BSides is a series of community-run security conferences held in cities across the country, where IT students, professionals, and educators gather to share expertise and insights into major security concerns. The conferences are free to attend (you still need to register and get a ticket) and are invaluable to companies concerned about their security.
I was fortunate enough to go to BSides Detroit on June 7th and 8th and caught some really great conversations. The following are a few highlights from the show:
The Ever-Evolving Security Landscape
Jeff Multz, Dell SecureWorks
One of the strongest takeaways from Multz’s talk was that companies should treat compliance as a framework, not as proof of security, because being compliant doesn’t mean being impenetrable (this reminds me of the Bashas supermarket chain being breached while it was compliant).
He cited figures that 92% of breach incidents were discovered by a third party, and that 40% of attacks in the past two years targeted companies with fewer than 500 employees (the reason, Multz explained, is that smaller companies tend to have smaller IT budgets, so their security may be easier for an attacker to bypass).
Multz also gave a list of motivations behind cyber crime:
The last bullet point is why Multz was adamant that companies be thorough when choosing a vendor: a breach of your company could very well be the result of lax vendor security. It’s therefore important for a company to do its due diligence and understand how seriously potential vendors take security.
Creating A Powerful User Defense Against Attackers
Ben Ten, VP of Information Systems for a medical billing company in IL
This was an incredibly informative talk about the role of users within a company’s security framework. Ten started by reminding the audience that users can leave the door wide open for attackers to come in and breach a company. Because of this, the user becomes a crucial focal point when considering a company’s security.
He cited that 90% of malware needs human interaction in order to work, and that 77% of attacks are phishing scams. He also noted that the more emails a given phishing campaign sends, the more people click. That’s what makes training staff so important, and yet current training is largely ineffective.
Ten explained that several things doom user security training from the start. The first is user apathy: users may not understand the point of the training, and may see the exercise as nothing more than a four-hour talk about things that aren’t interesting or relevant to them. Ten addressed this at his own workplace by incentivizing security training.
The second is a matter of mutual respect. Ten says the general perception of people in an IT department is that they’re intolerant, impolite, impatient, and irritating. When someone who knows less about IT asks that department for help, the response is often condescending or impatient. The result is users who respond apathetically to security training, or not at all when a targeted attack is actually happening in the office.
The flip side is the perception of users as inept, ignorant, and irresponsible. When someone in the IT department gets a call from a user in another department who doesn’t understand why spilling soda on their keyboard last week is causing a malfunction, it can be hard to keep calm.
However, Ten explains that mutual respect and understanding within the organization is one of the best first steps toward healthy user security. It can increase how often users report potential attacks as they encounter them, and it can mean more personal investment from workers in the security of their workplace.
Security BSides information and upcoming events
Each BSides is a community-driven framework for building events for and by information security community members. The goal is to expand the spectrum of conversation beyond the traditional confines of space and time.