Protecting your organization from cyberthreats has never been more important—or more difficult.
IT pros have many tactics to choose from, but time (and budgets!) are not unlimited. The key is prioritizing risks and identifying the most effective ways to mitigate the danger.
In 2018, HelpSystems surveyed more than 600 IT and cybersecurity professionals to find out what security exploits loom largest and what strategies they’re turning to for protection.
In this on-demand webinar, our team of cybersecurity security experts analyzes results. You’ll learn about:
- Security strategies your peers are most interested in implementing
- How managers and executives prioritize security
- Who is responsible for cybersecurity at organizations around the world
- Where IT pros turn for assistance with security
You'll also get practical tips for using this data to drive cybersecurity conversations at your organization.
Robin Tatam: Well, hi everybody welcome to our session today on the survey results out of our 2018 cybersecurity risks and mitigation strategies survey. A bit of a mouthful there, but lots of valuable information that we'd like to share with you today. My name is Robin Tatam. I'm the director of Security Technologies here at HelpSystems and I'm going to be the moderator on today's session. It's certainly my distinct pleasure to be joined by a number of panelists here which I'm going to hand over to you guys. We can do a quick introduction, let everybody know who you are, what you do. I'll try to get Dan added back in here and then now we'll jump into some of the results and information about the survey. Bob let's start with you.
Bob Erdman: Thanks Robin. My name is Bob Erdman. I am the security product manager here at HelpSystems. In that role, I am the interface between our customers and our developers to try and make products that help their businesses function better that they love. I'm heavily involved in our Linux, UNIX, and AIX security business as well as some IBM i Power Systems. I've been doing this for about 20 years, very focused on actually healthcare and Department of Defense Federal Government.
Robin Tatam: Yeah, very distinct areas, but challenged nonetheless with most lot of security threats. Thanks Bob and David say hi here.
David Dingwall: Hi, I'm David Dingwall. I've been in the cybersecurity business now for more than 30 years. My area of focus is primarily these days around trends and strategy working with our larger customers, our partners, and the analysts who measure the cybersecurity space. I actually spend a lot of time talking to the business side of our customers rather than just the technologists because their pressures and challenges are a little different and at the moment, my responsibility areas is very much like Bob's around the UNIX, Linux, and windows flat film space with various cybersecurity for solutions.
Robin Tatam: Sounds good and certainly we're happy to have you here David and appreciate you joining us. I know you're a few hours ahead of us here, but I think your expertise is going to be invaluable as we dive into some of the conversation here, and I don't see them on yet, but Dan is going to hopefully be joining us here in the next few minutes. He's a senior solutions consultant for HelpSystems and also has a number of years of expertise that I think would provide some value here. We wanted to get him included and we'll continue to try to do that.
Robin Tatam: My agenda listed here today is to talk just a moment about the methodology that we used with regards to collecting the data that we're going to talk about, and then of course we want to get into some of the risks especially the top risk, the top challenges as well as the top mitigation strategies. We're going to focus on just a smaller portion of the overall survey, so that you can get some insight into some of the discussion areas that we engaged in and if you would like to weigh in as well, we're going to have a few polls as we go through. That gives you an opportunity if you would like to give us, so be back about whether you agree or disagree with the challenges that we're talking about based on the survey results.
Robin Tatam: That's also a way that you can post questions to us that we'll answer at the end. We're going to talk about some of the implications of these things in terms of compliance and then we're just going to wrap up with just some simple information about HelpSystems and how we're helping our customer base work through both the challenges in the mitigation process in order to make sure that they have good security practices in play. The survey itself was conducted through the first quarter of 2018. It was just very recently published and it involves 670 responses provided by an online survey. This has been compiled into a report.
Robin Tatam: You're welcome to take back us to that, but we're going to talk as I said about the top key takeaways from that report and give some insight because of course nothing is right or wrong in this conversation. This is simply people's opinion and their experiences within their own organizations, their own industries, their own geographies, and certainly we want to understand what you guys are doing, but also provide that feedback about what's happening in the greater world picture. From a demographic perspective, Bob we certainly saw a lot of variance here across the different industries. Any takeaways that you have here?
Robin Tatam: I know from myself obviously, we see a pretty disparate range here, but is there anything specific about any particular industry that we see or how do you feel about the spread of data here?
Bob Erdman: I think we've got some really good data having a large cross-section of different industries and different size companies as well that responded to our survey here. Definitely leading towards people that have regulatory impacts on their business, so government, public sector, banking financial healthcare. I think it was a great mix.
Robin Tatam: Yup, I agree. David any insight from a European perspective as to whether you are seeing more interest in different demographic areas than others or is this a pretty wide spread industry independent type of challenge? David you're still with us? All right. Well, we'll assume that it is a widespread challenge internationally. Certainly on the domestic side here in the US, this is something that we run into in virtually every industry vertical. When we do look at the demographics by job title and geography, you can see here the spread of the responses to the survey were certainly heaviest in North and Latin America.
Robin Tatam: That may comprise the vast majority of responses, but I think from in Asia and a European perspective, even the Caribbean, there was definitely good responses here and we'll continue to try to grow that and get the word out about people's feedback being valuable and hopefully as we move forward and do additional surveys, we'll continue to spread the love across the geographies as well. From a position perspective, administrators up through analysts, we did have of course a lot of IT managers and directors who were responding which is great. It's definitely interesting to sometimes see the differences between the folks that are in the trenches at the technology level and those that are the decision-makers.
