Troy La Huis, a principal at Crowe, was recently named the leader of its global digital security group. He understands the cybersecurity challenges that organizations face today. La Huis and the digital security group at Crowe help organizations analyze their current cybersecurity posture. They also design enterprise programs tailored to needs that are critical for organizations and their stakeholders.
Why is it so important for organizations to re-examine their cybersecurity stances now?
Troy La Huis: We’re experiencing a digital transformation as organizations accumulate digital assets, whether in the form of intellectual property or data – including how that data is made available to many parties. Organizations are switching from primarily face-to-face communication with their clients to primarily digital communication. As business globalizes and organizations rely more on third-party providers, organizations are deploying more devices and moving more sensitive business and personal data.
All this means that most organizations are more vulnerable to cybercrime than ever before. And cybercriminals aren’t as discriminating about their targets as one might think, especially when it comes to weapons such as ransomware. They can target any organization with flaws because much of their offensive is automated – the criminals put hundreds or thousands of attacks out there and wait for one to hit.
Sometimes all it takes is one system that isn’t patched or updated. Organizations can perform 99 out of 100 cybersecurity tasks properly, but that one misstep leaves the front and back doors open to criminals and costly breaches.
How should organizations shift their approaches to cybersecurity?
Troy La Huis: Even though things are changing rapidly, a lot is still the same, so they need to consider protection, detection, response, and recovery. Historically, organizations have been heavily focused on protection, or building a ring around the organization. But today’s cybersecurity environment calls for greater detection, response, and recovery efforts because no matter which protection controls organizations implement, everyone is susceptible to attack. Protection alone will never be sufficient.
What are some common cybersecurity missteps you see organizations make?
Troy La Huis: When you look at some of the recent data breaches that have received a lot of attention, several factors pop up again and again – weak passwords, weak system patching procedures, poor governance, poor training, a lack of incident response planning, and a single point of failure.
It’s informative, too, to look at what these organizations did as far as cybersecurity. In many cases, they invested significantly in time, money, and resources, built protective perimeters, and passed their compliance examinations. Yet they still fell victim to attacks. Those efforts weren’t enough.
Many organizations also overlook or underestimate what we call “insider risk.” We often think of a cyberattack as coming from some masked individual in a basement in Russia, but it’s almost as likely to come from an insider, whether intentionally or not. Employees need to understand clearly how their actions affect an organization’s security.
Organizations increasingly grasp the risk associated with employees’ ignorance of their cybersecurity roles, but they tend to conceive of the risk too narrowly. They think in terms of phishing scams intended to induce individuals to click on a link that will unleash malware or to turn over their login credentials. They don’t think about, for example, how the human resources (HR) department has access to mounds of employee data and whether those employees know how to secure it when sending it to, say, a payroll services provider.
What advice do you have for organizations that want to improve their cybersecurity?
Troy La Huis: The first step is to identify exactly what they need to protect. Most organizations jump right to protection, and maybe some incidental response planning, without stepping back to identify what they’re really trying to protect and, in turn, whether they make attractive targets. As a result, they go further than perhaps necessary with their protective measures. Not everything is sensitive. A manufacturer, for example, might not possess a lot of intellectual property or other sensitive digital assets that warrant protection. It will, however, want to maintain system operations and ensure business continuity.
Once an organization determines the data it needs to protect, it should consider the exposure points – who threatens that data and how – as well as its risk tolerance, meaning the level of risk it is willing to assume. For example, do third parties such as vendors or clients have access to the network? The hackers who attacked Target several years ago gained access to the company’s network by stealing credentials from a heating and ventilation firm that was allowed access to monitor and maintain HVAC systems. An organization must decide whether the convenience of this type of arrangement outweighs the associated risk. If so, it must take steps to protect against that risk.
Is an enterprise-wide approach the best approach?
Troy La Huis: It’s true that risks are so pervasive and complex that we can no longer afford to view cybersecurity as a standalone function assigned to a single department. Every job in the organization plays a role, so organizations must develop a culture of cybersecurity.
The most effective means of protection threads the control environment throughout the entire organization, but I also advocate considering each business unit, rather than examining risk and control at the enterprise level. For example, if analysts look at an HR department, they would be able to dissect the various sets of sensitive data that it owns and accesses. After gaining visibility, analysts can begin to understand the sensitivity of the data. They might determine that employee rating information, for example, is not critical, but that medical information or personally identifiable information is.
At the same time, organizations need to look at how they are controlling access to this information and with whom they are sharing it, both inside and outside the organization. Are they sharing medical information in a secure manner? Do they know what happens with it after it is shared with third parties? Do they have strong controls on the transmission of data or on data at rest? Do the HR employees understand how to keep it secure and how to recognize if a control is breached? The continuing focus on data privacy regulations will only increase the need for this level of identification.
Once an organization has evaluated each business unit, it can map and manage its control environment. Instead of, for example, logging and monitoring access across every unit, it can be specific about where such activities are appropriate.
Where do you see the cybersecurity landscape moving in the future?
Troy La Huis: Attackers are getting more sophisticated and are using methods that bypass traditional cybersecurity controls. Right now, bringing the entire organization together to fight back is critical. Organizations also need to expand their security ecosystems to include their third parties and to connect with other organizations in their industries to share information and collaborate.
In addition, executive management and boards of directors must take on a greater role throughout the process. Those individuals are facing higher regulatory expectations for their participation in and knowledge about cybersecurity. And, of course, it simply makes good governance sense for them to have more than a general awareness. In too many situations, the catalyst for executive involvement and understanding is a breach. Organizations around the world and across industries have acknowledged cybersecurity as a critical issue, so leaders must be engaged and informed.
Isn’t technology the ultimate answer?
Troy La Huis: Too many organizations measure their cybersecurity initiatives by dollars spent on technology, but effective cybersecurity requires much more than technology. Technology must be complemented by communication – between the chief information security officer and the board and executive management and between the company and its third parties. All the cogs in the machine must have a common language and understanding of the organization’s cybersecurity goals and framework.