Robotic Process Automation, or RPA, works by teaching a software robot how to work with existing software to perform a process. Listen to learn how your company can take advantage of this new technology.
Enter your email address to be notified about Laserfiche’s latest RPA features:
Welcome. I’m Heather Taylor with Simplicity 2.0’s Podcast. Have you ever had the feeling that a problem is getting both better and worse at the same time? Cybersecurity can feel that way. Events ranging from the Target hack in 2013 up to the phishing during last year’s US presidential campaign have kept the topic in the headlines so we must have all learned to take precautions, right? Well, not exactly. And the problem starts with the we.
Increasingly hackers are eyeing departments not commonly thought of as targets, like HR. And of course hackers will always evolve their strategies to match the opportunities whether those are newly emerging platforms like chatbots, or taking advantage of that sense of complacency that comes from thinking no more needs to be done to secure data. So how can you and the company you work for meet this ever evolving challenge?
Simplicity 2.0 is brought to you by Laserfiche, the world’s leading enterprise content management software which manages and controls information –
— so you can empower employees to work smarter, faster and better. We’re today with Niel Harper, managing director at Octave Consulting and World Economic Forum young global leader. So Niel welcome to the show. So to start I wanted to ask what are the most significant ways that cybersecurity risk has evolved over the past year?
I think one of the primary ways that cybersecurity risk has evolved in the last year would be that you’re seeing more and more nation states using cybersecurity capabilities as a way to attack other nation states and we’ve seen it with, you know, the disproportionate mass surveillance where the people are being hacked. And you saw the situation where the US election where the Democratic National Convention was hacked and their private data –
—was released. You’re also seeing more and more information manipulation as a political tool as well and that’s basically fake news. We’re also seeing because of the prevalence of drones, you’re actually seeing more and more drone jacking. So you’re seeing attackers conscientiously attacking and controlling drones and this could be a threat in terms of if they fly the drone into protected air space if you use the drones to spy on someone.
So and you’re seeing so many different evolving attacks as well around infrastructure, critical infrastructure where you’re seeing attacks against large service providers –
— like Verizon and AT&T and other service providers where you’re seeing the core internet infrastructure actually being attacked. And it’s compromising networks to the point where people are unable to access the internet in large parts of countries like for example earlier this year there was a distributed denial of service attack that essentially brought down the whole northeastern coast of the United States.
So I mean I’ve seen a number of different risks, but I think these would be the main ones I’ve seen in the last –
Heather Taylor: So if everyone agrees that cyber security is so important and these things are happening on, you know, a bigger scale ongoingly on a bigger scale, why do people still forget about the basics like reusing old passwords and making personal copies of corporate data or, you know, clicking on phishing emails?
So if everyone agrees that cyber security is so important and these things are happening on, you know, a bigger scale ongoingly on a bigger scale, why do people still forget about the basics like reusing old passwords and making personal copies of corporate data or, you know, clicking on phishing emails?
I would say –
— there’s an interesting dynamic with users. There’s this risk and reward kind of dynamic with users even though users have these privacy and security concerns they’re more interested in the reward that comes with accessing platforms like social media platforms, you know, Facebook, Instagram and it’s not just accessing these platforms but accessing them in an expedient way.
So people are willing to trade off their security and privacy just to have efficiency and convenience. So you see where someone says, you know, I need to access this platform now. I don’t have time to consider complex passwords with capitals and alphanumerics and symbols, et cetera. And –
— that’s kind of driving some of this really some of these really poor behaviors online. And the same goes for when people make copies of corporate data. You know, instead of saying look, let’s get this data. Let’s store it. Let’s encrypt it. Let’s make sure we use outer-band means to convey encryption keys.
People see that as too complex. It’s not efficient. It doesn’t allow them to do their job or meet certain objectives in an efficient manner. So they’re willing to compromise on security and privacy for efficiency. And that I think that’s part of the reason that we’re seeing such really poor hygiene online.
In terms of phishing, I think it comes back to efficiency as well. People will receive mail that appeals to them saying, you know, get this deal.
To get this deal click here or to see this news article on someone that’s kind of a, you know, it’s very interesting, very intriguing news article and people don’t take the time to check to see if the URL is actually a legitimate URL. It’s really the risk and rewards dynamic.
No, exactly. So you’ve been reading that some studies have found that the worst offenders in cyber security best practices are usually C- level executives as well as IT staff themselves. So you know, they are those ones using those lousy passwords or falling for phishing schemes and circumvent security-using cloud services. So what does it take to get them to comply and to set a better example for their organization?
I’ll start by saying this. I think there’s this assumption that an IT staff member should essentially have cyber security skills –
— but cyber security is a very niche skillset. Like you can have a good system administrator. You can have a very good network administrator who don’t necessarily have cyber security skills. That’s why you see like security architects or security auditors or assessors are really specialized. So I think there’s a situation where IT staff actually may not know that they’re compromising the enterprise security. They’re really trying to get things to work.
And I realize that from meeting with a lot of like customers and working with them through some of their cyber security issues where IT staff are good at making things work. They can get your systems up and running. They can get your network up and running. They can get your applications functioning with the right features that meets the organizational’s functional –
— and day-to-day business needs, but they don’t necessarily know how to secure these systems. So I think that’s part of the problem. In terms of sea level executives it’s really kind of the same issue but there’s also in organizations their CEOs, CFOs functional sea level execs are really good at their jobs in terms of defining strategy, business alignment, you know, looking at competitive and market forces, but they are not knowledgeable in terms of cyber security.
