From a U.S. college assisting another country with their cybersecurity, the issue of wealth management firms being targeted by cybercriminals and companies hiring cybersecurity employees without traditional experience, there’s a lot going on in the world of cybersecurity. Here is a look at a few items making news recently.
Boston College is working to promote transatlantic cybersecurity. Ireland is an emerging digital superpower and is partnering with Boston College to promote cybersecurity efforts. Boston College’s Global Leadership Institute (GLI) is playing a key role in doing just that, by taking part in exchange programs with Irish and Northern Irish leaders in cybersecurity; this spring they’ve expanded the initiative to include NATO and the European Union. This month, the GLI also co-sponsored a Cyber Security Transatlantic Policy Forum at Ireland’s Killarney Economic Conference. Politicians, policymakers, and leaders in the cyber industry gathered to discuss corporate/law enforcement partnerships in cybersecurity. One of the people taking part was Kevin Powers, who directs the M.S. in Cybersecurity Policy and Governance program in Boston College's Woods College of Advancing Studies. Powers is also on the faculty of Boston College’s Carroll School of Management and Law School. This latest foray into cyber issues is the latest reflection of GLI’s efforts to adapt resources to reflect a world where geopolitical and social realities are constantly shifting. Beginning as the Irish Institute in 1997, and building on its foundation of work done by the Center for Irish Management, it developed programs and initiatives aimed at building reconciliation between Northern Ireland and Ireland.
“When you have a global perspective, being part of the conversation addressing issues and concerns that have become global is vital. There is a lot of uncertainty about how Brexit will play out, and what its economic, social, and political effects will be,” said Robert Mauro, Executive Director of Boston College’s Global Leadership Institute. “But where Ireland — and its potential role in the future of cybersecurity — is concerned, Boston College is definitely part of that conversation,” he added.
“The U.S. Department of State sees Ireland as the frontline of cybersecurity defense for the U.S. in Europe,” Mauro also said, adding, “The reason for this is two-fold: First, Brexit has upset the role the UK can play in Europe. While the Brexit process has only started, the EU has already struck out on its own with new legislation such as General Data Protection Regulation, which governs data protection and privacy. Ireland has been very transparent about how they will seek to implement GDPR. And this has meant that they serve as a vital point of contact.”
Ireland has a high knowledge base and skill sets in digital infrastructure. These are just a few of the things it brings to the table when it comes to tackling cybersecurity, according to Mauro. That said, he thinks Ireland doesn’t have an integrated national security policy that would allow the country to take on a leadership role in international and transatlantic cybersecurity. “Second, Ireland is home to a large number of U.S. multinationals that based their headquarters in Dublin. The U.S. is concerned about how Ireland responds to a full-on cyber attack from a rogue state and what the implications of that would be for U.S. multinationals and the American economy,” Mauro adds.
This fall, Boston College will host an Irish cyber industry expert for four months of study, thanks to a Tech Impact Award from Fulbright Ireland. According to Mauro, world events are having an impact on how the world deals with several pressing issues, including cybersecurity. “Not being part of NATO is an obstacle for Ireland,” he explains, adding, “There is no efficient framework for Ireland to share information with the other NATO powers, and it can’t take part in important defense exercises. So Ireland needs to strengthen its lines of communication with the U.S., the UK, and Europe, especially as Brexit unfolds.”
There are several questions the issue of cybersecurity raises. “How do you approach cybersecurity as a priority? How do you plan, and align manpower and resources? What are the ethical considerations in formulating policies and practices? How do you build the kind of partnerships between private industry, government, and academia that offer the promise of success? These are the kinds of questions we explore in our cybersecurity program, and they have great relevance for Ireland,” according to Kevin Powers, of Boston College’s Master’s program in Cybersecurity and Governance.
Wealth management firms aren’t paying attention to a critical component of cybersecurity. According to the head of a Denver-based data security think tank, Sileo Group, wealth management firms are ignoring their own employees.
