Business and government battle cyberthreats
From left: Moderator Brooks Raiford, president and CEO, Raleigh-based NC Tech Association
Angelic Gibson, senior vice president, information technology, Charlotte office of TKXS
Sen. Jeff Tarte, N.C. Senate District 41, Mecklenburg County
Charles Marshall, attorney, Raleigh office of Brooks, Pierce, McLendon, Humphrey & Leonard LLP
Clay Harris, president and chief operating officer, Durham-based WorkSmart
Jillian Munro, senior vice president, enterprise security, Raleigh-Durham offices of Fidelity Investments Inc.
Emily Larkin, chief information security officer, Raleigh-based Sageworks
Tasha Swann Holsey, cybersecurity and compliance officer, IT department/IT security division, city of Greensboro
Tom Tollerton, senior manager, IT advisory, Charlotte office of Dixon Hughes Goodman LLP
Photo by Bryan Regan
Appeared as a sponsored section in the November 2018 issue of Business North Carolina
Cybersecurity has emerged as a dominant issue in the business world. In this month’s round table, our experts talked about the technology and training necessary to cope with today’s threats.
The round table was moderated by Brooks Raiford, president and CEO, NC Tech Association. Support was provided by Brooks, Pierce, McLendon, Humphrey & Leonard LLP, Dixon Hughes Goodman LLP and WorkSmart. Brooks Pierce hosted the event at its Raleigh office. The transcript was edited for brevity and clarity.
Are there particular industries or sectors that are more highly targeted for cybersecurity issues?
MARSHALL: It’s across the board. But I do think it’s worth noting that we see a good amount of breaches in the retail space, both malicious and human error. I think when you’re looking at industries like health care, you’re seeing a good number of breaches. Given the sensitive data and potential for exposure, that’s an industry where you’re always hearing about a lot about breaches.
MUNRO: We’re seeing adversaries going after higher value targets as opposed to focusing on a particular industry. They’re going after infrastructure targets or high net worth individuals so that their take-down is much larger than it had been in the past.
HARRIS: The biggest change over the last two years is the effectiveness of the spearphishing that happens to our clients. Bad actors have gotten much smarter about who to target and how to infiltrate the conversations of those people. It’s across all industries.
What are the vulnerabilities for the public sector?
HOLSEY: It’s the spearphishing. It’s the targeted phishing attacks.
TARTE: We see it both at the county and state level. We saw Mecklenburg County deal with ransomware not too long ago. The state is getting hacked multiple times a day across different departments. They’re going in through NCDOT and getting that kind of background information. At the Department of Revenue, people are trying to jump in front and determine whether you have a tax refund coming and have it sent to them before it’s sent to you. We’ve got sensitive data in two major data warehouses. We’re trying to do population health management and other things. We’ve got massive responsibility.
How can organizations help employees cope with cyberthreats?
LARKIN: Employees are our weakest link in an organization. We’re really big on awareness training. The day the employee comes on board, they spend an hour with my team to go through all of the expectations. Then we stick ourselves out in every staff meeting. You’ve got 400 people there, and that’s a captive audience.
MUNRO: Ninety-one percent of cyberattacks start with a phishing email. Having a good blocking attack at the perimeter is extremely important. Couple that with education. We phish every single person in the firm over and over and over again, all the way up to our president and CEO. It’s really important to do that. It’s not just one thing. You’ve got to check the perimeter. You’ve got to check the interior, and you’ve got to check the humans.
HARRIS: There’s good news, at least in the small-business world. Security awareness training has taken off. Nearly a third of our clients now do security awareness training. Our partners have seen 25% to 30% of employees are susceptible to phishing at first. After three months, you can cut that in half. After a year, that goes down to 10%.
How do you go about testing employees? when you have identified that small subset that are continually a problem, what do you do about it?
GIBSON: We’ve had repeat offenders, but we continue to take them through education. We’ve actually created policy inside of TKXS that when an email’s calling you to take action on behalf of the business and it’s coming even from the president of the organization, stop, pause, ask. If that person’s not available, seek out technical support to confirm. We’re very active in communicating and continuing to check up as a part of our onboarding process.
TOLLERTON: Security awareness goes beyond just threat awareness. It needs to speak to business process. There needs to be awareness of what the appropriate behavior is.
HOLSEY: When employees fail our phishing test, we invite those users to mandatory cybersecurity awareness training. What we do is tailor that session around all the tips that you need to look for when you receive a phishing email. We’ve taught our employees and customers that they’re our first line of defense, and we’ve made it a team effort. I think that’s worked well, because we want to help them help the whole organization. We’ve made them feel like they’re a part of that security team protecting the city of Greensboro.