Robin Tatam: Obviously the CISO is a relatively new type of position and it was good to have over 10% responses coming from those C level executives. Again, Bob anything that you feel here that stood out from a data perspective? It looks like more in the blue than the orange, but any takeaways from the breakdown?
Bob Erdman: I think it's great to see the number of responses we get from C level, director level type senior management within these organizations. If people have tried this before, they will know if you do not have buy-in from your executive levels when you go out to do a security project to implement things that generally are going to force controls upon people, it's really tough to get anything done within your companies.
Robin Tatam: Yeah, yeah, absolutely and it looks like there maybe Dan is with us now. Dan, I'm going to put you on the spot just for coming on late here and we're going to say from your effective when we look at the responses coming in from these surveys, any conversations you have with customers or any takeaways that you have with regards to the challenges? Are they the same at the trenches level as they are as the C-suite level? Is there a disconnect there in any degree?
Dan Freeman: Well, I definitely think the people that are in the trenches are the ones that are seeing the disparages where they definitely need the tools that they need to have to prevent certain types of breaches that do happen and having them trying to translate that up to the C level staff. Sometimes there is going to be that disconnect. I will say getting maybe a little head of ourselves on the GDPR, it was nice to see that they do put that as a requirement that they must have C level support because having that C level support is going to be make all the difference in the world because if you have that support and have that buy-in from the C level staff, it'll trickle on down probably most importantly at the financial level.
Robin Tatam: Yeah, absolutely. I agree one of the big challenges I think and like you say we'll talk more about this, but one of the challenges always when we talk to customers, especially at the administrator or analyst level is of course getting that buy-in from the C managers to be able to justify movement in this space. One of the questions we asked the survey participants was, which of the following security exploitation do you perceive as most concerning in 2018 and what we've done is ranked the top five here and you can see them listed of course. Bob why don't you talk to us a little bit about ransomware? This is the number one issue, at least the perceived issue for people. What's evolved here? What's going on in that space?
Bob Erdman: I don't think it's just the perceived number one issue. I really think this is the number one issue that people are having today. Ransomware, data breaches, they're continually in the news, they're on the top of everybody's mind and generally they make a pretty big splash where everybody's paying attention to them and phishing right behind it is no surprise because the majority of these attacks, the breaches begin with some type of phishing email that gets them a foothold in the organization when they can now go out and propagate their malware and it leads us into that fourth bullet as well as the system misconfigurations.
Bob Erdman: Once they make that entry point, if they don't have a good control of your systems and your processes and your network, it makes it a lot easier for these attackers to spread themselves around and get to that data that they're looking for. They all tie together as you implement your security program, but number one and number two, that's what we see the last few years now is phishing as an entry point into your systems and then they can spread that malware around.
Robin Tatam: It seems like the phishing attacks have certainly become more focused and more intelligent. I think we all laughed about the the option of getting a million dollars from some African prints and it just seemed so outlandish and crazy that you couldn't imagine anybody ever falling for that type of attack, but it seems to me that it's become much more focused to the grammatical errors that have disappeared for the most part that always pointed us to the idea that this was not a legitimate email, and the idea that we're actually now using information that is perhaps obtained during one breach to leverage in order to try to generate a secondary or additional breaches based on that intelligence that's been gathered.
Robin Tatam: From my perspective certainly, I think that's one of the takeaways in the phishing side is we have to be a lot smarter about this and a big part of that is really employees being educated in how these threats do come at them. I'm going to open up a poll here while we're talking. I'm just curious whether you guys internally have some type of formal security and privacy training program. I'm going to open this poll here. Feel free to want to jump in and give us your opinion. We'll share that with you. We'll just give you a few seconds here to answer that, but in the meantime, let's continue to talk here. What about unsecured file transfers, is that something that you guys are doing? Are you transferring data in the clear? Dan what do you see in that space?
Dan Freeman: Yeah. Well, we're looking at these five as being the most perceives concerns for 2018. If you actually look at like their Verizon data breach investigative report, it did show that four of the top five were due to user error or misconfiguration of processes, which I think ties into a lot of these, not only just the unsecured file transfers, but it's getting to the point where we really need to automate as much as possible to take the onus out of the employees or users' hands. It could really help reduce a lot of those breaches that are occurring each year in, year out.
Dan Freeman: Not only that, when we talk about the unsecured file transfers, maybe not using the appropriate or current strong cipher or algorithm technologies to transfer that data and leaving ourselves open to vulnerable or stolen passwords, which by the way according to the Verizon DVR, that was the number one reason or actor for breaches in 2017. Not just the file transfer process itself, but also where we landing these files when we do put them maybe in the DMZ or staging area or exposure can be even at a higher risk and potentially file is not being encrypted at rest. A lot of things to consider when building your processes and means for transferring this sensitive information.
Robin Tatam: Yeah, I would agree. I know I talked to a lot of customers about transfer of data and of course having data encrypted at rest is always arguably one of the best choices, but at least dating in flight being protected is important. I think many times I hear from customers, but the data we're transferring is not sensitive. We're not hung up on the fact that there's anything contained within that particular database that potentially would cause issues, but plenty instances they forget that the entire connection is visible and that may include those credentials, the all-important credentials to the server as well. I think that's a great point.
