May 14 - 27, 2018
www.charlestonbusiness.com 21
SPONSORED BY SC CYBER
Thought Leaders in Cybersecurity A Roundtable Discussion With so much of our lives, both professional and private, now connected to the internet, the concern over security grows daily. In this special section, thought leaders in cybersecurity provide insights into the issues and the steps you can take to protect your data and devices.
David Furr
Paul Ihme
Richard J. Krenmayer
Valerie Sessions
Cyber Attorney Gray, Layton, Kersh, Solomon, Furr and Smith PA
President of Consulting Services Soteria LLC
CEO Stasmayer Inc.
Professor and Chair Computer Science Department Charleston Southern University Computer Scientist SPAWAR, Atlantic
What emerging threats do you believe will impact your clients soon and how are you advising them? DAVID FURR/GRAY, LAYTON, KERSH: Our practice deals mainly with the small and medium businesses (SMB). (US Chamber defines SMB as revenues less than $1.2B or 1,000 employees.) Cybersecurity is nothing more than a critical subset of enterprise risk management. SMBs have a 70% chance of being hacked and even more importantly, 60% go out of business within 18 months of a hack. These are astonishing figures!
Just like the large enterprises, SMBs are fighting day-to-day in a competitive business world to provide their services or products profitably. They do not have the manpower or the technological wherewithal to cope with the cyber threats that face them on a daily basis. Unfortunately, security by obscurity is not a viable solution. These threats are not just from the shadowing figures abroad. We are seeing the emergence of domestic hacking as a competitive means. As varied as financial hacks to the intellectual property hacks to even litigation strategy hacks – ALL are appearing on the horizon of business interference threats.
RICHARD KRENMAYER, STASMAYER INC.: I believe a more sophisticated type of ransomware is on the horizon where attackers can annuitize extortion and ransom over time to increase the value of their revenue streams. It will include spear phishing, social media profile ransom, other doxing, holding data ransom on a machine or network, siphoning out data for later extortion and more we haven’t seen yet. We all need to give credit where it’s due. The outfits that are performing these attacks are very talented and sophisticated and run more mature businesses than a lot of us. A general hardening access of all information surfaces, regardless of being personal or professional, needs to be in the front of everyone’s minds.
22
www.charlestonbusiness.com
May 14 - 27, 2018
SPONSORED BY SC CYBER
Thought Leaders in Cybersecurity
We commonly see businesses operate under the assumption they are not a target or will never become a victim of a breach. While a given company may not be the ultimate target for a hacker, they may be used as a “stepping stone” to reach their end goal. The lack of a security mindset results in organizations failing to establish a plan for handling security incidents, making incidents more difficult (and expensive) to contain and remediate.
SMBs (small to medium businesses) have a 70% chance of being hacked and even more importantly, 60% go out of business within 18 months of a hack. These are astonishing figures!
David Furr, Gray, Layton, Kersh
Paul Ihme, Soteria LLC
What are some common mistakes that companies make and, what are some potential risks associated with them? PAUL IHME, SOTERIA LLC: We commonly see businesses operate under the assumption they are not a target or will never become a victim of a breach. While a given company may not be the ultimate target for a hacker, they may be used as a “stepping stone” to reach their end goal. The lack of a security mindset results in organizations failing to establish a plan for handling security incidents, making incidents more difficult (and expensive) to contain and remediate. For this reason, we recommend all businesses establish a security incident response plan to guide an organization’s efforts in resolving a breach, thereby ensuring recovery can be accomplished with as little downtime as possible. VALERIE SESSIONS, CHARLESTON SOUTHERN UNIVERSITY: One of the biggest mistakes is the lack of desire among organizations to share the types of attacks they are facing and have fallen prey to. Many times we are embarrassed of these breaches or fear our stakeholders will judge us harshly if we disclose this information. But the faster organizations can share information about these attacks, the faster we can learn to patch or make changes that stop them. One example is the phishing scam amongst university libraries that was recently in the media – one of our local firms, PhishLabs was integral in breaking this. Once the student and faculty bodies are aware of these types of attacks, the smarter we can be about stopping them. As we see that we are all vulnerable I believe we will start to share these stories more often and more quickly and limit the scope of the attacks. That’s where having organizations such as SC Cyber as a trusted source of information can help us share these lessons efficiently.
