Cybersecurity culture: Arrow in CIOs' quiver to fight cyberthreats

Who should own your cybersecurity culture? How can we protect rampant IoT devices? MIT Sloan researchers clued CIOs into their latest research at Tuesday's SIM Boston Summit.

It is a truism that the most vulnerable elements of an enterprise's cybersecurity regime are the people sitting in front of the screens. Hardening a workforce against phishing attempts reduces the risk of a potentially devastating breach, and according to one top researcher in the field, establishing a cybersecurity culture is key to preventing hacks.

One of the best ways to do that is to put someone in charge of encouraging a culture of safe and cybersecure behaviors and decisions, said Keri Pearlson, executive director of Cybersecurity at MIT Sloan (CAMS).

"The companies that we've seen successfully change their culture have someone who owns [cybersecurity] culture," Pearlson said after a talk at the SIM Boston Technology Leadership Summit held at Gillette Stadium in Foxborough, Mass., on Tuesday. "Their job is to make sure that the word and the behaviors and the values and the attitudes and the beliefs are adjusted and informed."

An important piece of advice: The executive tasked with fostering a cybersecurity culture should be separate from the chief information security officer, because the CISO has a much bigger portfolio, Pearlson said.

Pearlson, along with MIT Sloan colleagues Matt Maloney and Keman Huang, gave CIOs at the SIM event a glimpse into their recent research on cybersecurity, which includes learning as much as they can about how attackers interact on the dark web and how to defend against strikes that target weaknesses in people and software.

Cybersecurity culture

Training is only a piece of what is necessary to establish a cybersecurity culture, according to Pearlson, who said companies can reinforce good practices by incorporating cybersecurity into employee evaluations.

"If I evaluate you on how many times you click on a phishing email, or if you do cybersecure behavior so I reward the positives or have consequences for the negatives, you're going to change your behavior," Pearlson said.

The CAMS team at MIT is looking into a range of other cybersecurity threats, including the billions of relatively unprotected network-connected smart devices, and the business models used by those who perpetrate cybercrimes.

About 84% of cyberattacks can be attributed to human error, such as failure to install a patch, using simple passwords or leaving devices in insecure places, according to Pearlson.

Bolstering security for burgeoning IoT devices

Establishing a cybersecurity culture is necessary, but not sufficient, to safeguard enterprises. The adoption of new technologies leaves companies vulnerable to new attack vectors -- in part, because security was not a high priority for the developers and manufacturers eager to get new products to market. Pearlson's colleague, research scientist Matt Maloney, has been working on a "lightweight security agent" to run on one such technology: internet-of-things devices.

The software would create a whitelist of permissible activities for IoT devices -- such as remote monitors and temperature gauges -- creating guardrails to prevent the machines from being manipulated by bad actors.

"It's a lot easier to look at the problem by looking at the bounds of what is normal and what is not normal," Maloney said. "Because if you know how the device as normal is supposed to run, then you can easily spot abnormalities."
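The allowlist idea Maloney describes can be illustrated in a few dozen lines: for each class of device, write down the destinations, protocols, message sizes and message rates that constitute "normal", then treat anything outside those bounds as an anomaly worth alerting on. The following is an added example, not code from the MIT CAMS project; the device classes (`temp-gauge`, `remote-monitor`), the `*.plant.example` hostnames, the device IDs and the event log are all constructed for the demonstration.

```python
"""Allowlist-based activity monitor for constrained IoT devices.

Added illustration (not MIT CAMS code): define the bounds of normal
behaviour per device class and flag any activity outside them. Policies,
hostnames, device IDs and events below are constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: float        # seconds since epoch (constructed)
    device: str      # device identifier
    dst_host: str    # destination the device contacted
    dst_port: int
    proto: str       # "tcp" or "udp"
    nbytes: int      # size of the message sent


@dataclass(frozen=True)
class Policy:
    """Permissible activity for one device class (the 'bounds of normal')."""
    hosts: frozenset        # destinations the device may talk to
    ports: frozenset        # (proto, port) pairs it may use
    max_bytes: int          # upper bound on a single message
    max_per_minute: int     # upper bound on message rate


# Constructed policies: a temperature gauge only reports to one collector
# over CoAP; a remote monitor also syncs time and uses MQTT over TLS.
POLICIES = {
    "temp-gauge": Policy(frozenset({"collector.plant.example"}),
                         frozenset({("udp", 5683)}),
                         max_bytes=256, max_per_minute=12),
    "remote-monitor": Policy(frozenset({"collector.plant.example",
                                        "ntp.plant.example"}),
                             frozenset({("tcp", 8883), ("udp", 123)}),
                             max_bytes=4096, max_per_minute=60),
}
DEVICE_CLASS = {"tg-01": "temp-gauge", "rm-07": "remote-monitor"}


class Monitor:
    def __init__(self, policies, device_class):
        self.policies = policies
        self.device_class = device_class
        self.window = defaultdict(list)   # device -> timestamps in last 60 s

    def check(self, ev):
        """Return the list of bounds this event violates ([] if normal)."""
        cls = self.device_class.get(ev.device)
        if cls is None:
            return ["unknown device"]          # not in inventory at all
        pol = self.policies[cls]
        reasons = []
        if ev.dst_host not in pol.hosts:
            reasons.append(f"destination {ev.dst_host} not allowlisted")
        if (ev.proto, ev.dst_port) not in pol.ports:
            reasons.append(f"{ev.proto}/{ev.dst_port} not allowlisted")
        if ev.nbytes > pol.max_bytes:
            reasons.append(f"message size {ev.nbytes} > {pol.max_bytes}")
        # Sliding one-minute window for the rate bound.
        recent = [t for t in self.window[ev.device] if ev.ts - t < 60]
        recent.append(ev.ts)
        self.window[ev.device] = recent
        if len(recent) > pol.max_per_minute:
            reasons.append(f"rate {len(recent)}/min > {pol.max_per_minute}")
        return reasons


def scan(events, monitor=None):
    """Run every event through the monitor; return (device, ts, reasons) alerts."""
    monitor = monitor or Monitor(POLICIES, DEVICE_CLASS)
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        reasons = monitor.check(ev)
        if reasons:
            alerts.append((ev.device, ev.ts, reasons))
    return alerts


# Constructed activity log: normal gauge readings, one gauge connection to
# an unexpected host/port, a message burst from a monitor, and an unknown device.
SAMPLE_EVENTS = (
    [Event(10.0 * i, "tg-01", "collector.plant.example", 5683, "udp", 48)
     for i in range(6)]
    + [Event(55.0, "tg-01", "203.0.113.9", 23, "tcp", 48)]
    + [Event(100.0 + 0.5 * i, "rm-07", "collector.plant.example", 8883, "tcp", 512)
       for i in range(65)]
    + [Event(200.0, "cam-99", "collector.plant.example", 8883, "tcp", 512)]
)

if __name__ == "__main__":
    for device, ts, reasons in scan(SAMPLE_EVENTS):
        print(f"{ts:8.1f} {device:7s} {'; '.join(reasons)}")
```

Because the policy is written as an allowlist, the monitor needs no knowledge of specific malware or exploits: a gauge opening a Telnet session to an unfamiliar address is flagged simply because that was never part of its declared normal behaviour. On a real constrained device the policy table would be the only state that has to fit in memory, which is what makes the "lightweight agent" approach plausible.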

There are more than 23 billion IoT devices online today, and by 2025 that number is projected to grow to more than 75 billion, according to Maloney, who said most of them are used in industrial processes. The ballooning use of IoT devices expands the attack surface, and the devices themselves often have significant security weaknesses, according to Maloney.

"A lot of these IoT devices come out and they're deployed and the original manufacturers are already onto version No. 2 before they stop selling version 1," Maloney said. "And they really don't have patching cycles, and there's no laws or regulations that say they have to go out and patch these devices, so a lot of consumers are left with vulnerable devices. They might not have been vulnerable when they were released, but vulnerabilities get found on a daily basis, and that's given rise to huge IoT botnets all over the world."

IoT devices usually have very limited memory and computing capacity, and some don't even have an operating system. Maloney's research is working on creating software that could be distributed via a blockchain that would run on a wide range of industrial devices and dictate what activities are permissible for the devices to perform.

"Right now, there's not [an] out-of-the-box solution," Maloney said.

The project has received funding from the Department of Energy, and in the next phase, researchers will use test beds that simulate systems such as power plants that make substantial use of IoT devices, according to Maloney.

From left to right: MIT Sloan researchers Keman Huang, Matt Maloney and Keri Pearlson discuss their latest cybersecurity research with CIOs at the SIM Boston Technology Leadership Summit.

Business models used in cybercrimes

While developers try to protect industrial tools so they cannot be deployed in cybercrimes, other research at MIT has shown how criminals on the dark web have professionalized criminal hacking.

"It's no longer a hobby, but actually it can run as a business," said Keman Huang, a research scientist at MIT Sloan. "Hackers now have become more well-organized."

Criminals with specialties in hacking, domain expertise and money laundering can be hired for cybercrimes by corrupt business people.

Huang predicted that cybercrime will become cheaper and more scalable, and he said understanding how cyberattacks are formed will better inform efforts to combat them.

A next step in the research will be to determine the best and most widespread business models for cybercrime, according to Huang.