Former White House CIO talks cybersecurity risk mitigation
Cybersecurity expert Theresa Payton provides critical insight on current cybersecurity threats CIOs should be looking out for and how to prepare for them during and after the pandemic.
Theresa Payton, CEO and founder of cyber consultancy Fortalice Solutions and the first female White House CIO from 2006 to 2008, is doing her part during the COVID-19 pandemic and ensuring organizations are prepared for the cybersecurity threats they're facing right now.
With most employees working remotely across industries and having no choice but to rely on video conferencing and email, companies have become especially vulnerable to certain kinds of attacks. It's crucial that CIOs and other IT leaders keep their data secure during these uncertain times by implementing cybersecurity risk mitigation strategies and that they brief their employees on how best to do that from home.
Payton, who has released a book titled Manipulated: Inside the Cyberwar to Hijack Elections and Distort the Truth, gave TechTarget an inside look into the kinds of cybersecurity threats organizations are dealing with and the different ways they can mitigate them.
Research showed that cybersecurity threats were one of the top IT concerns for CIOs and other IT leaders in 2019 and 2020 before the COVID-19 pandemic -- why do you think that is? What is at stake and why is cybersecurity risk mitigation crucial?
Theresa Payton: What's interesting is I saw an updated survey of C-suite executives -- so, not just the technology decision-makers but [it's] anybody in the C-suite, and other than the pandemic and the concerns around business resiliency and disruption to operations, tied for number two is cybersecurity issues and national security issues. I found that fascinating and also very wise. If you think about the mode that we're all in right now where there's a hybrid model of people who are still working in brick and mortar, but then people who are working remote, you have businesses trying to contain and maintain a level of operational resiliency and availability, but cybercriminals around the world all know that we're in this different state. We basically had almost no notice slipping to this different state, and [cybercriminals] never let a good crisis go to waste. They are attacking with a velocity that we have not seen. I can tell you, working incident response and forensics, the amount of calls we are getting for business email compromise. You can tell that nation-states and cybercriminal syndicates are doing probes and planning out attacks. The different key loggers that we're getting calls about are pretty incredible.
What kind of cybersecurity threats should organizations look out for? Is it mostly phishing at this point?
Payton: What's interesting about this is I'm seeing those very effective manipulation campaigns that were used in the elections and for opinion shaping. I'm seeing them used to conduct cybercrimes. What they're doing is they're playing to your third-party supplier, employees and your own employees' emotions right now. And these manipulation campaigns are grabbing their attention on anything from 'Here's where the latest cure is, here's where you can get face masks [and] hand sanitizer' and these manipulation campaigns are bombarding them at exactly the right time of day with the right messages for a targeted demographic. Your employees are then clicking on links, opening attachments that they normally wouldn't and then going about their business. And in doing so, they're infecting devices, retyping credentials and accidentally giving credentials up. They're giving up key information about your organization.
Another example [is] employees who are trying to show [they're] keeping up with friends [and] coworkers. [The cybercriminals] have been taking pictures of their video conferences [and] in the video conferences, you can see names. It doesn't take long to look up what company the employee works for. And the next thing you know, you have enough information to manipulate and social engineer employees at that company.
Are there ways CIOs can prepare for these kinds of cybersecurity threats? What are some cybersecurity risk mitigation strategies?
Payton: In this pandemic stage, one of the best things you can do for your employees is to hold regular weekly or biweekly webinars where you talk to them about different safety tips, different things to be aware of that are both for their work life, but also their personal life. Think about the fact that most of your employees are coworking with a roommate, a spouse, loved ones. They may have children who are remote schooling, from the ages three all the way to college students who have had to come home. So, if you can address them where they are mentally and emotionally with just-in-time security tips for both their work life and personal life, they're going to join the security team, if you will, because they'll know what the ongoing latest threats are.
