Want to improve risk management? Do the basics

It may be impossible to stop an intrusion by a determined, sophisticated adversary, but basic security hygiene can deter most of the rest, agreed a panel at a Boston College cybersecurity conference this week

Most organizations could eliminate more than 75 percent of their risk of cyber intrusions if they just did the online version of locking their doors and windows.

That was one of the main takeaways from a panel discussion on cyber risks at Wednesday’s 2017 Boston Conference on Cyber Security, cosponsored by the FBI and Boston College’s Woods College of Advancing Studies.

The session, titled “Are You Managing Your Cyber Risks? Challenges from the Legal and CISO Perspectives,” was moderated by Cynthia J. Larose, partner and chair of the Privacy & Security Practice at the Mintz Levin law firm, and featured panelists from multiple industry sectors, education and government.

And there was general agreement that while there is much greater awareness of cyber risks in the workplace, the combined challenges of complex technology and human weakness means that far too many organizations still amount to “low-hanging fruit” for attackers.

E.J. Yerzak, a partner at Ascendant Compliance Management, who works with firms in the financial sector including investment advisers, said he regularly encounters firms that are “behind the curve.”

“They have nothing in writing when it comes to cybersecurity policies and plans,” he said. “That’s a big problem, because there’s a disconnect between what the C suite thinks is happening and what is actually happening.”

He said the CEO at one firm confidently told him his firm was not using cloud services at all. “But I talked to other departments, and they were using just about all the cloud-based services on the planet – Dropbox and everything else,” he said.

Sara Cable, an assistant Massachusetts attorney general who works in consumer protection, called that story “mind-blowing,” and said it would not only likely violate Massachusetts law, but was also profoundly lacking in business sense.

“Our tolerance for ignorance of the law is rapidly declining,” she said, “but we’re also talking about business assets. A lot of attacks aren’t sophisticated – it’s easy to prevent them. It’s like people pushing on doors to see which ones are unlocked, and they are finding a lot of wide open doors.”

Lorna Koppel, director of information security and CISO at Tufts University, said the most intractable problem for her is the human element, in part because there are different constituencies – students, administration, staff and faculty – all with different priorities and levels of awareness.

“Many of them don’t understand the risks,” she said. “They think, ‘nobody cares about my email.’ People want to do the right thing, but the challenge is getting them there.”

Yerzak said that kind of human weakness is responsible for most of the insider threats he sees – from “well-intentioned” employees who may work after hours and are “trying to help” attackers posing as customers with urgent requests.

“They click a link, open an attachment and malware gets on the system,” he said. “We’re seeing the rampant spread of ransomware. All the controls, policies and procedures can’t overcome the human factor.”

Cable wondered “why we can’t build in little pauses – something that pops up and asks if you’re sure you want to click on this.” Or why top management couldn’t regularly send out policy statements along the lines of, “I will never email and ask for X information.”

“There are simple little tricks that could help,” she said.

Larose suggested that “more regular reminders instead of the annual security awareness training session” would keep employees more aware of, and focused on, security.

Cable said in her view, the most important thing for enterprises is not to let fear of sophisticated attacks paralyze them. “Sophisticated attacks are very rare,” she said. “The accidental are much more common, and all preventable if you take a moment as an enterprise to do things like see what sensitive information you have, where it is, where’s it moving, and then take steps to protect it.

“The law requires reasonable efforts, not perfection,” she said. “And that’s possible. I think we should empower people by not making it too complicated.”
