Welcome to Cyber Security Today. This is the Week in Review edition for the week ending June 25th.
From my studio in Toronto I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com. My guest commentator this week is Dinah Davis, vice-president of research and development at managed service provider Arctic Wolf. I’ll talk with her in a few minutes. But first a quick look at some of the week’s headlines:
IT administrators and owners of 129 models of Dell business and consumer computers are being urged to install the latest Dell security patches. This comes after a security company called Eclypsium discovered a chain of vulnerabilities in the BIOSConnect feature of the computers that could allow an attacker to take over the devices. BIOSConnect allows Dell support to remotely access a computer for recovery of a crash or for updating the firmware. The vulnerabilities allow that capability to be compromised. To get the patches go to Dell’s site and find the Drivers and Downloads page.
A study released this week complains few information security leaders have a direct voice to the chief executive in their organization. That could make it very difficult to ensure leaders have an accurate and complete understanding of security risks facing the organization. I’ll be discussing this report, and the role of information security professionals in firms, with Dinah.
A small Ontario accounting firm has joined the list of companies hit by ransomware. The owner of the company told me this week he thought the firm was too small to be hit. But an expert told me that small businesses are overwhelmingly the ones that are victimized.
The city of Tulsa, Oklahoma is the latest victim of the Conti ransomware gang. This week the gang published thousands of stolen documents, including police citations like traffic tickets, which may have had residents’ names, dates of birth, home addresses and drivers’ licence numbers.
A ransomware gang has begun publicly releasing documents it says were copied from a Taiwan-based maker of memory and storage chips called ADATA Technology. According to news reports the company was victimized in May. The gang says it copied 1.5 TB of files.
Microsoft is warning consumers to not be fooled by crooks pushing an Office 365 scam. The email says a trial subscription to Office 365 has expired and they will be charged a monthly fee unless they call a number to cancel the trial. People who call the number are asked to download a file to cancel the application. However, that file is used by crooks to steal passwords.
Finally, high school students in the province of New Brunswick will be eligible this September to enroll in a special three-year online cybersecurity program. The program will give students a credit just like others in the curriculum. The goal is to help prepare interested students for a cybersecurity career. I’ll also be discussing the pros and cons of this program with Dinah.
(The following is an edited version of our talk. To hear the entire discussion play the podcast.)
Howard: I want to begin with a report by LogRhythm, which surveyed over 1,400 cybersecurity professionals around the world. These were people who held the title of Chief Information and Security Officer, IT security manager, CIO, or security director. And what it found was only seven per cent of them reported directly to their CEO. Most reported to the CIO or the director of IT or a vice-president. And so given that the number of cybersecurity incidents keeps going up, should an official with IT security expertise be sitting beside the chief executive or the chief financial officer and all those other people with ‘chief’ in their names?
Dinah: I think it depends on the size of the company. For a really big company, yes, that’s probably important because if they’re not right there at that table, there’s going to be problems. In smaller companies, as long as the security person reports directly to somebody at the C-level, then I think it’s probably okay. As long as that person is a good [cybersecurity] advocate. There has to be someone responsible for the security of your company at the C-level, whether that is the IT security professional or someone representing it.
Howard: Arguably a lot of managers in an organization think that they’re important. Can an organization have two people representing IT with management, like the CIO and the CISO?
Dinah: I think having both might be a bit odd, but if you think about really, really big companies it may be necessary. And as long as there’s an extremely clear delineation of responsibilities, then it’s probably fine.
Howard: This is a really old discussion: Should every organization have a Chief Information and Security Officer, CISO, who sits with the other chiefs?
Dinah: Again, I think security has to be represented at the C-level. Whether that’s with a specific role, I think depends on that company and the company’s culture. If the current C-level is not paying any attention to it [cybersecurity], then you probably want to add that. But if somebody on the C-level group is quite an advocate for security, then it’s less needed. I don’t think these are black and white answers. I think they’re case by case.
Howard: There’s also some evidence that the advice of security pros isn’t getting to the top. For example, in this survey less than half of the respondents agreed that their organization values and leverages the expertise of their firm’s cybersecurity leader. So if they don’t think that they’re valued, isn’t that a sign that their expertise, their advice, isn’t getting to the top?
Dinah: For sure. And I think that’s a common occurrence. It’s ridiculous. And I think that boards should be demanding information and security updates because it has a direct effect on the financial outcome of the company … The board needs to be engaged [on cybersecurity]. And the way you get them engaged is by showing them the actual risk, showing them that cyber risk is actually organizational risk. And you want to highlight not only the reputational, but commercial implications a breach would have. It can destroy household brand names. You really want to hit those board members where it hurts, and that’s cost. What would it cost the organization if ransomware shut down their facility? If it’s healthcare costs could include things like patient care, productivity, cleanup, compliance, fines, all kinds of things. You have to get them to look at that. … I think that’s really, really important, to always come back to the business case of why security needs to be important.
