Insights on eMerge Americas 2015
eMerge Americas is an annual global idea exchange held in Miami, Florida, with a focus on how technology and innovation are disrupting industries. The conference connects small, mid cap and emerging firms with global industry leaders and investors through interactive sessions, keynotes and networking events. Matt Anthony, Herjavec Group’s SVP of Consulting & Remediation Services, had the privilege of attending eMerge Americas 2015 as part of a panel of information security experts and business leaders discussing how companies prepare themselves for the inevitable threat of external and internal cyber attacks, and how software has evolved to respond to these threats. Members of the panel included Stan Wisseman (CISSP, CISM, CSSLP, CCSK, TOGAF, Security Strategist, ESP//HP), Ian C. Ballon (Shareholder Greenberg Traurig), and moderator Myrna Soto (SVP & CIISO Comcast).
Much of the eMerge panel’s discussion focused on the type of information that small companies collect and how they collect it. Small to medium-sized businesses tend to try to manage information security in-house, but the panel unanimously agreed that it is better to seek out a managed services provider or cloud service. Additionally, small businesses are often keen to collect personal information, even though some of it may not be necessary to collect or store. The bottom line is: if you do not collect data, the data cannot be stolen or breached from you. While it seems obvious to say, malicious individuals or organizations cannot take or compromise what you don’t have. For example, in the case of PCI, rather than collect credit card information over the phone and store it in databases, it would be wiser to opt for a credit card processor to ensure that you never have to deal with the issues of PCI compliance. While the panel agreed that encryption is a strong protection for sensitive data, businesses must remain cognizant of the insider threat.
Another topic of discussion was the use of frameworks to manage information security programs. Panelists agreed that the type or name of the framework was not nearly as important as the fact that the business has an external set of guidelines governing its approach to its information security profile. The two frameworks recommended by Matt Anthony are the ISO 27000 series (specifically ISO 27001) and the NIST Framework. He suggests firms identify the policies that they want to apply to their organization, but also use these frameworks as a way to categorize activities for maturity risk assessment.
On a daily basis we learn about increasingly destructive and sophisticated cyber attacks against the world’s largest organizations. As the Fortune 1000s strengthen their defenses and develop healthier security profiles, cyber criminals are forced to target easier prey with weak defenses: emerging businesses. In fact, a report from Intel Security found almost 90% of small- and medium-sized businesses in the US do not use data protection for company and customer information. With this in mind, small to medium-sized and emerging companies need to understand the risks associated with the collection, use, sharing and storage of sensitive information and work proactively to secure it by adopting recognized frameworks and understanding information security at the board level.
For more information on Herjavec Group’s security consulting services, please contact a security specialist today.