Cybersecurity investments are set to soar in the next few years, and there are plenty of reasons why. As smart cities evolve and more devices get connected to the Internet of Things, the threat vectors across the country multiply.
According to IDC, worldwide revenues for security-related hardware, software and services will grow to $101.6 billion in 2020, up from $73.7 billion in 2016. That’s in line with a similar forecast from Gartner, which expects spending on information security products and services to reach $86.4 billion in 2017 and $93 billion in 2018.
Speakers at a recent panel discussion held during the Chicago Ideas Week festival, “Hacking our Defenses: The Future of Cybersecurity,” laid out four things organizations can do to enhance their cybersecurity posture. To stay ahead of malicious actors, the panelists said, organizations should practice better cyber hygiene, work with outside experts to test their vulnerabilities, think about threats from emerging technologies and hire more IT security talent.
Sometimes, organizations unintentionally make themselves less secure. For example, in February 2016, Hollywood Presbyterian Medical Center was hit with a ransomware attack that took down the hospital’s computer systems for a week and reportedly forced ambulances to be diverted to other hospitals. The hospital eventually paid $17,000 worth of bitcoin and got access to its systems, which may have been compromised by an employee who clicked on an email link.
“Even without malicious intent, we are on borrowed time,” said Joshua Corman, co-founder of I Am The Cavalry, a grassroots organization focused on where computer security intersects with medical devices, automobiles, home electronics and public infrastructure.
Yet the future isn’t all bleak. “For every one nefarious bad guy, there are hundreds of individuals who spend every moment of their day to maintain safety and security,” said Natalie Vanatta, a cyber research scientist and assistant professor at the Army Cyber Institute.
Here are the four keys the panelists laid out to improve cybersecurity:
1. Practice Basic Cybersecurity Hygiene
Most hacks don’t require sophisticated tools and skills, said Nicholas Percoco, CISO of data analytics startup Uptake. Often, they result from weak password security and poor software patch management.
“Every time there is a security update it is vitally important that you update your phones and computers to maintain your safety and security,” said Percoco, who also founded THOTCON, the annual hacking and security conference.
Panelists said users should consider using multi-factor authentication for the most important data and apps as well as a password manager. Organizations should never buy an IoT device that isn’t patchable, Corman said, since any connected device is potentially exposed to hackers.
Finally, the panelists said users should be careful what they share on social media, as that information can be used to target those in your digital network. Vanatta said organizations should teach younger generations to understand the consequences of risky online behavior, just as they do for the physical world.
2. Recruit a Cyber Red Team
Organizations need to employ more red teams, which are independent groups that challenge an organization to improve its effectiveness, often by providing “alternative analysis” that questions an organization’s assumptions and policies. Every senior leader likes to say their members are encouraged to think divergently and critically about the organization and voice dissent, explained panelist Micah Zenko, a senior fellow at Chatham House. Yet Zenko noted that mavericks are often hunted down and killed. People know this, which is why groupthink is so pervasive.
“You can't grade your own homework,” said Zenko, author of Red Team: How to Succeed by Thinking Like the Enemy. “There are systemic risks that you face. You have no idea what they are, and on your own you will not find them.”
Therefore, every organization should recruit a red team that will counteract its command climate (i.e., management in the corner office), challenge conventions and assume the adversarial perspective. In other words, because organizations can’t abolish their cognitive biases and can’t see their security blind spots, they should hire outside people who can.
3. Think About Future Tech Trends
In the future, a host of devices and machines will continuously influence each other, explained Vanatta, who examines technology in society today to determine how it will evolve and affect us in the future. Vanatta said organizations should ask how they will want to use technology in the future and what kinds of threats will manifest themselves as a result. Her team envisions the steps an organization can take now to prevent those kinds of vulnerabilities.
For example, supply chain management departments should explore risk management strategies as they automate systems, and should consider what kinds of opportunities hackers will have as they rely on fewer human controls.
Cisco Systems has taken some of what Vanatta’s team does and incorporated it into its Hyperinnovation Living Labs. Forecasting threats will require academia, industry, nonprofit think tanks and governments to work together to craft a body of knowledge to thwart malicious cybercrime.
4. Be the Calvary by Hiring Cybersecurity Talent
In the wake of a cyberattack, “if the calvary isn't coming, that is both demoralizing and empowering,” Corman said. “If you know there is no one to save you, it falls to you.”
Organizations should hire more qualified IT security personnel. “Our dependence on connected technology has grown a lot faster than our ability to secure it,” Corman said. “There are more janitors than full-time qualified IT security personnel employed in hospitals.”
Organizations need to learn from failures, assume vulnerability and take preventative action, the group recommends.
And don’t forget, Corman adds, “With great connectivity comes great responsibilities.”