Lesson 4: Everything Has Value
Another challenge of cybersecurity is that criminals can find value in the most unexpected places, Elazari said.
In 2017, for instance, customers who logged in to the free Wi-Fi at a Starbucks in Argentina unknowingly fell victim to a hacker who had planted JavaScript code that used their computers to mine cryptocurrency, she said. Tesla suffered a similar attack on its public cloud.
Of note, she said, is that these types of attacks are often possible simply because someone made a mistake in a security configuration.
Such misconfigurations are exactly the type of weakness catalogued in the OWASP Top 10, a list of the most common application security risks that includes issues such as broken access control and insufficient logging.
If audience members went back and reviewed their organizations against OWASP’s Top 10, Elazari said, “I’m absolutely certain … you will find some issues that correspond with this list.”
In addition to the financial losses that follow a breach’s impact on the business, companies may be subject to regulatory fines, a trend that Elazari predicted is likely to continue.
“This is a new phenomenon,” she said. “When I say everything has value, security issues now have a new cost associated with them. Regulators are a lot more empowered to put on these incredibly big fines, so that is another type of value we have to think about when we think about data and how to protect it.”
California’s Consumer Privacy Act, for example, allows for statutory damages for consumers who are compromised as a result of a company’s “violation of the duty to implement and maintain reasonable security procedures and practices.”
Lesson 5: Automation and Innovation
Finally, said Elazari, IT leaders must be aware that hackers are just as focused on improving their game as companies are.
“Automation and innovation are not just big buzzwords,” she said. “They’re also the hackers’ best friends.”
With WannaMine, for example, a hacker repurposed existing ransomware to create new cryptocurrency-mining malware.
“That’s the type of innovation you can see in the criminal underground,” said Elazari.
Like every other industry, the hacking field finds new ways to use technology for its own ends, from more sophisticated social engineering scams to the use of deepfake voices to supply fraudulent verbal confirmation, turning an established security safeguard on its head.
“If there is a clever app for a new technology, be assured a criminal will find it first,” said Elazari.
The race to fight these evolving threats is complicated by the limited pool of available talent with the necessary skill sets.
One antidote to these challenges is to empower staff at all levels to see themselves as the front lines of defense.
“We make hundreds of security decisions every day,” Elazari said: recycling a password, clicking a link, downloading an application or ignoring a security update. “The people who work for you make hundreds of security decisions every day … These decisions will shape our future.”
Read articles and check out videos from BizTech’s coverage of the CDW IT Leadership SummIT here.