One of the biggest mistakes a company can make in thinking about cybersecurity is thinking of it strictly as a technology concern, a Department of Homeland Security official told ARC Forum attendees Tuesday.
"Many of you folks previously thought cybersecurity was all about technology," said Gregory Touhill, deputy assistant secretary of cybersecurity operations and programs at the DHS and a retired brigadier general. "I'm here to tell you cybersecurity is not a technology issue; it's a risk-management issue."
As such, companies need to ensure cybersecurity isn't relegated to IT-specific discussions but rather is a staple of meeting agendas and a factor in all decisions made that address business risks.
"Do you know how much your information is worth?" Touhill asked. Businesses too often fail to account for the value of their intellectual property when they do asset valuations, he said. And the financial threat and reputation risks posed by the theft of intellectual property or the exposure of client or personnel information can destroy a business.
Currently in the commercial sector, the average length of time between when a security breach occurs and when the affected business detects that breach is more than 240 days, Touhill said. "That's unacceptable," he said. "I'd like to know (as a business owner) when they're coming through the gate, not when they're going out the gate."
Getting all employees to understand that cybersecurity is a 24/7 responsibility and that no single piece of software or other technology is a fail-safe protection against cyber threats is essential, according to Touhill.
"Are you training your workforce to take the same cybersecurity precautions at home as they do at work?" Touhill challenged. Sophisticated hackers have begun targeting companies' high-ranking employees at home, he said, trying to get access to sensitive business information made vulnerable when employees work away from the office on less-well-protected devices or using less-secure networks.
And it's not just nation-state actors or individuals looking to sell stolen protected information who pose a cyber threat, Touhill added. Hacktivists—"folks who don't necessarily agree with your company's mission or core values"—may look to damage a company by exposing sensitive business information. Hacktivism is "something that wise companies keep in mind as part of their risk calculus," he stated.
Mitigation of cyber-risks is multifaceted, Touhill noted. "Technology alone is not going to solve all of your problems," he said. Cybersecurity requires a vigilant mindset—a company-wide awareness of and respect for the multitude of very real business risks posed by malware, phishing scams and more. "If any salesman comes to you and says, 'I have the solution that's going to make you bulletproof,' then alarm bells should be going off in your mind," he said.
Touhill advised attendees to take a five-pronged, "defense-in-depth" approach to cybersecurity: identify, protect, detect, respond and recover.
The first step, identification, involves taking stock of the business's information assets and determining which of these are of highest value and most critical to the business. Protection and detection require a commitment on the part of all employees—permanent and contract workers in all functions of the business. And it's vital for companies to have—and, of equal importance, to rehearse—a response and recovery plan they will employ in the event of a security breach.
"You have to have a plan and you have to practice it," he said. "How many times does your company practice (dealing with) a major disaster with your IT infrastructure?"
"The time to generate a response plan to a hack is not the morning of an attack," Touhill noted.