“Criminals will always go for the humans first, and we as businesses tend to fund the training of our humans last,” said John Sileo, CEO of Sileo Group, who added, “We’ve got to train our people to have a moment of skepticism — when they slow down, ask some questions and think through this.” Speaking at the Investments & Wealth Institute’s annual conference in Las Vegas,
Sielo stressed the importance of educating employees on the importance of not falling prey to hackers who use “spear-phishing” tactics to perpetuate their scams. He talked about a 2015 attack that targeted Ubiquiti Networks, in which hackers impersonated an employee, leading to Ubiquiti’s finance department transferring $46.7 million out of its accounts. Stories like this one spotlight the importance of firms investing in training so that employees are immediately skeptical, and always on the lookout for employee impersonation or any other type of fraudulent request. “Ninety-nine percent of the people inside your organization don’t know the simplest tool of detecting phishing,” Sileo said, adding that most employees neglect to hover their mouse over links inside an email, which would point out suspicious links or web addresses from other countries. He also recommends that wealth management firms make the extra effort to institute two-factor authentication, saying that when firms do so, “that takes cloud and account hacking so low it becomes almost insignificant.” He also said that in order to train employees, firms need to be strategic, because, “when you teach your employees in terms of layered security they fall asleep,” and recommends utilizing Sileo real-life scenarios and incentives to get the point across. “Reward your staff for not having a phishing incident,” Sileo also said, adding, “you’ve got to have it tied to positive metrics.
Sileo also thinks wealth management firms need to remain vigilant, saying, “You should not be ignoring [cybersecurity], even if you spent the whole last year thinking about it. You have to constantly be thinking about what you are doing.” The heightened awareness of cybercrime is also a great chance to add value to advisor/client relationships, because clients face their own cybersecurity issues. “Using this information to deepen client relationships is one of the best practices I have seen,” he said, adding that security is one of the most-requested education topics in the financial services industry. “They trust you more than they do their bankers, their credit cards and so forth. It’s a better source when it comes from you.” Even if advisors don't broach this topic with their clients, the should at least acknowledge what could be at stake. “When you are handling that wealth and personal information of your clients, you have to treat it like it’s your own and take it personally,” Sileo said.
More companies are hiring people without traditional experience for cybersecurity positions. There are currently about 300,000 jobs open in the cybersecurity sector, and The Wall Street Journal reports more companies are hiring people who don’t have traditional four-year degrees or experience to fill those positions. Schools such as Rochester Institute of Technology and SUNY Polytechnic Institute are establishing degree programs to better meet cybersecurity needs. Employers like Palo Alto Networks and IBM are also working with universities, cybersecurity competitions, and training programs to develop the talent needed for their cyber teams. Charles Henderson, Global Managing Partner and Head of X-Force Red at IBM, said his team of corporate hackers contains more music majors than people with degrees in cybersecurity.
In Idaho, more hospital employees are reporting phishing emails that are impersonating C-suite executives and fellow staff. A report by TV station KIDK call these phishing attempts “CEO scams” and said that Mountain View Hospital in Idaho Falls is among healthcare organizations that are training their staff to be able to detect when an email that appears to be coming from a CEO is actually a hacker.
“Just this last couple of weeks we've had some people try to connect into different areas of the company," said Shane Paynter, the director of information and security for Mountain View Hospital. He also said that hospitals and other health care locations have to be careful about protecting financial information but also health records and charting software on patients. "We have to be compliant with HIPAA (Health Insurance Portability and Accountability Act) and other compliance standards to make sure that we're in line," Paynter said. He stressed that hospitals, like Mountain View, need to work to ensure their IT departments are strong enough to handle the ransomware. "We have a lot of systems that detect good things from bad things, basically," Paynter said. "Then we encrypt our data so that it is locked."
Paynter reiterated that the most effective security system a hospital can rely on is its people. "You can have the best security systems there are but there is still a person involved that can be talked into helping these attackers do what they want you to do," he said. Training begins when an employee is hired and is ongoing. To keep training top of mind for employees, the hospital sends out occasional emails and puts up posters throughout buildings. Paynter has some solid advice for employees. "If you get an email, look at it and if it doesn't make sense, delete it. If it is legit, it can be sent again. If it's not, then you just saved yourself from a possible problem. His ultimate advice applies to any company or business, not just his hospital. "If it's already gotten past the email filters and the antivirus and everything else, the last line of defense is you," Paynter said.
You can’t afford to ignore your company’s cybersecurity. Contact Kobargo today to arrange a no-obligation consultation to delve into your IT system security and discuss ways to safeguard your organization in today’s increasingly dangerous digital world. Let our team show you how we can help increase productivity, decrease downtime and keep your customers and employees safe and happy.