Q&A: CYBERSECURITY AND DIGITAL PRIVACY: Roundtable.

Industry Outlook - Discussion

Cyber threats and cybersecurity are topics that impact every business, no matter how small or how large, or what industry they're in. Here, a panel of cybersecurity experts discuss the evolving cyber crime landscape--and what business can do to fight back.

PARTICIPANTS

SARAH CLARK, Salt Lake Chamber

JOE CRANDALL, JourneyTEAM

BRUCE JAMES, Intermountain Healthcare

TSUTOMU JOHNSON, Parsons Behle & Latimer

ROBERT JORGENSEN, Utah Valley University

SEAN LAWSON, University of Utah

ELAINA MARAGAKIS, Ray Quinney & Nebeker

ERIC MONTAGUE, Executech

AUBREY MURRAY, Perpetual Storage, Inc.

SHAWN ORR, Big-D Construction

DEAN SAPP, Braintrace

DAVID SONNENREICH, Utah Attorney General's Office

MATT SORENSEN, Secuvant

Moderator

A special thank you to Romaine Marshall, partner at Holland & Hart, for moderating the discussion.

Q&A

What are some of the major cybersecurity threats in 2018 that businesses should be aware of?

SAPP: When we work with clients, we're seeing a lot of what I would call common hygiene problems that are impacting the businesses around credentials. We see a lot of theft of usernames and passwords associated with email accounts, and then that email account access is being leveraged for wire fraud or phishing fraud. It's commonly called CEO fraud or business email compromise, where your CEO or accounts payable individuals in the organizations are exchanging wire transfer information and it's fraudulent. Large amounts of money get wired and approved because companies don't have very strong dual controls over the movement of money. And so they're realizing large losses. If I were to average in the valley, recently, the breaches we've responded to are in the neighborhood of $2300,000. So significant amounts of money.

SORENSEN: We've also seen an uptick in the delivery channel for phishing and malware into social media. Where companies have invested some resources to watch email and filter email and prevent those links from getting to the end user, they're now getting them through Facebook and even LinkedIn. You tighten up one area and it just spreads into another.

MARAGAKIS: From a liability perspective, one of the things we're starting to have to advise our clients about is if they are going to offer multi-factor authentication, are you going to require it or is it going to be optional? Oftentimes what they'll say is a password and a voiceprint, for example. Well, if they don't set up the voiceprint, are you going to let them use the system or not? And that's a huge liability factor because they say, "Well, why didn't you tell me that if I didn't set up the voiceprint, I couldn't use the system?"

And then your client is left in a position where they're saying, "Well, you're the one who didn't set up the voiceprint, so why didn't you do that?" You can sink a lot of money into litigating the liability on that.

JORGENSEN: UVU recently enforced two-factor authentication for all employees. It was basically, "You can't log in if you have not set this up." It is optional for students, just because there's obviously some extra things involved with that, with 35,000 students, but we do offer it for all our students.

MARSHALL: Do you guys ever get any push-back to that from the user community? "This is harder, I want to get into the systems quicker."

JORGENSEN: There always is push-back. And faculty is probably one of the worst user groups to deal with, up there with executives--and that can be on the record--as far as user acceptance. So yes, there's a lot of push-back initially, but when people see how simple it is--we use Duo, so we've got the push authentication. And for them to see that they type in their password, and then a half a second later, their phone buzzes and they punch the thing, and then they're in--it seems to alleviate a lot of that once they see how quickly you can get in with those devices because it really adds seconds to the login, at most.

MONTAGUE: I've seen it way too often, where you meet with the company, you present them with security solutions, and they're like, "That is fantastic. Let's do it. We're all in. Oh, but don't do it for us five executives. I don't want two-factor, I don't want my password to expire."

You're like, "Wait, you're an idiot. You five executives probably have the most critical data, and all this we're putting in place is probably going to protect you five 80 percent, the rest of the company 20 percent." Half the time we do a security analysis, I get some variant of that: "This is awesome. Do it for the whole company, but not for us."

JOHNSON: It's important when you implement these strong procedures to get buy-in from the executives at the top of the company. It's really making the case that when we implement these new security structures or buy new technology in order to solve these problems, it's not just so that we can spend money--it's so we can secure against real threats, that there's a real reason that we're doing this. In addition to getting that buy-in, it's important to roll out an educational campaign throughout the organization to say, "This is what we're doing, these are the guidelines and guideposts of what we're doing, and this is why it's imperative that we have you go through these processes" so they don't just view it as just a waste of time.

LAWSON: The most important layer is that human layer. Right? You can have all the great tech in the world, but tech can't solve stupid. If people click that link, download that file, go to that malicious website--if they don't have good cybersecurity education, the tech is not going to save you.

JORGENSEN: A lot of times when we talk about things like business email compromise and electronic funds transfer, that's not necessarily a technology problem. It's often a business process problem. You don't have proper controls for your financial transactions, things like that. So one of the ways to approach both dual-factor authentication and business email compromise is to look at it holistically as a business problem. It's not a technology problem, it's not a cybersecurity problem, it's a business problem to address. And, yes, technology and cybersecurity is a piece of it, but also business practices, user education policies, all those sorts of things.

SORENSEN: Cybersecurity is a business problem and it needs to...
