Excelsior College School of Business and Technology
Announces its Speaker Series Presentation
Did you know that:
According to Catalyst’s research, few women are earning degrees in STEM, except in life sciences, and even fewer women of color earn STEM degrees. Women make up less than one quarter of individuals employed in STEM occupations.
Research identifies a “think manager, think male” mindset. Gender stereotypes such as “women take care; men take charge” are still present in organizations. While women make up approximately half of the U.S. labor force, they hold slightly over a third of management positions. Women are more likely to be managers in the human resources field and in health services.
In honor of International Women’s Day, the School of Business and Technology presents a panel discussing “Women in Technology and Management.”
Date: March 8, 2018
Time: 12-1pm EST
Title: Women in Technology and Management
Moderator: Michele Paludi
Bei Liu, Excelsior College
Barbara McCandless, formerly of St. Peter’s Health Partners
Karen Halaco, Excelsior College
Jennifer Goodall, SUNY Albany
Amelia Estwick, National Cybersecurity Institute at Excelsior College
Ransomware is on the rise, particularly in the finance industry. Hear from industry leaders about ransomware’s impact, latest trends, and what you can do to protect yourself and your company.
Facilitator: Bray Barnes, Director of Cybersecurity Initiatives, NCI
Panelists:
Dr. Jim Jones, Associate Professor, George Mason University
Kim Farington, CFO, FirstNet, Office of Personnel Management
Sam Mok, former CFO and Comptroller, US Dept. of Treasury/former CFO US Dept. of Labor
Celebrating National Cybersecurity Month 2016
The National Cybersecurity Institute at Excelsior College is pleased to announce its 2016 Cybersecurity Month activities. The purpose of this speaker series is to highlight key issues facing information assurance and security in some of our most important industry sectors. During the months of October and November, we will feature panel discussions with cyber experts in the finance, telecommunications, energy/utility, health care, and government arenas. These events are open to the public, educators, students, and all who are interested in the cyber defense issues we face today.
More about the National Cybersecurity Institute (NCI)
The NCI is shaping a coordinated effort to build the cybersecurity workforce and influence an informed leadership base that implements cutting-edge cybersecurity policy. The NCI targets the development of effective cybersecurity practice in specific sectors, including health care, finance, utilities/energy, telecommunications, and education/training, and works to increase knowledge of cybersecurity to help meet workforce demands through analysis of those sectors. The National Security Agency (NSA) and the Department of Homeland Security designated Excelsior College as a National Center of Academic Excellence in Cyber Defense Education, a recognition which extends through 2019.
Regardless of the industry you are in, cybersecurity has become a primary area of focus. The rapid advancement and sophistication of security attacks have caused widespread concern among organizations, with many trying to figure out how to protect their critical infrastructure against emerging cyberthreats. As businesses across the globe become more digital, they create an increasing number of channels and vectors of attack, producing an overwhelming number of security vulnerabilities companies have to deal with. Adding to the angst is that it seems all organizations – from public corporations to government agencies – are struggling to match the level of maturity hackers have today.
Knowing digital devices and computer systems could be breached can be overwhelming – even more so when a business doesn't quite understand what they can do to prevent a cybersecurity incident, or where they fall on the preparedness scale. According to ISACA's Global Cybersecurity Status report, the majority (83 percent) of organizations cite cyberattacks as being among the top three threats they face – but just 38 percent said they are prepared to deal with one.
Traditionally, there has been a problematic disconnect and lack of both integration and collaboration between the C-suite and IT departments. Often, the professionals who understand information security and – perhaps more importantly – are responsible for identifying, monitoring and mitigating risks, are not the same people responsible for making important business strategy and investment decisions. It is not enough to simply acknowledge that cybersecurity is a problem that needs to be addressed. To ensure adequate levels of protection, it is important for all stakeholders to have a comprehensive understanding of what the threats are, what is at stake and how to both prevent and respond to breaches in security.
