Cybersecurity challenges: A Q&A with cybersecurity leaders

10/16/2023

October is Cybersecurity Awareness Month, sponsored by the Cybersecurity and Infrastructure Security Agency and the National Cybersecurity Alliance. In this Q&A, Crowe cybersecurity leaders offer industry-specific insights on the cybersecurity challenges they see in their work with clients.

Because new cybersecurity challenges emerge every day, it’s imperative to stay ahead of threats.

Cybersecurity awareness involves everyone, from individuals to organizations. Securing our world requires an effective strategy, organizational awareness, and diligence. For organizations large and small, the myriad considerations can be overwhelming.

Crowe offers cybersecurity services in several industries, including healthcare, financial services, technology, life sciences, and the public sector. In this Q&A, several Crowe cybersecurity leaders – Mike Del Giudice in public sector, Michael Lucas in life sciences, Dave McKnight in financial services, and Chris Wilkinson in technology, media, and telecommunications – share their unique perspectives on the cybersecurity challenges organizations face.


What kinds of cybersecurity challenges and threats do you see in your industries today?

Mike Del Giudice: Cybersecurity has been a top risk in the public sector for a long time. The biggest change over the past four or five years has been the emergence of ransomware. That type of activity has proliferated significantly because threat actors can now automate and monetize attacks and because ransomware as a service is available on the dark web. Ransomware attacks are continually evolving, and many attackers now attempt to exfiltrate and hold data for ransom – not just network access. Looking to the future, security specialists have concerns that attackers could expand ransomware targets to include industrial systems, such as utilities, water treatment plants, and power distribution centers. As threat actors figure out how to weaponize vulnerabilities against industrial systems, it will be a new ballgame for some public sector organizations. Given the continued challenges with recruiting and retaining cybersecurity talent, public sector organizations are having trouble keeping up with these evolving threats.

Dave McKnight: It’s the same thing in banking, which experiences a perpetual shortage of talent that understands those risks and how to manage them. Since the COVID-19 pandemic, many businesses have been focused on resilience, building a layered security program to mitigate the impact and likelihood of cybersecurity risks. Organizations now see that cyber resilience not only includes their own operations but also their third-party risk and exposure, which can affect their data and their customers’ data.

Chris Wilkinson: Because ransomware has become so lucrative, criminals treat ransomware as a business. Attackers are not just targeting credit card data or personally identifiable information (PII) but any data of value. Protecting intellectual property against ransomware is critical. Ransomware attacks do not just happen to large organizations. We all hear about the high-profile data breaches that have happened over the years, but more often than not, smaller to midsized clients experience breaches because they’re not as sophisticated. Such organizations typically are more vulnerable to ransomware attacks because they do not have large internal IT security teams or complex security controls, and obtaining resources is difficult.

Dave McKnight: We find that smaller companies have some controls, but those controls are often rudimentary. That’s why it’s imperative that they prepare for security events even when they don’t have the latest security tools. Organizations – no matter the size – can take proactive steps by establishing solid security awareness training, formal communications plans, and procedures for responding to ransomware threats.

Michael Lucas: Over the years, we have helped our clients implement security controls protecting intellectual property, financial data, and PII. However, we have seen the attack surface grow. Hackers are focused not just on the corporate assets but also on the products the clients sell. For example, organizations that offer or use medical devices or applications that support medicine dosage now need to take specific steps to increase medical device security. They also need to consider security during the development and management of these technologies.

“We work with our clients to figure out what the sweet spot is with technology and training to reduce the likelihood of a security event and minimize the impact when a security event does occur.”
Mike Del Giudice, Principal, Public Sector Consulting

Since COVID-19, many organizations have moved more operations and applications to the cloud. What security considerations should organizations take when using cloud-based solutions? 

Michael Lucas: Whether in the cloud or on premises, the risks are similar. The biggest similarity is the way organizations have to approach managing the risks and protecting their data. When using cloud solutions, organizations need to harden system configurations and perform vulnerability scanning to make sure their systems are protected from the latest threats. If organizations don’t have expertise in securing cloud technologies, they should consider engaging third parties to review the security configuration of their cloud deployment.

Dave McKnight: The scale at which cloud technology has been adopted has made security risks much more pervasive across organizations. In the banking space, operational areas are often siloed. Because it’s so easy for anyone to spin up a cloud, many cloud environments are deployed without IT team knowledge, which can lead to cloud deployments that are not properly secured.

Chris Wilkinson: Our clients face a similar challenge. Younger, technologically advanced employees procure their own cloud resources and software as a service applications, in essence setting up shadow IT. That’s a big problem because a company can’t secure what it doesn’t know about. Regardless, most companies now use the cloud in some way. While major cloud providers have some built-in security, a different skill set is required to manage and administer those systems.

Mike Del Giudice: The cloud is a great resource, and everyone should consider it because of the advantages it can provide. However, using cloud solutions does not eliminate an organization’s responsibility for managing cybersecurity risks. Organizations need to make sure their cloud environments are configured properly. Resources are available to support proper configuration, including online checklists such as the Center for Internet Security configuration hardening guide.

“Organizations should complement their technical capabilities with strong reporting and communication, set the risk tone at the top, and help secure resources necessary to manage risks.”
Michael Lucas, Principal, Life Sciences Consulting

How might artificial intelligence (AI) and AI-based solutions affect the cybersecurity industry in the coming years? 

