
Cybersecurity Deep Dive

By Pittsburgh Technology Council

As businesses look to navigate an ever-changing technological landscape, cybersecurity remains a top priority. With cyberattacks becoming increasingly sophisticated and frequent, companies must stay up to date on the latest trends, opportunities and threats in the cybersecurity space.

TEQ tapped Pittsburgh Technology Council Member experts for their insights on what will shape the cybersecurity landscape for the foreseeable future.

Five Trends Driving 2023

Martin Shepherd, Arch Access Controls

It cannot be said enough: cybersecurity is an ever-evolving field. As technology continues to advance, so do the threats that businesses face. In 2023, there are several trends in cybersecurity that small and midsized businesses (SMBs) should be aware of to protect themselves and their customers.

Increased use of cloud computing: The trend towards cloud computing continues to grow, and migrating to the cloud can offer many benefits to SMBs, including increased scalability and reduced costs. However, the process can also present several challenges. One of the main challenges is ensuring the security of sensitive information in the cloud. SMBs need to be confident that their cloud provider implements proper security measures and that their own security practices are up to date. Another challenge is the potential disruption to operations during the migration process. SMBs need to carefully plan the migration to minimize downtime and ensure that their operations are not impacted. Finally, SMBs may also face a lack of technical expertise in-house, which can make the migration process more difficult. These challenges highlight the importance of careful planning and a thorough understanding of the cloud for SMBs looking to migrate to the cloud.

Growing importance of artificial intelligence and machine learning: AI and machine learning are becoming increasingly important in the fight against cyber threats. AI can help identify and respond to threats in real-time, while machine learning can be used to analyze large amounts of data and identify patterns that may indicate a threat. SMBs should consider investing in endpoint threat protection that leverages AI and machine learning technologies to improve their cybersecurity posture.

Rise of the Internet of Things (IoT): The IoT is growing rapidly, and SMBs are adopting connected devices in their operations. However, these devices can be vulnerable to attack and can potentially compromise the entire network. SMBs need to be aware of these vulnerabilities and take steps to mitigate them. One vulnerability is the lack of security in many IoT devices, which can make them easy targets for cybercriminals. Another vulnerability is the potential for unauthorized access to sensitive information transmitted by these devices.

Increased focus on data privacy: Data privacy has become a hot topic in recent years, and the trend is only going to continue in 2023. SMBs need to be aware of their obligations under privacy laws and should implement appropriate measures to protect their customers’ personal information. This includes regularly reviewing and updating their privacy policies, implementing encryption technologies, and conducting regular security audits.

Importance of incident response planning: No matter how good your security measures are, there’s always a chance of a security incident occurring. SMBs need to have an incident response plan in place so that they know what to do in the event of a breach. This plan should outline the roles and responsibilities of different employees, what steps to take to contain the incident, and how to communicate with customers and the public.

Companies should seek guidance for managing access to sensitive information and implement solutions with features like multi-factor authentication, role-based access controls and real-time monitoring. These capabilities help ensure that only authorized users can access sensitive information, reducing the risk of data breaches and other security incidents.


Why Your Company Should Care About Cloud Security Posture Management (CSPM)

Michele McGough, solutions4networks

Even though the idea of cloud computing started in 2006, we are still learning how to best balance the big benefits of the technology with its security needs. Too many organizations are allowing developers to spin up or add applications in the cloud without putting the required configurations in place, without setting up the security controls needed to protect the data, and without considering the many other significant ramifications.

In the simplest terms, putting an application in the cloud does not by itself ensure that the data, or your network, is safe. And this puts your company in danger. There needs to be a plan, policies and procedures. This is where and why CSPM becomes critical.

Cloud computing creates confusion: who is responsible for securing what? It takes effort, focus and diligent communication to establish a shared understanding about who oversees which parts of complex cloud environments. It is equally important to ensure responsible parties have enough access and visibility to manage their part but not (as is usually the default) far more access than they should have.

As organizations have moved more of their operations to the cloud, more sensitive data and mission-critical systems and services have moved as well. This increase in cloud usage has resulted in a 28% escalation in vulnerabilities since 2021, according to the 2022 IBM Security X-Force Cloud Threat Landscape Report. The highest percentage of errors comes from cloud misconfigurations and human error. The famous 2019 Capital One breach was traced to a misconfigured web application firewall. This cost the organization $80 million in fines and another $190 million in settled customer lawsuits.