"To know which areas need improvement, organizations must understand their risks."
Conduct relevant exercises
By assessing the problem areas within their organization, executives can gain a better understanding of which aspects need to be improved. CSO contributor David Greer recently highlighted a number of real-life scenarios that can reveal a company's incident response and cybersecurity preparedness. For example, by sending out mock spear-phishing emails, businesses can determine how often their employees fall for the scheme and click on the link, and whether the threat was reported to the right party. Obtaining such insight can help organizations significantly improve their cybersecurity because it points to where their biggest vulnerabilities are. In the above example, if internal users were a source of risk, the company would know that it would have to ramp up its awareness and training programs, as well as implement better policies and protocols for information security.
Adopt the best tools and practices
It's no surprise to learn that an organization's ability to detect and resolve a cyber risk before it turns into a full-blown data breach hinges largely on the capabilities and functionality of its software and tools. Investing in the best cybersecurity systems and data protection programs is a critical component of safeguarding computer networks. However, it is equally important to make sure that these technologies are installed and managed correctly, and that they are appropriately addressing the specific issues threatening the company.
Network World recently pointed out a handful of security practices that make it more difficult for hackers to penetrate a system, including:
Minimizing access to privileged accounts. According to the source, companies typically have two to three times as many privileged accounts as they have workers. Obviously, this is unnecessary – and it puts them at increased risk. Furthermore, the accounts that users do have admin access to should be password-protected.
Following best security practices for passwords. Businesses should make sure that their employees are securing their passwords by changing them often – something that will be significantly easier and more likely for them to do if there is a simple process in place for doing so.
Reducing unknown applications. Networks need to be regularly monitored to ensure there aren't any unknown applications running on the server. The more there are, the harder it will be to maintain consistently high levels of security.
Cybersecurity awareness and training needs to start at the C-suite.
Another security practice that makes the job of hackers more difficult is providing users with cybersecurity training and awareness programs. Ideally, businesses would be able to onboard a team of highly skilled and experienced IT professionals. However, this is not always possible. According to the ISACA report, 86 percent of organizations agreed that there is a cybersecurity skills gap, and more than 90 percent of those who plan to hire more IT professionals anticipate that doing so will be difficult – giving companies one more reason to offer cybersecurity education.
Prioritize cybersecurity training
Information security training can be used to reduce the risk of attacks attributed to employee errors, as well as to bridge the skills gap plaguing organizations today. At The National Cybersecurity Institute, we offer a wide range of specialty courses and training programs that prepare professionals for detecting, preventing and responding to data breaches. From the C-suite and Board level course designed for those who aren't familiar with IT to the (ISC)2 Certified Information Systems Security Professional (CISSP) class that prepares individuals for IT certification exams, we have something for everyone.
Today, organizations across every industry are concerned about security breaches and data hacks, but cybersecurity has become of utmost importance for certain sectors.
Research and Markets recently revealed that over the next four years, the global cybersecurity market is expected to grow from $122.45 billion to $202.36 billion – marking an annual increase of more than 10.6 percent. This rapid expansion goes hand in hand with the surge in businesses making information-security-related investments. As the number of data breaches and cybersecurity incidents rises, companies become more aware of the crucial need to protect their critical infrastructure.
The banking, financial services and insurance industry is expected to account for most of this expansion. Cybercriminals seeking monetary gain target this market because of the large volumes of sensitive financial information and data that circulate through its systems. As Research and Markets pointed out, another factor contributing to this vertical's growth in cybersecurity spending is its accelerated adoption of web and mobile applications, which ultimately heightens its exposure to security vulnerabilities.
"Digital apps are both a business necessity and security risk."
Financial sector suffering from security vulnerabilities
Digitalizing processes and operations is an increasingly popular trend in the financial sector. Reaching and serving customers on mobile platforms and electronic devices has become not only an important but also a necessary aspect of business models. Unfortunately, it also puts these firms at extreme risk.
