A Former CTO of the FBI Cyber Division on the State of Cybersecurity
Part 3 of a three-part series
Milan Patel, current chief client officer at BlueVoyant and former CTO of the FBI Cyber Division, keeps up with the latest in cybercrime and cybersecurity. (If you missed his great tale of his first FBI vehicle—not to mention, tales of his time working on global cyber investigations including Anonymous, Rove Digital, and Silk Road—check out part 1 of our series.)
This article will wrap up our three-part series. Read on for Milan’s take on the state of cyber security!
How should employees and vendors factor into a business’ security plan?
Two things to consider are training and third-party risk (including vendor risk management), which is now becoming a pretty powerful buzzword in industry.
Employee training is critical to your cyber resiliency plan. Some organizations now hold their employees accountable for security breaches, which forces them to be smarter and pay attention to what they're clicking on. The good news is that training is becoming a priority. Many of our customers want to train their entire team annually because the board or regulatory control is requiring them to conduct cybersecurity awareness training. This is an important first step, but cyber criminals are sophisticated and training, while it helps, will not solve all of an organization’s potential problems.
On the vendor side, there needs to be a mature process to understand who your vendors are, what they provide you, what, if any, data they have access to, and whether they have implemented strong cyber security controls. A threat coming from the vendor is more likely to land in the network since the person sending you an email is “white-listed” in your security tools – meaning your email protection tools are less likely to stop their emails and attachments.
Can you share a vendor story?
We were helping an organization recover from a ransomware attack. It turns out that the vendor they used for IT outsourcing was compromised. The bad guys got access to a specific and legitimate IT management tool that allows the outsourcer to deploy updates and patches to the customer's environment. We found the bad guys put malware, disguised as a legitimate software update, into the IT management software. When the software pushed the update, it actually pushed the malware to all the machines on the network. Those are the sort of real-life issues that companies are dealing with when they're talking about vendor-risk management or third-party risk. An after-action review revealed our customer never asked the outsourcer to produce any documentation on its cyber security posture.
How could this breach have been prevented or stopped?
The obvious one is a better assessment of the outsourcer’s access to the customer’s environment and a proper understanding of how patching and updates are performed and what checks are in place to ensure reviews are done beforehand. Moreover, in that particular case, if they had a next-generation antivirus platform designed to record and review all activity on the endpoint, the behavior would have been detected when it was first observed. Also, a security analyst trained in using the security tool could have investigated and manually stopped the attack if necessary.
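One concrete form of the "checks in place before an update is pushed" that Milan describes is a deployment gate that refuses any package not recorded in a reviewer-signed manifest. The following is an added illustration, not code from BlueVoyant or from any IT management product; the manifest format, the HMAC review key and the sample packages are all constructed for the example.

```python
import hashlib
import hmac
import json
from typing import Tuple

# Hypothetical key held by the change-review step, not by the push tool itself.
REVIEW_KEY = b"hypothetical-review-signing-key"


def package_hash(data: bytes) -> str:
    """SHA-256 of the update payload as it would be pushed to endpoints."""
    return hashlib.sha256(data).hexdigest()


def sign_manifest(approved: dict) -> dict:
    """Reviewer signs the mapping of package name -> approved hash."""
    body = json.dumps(approved, sort_keys=True).encode()
    sig = hmac.new(REVIEW_KEY, body, hashlib.sha256).hexdigest()
    return {"approved": approved, "sig": sig}


def verify_manifest(manifest: dict) -> bool:
    """Reject a manifest whose entries were edited after review."""
    body = json.dumps(manifest.get("approved", {}), sort_keys=True).encode()
    expected = hmac.new(REVIEW_KEY, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, manifest.get("sig", ""))


def gate_update(manifest: dict, name: str, data: bytes) -> Tuple[bool, str]:
    """Allow a push only if the manifest is intact and the payload matches it."""
    if not verify_manifest(manifest):
        return False, "manifest signature invalid: refusing all deployments"
    expected = manifest["approved"].get(name)
    if expected is None:
        return False, f"{name}: not in the reviewed manifest"
    actual = package_hash(data)
    if not hmac.compare_digest(expected, actual):
        return False, f"{name}: payload hash differs from the reviewed hash"
    return True, f"{name}: approved for deployment"


# Constructed sample: the reviewed patch, and a tampered payload reusing its name.
GOOD = b"legit-patch-v1.2"
TAMPERED = b"legit-patch-v1.2 + implant"
MANIFEST = sign_manifest({"patch-1.2.pkg": package_hash(GOOD)})

if __name__ == "__main__":
    for name, data in [("patch-1.2.pkg", GOOD), ("patch-1.2.pkg", TAMPERED), ("hotfix.pkg", GOOD)]:
        print(gate_update(MANIFEST, name, data))
```

The gate also fails closed when the manifest itself has been altered, which is the case that matters once the outsourcer's tooling is in an attacker's hands.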
Hacks get a lot of press, but most breaches occur because of phishing or poor password management. Do you have thoughts about the best way to tackle education for employees and compliance? You said they were being held liable. Does that mean they’ll get fired if they’re responsible?
There are companies beginning to employ such practices. I think making an employee responsible for their own “cyber-hygiene” is critical to the health and safety of a network. It's both scary and troubling that we have to start thinking of these types of measures. On a positive note, the industry is doing a better job training employees, in part by utilizing a wave of new training tools and platforms available in the marketplace and mandatory cybersecurity training.
With respect to compliance, I think adoption of compliance is, sadly, again probably due more to potential regulatory enforcement versus proactively embracing new cyber security requirements. For example, the New York State Department of Financial Services (NYDFS) has made specific cybersecurity controls mandatory within its regulatory framework. If you are out of compliance, you could be fined or sanctioned.
So, you’re saying the C-suite is just starting to get more engaged and interested in preventing this?
In addition to compliance, there are probably a few reasons for this. First, “I don’t want to be next.” For example, there was a breach at a manufacturing company and their competitor called us. They were really scared about ransomware because they heard their competitor was hit and was shut down. They didn’t want to be next. In addition, we are seeing boards and C-suites be more engaged because they realize cyber-attacks can have a material impact on the bottom line and can compromise brand and reputation.
Lastly, cyberattacks have become prime time news. This wasn’t the case five or six years ago. As a result, people who normally would not be paying attention are beginning to understand the importance of cybersecurity.
What’s your approach to balancing the desire for flexibility and low friction with the need for security?
That's a good question. For years it was the opposite; security was an afterthought to driving business. We’re starting to see a change where companies are evaluating cyber risk as a part of their go-to-market strategy. I wouldn’t necessarily say it is security first, but we are witnessing a real-world shift in priorities to ensure a proper security strategy is being integrated into the business. Cyber attacks are an existential threat to businesses. Personally speaking, companies have to recognize real cyber security resiliency is difficult to make completely transparent. Employees have to recognize strong security controls will hamper some speed. This is the new norm. The alternative is now too costly.