Do not ignore the insider threat. A majority of the breaches occur due to an insider who works at a company. That insider may have malicious or non-malicious intent.
Understand that cybersecurity is not a one person job. The phrase “it takes a village” comes to mind. Cybersecurity is complicated. With an array of ever-changing technical and regulatory controls, no one person can know it all. Delegate responsibilities to professionals.
Continue to evolve cybersecurity strategies. Since the threat landscape is constantly evolving, it is only natural that cybersecurity strategies also change. Companies should not fall into the habit of resisting change just because a breach has not occurred. The only thing constant in information technology is actually change!
As a part of our series about “5 Things You Need To Know To Optimize Your Company’s Approach to Data Privacy and Cybersecurity”, I had the pleasure of interviewing Dr. Humayun Zafar. He is a Professor of Information Security and Assurance and the FinTech Program Coordinator at Kennesaw State University. He received his doctorate from the University of Texas at San Antonio. His cybersecurity research has appeared in numerous journals and conferences. In 2014, he received an award from the Graduate School at Kennesaw State for his Research and Creative Activity. In 2019, he received the Distinguished Undergraduate Teaching Award for his contributions to cybersecurity education. He routinely presents at professional conferences such as Mobility LIVE! and has appeared in the media numerous times for his expertise in the area of security and mobility. He holds various certifications such as CEH, CISM, and CRISC.
Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?
I was very much a kid who grew up playing outdoor sports. My parents always encouraged me whenever possible to go outside as opposed to sitting indoors and flipping through the TV channels. To this day, I am active in training for various marathons, playing tennis, golf, etc.
Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.
I was working for a company in South Florida back in 2004. My boss asked me to put something on a server that he would then access from an off-site location.
I still remember: it was a Saturday, and I was playing golf on a course, not too far from the office. I received a call from my boss, who was in Houston, and he told me that he was unable to access the server. I was a little perplexed, so I left the golf course early and went to the office. Once I logged into the server, I realized it was running very slowly. It just so happened that someone was using an open email port on our server to send spam. That resulted in a massive log file that completely filled up the server’s hard drive space. I shut down the port, stopped the service, and things went back to normal.
That one instance made me think about information security in a broader context. Incidentally, the term cybersecurity wasn’t even around back then.
Can you share the most interesting story that happened to you since you began this fascinating career?
Being an academic, I love seeing my students succeed. One of my former students returned to complete a degree almost 14 years after initially dropping out. When he dropped out, he was not serious about his education at all — he even admitted that openly. But when he came back he was a straight-A student. He graduated as a non-traditional student and is now working for the federal government. I still get a birthday greeting from him once a year. In my opinion, it shows that the sky’s the limit once people get over themselves and pursue their passions.
None of us are able to achieve success without some help along the way. Is there a particular person to whom you are grateful who helped get you to where you are? Can you share a story about that?
My mentor was the late Dr. Jan Clark. She worked with me throughout my doctoral program and ended up being the chair of my dissertation committee. We spoke at length about not just the difficulties of having a successful academic career, but also the importance of being well-rounded. There is a lot more to life than just work.
Are you working on any exciting new projects now? How do you think that will help people?
Every day is a new project day! All are filled with different elements of cybersecurity. I am currently working on a project that reimagines the concept of security training programs that are the staple of cybersecurity policies at the workplace. All I can tell you is that most of the programs in use do not serve the purpose of keeping us secure. However, they do check the compliance box. Just because you are compliant does not mean you are secure.
What advice would you give to your colleagues to help them to thrive and not “burn out”?
I am a huge proponent of work-life balance. There will always be more work to do. However, keeping yourself healthy (physically and mentally) is just as important. Especially in times like these with COVID-19 impacting our schedules, it’s even more important to actively engage in a balancing act.
Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. The Cybersecurity industry, as it is today, is such an exciting arena. What are the 3 things that most excite you about the Cybersecurity industry? Can you explain?
The first thing is that cybersecurity is an area which, very much like healthcare, has the potential to impact pretty much everyone. We have been trending toward complete digitalization of our lives for a few years now, but COVID-19 has accelerated that train since now most of K-12 education has adopted remote learning. Our workplaces have implemented wider virtual options for their employees. We even have Zoom weddings! Who would have guessed that a few years ago!
With everything being woven into all aspects of our lives, it is imperative that users are aware of the implications a cybersecurity breach may have. For those growing up in this environment, they may not even be familiar with what the previous “normal” was.
Secondly, no one needs to be told about the value of cybersecurity as a field. Yet, even with all that focus, the rate at which breaches are occurring is increasing not just in frequency but also in severity. This may point to one inalienable fact, which is that sometimes throwing money at a problem is not always the best solution. We have to think about our current solutions and issues differently and more holistically.
Finally, social media has exploded. Yet, very few users realize that like-jacking is a common form of attack that hackers employ. Basically, hackers post fake like buttons, which when clicked allow malware to be downloaded to the user’s device. That would in turn allow for the leak of sensitive data.
Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for?
Cybersecurity is a moving target. Currently, the greatest threat to companies is ransomware. This year alone we have seen major companies being hit (e.g. Garmin). However, the threat is applicable to governments and even universities.
Basically, the line between ransomware attacks and data breaches has blurred, with a number of prolific ransomware operators such as Maze, Sodinokibi, CLOP, and Sekhmet creating their own websites where they publish stolen data.
Do you have a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?
I do, but I am not allowed to talk about it. All I can say is that the solution was not technical, but policy-oriented.
