email
- 61 percent of companies deal with phishing attacks from their social media channels
- 65 percent of targeted attacks focused on spear phishing, aimed at stealing the credentials of top executives
- 3 percent of phishing attacks occur through fake websites
In these cyberattacks, the user is often the weakest link. Therefore, regular training at least one to four times a year is recommended. This should be implemented so users are less likely to fall for the traps laid by cybercriminals.
We can now expand phishing to threats not only from emails, but text messages, voice messages, social media, websites, and telephone calls. Deepfakes of all types can be utilized in all threat vectors, and are becoming so sophisticated that it may require investigation by seasoned security professionals to not be fooled.
It is also considered best practice to give employees and contractors a specific email or portal to report suspicious phishing or other potential malicious activities.
Every new employee that has been onboarded to an organization should first have a basic overview on how to securely log into their computer and necessary systems. There should be a review of security policies. Their initial security education should also address phishing and related social engineering cyberattacks.
The important thing is to help the new employee understand that phishing and social engineering attacks can come not only from email, but also from voicemail, social media websites, and deep fakes (digitally manipulated media of all types), which can be utilized to manipulate an employee to do things that can be damaging to a company, even if activation comes from simply clicking on a malicious link or attachment.