By SecureWorld News Team
Mon | May 22, 2017 | 11:50 AM PDT

The 10th annual SecureWorld Houston conference featured rapid-fire discussions about the recent WannaCry attack, various insider threats, cyber intelligence, and more.

While cybersecurity was the raison d'être at the conference, Chief Digital Forensic Investigator Ted Swailes pointed out that "cyber" isn't approachable for a lot of people. It sounds more like a new drug or something from Star Wars.

Furthermore, security is an afterthought for most consumers. When a new technology comes out, they are most interested in learning about all of the new features to streamline or further interconnect their lives; customers just don't care about what new security features have been added.

People often ask what's a greater threat to a business, weak cybersecurity or insider threats. But for Swailes, they are two sides of the same coin. 

And insider threats often stem from negligent or careless behavior on the part of an employee or third-party vendor (we all remember the Target breach).

Colonel Cedric Leighton, of Cedric Leighton Associates, explained that cybersecurity can be strengthened through a better private/public partnership—also reducing the risk of insider threat.

The current cyber environment is all about data. Data this, big data that. Yet the current cyber environment is also being pummeled daily by hacktivists, cyber criminals, state-sponsored attacks, and bored teenagers. 

In the U.S. alone, hacking costs businesses at least $500 billion every year.

However, Leighton pointed out that strengthening our intelligence community (not the NSA) can help secure the web. By having a group of cyber experts who have access to the latest technologies and focus on "actionable" intelligence, we have a much better chance at securing our environments and then sharing information on how to do so.

Security awareness was also a hot topic for Dr. Paul Berryman, Security Compliance Manager for Andrews Kurth Kenyon LLP. He pointed out that 91% of cyber attacks begin with a phishing email, often clicked upon by users with poor training or a lack of awareness.

His afternoon session focused on developing a solid security awareness program for organizations, one which includes a yearly presentation and monthly or quarterly newsletters.

However, Berryman pointed out, "If people aren't paying attention to it, then don't do it." It's not enough to check the security boxes if your methods are ineffective.

Posters in the breakroom might work better for companies whose employees don't spend enough time on a computer to read a monthly security newsletter.

And his advice on passwords? Picture your password like a toothbrush. Choose a good one, don't share it with anyone else, and don't forget to change it once in a while!