Dan Freeman: Yeah. You know what, another point. Just real quick action in that point. I think it's a good point to bring up when people think that information really isn't that important and I ask people maybe your Gmail account or something attacked and you don't really care because it's just a junk email account, but I also turn around asked the exact same question how many people rotate passwords. A lot of people use the exact same passwords they do for their Gmail account that's not important than for their banking account or their network login. Just again to your point, it might not seem like it's very important, but a lot of times I think people rotate passwords and it can be something very, very important when they're doing data guessing and getting control of those weak passwords.
Robin Tatam: Yeah, I couldn't agree more and infrequent or I should say perhaps frequent recycling of passwords using them in multiple sizes is definitely something that is accredited to many data breaches. When we think about Pinterest or Facebook or perhaps semi-innocuous websites that have been breached and we don't link a correlation to that to our online banking or our corporate VPN, and the reality is from those at least end-users, we find that that password it is unified across that entire infrastructure. Well, speaking of credentials, then I guess David talk to us a little bit about the interpretation of those credentials being stolen or of course the age-old argument about them simply not being strong enough. What is a strong credential and how is this being exploited in 2018?
David Dingwall: Well, it's surprisingly how little has changed for all the security surveys that been carried out in the last 20 years. Weakened stolen credentials has been in the top three consistently year in, year out and as a vendor or as a supplier side, to some extent it's a bit depressing that people don't actually take the effort or the organizations they operate with don't do more strict enforcement to make sure things like passwords or other credentials that people use are complex enough, the rules are in place to make sure that the credentials that people use to sign in to applications and systems aren't strong enough.
David Dingwall: It's not as if the technology doesn't exist to do that kind of basic enforcement with just a fair amount of ... Well, I think the UK word would be shoddy practice and a fair amount of laziness. Now what's interesting is of course there's been lots of changes with market regulations and data privacy laws all around the world that's going to force us all as individuals and as organizations to be more stringent to do password renewals, to make sure the other credentials that we use have life cycles and they are also renewed and refreshed. I'm very interested to see what the equivalent surveys over the next two or three years is going to look like because I think we're going to start to see some changes because our legislators are forcing us to make those changes.
David Dingwall: I think finally the shoe has finally dropped. Weak passwords, weak credentials is something that's just going to be seen as unacceptable from a business perspective, but we talked about that a little bit more further on in the session. I think though Bob has a couple of comments about maybe some of the other unintended consequences, but some of the tools that are IT operations and development teams are using at the moment. Bob?
Bob Erdman: Well, I definitely would certainly like to mention that not all of these credentials are really being stolen so much as sometimes that is being given away with a lot of these cloud enablement devops business enablement type of tools. We're seeing many times that people are simply inadvertently or on purpose uploading their credential that's right up to these tools and they're being discovered by people across the internet. We saw a flurry last year of GitHub issues where developers would erroneously upload a set of credentials into their cloud environments or their development systems right at the GitHub where people are finding them and using them to attack companies.
Bob Erdman: Lately we've seen that same type of effect happening inside of Trello, another popular project management development management tool where people are creating buckets essentially to share within their team's credential sets to make it easier to do business. It's hard for me to get around IT. I'm just going to create my own way to get around IT. We see it happen all the time with shadow IT, but then they're opening these things up to the public internet by mistake and people are again just going on google searching around, finding somebody's credential set, using it to compromise company systems. We have to be very careful about how we educate our users to do things in a secure manner, not to go around IT.
Bob Erdman: Let's make our processes work for a business rather than a business going around our processes.
Robin Tatam: Yeah, absolutely. All right. Well, I think one of the feedback items I've gotten from the poll is that the vast majority of people at least in this conversation do have some type of formalized security and privacy training program which is fantastic because many times that is the differentiator between users who are opting to do as little as humanly possible in order to support the best practices internally in the organization, but at least the savvy to the idea of an email comes in, you don't just immediately click the link or open the attachment and many of us I think take that for granted, but there are so many that do.
Robin Tatam: When it comes to those very spear phishing type attack, some of them are so convincing, it's easy to do and there are ways to teach your users to perhaps not open those doors and expose because ultimately, the human is the weak link in this chain and the technology is only as good as the people that are implementing it, maintaining it, and of course utilizing it. Next question, when it comes to securing the organization against these types of threats, what's the biggest challenge you're facing, and I think it's quite interesting here when we look on the left, we see that 65% of the respondents indicated that their biggest challenge was a balance between implementing good cybersecurity controls in an essence, not breaking stuff, right?
Robin Tatam: That seems to be the biggest fear. We're going to slow people down, we're going to prevent them from doing their job or we've got to make them jump through hoops in order to do what they need to do. I know in my interactions especially at the applications security layer, there is great concern that if we tighten the screws down too far, all of a sudden we're going to spend more time troubleshooting or the perceived threat of cybersecurity breaches or downtime that may come as a response to that, it is a maybe. You and I know that of course it's a pretty high probability, but it's still a maybe where if I break the application, it's an absolute given that that application now is not going to be doing what it needs to do.
Robin Tatam: We've got to find that balance and this aligns closely with a marketplace survey that HelpSystems did on the IBM I platform, the IBM Power Systems platform just recently as well where rolling security, the next greatest concern was this balancing act between the two here. Well, what do you guys think else wise here? We've got insufficient cybersecurity skills. Is that going to be a long-term problem? Is that something that's being addressed? Do we see this getting under control because we've been talking about a shortfall in skilled resources for a long time. Are we making any headway in that regard? Bob do you have any thoughts on that?
