Information-technology security professionals gathered Friday at Oregon State University-Cascades to learn new ways to protect their companies from attacks like the one that affected 40 million Target customers, or the one that affected 1 billion Yahoo users.
While plenty of tools and procedures are available that will enhance cybersecurity, experts said an organization’s own employees and vendors can pose the greatest threats to its network.
“It’s the person clicking ‘yes’” who ends up letting “the bad guys in,” said C.J. June, part of the security team at Paladin Data Corp., a Bend company that sells point-of-sale systems. “We need to educate the end user in how to be safe and how to be aware. You can’t just buy something to keep you safe.”
June said the Cybersecurity Education Summit, organized by Technology Association of Oregon and Redhawk Network Security of Bend, was valuable because the expert panelists discussed a number of ways to deal with the human factor.
The more an IT team beefs up security, the less accessible a network will be to its users, so IT professionals will always be trying to find the right balance, said Tyler Hardison, director of solutions and innovation at Redhawk. One summit attendee who works on IT security at St. Charles Bend said it’s very challenging to get doctors to place a priority on security because they’re so focused on their work with patients.
As a woman working in the field of security, Clara Tsao, chief technology officer at the Interagency Countering Violent Extremism Task Force at the U.S. Department of Homeland Security, said it helps to have one’s message reiterated by allies who have more credibility with a given audience.
When she’s talking, she said she notices men turn to other men in the room for confirmation that what she’s saying is true. So she’s asked her colleagues to repeat the things she says. “It gets all the way to the top,” she said.
Leslie Golden, president of Instill Security in Portland, said any training should begin by making it relevant to home and personal life. Charlie Kawasaki, principal of Software Diligence Services in Portland, and Lewis Howell, founder of Hueya Inc. in Bend, suggested running pilot programs with a few people from each department. Then the subject-matter experts will adopt the technology and, in turn, help their peers.
“They become that external training source,” Howell said. “You have to start with the culture.”
Ronald Watters Jr., a cybersecurity adviser at the Office of Cybersecurity and Communications in the Department of Homeland Security, said he prefers a punitive approach. Employees should understand that the business system is not for their personal use, and if they violate terms of that agreement, they should have their accounts suspended, and after repeated violations, they should be fired.
But most businesses won’t completely restrict employees’ access to the internet, as long as it keeps them happy and productive, said Howell, of Hueya. And it can be counterproductive to instill fear of the IT department, he said, because then people won’t alert IT when they’ve made a mistake.
Kawasaki, who works with software firms, said he received phishing emails a couple of times this year, and he even fell for one of them. The email purportedly came from a company executive and said, “Are you in your office right now?” Viewing that message from his mobile phone, he replied that he was away on a trip, and then he was caught.
“How come my incoming spam filter didn’t catch that?” Kawasaki said.
So IT professionals still have a responsibility to employ the best tech tools possible to keep busy people from making errors, he said. “I’m not aware of organizations that have their IT systems so locked down there aren’t opportunities” for improvement.
— Reporter: 541-617-7860, firstname.lastname@example.org