What are the main cybersecurity tools that you use on a frequent basis? For the benefit of our readers can you briefly explain what they do?
Well, as a certified ethical hacker, I employ tools such as Nmap and Metasploit among many others. Nmap allows me to fingerprint a system to get an idea of what my target looks like. At a technical level, it shows me which ports may be open for an attack to succeed.
Metasploit is an open-source penetration testing framework that allows me to enumerate networks and hosts and execute remote attacks. It also provides an option for me to run vulnerability scans.
How does someone who doesn’t have a large team deal with this? How would you articulate when a company can suffice with “over the counter” software, and when they need to move to a contract with a cybersecurity agency, or hire their own Chief Information Security Officer?
There is no easy answer here. If the team is not large, then we may be talking about small-to-medium-sized companies in which people wear many hats. A lot of it relies on that company’s cybersecurity strategy.
It’s all about identifying and prioritizing the digital assets, educating users, ensuring systems are patched, and ensuring that an incident response and disaster recovery strategy is in place. But one thing that needs to be clear is that just because a company is small, it does not mean that it is not at risk. The threat profile still remains the same.
In regard to over-the-counter software, companies need to ensure that default credentials have been deleted since that’s usually overlooked. Cybersecurity is complex. Some requirements may need to be enforced due to the regulatory environment. For example, regardless of size, companies that transmit and store credit card data would need to abide by PCI DSS requirements. Maybe at that point partnering with a managed security services provider (MSSP) would make more sense since it would set them on the right path. Not all cybersecurity can exist in-house these days.
As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a lay person can see or look for that might indicate that something might be “amiss”?
I think we should not try to make all people cybersecurity experts. There is too much to learn, and everything changes. The best option would be to design our solutions that have cybersecurity embedded in them. This concept is at times referred to as security by design.
However, all people can practice good digital hygiene: use two-factor authentication, do not use the same passwords everywhere (use of password managers like OnePass helps) and do not post sensitive information on social media accounts. There is no need to tell everyone when you are going on vacation. That basically tells attackers exactly when it would be easy to attack someone. In the meantime, keep an eye on your financial records for unauthorized charges.
After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?
This can vary based on the industry and where a company is located. There may be specific breach notification laws or maybe other regulatory requirements that need to be resolved as a matter of compliance.
In general, there should be an incident response plan that needs to be put into action. A couple of things that should be done are as follows:
- Enhanced communication with internal and external stakeholders. This can involve email, snail mail, phone calls, SMS, etc.
- Identify the cause of the breach and ensure that it has been stopped.
- Bring in an external entity to investigate and analyze.
- Provide customers with resources if sensitive information has been disclosed.
California has historically led the charge on behalf of the US when it comes to privacy measures, and even breach notification laws. The newer requirements promote governance and accountability for businesses (CCPA/CPRA) or controllers (GDPR), which are legally required to be compliant with the respective laws, i.e. they are “must do” requirements vs. “nice-to-do” recommendations/guidance.
CPRA could get California very close to GDPR because of the addition of requirements around data protection by design as well as the requirements to maintain records and perform data protection impact analysis. For GDPR, controllers need to appoint a Data Protection Officer in specific instances. This is not a requirement embedded in CCPA and CPRA. Also, for GDPR, transfers of personal data outside the EU are restricted with certain exceptions. Once again, CCPA and CPRA do not have this requirement.
What are the most common data security and cybersecurity mistakes you have seen companies make?
Hubris is probably the whopper. Many companies believe that they will not be breached. Underestimating the hacker is the last thing you want anyone to do.
Companies also lack an effective incident response and disaster recovery plan. Those that do may never have tested the plan out to see if it is still relevant or not. All plans need to keep up with the changing business environment.
Since the COVID-19 pandemic began and companies have become more dispersed, have you seen an uptick in cybersecurity or privacy errors? Can you explain?
Absolutely. The attack surface has increased dramatically since most people are working from home and are using their personal devices. Those devices may not be configured for high levels of security to begin with. Some may be out-of-date, from both the hardware and software perspectives. That opens the door for breaches to occur.
Ok, thank you. Here is the main question of our interview. What are the “5 Things Every Company Needs To Know To Tighten Up Its Approach to Data Privacy and Cybersecurity” and why? (Please share a story or example for each.)
- Do not ignore the insider threat. A majority of the breaches occur due to an insider who works at a company. That insider may have malicious or non-malicious intent.
- Offer the “right” kind of training. Offering security training for compliance is fine, but the best method is to offer training that is able to engage groups based on their roles and responsibilities in a company.
- Understand that cybersecurity is not a one person job. The phrase “it takes a village” comes to mind. Cybersecurity is complicated. With an array of ever-changing technical and regulatory controls, no one person can know it all. Delegate responsibilities to professionals.
- Do not underestimate the importance of good incident response and disaster recovery plans. Even the failure of having up-to-date backups can result in a situation where small-to-medium-sized businesses do not recover from a breach.
- Continue to evolve cybersecurity strategies. Since the threat landscape is constantly evolving, it is only natural that cybersecurity strategies also change. Companies should not fall into the habit of resisting change just because a breach has not occurred. The only thing constant in information technology is actually change!
You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. 🙂 (Think, simple, fast, effective and something everyone can do!)
Understand that cybersecurity is a shared responsibility. Just like we lock our doors when we leave our homes, we have to be just as cautious about our digital assets. Make things difficult for the hacker!
How can our readers further follow your work online?
This was very inspiring and informative. Thank you so much for the time you spent with this interview!