Cybersecurity Roundtable Recap: Discussion on Increasing Cyber Resilience
Three security and IT experts from a range of industries came together to help shed some light on industry trends for boosting cyber resilience as part of ProArch’s Cybersecurity Roundtable. Check out the recap below and download the recording for the full discussion.
Q: What are some ways to effectively educate and communicate risk posture to the board and top executives?
A: The cybersecurity and IT world can be a confusing and scary place for outsiders. Avoid techie jargon and find creative ways to get the executive team on the same page.
“What we have done is incorporate our cybersecurity program into our compliance program. This is helpful for two reasons: It’s not only the right thing to do when you want to protect your employees, but there’s already a lot of built-in structure in compliance programs,” Andrew Luna from IHI Power Services Corp shared.
“We took our cyber programs to our fleets across the country to help them understand it, giving them hands-on experience and comfort with these controls. That helps the board and top execs to look at these initiatives as line items that need to be completed.”
“When we present to boards, the discussion about vulnerabilities and assets becomes challenging,” said Ben Wilcox, CTO of Security and Cloud at ProArch. “We need to relate it back to something they value; changing the conversation to how these vulnerabilities can affect the business directly. Cybersecurity is here to protect confidentiality, integrity, and availability.”
Q: In terms of investment, what key areas of threat protection deliver the greatest return? What are the ‘biggest wins’ to prioritize in the budget that has the greatest impact on risk reduction?
A: Every business has different needs and vulnerabilities, so it’s important to map out your current state and where you want your security posture to be before deciding on solutions. That being said, there are a couple of ways organizations can approach threat protection: proactive controls and reactive controls.
“Businesses are experiencing more phishing attacks. There are a couple of main ways to defend against that: security awareness training for all employees (proactive) and endpoint detection (reactive). There has been a large increase in detection and response solutions due to their responsiveness to abnormal activity,” Wilcox said.
“All in all, the more telemetry you have, the better.”
For Peter Hotchkiss of Barclay Damon LLP, the key to risk reduction is layering protection solutions, paired with multi-factor authentication.
“A couple of big things we did was implementing Cisco Umbrella web filtering, which provides a great level of protection for web browsing. For us, it protects our devices whether they’re at home or traveling,” said Hotchkiss.
Whatever controls or programs are put in place, it’s important to avoid impeding employees’ ability to be productive while keeping them safe.
Q: Power plants reside predominantly in remote locations and have very few or no personnel on site. How can remote access be implemented in a secure way?
“Today, 90-95% of our people are using remote access. It happened basically overnight and without those key security controls in place.”
For many power plants, the answer was found in multi-factor authentication. It provides a secondary point of verification for users, making it more difficult for cyber threat actors to breach your system.
“Cybercriminals are like any other criminal: when they meet resistance, they’re going to move on. As soon as you put MFA into place, it’s too much work for them..”
Across all industries, MFA is essential.
“The Cybersecurity and Information Security Agency (CISA) recommends that organizations with any sort of external-facing system, it should be protected by MFA,” Wilcox said. “Also, making sure any remote access is limited strictly to the exact needs of each individual user.”
Q: Law firms handle an immense amount of sensitive client data and confidential information. What data protection controls are most important so that users can still do their work, but IT has the control and security they need?
A: “All our law documents are related to private client data. Our document management system organizes every document into a folder structure that is specific to the client and the matter that is being been working on. We’re able to limit access to only those who absolutely need it. Even documents that are more openly available are tracked and any changes are logged. We can even set specific rules that are time- or activity-based. It goes as far as allowing us to cut off access if needed,” Hotchkiss shared.
As for other industry trends being used to boost security and accessibility, Wilcox offered insight into the importance of data governance and protection.
“A governance plan around data will ultimately define how the strategy needs to be. There’s a lot of data within businesses and often multiple owners. Defining the governance team is the first step. Once that is done, you need to figure out if you have any contractual or regulatory requirements around your data. That may determine what sort of data you need to analyze, requirements, and ultimately what controls need to be addressed.”
Watch the remaining cybersecurity roundtable questions and the panelists’ answers.