According to BizTech, the U.S. Securities and Exchange Commission named cybersecurity as the biggest risk to the financial system. The source also highlighted a number of statistics that offer a glimpse into the concerning state of cybersecurity in the financial field. For example:
Thirty-seven percent of financial service companies experienced double-digit increases in cybersecurity incidents.
Ninety percent of these firms feel vulnerable to cyberthreats.
Less than 20 percent of investment institutions are confident in their ability to deal with incident response and recovery operations.
Seventy-seven percent agree that data security is a major concern.
Further findings published by SecurityScorecard revealed malware infects 75 percent of the top 20 U.S. commercial banks and about 20 percent of financial firms have severe security vulnerabilities within their email servers. BizTech reported that over the next year, most information security and compliance officers plan to increase cybersecurity investments, with the primary focus being on improving tools and technologies. However, there is not much use in organizations increasing spend on computer protection and IT security systems if they are not implementing the appropriate solutions or targeting the real source of the problem.
"Despite major financial institutions spending billions of dollars on cybersecurity annually, this report suggests the financial industry may not be spending those dollars as effectively as possible," SecurityScorecard COO Sam Kassoumeh explained. "A greater level of protection is required, which should be a concern for their customers and partners."
The majority of financial service firms are concerned about data security.
Third-party risks to information security and protection
Research and Markets named network security as the segment expected to see the biggest growth due, at least in part, to companies needing to adhere to compliance and regulation requirements. However, SecurityScorecard emphasized the need for financial firms to address another vector of cyberattacks: their network of third-party partners and vendors.
"Financial companies rely on data exchanges with other vendors and may have limited visibility into the cyber risk associated with these transactions," SecurityScorecard Senior Data Scientist Dr. Luis Vargas said. "As cybercriminals find new ways to attack, breach and exploit organizations, threat patterns such as phishing, spear-phishing and social engineering evolve and become more sophisticated."
"Cybersecurity is the biggest challenge for banks today."
An example of the severe repercussions that can result from such vendor-security negligence is the recent attack on the central bank of Bangladesh. The Bangladesh bank seems to blame the Federal Reserve Bank of New York for the breach, though some fingers have also been pointed at SWIFT, an interbank messaging system used by over 11,000 financial institutions in more than 200 countries. SWIFT fell under fire when cybercriminals were able to use malware and fraudulent messages sent through the system to steal over $81 million from the bank. Reuters released a new investigative report that examined the handful of problems and missteps that contributed to the incident.
Among the problems the report identified were the involved financial institutions' underestimation of the severity of cyberthreats, their lack of security processes and controls, and their failure to use proper detection tools and technologies. Many businesses – both in and outside the banking industry – make these mistakes with information security, but they are also mistakes that can be corrected to ensure a stronger cybersecurity strategy.
Preventing bank cyberattacks
Given the critical nature of the data and information they deal with, banks and other financial service firms must do everything they can to develop the strongest cybersecurity defense possible. Part of this involves investing in the right solutions, as well as enhancing workers' cybersecurity education and capabilities.
When it comes to cyberattacks and data breaches, most people think about computer network security. But it is important to realize cybercriminals can – and do – target virtually any digital device or system, including power and electrical systems. When it comes to our nation's electric, water and power utilities, cybersecurity needs to be a priority. This infrastructure is complex and plays a pivotal role in the delivery and performance of many of our daily functions and processes.
It is not uncommon to hear about high-profile data breaches impacting major financial or health care institutions. For example, as TechCrunch contributor Stephen Boyer recently pointed out, earlier this year it came to light that a handful of attackers associated with the Iranian government had conducted cyberattacks on numerous banks between 2011 and 2013. And while this type of cybersecurity incident isn't entirely unheard of, there was one particularly concerning detail: Among the targets was the Bowman Avenue Dam in Rye Brook, New York. Through the cable modem, the hacker was able to gain control of the system's operations. Had the incident occurred under different circumstances, it could have led to a flood affecting nearly 200 residents' homes.
