Cybersecurity was a hot topic during the 2016 U.S. presidential election, and much of the information presented during the recently completed CSX North America Conference demonstrates why it needs to be an ongoing global priority.
Each year, the worldwide cost of cybercrime exceeds $600 billion, noted Brett Kelsey, vice president and CTO-Americas for Intel Security. In the financial industry, the mean time it takes to detect a security breach is 98 days, Kelsey said. In the retail industry, the mean detection time is 197 days. The average cost for each breach is $3.79 million, he reported.
The conference was sponsored by ISACA, the preeminent independent, nonprofit, global organization dedicated to improved information systems. ISACA stands for Information Systems Audit and Control Association, although the group goes only by its acronym.
The event brought cybersecurity thought leaders, experts and professionals together in Las Vegas. Here are some of the critical issues facing the industry that were discussed at the conference.
More qualified people needed
One critical issue for the cybersecurity industry is a shortage of qualified professionals. Keynote speaker Brian Krebs, an investigative journalist and founder of the KrebsOnSecurity blog, was among several speakers who urged organizations and businesses to invest more in training and personnel.
Cybersecurity importance not fully appreciated
Krebs explained that those who are not continually working to maintain their privacy don’t have any real privacy, because all online devices with IP addresses will eventually be hacked. Phillip Ferraro, senior vice president and global CISO for The Nielsen Co., explained some of the challenges associated with convincing boards and organizational leadership of the necessity of cybersecurity. When calculating costs, executives need to consider factors like reputation and brand damage, current and ongoing losses, loss of share value, and regulatory fines and sanctions.
Overlooked security threat
Firmware is software embedded in devices like printers, cameras, routers, scanners, etc. Justine Bone, CEO of MedSec, reported, “Attackers are targeting firmware — many breaches and vulnerability discoveries these days can be attributed to firmware problems.” An ISACA study confirmed that few organizations are prepared and that firmware is highly vulnerable to cyberthreats. The study showed only 13 percent of security professionals’ enterprises have fully implemented controls for firmware.
Infrastructure at risk
Malware threatens global infrastructure like dams, power stations, railroads, etc. Ed Cabrera, chief cybersecurity officer with Trend Micro, told conference attendees about attacks on the Ukrainian electric grid and mining and rail companies. “Behavior analytics has to become an accepted strategy to go from being the hunted to the hunter, to go after and try to find this activity on the business side and the operational side,” Cabrera said.
Mobility increases vulnerability
The proliferation of devices that connect to the internet presents a daunting challenge for business security professionals. Presenters Mike Krajecki, director of emerging technology and risk services for KPMG LLP, and Milan Patel, program director for IoT security at IBM, explained that security and privacy must be embedded into the strategy and design of connected device programs. Security specific to each category of device is necessary and should include strong authentication and access control.
Those who would like to learn more about ISACA and upcoming events should visit the organization’s website.