Q&A: Herjavec Group's Mark Infusino talks IT security
To get a better sense of the cyberthreats and solutions facing Canadian businesses, we spoke with one of the country's leading experts.
Keeping abreast of cybersecurity threats and vulnerabilities is a job that never ends, and the bigger your organization the more ground there is to cover.
In addition to possessing assets that are prime targets for cybercriminals and hacktivists, enterprises have to contend with a large number of access points, a broad range of connected devices, and hundreds, if not thousands, of staff to train on the dangers of cyberthreats. Plus, with a growing shortage of qualified cybersecurity professionals and often insufficient budgets, because cybersecurity doesn’t contribute to the bottom line in a direct and conspicuous way, it's getting more difficult to implement the necessary measures for enterprises to properly protect themselves.
But that's no excuse not to be proactive. Whether you employ a third party to expertly manage a custom cybersecurity solution or choose a security platform that protects against the most common risks, there's still a lot you can do to shore up your company's defenses.
We talked to Mark Infusino, Vice-President of Sales at Herjavec Group, who has nearly a decade of experience providing analysis and security solutions to corporations. He had plenty of invaluable advice to offer, from strategically placing yourself in the middle of the pack to draw the least attention from would-be attackers, to how to strike the proper balance in evaluating security risks and security spend.
Can you provide us with an overview of the current threat landscape facing Canadian businesses?
It's constantly changing based on nation state activity, hacktivist activity and cybercrime. Bad guys are coming up with new ways to make our lives more difficult every day.
The rapid changes in the threat vector landscape drive innovation on a daily basis. The challenge we have as security professionals, and as organizations, is that there are millions of unfulfilled cybersecurity jobs in North America alone.
So, what you have is an ever-evolving problem, new technologies coming to market to help mitigate it, and not enough skilled people to help deploy and operate these solutions. Without the combination of people, process and technology, we can’t drive actionable intelligence and risk-based decision making. There's a gap. And that gap's being exploited by threat actors doing bad things.
How are security professionals and targeted companies dealing with emerging threats?
It's the gazelle theory: If you're being chased by the lion you don't want to be the slowest gazelle. You don't want to be the fastest gazelle either, because that's the target they'll go after from a brand recognition standpoint.
What you want to do is bring in a cybersecurity team to identify the gaps within your current risk posture and put a plan together that will plug the holes. Typically, this comes at the expense of budgets that are tied to infrastructure or revenue generation, but companies need to understand that it takes just one news article or one breach to submarine your brand and put your company at risk.
It's a balancing act. You want to ensure you're investing enough so that when they knock on your door, it's tough enough that they'll move on to the next door that's easier, but not so tough that they take it on from a pride standpoint.
Is there any way to determine which organizations are at greatest risk?
Whether its hacktivists, cybercriminals or nation state activity, critical infrastructure is a primary target. Utilities, financial services, oil and gas, grid infrastructure, federal government – these are the first places that will be targeted.
Are changing company cultures and employee behaviours making your job harder?
From a data-loss prevention perspective and from an identity perspective, culture is definitely a core focus. Companies today employ more Millennial employees than ever before, and they expect to do their job differently. They’re online, connected with their personal devices and require social media access. That leads to interconnectivity, and expanded access across the enterprise. And with that comes more risk.
Access from an IoT perspective is particularly scary. For example, in the not so distant future, all household appliances will be IP-enabled, meaning they will all have an IP address. This means more access points and a wider attack surface. Translate that concept into a work environment, and it doesn’t just lead to automation and technological advancement, but also the expansion of scope for employee identity controls and access requirements. We are trying to couple cyber-investment with a balance of corporate policies and procedures, but we really need to educate our teams about the fact that their user profiles and access points are important threat vectors.
It's challenging however, because you need to strike a balance. How do businesses enable growth in a competitive market, and at the same time balance restrictions on certain revenue-generating activities that are cyber risks? We need to be responsible in determining how much access we give.
What sort of security measures do you recommend for budget-conscious companies?
At a foundational level, proper hygiene. Make sure your patch levels are up to date, and your security investment is at par with industry standards. Build strong corporate policies and risk-averse procedures.
Corporate IT hygiene can be costly at times, so organizations should think about modelling out the impact of an exposure versus letting systems run without updates. Security professionals are big believers in making sure foundational infrastructure is solid, and that the appropriate level of policies and procedures are in place and adhered too. If you build a home on a poor foundation, the home's going to crumble eventually. It’s just a matter of time.
You don’t need to go it alone. Consider turning to cybersecurity professionals who can support you with managed security services using a utility model. You'll pay a monthly or annual subscription fee, and they'll provide you with 24/7 cybersecurity services. They can deploy infrastructure, including cloud infrastructure, and manage it on your behalf. They'll use their resources and people to consolidate the data and make it meaningful, actionable intelligence.
The reality is, whether it is ransomware, some other form of malware, or an advanced persistent threat, security often isn't a priority until you have been exposed, or your competitor is in the news, and then it becomes a priority. You might want to redo your kitchen or put in a new bathroom, but if your roof is leaking, those tasks get put on hold because you have to make sure you plug the holes so the rain doesn't get in.