What are some technologies that can be used to fight cyberattacks?
TARTE: We’re primarily getting hacked from outside the U.S. every day. One of the ways to potentially control it is to leverage two technologies, identity management and blockchain, that are becoming more mainstream. The idea would be that every North Carolinian, when they hit 16, would be issued a digital certificate. We know every transaction, and it’s a secure form of ID.
TOLLERTON: We’ve actually spun up a blockchain working group in our firm, have joined the Accounting Blockchain Coalition and we’re looking for use cases. I think the challenge is that the value of blockchain is having multiple parties involved before the transaction peaks. Obviously the use of a blockchain is to record a transaction to a ledger, and I think the challenge is going to be the adoption of those ledgers. I think government is going to have to probably be the leader on that, just because you have so many departments and areas that require transactions, but I think that’s a great point for identity management.
Is there a risk of lack of standardization in approaches to cybersecurity?
MUNRO: Technology diversity in your environment is the enemy, because you may have one small component that’s weak. Then you’ve got a place for adversaries to infiltrate, and you’ve just got so much more to protect. You’ve got to do it in different ways. Consistency really helps you know that you’ve got the right protections in place.
GIBSON: Every time you have a new introduction of technology, you’re increasing your risk profile. Not only should you do your own internal testing to make sure that you are secure, but have a third party try to break you. We say to all of our clients we want them to do a security test against us as well. You’re getting multiple viewpoints. You want a wide lens finding the break points.
LARKIN: You’ve got to do the foundational pieces and then layer further defenses. But if you’re not getting those foundational components done — awareness, patching, things like that — you’ll run into trouble.
How involved should executives be in cybersecurity?
MUNRO: You need your board and your senior executives to understand the threat, to be aware of it, to be monitoring it and watching it. It’s got to be a board-level topic. In terms of resources, we have a threat intelligence team that works with the organizations that are monitoring the environment so that we can try and get ahead of the bad guys.
The bad guys have a process. Some of them work nine-to-five workdays. They work banker’s hours. Some of them treat this as a complete job. If you have a vulnerability out there in the environment, they’ll start testing against that. Then you can start to see that activity, and they’ll start putting it into production just as a technologist would. Monitoring the environment and really understanding and appreciating what others are going through and what the government agencies are seeing is extremely important.
MARSHALL: It’s very easy to convince a company to invest in cyber compliance after they’ve finished responding to a data breach. What’s been more difficult is obviously convincing them to invest on the front end, because it’s often an unbudgeted expense and it seems speculative at the time. I also think that it’s almost impossible to get that level of investment or buy-in without the board. It usually takes a C-suite executive or board member to raise that flag before any breach occurs and to start asking those questions in order for the company to make the investments that they need.
What’s being done to protect consumer data and respond to privacy concerns?
MARSHALL: We’re finding that consumers are becoming more educated and better attuned about companies’ privacy policies. We encourage them to be truthful, to be transparent and to be accurate when they’re communicating with their consumers about their privacy policies. That means thinking about what is reasonable for the consumer to expect in terms of how their data is being handled and shared.
LARKIN: With our customers, third parties are a huge piece [of what] I deal with. We try to be very transparent. Users have to sign off on every third party we do business with. Our core application does not require any third party. But if you want to do a credit report, you’ve got to say, “Yes, I acknowledge.”
GIBSON: The way people manage passwords is a problem. If somebody gets your username and password at your favorite retail location, they can start to follow you and see where else you’re going on the web. Then they can just take over your entire life. At a corporate level, those passwords are coming into an organization, so now the organization’s at risk. There are going to be attacks.
So how do you minimize those attacks and how do you prevent them from spreading? For an individual, it begins with password management and protecting your home PCs. It’s that basic. People are not informed on protecting themselves, protecting their children. Even a child who is in elementary school is on the internet from your house opening up access. Just think of the different ways that hackers can now come in and invade a family. It’s just a different game, because children are certainly not educated on how to protect themselves. We’re focused on how do you protect your children from seeing particular content, but how do you actually protect your child from opening doors for identify theft for your family?
TARTE: When you sign up for your operating system upgrade, you’ve waived all your privacy rights. But there are vendors, Apple being one, that are paying real attention to the privacy aspects. But those that have a technical background realize you open up your laptop and with about three commands, you can get to your entire password history on every page that you access. The right technician can get all that. How you protect against that becomes very, very important.