Bob Erdman: Well, we see more and more people joining that field from the college age and the coming out of high school and everything, but all the projections that I'm still seeing or that we are going to have a shortfall for at least a few years to come if not indefinitely because the challenges keep getting bigger. It's not a one-step process. I can go out and buy more storage, put in my storage rack and programs pretty much done now until I ran out of storage. Security is continuous process because the attackers are continually hitting us, so it's an ongoing operational thing that you have to deal with.
Robin Tatam: Yeah, and hitting us in different ways of course is an evolution. David do you have any thoughts in this space from a European perspective? Is there still a skill shortage there as well? I mean certainly in the US, we acknowledge there is, but is this a worldwide issue?
David Dingwall: It's definitely a worldwide issue. I think the Linux foundation started the analysis of what the shortfall was. Even for basic system administration skills, administrators, there's a worldwide shortage of something like 50%. Regardless of how many graduates the universities and colleges are turning out, there's double the demand. For people who have cybersecurity life cycle experience or something like an 80% shortfall worldwide, which means that throwing people at the problem and training people sadly is not going to solve the problem. We need to start thinking about doing something different, and that will come in to some of the discussions we have in a bit about the need and demand for policy in cybersecurity tools and frameworks that people set up in their infrastructure.
David Dingwall: Taking people out of the equation, I think it's fair to say the business teams in the past have seen cybersecurity as hugely people intensive. People setting up what they now call security operation centers, is still very much driven by a very specialized staff with a very deep security experience. If some of those people leave, they now put your whole business at risk. There needs to be some other way of capturing the security requirements, security policy, and keeping the operational business going at the same time. It swings back to the balance, the first number that we have on this slide as well.
Robin Tatam: Yeah, thank you. No conversation can ever be complete about any type of technology challenge where that has its own discussion around money, right? At the end of the day, nothing's free. It either comes with a cost associated with the resources, associated with some particular task or action or the cost of tools or technology in order to do that and it just simply seems like there's never enough money to go around and the 44% here that responded to that what is there their biggest challenge. Lack of budget is very interesting to me because as you're going to see in just a moment, this has a disconnect with another element that we're going to talk about.
Robin Tatam: I want to keep this in the back of your minds here as we move forward. Bob mentioned the constant changing of the threats that are coming at us, the evolution from the standard ransomware and into ransomware that has warm technology so it can spread was something that was really rammed home in 2017 when we still want to cry and another number of other variants that very efficiently and swiftly spread that infection around the world and quite honestly, we were very lucky that it was not more impactful than it was, but the evolution of those threats is something that we've got to be keeping an eye out for and it appears to be a challenge that you guys are struggling with as well.
Robin Tatam: No real big surprise there. Not only other threats evolving, but the technology is too. How many of us were looking at cloud 15 years ago, how many of us had mobile devices 20, 30 years ago? Next to none. Even in our own backyard, we have to look at how this technology is now being implemented or deployed in perhaps how even the modern technology has changed its MO over recent years. Of course cloud seems to be on everybody's mind. That's the technology that I think again has percolated up quickly, whether it's a public cloud or private cloud. That is definitely something that seems to be on the minds of the respondents here. Lack of buy in from management. Now this aligns to the budget side.
Robin Tatam: If I'm struggling with the idea that my management doesn't see the value in securing the environment, they're obviously not going to dedicate any type of funding to that, but again those two I want you to keep in mind now when we talk a little bit later as a perception that is related to that. Without regulations, you guys see? I mean certainly here in the US, we have what seems like an endless round of regulations that typically are born after some type of massive breach or mismanagement functions, so we try to make sure it never happens again. Obviously the EU was in the 11th hour here when it comes to adherence to the new GDPR on May 25th, and that's going to be extremely impactful not only in the EU, but also in other parts of the world and I'm very hopefully have asked in a play out.
Robin Tatam: A lot of folks seeming to struggle with staying on top of these regulations. Any anybody have any thoughts with regards to the particular, to the government regulation, industry regulation or is it just the idea of somebody looking over our shoulder that we're challenged with?
David Dingwall: I think most businesses operate in more than one geography, more than one country, more than one continent. I think the fact of our business lives now is we are operating our business against multiple concurrent regulatory environments. It's not just focusing on the hot one at the moment. You need to keep complying with SOX, you need to keep complying with PCI. They're now part of business as usual. Yes, we need to get GDPR up and running, but around the world, there's another 31 data protection laws that have been signed onto the books in the last three years. You need to be sure that you're being compliant in all the geographies and all the countries and under each legal system, especially from a reporting and feedback perspective if something goes wrong.
David Dingwall: Feedback times and report requirements under different regulatory environments can be quite intensive and that's directly focused on the management and executive level, not the IT and operations security team.
Robin Tatam: Sure, absolutely and I think the other thing I know with the conversations I have, one of the big challenges at least from an IT level is most of these regulations are not IT centric. They're obviously built on frameworks that give us some more direction as to how we implement the controls, but a lot of times the struggle seems to be that it's a different language. It's talking about business process, it's talking high-level, and if it was just a matter of somebody saying this is how your system should be set, I think people would be able to follow it a lot more easily than they currently seem to be able to, and that seems to be a worldwide challenge as well.
