How to Address Security's Weakest Link
User Awareness Tops Security Leaders' List of Challenges
Security leaders have a firm grasp on their technology controls and processes as they continue into 2013. It's addressing the vulnerabilities in people that remains the outstanding challenge of the year.
"People are our greatest assets, but they're also our weakest link when it comes to information security," says Elayne Starkey, chief security officer for the state of Delaware.
For Matthew Speare of M&T Bank, one of the 20 largest bank holding companies in the United States, education and awareness training still isn't enough to protect people from online vulnerabilities.
"People end up being their own worst enemy, as well as ours," he says in an interview with Information Security Media Group [transcript below].
For Starkey, the state has been working hard on continuing its push to ensure employees are aware of phishing attacks and how to identify them. "We're always looking for fresh and creative ways to keep our employees out there on the defense," she says.
In healthcare, Christopher Paidhrin of PeaceHealth Southwest Medical Center is conducting a program known as "awareness in depth."
"Similar to a technology 'defense in depth,' we need an 'awareness in depth,' from the evaluation of potential applicants, the hiring, recruiting, all the way through the lifecycle of an employee," he says.
In this first of a series of interview installments, the three security leaders discuss:
- The current threat landscape;
- How they are addressing security's weakest link - people;
- Unique and common risks they face heading into 2013.
About the Participants:
Christopher Paidhrin is IT security compliance officer at PeaceHealth Southwest Medical Center, where he has worked for 12 years. Earlier, he worked in higher education, as well as in private sector and entrepreneurial ventures, where he held a number of director-level positions.
Matthew Speare is senior vice president for information technology at M&T Bank. He is responsible for developing and sustaining an information risk program that effectively protects the personal information of millions of customers of M&T Bank, the nation's 17th largest bank holding company, based in Buffalo, N.Y.
Elayne Starkey is CSO for the state of Delaware - a role she's held for seven years. She is responsible for the enterprise-wide protection of information assets from high-consequence events, including cyber and physical terrorism and natural disasters.
Biggest Challenges in 2012
TOM FIELD: Elayne, to start out, what would you say has been the biggest challenge for you in your role in 2012?
ELAYNE STARKEY: My role in Delaware here is kind of centered around the broad enterprise-wide information security program. I'm responsible for disaster recovery and continuity of government. What we like to do is kind of center our framework around three guiding principles, and that's people, process and technology. I would say this year, if I reflect back on 2012, we've made a lot of advances in all three areas. The easy ones to advance quite frankly are processes and technology. We've made progress on the people side too. People are our greatest assets, but they're also our weakest link when it comes to information security. We've been working hard to try to close up data links, help them identify phishing attacks and all of the typical education and awareness best practices as well. We're always looking for fresh and creative ways to keep our employees out there and on the defense, along with our tools, technology and the process and policies that go along with it.
CHRISTOPHER PAIDHRIN: Certainly, I appreciate and respect Elayne's challenges. Unique to PeaceHealth on the west coast, Southwest and PeaceHealth have merged over the last year, so if there's one outstanding activity, our integration and merger has taken the vast majority of our energies. But from an operational perspective, we have transitioned our IT operation to an IT service management operation, where we're no longer a technology function, but a service entity. I've been very blessed to be a lead change agent in developing that service management model. In terms of a security-centric issue, it's been the de-perimeterization of security, so bring-your-own-device, here's-your-own-device, mobile, cloud, health information exchanges. All of that has dramatically changed our security posture and approach.
MATTHEW SPEARE: When I think about some of what's been going on in our world, especially being a serial acquirer, I certainly appreciate Elayne's comments about people, process and technology, and it's the same issue that we have, whether it's internal employees, whether it's customers. Unfortunately, people end up being their own worst enemy as well as ours. What we think is that, despite all the efforts that you've put around education and awareness training for them, they continue to be fooled along the way or just never realize that they end up being part of attempted fraudulent transactions or security breaches. Then, you couple that with the amount of change that goes on when you do an acquisition - that very vulnerable point in time - and we've seen it time and time again that the bad guys definitely know the schedule and look to take advantage of it. You end up being at a very critical phase when there's a lot of change activity going on with your customer base or your internal-employee base, and it makes it more challenging all the time.
FIELD: Here's a question to toss out for each of you. Matt, how is your security landscape different today, for better or for worse, than it was a year ago? I know we've seen compliance issues this year. We've seen breaches. We've seen the DDoS attacks. How do you assess the security landscape? Are you better off now than you were a year ago?
SPEARE: Certainly technologies have continued to evolve, and we've gotten better at the implementations of layered controls to help protect our customer base, and at the same time what we've seen is a change in the methodology and the level of sophistication that our opponents have. Somewhere along the line they realized that instead of attacking the financial institution directly, they have a higher likelihood of being successful if they're to attack our customers and use that as a mechanism to ultimately get to the funds. In a broad scale, I'd say that 2012 has kind of been a draw, meaning that we've improved a lot as well as they have, and it will be interesting to see what might change in 2013.
STARKEY: Many things have stayed constant. I agree with Matt - the sophistication level has increased the risks. I think in 2012 we saw risk increase. We saw things got more sophisticated. It's harder than ever to keep what we call our crown jewels, our data. We in government by nature are a huge repository of personally identifiable information, and that was true this year and it was true last year, and it's going to be true in 2013. That part of the equation kind of stays constant. It's data that can be very lucrative to the bad actors that are out there. We take a lot of steps to try to protect that data.
All in all, when I reflect back on 2012, we've had an excellent year in 2012 when it comes to some of the recognition. We've been recognized in a big way for our strategy, and we've been recognized as having the best cybersecurity website in state government, and we're doing some unique things with educating and training our information security officers. We've received some nice recognition for some of those efforts as well. We feel good about where we are. Still, I like to tell my team this is a race with no finish line.
PAIDHRIN: In healthcare, in general, I think that it's hard to say because healthcare goes from single physician clinics up to large multi-hospital systems, and different sectors within our industry are experiencing different aspects of the risk environment. For PeaceHealth, we're better off. For industry as a whole, we've had weak adoption up until enforcement began through the Office of Civil Rights through HHS; but it's improving. We don't have as an industry as high a level of cyberattacks, DDoS, very targeted attacks from a brute force or from a malicious intent. People want to attack hospitals to get at information, mostly for identity theft, not so much for medical record theft. But for us, it's all confidential information and if we look to Health and Human Services, or to the several research organizations that have evaluated the trending over the last couple of years, the large breaches are going down, but the small breaches are going up. That still is not reassuring when hundreds of thousands or millions of records are breached in a given incident. We're all applying better standards. We're all applying better controls, doing more auditing and obviously more reporting. Spear-phishing or phishing is going way up and that's not just in healthcare, but it's going way up.
To go back to your question about what's changed, for us our focus is on MDM, mobile device management. The technology, the consumerization has gotten out ahead of most industries. We cannot afford that in healthcare. As Matt was saying just moments ago, in spite of all the technological controls, it's the end user. They're the weak link. We have here at PeaceHealth Southwest a program called "awareness in depth." I've been talking about it over the last couple of years [and have] written a few articles. Similar to a technology defense in depth, we need an awareness in depth, from the evaluation of potential applicants, the hiring, recruiting, all the way through the lifecycle of an employee and/or an affiliate, because more than half of our access is from non-affiliated users, whether it's through an HIE, partners or physicians who are not employees. It's a big challenge and it's demanding a lot of our attention.