Mar 02 2020

RSA 2020: Attendees Learn to Protect Their Organizations from Emerging Threats

Businesses are focusing more on their human workers as they seek to get an edge on threat actors.

RSA 2020 has come to an end, but IT security professionals will spend the rest of the year, and perhaps several years to come, striving to build on what they learned at the event to protect their networks with better defense systems and smarter security policies.

Here are some of the key themes that emerged in San Francisco at one of the biggest cybersecurity events of the year:

Keeping Employees Safe Is a Top Cybersecurity Priority

Businesses are clearly spending more time thinking about the security implications of their human workers, who simultaneously represent every business’s greatest security vulnerability and strongest untapped defense asset.

Building on the RSA 2020 theme of “The Human Element,” speakers took a deep dive into their tactics for gaining employee compliance with security protocols. For example, with its own workforce of more than 148,000, Microsoft deploys a variety of strategies, from gamification and documentation to redundant training, to ensure employees understand the company’s policies, are equipped to recognize and manage hackers’ phishing attempts, and are genuinely excited about helping the company stay safe.

“We have to get people interested in and motivated to do things differently,” said Ken Sexsmith, Microsoft’s director of security education, awareness and training. “And that’s what we’re doing at Microsoft. We’ve kind of changed the game when it comes to employee training.”

Data Security Compliance Is Getting Complex and Scary

As policymakers and plaintiffs’ lawyers take a greater interest in cybersecurity risk within businesses, the stakes keep rising for the professionals charged with protecting networks. For one thing, new laws around data privacy — first the European Union’s General Data Protection Regulation, and now the California Consumer Privacy Act, meant to be a U.S. answer to the GDPR — are affecting companies around the world. At RSA 2020, attendees, who numbered about 40,000, learned about how the GDPR and CCPA overlap and where they differ. Those violating either regulation could face steep fines.

Attendees were also admonished about their own personal liability in the event of a breach inside their organizations. It’s not unheard of for cybersecurity leaders to be fired, sued personally or even subjected to criminal penalties in the wake of a serious breach, said Aravind Swaminathan, global co-chair of the cyber, privacy and data innovation practice at Orrick, an international business law firm.

“The last place I want to visit you is a federal penitentiary,” Swaminathan said. “We are not talking about a theoretical possibility; we’re talking about a real possibility.” He said that CISOs and others at a similar corporate level “are taking a ton of risk” and need to work carefully through their potential personal exposure with their employers, with the goal of having their companies indemnify them against legal exposure to the extent possible and write them into insurance policies most companies maintain to protect senior executives.


Emerging Cyberthreats Demand More Comprehensive Security

Threat actors are getting more sophisticated at the same time that the threat surface — the number of hackable internet-exposed things — is growing. The result is a minefield of emerging technically complex risks mixed with hackers’ reliable old bag of tricks.

Voice fraud, for example, is an emerging threat in which criminals use artificial intelligence to mimic the voices of senior executives and customers in order to gain access to accounts and to fool employees into taking unsafe actions. Several businesses in the U.K. were robbed of millions last year by fraudsters who convinced financial executives to release funds to the criminals, according to Vijay Balasubramaniyan, CEO of Pindrop, a voice authentication and anti-fraud solutions company.

“We’ve seen as much as $17 million go out the door this way,” he told attendees, who wondered about the implications for their own efforts with voiceprint biometric security technology, which authenticates identity using voice. Balasubramaniyan argued that, used alongside other solutions, voiceprint solutions remain a viable option for businesses.

No wonder companies are taking greater interest in comprehensive cybersecurity frameworks like zero trust, in which people and devices are required to authenticate themselves repeatedly when they seek access to network services, even if they’re already on the network.

Microsoft CISO Bret Arsenault told a packed audience about the company’s zero-trust journey, which is ongoing. Key elements, he said, were its transition to multifactor authentication, something he said every business should pursue, and its requirement that all employee-used devices be managed by the company.

The latter required some careful communication, as not all employees are enthusiastic about providing employers with access to their personal devices. Microsoft offered to equip such workers with company devices, but only a handful took them; they didn’t want to carry around two phones, especially after the company explained exactly how it would use its access to employees’ own devices.

Still, Arsenault said, the company’s transition to zero trust has been as much a cultural shift as a technical one: “I can’t overestimate how much I underestimated that part of the job.”
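The zero-trust model described above, where every request is checked for multifactor authentication and a company-managed device regardless of whether the requester is already on the corporate network, can be illustrated with a small per-request policy evaluator. This is an added example, not Microsoft's code or any product's API; the request fields, reason strings and sample requests are constructed for illustration.

```python
"""Per-request zero-trust access decision (illustrative, not a vendor implementation)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessRequest:
    # Hypothetical request shape; field names are assumptions for this example.
    user: str
    resource: str
    mfa_verified: bool          # session completed multifactor authentication
    device_managed: bool        # device is enrolled in company management
    on_corporate_network: bool  # recorded for audit only; never grants access


def evaluate(req: AccessRequest) -> tuple[bool, str]:
    """Return (allowed, reason). Each request is judged from scratch: a prior
    success or a corporate network address carries no weight."""
    if not req.mfa_verified:
        return False, "deny: multifactor authentication required"
    if not req.device_managed:
        return False, "deny: device is not company-managed"
    return True, "allow: verified user on managed device"


def evaluate_session(requests: list[AccessRequest]) -> list[str]:
    """Evaluate a sequence of requests from one session independently and
    produce audit lines, so an earlier 'allow' never extends to later requests."""
    lines = []
    for req in requests:
        allowed, reason = evaluate(req)
        location = "on-net" if req.on_corporate_network else "off-net"
        lines.append(f"{req.user} -> {req.resource} [{location}] {reason}")
    return lines


# Constructed sample requests (not real traffic).
SAMPLE = [
    AccessRequest("alice", "payroll", True, True, False),    # off the network, fully verified
    AccessRequest("alice", "payroll", True, False, True),    # on the network, unmanaged laptop
    AccessRequest("bob", "source-repo", False, True, True),  # on the network, no MFA
]

if __name__ == "__main__":
    for line in evaluate_session(SAMPLE):
        print(line)
```

Run as a script, the second and third requests are denied even though both originate on the corporate network; only the first, from a verified user on a managed device, is allowed. The audit line per request is the part a detection team would ship to a SIEM, since a burst of "unmanaged device" denials from an on-net address is exactly the signal a zero-trust rollout is meant to surface.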