Robin Tatam: It's just that them and us mindset and really no synergy between the two. Let's talk about cloud. Bob you spend a lot of time working with customers in cloud environments, what do we seeing here? First of all, are people using the cloud? Is this something that is being oversold as the next technology or is this something that is heavily utilized today and how many people are doing internal cloud versus public cloud? What do you see?
Bob Erdman: Well, I think as we can see from the survey, there's a large percentage of people that have now moved into some cloud access. What we've seen here was 70% of the people reported that they have some part of their business in the cloud, hybrid cloud model as we call it. You have on-premise equipment, you have cloud equipment. I suspect that number is actually quite a bit higher when you factor in the shadow IT that different people and departments are doing within their organizations. We see it quite often.
Bob Erdman: People have an Amazon account for example for their business and they think everything's under it, but as other departments have gone around and spun up their own little projects to do things, they split up their own little Amazon accounts and they're expensing them through and you may not see those in your IT infrastructure. Being able to discover and properly monitor and manage all of the cloud accesses to your systems is a big deal because if they're not following the controls that IT has set when they've done their own little projects, you've now opened to get hold into your environment that malicious attackers will find and utilize.
Robin Tatam: I sent them we keep questions until the end, but a question just popped off which I think is pertinent and maybe you can address it now which is, is the cloud secure and from my perspective, certainly it's like anything else. The cloud isn't one thing, so it doesn't mean that because I'm in the cloud, I'm not secure or I am secure. It's certainly the implementation of that technology. As a general statement, should there be concerns with going to the cloud or is it just that they're different concerns perhaps than if we're managing our technology on prem?
Bob Erdman: I think it would definitely stated that the cloud can be secure. Very often what happens is people just put things up in the cloud and they assume that the cloud provider is taking care of all the security, and generally that's not really the case. As you move across the different service models, things that are more infrastructure-as-a-service, so Amazon or Azure is just giving you a big platform to spin up compute nodes. That's mostly the users' responsibility to secure those nodes, so Amazon and Azure and everybody, they have great business security in their buildings.
Bob Erdman: They are protecting the edge of the network, but once it gets down to your resources, what they call the shared security model, you are responsible for what you've installed, how you've patched it, and what you've done to protect your data on it. That's where we see a lot of the breaches is people open things up to the world by accident. The tools exists, the OSs can be hardened, but they have to be hardened just like they were on premise.
Robin Tatam: Yeah, absolutely and accidental disclosure and misconfiguration continues to lead the way in causes of data breaches. and I'm sure that's no different regardless of where the server is located. Thanks for the question. Hopefully that addresses it, but really it ultimately comes down to it can be both and it is a different based on how that configuration is enacted. I open up a poll and I'll share that with you here. We'll just give you a few seconds to wrap that up, but it looks like the winner is misconfiguration, so the perception is actually true.
Robin Tatam: Misconfiguration of servers especially in the cloud but anywhere is responsible for a lot of accidental disclosures and malicious breaches of making sure that our systems also figured directly and that the users are given the appropriate amount of access is definitely ultimately going to make a big difference between whether you are as secure as you can be and whether you are open to abuse here. Let me post that out just for those of you. I appreciate the feedback and we want to share that with you. Here's the statistic I wanted to talk about and when I said let's hold off thinking about budget. Now what's interesting is 44% of top things that they have struggle with primarily the lack of funding.
Robin Tatam: We also see that 24% they have struggled with lack of management buy-in. When it comes to the importance that management is applying to cybersecurity initiatives within the organization, we see that literally everybody thinks it's important to some degree, whether we start with almost a third being moderately important, but the lion's share either very important or extremely important is really interesting to me because A, we have to think about the fact that C level managers and the board of directors, these cybersecurity of an extremely important if not very important threat against us and what we should be doing to resolve it, and yet the interpretation is almost half of the respondents indicated that lack of funding was their biggest struggle.
Robin Tatam: There's definitely a disconnect there and if you have thoughts on this, use the chat window. Let us know and of what you see in your organization if you're willing to share because to me, I don't have a great explanation for this. I don't know if any of the other panel members have thoughts as to why we see cybersecurity as such a critical initiative, but then the folks that are the ones with the boots on the ground are simply seeing insufficient funding to implement the necessary controls. Is it a struggle with the amount that needs to be done? Hey, we know it's important, but it just seems like it's an endless pit of money and resources. Any thoughts on why there's a disconnect might be going on?
Bob Erdman: I think it's just the prevalence of all the breaches that are in the news all the time. That's why you're seeing the responses of it being very important, but when it comes down to it, I think it's human nature that that's not really going to happen to me, maybe that's why they pull back and you don't see that ROI. It's not like it's a hard result when you put in millions of dollars to protect yourself from getting breached. You don't really see that ROI I guess physically and maybe that's what's going on. They just don't see themselves as being the victim or potentially being the victim.
Bob Erdman: They know it's important because they see it out there and they don't want to be on the front page, but yeah when it comes down to it and they see those dollars and how much it might be, and maybe they just don't put up the money until you get slapped in the face with something. I think that might be part of it.
Robin Tatam: Yeah, sure. It's that translation between security risk into financial risk. It's like insurance too. There's no reception I think, some type of breach fatigue as well as where do we dedicate these funds too, is if everybody tells us it's not a matter of if but when that we're going to get breached, and what we do is really not going to stop the criminals, do we reallocate that funding into breach response versus breach protection in the first place, and certainly that risk of fatigue in that regard is definitely challenging.
