IoT, cloud computing, nation-state threats redefining enterprise security, panelists say

Companies need to worry about securing hardware that's connected to the Web as well as Windows, said one speaker

A printer that connects to the Web may pose as great a risk to enterprise security as an OS vulnerability, but yet companies worry about the latter and too often ignore the former, said a CTO during a discussion at MIT.

With more devices gaining Web connectivity as part of the Internet of Things movement, hackers have greater opportunities to exploit weaknesses, said Patrick Gilmore, CTO of data-center and telecommunications service provider the Markley Group. The people who write software for printers may not be worried about security, he said.

"No one talks about what if your printer is hacked and every document your CEO printed is posted to a blog," he said.

The session, part of the Massachusetts Institute of Technology Sloan CIO Symposium Wednesday, covered a range of security issues, including cloud computing, emerging threats and data security.

Companies using cloud services should review what conditions would allow a provider to cut off a customer's service, said Rob May, CEO and co-founder of Backupify, which backs up data stored in cloud applications to a separate cloud system.

"You have a responsibility to protect your data. You can't outsource all your security to a cloud vendor," he said.

A Backupify customer that uses Gmail approached the company about securing its data if Google terminated its email account, May said. The customer works in a controversial business, he said, and presented a scenario in which Google would drop the business as a client after people protested the company's service providers. The company asked Backupify how quickly it could migrate its email data to Microsoft Outlook if such a situation occurred, May said.

Cloud customers need to ask better questions when considering Web services, Gilmore said.

Instead of inquiring about a cloud provider's physical and technical security measures, customers ask about pricing and backup procedures, he said. Physical plans are especially important, he said, since cloud data is ultimately stored in hardware and some vendors throw out hard drives instead of destroying them.

The challenge for security teams is in balancing the need to share data to achieve corporate goals while maintaining security procedures, said Mark Morrison, senior vice president and chief information security officer at financial service firm State Street Corporation.

State Street is moving risk management security to counteract emerging threats, Morrison said. Security is no longer "if we do these five things we are somehow magically secure," he said, adding that companies can no longer simply follow a checklist that includes basic security measures like establishing a firewall.

"You've got to realize prevention isn't going to be your sole protection anymore," he said.

For example, Morrison is looking to deter cyberattackers by making the investment required to wage an attack cost more than the return.

"If you can increase their costs, hopefully they'll move on," he said.

New threats are coming from nation states that include cyberattacks as part of their defense plans. In some instance, these countries are funding attackers and using them as "cybermercenaries," he said.

Morrison is also looking to increase the use of two-factor authentication and decrease reliance on passwords.

"Password are a complete waste of time," he said. "They are the equivalent of signing the back of a credit card."

Passwords need to be 14 or 16 characters long to offer protection, he said, so people write them down to remember them, which places them at risk of being misused.

Trying to control employees use of USB-equipped devices to transfer data is another ineffective security measure, Gilmore said.

Identifying USB devices is challenging, he said, noting that the technology is found in common items like pens and watches.

"Data is ubiquitous, easy to transfer," he said. "How do you keep them from using USB? You don't."

Instead, companies should implement policies that make workers not want to steal data, and consider how to contain damage if information is leaked.

Businesses hiring IT security professionals should find candidates who think like the enemy, since cyberscofflaws don't follow rules.

"You need to have people that think like attackers," he said.

Fred O'Connor writes about IT careers and health IT for The IDG News Service. Follow Fred on Twitter at @fredjoconnor. Fred's e-mail address is fred_o'

Join the CSO newsletter!

Error: Please check your email address.

Tags securityState Street Corporation

More about FredFred'sGoogleIDGMassachusetts Institute of TechnologyMicrosoftMITTechnology

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Fred O'Connor

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place