Experts on the Top Information Security Considerations for the High Tech Industry
20 infosec experts weigh in on the top infosec considerations for the high tech industry.
High tech companies are impacting and innovating every industry, from healthcare and manufacturing to consumer goods and travel. The very nature of the high tech industry makes it particularly vulnerable to many of the advanced threats that exist in the modern landscape. Threats originate from inside and outside the organization and result from unpatched vulnerabilities, third-party applications, and employee negligence.
High tech companies must remain vigilant and maintain a robust security posture to protect not only the company's sensitive data, but also the wealth of data generated by customers and users. To find out what information security concerns are most prominent for today's high tech companies, we reached out to a panel of industry leaders and infosec pros and asked them:
"What are the top information security concerns for the high tech industry?"
Meet Our Panel of High Tech Industry Pros and InfoSec Experts:
Read on to learn what our security and IT pros had to say about the biggest infosec concerns facing today's high tech companies, and what you can do to mitigate these prominent risks.
Sundeep Narang is a Node.js-based full-stack web application developer and Senior Software Engineer at Quality EDGAR Solutions, Inc. He has a passion for innovation and has been creating enterprise-scale applications, single-handedly, for two years. Sundeep came to the United States to study Computer Science at New York University.
"In this age of smart devices, the amount and sensitivity of user data has increased overwhelmingly..."
Voice activated assistants, smart watches, and biometric screen locks store the very essence of the user. Any breach to this information can easily lead to identity theft or worse. Security has never been more in demand and needed. Some of the top information security concerns to high tech firms would be as follows:
Recently it was discovered that every Intel and AMD processor is vulnerable. These vulnerabilities, named Meltdown and Spectre, exist in the hardware architecture of the processor. The software patches that have been made aren’t stable or reliable and can reduce the speed of a system by up to 20%. This means nearly every computer on the planet is currently vulnerable. We can’t trace any exploitation of these vulnerabilities as they leave no evidence, nor do we know how long it will be before we get a good patch. This leaves a big hole in security for any company – even cloud-hosted systems are vulnerable.
Last year a similar vulnerability was found in WPA2 encryption for Wi-Fi. The encryption algorithm was itself flawed. Not every router maker has issued a patch yet and even for those who have created a patch, not every user has applied the patch. Such large scale vulnerabilities pose great threats to the information security of every company. Companies will have to be proactive and diligent in handling threats like these. They will have to make sure every system is patched at the earliest, and unpatchable issues are monitored until solutions are found.
With the increasing number of IoT devices that have no security protocols, it has become easy to use them as bots. A hacker could control thousands of these devices without knowledge of the users. At best, they would use them for bitcoin mining, but they can also launch large scale DDoS attacks. We saw such an attack on Dyn DNS in 2016, and it was successful in taking down sites like Twitter, GitHub, and PayPal for a few hours.
What makes them so dangerous is that there isn’t a way to prevent them. Because traffic is originating from sources (bots) scattered around the globe, you cannot filter them out. You cannot easily identify which user is a legitimate user and which user is a bot. All you can do is scale up to handle the traffic. There are research projects and products that use AI to intelligently identify bots and filter them out. However, these products are still far from being production ready and reliable. Companies have to set up their cloud architectures intelligently and set up rules to scale up automatically in the case of such an attack. They have to build more redundancies. There is no direct mitigation technique yet, so companies will have to make their systems strong enough to handle such attacks.
Third-Party Applications and Libraries
A good way to achieve results fast is to not re-invent the wheel and use something already available. However, it does come with a caveat of “use at your own risk.” Thus, any third-party application needs to be vetted thoroughly. Sometimes third party applications are used to protect your system, like antivirus software. In these scenarios, it is of paramount importance that these applications are vetted.
Open source applications and libraries can help overcome this issue. They give the user an option to look under the hood and make sure nothing malicious is coded in them. Also, in their making and use, they have been reviewed by a large number of users. However, in any scenario, it is of the utmost importance that companies thoroughly review any third-party application or library being used by them.
Isaac Kohen is the CEO of Teramind, a software organization taking a user-centric security approach to monitor employee behavior. Teramind software streamlines employee data collection in order to identify suspicious activity, detect possible threats, monitor employee efficiency, and ensure industry compliance.
"Data protection should be a top concern for the high tech industry given the wider 'attack surface' in this industry..."
Beyond the threat of lost customer or employee data, which plagues all industries, the high tech industry is particularly vulnerable to data breach for the following reasons:
- Presence in supply chain: High tech products are part of the infrastructure of almost every organization. So, high tech companies are an attractive route to get to ‘bigger fish.’
- Wide adoption of early-stage technology: The high tech industry is typically an early adopter of technology, some of which may be less than thoroughly vetted from a security standpoint. A culture of ‘shadow IT’ can make it difficult to have good insight on where corporate data lives and who has access to this data.
- Vulnerabilities within the product: Vulnerabilities in high tech products, whether traditional hardware, IoT, or software, can introduce the possibility of data loss for customers.
- The importance of IP: Intellectual property is a key crown jewel for high tech organizations. Competitors and disgruntled employees looking to establish their own enterprises are targeting this data.
Data protection starts with a complete inventory of sensitive data (whether customer data or internal data), where it’s stored, who has access to it, what is the approach to prioritizing investments based on data sensitivity, and what’s the plan if the data is breached. High-tech security and IT leaders should assess these vulnerabilities and ensure they have both a protection strategy and an incident response plan in place for each vulnerability.
Data loss is costly from a recovery and reputation perspective, and governments across the globe are increasing scrutiny – and fines – after a data breach. High-tech organizations should make data protection a top priority.
Siobhán McNamara is a Data Scientist at Agari.
"The security concerns for high tech companies fall into three categories..."
Communication, Storage and Risk Awareness.
1. Communication: Email is core to the functioning of every organization. Internal email between employees and external mail with clients, vendors, or partners are imperative to getting things done. Both, however, pose a security risk. Due to its volume and key role in an organization, email has become the weapon of choice for hackers. Spoofs, fooling an employee that you are a colleague to gain access to sensitive information, are commonplace. This past year, White House officials were tricked by a spoofer who claimed he was a colleague. In one spoof, he convinced the cyber security officer at the White House that he was Jared Kushner and received that officer's private email address unsolicited.
- Authentication – DMARC authentication is a protocol any organization can implement to verify that all of the emails they receive are in fact from the sender they purport to be from.
- Email Security Applications – let the experts manage it. There are email security applications you can purchase from companies specializing in authentication for enterprises.
- Hedge yourself, incorporate other forms of communication – internal messaging services can often be more secure and allow for quick verification of any suspicious content.
2. Storage: Information storage is both a necessity and a huge weakness. Most organizations need to house massive amounts of data to comply with privacy regulations, enable daily tasks, and facilitate business analysis. Computing has moved largely into the cloud, and keeping data stored in one place with only one point of failure is not commonplace anymore. However, as things change, fraudsters evolve and develop new ways of penetrating weaknesses. We learned lately that Uber leaked data of 57 million users and drivers in 2016. Hackers discovered that Uber developers had published their usernames and private access keys on GitHub, allowing readers access to their Amazon Web Services-based datastores. Uber reportedly paid a ransom of $100,000 to the hackers to keep the leak under wraps.
- Encrypt data at rest: Data that is stored and is stationary can be encrypted without breaking the bank. Data storage platforms will offer security measures for data at rest. Be sure to incorporate this into your data plan.
- Protect data in motion: Data that moves between hosts and storage systems and is replicated on various platforms requires a separate security approach. This will depend on the data needs of the organization in question. Storage solutions may encrypt data at the network level, in networking equipment, at the application level, in the database, or at the data set or operating system level. Talk to the experts managing your storage solution and explain your data environment. They will create the best security solution depending on how your data moves. Data Loss Prevention solutions also help protect data at rest and in motion.
3. Risk Awareness: Oftentimes, it is not a hacker breaking through security but an error on the part of an organization that leads to an enormous breach. In June, a marketing company, Deep Root Analytics, working for the Republican National Committee, leaked sensitive data of over 60% of the US voting population. The data was accidentally stored on a publicly available Amazon cloud server. This included information on about 200 million US citizens’ home addresses, birthdates, phone numbers, political views, and analyses used by political groups to predict where individual voters fall on controversial issues such as gun ownership, stem cell research, and the right to an abortion. In another blunder this year, the Swedish Transport Agency (STA) released sensitive information on the country's military units and witness relocation program. The STA had contracted IBM to manage its databases and networks. However, the STA mistakenly uploaded IBM's entire database onto cloud servers and then emailed the data to marketers in clear text format.
Solution: These are data governance issues. Mistakes are bound to happen, but on this scale it is data negligence. This is a highly specialized field and one of pertinence to every organization. There are trained specialists who architect data pipelines and generate succinct data governance procedures. This places accountability in one central place and keeps details from falling through the cracks. Give your organization's data the respect it requires and hire data security and data governance specialists. An effective data storage strategy will in turn promote security awareness and encourage employees and users to consider best practices from both a technological and a process point of view.
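Added example (not part of the contributor's remarks, and not code from any company named here): a pre-commit style check for the failure described under Storage above, where AWS access keys were published in a GitHub repository. The sample files, the Finding type, and the entropy threshold are constructed for illustration; the keys shown are AWS's own documentation placeholders.

```python
from __future__ import annotations

import math
import re
from collections import Counter
from typing import NamedTuple

# Access key IDs: "AKIA" (long-term) or "ASIA" (temporary) plus 16 characters.
KEY_ID_RE = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
# Secret access keys: 40 characters from the base64 alphabet. The pattern only
# yields candidates; the entropy test below decides whether to report them.
SECRET_RE = re.compile(r"(?<![A-Za-z0-9/+=])[A-Za-z0-9/+]{40}(?![A-Za-z0-9/+=])")
# A pure-hex string cannot exceed 4.0 bits per character, so a threshold above
# that skips 40-character Git SHA-1 hashes by construction (assumed value).
MIN_ENTROPY_BITS = 4.2


class Finding(NamedTuple):
    path: str
    line: int
    kind: str
    preview: str  # redacted, so the scanner's own output never leaks the key


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character of `value`."""
    counts = Counter(value)
    total = len(value)
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def redact(value: str) -> str:
    """Keep the 4-character prefix for triage and mask the rest."""
    return value[:4] + "*" * (len(value) - 4)


def scan_text(path: str, text: str) -> list[Finding]:
    """Report key IDs and high-entropy secret candidates, line by line."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in KEY_ID_RE.finditer(line):
            findings.append(
                Finding(path, line_no, "aws-access-key-id", redact(match.group()))
            )
        for match in SECRET_RE.finditer(line):
            if shannon_entropy(match.group()) >= MIN_ENTROPY_BITS:
                findings.append(
                    Finding(path, line_no, "aws-secret-key-candidate",
                            redact(match.group()))
                )
    return findings


def scan_files(files: dict[str, str]) -> list[Finding]:
    """Scan a mapping of path -> file contents (e.g. the staged files)."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


# Constructed sample input. The credentials are the placeholder values used in
# AWS documentation, not real keys.
SAMPLE_FILES = {
    "deploy/settings.py": (
        'REGION = "us-east-1"\n'
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
        'AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"\n'
    ),
    # A 40-character commit hash: matches the candidate pattern, fails entropy.
    "CHANGELOG.md": "Reverted in 3f2a9c1e8b7d6054a1c2e3f4b5d6a7980c1d2e3f\n",
    # Reading the key from the environment is the safe form and is not flagged.
    "app/config.py": 'AWS_ACCESS_KEY_ID = os.environ["AWS_ACCESS_KEY_ID"]\n',
}

if __name__ == "__main__":
    for finding in scan_files(SAMPLE_FILES):
        print(f"{finding.path}:{finding.line}: {finding.kind} {finding.preview}")
```

A hit on either pattern should block the commit, and a key that has already been pushed should be rotated, since it stays in the repository history even after the file is fixed.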
Andy Jordan is a Special Project Lead at Mosaic451, a managed services provider that focuses on maintaining and protecting critical IT systems.
"There are several security concerns facing organizations in the high tech industry..."
Organizational Breaches: While the Equifax breach was a significant breach, it will not be the last breach we see. Organizations are usually not purposefully negligent or have a desire to disrespect the sensitive information they use to run their businesses. The problem is that there are so many points in an organization where hidden gaps can exist. Two common examples that we see today are poor application code or design and misconfigured cloud environments. During the post-breach retrospective events, the gaps are often not complicated and point back to basic technical controls.
- Integrate application security practices into your DevOps processes.
- Perform continuous vulnerability scanning to help identify gaps in your patching and configuration programs.
- Leverage PenTests to simulate how a malicious actor could get into your network along with what sensitive data they are able to find.
- Use cloud technologies like CloudChecker to help identify configuration issues with your cloud environments.
Unintentional Insider Threats: Users are still users. The result of our humanity is that we all make mistakes. To combat this, we have started leveraging technology to help us make fewer mistakes. As we consider phishing attacks along with unsafe browsing habits, technology cannot prevent every mistake we might make. Another rising trend is the evolution from "bring your own device" to "bring your own identity." Cell phones that support both personal and professional lives are a perfect working example of this. A compromise to one side will likely impact the other. In the past, CISOs and other executive leaders could draw a boundary for endpoint devices. Today, this approach will need to be rebuilt because a person’s digital identity cannot be easily segmented.
- Ensure you’ve defined your organizational policies to include restrictions for the use of personal data and identity on organizational devices.
- Create different and longer passwords for each service you use.
- Use protective controls for email and web proxies.
- Leverage software defined network segmentation to restrict untrusted devices from accessing trusted zones.
Robert Siciliano, CSP, a Best Selling Amazon.com author and a security expert with Hotspot Shield, is serious about security awareness training. Robert is a security expert and private investigator fiercely committed to informing, educating, and empowering people so they can protect themselves, both in their physical and virtual interactions.
"Phishing and a lack of security awareness training are top infosec concerns for high tech companies…"
Some studies show anywhere from 15 to 80 percent of consumers or employees still fall for phishing scams, even though they know the risks. Why do so many employees (and mainstream users) fail to recognize a phishing e-mail? Strong security awareness training at companies is lacking. Perhaps the company simply tosses a few hardcopy instructions to employees. Perching them before videos isn’t enough, either.
Security awareness training needs to also include staged phishing attacks to see which employees grab the bait and why they do so. With a simulated phishing attack approach, employees will have a much better chance of retaining anything they’ve learned. It’s like teaching a kid to hit a home run; they won’t learn much if all they do is read instructions and watch videos. They need to swing at balls coming at them.
Alexis Zanger works at Aegis Americas, which provides software solutions for manufacturers.
"On average, high tech companies are more vulnerable to cyber threats for various reasons..."
Including their own employees. They tend to be the first to obtain new technologies that are new to the marketplace and therefore are more vulnerable to attacks and exploits. Employees in high-tech organizations tend to own cutting-edge mobile devices and the latest mobile apps, which may not be secure. High-tech organizations also seem to have a more open corporate culture that is designed to stimulate creativity and collaboration, which may also make it harder to set up cyber protection.
Tom Rowley is a security strategist at Savvius, Inc. With over 35 years of experience, he is an expert entrepreneurial leader who specializes in driving early-stage technology companies to commercialize their technology and develop new markets.
"Every enterprise in the high-tech space dreads the prospect of being breached..."
Yet breaches still happen every day. The underlying truth is that every network is vulnerable to being hacked, no matter how sophisticated or expensive its Intrusion Prevention Systems and Intrusion Detection Systems are.
In the case of customer data exfiltration, these high-tech companies are primarily concerned with how a breach will negatively impact their brand and reputation, and how it will damage customer trust. If the breach resulted in the loss of R&D or other proprietary information, there is naturally a concern about possible financial and competitive losses. With regulations such as HIPAA and GDPR (in the EU) in play, there is also a valid secondary concern of regulatory fines or additional oversight as a result of a breach.
Most companies don’t realize that their network has been breached until many months later. As these ‘dwell times’ reach historic lengths, it’s clear that more attention needs to be paid to implementing tools that help NetOps and SecOps teams discover and remediate breaches that are discovered within days or months later.
Tyler Riddell is the Vice President of Marketing for eSUB Construction Software with over 15 years of experience. He has a proven track record for successful go to market and corporate communication programs in multiple vertical tech markets.
"The high tech industry is..."
One of the leading targets of cyber threats and data breaches. For these types of companies, theft of intellectual property is one of the biggest threats and suffering a loss like that can cause problems even years after the incident. This can undermine and dramatically reduce an organization’s competitive edge. Another cyber threat worry for high-tech companies who also offer online services is the loss of customer information. This type of criminal activity and attack is highly visible and must be reported to the public.
Bob Herman is the Co-Founder and President of IT Tropolis. He is an engineer with over thirty years of professional working experience. His areas of expertise include managed IT services, data protection, cybersecurity, cloud computing, technology implementations, project management, IT operations, business continuity, network topology, and virtualization technologies.
"External and internal threats are both important considerations for high tech companies…"
External threats include theft of data due to a breach and ransomware due to vulnerabilities, just to name a couple. Internal threats often originate from disgruntled employees. In either case, some basic principles of information security help protect against these threats:
- Minimize vulnerabilities by ensuring all devices have monitored and updated anti-malware, and that patches provided by hardware manufacturers and software vendors are installed quickly once available.
- A monitored backup and disaster recovery plan is imperative to ensure data can be recovered in the event of a loss.
- Employee access to data should be configured on a need to know basis so if a disgruntled user sabotages data the scope of data affected will be contained.
- User training these days has increased in importance given the types of attacks we're seeing. Users should be trained on how to detect email phishing scams, fraudulent phone calls, bad websites, and dangerous email attachments. Furthermore, training on what information should never be provided on social media posts and to unverified sources is important.
Lindsey Havens is a Senior Manager at PhishLabs, which specializes in protecting organizations and users from exploitative attacks.
"The greatest threat felt by high-tech companies is..."
Loss of intellectual property. Having IP stolen after years of investment can take away a company's competitive advantage. While competitors can be the cyber hackers involved in these types of data breaches, those working for the organization are a major threat as well. A highly skilled insider who has access to the right kind of information can come away with huge amounts of valuable data.
Alexandra Kovaleva is a Technical Writer for DDI Development, a company that provides web and mobile digital solutions.
"The high-technology industry is most directly affected by..."
Cybersecurity risks as a consequence of the digital age, including:
- Attacks on industrial IoT devices that include products like webcams, smart TVs, internet-connected fridges, and a broad range of electronics, sensors, actuators and software that are built into everything from your car to your home.
- Corporate data on personal devices. Whether an organization distributes corporate phones or not, confidential data is still being accessed on personal devices.
- Botnet armies that connect to the internet and are remotely-controlled. They are becoming more and more sophisticated, making it difficult for companies to establish appropriate countermeasures.
- Extortion by electronic means (credit cards with contactless pay systems where the data is read and transmitted wirelessly in real time from ATM machines and point of sale devices).
- Wearables are tracking all sorts of personal information, including GPS location, blood pressure, heart rate, and anything else you feed them, such as weight or diet. Such personally identifiable information could be used as a base to target you for spear-phishing or aid in identity theft.
- A mixture of malware and social engineering that can result in financial fraud and the loss of thousands of dollars.
- Attacks on cloud services where a lot of data is kept.
Infosec experts at high technology companies should guide their businesses toward proper cybersecurity planning and mitigation, quickening the process of adaptation to the ever-changing threat environment.
Ryan is the Founder of A Cloud Guru. He is the first person to be recognized as both an AWS Community Hero and an Alexa Champion; and so far, over 135,000 students have taken his AWS Certified Solutions Architect Associate course. He loves being a cloud geek and enjoys sharing his knowledge with the community as an online educator.
"As more enterprises adopt the public cloud and migrate their sensitive data..."
Their top security concern is a data breach. While major cloud providers like Amazon Web Services (AWS) offer mature managed security services, the lack of skilled cloud security professionals is resulting in poor implementations and slowing down their adoption plans.
Chris Carter is the CEO of Approyo, a leading SAP technology solution provider. Carter has been in the big data and SAP industry for more than 25 years. He has been nationally recognized by the American SAP Users Group, SAP, Hadoop World, and more.
"The top information security concerns are bot attacks from other countries..."
We continue to see this threaten our systems. Computers can bombard networks to find open ports in order to gain access and control. This menace is painful to all companies without ever knowing about it. Having a proper security protocol and plan in place allows for this enemy to be left at the gates.
Jeremy Vance is the VP of Technology at US Cloud. He has been in the IT industry for 20-plus years in a variety of leadership positions and roles.
"The top information security concern for the high tech industry is…"
The amalgamation of unique threats coming from all angles that must be considered together. The high tech industry is more vulnerable than most industries, other than maybe finance and healthcare, because of the unique combination of three different dimensions – the products they make that need to be secured for consumers, the information they collect and manage that needs to be safeguarded, and their intellectual property that needs to be protected as well.
Daryl Heinz is the CEO of DFHeinz. He has been instrumental in bringing open source solutions to more than a dozen Fortune 500 companies as well as the NSA.
"Cutting costs in the high tech and software industry often means..."
Turning to open source solutions, which has its set of infosec concerns. It's critical that we demystify what it means to secure these solutions so that scalable, future-proof solutions may be more widely accessible.
Roberts is considered one of the world's foremost experts on counter threat intelligence within the Information security industry. At Acalvio, Roberts helps drive Technology Innovation and Product Leadership. In addition, Roberts directs a portfolio of services within Acalvio designed to improve the physical and digital security posture of both enterprise, industrial and government clients. Roberts is a regular speaker at leading industry conferences (RSA, BlackHat, DefCon, Bsides, etc.) and has been featured in several documentaries.
"We are adding more and more complex technology..."
And handing the aforementioned technology to a population that doesn't understand (or care in many cases) about security. One of the biggest infosec concerns for the high tech industry is the end user. Users are integrating complex technology into their homes, offices, bodies, cars, and lives, and we don't have enough qualified people to manage the current issues – let alone what's coming down the pipeline. In addition, there's not enough in-house technical know-how in the companies themselves to manage endpoints, systems, and potential attack vectors.
Heather Howland is Vice President of Marketing at Preempt. Heather has over 20 years of experience marketing enterprise security and infrastructure solutions at both innovative startups and market leading companies. Prior to Preempt, Heather was Vice President of Marketing for Lacoon Mobile Security (acquired by Check Point in April 2015).
"In an increasingly digital business world, binary decisions – allow or block – do not work..."
High tech, as well as most, enterprises are looking at how they can make their information security infrastructure more continuously adaptive so that they can better enable their employees, while at the same time being able to preempt threats before they have impact on the business. They are looking to find ways to enable transactions when all of the information is not available or there is a known level of risk. They need to better understand identity (of users and entities) along with behavior and risk to enable more effective threat prevention to protect the business.
In response to the risks posed by cyberattacks and breaches, we also see many organizations concerned about and investing in additional security controls to more proactively identify, manage and protect their privileged users and accounts. We have found many organizations have little visibility into who all of their privileged users are and what they have access to, which can be very dangerous if someone's credentials are compromised and that person has access to important IP or code.
David Dingwall is the VP at Fox Technologies.
"Insiders are one of the biggest security threats to organizations in the high tech industry…"
There is a security talent shortage, and the staff who are not IT security specialists tend to have poor training regarding corporate security practices. There is an assumption that technology is going to solve the security problems, but actually, everyone in the organization needs to put work into it. It's a day to day business problem, not just a technology fix.
Technology is improving, but the bad guys are always trying to get into your organization and will be looking at new ways to infiltrate you and steal your IP or your customer’s data. Every employee should be thinking about how to keep sensitive data private and making sure it doesn’t go where it shouldn’t go.
High tech companies should assume they will be breached in 2018 and prepare for how all employees should respond when they get breached.
Matt C. Pinsker
Matt Pinsker is a professor of homeland security at Virginia Commonwealth University (VCU), has multiple publications in the area of cybersecurity, and also consults on cybersecurity issues.
"The main concern of the high tech industry is a data breach by hackers..."
No one wants to be the next Sony, Equifax, or HBO. Whether it is individual consumers having their personal information exposed or it is the revelation of company secrets, being hit like this results in embarrassment, stock value tumbles, and top executives losing their jobs.
Andrew joined AsTech in 2014, bringing more than ten years of industry experience in information security and technology. Utilizing a unique composition of skills and expertise, he has worked with numerous enterprise customers to improve application, network, and organizational security practices. Andrew works with AsTech customers, partners, and team members to develop and deliver the highest-caliber resolutions to security liabilities.
"It may sound like a broken record..."
But ransomware continues to escalate and present increasingly pernicious risks to every organization that depends on technology, including those in the high tech industry. Maersk reported that disruption and replacement costs from its massive ransomware incident last year will top $300M. Deep defensive measures, offline backups, and parallel infrastructure are all important considerations to avoid or mitigate infection, but a single mistake can cripple even massively redundant operations.
In addition to planning and effective response, we also advise customers to strategically address accumulated security findings. Loss aversion, an ancient instinct to avoid jeopardy in resource supply such as food, can also steer individuals and organizations away from allocating resources towards the prevention of uncertain losses: given a choice between certainly losing $500 and a 50-50 chance of losing $0 or $1,000, which sounds better? Framed this way, more people choose to take the risk. Along the same lines, it can be all too easy to deny resources to security initiatives based on the hope that they will not be necessary. We see this kind of hopeful neglect as a serious long-term risk to the industry in the face of the next phase of evolution for malicious activity like ransomware.