I recently attended the National Cybersecurity Alliance and NASDAQ's joint Cybersecurity Summit, at which I asked several industry insiders for observations about the state of information security.
Here are some of the interesting points that emerged from our conversations:
Maureen Ohlhausen, Acting Chairman of the Federal Trade Commission
When it comes to cyber-risks, small businesses may be in even greater danger than large enterprises. A growing number of attacks target small businesses, and such firms often feel the impact of a breach more than do their larger counterparts. In fact, a significant number of small businesses that are cyber-breached fail within one year of the breach as a result of the fallout from it.
Jonathan Goldberger, Director of Security Services, Cisco
Sometimes, when it comes to cybersecurity, people seem to forget that "What is old is what is new" - many of the attacks inflicting damage today are the same kinds of attacks that we have seen for years. Spam is still an issue, and social engineering is still one of the primary ways criminals breach organizations. Security needs to be cumulative; defending against new attacks cannot come at the expense of neglecting older risks.
Todd Thibodeaux, President and CEO, CompTIA
1. The vast majority of breaches involve human error - enabled by poor systems and processes, people's lack of understanding of best practices, social engineering by criminals, etc. As such, one cannot solve security with only technology - we must better equip individuals to do their jobs without making security mistakes. As part of improving information security we need a societal attitude shift - people must recognize that cybersecurity is everyone's responsibility, not just the domain of cyber warriors. We must also eliminate the stigma of disclosing a breach.
2. Hackers will always be one step ahead - the goal of information-security professionals is to close that gap, or at least keep it from widening, but, today, the gap is growing, as there are millions of new entry points for attacks (computers, mobile devices, Internet of Things devices, smart cities, connected cars, etc.) and security is not keeping pace.
Eyal Goldwerger, CEO, BioCatch
People often forget that 100% of all fraudulent transactions occur in authenticated sessions - which means, clearly, that performing authentication checks when people begin online sessions is, in itself, severely inadequate from a security standpoint. We need to do more to ensure security throughout the time a user interacts with an online system.
Michael Viscuso, CIO, Carbon Black
The recent CIA cyberweapons leak showed that exploitable vulnerabilities still exist in the infrastructure of the internet (e.g., routers). Even if your own infrastructure were perfectly secure, because you rely on the external network for communication, you are vulnerable, and, in many cases, you do not even have a way to know when you are being attacked. Hackers can modify unencrypted communications to and from you as packets traverse the Internet - creating serious security risks. For example, malicious content could be added to web pages that you are browsing or that you are serving.
Lou Modano, CISO, NASDAQ
Please see my separate article about my conversation with CISO Modano.