FURR: (a) Security by Obscurity — the genuine belief that I’m invisible. (b) Not keeping whatever systems they have up-to-date, which means “patched.” In the modern cyber world, there is NO patch for stupidity! (c) Not understanding the Tsunami of the IoT (Internet of Things). By 2020, 76 billion devices will be connected on this planet. The hard core fact is that if it can be connected, it will be connected and exposed to everyone, unless protected. What are the most common recommendations you have made to your clients to help them manage their systems and risk? SESSIONS: At Charleston Southern University, we are preparing our students to step into a tech-pervasive world. As even simple devices go digital, we become vulnerable to attack in new ways. We are preparing our computer science and cybersecurity graduates with the fundamentals of writing secure code, protecting network infrastructure, and designing risk assessment tools for all aspects of cybersecurity — both technical and soft-skills. We prepare graduates ready for the changes they will face in this space during their careers, not just those of today. Because these threats are ever-changing, we are advising our students to stay involved in professional organizations, read trade journals, and constantly stay abreast of new vulnerabilities. This is not a field in which you should ever feel comfortable or that there is not more to learn. IHME: One of the simplest business risk management tactics is only providing employees access to information and assets required to perform their roles. Limiting access to sensitive assets can significantly reduce the overall impact of a breach. For example, if an employee’s computer is compromised, the attacker may have access to all information
on that computer and resources which the employee has access to (e.g. file servers.) By ensuring each employee’s access is limited to only what they need, an organization can reduce the amount of damage that can be done by a successful attack. Some organizations view segmentation as a potential conflict with company cultures based on openness. However, when implemented properly, segmentation should have no negative impact to employees. KRENMAYER: Analysis, Awareness, Training, Analysis, Awareness, Training, etc. The formula is simple. It’s a lifestyle and a practice. You need to know what you don’t know, make your team members (including vendors) know what the problems are and then pivot to change behavior. The people you know are the biggest threat out of your control. All it takes is one person to get compromised. If you don’t know what you don’t know, you can’t be safer for your team and customers. Security needs to be looked at as never ending and a constant improvement process. FURR: The Road to Damascus for the small and medium businesses for cybersecurity does have a very important redemption intersection on it. The SMB simply cannot hire the inhouse expertise or afford the technology stack/ spend like the large enterprise organizations. That said, the redemption point is the IT organizations that are performing managed cybersecurity (cybersecurity as a service). Just like the established home security businesses that we have relied on to protect us from physical intrusion, certain IT organizations are now specializing in managed cybersecurity — a development so critical in the fight that the SMB can now stand with the same safety as the large enterprises without a substantial capital expenditure hit to its finances. This is probably the most important development I have seen in giving our SMBs a fighting chance, while not taking away their valuable time and monies from their day-today operations.
May 14 - 27, 2018
SPONSORED BY SC CYBER
www.charlestonbusiness.com 23
24
www.charlestonbusiness.com
May 14 - 27, 2018
SPONSORED BY SC CYBER
Thought Leaders in Cybersecurity You need to know what you don’t know, make your team members (including vendors) know what the problems are and then pivot to change behavior. The people you know are the biggest threat out of your control. All it takes is one person to get compromised.
One of the biggest mistakes is the lack of desire among organizations to share the types of attacks they are facing and have fallen prey to. Many times we are embarrassed of these breaches or fear our stakeholders will judge us harshly if we disclose this information. But the faster organizations can share information about these attacks, the faster we can learn to patch or make changes that stop them.
Richard Krenmayer, Stasmayer Inc.
