As companies increasingly explore how to improve their cybersecurity and protect their technology, proprietary secrets, and the personal data of their executives and employees from bad actors, they must take steps to fix a workplace culture that still resists better habits and practices for online security, not to mention shortages of staff experienced in cyber issues.
These points emerged in a Feb. 13 panel discussion, “Top Cybersecurity Risks for 2023,” sponsored by the Bipartisan Policy Center (BPC), a Washington-based think tank, in partnership with Equifax, an Atlanta-based consumer credit reporting agency. Washington Post journalist Tim Starks moderated the session, which included Jamil Farshchi, Equifax Executive Vice President and Chief Information Security Officer; Tom Romanoff, technology project director for the Bipartisan Policy Center; Noopur Davis, Executive Vice President, Chief Information Security Officer, and Product Privacy Officer at Comcast; Jerry Davis, founder of Gryphon X; and Christopher Painter, former chief of cybersecurity at the State Department, Justice Department and White House.
The catalyst for the panel discussion was BPC’s new report on cyber security issues and problems and steps companies can take to educate their employees about the threat of cyber breaches and avoid risky habits and practices.
While Romanoff and others have long thought of cybersecurity as largely a local issue, the reality these days is that company systems can be attacked by bad actors anytime, anywhere. “In the evolving world of cybersecurity, these days you have to take into account foreign people trying to take advantage of our systems. That was the first kind of waking moment when I was trying to do this report,” Romanoff recalled.
But while cyber thieves and other bad actors may be becoming more widespread around the world, and more sophisticated, the good news is that some technological advances have greatly helped companies strengthen their defenses. Noopur Davis made a strong case for multi-factor authentication (MFA), which uses unique attributes of individuals in order to screen users and protect data, as one of the best means of ensuring the integrity of corporate data. But she cautioned that MFA is not a panacea in a world where some employees remain stuck in the habits and practices of an office culture of the past, when cyber breaches were not the constant threat they are today.
An ongoing topic of discussion has been the lack of sufficient numbers of qualified professionals to oversee corporate cybersecurity. Too often, employers have focused on finding professionals with ideal qualifications rather than training people who, over time, can move into the job.
“You don’t just need to have those technical skills, those hard skills. I think we need to continue to build those. But the question for me is, are they curious? Can they learn? There are so many aspects of security, whether you’re on the risk management side, whether you’re on the technology side or the strategic side, I think talent is there; we just have to look at new ways of identifying talent, not just by their background, whether they have a degree in IT or coding and that sort of thing. There are other markers,” said Jerry Davis. “It shows that anyone can learn and be very good at security.”
Lack of experts
In fact, one of the most troubling issues identified by panelists is the massive shortage of personnel in companies, banks and financial institutions who have high-level training in installing, maintaining, upgrading, and broadly enforcing cybersecurity practices and protocols.
In Farshchi’s view, part of the problem here is cultural. Schools and universities may not focus enough on providing this type of technical and vocational training.
Unfortunately, the layoffs that have rocked the tech sector in recent weeks — with many thousands of job cuts likely in the coming months as tech platforms adjust to changes in advertising revenue and cultural backlash against social media — cannot be said to have provided companies with a new batch of potential employees well-versed in Internet issues, Farshchi believes.
“So far, the layoffs haven’t provided any relief on the talent front in terms of security. I think the last numbers I’ve seen [indicated] hundreds of thousands of open security jobs in the United States alone. So it hasn’t actually been proven yet,” he said.
Farshchi emphasized that those who view artificial intelligence as a panacea for the lack of human talent do not have a realistic understanding of the situation.
“Artificial intelligence can provide some relief. It has potential, but it’s too early to be able to tell how that will happen. I think what we need is more systemic, we need more focus and more investment in building that broader pipeline. We just don’t get enough kids in school getting an online education, so when they’re out, it’s easy to be able to take advantage of them.”
He suggested that this lack is unnecessary, because while cybersecurity is a specialized field, it is not too complex and cumbersome to master for those with tangentially related backgrounds, for example in information technology (IT).
But cultural issues, namely the tendency to look only for talent within the field, have so far prevented the recruitment and retention of potentially highly useful employees.
“I also think that organizationally, within our industry, we’ve historically had a reticence to bring in people who don’t have cyber expertise specifically. We need to broaden that horizon, there are a lot of skill sets, and you can teach them the components of security and that can be extraordinarily valuable,” Farshchi said.
Get up to speed
Painter agreed on the need to expand efforts to bring in people who can quickly get up to speed on cybersecurity issues and foster internal cultures of compliance, though he acknowledged that some will face a learning curve.
“For some organizations, some of the people who are laid off are the security people. It’s [a matter of] attracting more people who are interested in this. It’s building that pipeline and maybe retraining some of the people who’ve been laid off. Maybe they have some basic understanding of the technology, but they have to understand the security element, which is a different field.”
Along with increasing their investment in the human resources needed to oversee cybersecurity, companies must confront the fact that protocols that may seem simple and obvious are sometimes overlooked, Noopur Davis noted.
“It’s a simple set of rules, I think. You have to be careful, and be aware of social engineering which is still the number one way, even for organizations, that bad actors can get access to.”
Some employees need to get up to speed on tactics such as phishing, in which hackers falsely identify themselves as representatives of respected banks, companies or government organizations when contacting employees and try to get them to divulge sensitive information or send money under false pretenses.
Noopur Davis also warned about the dangers of employees using public WiFi.
“Have strong passwords, don’t use any public WiFi even if it says ‘I’m very safe call me’, it probably isn’t. So just follow these basic hygiene rules, just know the impact of social engineering, and make sure that you do not join unsecured and insecure WiFi to do your high level security work.”
Better safe than sorry
In a company culture where people are trying to get as much work done as quickly as possible, it’s all too easy for employees or executives to cut corners and ignore very basic safe practices.
These may be simple things, but they are not easy. “Simple does not mean easy,” Noopur Davis added.
This is particularly the case when it comes to MFA, which some people may simply consider too much of a hassle to use, even though it is essential to online security.
“I wish it was seamless, but security is often that balance between ease of use and security, and it can feel like the MFA gets in the way,” she said.
She commended the developments that have made MFA more attractive to some users by incorporating facial and/or voice verification into the security protocol.
“It’s getting better and better, especially on devices. When your biometrics become your factor, it’s easy when it’s your face or your voice. But without that, yes, it can sound intrusive,” said Noopur Davis.
Another concern is that some employees lack clarity about protocols and an ideal timeline for reporting phishing and other suspicious activity.
“Report a problem within 72 hours – The question in your mind is 72 hours from when?” she said.
Painter agreed that even people who are familiar with such issues sometimes fail to follow all the protocols and safeguards that could avoid or minimize the harm caused by a cyber breach.
“Even people who work in security don’t always have the security habits they should. It’s a sad truth, but we are human,” said Painter.
“In the past, people didn’t value security enough to pay more for it, at least in the United States. In some countries, they do. How can that be integrated into the overall infrastructure, so that the average granny doesn’t have to worry about it?” he asked.