Cybersecurity for utilities comes with its own unique challenges.
Cyber threats in utilities
The Bowman Avenue Dam incident is far from the first, or likely the last, example of such a security breach in the electric power industry. Boyer listed several other examples of such events, like the 2015 malware attack on a power grid in Ukraine, which caused a blackout in over 100 cities throughout the area. Spear-phishing email attacks, malware and viruses have been identified as ways hackers gain access to power plants, oil and gas firms and steel mills.
"Security attacks on the electric power industry threaten the physical safety of individuals."
In 2005, equipment malfunctions caused issues with the remote monitoring of a dam in St. Louis, Missouri, which resulted in the release of 1 billion gallons of water. In 2008, the CIA confirmed that a cyberattack in New Orleans led to a power outage spanning multiple towns, and that power equipment disruptions in a number of areas outside the U.S. can be attributed to utility breaches involving extortion.
In addition to the sensitive data and information at risk, cyberattacks on utilities threaten the distribution of power throughout regions, as well as the function of operational processes at the individual, business and government level. When it comes to electric, water and other utilities, cybersecurity isn't about preventing just digital disruptions; it is also necessary to prevent the kind of physical damage that could be experienced during a natural disaster.
Regulatory structure of the electric power industry
Ensuring the cybersecurity of power and electric grids is imperative. To understand what steps must be taken to improve the security of the industry, we should first understand its current state. Following the Energy Policy Act of 2005, the electric power sector must adhere to the mandatory cybersecurity standards and regulations set forth by the Federal Energy Regulatory Commission (FERC). FERC and the North American Electric Reliability Corporation (NERC) work to create and implement enforceable standards that ensure the safety, reliability and security of utilities. However, just because certain guidelines and policies are in place does not mean organizations are necessarily enforcing, monitoring or updating them adequately.
The utilities industry uses Supervisory Control and Data Acquisition (SCADA) systems to monitor and control tasks, processes and operations in a wide variety of settings, including chemical and electrical power generation plants, water treatment plants and dams. NERC's Critical Infrastructure Protection (CIP) standards regulate these automated systems. And while SCADA systems have been helpful in addressing known vulnerabilities and risks, they do not seem to advance with the same rapid maturity and sophistication as cyberattacks. The increased digitalization of electric power infrastructure creates a number of attack vectors for cybercriminals to use, including:
Commercial hardware for Master Terminal Unit and Remote Terminal Unit platforms.
"The risk to energy and other public services worldwide, including in the U.S., will be greatly accentuated as more control systems are modernized and brought online," Boyer pointed out in his article for TechCrunch.
Furthermore, as more organizations start to implement smart grids and leverage sensor and wireless technologies and software, this sector's cybersecurity landscape is going to grow only more complex.
As the issue of cybersecurity grows, utilities companies must make it a priority.
The next steps
Last month, the FERC urged companies and agencies in the utilities industry to take more action in ensuring a strong cybersecurity defense, such as developing better security standards, Energy Central reported. And while refining regulation practices and standards is certainly a necessary component of improving electric power critical infrastructure safeguards, the organizations themselves need to be proactive as well. How?
Upgrade legacy systems or implement new technology and tools that will ensure sufficient monitoring, detection and notification processes.
Use a multilayer cybersecurity strategy.
Develop an updated incident response plan.
Establish a long-term security improvement strategy.
It is also imperative that these organizations prioritize cybersecurity training and awareness programs. Not only does education minimize the risk of security breaches attributed to human error, but it also helps ensure the best practices and methodologies are being used. At The National Cybersecurity Institute, we offer a range of IT certification preparation courses and programs that help professionals gain the latest training, expertise and skills needed to excel in cybersecurity, such as the one designed for the EC-Council Certified Chief Information Security Officer certification.