The second thing we highly recommend to our CIOs and CISOs is to offer some 'office hours' to basically have a security Genius Bar available and encourage people to join your security team on video conferences and have people say, 'I don't know how to get my VPN up and running. I don't know what's going on with my router. My antivirus software and the VPN don't work very well.' You need to get that ground truth of what's going on.
And the last thing is really making sure that you don't end up having employees storing your data out of regulatory compliance on thumb drives, portable hard drives and personal cloud instances.
And how can they implement cybersecurity risk mitigation strategies post-pandemic?
Payton: If you think about what ended up happening, you had a baseline of traffic and how traffic accessed your different applications and your data. Then, all of a sudden you sent everybody home, and you had to get a new baseline of traffic so that you could spot anomalies [and] attackers from your own employees. How it looks around the globe is you're going to [have a] form of a hybrid model, potentially for the next 12 to 18 months while we wait for a vaccine, of people in the office [and] not in the office working remotely [and] working in shifts -- you're going to have to create new behavioral-based analytics so that you know the good traffic and legitimate traffic from cyber operatives and cybercriminals. That planning needs to happen now.
The second part of planning to be thinking about is [that] you probably are in violation of some regulatory requirement. Because when you send everybody home in an effort to do good work for you and for your customers, most likely data storage, data access [and] data handling according to a regulatory framework can't be followed 100% and still get the job done. Maybe you're the CIO or the CISO for an organization that has very large customer call centers that take payment data. Your agents may find when they work from home, that their home Internet with the kids on it [or] with the spouse on it is slow. They may be writing customer payment information on notepads -- they may have no other alternative. You don't know if they have a crosscut shredder at home. So, now you've got customer data sitting on a notepad. These are all things as you're getting ready for post-pandemic [that] you want to find almost like an amnesty, where you help your employees feel comfortable self-reporting. And then you want to spend time with your internal counsel, coming up with a self-reporting mechanism.
What really motivates hackers? You describe some in your book, but let's say the ones who try to hack into enterprises. Would it help if C-suite executives knew why they were doing it?
Payton: I mean, if you're anywhere in the research and development healthcare ecosystem, you're being attacked right now. You have nation-states trying to figure out what everybody else knows, and they're attacking the private sector to do that. But you also have unscrupulous competition going on in other countries. They're looking for every opportunity to steal your intellectual property. If you are someone who does money movement, real estate transactions [or] holding things in escrow -- anything [where] you aggregate the dollars and turn around and pay third party vendors or subcontractors -- you are a target right now because [in] many countries there's a lot of people out of work. And cybercriminal syndicates have been recruiting and people are making good money just stealing information and stealing money out of these different money movement and escrow accounts. Basically, every company is a target, but we are seeing that those two tend to be the most targeted.
The third thing that we're seeing from a company perspective is if they believe that you have received bailout funds or Paycheck Protection Program funds from the Small Business Administration, you are also a target because they know you've received an influx of funds. They're playing upon the fact that you're in constant communication with CPA firm tax accountants and the SBA and your bank, and from a social engineering standpoint, they're trying to get in between you and those other parties.
What have cybersecurity experts learned from Russia meddling in the 2016 election, which is a big topic in your book, that can be applied to enterprise IT?
Payton: For starters, how are these manipulation campaigns going to be used to actually destroy your industry or your company's reputation? When Russia learned that America was achieving energy independence, they knew that would drive fuel prices down and look where we are, we're at historic lows for oil. [But] at the time -- sort of around that 2016 timeframe and beyond -- Russia actually created fake personas of Canadians and Americans and did an antifracking campaign.
There's definitely a focus across different American industries and what you see these nation-states doing is they want to level the playing field. But instead of competing on the basis of capitalism, they're going to compete on the basis of intellectual property theft, hacking in and stealing intercompany confidential communications and then [conducting] reputational campaigns. So those are the three areas that all CIOs and CISOs should look at [regarding] what happened to the U.S. elections and extrapolate forward on how to think about protecting their companies today.
Editor's note: This interview has been edited for length and clarity.