
Even cybersecurity experts get hacked. Here’s how to fight back.

Berkeley Varitronics CEO and cybersecurity expert Scott Schober is a regular guest on Bloomberg, CBS, CNN and other high-profile media. What many viewers might not realise is that his company has also been the victim of multiple cyberattacks – a classic case of the expert attracting the wrong kind of attention from the cybercriminals he’s working to thwart.

In the first of a three-part interview, he spoke to Pamela Weaver about his book, Hacked Again, the dangers of accepting breaches as a cost of doing business, the importance of passwords and what businesses can do to fight back.


The opening chapter of your book is entitled “Learning the Hard Way.” Do you think that’s still the way most businesses are learning about cybersecurity and data protection?

Over the past few years, since my company was hacked, I have learned a lot from others. The topic is something I eat, live, sleep, breathe and talk about with friends, coworkers and small business owners. And this includes their pain, which I hear about daily, first-hand. Some listen and take the necessary steps, but I am still amazed when people reach out for advice but fail to implement the necessary changes to stay safe.

Most seem to suffer from a disconnect. They mistakenly believe that no one wants their personal data or will go after their bank account so they keep the same weak passwords and don’t take basic safeguards to protect their personal data. They see others being hacked and extorted but do not believe they can be part of this group. As a cybersecurity presenter and educator, this is truly disturbing to me because education and prevention go hand in hand. Staying in denial about our chances of being compromised is my number one obstacle as an educator. It’s as important as an addict admitting they have a problem before they can begin treatment.

We all have a long way to go before cybersecurity is no longer relegated to an afterthought, and this includes businesses. It takes everyone within a business, from the janitor all the way up to the CEO, to think about security and take actionable steps to stay safe. The days of departmentalizing responsibility and sentiments such as “That’s not my job” are a thing of the past. Our interconnected world requires all of our participation in both prevention and taking actionable security measures.



You talk about how banks in particular have arrived at a point where they view cyber fraud as a cost of doing business. Is that something you think is creeping into businesses generally and how dangerous an attitude is it?

The ‘cost of doing business’ attitude is truly a double-edged sword. On the one hand, it’s toxic and does the most damage when it trickles down from those in charge to all employees. It’s a shared sickness that only leads to lack of innovation and eventually complacency.

On the other hand, the cost of doing business must be constantly assessed and adjusted. Nowhere is this more urgent than in the area of cybersecurity, which is projected to reach $6 trillion in spending by 2021.

Fortunately, there are some great advances in threat detection tools entering the cyber space. These tools come in all forms: software, hardware, tutorials and basic security measures that, when used properly, can protect an institution’s most valuable assets, including their IP and customer data. But not all banks are embracing these new technologies because they are costly. Smaller regional banks have limited budgets that make it a challenge to spend the right amount of money in the right areas. The good news is that many of these banks pay attention to the headlines and are beginning to realize that the cost of doing business is always shifting. They know that in order to survive, they need to implement best cyber practices throughout their institutions to avoid being included in the next cyber breach headline.


In your book, you talk a lot about the importance of multi-layered security. Could you walk the average non-technical business decision maker through what that means – and what are the key components of a good system?

Layers of security are extremely important. In Hacked Again, I spend a great deal of time stressing that the layers of security in place at your physical house (dead bolt, camera system, alarm, alarm stickers…) are just like the layers we use in cybersecurity. When you add layers of security such as two-factor authentication, you make it tough for hackers. This additional step keeps you safe without having to memorize a password. It is also free, and most secure login portals offer it (Google, Yahoo, Apple, banking sites, etc.), so take the extra time and utilize it.


There are various layers of security that should be considered within an organization, all with different levels of risk and vulnerability to be assigned. This will vary from organization to organization, as well as by the amount of sensitive data, intellectual property and trade secrets the company possesses internally. Companies need to understand that security needs to be properly enabled through the following security layers: human, physical, endpoint, network, and data layers.

People are the human layer and require cyber education so they can effectively distinguish spam and phishing attacks from legitimate business correspondence. They need to NOT share passwords with co-workers, nor anyone for that matter. They should never divulge their company’s password for the WiFi network or give out credit card information through an email, for example. Humans, by nature, trust other humans, and that is their biggest security weakness.

Physical security is a tremendous threat, mostly because it does not appear to be a threat in the world of cybersecurity. Unlike a police body cam, which catches every altercation, hackers are much more deceptive in their physical attacks. My company has two independent systems with 8 cameras that are recording movement inside and outside the facility on a DVR 24/7. Can anyone walk through the front door of your company and place a USB stick into a computer at any time, or just leave a malware-infected stick next to a sensitive computer? If you have no way to see these things as they play out or review them, you should consider taking steps to reinforce your physical security.


Endpoints need to be secure, but nothing is 100%, so you need to minimize the risks. Reducing your surface area for attacks, while at the same time reducing the opportunities for an exploit, will strengthen your overall cybersecurity profile. What apps are allowed to be run? What type of traffic is allowed in or out of your network? Questions like these will help manage and minimize risk.

Security beyond the firewall and the risks of big data

Depending upon the organization’s size and budget, they should assess their network security beyond the firewall. Does the information they handle have particular value to a hacker? This includes credit card data, intellectual property, and social security numbers of employees or customers. CIOs should consider intrusion prevention systems as well as VPNs. If a device needs to be connected to the network, then it is important that the device is run through a software and/or hardware system that will check and clear it for viruses and malware.

Big Data is quickly becoming the most relied upon resource for large companies. As we learn how to better analyze data to make smart choices, we can learn to grow our business and appreciate efficiencies we never thought would be possible. This is a double-edged sword, as the data that enables our businesses to run and grow efficiently can also be our downfall if we do not carefully guard this data from hackers.

Businesses need to properly encrypt sensitive data and limit access to it. Big data gets its name from the sheer size of data chunks processed. Users requiring large memory capacities in their USB sticks have enjoyed declining prices for years but this does not always translate to security.

The same goes for physical paper. Does your organization have a policy requiring sensitive data on paper to be properly shredded? I cannot control the waste management practices of my county, so I use a micro-cut shredder to ensure no sensitive information can be discerned if it fell into the wrong hands. I was once the victim of a dumpster diver who pieced together a credit card that I had cut up. Alongside the empty garbage cans, I once found my shredded credit card pieced back together like a puzzle. That was enough to convince me to micro-shred everything from then on.


Scott Schober is CEO of Berkeley Varitronics Systems, a provider of advanced wireless test, detection and security solutions to clients ranging from individual users and small businesses to Fortune 500 companies. His book, Hacked Again, is available to buy online.