As a part of my series about “5 Things You Need To Know To Optimize Your Company’s Approach to Data Privacy and Cybersecurity”, I had the pleasure of interviewing Shena Seneca Tharnish. She joined Comcast Business Services as VP, Cybersecurity Products and Practice in late February 2017. In Shena’s time at Comcast Business, she has developed a Cybersecurity Product Framework that drives the commercial product roadmap, as well as security practices for all business products at Comcast Business.
Shena has over 24 years of experience in Information Technology — leading and managing network engineering and application development services.
Thank you so much for joining us in this interview series! Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.
My career has taken an unexpected journey. From an early age, I grew up dancing — and was a dance major at a performing arts school. After touring New York state with the Empire State Ballet company, I saw how a prima ballerina lives and decided to focus my studies on math and science — a field that would provide me with financial stability and security (no pun intended).
I’ve always been drawn to technology and I later went on to serve roles in IT with The Home Depot and PNC Bank and now — Comcast Business. Working in cybersecurity has always attracted me because it provides a chance to help people and keep them safe.
Are you working on any exciting new projects now? How do you think that will help people?
In my current role, I lead my team to understand the cybersecurity needs of our end-user customers and develop meaningful products based on those needs.
In talking to our small business customers, we found that more than half were experiencing some sort of data breach or security incident. Today cybersecurity attacks have become a destructive and all too common occurrence. And the harsh reality is that no organization is too large — or too small — to be a target.
To solve this problem, we worked to develop a new solution, Comcast Business SecurityEdge, which is engineered to help small businesses effectively manage the growing risk of cyberattacks. SecurityEdge works to protect devices connected to a business’ WiFi network against several existing and emerging internet-related threats, including malware, ransomware, phishing and botnet infections, without requiring additional hardware or software beyond the Comcast Business internet modem.
The Cybersecurity industry, as it is today, is such an exciting arena. What are the 3 things that most excite you about the Cybersecurity industry? Can you explain?
Cybersecurity can be summed up into three words: interesting, challenging and meaningful.
Each day is different, and the security industry is ever evolving. Cyber attacks happen fast, and the attackers just seem to multiply which makes it difficult to stay ahead. This is the exciting part; it’s solving a puzzle and finding new ways to stop these attacks and cybercriminals. Each situation is unique and a new opportunity to rise to the challenge.
Cybersecurity professionals are built from the “jack-of-all-trades” types. We’re willing to adapt to change and are eager to learn more. There’s always a new puzzle to be solved and never a “done” mentality in cybersecurity, just best practices and consistent evolution and learning.
Even though we’re behind the scenes, cybersecurity professionals have a huge impact on businesses. It’s our job to protect a business’s network and the devices connected to it against existing and emerging Internet-related threats, including malware, ransomware and phishing, to name a few. This is the part of the job that makes it meaningful and worth it at the end of the day. I’m able to say that I’ve helped protect not only my customers, but the precious and valuable information their customers have entrusted them with. It’s my job to help people and businesses and keep them safe.
Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for?
Phishing scams are consistently named as one of the top three pain points reported by CISOs (chief information security officers). There seems to be a continuous supply of bad actors trying to manipulate users into giving them information or to click on something.
I do believe companies can shift their security focus from being reactive to proactive and getting their cybersecurity programs off the ground.
In fact, a recent study conducted by Comcast Business and IDG found that more than half of the respondents indicate they are accelerating deployment of new security technologies and approaches, such as implementing “zero trust” policies.
For background, a zero-trust framework is one of the most effective ways for organizations to control access to their networks because it assumes no trust in a network, device, or identity and requires those accessing resources to prove who they are. By separating the network and restricting user access, zero trust security helps the organization contain breaches and minimize potential damage.
Do you have a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?
My team spearheaded Comcast Business’ entrance into the cybersecurity space. More than two-thirds of small-mid size businesses reported a cybersecurity breach in 2019 and 60% of small businesses could go out of business due to damages associated with a cyberattack.
It’s evident that small businesses effectively manage the growing risk of cyberattacks. Cybersecurity keeps business owners up at night because they face an onslaught of challenges, from various, ever-changing forms of cyberthreats that can result in the loss of sensitive information or the disruption of business operations.
We help small businesses defend their companies and their data from serious harm — stopping breaches in their tracks — before they’re even to the point of needing to be fixed!
What are the main cybersecurity tools that you use on a frequent basis? For the benefit of our readers can you briefly explain what they do?
In today’s hyper-connected world, cyberthreats are becoming more sophisticated and prevalent. On a regular basis, I help our customers enhance their physical and digital security posture. A few that come top of mind include: SmartOffice, an affordable video surveillance product designed to improve efficiency through advanced interior and exterior monitoring, and SecurityEdge, that offers SMBs a more streamlined approach to protecting their businesses from the latest threats.
