Chris Pierson (right), Founder and CEO of BlackCloak, and Roland Cloutier (left), former Chief Security Officer of TikTok, present together at GSX 2023.

Sep 12 2023

GSX 2023: Experts Share How to Overcome Security's Weakest Links

Businesses are susceptible to cyberattacks and intrusions at the hands of people. From vulnerable personal accounts to social engineering schemes, here’s how organizations can thwart threats.

Security technologies are evolving as quickly as other subsects of tech, if not more so. Cybersecurity is rising to the challenges posed by threat actors, while new physical security systems incorporate cloud storage, artificial intelligence, automation and more emerging capabilities.

Yet, an organization can implement all of these new protections and still find itself vulnerable to attack. This is because a business’s security posture is only as strong as its people.

Speakers at GSX 2023 in Dallas shared the many ways that human behavior leaves organizations vulnerable. From an absence of communication to social engineering and poor personal cyber hygiene, businesses must find ways to manage their employees at every level to avoid breaches. 

Click the banner below to become an Insider and gain exclusive insights after GSX 2023.

Communicate Tech Changes with the IT Department

CEO Mike Saylor of Blackswan Cybersecurity shared clips Monday from the British sitcom The IT Crowd to highlight society’s view of IT professionals and the importance of communicating with that team. In his session, titled “Cybersecurity is Not Just an IT Problem,” Saylor stressed that the IT department should be kept in the loop about new technologies.

In talking specifically about the Internet of Things devices a company might use, whether for its HVAC system or automatic fish feeder, Saylor said, “Very rarely does the person who bought that to plug it in and make their job better think, ‘What risks did I just introduce? I just put that on our network. I should go talk to the IT guys.’”

All of these IoT technologies are collecting data, and many of them invite vulnerabilities into a business’s network. If the IT department doesn’t know about a new technology, they can’t manage and maintain it, patch it or configure it.

“We only call IT when things are broken and rarely look at them as forward-thinking,” Saylor said.

Not only do teams need to communicate with the IT department, they need processes in place for companywide communication to ensure companywide security. These processes and policies should come from the top down and, while they should start with training, Saylor shared a case study in his presentation that proved training alone isn’t enough.

LEARN MORE: Help employees defend against social engineering attacks.

Why Training Alone Does Not Prevent Effective Social Engineering

An East Coast-based healthcare organization had myriad security controls in place when a two-person crew compromised its physical facility and network. The company had IT controls such as network firewalls, vendor management and secured server rooms, as well as facilities controls that included badge access and monitoring, security guards, cameras, and guest escort requirements. It even required its employees to undergo regular security training.

Yet, in just days, 15,000 hard-copy patient records and 30,000 digital employee and patient records were stolen from the organization.

Video clips recorded by the perpetrators show how they were able to engineer a situation in which one individual was given a master key and a key fob to the building. Although safety measures were in place, processes weren’t followed in the face of the criminals’ lies and manipulation.

Click the banner below to learn how organizations are implementing zero trust architecture.

“Good best practices were not employed here that could have helped,” Saylor said. “So, how do you become proactive? You put somebody in that role who has good governance oversight capabilities. Talk to management about enterprise risk. Collaborate with IT.”

Working proactively, and reinforcing processes and their importance, is the only way to stay ahead of bad actors. These individuals prey on employees’ kindness, sense of urgency and any other vulnerability they can find.

Secure the Devices in Executives’ Personal Lives

Cybercriminals rarely take morals into consideration when looking for a payday. Roland Cloutier, the former chief security officer of TikTok, and Chris Pierson, the founder and CEO of BlackCloak, made this point repeatedly in their session “Attacking the Soft Spot at Companies —Your Executives' Personal Lives” on Monday.

The pair noted that bad actors are increasingly targeting executives in the home and on their personal accounts and devices. This is possible because of the massive amount of information available through social media and other avenues on the internet. Personal details can first be pulled from a company’s about us page biographies; real estate websites may still contain interior photos of executives’ homes; family members can be found through tags in online photographs.

The speakers noted that attacks against executives’ home networks are also becoming more common because “you have $500 million in cybersecurity at work, but you have $5 cybersecurity at home,” as Pierson explained it.

“The attack surface extends beyond the four walls of the company, beyond the computer networking company, beyond the corporate email and the company devices that go home,” he said. “This is why they’re targeted in their personal life.”

DIVE DEEPER: These services can help organizations implement zero trust.

Citing examples from their personal lives, Cloutier and Pierson spoke on how easily an IoT device connected to an executive’s home network can be compromised. Cloutier, who added that he has so many IP addresses that his home was reclassified from Class C to Class B, specifically called out his own pet feeder and smart refrigerator, among other common home technologies. These technologies, that work to make families’ lives easier, are also putting them at the most risk.

They encouraged IT administrators to work with executives to better secure their home networks. They mentioned reducing executives’ public exposure, implementing dual-factor authentication for important accounts, protecting all personal accounts with anti-malware and OS updates, and protecting their home networks and systems with frequent updates and vulnerability scans.

Photography by Rebecca Torchia, Courtesy of GSX

Become an Insider

Unlock white papers, personalized recommendations and other premium content for an in-depth look at evolving IT