
Forum Gives Small Businesses Tips to Combat Cybersecurity Threats

Might the recurring data breaches plaguing one large retailer after another be a dress rehearsal for a catastrophic attack that could cripple, if not destroy, the United States and its critical infrastructure? The doomsday rhetoric presented by cybersecurity experts at an issue forum Thursday hosted by the Fairfax County Chamber of Commerce, while not so calamitous, served as a wake-up call to the enduring cybersecurity vulnerabilities.


“Right now, we are in no man’s land, as far as I’m concerned. I did not feel this way a year ago,” said Lisa J. Sotto, an attorney at Hunton & Williams and chairwoman of the firm’s global privacy and cybersecurity practice. “I was much more optimistic a year ago, and I’ve quickly become much more pessimistic about the landscape. Yes, we will figure it out, but I think it might take a good long time, and we may be very significantly damaged before we figure it out.”

Three panelists painted a bleak present-day assessment of cybersecurity at a forum hosted by the Fairfax County Chamber of Commerce. October is also Cyber Security Awareness Month.

“Right now, we are not winning. The bad guys are winning,” said panelist Jacob Norwood, operations director for Cyber4Sight, the cyberthreat intelligence service of Booz Allen Hamilton. “But we now have a whole generation raised on this stuff, and we have people who are finally really taking a look at it and realizing how big this is. … We’re going to start seeing the entire security industry start reacting to this problem very, very differently.

“I don’t know what that is yet,” Norwood continued. “I’m waiting for a Steve Jobs of cybersecurity. I’m waiting for some kind of cybersecurity messiah to come along with a grand new, really neat idea that is going to completely revolutionize cybersecurity, not just incrementally improve it.”

While small businesses have fewer resources to spend on shoring up defenses against cyber attacks, there are a number of free options that can greatly help, including open source products, blogs or white papers, Norwood suggested. “Because it is in the best interest for everyone who deals in cyberspace—which is now everyone—these things tend to be fairly secure for people to understand what the threats are,” he said. “It costs time, but it doesn’t cost any money to get a hold of a lot of this information. A lot of the stuff that comes out from firms that spend their time penetration testing, spend their time looking for vulnerabilities, is eventually published in order to gain notoriety [or] press for that firm, but it also means you get free access to that information. So you really just need to be paying attention.”

But some money must be invested, as evading cybersecurity plans no longer is an option. “The big guys won’t let you … be lax,” Sotto warned. “They’re now sending security questionnaires like crazy and requiring certain levels of security. It ceases to become a voluntary activity if you want to stay in business. You have to have a certain security level, and you have to spend money on it.”

Business owners also should be as familiar with the bare basics of information technology and information security as they are with other business aspects, advised Shawn Duffy, director of security services for FusionX LLC. “Just being familiar with IT on a fundamental level is just as vital to your business as learning bookkeeping or marketing.” 

The experts placed cybermarauders into three categories: the hacktivists on loose ideological missions to embarrass their targets; traditional hackers after data for financial gain; and the advanced persistent threat, or nation-state attackers going after systems for espionage purposes.

Some current safeguards are as simple as not opening malicious emails in phishing scams, the experts stated. “A lot of small companies are assuming ‘why would someone target me?’ … Truth is, some of it may be by chance,” Duffy said. “You might have a website that’s vulnerable to something and these guys will spend hours, countless hours, scanning the Internet and looking for something, for a foothold.”

Let common sense prevail, said Norwood, a veteran of the U.S. Army. While sending an email to a colleague in the next office might be easier, it might not be as smart as walking over and talking. “At the end of the day, the less stuff we’re trafficking back and forth across the Internet, the easier it is to know what it is that we are putting across the Internet.”

After spending years in the intelligence community working both in Eastern Europe and the Middle East, there is something to be said for doing things the old-fashioned way, he continued. “I would suspect that even now, if you work for the KGB or inside the Russian government, you carry everything by hand. You use wax seals on doors, ‘sneakernet’ to transfer information.

“To a certain degree, we almost need to go back to doing more stuff analog,” Norwood said. “That sounds like a terribly inefficient way to do business after all of the progress we’ve made. But it’s really, really effective and part of the reason that the Russians, in particular, have owned us in the intelligence sphere. … They’re willing to play the long game like that.”

Cybersecurity insurance is a valuable advantage, but an expensive one that is going to get more expensive, Sotto said.

“Post [the] Home Depot [security breach], the investigations that are going to be done on who is insurable are going to get much, much tougher,” she said. “This is, in fact, going to create an environment where companies are going to want to shore up their security efforts so that they can be insured for cybersecurity issues.”

Outsourcing some computing power to cloud-based services can be a viable option, but businesses must be smart about it, such as encrypting certain kinds of data and fully understanding contracts and provider protections, Duffy warned. “Make sure you’re comfortable giving that data over to them.”