Earlier this month, Merritt Groupers Laura Asendio and Melanie Ford joined business executives, leading cybersecurity experts and privacy advocates at The Washington Post headquarters in Washington, D.C., for its Cybersecurity Summit.
Seven guest speakers took the floor to share insights on the cyberthreat landscape and what it will look like during 2018 with regards to government, enterprise and personal data protection. The speakers discussed cross-sector cyber collaboration, trends in detection and prevention and best practices for cyber hygiene. The following are their top five takeaways from the event:
1. Consumers oftentimes don’t realize that they’re already involved in the cyber fight.
Why are people not rioting in the streets over Equifax, when almost half of American citizens’ credit card and social security data was compromised?
While Europe is advancing General Data Protection Regulation (GDPR) legislation, there is no equivalent U.S. effort for data protection, particularly when it comes to private enterprises’ free rein on data collection. In spite of this legislative discrepancy, consumers can take conscious steps to protect their data by implementing two-factor authentication; strengthening password practices; and using password managers such as LastPass, Dashlane or others. They can also limit online banking functions to one device instead of multiple.
“We need to continue to educate folks on how they can be part of the solution instead of the problem,” said Eva Velasquez, president and CEO at the Identity Theft Resource Center.
2. CISOs need to rethink their strategy for longer company tenure.
One of the big problems in cyber is lack of alignment within organizations, which results in short company tenures of many chief information security officers. While their roles are often esoteric, CISOs are looked upon to provide vision and strategy to the C-suite to ensure information assets and technologies are adequately protected. CISOs need to communicate more effectively by appealing to big picture aspects of the company, such as revenue, cost margins and customer satisfaction.
“CISOs don’t typically last more than 13 months,” said Sam Curry, chief product and security officer at Cybereason. “If they want to change this, they need to show that they understand the core business and align with strategic initiative.”
3. The market can learn from massive cyberattacks.
While often very devastating, major cyberattacks challenge the way cybersecurity is prioritized and showcase the need for government standards, laws and regulations, such as GDPR. The market and enterprises are still stuck in a reactive state when dealing with breaches and attacks, which was made blatantly clear with Equifax.
“Equifax didn’t value the data sufficiently,” explained Rob Knake, a senior fellow at the Council on Foreign Relations and a senior research scientist at Northeastern University’s Global Resilience Institute. “If they had understood the societal cost and level of consequence to losing the data, they would have never let it happen. With an oil spill, if one drop spills in the ocean, the responsible party must clean it up and prove they have the resources to handle it. … As of yet, no one can write security policies in a way that proves they can clean up breaches sufficiently.”
4. Cyber defense must be a global effort.
On the first Friday night after the WannaCry attacks, 45 private organizations and government agencies joined a late-night Department of Homeland Security call to exchange knowledge. The group worked overnight to address the attacks as they quickly spread globally.
“I really believe that this is the model for the future,” said Jeanette Manfra, National Protection and Programs Directorate Assistant Secretary for the Office of Cybersecurity and Communications. “We’re all in this together. We have to be able to share things that maybe aren’t perfect yet.”
This WannaCry response model demonstrated how private organizations and government agencies from across the world can join communities to share information and effectively respond to cybersecurity attacks.
5. Privacy in the digital age continues to rapidly evolve.
The final panel of the morning centered on best practices for cyber hygiene and discussed what options consumers have to protect personal and financial data, particularly as the holidays approach. The panel concluded that social security numbers are good identifiers, but not good authenticators.
Furthermore, while many are first exposed to cryptocurrencies like bitcoin during a ransomware attack, panelists were adamant that leaving a digital crumb makes it harder for criminals to disappear without a trace. Following this rationale, Mischel Kwon, former deputy CISO for the Department of Justice and current founder and CEO of MKACyber, predicted that consumers may opt to pay higher credit card rates as they increasingly prioritize the provider’s fraud protection offerings.
Dante Disparte, founder and CEO of Risk Cooperative, elaborated, saying bitcoin is leaving a digital trail that is much much harder for criminals to escape with than regular currency. Regular currency is harder to trace than digital wallets.
The event was moderated by Post political reporter Amber Phillips, technology columnist Geoffrey Fowler, and technology reporter Brian Fung. It is available via recorded livestream here.