Chris Wilkinson: In the past couple of years, we’ve seen AI used on the defensive control front with the ability to aggregate and correlate log activities from a variety of systems to make sense of what is happening in a network. AI has done a tremendous job of increasing visibility and awareness of network activity and improving organizational detection and response programs.

Mike Del Giudice: I’ve seen clients use AI tools for things like pen testing and more automated and advanced vulnerability scanning. There are a lot of platforms out there. AI can automate some things, but I don’t necessarily think it will replace what a person can do. What often provides the best outcome is to work collaboratively by using AI and manual pen testing side by side rather than just one or the other.

Dave McKnight: I think AI creates a new risk for companies that might rely too heavily on automation without having the capability to troubleshoot problems manually. There’s also some snake oil in the space, as many tools claim they use AI even when the AI might be very basic. Automated tools can detect abnormalities and conduct vulnerability scans to see if something needs to be tested further, but they’re not a replacement for individual expertise yet. Additionally, AI has also become an enabler for criminals. Threat actors can write better malicious code that doesn’t get caught by filters. Through the power of different AI and machine learning techniques, attackers can use AI to support new attack techniques. It’s definitely an accelerant for cybercrime.

“It’s important for companies to identify what works best for them, including what might be the right mix of controls, training, awareness building, testing, and monitoring.”
Dave McKnight, Principal, Financial Services Consulting

How critical is cybersecurity awareness and training?

Dave McKnight: Human error will always be a factor, and in the financial services sector, the key is knowing that eventually something will happen and putting mitigating controls in place. At some point, someone will click on a link or accidentally email data somewhere. While it’s important to focus on preventing employees from falling victim to phishing or other scams, we also want to minimize the impact when it happens. Organizations need to build a layered security model and focus on faster response when an incident occurs.

Chris Wilkinson: We have been conducting phishing testing for our clients for 20 years now. Anytime we have had a client that had a lower click rate on phishing messages, the reason was culture. Resilient organizations build a culture that educates employees to look for suspicious messages. They also assure employees that it’s okay to speak up when something doesn’t look right or to come forward when they might have clicked on something they shouldn’t have. Many organizations now internally test employees, rewarding positive responses with mentions in the company newsletter or gift cards.

Mike Del Giudice: At some point, someone’s going to do the wrong thing – not maliciously, but accidentally. It’s important to have a layered model to minimize the impact of security events. That’s why zero-trust models and multifactor endpoint protection are becoming more prevalent. We work with our clients to figure out what the sweet spot is with technology and training to reduce the likelihood of a security event and minimize the impact when a security event does occur.

Dave McKnight: I agree. It’s important for companies to identify what works best for them, including what might be the right mix of controls, training, awareness building, testing, and monitoring.

“AI has done a tremendous job of increasing visibility and awareness of network activity and improving organization detection and response programs.”
Chris Wilkinson, Principal, Technology, Media, and Telecommunications Consulting

Many companies still rely on legacy technologies. Do legacy technologies increase risk? 

Mike Del Giudice: Yes, and many need to be replaced. Too many public sector organizations have legacy technologies they won’t update because they have – so far – worked for them. But over the years, a hodgepodge of outdated technologies has created an unsupported, insecure environment. The public sector seems to be a little more antiquated and a little less prepared than what we see in other industries. But because of the emerging risks, such as the proliferation of ransomware and the criticality of the services public sector organizations provide to our citizens, I think we’re going to see more attention paid to replacing some of these outdated technologies out of necessity. It’s not an overnight thing, though. Updating systems involves years and years of work and probably multiple administrations agreeing that these improvements are important enough to provide the right resources.

Dave McKnight: It’s the same for the financial services industry, which includes many outdated systems that have to be protected or isolated to mitigate risk. Another issue is an overreliance on using only passwords for accessing legacy technology. We are starting to see multifactor authentication required by new regulations, especially in banking, and the National Institute of Standards and Technology is revising some of its password guidance to consider authentication mechanisms that protect against the latest threats.

As cybersecurity leaders, how are you helping clients in this environment?

Michael Lucas: We’ve been helping our clients with some of the nontechnical aspects of cybersecurity, such as building and implementing cybersecurity frameworks, reporting, and gaining support of organizational leadership by painting the true picture of a company’s cyber risk and exposure. Organizations should complement their technical capabilities with strong reporting and communication, set the risk tone at the top, and help secure resources necessary to manage risks.

Dave McKnight: To drive that point home, leveraging cybersecurity frameworks to identify a company’s capabilities and gaps is really valuable. Such frameworks allow organizations to define corrective measures, whether it’s buying a new tool or obtaining more insurance. It’s imperative that organizations – especially those that aspire to be high functioning – can respond quickly and effectively to cybersecurity risks. This ability often comes down to proactively evaluating risks and capabilities and helping define where the organization invests its resources.

Confronting cybersecurity challenges head on

As criminals continually exploit new vulnerabilities, organizations and cybersecurity leaders across industries need to design a cyber-resilient program, stay abreast of emerging regulations, and remain vigilant in responding to threat actors’ new attack strategies. By confronting cybersecurity challenges head on, organizations can design a layered security model and foster a strong cybersecurity culture that proactively prepares them for the latest risks and threats.