Our SecurityEdge solution allows businesses the ability to filter web content — gaining more visibility into their network safety with a simple to use, personalized dashboard that provides regular reporting.
As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a lay person can see or look for that might indicate that something might be “amiss”?
Often DDoS attacks are created to distract businesses and point their resources and attention towards stopping the attack. However, these cybercriminals could be using a “back door” to get to other things while all the intentions are on the attack.
If DDoS attacks are happening to your business, you shouldn’t only be looking at how to defend those. It’s what other vulnerabilities you have in your network that bad actors are trying to distract you from.
Phishing and social engineering are very prevalent everywhere. I always stress the importance of educating employees on the dangers of phishing, and how easy it is to mistake those emails and to click on the link and to what could happen to the organization.
Many employees use the same password on their work and personal accounts. If there is a breach on those sites, your data is out on the dark web. Your username and password have been breached. If you use the same credentials in a business environment, then you’re subject to a cybercriminal getting a hold of your information.
Businesses should really go through their own systems and make sure their employees aren’t using compromised data that’s out on the web and forcing them to change passwords.
After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?
Planning is key to being prepared. Ideally, you would have a plan set in place before you had a breach and know who to bring in and what their roles are.
If you have an issue and the system is compromised, what are we going to do? In the event it happens you’re more prepared and you’re not trying to make it up as you go.
You’ll also need to have many different areas of your organization involved. Some of these areas include: communication, risk and compliance, legal and all of your operations support. It’s important that all of your partners are able to jump into the scenario as well.
If a breach does occur, you’ll want to isolate and quickly determine what was compromised. However, it can take some time to isolate the situation. Next, you’ll want to determine how it was compromised and how a bad actor got in. This will take a lot of time and research. From there, you’ll want to see if any data or personal information was taken, and then you’ll need to determine if taking down those systems is necessary.
Eventually, you need to report out the impact whether it’s internal or external customers and inform them of the situation.
How have recent privacy measures like The California Consumer Privacy Act (CCPA), CPRA, GDPR and other related laws affected your business? How do you think they might affect business in general?
For businesses, understanding data and how it’s being used is critical with all regulations — and CCPA, CPRA and GDPR are no exception. There’s a lot of businesses on the smaller side that may not be prepared to comply.
What are the most common data security and cybersecurity mistakes you have seen companies make?
One mistake is that all too many companies aren’t using multi- or two-factor authentication. For example, we have it on your iPhone and on your banking account. Oftentimes, many of the tools we use every single day have security capabilities embedded — it’s just a matter of enabling them.
Since the COVID-19 pandemic began and companies have become more dispersed, have you seen an uptick in cybersecurity or privacy errors? Can you explain?
Phishing scams are extremely prevalent. As the pandemic continues, there’s been a startling increase in these attacks. The number of malicious domains increased by 150% since the beginning of COVID, along with a 13-fold increase in blocked malicious queries. It’s a general rule that has held during COVID that anytime there’s something that upends part of the world, cybercriminals are going to use those situations to get the best of the businesses and individuals affected.
What are the “5 Things Every Company Needs To Know To Tighten Up Its Approach to Data Privacy and Cybersecurity” and why? (Please share a story or example for each.)
Businesses should take the following into consideration when protecting their employees, assets, and customers from cybercriminals:
- Rethink cloud security: As companies become increasingly reliant on the cloud — especially during the pandemic — they need to be aware of their cloud footprint at any given time in order to ensure that unused applications are removed. This added level of security and validation ensures you aren’t leaving your business and customers vulnerable to leaky, unused cloud apps that could cause a customer data breach.
- Secure Customer Disruption: While phishing and ransomware remain the biggest threat to businesses of all sizes, DDoS attack traffic has also greatly increased within the last year. During these attacks, businesses are not able to serve their customers online, transact with supply chain partners, or interact with their employees. This prolonged disruption translates to loss. While these threats aren’t new, the volume of attacks continues to spike over time.
- Educate employees: IT security leaders can protect personnel and environments by educating employees on what to avoid in emails and other communications, and by boosting security measures on the devices being used and the connections between remote employees and corporate networks.
- Require Multi-Factor Authentication: Two-factor authentication is a subset of multi-factor authentication, which requires more than two pieces of evidence to authenticate that a person is who they say they are when logging in. For example, some access requires entering a code sent to a specific user’s device after entering their username and password. By enabling multi-factor authentication, employers can prevent unwanted access, even after a hacker has obtained a user’s login and password.
- Employ Virtual Desktop Infrastructure Security: Companies can use a virtual desktop infrastructure (VDI) to provide the needed resources to get work done without exposing the underlying network to the threats posed by unsecured devices. VDI, often available via cloud-based offerings, renders an image and doesn’t download actual data to the device, blocking off unnecessary access.
This was very inspiring and informative. Thank you so much for the time you spent with this interview!