Could a proper configuration have prevented the Capital One breach? Absolutely. But the problem is not as straightforward as a single error enabling a specific attack, since sadly many organizations have massive numbers of misconfigurations. This is precisely what CSPM can help prevent. It can identify all kinds of misconfigurations, including firewall misconfigurations.

Every cloud misconfiguration is a potential vulnerability, waiting to be exploited.

The long-winded point is that the transition to the cloud and the evolution of complex, multi-cloud environments significantly increase each organization’s vulnerable attack surface. Though the cloud alternative was touted for many years as an act of simplification, it is not. CSPM really is necessary to keep cloud configurations secure.

While every cloud scenario is unique, here are some broad categories for CSPM best practices:

  • Use the best CSPM solution you can find for your organization. Depending on your size, some are very cost effective.
  • Clearly define responsibilities and the range of permissions.
  • Embrace the Shared Responsibility Model and Least Privilege Access.
  • Protect against the most common misconfigurations.
  • Monitor compliance and act on violations.
  • Establish and maintain full visibility.
  • Guard against internal threats, not simply external ones.

Don’t Neglect the Basics: The Key to Effective Cybersecurity

David Biser, Security Engineer II, Ideal Integrations

2023 is underway, and so are cyberattacks. From network breaches to ransomware to malware, the attacks continue. What are businesses, a CISO or a CIO to do? Perhaps it is time to take a step back and re-evaluate the battlefield.

The battlefield is a flurry of activity. Every year cybersecurity firms release reports highlighting the events of the past year and making predictions for the year ahead. These reports bring forth a few common truths, ignored year after year.

We could go over statistics showing costs of a breach. We could go over statistics showing increases in network intrusions. We could use catch phrases such as “A.I.” or “Machine Learning.” None of these provide the answer, which should be obviously simple and immediately actionable. Pay attention to your cybersecurity program!

Every year cybersecurity leaders report several problems that they face. Examples include:

  • Lack of awareness
  • Lack of funding
  • Lack of properly trained personnel
  • Lack of properly configured security tools

It is as simple as that. Ideal Integrations and Blue Bastion handle many different cybersecurity incidents every year. We see the same problems arise: neglect of the basics leads to breaches.

The lack of proper vulnerability management and patching: 2022 was the year of the vulnerability breach. We experienced multiple Microsoft vulnerabilities focused on the Exchange system. These vulnerabilities, unpatched and unaddressed, led to many breaches. It should have been simple enough to patch and mitigate the attack vector, but many IT teams lacked the personnel or knowledge to perform this, and attackers took advantage of it.


Our Adversaries Are Awake While We Are Asleep, Someone Wake Me Up!

David Kane, Ethical Intruder

In 2022, I had an opportunity abroad to present a keynote speech at a cybersecurity conference on the topic of Incident Response. After I spoke, as a lead-in for the day’s activities, there was a rundown of several sophisticated incidents over the past year that resulted in access to corporate systems and, in many cases, included exfiltrating sensitive data and intellectual property.

As I listened to the presented attack scenarios, I realized there was a trend: each scenario began with some of the same basic cyber hygiene failures. Each incident was initiated due to old and/or bad passwords, lack of MFA on legacy systems, lack of proper asset inventory, missed opportunities for endpoint protection, employees clicking on phishing emails, over-scoped access controls or inappropriately provisioned administrative access. The point is that basic cyber hygiene could have prevented every one of these vectors that led to a more sophisticated attack.

In February of this year, Pittsburgh was fortunate to have Jen Easterly, CISA Director, speak at Carnegie Mellon about a renewed focus on resiliency towards our adversaries. Within days, President Biden announced his new Cybersecurity initiative where almost every article mentioned Jen’s announcement. So how can we protect our Pittsburgh organizations that are so vital to local, state and national innovation from our emboldened adversaries?

I have two immediate recommendations. First is to utilize open-source security frameworks (unless you are already invested in a framework such as SOC, ISO or PCI). Second is not to skip step one simply because of the size of your organization, whether by avoiding a security risk assessment or framework review because the organization is “too big” or “too small,” or by assuming threat actors do not care about “our data.” Meanwhile, the threat actors are hoping we have these opinions.