Bob Erdman: Mm-hmm (affirmative).
Robin Tatam: Let's talk about some mitigation strategies here. The question was asked which of the following cybersecurity strategies are most likely to see implementation within the respondent's organization over the next calendar year. Big one, multi-factor authentication, 33%, a third of you looking to implement some type of verification that the credentials being entered are actually being entered by the person who owns those credentials as opposed to somebody else. This is definitely a technology I know here at HelpSystems we've got a couple of solutions in the space and a lot of people very interested in.
Robin Tatam: PCI of course if you're familiar with the credit card mandate has now spoken in this regard and definitely something that they are now requiring at least for administrative or non-administrative access into anywhere other than the console. When we have privileged user accounts and they're connecting into the system, unless they've got a dedicated console that we have some physical security around, we have to ensure that they're the persons that is supposed to do the credentials. Dan what do we think about when we tell people that there's requirements multi-sector authentication, should we be implementing MFA in encryption? One of the conversations that you're having with the install base to help them with this.
Dan Freeman: Yeah. One of the things specifically talking to MFA and encryption, when we talk about and we look at the past I'd say five years of things like the Verizon DBI reports, seeing what seems to be the biggest causes or the biggest actors for breaches and it might have been mentioned a little earlier some security institutes like Ponemon Institute, they'll put 90% to 95% of all the initial breaches happen because of phishing. Phishing is going to be where the number one last year was you're pulling out weak or hacked and passwords. That's going to be one of the number one reasons why we get hacked.
Dan Freeman: Now implementing something like multi-factor authentication, that's going to reduce that not a 100% by any means, but that some people 90, 95% of all those different types of phishing attempts or just the hacking out weak passwords can be mitigated by that multi-factor authentication. The second thing you talked about encryption with data at rest is probably one of the big ones that I think a lot of people I'm not going to say forget about, but maybe don't pay attention to as much. I think in transit, most people are pretty cognizant of, whether you use an SSH or SSL, TLS type of encryption for that transmission, but it's that data at rest that we tend to sometimes forget about.
Dan Freeman: Having that data at rest encrypted, that prevents things like even if you do get a breach, you're unfortunate that you do have a breach, at least you can prove due diligence that you did have the data at rest that was encrypted to where it can be unusable. This can prevent one probably most importantly that breach, that actual disclose, disclosure of information to unauthorized individuals, but from a business perspective, usually doing due diligence like that and proving that you did encrypt it, you can avoid those hefty fines when breaches do happen. Definitely encrypting your data as well as multi-factor authentication, those are two areas.
Dan Freeman: If you have to pick, those are two I think one of the biggest ones and one of the easier ones to implement because some of the other ones we look at, strong network security, penetration testing, some of those can be really daunting. Strong network security is quite an open door. I mean that could mean a lot of different things and I know I got on late, didn't get to introduce myself, but my former life, I was a security and privacy awareness trainer so I was pretty pumped to see the second one on there was educating the training for users because you can use those users as your front door, your first line of defense as opposed to the welcome mat for viruses and things to come in the door because as we know this last year according to the DBIR, four of the top five breaches were because of human error misconfiguration.
Dan Freeman: Those three I guess in summary to answer your question, MFA really gets rid of the weak passwords or hacking of passwords makes it very difficult. Encryption covers you in the case of if you do have a breach. You're doing due diligence to make it unreadable, unusable as well as maybe preventing fines from happening to your organization, and then making your users actually benefit to you and being that first line of defense by doing the education training.
Robin Tatam: Yeah, that's great thank you and one of the interesting things, maybe I look at this a little simpler, but one of the things I found quite interesting in the results in this regard was along the lines of the fact that there was such closeness in these answers, that maybe there's a lot of these technologies that people are hoping get implemented and maybe that's part of the reason we're struggling, not only from a resource perspective, but also a budget perspective because we're looking for so many different capabilities perhaps playing catch-up in that cat-mouse game with the folks that are coming at us in order to implement the necessary controls.
Robin Tatam: Let's face it, most of us don't sitting around in the IT data center with nothing to do. We're usually struggling to keep up with the tasks we've already been assigned and unless we have a dedicated security team and plenty of them, then this can certainly be a problem for people to be able to implement these types of technologies hopefully or ideally all at once get everything done. We've got to look at a maturity model, what should we do first. We've got to prioritize the rollout. We have that conversation day-in day-out with regards to yes, there's lots that needs to be done, but let's look at the high risk items first and then we'll work our way through the rest, and it's a matter of prioritizing.
Robin Tatam: Speaking of security teams, how many folks have a dedicated team that do nothing but cybersecurity, and we had a split here. Forty-one percent said yes they did, 13% said yes they had a CISO. A lot of times that's being motivated by some type of regulatory compliance that says that we have no choice, we've got to get some type of leadership in there. Even without that mandate, having somebody who is ultimately responsible to this typically reporting directly to the CEO, it is going to be the in wrote in to the board of directors and that C suite in order to gain that necessary funding. Interestingly though, we see that there's a significant portion that don't have a team that is dedicated towards cybersecurity.
Robin Tatam: This is certainly an area that struggles. They maybe the ones that are unable to obtain the necessary funding and really many instances, they have no intention of creating a cybersecurity team because it really comes down to the fact maybe that they don't perceive that they are at risk. There's still many organizations to say hey we don't have any data that is of interest to anybody, so I don't really sense a need to create such a dedicated role. I did see that there was a portion or a subset of the respondents that were looking into the process of forming one, and I think it can be as simple as having some employees maybe even on a security committee that are making some decisions that are more at an organizational level versus just everybody heads down doing their business functions.
