“Our goal today is not to scare you,” HunterMaclean partner Diana McKenzie told the group of 150 invited business and community leaders gathered in Savannah Technical College’s Eckburg Auditorium Thursday for the Savannah law firm’s 2017 Critical Issues Forum on cybersecurity.
But after throwing out a few statistics, McKenzie clearly had the audience’s rapt attention.
“Cybersecurity is an $80 billion industry,” McKenzie said, adding that the average cost of a data breach is currently estimated at around $4 million, according to a study by the Ponemon Institute in Michigan, the industry’s gold-standard research firm.
“Our goal this morning is to give you some practical ideas on what you can do to make your organization, regardless of its size, more immune to cybersecurity threats,” she said.
Panelists for the discussion were James Ainslie, chief executive officer of Cape Augusta Digital Properties, a wholesale data development company; Kevin Mooney, senior director of enterprise data governance at the Cleveland Clinic Foundation, the country’s second-largest hospital system; and Sheryl Bunton, chief information officer for Savannah-based Gulfstream Aerospace.
Asked what they saw as the current challenges in data protection, each panelist had a different take, based on their own perspectives.
Bunton talked about breaches that make more sophisticated tools available to hackers.
“We all know about the CIA breach,” she said. “But what we don’t think about is how that breach has put some pretty high-tech monitoring tools that were used by the CIA out there on the dark web for purchase.
“You used to have to build your own, but now young or small-time hackers with limited skills can go out and buy software that will execute maliciously against whomever they want to attack,” she said.
Ainslie agreed, adding that a major concern for him was the lack of human capital to mitigate cybersecurity threats.
More people needed
“As the bar is lowered on skills needed to hack, one of the biggest issues in the industry is that we don’t have enough people to address the growing threat,” he said.
Mooney said there are several concerns specific to the health care arena, including ransomware and hacked medical devices.
“Ransomware has really shone a light some glaring deficiencies in health care security,” he said. “There are certain hospital systems, for example, that actually still don’t back up their systems.
“When one of these systems is attacked by ransomware, they are going to get shut down and critical care is not going to happen,” he said. “This becomes a very dangerous thing.”
Medical devices – items such as pacemakers, insulin pumps and the like - have the potential to become security nightmares, as there are literally millions of such devices out there with connectivity and the ability to communicate,” Mooney said, adding that studies show as many as 70 percent of these devices don’t encrypt their communications.
“That makes them easy pickings.”
So, what can companies do to combat data breaches?
“The first thing we need to do is change the culture with a broad corporate education program,” Ainslie said. “We all know what cybersecurity is, but we can’t see it in the same way we see a physical security breach and so we tend to ignore it.”
“Everyone who touches data should be trained,” he said. “We need cyberdefenders at every level of the organization and that means proactive training on the front end and building out a comprehensive response plan, because breaches are not a matter of ‘if’ but ‘when.’
“Finally, when a breach does occur, you need to take those lessons learned and implement them into the next training module.”
Tips for small and medium-sized firms
You don’t have to be a big corporation to protect yourself from a cyberattack, Bunton said, adding that there are a lot of small, low-cost practices that will help keep data more secure.
“Even the smallest companies need to practice what I call good IT hygiene,” she said.
“Replace your equipment. Don’t wait until it is so end-of-life that there is no patching available.
“If you buy your routers and other network equipment from a Best Buy or other big retailer, don’t use the default password that it came with. Change your password.
“Have your people change their passwords on a regular basis and make sure those passwords are complex. One of the things we find is that people tend to go to the familiar when creating passwords.
“Don’t use your children’s names and/or birth dates, don’t use a known address or your phone number,” she said.
“A good password would be a short sentence with some numbers, using the number 2 for ‘to’ or 4 for ‘for.’
“The other thing is to make sure everyone who works for you practices good email protocol,” she said. “More than 80 percent of large-scale email breaches start with a single employee clicking on a payload from a single email.”
Bunton recalled that a large former employer had an active, persistent threat that her department traced back to an HR employee in Minnesota who had clicked on a $10 off coupon for Papa John’s Pizza.
“Trust me, it wasn’t a coupon for pizza,” she said.
For issues like that, having some sort of filter in place can help, but the most important thing is to concentrate on educating employees on managing their email, she said.
“If it seems too good to be true, it almost always is,” she said.