Don’t Ignore the Human Element in Cybersecurity, say Professionals
Salt Lake City—Cybersecurity threats have become just a part of doing business. There’s no magical salve or solution that will keep your business 100 percent in the clear from any sort of cybersecurity threat—and those threats are becoming more sophisticated every year. How can you keep your company safe?
One of the first steps is to not ignore the human element. That was part of the advice given at the first Utah Business Cybersecurity and Digital Privacy roundtable, held Thursday morning at Holland and Hart’s downtown Salt Lake City offices. A group of 14 cybersecurity professionals from a wide array of industries—tech, law, education, government and private industry—discussed cybersecurity trends, breach fallout, and what businesses can do to keep themselves as safe as possible.
One common cybersecurity breach begins when an individual computer is compromised, which can then lead to theft of that individual’s username and password for their email login. This can then translate into phishing emails being sent to their entire contact list—even carrying Word document or PDF attachments—and thus infecting any other contact who might accidentally open what looked to be a legitimate email from a known sender. The result can be huge losses for a company.
“That’s what we’re seeing very, very frequently, where your CEO or accounts payable individuals in the organizations are exchanging wire transfer information and it’s fraudulent,” said Dean Sapp, CISO at BrainTrace. “Over the course of a long weekend, large amounts of money get wired and approved because companies don’t have very strong dual controls over movement of money, the changing of wiring instructions and bank account information. They’re realizing large losses. If I were to average in the valley, recently, the breaches we’ve responded to are in the neighborhood of $2-300,000. So, significant amounts of money.”
Multi-factor authentication is a process that can keep email accounts safe—a user is only granted access to their accounts after they establish separate pieces of evidence to authenticate their legitimacy. You may enter a password, but you won’t get into your account until your phone dings with a separate code, or until you answer a question only you would have knowledge of, etc. Multi-factor authentication is the first line of defense against simply losing your password (and thus, your entire account) to hackers.
“Rarely are there clients calling us that have had a breach that have deployed multifactor authentication,” said Sapp. “Usually that’s one, in my opinion, of the best controls, for the least amount of money, that can reduce the likelihood of that breach.”
So why isn’t everyone using it? Bad “cybersecurity hygiene,” said Matt Sorensen, CISO for Secuvant. While hackers are quickly learning how to spread phishing scams to your LinkedIn or Facebook feed, the average person isn’t keeping abreast of developments, clicking on links and downloading attachments they shouldn’t. Companies need to make sure they educate their staff, especially if they want company-wide buy-in on something like multifactor authentication. As multi-factor authentication adds a step to login, some employees may simply not want to use it, regardless of the extra layer of security it provides.
Some companies, for instance, might make multifactor authentication available to their staff—but not mandatory. That opens the company up to liability should it be breached via a user who didn’t make use of the new tech.
“From a liability perspective, one of the things that we advise our clients about now is if they’re going to offer multi-factor authentication, are you going to require it for that user to use the system, or is it going to be optional?” said Elaina Maragakis, attorney and chair of the cybersecurity section at Ray Quinney & Nebeker. When a breach occurs, finger pointing can ensue—is it the fault of the employee who didn’t use the multi-factor authentication, or the company that didn’t make it mandatory?
So, when rolling out new tech like multi-factor authentication, expect pushback—even from the C-suite that’s requesting it. Robert Jorgensen, cybersecurity program director and assistant professor at Utah Valley University, said when his university rolled out mandatory multi-factor authentication, there was much “wailing and gnashing of teeth” from the faculty.
“Faculty is probably one of the worst user groups to deal with, up there with executives and others, as far as user acceptance,” said Jorgensen, who added that the university then embarked on an education push to make people understand why multi-factor authentication was necessary. “It really adds seconds to the login at most. And we have it set up that you only have to do it once a day on a particular browser. … You’re talking an extra three seconds in the morning to essentially put your account on lockdown.”
Making your company—and its data—safer can be as easy as making sure everyone in the company understands and complies with new safety measures.
“When we talk about how user groups are apprehensive about implementing a security policy, there’s an important thing to be had hand-in-hand with your IT and security solutions in making sure that, from an administration standpoint, you have strong procedures and buy-in from executives from the top of the company so whenever you implement something like this, it’s not seen as a waste of time,” said Tsutomu Johnson, attorney at Parsons Behle & Latimer.
The discussion was moderated by Romaine Marshall, attorney at Holland and Hart. Read the full conversation in the March issue of Utah Business.