Howard: Your point is well taken: It’s not just that a security professional has to report to the CEO, because cybersecurity experts say it’s important that the boards of directors [also] be knowledgeable. The interesting thing is that in the survey, only 30 per cent of the respondents said that they report to their boards about cybersecurity issues every quarter. Forty-one per cent said they only speak to the board when there is a security incident.
Dinah: It’s nuts. I saw those stats in there and I was like, seriously? We [at Arctic Wolf] report on it every single board meeting. It should be part of every single board meeting for every company. It’s just non-negotiable.
Howard: Is this a problem that cybersecurity in general is seen as an expense in the company? It’s not something that makes a company money?
Dinah: I think you’ve got it right there on the money. It’s an additional thing we [infosec pros] need to think about. What people don’t realize is without having it, without thinking about it, you’re actually just putting your entire company at risk. It’s just part of our world now: We pay electricity, we pay building costs. We need to pay for the costs to keep our company secure. It’s just part of the cost of doing business these days.
Howard: You found other parts of the survey very interesting. Tell me about that.
Dinah: [Respondents were asked] what are your top security risks affecting your organization? The top item is phishing and social engineering attacks, remote worker, endpoint, ransomware … But then at the same time [when asked about] their spending priorities in 2021, this blew me away: The top spending line item was investment in technologies, such as automation, AI, and machine learning. I was like, why would you do that? And then almost all the way at the bottom was investment in training and awareness programs. This should be completely flipped. You should have the investment in training and awareness programs at the top. We know that this is the number one way that companies get hacked.
And then even at the bottom they had investment in consultants and MSP (managed service provider) services. That’s also crazy. That should be way, way up higher than buying fancy machine learning tools, because a lot of them just do one or two things. You’re not going to solve this [cybersecurity] problem with a whole bunch of just different technologies. You need a whole solution. You need somebody monitoring what is happening in your company 24 by seven, whether that is your company or if you go to a third party to help you. The biggest spending on AI, to me, shows people just want to click on the fun IT word.
Howard: I want to turn now to the new New Brunswick high school cybersecurity program, which is partly funded by Cisco Systems. It’s a public-private partnership between the provincial department of education, Cisco and CyberNB, which is a not-for-profit agency that advocates for the cybersecurity industry.
Dinah: This is so cool. I am so excited about this. This is exactly what we need.
Howard: As I understand it, it’s a specialty program aimed at equipping students who want or are thinking of a career in cyber security. It could be a stepping stone to a job or into a college or university IT course. Tell me about what you like about it.
Dinah: I recently did a survey of over 50 women in security in my network. I was building a talk around women in security, and one of the things that I had a hunch on was that cybersecurity wasn’t people’s first careers. I found that 75 per cent of people [surveyed] had cybersecurity as a second or tertiary career. One of the problems there is that we never know about it. We don’t know about it when we’re going through high school. And so when I asked all of these women in the survey what could educational institutions do to help them find careers in cybersecurity, their top responses were partner with industry, start in high school and have more hands-on learning. And this program that they’re building in New Brunswick ticks all of those boxes.
This program is really great. It’s even better because it’s run completely online. Why is that great? I’m not necessarily a huge online school fan, especially in the last year or so, but in Ontario we have three computer science courses that you can take in grades 10, 11, and 12. And in my local area each high school maybe has one of those courses, because they need a teacher to decide that they’re going to help and teach those courses. And so students going to different schools have different opportunities based on what the teachers are willing to do. The fact that this is an online program means that it will be available to all of the students in the school district, regardless of whether or not a teacher decides to do this.
You know, recently Ontario updated its grade nine math course, which I’m extremely excited about because my daughter’s just finishing grade seven. And in the new math course, they’re doing two things that are really, really key. They’re stopping streaming of university and non-university math — which they have in their computer science program too, which seems ridiculous to me. You can take a computer science program as if you’re going to university for computer science, or if you’re going to college … That just seems silly. But in any case, the new grade nine math course is adding [software] coding to the curriculum. And it’s part of a four-year change plan, meaning that grade 10, 11, and 12 are now going to all get updates in the coming years.
They don’t have to become experts. They don’t need to code again for the rest of their lives. That’s fine, but they do need to know how that underlying system works. And when you add security on top of that, it’s even more important. Security should really become part of every child’s career. Maybe not to the extent of the Cisco courses, but children need to know how to be safe online. And I just think this is fantastic that they’re bringing in this opportunity for kids to see this before they hit university, because sometimes it’s even hard to find out about the cybersecurity world in university.
So many people have stumbled their way into [cybersecurity] and we need so many workers today that this is going to be key. And in fact, if we go back to the [CISO] report we were talking about earlier, the biggest organizational challenge … was having a skilled workforce. That was the biggest problem that they said they encountered. And this kind of course [in New Brunswick] is exactly what we need to do to try and combat that and build a much larger, more diverse base of cybersecurity professionals going forward.