Robin Tatam: There's got to be decisions making or decision-making going on. I know in my conversations and in some of the work I do with the power system servers, we're still seeing shops that are leveraging the same security controls that they did 20 years ago simply because nobody's making any decisions or taking the helm of what should be done. The idea of at least discussing it or forming it initially at least a committee, even if you don't have a dedicated cybersecurity team if you're a smaller shop, then that's absolutely something that I think is a positive step and I would thoroughly recommend that. Do you guys have any thoughts on how you get started in evolving a cybersecurity team?
Robin Tatam: Have you seen people creating these committees in your conversations as well or is there some other approach that people should think of in order to get to this this way of thinking?
David Dingwall: It's really difficult. A lot of it is dependent on company and organizational culture. Unfortunately, there's no one approach and no one way in the door. Often it's a very large hammer being pushed at the C level saying we have to do it and that then it becomes very black and white. How do they go about it is rather random sadly and there doesn't seem to be any particular guidance about how an organization in a particular vertical would go about this. I wish there was, but I'm sure consulting companies get paid a lot of money, but I can't say that their approaches are consistent, even inside single verticals sadly.
Robin Tatam: Would you agree though that something is better than nothing regardless of the approach, at least having that mindset that people are talking about and thinking about that process is beneficial overdoing traditionally nothing and definitely be an improvement?
David Dingwall: I don't think the do-nothing approach is commercially viable anymore. It's required for people to operate in particular regulatory requirements, so they must have it. I'm not sure that a do nothing attitude is going to be a good career decision for anybody in the C level anymore.
Robin Tatam: Yeah. The days of burying the head in the sand are long gone and I don't see that as a bad thing, but we've got a transition from one mindset to the other and I think many organizations are still in that transitional phase.
David Dingwall: Well, certainly even if the management teams or the executives in a company still have their heads in the sand, their non-executive directors will be pushing them because their new legal requirements force the organizations, they're briefing and advising to make sure that this is happening.
Robin Tatam: Yeah, absolutely. Now if we don't have the resources to do this in-house, there's always the option of outsourcing. I think that tends to have a negative connotation to many people in the IT space because they think of that as hey, I'm going to lose my job because we're sending this role or my responsibility to somewhere else, but I think it can also be co-sourced in which the cybersecurity I think that's much more important. There has to be some local buy-in in addition to the repetitive functions perhaps that are sent outside, but looks like again it's a fairly even split between those that are leveraging outside cybersecurity experts with those that are handling this all in-house.
Robin Tatam: Bob do you have any thoughts on people's concern about sharing this type of sensitive role in comparison to say an administration function where perhaps onboarding profiles or resetting accounts that is traditionally been an outsourced function or IT management as a whole? Is cybersecurity any different? Are people more sensitive to letting go of that responsibility?
Bob Erdman: I think people are a little more sensitive because of the types of information that are being given away. If you can't trust that in contract person and you're given them access to the crown jewels of your organization's data or systems, that can be a big problem. An insider of use is plenty big problem in security industry, but there are a number of functions that traditionally are outsourced. Some regulations even mandate a few of them to be outsourced, so that you are self recording things, like pen testing and risk assessment audits and things like that where traditionally we would expect that to be a function that is coming in from an external organization because it's very specific knowledge that you have to have to do those types of things, and generally not everybody has that type of in-house personnel available to them.
Robin Tatam: If you're doing it on an occasional, hopefully recurring basis, then perhaps it doesn't justify a full-time employee or team of employees. You can just bring in the best of the best of the time when it's needed and overall I think having that as a business expense versus somebody on payroll and the benefit and every other element to that overhead can I think financially be justified, but it's certainly a discussion that should be had in house and a decision made. I'm glad that many folks are leveraging outside expertise. Certainly we do a lot with our customers to provide those necessary skills, but for us, we always find that it works best when it's a co-source model where there's dialogue and understanding on both sides and that it's a synergistic type relationship.
Robin Tatam: What about regulatory compliance? We asked whether folks were having to deal with any types of regulations or standards and we certainly got some response here of course that many of you are dealing with these. Leading one is PCI. I can't say I'm surprised by that. GDPR have come out of nowhere. If you're outside of EU, you may not even know what GDPR is, but it's something that needs to be on your radar because people are mistakenly thinking that because this is a European union based regulation that it only impacts the EU, and the reality is it's about securing data stored on EU citizen.
Robin Tatam: If you are an industry where you have customers or maybe we have gaining organizations or entertainment where people are coming on vacation and spending time, if you're collecting data on those people, then that certainly has the potential of sucking you into that upwards of GDPR, and that's something that you really need to be conscious of them and working on. We have HIPAA here in fourth place with medical information. NIST really isn't a regulation per se. It's a framework that people are using of course, but other people focused on adhering to that and if they probably created something roughly have been around now for almost two decades and is designed to oversee business process there, so I think a fair representation.
Robin Tatam: What I found most interesting here is that we had almost a third of the respondents say we simply don't have to deal with this and this is a conversation I encounter frequently. I asked to have that data broken down further because one of the things I find interesting is when you get into the larger organizations, typically they are publicly traded or they're dealing with financial credit card data or they deal with their own human resources and have medical data. They are more often the ones that with funds that they have one or multiples of these regulations to deal with.