It’s not their day-to-day job. And there’s not a large demand on C-level executives to have that skillset or to have an understanding. It’s necessary and we’re seeing a trend where more and more organizations are hiring individuals –
— especially for the executive positions as well as their directors on their boards who have understanding of cyber security and not necessarily at the technical level but more of how it impacts the business from operational risk, reputational risk, financial risk. What are some of the risk responses that the business needs to put in place to address cyber risk?
So you’re seeing more governance risk and control being imbedded into businesses because traditionally cyber security has not been an important priority at the sea level. And because you’re seeing more and more businesses financials being affected and their market positions being affected as well as in some countries our jurisdictions there’s actually mandatory that you have a chief privacy officer or a chief information security officer. So it’s being driven by market forces –
— as well as regulatory requirements.
So if we’re looking at what the C-suite has to think about for the upcoming year, are there any – I know you talked about drones, drone jacking which to me sounds terrifying – but what new cyber security risks do you see emerging in the upcoming year?
So I think we’ve seen in the last few months we’ve seen a greater prevalence of ransomware attacks. So there are a lot of different types of ransomware. The ransomware developers are consistently making changes and amendments to make the ransomware more stealthy and more effective so companies in the next few months to the next year really need to look at how they respond to their risk of ransomware and it’s traditionally –
— being, you know, companies think yeah, we have backups so that’s not a problem. But it isn’t just having your backups. It’s making sure that your backups are robust backups like you can backup disc to disc and then backup to a tape. Take the tape offsite. You can encrypt backups when they’re stored and you know, putting more robust controls around how you secure your data from ransomware.
In terms of emerging trends as well, I would say there are more and more attacks against critical network infrastructure. And I say critical network infrastructure I mean like your reservoirs, your electric supply. You’re seeing more attacks against infrastructure that if they’re compromised –
— there’s a serious impact in terms of human life and public safety. So I think more critical network infrastructure owners need to focus on securing the network and they need to coordinate with each other as well to share information to better understand the threats, to do threat modeling to give them a better insight into the threats they’re being faced with and how to respond to these threats in a timely and effective manner.
I think too what’s really important as well we’re seeing a lot more attacks against cell phones and tablets, mobile devices because I think the threat factors recognize that the enterprise is a space that they’re seeing a lot more controls, a lot more improvements in security but the end users, many of them –
— are not aware of cyber threats. So you’re seeing a lot more attacks through phishing, through spam, spam as a malware vector.
You’re also seeing a lot more malicious applications in software in legitimate like legitimate stores like the Apple Store like Android Play. So I think those are some of the emerging threats that not just enterprise but end users need to be focused on.
Heather Taylor: So I just have one last question for us to wrap this all up. So I think, you know, this might be the biggest question for our listeners. So what kind of strategy can ensure your company or I guess an individual as well, as you’re saying it’s individual attacks, for them to stay engaged and protected when it comes to cyber security because it’s always evolving?
yeah. I think from an enterprise perspective I think what –
— companies need to change their organizational thinking, their groupthink. And instead of seeing cyber security as being the responsibility of the IT department cyber security really needs to be seen as the responsibility of everyone in the organization. And that’s key. Not just the executive level, not just at the board of directors’ level, but right down through the organization.
I think the tone needs to be set from the top as well where the C-level executives start to include cyber security discussions in their executive meetings, board of directors need to have a running team or discussion point on cybersecurity. They need to compel the IT departments to regularly report on how investments in cyber security capabilities are actually performing –
— because that’s something that many companies don’t do. Hey invest in cybersecurity controls and new technologies and training, but there’s no way to get the metrics on how those controls are performing. So I think across the organization there needs to be a more, a better understanding of cyber security risks, how those risks impact the business as an entity and really kind of imbed that kind of risk, risk mentality throughout the organization so everyone feels as though they have a stake in protecting the organization’s infrastructure and information assets.
In terms of end users, I’ll circle back to the risk and risk and reward discussion we had earlier. I think end users need to really focus on –
— awareness, security awareness. There are a lot of different websites. There’s a lot of different newsletters that you can subscribe to that really gives you good information on traps rather it be end users or organizations to help you better know how to protect yourself. And users are harder because in an organization you can mandate cyber security and awareness programs.
You can mandate that it’s linked to your performance appraisals. You can have information security policy or accessible usage and group agreement that gives you enforcement authority that you can require someone if they don’t adhere to the direct security and hygiene. But an end user doesn’t really have any consequences except in the very end where their data is compromised, where their identity is stolen. So it’s harder –
— for an end user, but I think we’re seeing a lot of enterprises also using an approach. They’re seeing security as a service and I say that cyber security as a service as a differentiator. So where they were organizations whether it be a bank whether it be a technical provider, whether it be a cable provider who are sending, actually actively sending out whether it be text messages, emails, sending note cyber security awareness to their consumers as a differentiator that says look; we’re really concerned about you and your privacy and we are providing this as a service that differentiates us from our competition.
Fantastic. Well thank you so much for joining us today on Simplicity 2.0. Remember to add Simplicity 2.0 to your favorite RSS feed or ITunes. Thanks to Laserfiche –
[End of Audio]