Cybersecurity challenges: A Q&A with cybersecurity leaders

Mike Del Giudice: Cybersecurity has been a top risk in the public sector for a long time. The biggest change over the past four or five years has been the emergence of ransomware. That type of activity has proliferated significantly because threat actors can now automate and monetize attacks and because ransomware as a service is available on the dark web. Ransomware attacks are continually evolving, and many attackers now attempt to exfiltrate and hold data for ransom – not just network access. Looking to the future, security specialists have concerns that attackers could expand ransomware targets to include industrial systems, such as utilities, water treatment plants, and power distribution centers. As threat actors figure out how to weaponize vulnerabilities against industrial systems, it will be a new ballgame for some public sector organizations. Given the continued challenges with recruiting and retaining cybersecurity talent, public sector organizations are having trouble keeping up with these evolving threats.

Dave McKnight: It’s the same thing in banking, which experiences a perpetual shortage of talent that understands those risks and how to manage them. Since the COVID-19 pandemic, many businesses have been focused on resilience, building a layered security program to mitigate the impact and likelihood of cybersecurity risks. Organizations now see that cyber resilience not only includes their own operations but also their third-party risk and exposure, which can affect their data and their customers’ data.

Chris Wilkinson: Because ransomware has become so lucrative, criminals treat ransomware as a business. Attackers are not just targeting credit card data or personally identifiable information (PII) but any data of value. Protecting intellectual property against ransomware is critical. Ransomware attacks do not just happen to large organizations. We all hear about the high-profile data breaches that have happened over the years, but more often than not, smaller to midsized clients experience breaches because they’re not as sophisticated. Such organizations typically are more vulnerable to ransomware attacks because they do not have large internal IT security teams or complex security controls, and obtaining resources is difficult.

Dave McKnight: We find that smaller companies have some controls, but those controls are often rudimentary. That’s why it’s imperative that they prepare for security events even when they don’t have the latest security tools. Organizations – no matter the size – can take proactive steps by establishing solid security awareness training, formal communications plans, and procedures for responding to ransomware threats.

Michael Lucas: Over the years, we have helped our clients implement security controls protecting intellectual property, financial data, and PII. However, we have seen the attack surface grow. Hackers are focused not just on the corporate assets but also on the products the clients sell. For example, organizations that offer or use medical devices or applications that support medicine dosage now need to take specific steps to increase medical device security. They also need to consider security during the development and management of these technologies.

Chris Wilkinson: In the past couple of years, we’ve seen AI used on the defensive control front with the ability to aggregate and correlate log activities from a variety of systems to make sense of what is happening in a network. AI has done a tremendous job of increasing visibility and awareness of network activity and improving organizational detection and response programs.

Mike Del Giudice: I’ve seen clients use AI tools for things like pen testing and more automated and advanced vulnerability scanning. There are a lot of platforms out there. AI can automate some things, but I don’t necessarily think it will replace what a person can do. What often provides the best outcome is to work collaboratively by using AI and manual pen testing side by side rather than just one or the other.

Dave McKnight: I think AI creates a new risk for companies that might rely too heavily on automation without having the capability to troubleshoot problems manually. There’s also some snake oil in the space, as many tools claim they use AI even when the AI might be very basic. Automated tools can detect abnormalities and conduct vulnerability scans to see if something needs to be tested further, but they’re not a replacement for individual expertise yet. Additionally, AI has also become an enabler for criminals. Threat actors can write better malicious code that doesn’t get caught by filters. Through the power of different AI and machine learning techniques, attackers can use AI to support new attack techniques. It’s definitely an accelerant for cybercrime.

Dave McKnight: Human error will always be a factor, and in the financial services sector, the key is knowing that eventually something will happen and putting mitigating controls in place. At some point, someone will click on a link or accidentally email data somewhere. While it’s important to focus on preventing employees from falling victim to phishing or other scams, we also want to minimize the impact when it happens. Organizations need to build a layered security model and focus on faster response when an incident occurs.

Chris Wilkinson: We have been conducting phishing testing for our clients for 20 years now. Anytime we have had a client that had a lower click rate on phishing messages, the reason was because of culture. Resilient organizations build a culture that educates employees to look for suspicious messages. They also assure employees that it’s okay to speak up when something doesn’t look right or to come forward when they might have clicked on something they shouldn’t have. Many organizations now internally test employees, rewarding positive responses with mentions in the company newsletter or gift cards.

Mike Del Giudice: At some point, someone’s going to do the wrong thing – not maliciously, but accidentally. It’s important to have a layered model to minimize the impact of security events. That’s why zero-trust models and multifactor endpoint protection are becoming more prevalent. We work with our clients to figure out what the sweet spot is with technology and training to reduce the likelihood of a security event and minimize the impact when a security event does occur.

Dave McKnight: I agree. It’s important for companies to identify what works best for them, including what might be the right mix of controls, training, awareness building, testing, and monitoring.

Mike Del Giudice: Yes, and many need to be replaced. Too many public sector organizations have legacy technologies they won’t update because it has – so far – worked for them. But over the years, a hodgepodge of outdated technologies has created an unsupported, insecure environment. The public sector seems to be a little more antiquated and a little less prepared than what we see in other industries. But because of the emerging risks, such as the proliferation of ransomware and the criticality of the services public sector organizations provide to our citizens, I think we’re going to see more attention paid to replacing some of these outdated technologies out of necessity. It’s not an overnight thing, though. Updating systems involves years and years of work and probably multiple administrations agreeing that these improvements are important enough to provide the right resources.

Dave McKnight: It’s the same for the financial services industry, which includes many outdated systems that have to be protected or isolated to mitigate risk. Another issue is an overreliance on using only passwords for accessing legacy technology. We are starting to see multifactor authentication required by new regulations, especially in banking, and the National Institute of Standards and Technology is revising some of its password guidance to consider authentication mechanisms that protect against the latest threats.

As cybersecurity leaders, how are you helping clients in this environment?

Michael Lucas: We’ve been helping our clients with some of the nontechnical aspects of cybersecurity, such as building and implementing cybersecurity frameworks, reporting, and gaining support of organizational leadership by painting the true picture of a company’s cyber risk and exposure. Organizations should complement their technical capabilities with strong reporting and communication, set the risk tone at the top, and help secure resources necessary to manage risks.

Dave McKnight: To drive that point home, leveraging cybersecurity frameworks to identify a company’s capabilities and gaps is really valuable. Such frameworks allow organizations to define corrective measures, whether it’s buying a new tool or obtaining more insurance. It’s imperative that organizations – especially those that aspire to be high functioning – can respond quickly and effectively to cybersecurity risks. This ability often comes down to proactively evaluating risks and capabilities and helping define where the organization invests its resources.

Confronting cybersecurity challenges head on

As criminals continually exploit new vulnerabilities, organizations and cybersecurity leaders across industries need to design a cyber resilient program, stay abreast of emerging regulations, and remain vigilant in responding to threat actors’ new attack strategies. By confronting cybersecurity challenges head on, organizations can design a layered security model to foster a strong cybersecurity culture to proactively prepare for the latest risks and threats.