Companies Must Improve Internal Culture to Thwart Cyber-Threats, Panelists Say

As companies increasingly explore how to improve their cybersecurity and shield their technology, proprietary secrets, and the personal data of their executives and staff from bad actors, they must take steps to fix a workplace culture that is still resistant to the habits and practices that best ensure online security, not to mention a shortfall of personnel with expertise in cyber issues.

These points came across in a Feb. 13 panel discussion, “2023 Top Cybersecurity Risks,” held under the auspices of the Bipartisan Policy Center (BPC), a Washington-based think tank, in partnership with Equifax, an Atlanta-based consumer credit reporting agency. Moderated by The Washington Post journalist Tim Starks, the panel featured Jamil Farshchi, Equifax executive vice president and chief information security officer; Tom Romanoff, director of the Bipartisan Policy Center’s Technology Project; Noopur Davis, executive vice president, chief information security officer, and product privacy officer at Comcast; Jerry Davis, founder of Gryphon X; and Christopher Painter, former cybersecurity head at the State Department, the Justice Department, and the White House.

The catalyst for the panel discussion was a new BPC report on cybersecurity issues and problems and the steps firms can take to educate their staff about the threat of cyber breaches and avoid risky habits and practices.

While Romanoff and others have long thought of cybersecurity as a largely domestic issue, the reality these days is that a company’s systems can come under attack from bad actors anytime, anywhere. “In the evolving world that is cybersecurity, you must take into account these days foreign folks that are trying to tap into our systems. That was the first kind of wake-up moment when I was trying to put together this report,” Romanoff recalled.

But while cyber thieves and other bad actors may be growing more widely dispersed throughout the world, and more sophisticated, the good news is that certain technological advances have greatly helped companies trying to bolster their defenses. Noopur Davis made a strong case for Multi-Factor Authentication (MFA), which requires users to present a second proof of identity beyond a password, such as a code from a registered device or a biometric trait unique to the individual, as one of the best means of ensuring the integrity and safety of companies’ data. But MFA is not a panacea in a world where some employees are stuck in the habits and practices of an office culture of the past, when cyber breaches were not the constant threat that they are today, she cautioned.

A running theme of the discussion was the lack of sufficient numbers of professionals qualified to oversee cybersecurity for companies. All too often, employers have placed the emphasis on finding professionals with the ideal qualifications rather than on training people who could, with time, move into the role.

“You don’t just need to have those tech skills, those hard skills. I think we need to continue to build those. But for me the question is, are they curious? Can they learn? There are many aspects of security, whether you’re on the risk management side, whether you’re on the technology side, or the strategy side, I believe that the talent is out there; we just have to look at new ways of identifying the talent, not just by their backgrounds, whether they have a degree in IT or coding and that sort of thing. There are other markers that show that someone can learn and be very good in the security field,” said Jerry Davis.

Lack of Experts

Indeed, one of the most concerning issues identified by the panelists is the sheer shortage of personnel at companies, banks, and financial institutions who have top-level training in the installation, maintenance, upgrading, and firmwide enforcement of cybersecurity practices and protocols.

In the view of Farshchi, part of the problem here is cultural. Schools and universities may simply not be placing enough emphasis on offering this kind of technical and vocational training.

Unfortunately, the layoffs that have rocked the tech sector in recent weeks—with many more thousand jobs possibly to be cut in coming months as tech platforms adjust to variations in ad revenue and a cultural backlash against social media—cannot be said to have provided companies with a fresh pool of potential hires well versed in cyber issues, Farshchi believes.

“So far, the layoffs haven’t really provided any relief on the talent front with security. I think the last numbers I saw [indicated] several hundred thousand open security jobs in the United States alone. So that hasn’t actually borne out yet,” he stated.

Those who look to artificial intelligence (AI) as a panacea for the shortage of human talent do not have a realistic grasp of the situation, Farshchi contended.

“AI could potentially provide some relief. It’s got potential, but it’s too early to meaningfully be able to tell how that’s going to play out. I think what we need is more systemic, we need to have more focus and more investment on building up that broader pipeline. We just aren’t getting enough kids in school being educated on cyber so that when they get out, it’s easy to be able to tap into them,” he added.

The shortfall is unnecessary, he suggested, because while cybersecurity is a specialized area, it is not too complex and daunting to master for those with tangentially related backgrounds, for example in information technology (IT).

But cultural issues, namely a tendency only to search for talent within the field, have so far precluded the recruitment and retention of potentially highly useful personnel.

“I also think that organizationally, within our industry, we’ve historically had reticence to bring in people who don’t specifically have cyber expertise. We need to broaden that horizon, there’s a ton of skill sets, you can teach them security components and they can be extraordinarily valuable,” Farshchi said.

Getting Up to Speed

Painter concurred on the need to broaden efforts to bring aboard people who can quickly get up to speed on cybersecurity issues and bolster internal cultures of compliance, though he acknowledged the reality that some will have a learning curve.

“For some organizations, some of the people who got laid off are the security people. It is [a matter of] getting more people interested in this. It’s building that pipeline and maybe retraining some of the people who’ve been laid off. Maybe they have some basic understanding of tech, but they have to understand the security element, which is a different field,” he said.

Besides making a greater investment in the human resources needed to oversee cybersecurity, firms must face the reality that what may seem like simple and obvious protocols sometimes go unobserved, Noopur Davis pointed out.

“It’s a simple set of rules, I think. You have to be careful, be aware of social engineering which continues to be the number one way, even for enterprises, that bad actors gain access,” she said.

Some employees need to be brought up to speed on threats such as phishing, in which malefactors falsely identifying themselves as representatives of respected banks, companies, or government institutions contact employees and try to get them to divulge sensitive information or send money under a false pretext.

Noopur Davis also warned about the dangers of employees using public WiFi.

“Have strong passwords, don’t get on any public WiFi even if it says ‘I’m very safe, connect to me,’ it probably isn’t. So just follow this basic hygiene, just learn about the impact of social engineering, make sure you are not joining unsafe and insecure WiFi to do your high-level security business,” she said.

Better Safe Than Sorry

In a corporate culture where people are trying to get as much work done as quickly as possible, it is all too easy for employees or executives to cut corners and ignore very basic safe practices.

“These may be simple things, but they’re not easy. Simple doesn’t mean easy,” Noopur Davis added.

This is particularly the case when it comes to MFA, which some people may simply consider too much of a hassle to make use of, even though it is critical for online security.

“I wish it were seamless, but security often is that balance between usability and security, and MFA can feel like it’s getting in your way,” she said.

She praised advances that have made MFA more appealing for some users by incorporating facial and/or voice verification into the security protocol.

“It’s getting better and better, especially on devices. When your biometrics become your factor, it’s easy when it’s your face or your voice. But without that, yes, it can seem intrusive,” Noopur Davis said.

Another concern is that some employees lack clarity around the protocols and the ideal timeline for reporting phishing and other suspicious activity.

“Report an issue within 72 hours—the question that goes through your head is, 72 hours from when?” she said.

Painter agreed that even people who are familiar with such issues sometimes fail to follow all the protocols and safeguards that could avoid or minimize damage from a cyber breach.

“Even people who are security professionals don’t always have the security habits that they should. It’s a sad reality, but we’re human,” Painter said.

“In the past, people have not valued security enough to actually pay more for it, at least in the United States. In some countries, they do. How can that be built into the infrastructure more generally, so that the ordinary grandmother doesn’t have to worry about it?” he asked.
