“We are using antivirus protection,” “Our IT department is taking care of it,” “We have lots of internet security tools” and “We are not connected to the internet or the Internet of Things” and therefore “we are secure” are some of the perceptions that were shattered at this year’s Armour Expo conference.
Antivirus software only detects viruses but nothing more, and it only detects 50 percent of the viruses, said keynote speaker Janine Darling, CEO of cybersecurity company STASH Global.
“Does it help? Absolutely,” she said at the one-day cybersecurity conference at the Marriott Beach Resort on Wednesday, but three-quarters of businesses are, for example, not protected against ransomware, just one form of computer virus.
Most IT departments are good at their job of making sure that everything is up and running and that the most recent software is installed, or of evaluating what type of new technology could add value to a business. But, Ms. Darling noted, an IT department typically has little security experience.
Even if information is air-gapped and has no connection to the internet, employees, contractors, third-party providers, building management and other service providers can still pose a security risk.
Statistics show that most proprietary company data is stolen by employees and 99 percent of computers are vulnerable to intrusion, most likely through so-called zero-day exploits of outdated, unpatched software versions, she said.
Meanwhile, simply relying on the protection of cloud services providers because one’s data is in the cloud is also not necessarily safe, she added.
The STASH CEO said tools will help keep out less experienced cybercriminals and mitigate some of the risk, but a tool is not a solution.
A true solution, she argued, would be based on data-centric security, an approach that emphasizes the security of the data itself over the security of networks, servers or applications.
The aim is to overcome the disconnect between the business management’s objectives and security, which can easily become an end in itself. The approach typically involves the identification of where the data is stored and how sensitive it is; managing access to the data; and then protecting it against loss or wrongful use by, among others, constantly monitoring data usage.
The data will be encrypted and sometimes spread around in multiple copies to protect against data loss.
There are two basic strategies, depending on how much valuable data an organization has, Ms. Darling explained. “If you have a lot of valuable data, then find a gap-centered solution, protect it all and then segment it out. Or when you know where your really valuable data is, segment it out first and then protect that valuable data.”
The other critical component is that often IT providers have access to the data. But, Ms. Darling emphasized, “you want to be the only one holding the keys.”
Conor O’Dea, chairman of Cayman Finance, and a board member at Butterfield Group, meanwhile put the evolution of cyberthreats into context.
The role of the head of security in banking has changed dramatically, to the extent that the position should be part of the management board, he said. Cybersecurity is also now a discussion item at every board meeting, and there is much more attention and dollars spent on the issue.
“The problem is, there is a lack of responsibility around where the problem lies,” Mr. O’Dea said, because employees and customers do not always accept or behave according to the rules that effective security demands. How to educate customers and employees to behave well in the security domain is the biggest problem, he said.
In addition, it is a challenge for any organization to manage and analyze customer data and handle related ethical and disclosure issues. Likewise, staying on the leading edge of innovation and not crippling the business through security mitigation is a difficult balance to strike, he said.
It used to be expensive to make things public, and cheap to keep them private. Now it is the reverse, the Cayman Finance chairman concluded.
The idea for the Armour Expo conference started in 2016, “when we saw a lot of challenges and innovations around the internet and cybersecurity,” said Polly Pickering, managing director of IT and cybersecurity firm eShore.
“We found that we did not have enough people arming ourselves, arming our communities, arming our businesses and arming our children to really be enabled to do what we needed to for both challenges in security, innovation, Fintech and a lot of the things that are coming down the road,” the event co-founder said.
“So, we decided that it would be good, with some of our friends at Sure International and our sponsors, to put together a venue to arm ourselves and our communities.”