June 15, 2017 by Canadian Underwriter
Tools meant to bolster cyber security are being introduced absent a holistic view, producing even more questions among already-confused businesses expecting some progress on their individual risk reduction efforts, cyber expert Michael Echols suggested Tuesday during a symposium in downtown Toronto.
“Current perimeter intrusion detection is a great tool, but what has happened is the industry is selling products independent of a holistic approach to protecting an environment and reducing risk,” Echols, executive director and CEO of the International Association of Certified ISAOs (Information Sharing and Analysis Organizations) or IACI, told attendees of the symposium, co-hosted by the Travelers Institute and Economic Club of Canada.
“And for all of the people that were confused about cyber security before, they’re even more confused after they’ve spent part of their budget and they still have a problem,” he said during his keynote address at Cyber: Prepare, Prevent, Mitigate, Restore.
This confusion – coupled with how big and unwieldy “cyber security” is perceived to be – may be contributing to inaction, suggested Echols, whose previous role at the U.S. Department of Homeland Security (DHS) focused on public/private partnership to overcome national security and cyber security challenges.
“The word cyber security has become an excuse for inaction. It freezes people,” he argued. “Cyber security is a word that is an accumulation of all of the tools and practices and processes that go into protecting digital infrastructure. And for that reason, people freeze; they do nothing because they don’t know what to do,” he said.
“There is a clear and present danger. And that clear and present danger comes about because of our tools,” he maintained. “When they work, you don’t necessarily know they worked; you don’t necessarily know they didn’t work.”
Exacerbating that is that the problem keeps getting bigger.
“One of the reasons the problem gets bigger and bigger is because our pace at which we work together to mitigate the issues and to mitigate problems that we already know exist is slow,” Echols suggested.
“We’re all going about our business; we’re all doing our thing, making our couple of dollars, thinking it’s going to happen to the next guy, and not me,” Echols said.
That being the case, the idea going forward should be “to help people understand things in a context in which they currently do business or talk or communicate.”
Over the last few years of the previous U.S. administration, Echols said the president and the head of the National Security Agency were sending messages about cyber security – including calling it an economic and national security issue and saying breaches were not a matter of if, but when – that simply have not been picked up.
They “were sending a signal that, we the government, although we can do the role of government and provide tools and protect our borders and we can look at things in a very holistic, global way, we can’t protect you down at the enterprise level. We can’t do it, it’s not our responsibility and we’re not going to do it,” Echols said.
“Somehow, that message hasn’t got across to people,” he added.
“The virulence at which people are trying to break into our system, steal data and disrupt our way of doing business is growing exponentially,” Echols cautioned.
“We don’t even need to think about it in terms of numbers and percentages, because at the point at which you’re breached, you’ve got a problem,” he said simply.
Echols’s message was clear. “Cyber security is risk management.”
Breaches are up, and yet those numbers represent only a small portion of what is happening. “Don’t be fooled; multiply by 10. Most people never tell you,” he said.
With regard to ransomware, Echols pointed out, “most ransomware attacks do not ever get communicated outside of the organization that pays the ransom. So the level of the attacks by the people doing ransomware attacks is on the increase, people are paying the ransoms. Do you think that that’s going to stop? No.”
Echols said he can go on the Internet and find many companies providing assurances that they can protect against a ransomware attack, but “that’s not true, right? So all of this drives to the point of if cyber security is risk management, are you managing your risk, because the government is not coming to save you.”
Working with government, IACI strives “to help people share information about what they’ve learned relative to creating cultures of cyber security, educating each other, teaching each other based on a trust environment, teaching each other about things that may have happened to them so that it doesn’t happen to the next guy.”
During his time at DHS, Echols reported, considerable thought was put into cyber security, including what the future might look like, the fact that attacks were becoming more virulent and that organizations were trying to deal with issues individually.
“We thought about the fact that when people work closer together, and we’ve seen it, you actually can put up a defence. You’re not committing to being a victim,” he said.
Resources are available, Echols emphasized. The question is, “do you have the will to protect yourself?” he asked.
“It is important for employers and employees to recognize potential cyber scams, which are becoming more sophisticated and difficult to detect,” Joan Woodward, executive vice president of public policy for Travelers Companies, Inc. and president of the Travelers Institute, the insurer’s public policy division, says in a company statement.
“We are pleased to work with the Travelers Institute to help educate companies about creating a strategy to help prevent and recover from a cyber intrusion,” adds Sophie LaPointe, director of operations at the Economic Club of Canada.