Robin Tatam: When we break it down of the 28% that are not dealing with regulations, 24% of those were large organizations defined as having at least a thousand employees on staff, but the vast majority not surprisingly do fall inside the one through 999 employee space what we deemed the small to the mid-sized business. We really want to to recognize that that may change over time. I think regulations are going to get further and further down into the stack and whether you're doing business with large organizations or you have any type of sensitive data, every time there's a breach, there is potential that there will be additional regulations or the scope of the regulation will catch. Dave any additional thoughts here?
David Dingwall: Yeah, especially of the 28%, it's interesting that in the last few years, there's 32 been data protection regulations, national regulations that been enacted. GDPR covering Europe only covers 10% of the world's countries. The other 31 laws have been passed in other countries like India, Turkey, Brazil, China, and many many others and that covers another three quarters of the world's population. Exploring with these people who say we don't really have anything to do with this, I think they're going to have a very rude weakening regulations just like GDPR take a couple of years to run pop, but then the hard deadlines kick in pretty fast and the legal implications are pretty stringent.
David Dingwall: It's the any number at 28% is not something I believe will stay going forward and we'll need to think again about how we phrase this question next year. Maybe not focusing so much on regulations that have been in play for many, many years or decades but maybe those regulations that are changing or affecting the way the business has to operate and respond over the next say 2- or 3-year window.
Robin Tatam: The GDPR side of things as I mentioned is coming at us like a freight train right now. It appears and David, I don't know if you're seeing something similar being in the UK, I know Brexit through a spanner in the works there and there was some thought that the UK wouldn't have to deal with GDPR compliance, but that's really not the case. There's still 17% of people that haven't even started preparing. How long's GDPR have been in its ramp up phase at this point?
David Dingwall: We're really for two or three years and pretty consistently non-stop with information draining on organizations, professional organizations, IT organizations, business level and management, consulting fees and a shed load of external consultants coming in. It actually reminds me very much like the first cycles of SOX compliance in the early 2000s, whereas the regulations and processes and changes that were recommended were all tied to frameworks and business approaches. What happened with SOX is things changed as people gained experience, the focus of these projects and then you have to keep repeating these on at least on an annual or quarterly basis.
David Dingwall: You need to start pulling people like to the process. Our own company standard GDPR project and it was very people hungry, and I think it's fair to say the same with most of the GDPR projects I've touched in the last couple of the years. It's been very people focused and that's going to have to change especially as legal cases come to trial and they will come. They'll provide more guidance on implementation approaches in particular infrastructures and applications and itemize things that we need to avoid. Just like SOX in the past, I'd expect this to change as a program.
David Dingwall: It's a more tool driven solution where most of these exceptions and things to avoid and things you must do in a particular way are actually in tools themselves and can be measured on a consistent basis, taking people out of the equation. I don't expect that shake out over the next few years or so.
Robin Tatam: Yeah. I think there's many of us that are waiting to see it when that hammer falls with regards to who falls on the wrong side of GDPR first because the defined structure there is quite astronomical. I just want to wrap up. Certainly I appreciate the panelists being with you, but of course HelpSystems is very focused in this space. We have a number of solutions that are designed to help customers address their cybersecurity pain points, everything ranging from intrusion detection, questions to user provisioning, secure of managed file transfer, policy management and probably some malware protection. These are all encompassed within a very comprehensive software and professional service portfolio.
Robin Tatam: If you are dealing with any type of pain point today in regards to growing your cybersecurity coverage, then certainly work with us and we'd be happy to provide you some insight into what we bring to the table in that conversation. One of the best things I always suggest to people and a great place to start is with a free security scan. We have developed a tool that is going to run on AIX, Linux, IBM I and it's going to give you some really great insight into your server configuration, and the best part of this like anything is that this particular function is no charge.
Robin Tatam: You're welcome to take advantage of that and get some really good takeaways and this document that you see a thumbnail of here, this is what it generates and this is something that you get to keep it and it's multiple pages, not just the summaries that you see here. All right, I know we're kind a little bit time here, but I didn't see any questions as I was going to going through, but I'm going to just double check here. If you do have a question, please feel free to answer or ask that in the chat window. I've got one final poll here that I am going to open. If you are interested in a security scan, feel free to let us know that. If you'd like more information on it before you commit to anything, of course we'll be more than happy to provide that information to you.
Robin Tatam: Just to say if you're going out to the website and filling out the form, but you can do that at any time. If you head out to helpsystems.com, you can find that information. You can sign up for a scan at any time and you're welcome to do that. We'll work with you no cost, no obligation, great place to give some insight here. All right, let me take a very quick look at the chat window. I think we did answer the question about the cloud being secured, hopefully that was satisfactory to James as far as an answer and that's what I'm seeing here. Looks like we're good. I appreciate the panel joining me here today and for those of you that are on the attendance side, thank you.
Robin Tatam: I know we ran couple minutes long here, appreciate you sticking with us. Hopefully this was good information for you. If there's anything we can help you with from HelpSystems, please don't hesitate, let us know. We are here for this purpose and we look forward to seeing you on an upcoming webinar. Have a great afternoon everybody, thanks.
Bob Erdman: Thank you.
See if the latest cyberthreats could harm your system and get tips on how to mitigate them with a free security scan.