Cybersecurity needs to be "a team sport": Homeland Security official

Feb. 11, 2015
All employees need to take ownership of mitigating cyber risks, DHS cybersecurity expert tells ARC forum audience.

One of the biggest mistakes a company can make in thinking about cybersecurity is thinking of it strictly as a technology concern, a Department of Homeland Security official told ARC Forum attendees Tuesday.

"Many of you folks previously thought cybersecurity was all about technology," said Gregory Touhill, deputy assistant secretary of cybersecurity operations and programs at the DHS and a retired brigadier general. "I'm here to tell you cybersecurity is not a technology issue; it's a risk-management issue."

As such, companies need to ensure cybersecurity isn't relegated to IT-specific discussions but rather is a staple of meeting agendas and a factor in all decisions made that address business risks.

"Do you know how much your information is worth?" Touhill asked. Businesses too often fail to account for the value of their intellectual property when they do asset valuations, he said. And the financial and reputational risks posed by the theft of intellectual property or the exposure of client or personnel information can destroy a business.

Currently in the commercial sector, the average length of time between when a security breach occurs and when the affected business detects that breach is more than 240 days, Touhill said. "That's unacceptable," he said. "I'd like to know (as a business owner) when they're coming through the gate, not when they're going out the gate."

Getting all employees to understand that cybersecurity is a 24/7 responsibility and that no single piece of software or other technology is a fail-safe protection against cyber threats is essential, according to Touhill.

"Are you training your workforce to take the same cybersecurity precautions at home as they do at work?" Touhill challenged. Sophisticated hackers have begun targeting companies' high-ranking employees at home, he said, trying to get access to sensitive business information made vulnerable when employees work away from the office on less-well-protected devices or using less-secure networks.

And it's not just nation-state actors or individuals looking to sell stolen protected information who pose a cyber-threat, Touhill added. Hacktivists—"folks who don't necessarily agree with your company's mission or core values"—may look to damage a company by exposing sensitive business information. Hacktivism is "something that wise companies keep in mind as part of their risk calculus," he stated.

Mitigation of cyber-risks is multifaceted, Touhill noted. "Technology alone is not going to solve all of your problems," he said. Cybersecurity requires a vigilant mindset—a company-wide awareness of and respect for the multitude of very real business risks posed by malware, phishing scams and more. "If any salesman comes to you and says, 'I have the solution that's going to make you bulletproof,' then alarm bells should be going off in your mind," he said.

Touhill advised attendees to take a five-pronged, "defense-in-depth" approach to cybersecurity: identify, protect, detect, respond and recover.

The first step, identification, involves taking stock of the business's information assets and determining which of these are of highest value and most critical to the business. Protection and detection require a commitment on the part of all employees—permanent and contract workers in all functions of the business. And it's vital for companies to have—and, of equal importance, to rehearse—a response and recovery plan they will employ in the event of a security breach.

"You have to have a plan and you have to practice it," he said. "How many times does your company practice (dealing with) a major disaster with your IT infrastructure?"

"The time to generate a response plan to a hack is not the morning of an attack," Touhill noted.
