CHANNEL PARTNERS EVOLUTION — As a startup company with a connected clothing line that can track movements and health statistics, Amy Acme wants to ensure that her business is secure but doesn’t know how to go about it or understand all the risks she faces.
Enter Leo Taddeo, chief security officer for Cryptzone – a provider of network security software – and a former special agent in charge of the Special Operations/Cyber Division of the FBI’s New York Office.
Speaking Tuesday during Channel Partners Evolution, Taddeo said small businesses and large ones alike are vulnerable to the lucrative global enterprise known as cybercrime. And as a startup, Amy Connected Apparel – a hypothetical business that Channel Partners conceived in advance of Channel Partners Evolution – is an attractive target to criminals because it’s innovative and new, he noted.
Cybercriminals are seeking confidential data from the likes of Amy Connected Apparel, such as credit card information, customer lists and intellectual property. Unfortunately, Taddeo noted an increase in the quality and quantity of malware and malicious hackers.
What should Amy do to protect her business? For starters, he recommended the company assign someone who is responsible for security and has the authority to enforce security rules. Often, Taddeo pointed out, no one within a company is accountable when security incidents occur.
Amy said that her business relies on a flexible and mobile workplace. How can her employees remotely – and securely – access company data? Taddeo advised, for example, that Amy prevent employees from accessing resources that are not necessary for their job, use encryption to protect data, and rely on multi-factor authentication to create a digital identity. While encryption is hard to implement, it’s very effective since the data is of no use to the criminal even if he gets it, Taddeo pointed out.
“Stealing credentials today” is an easy part of a hacker’s job, noted Taddeo, who rejected the notion that you can safeguard data with a user name and password. “Once inside, the adversary basically has free run of most networks,” he warned.
Taddeo rejected the perception that storing data in the cloud is riskier than storing it on customer-premises equipment. When implemented properly, the cloud offers a significant security advantage, he said. However, the security expert said it’s important to understand where a cloud provider’s responsibilities begin and where a company’s responsibility commences.
Taddeo further addressed Amy’s concerns around customer privacy. He observed her business is likely subject to various regulations. For instance, he cited the need to comply with PCI (payment card industry) standards governing credit cards and said the company was likely subject to HIPAA (Health Insurance Portability and Accountability Act of 1996). Finally, he said it was possible that her clothing apparel could be subject to FDA regulations and considered a “medical device.”
Regulatory compliance, despite its effort and cost, is no guarantee that data is safe, Taddeo cautioned. He referenced cases in which companies were audited for PCI compliance and passed inspections within six months of a breach.
Finally, Taddeo said that security starts with a commitment by an organization’s top brass.
“Main thing,” he said, “is you set the tone and lead by example.”