Valerie Sessions, Charleston Southern University
What are the core challenges that firms you advise will face in the coming years? KRENMAYER: Budgeting and maturity. We don’t see businesses ready to spend money on security unless they have an incident. Even then we still see them not budget more going forward. It’s mind blowing, but it matches the statistics. It’s going to take the right level of maturity and acumen to integrate security planning into company business plans. Along with the increased budgeting and maturity comes the reality that prices for the consumer need to rise. These costs won’t be able to be dealt with by compressing gross margin or profits, we have to be ready to pass them on to the consumers. When customers buy your widget they’re also buying your security level. It’s part of the price of the product or service. Charge for it. What new technologies are coming to market that you are excited about? SESSIONS: Tools that utilize decentralized architectures and blockchain protocols to address new challenges. While the implementation in cryptocurrency is exciting in itself, this is just the beginning. Electronic voting, secure financial transfers for significantly less cost, asset management – these are just some of the transformative ways I believe this will be used in the future. What is the most underutilized technology available to businesses and why aren’t more businesses using it? IHME: We often find the most underutilized technologies are some of the most cost effective and easiest to implement across businesses of any size and industry. Two-factor authentication, mobile device management apps, and password management platforms are examples of three business security tools often overlooked by firms with which we consult.
By implementing these three technologies, businesses can better protect accounts from unauthorized access, better safeguard mobile devices containing sensitive business data, and improve internal processes for creating, sharing, and storing passwords. General lack of awareness of the existence of these technologies is commonly cited as a reason why they are not implemented across firms. KRENMAYER: Security provider services. Not to shamelessly promote my company, but what we see is that businesses think that since they have an IT department or vendor that they have security. It’s not the same. It’s a totally different set of talent and tools. This is why we have a separate side of the house delivering these solutions. You wouldn’t hire your painter to wire your house and you wouldn’t have your builder inspect it either, so don’t burden your IT with security by default. Like you, they’re just part of the solution. Get ready to know what you don’t know and reinvest your profits in your business of tomorrow. Bring in the experts to grow your strategic security team. What should a managed cybersecurity service provide? FURR: a. IPS firewall protection (sand boxing capability) and endpoint protection and email protection, all addressing the particular SMB need. b. Active management of the above. Mere detection without action is worthless to the SMB. c. Segmentation (where needed) of the crown jewels. d. Management and employee training around the above. Will that ensure my safety? FURR: No, but neither does a home alarm company guarantee your premises will not suffer an intrusion. In the criminal world, an effective cyber defense will act as a deterrence to the intelligent criminal, who will look to the undefended for his ransom.
In terms of cybersecurity, infrastructure and capacity, how does South Carolina stack up against other states in the U.S.? SESSIONS: In October 2012, a cyber attack on the SC Department of Revenue made over 3.6 million tax records vulnerable. It also made it clear that our state had work to do on securing its own systems and educating the public about how to stay safe in cyberspace. I believe we are better prepared with organizations such as SC Cyber standing alongside longstanding professional organizations like the AOC Palmetto Roost to educate the public through sponsoring cyber days, public information sessions and cybersecurity competitions. Our universities and K-12 are also stepping up with an increased emphasis across the curriculum for cybersecurity. The business space in SC for cybersecurity is also blossoming with companies such as Soteria, PhishLabs, as well as government contractors that have long been in this space – SAIC for example. The military resources we have with CYBERCOM, SPAWAR, and the AF base in our back yard are also impressive. While we have more work to do, I am proud of what SC has accomplished in response to the attack. What can South Carolina do to ensure we have the workforce talent needed to fill cybersecurity positions? IHME: As a South Carolina-headquartered cyber security firm, having the talent needed to expand operations locally and nationally is critical to keeping up with the growing needed for security services. To be proactive in training and retaining our state’s own security talent, Soteria established nonprofit NodeSC to train South Carolina’s future security workforce. By offering free security courses to deserving high school students with an aptitude for computer science and technology, we are exposing students to careers in security and inspiring them to explore higher education, internship, and career opportunities in the field.
