GSX 2023: Experts Share How to Overcome Security's Weakest Links

Communicate Tech Changes with the IT Department

CEO Mike Saylor of Blackswan Cybersecurity shared clips Monday from the British sitcom The IT Crowd to highlight society’s view of IT professionals and the importance of communicating with that team. In his session, titled “Cybersecurity is Not Just an IT Problem,” Saylor stressed that the IT department should be kept in the loop about new technologies.

In talking specifically about the Internet of Things devices a company might use, whether for its HVAC system or automatic fish feeder, Saylor said, “Very rarely does the person who bought that to plug it in and make their job better think, ‘What risks did I just introduce? I just put that on our network. I should go talk to the IT guys.’”

All of these IoT technologies are collecting data, and many of them invite vulnerabilities into a business’s network. If the IT department doesn’t know about a new technology, they can’t manage and maintain it, patch it or configure it.

“We only call IT when things are broken and rarely look at them as forward-thinking,” Saylor said.

Not only do teams need to communicate with the IT department, they need processes in place for companywide communication to ensure companywide security. These processes and policies should come from the top down and, while they should start with training, Saylor shared a case study in his presentation that proved training alone isn’t enough.

LEARN MORE: Help employees defend against social engineering attacks.

Why Training Alone Does Not Prevent Effective Social Engineering

An East Coast-based healthcare organization had myriad security controls in place when a two-person crew compromised its physical facility and network. The company had IT controls such as network firewalls, vendor management and secured server rooms, as well as facilities controls that included badge access and monitoring, security guards, cameras, and guest escort requirements. It even required its employees to undergo regular security training.

Yet, in just days, 15,000 hard-copy patient records and 30,000 digital employee and patient records were stolen from the organization.

Video clips recorded by the perpetrators show how they were able to engineer a situation in which one individual was given a master key and a key fob to the building. Although safety measures were in place, processes weren’t followed in the face of the criminals’ lies and manipulation.

Click the banner below to learn how organizations are implementing zero trust architecture.

“Good best practices were not employed here that could have helped,” Saylor said. “So, how do you become proactive? You put somebody in that role who has good governance oversight capabilities. Talk to management about enterprise risk. Collaborate with IT.”

Working proactively, and reinforcing processes and their importance, is the only way to stay ahead of bad actors. These individuals prey on employees’ kindness, sense of urgency and any other vulnerability they can find.

Secure the Devices in Executives’ Personal Lives

Cybercriminals rarely take morals into consideration when looking for a payday. Roland Cloutier, the former chief security officer of TikTok, and Chris Pierson, the founder and CEO of BlackCloak, made this point repeatedly in their session “Attacking the Soft Spot at Companies —Your Executives' Personal Lives” on Monday.

The pair noted that bad actors are increasingly targeting executives in the home and on their personal accounts and devices. This is possible because of the massive amount of information available through social media and other avenues on the internet. Personal details can first be pulled from a company’s about us page biographies; real estate websites may still contain interior photos of executives’ homes; family members can be found through tags in online photographs.

The speakers noted that attacks against executives’ home networks are also becoming more common because “you have $500 million in cybersecurity at work, but you have $5 cybersecurity at home,” as Pierson explained it.

“The attack surface extends beyond the four walls of the company, beyond the computer networking company, beyond the corporate email and the company devices that go home,” he said. “This is why they’re targeted in their personal life.”

DIVE DEEPER: These services can help organizations implement zero trust.

Citing examples from their personal lives, Cloutier and Pierson spoke on how easily an IoT device connected to an executive’s home network can be compromised. Cloutier, who added that he has so many IP addresses that his home was reclassified from Class C to Class B, specifically called out his own pet feeder and smart refrigerator, among other common home technologies. These technologies, that work to make families’ lives easier, are also putting them at the most risk.

They encouraged IT administrators to work with executives to better secure their home networks. They mentioned reducing executives’ public exposure, implementing dual-factor authentication for important accounts, protecting all personal accounts with anti-malware and OS updates, and protecting their home networks and systems with frequent updates and vulnerability scans.