Fred Cobb, the chief information security officer for InfoSystems, hosts a weekly podcast, Cybersecurity Weekly, and works with clients around the country to identify and manage threats to the security of their digital data. A University of Maryland study that exposed internet-connected computers to the open internet recorded an attack attempt on average every 39 seconds, or roughly 2,244 attempts a day. The reputational damage to companies that lose control of customer data is a huge concern, along with the everyday financial and personal effects on individuals whose data has been compromised. In 2018, breaches exposed roughly half a billion personal records, according to the 2018 End-of-Year Data Breach Report from the Identity Theft Resource Center. Spreading awareness of cybersecurity threats is one of Cobb's primary missions.
Q: When you talk to clients about this topic, how do you frame it?
A: I start by asking them to imagine what it would mean to lose an entire day's worth of work. Not just your own work, but an entire day's work for every single employee in your company. I tell the story of a company where a cyberattack was successful, why it was successful, and I ask clients to put themselves in the shoes of different people who were affected. The actual attack victim who clicked on the email. The employees who were affected. The business owner. The customer. We also talk about the broader effects of cybercrime. Think about the overall impact on our city. Money is being stolen in our community via cybercrime every day. If people and companies are losing money, how does that affect our local economy?
Q: What kind of cybercrime are we talking about?
A: Let's get back to the story I started with: the true story of a successful cyberattack. In this case, an employee of a company clicked on a link in a scam email and exposed sensitive data. An individual's mistake may have been the entry point for a ransomware attack. Someone got the best of him and it affected the whole company. Let's start with how he feels. Guilty. Like a sucker. Scared he could be fired. But should he be fired? Was this incident really his fault? Where should we place the blame in this scenario? The company's executive leadership? The company's IT provider? There's plenty of blame to go around, but let's see this problem for what it really is: this incident happened because none of the people involved were prepared for it.
Q: What are our biggest vulnerabilities?
A: The truth is, most people are unprepared for this kind of event. For the most part, we don't have the right attitude about cybersecurity. We're not taking it seriously enough. On the local news, we hear about shootings, break-ins, robberies, traffic accidents, drugs, illnesses, and all kinds of other events that heighten our awareness about threats to our safety and security. The recent story about members of a local Jewish congregation being targeted by criminals online was a rare example of a cyberattack making headlines in our community. In most cases, the shroud of secrecy surrounding cyberattacks makes it difficult to put a face to these crimes and tell these stories. The real problem is that the cybercriminals are working their tails off on highly sophisticated attacks every day, but the results rarely make headlines.
Q: What can companies and individuals do to protect themselves?
A: Awareness is an important place to start. Much of the work of InfoSystems focuses on promoting cybersecurity awareness. You may think you can spot a fake email with misspelled words and bad grammar, but now phishing emails are becoming really, really convincing. Awareness is obviously not enough to tackle the problem of cyberattacks in our community. Nothing will happen if company leaders don't have a clear understanding of where their company is with cybersecurity right now in light of their realization of how serious this problem is. Business owners need to take action. Work with technology pros to assess your level of exposure. Provide training for your employees. We recommend a platform called KnowBe4.com, which has a huge library of training resources with quizzes and completion tracking, and even allows you to send out "simulated email phishing attacks" to employees so that they get to experience what was covered in the training. Next would be to use a set of guidelines to begin implementing best practices for security and identifying vulnerabilities that may exist. We recommend the Top 20 Security Controls published by the Center for Internet Security.
Cybersecurity Weekly podcast: https://infosystems.biz/podcasts/
University of Maryland cybersecurity research: eng.umd.edu/news/story/study-hackers-attack-every-39-seconds
Identity Theft Resource Center: idtheftcenter.org/2018-end-of-year-data-breach-report/
Center for Internet Security: cisecurity.org/controls/cis-controls-list/