May 14 - 27, 2018
SPONSORED BY SC CYBER
www.charlestonbusiness.com 25
SC CYBER EXCELLENCE AWARDS SC Cyber 2018 Award for Government Excellence Presented to City of North Augusta
The City of North Augusta is in the midst of a $230 million public private development along the Savannah River aptly named, Riverside Village. This development lies just across the river from the Hull McKnight Georgia Cyber Center for Innovation and Training, a $100 million initiative by the State of Georgia for cyber education, training, and research. Over the past year, the City has been looking to leverage the proximity of Riverside Village to the Georgia Cyber Center to attract cyber contractors, startups, and young cyber professionals to
create a cyber economy in North Augusta. In addition, the City recently hosted Gov. Henry McMaster for a discussion on the impact of Cyber in the region. McMaster also celebrated the opening of SC Cyber’s satellite office in North Augusta. The City partnered with the North Augusta Chamber of Commerce, the Savannah River National Laboratory, the University of South Carolina-Aiken, EDTS Cyber, and SC Cyber to host a regional event to introduce the local business community to resources offered by the state’s universities and industry partners across South Carolina.
SC Cyber 2018 Award for Industry Excellence Presented to EDTS Cyber
SC Cyber 2018 Award for Academic Excellence Presented to ECPI University
With campuses in South Carolina, North Carolina, Virginia and Florida, ECPI University offers an accelerated, hands-on education. By attending classes yearround, students can earn a bachelor’s degree in 2.5 years or an associate’s in 1.5 years. ECPI University is accredited by the Commission on Colleges of the Southern Association of Colleges and Schools to award associate, baccalaureate, and master’s degrees and diploma programs. In the last year, ECPI University has remained active in Cyber support, promotion, and education. Outreach includes: • Sponsor of Cyber in the Middle • CIS Dual Credit program with three
Dorchester District 2 high schools • Teams in Southeast Regional and Palmetto Cyber Defense Competitions • Active on SC Cyber and Charleston Defense Contractors Association Education Committees • Sponsor of SC Cyber Summit Scholarships • CIS program articulation with Trident Technical College and Spartanburg Community College • Host 3rd annual IT Showcase for 100 high schoolers • Cyber Summer Camp host • Delivered Java Bootcamp with the Charleston Metro Chamber of Commerce • Designated as NSA Center for Academic Excellence
SC Cyber 2018 Award For Individual Excellence Presented to Joyce Camp
Protecting clients from its 24x7 Security Operations Center, EDTS Cyber offers companies the full lifecycle of IT security –auditing for current security gaps, remediation of those issues, real-time security monitoring, incident response and forensics, along with consistent user security awareness training and testing.
EDTS Cyber helps organizations protect their data, secure their systems and respond to cyber incidents. It serves clients from three South Carolina offices and four locations in Georgia and North Carolina. Employing top talent, utilizing innovative technology and following industry best practices, EDTS Cyber is diligent in protecting private industry, local governments and nonprofits.
The company’s highly trained, certified and experienced cyber analysts, threat hunters and security auditors have led the company to be recognized as one of the top 100 Managed Security Providers in America for 2017 and 2018. Their parent company EDTS, LLC has consistently been recognized as a leading provider of Managed IT services, advanced infrastructure, and IT support services for nearly 20 years.
• • • •
Secured NSA Gen Cyber Camps for Teachers and Students Engaged NICERC for Teacher Development Workshops Designed curriculum for SCDOE in Cybersecurity and Computer Forensics Co-chair of the SC Cyber Education Committee
SC Cyber is a statewide initiative, based at the University of South Carolina and with partners across all levels of academia, industry, and government, with a mission to develop the talent, techniques, and tools to defend critical, connected infrastructure within South Carolina and the United States.