Forbes: Cyber ‘Shark’, Robert Herjavec, Advocates Maintaining ‘Cyber-Hygiene’ For Businesses (Part 1)
March 1, 2018
I had the opportunity to interview Robert Herjavec in an exclusive, two-part series about his views on the current state of the cybersecurity industry. Part 1 of this interview covers the state of the industry itself.
Andrew Rossow: If you had to describe the current state of the cyber-security industry today, how would you describe it?
Robert Herjavec: ACTIVE. We’re in a very challenging time where warfare is being fought in cyberspace and the threats aren’t going to slow down anytime soon. It’s a great industry to be a part of, but at the same time, the diligence required by individuals, corporations and governments has never been higher.
Rossow: What would you consider to be the two biggest threats facing enterprises today?
Herjavec: Cryptocurrency “mining bots” are the new thing, and we’re seeing that expressed with webserver compromise, browser hijacking, and even web ads that are co-opting your processor to mine coins.
We are also seeing a resurgence in banking trojans. While there is a drop off in ransomware, the attacks are changing. Everyone should be using two-factor authentication wherever possible and changing their unique passwords frequently. We can expect phishing attacks to become more sophisticated as well.
“I used to say that you didn’t win a lottery you didn’t enter, no one from Russia is emailing to marry you, etc., but now these attacks are becoming far harder to recognize” —Robert Herjavec, Shark Tank Investor & CEO/Founder of Herjavec Group
Understanding The Industry
Over the past few years alone, we have seen data breaches of every kind: at retailers such as Target and Home Depot; at Sony and Yahoo; in healthcare, at Anthem; at the credit bureaus Experian and Equifax; and at transport services such as Uber. But what lessons can we take from each of these incidents?
It’s about doing the basics well, says Herjavec. “We have to double down on compliance measures, cyber-hygiene and the elements of a proactive cyber defense to combat advanced cyber threats.”
In order to combat these threats, one must understand the cybersecurity industry itself. Herjavec emphasized that this entails “knowing what directives your industry is responsible for adhering to and following them, such as PCI, GDPR, PIPEDA, etc.”
Herjavec next turned to the idea of maintaining ‘cyber-hygiene.’ This means changing your passwords, having strong user access and control management alongside device management, patching on time, managing your rogue assets, and, of course, using multi-factor authentication.
Security awareness training for employees and staff is vital for a business of any size. People are the weakest link, and it is every business owner’s responsibility to educate their staff, says the cyber-security expert.
But what happens when companies are financially limited in providing such resources? Companies that lack the IT resources or in-house expertise to support all of this should engage third-party cybersecurity providers, or managed security services providers, to support their cyber-defense efforts, suggests Herjavec.
With Every Breach, Comes A Lesson
Rossow: What should business executives take away from each of these incidents, whether witnessing them or being victimized by them?
Herjavec: The high-profile breaches that we see in the news typically come down to (1) unpatched systems that allowed the enterprise to be open to compromise, and (2) increased damage due to a lack of visibility.
Lesson #1: Buckle Down On Cyber-Hygiene
Enterprises need to buckle down on their cyber-hygiene and ensure they have the controls in place to police and monitor user access at all levels. Executives should ask themselves questions concerning the scope and visibility of their network:
- What’s going on in their network?
- How many devices are connected?
- Is there anomalous behavior occurring?
- What does the data tell us?
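The questions above (how many devices are on the network, which of them the organization actually knows about, and which are overdue for patching) can be answered by reconciling observed devices against the asset inventory. The following is an added example, not code from the article or from Herjavec Group; the inventory records, the DHCP-style lease lines, and the 30-day patch threshold are constructed for illustration.

```python
"""Reconcile devices observed on the network against the asset inventory.

Added example, not from the article or Herjavec Group. The inventory,
the lease-log lines, and the patch-age threshold are constructed.
"""
import re
from datetime import date

# Constructed asset inventory keyed by MAC address: what the organization
# believes is on its network, and when each asset was last patched.
INVENTORY = {
    "aa:bb:cc:00:00:01": {"host": "fileserver-01", "owner": "IT", "last_patched": date(2018, 2, 20)},
    "aa:bb:cc:00:00:02": {"host": "hr-laptop-07", "owner": "HR", "last_patched": date(2017, 9, 3)},
    "aa:bb:cc:00:00:03": {"host": "printer-2f", "owner": "Facilities", "last_patched": date(2018, 1, 15)},
}

# Constructed DHCP lease lines in the common "DHCPACK on <ip> to <mac> (<name>)" shape.
# The third line is a device nobody registered: a rogue asset.
LEASE_LOG = """\
Feb 28 09:12:01 dhcpd: DHCPACK on 10.0.1.10 to aa:bb:cc:00:00:01 (fileserver-01) via eth0
Feb 28 09:12:44 dhcpd: DHCPACK on 10.0.1.23 to aa:bb:cc:00:00:02 (hr-laptop-07) via eth0
Feb 28 09:13:10 dhcpd: DHCPACK on 10.0.1.57 to de:ad:be:ef:12:34 (android-3f9c) via eth0
Feb 28 09:14:02 dhcpd: DHCPACK on 10.0.1.10 to aa:bb:cc:00:00:01 (fileserver-01) via eth0
"""

LEASE_RE = re.compile(
    r"DHCPACK on (?P<ip>\S+) to (?P<mac>[0-9a-fA-F:]{17})(?: \((?P<name>[^)]*)\))?"
)


def parse_leases(log):
    """Return {mac: (ip, hostname)} for every distinct device in the lease log."""
    seen = {}
    for line in log.splitlines():
        m = LEASE_RE.search(line)
        if m:
            seen[m["mac"].lower()] = (m["ip"], m["name"] or "")
    return seen


def reconcile(inventory, seen, today, max_patch_age_days=30):
    """Answer the visibility questions from the observed devices and the inventory.

    rogue   - seen on the wire but absent from the inventory
    missing - in the inventory but not seen (decommissioned, or inventory is stale)
    overdue - known, active, and not patched within max_patch_age_days
    """
    rogue = sorted(mac for mac in seen if mac not in inventory)
    missing = sorted(mac for mac in inventory if mac not in seen)
    overdue = sorted(
        rec["host"]
        for mac, rec in inventory.items()
        if mac in seen and (today - rec["last_patched"]).days > max_patch_age_days
    )
    return {"observed": len(seen), "rogue": rogue, "missing": missing, "overdue": overdue}


if __name__ == "__main__":
    report = reconcile(INVENTORY, parse_leases(LEASE_LOG), date(2018, 3, 1))
    for key, value in report.items():
        print(f"{key:9}: {value}")
```

In practice the inventory would come from a CMDB or endpoint agent and the observed set from DHCP, ARP, switch CAM tables or NAC logs; the point is that the diff between the two lists is the visibility gap, and a device that appears in `rogue` is exactly the one no patching process will ever reach.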
Lesson #2: Have a Data Incident Response Policy
No matter your size you have to be prepared, says Herjavec. Security isn’t perfect, but preparation goes a long way in minimizing financial damages and reputational impact.
Herjavec provided me with some tips when it comes to creating a basic data protection policy:
- Document how your data is stored and protected
- Understand the cost and impact if that data were stolen
- Create policies, procedures, and guidelines for handling information security incidents
- Ensure visibility into critical activity and behavior in the business environment
- Practice and learn
Herjavec encourages businesses to involve their legal team, local law enforcement, and even customers. If nothing else, he suggested, there are incident response firms that can assist in building out a custom framework.
Lesson #3: Access Control and Visibility
Understanding which parties in an organization have access to which information is key. Once you know that, ask yourself, “WHY?”, emphasized Herjavec. Then ask how long they need that access for and what controls [are] in place to monitor it.
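Those four questions (who has access, why, for how long, and is it monitored) are the checklist of a periodic access review. The following is an added example, not code from the article or from Herjavec Group, that runs that checklist over a constructed export of access grants; the record fields, the 90-day staleness window and the 365-day limit on standing privileged access are assumptions chosen for illustration.

```python
"""Periodic access review over an access-grant export.

Added example, not from the article or Herjavec Group. The grant records
and the policy thresholds are constructed for illustration.
"""
from datetime import date

# Constructed grants, shaped like an IAM or directory export. "expires" is
# present only on time-boxed grants; "audited" says whether use of the grant
# is written to a monitored audit log.
GRANTS = [
    {"user": "alice", "resource": "payroll-db", "role": "admin",
     "granted": date(2017, 1, 10), "justification": "Payroll lead",
     "last_used": date(2018, 2, 27), "audited": True},
    {"user": "bob", "resource": "payroll-db", "role": "admin",
     "granted": date(2017, 6, 1), "justification": "",
     "last_used": date(2017, 8, 2), "audited": True},
    {"user": "carol", "resource": "customer-s3", "role": "read",
     "granted": date(2018, 2, 1), "justification": "Support ticket triage",
     "last_used": date(2018, 2, 28), "audited": False},
    {"user": "dave", "resource": "customer-s3", "role": "admin",
     "granted": date(2018, 2, 1), "justification": "Migration project",
     "last_used": None, "audited": False, "expires": date(2018, 3, 15)},
]

PRIVILEGED_ROLES = {"admin"}


def review(grants, today, stale_days=90, max_privileged_days=365):
    """Return (grant_key, reason) findings for every grant that fails a check.

    Checks, in the order of the questions in the text:
      why      - a grant with no recorded justification
      how long - a grant unused for longer than stale_days, and standing
                 (non-expiring) privileged access older than max_privileged_days
      controls - privileged access whose use is not audit-logged
    """
    findings = []
    for g in grants:
        key = f"{g['user']}:{g['resource']}:{g['role']}"
        if not g["justification"]:
            findings.append((key, "no documented reason for access"))
        # A grant that was never used counts from the day it was granted.
        last = g["last_used"] or g["granted"]
        idle = (today - last).days
        if idle > stale_days:
            findings.append((key, f"unused for {idle} days"))
        if g["role"] in PRIVILEGED_ROLES:
            age = (today - g["granted"]).days
            if "expires" not in g and age > max_privileged_days:
                findings.append((key, "standing privileged access older than policy allows"))
            if not g["audited"]:
                findings.append((key, "privileged access without audit logging"))
    return findings


if __name__ == "__main__":
    for key, reason in review(GRANTS, date(2018, 3, 1)):
        print(f"{key:28} {reason}")
```

The output is a worklist, not a verdict: a finding means the owner of the resource has to either re-justify the grant, time-box it, put its use behind an audit log, or remove it. Running the same review on a schedule is what turns a one-off clean-up into the ongoing "controls in place to monitor that access" the text asks for.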
It's not if you're breached, it's when. What's your next move?
Check out Part 2 of my interview with Robert Herjavec, talking directly to millennials who are interested in the cyber-security industry.
Originally posted on forbes.com