There are several security frameworks available for organizations to either follow themselves or bring in companies that can assist with the process. The Center for Internet Security (CIS) Controls and the NIST Cyber Security Framework (CSF) are good starting points if your organization is not already mature in cybersecurity or you want a basic cyber hygiene “health check.” One nice aspect of the CIS Controls is that they consist of three Implementation Groups (IGs), with the first group considered cyber hygiene basics. These controls should be achieved by organizations of all sizes, and the CIS Controls allow your organization to do so without feeling overwhelmed.

As for organization size, all companies matter when it comes to protecting Pittsburgh’s organizational, customer and intellectual property data. We are fortunate that Pittsburgh is a big player in many fields: manufacturing, healthcare, robotics and autonomous vehicles, to name just a few. We are all excited that Pittsburgh is working towards, and likely can achieve, being the heartbeat of tech across the U.S. It is important for all organizations to review the basics, the easiest way we can battle our adversaries. They are counting on us being asleep while they are working overtime to take advantage of the opportunities we leave for them to obtain our most valued data.


Measuring Security Value Through ROI

Rahul Khanna, iVision

There are three things Chief Information Security Officers (CISOs) can and should articulate in terms of value of security to the leadership and their board of directors:

  • Determine the quantification of the business value vs. loss
  • Quantify the cost to implement the security initiative
  • Calculate the ROI of the prevention of loss to determine effectiveness of the investment

This “prescription” is not new, and it’s purely economics. This “recipe” can be used in the context of understanding risk aversion of a cyberattack. In the words of ChatGPT, “The ROI (Return on Investment) formula can be adapted to measure the return on investment for risk averted by using the following formula:

ROI = (Risk without mitigation – Risk with mitigation) / Cost of mitigation”

Calculating the ROI – Without Mitigation

The risk without mitigation is easy to determine: it’s the current state.

For example, imagine you realize that administrative access to Azure AD, AWS and GCP is covered by each platform’s built-in privileged access controls, but the compute and storage services in AWS and GCP do not have the same conditional access policies or multi-factor authentication (MFA).

What would it take for you to react to a breach of access that a privileged access tool would have prevented? This would include costs like:

  • The reactive effort, time and resources to stop the breach (i.e., recover)
  • Analysis of breach, including value of data loss (i.e., root cause analysis)
  • Improvements in UEBA, ZeroTrust, training, etc. (i.e., prevention)
  • Potential legal and regulatory consequences and loss of trust / downward C-SAT (i.e., fallout)

All of this would give you the cost of risk without mitigation. Let’s use an easy figure of $100k per incident. Depending on your business or service, the relevant cyberthreats may include ransomware attacks, data theft and disruption of services that affect your ability to operate or earn revenue. Let’s say there is one of each per year, for a total of $300k per year.

Calculating the ROI – With Mitigation

Now, to determine risk with mitigation, you first need to understand the cost of mitigation. Let’s use the risk to privileged access to assets, whether domain controllers, cloud services, network devices or even documents or file-sharing services that contain intellectual property. So, you inquire of a vendor regarding their capabilities. They quote you $100k per year for a full suite and $100k to implement the solution. The total cost may include:

  • License cost (annual)
  • Implementation (one-time)
  • Training (one-time)
  • Operational (annual)

Additional costs would include $50k for training and $50k for operations, for a total cost of $300k in year one, but $100k annually from Year 2 onwards.

Let’s assume that the tooling, in this scenario, would reduce the losses from data theft and ransomware attacks by 99%, but the losses from disruption of services by only 20%. Let’s tally the remaining risk as:

  • Ransomware attacks – $1k
  • Data theft – $1k
  • Disruption of services – $80k

Putting It All Together

In summary, we have:

  • Risk without mitigation: $300k
  • Risk with mitigation: $82k
  • Cost of mitigation: $300k

Let’s plug our figures into the ROI formula, which now shows:

ROI Year 1 = ($300k – $82k) / $300k
ROI = 73%

The percentage of this example ROI shows the effectiveness of moving forward with the risk mitigation strategy just for Year 1. The ROI for Years 2 and onwards shows:

ROI Years 2+ = ($300k – $82k) / $150k
ROI Years 2+ = 140%

So, year one risk mitigation demonstrates 73% effectiveness, while Years 2 and onward show the mitigation of risk (i.e., risk aversion) returning nearly double the benefit of the investment!

Again, a no-brainer to proceed.

Showing this type of quantification of cyber risk aversion to the overall business or service articulates the request in terms your chief financial officer (CFO) will clearly see as a necessary investment worth funding year to year.