By Sydney Rodgers*
Theresa Payton is a notable expert on leading cyber security and IT strategy. A former White House CIO, serving from May 2006 until September 2008, she is one of the leading security specialists in the nation. Payton is the CEO of Fortalice Solutions and co-founder of Dark Cubed. Both companies provide security, risk and fraud consulting services to various organizations.
At the recent Public Relations Society of America (PRSA) International Conference, Payton compared potential security risk to connecting a talking Barbie to unknown Wi-Fi sources. According to the Interstate Technology & Regulatory Council (ITRC), over 169 million personal records were exposed in 2015 due to breaches. With the internet playing such a large role in daily life, I wanted Payton’s insight on how to structure your brand. Below, Payton gives us tips on how to expand your assets without putting them at risk.
How does someone determine their most valuable assets?
Your most valuable asset(s) is that information that you absolutely cannot afford to lose. It’s the most critical asset that you need to safeguard and protect either for yourself or your organization. Lots of digital assets are considered valuable but the top 3 digital assets that cyber criminals target before and during a large event are:
- The schedules of notable people and their security detail assignments;
- Ability to spoof or fake credentials online or in person; and/or
- Stealing personally-identifiable information or the right credentials to access payment information and bank accounts.
What trends do you see in breaches of security?
Over the course of my career, one item rings true over and over again. Today’s technology, by design, is open so it can be easily updated. That open design also means that a breach is inevitable, but how you plan to respond to one is not. If you create and store data, there will be cyber criminals waiting to pounce to copy it, take it, post it, ransom it, or destroy it. Offensive strategies with defensive mitigating controls work, but a purely defensive strategy is a losing strategy. For every defense you put in the path of a cyber criminal, just like a squirrel after an acorn, they will relentlessly try to circumvent your defenses to grab it.
As we live in today’s world, it would be completely negligent to think of physical and digital security as two separate entities. We discussed in great detail at the White House that a security strategy must dovetail the two together, physical and digital, and that a one-sided approach was doomed to fail.
What things should someone take into consideration when looking into cyber security?
An area often overlooked or widely misunderstood is the use of open source intelligence, also known as OSINT, as part of the overall strategy. 70% of data breach victims indicate that they were alerted they had a breach from someone outside their own organization. That stunning statistic reinforces why every company should target your own organization, as if you are the adversary. This approach helps you identify the information leaking out of your vendor’s connections to your data, through your own employees, or technology, before cyber criminals use that same intelligence to launch an attack against your organization.
Digitally, you can use OSINT tools to identify everything you can about the technology and people that work at your organization. You can also use OSINT to see if your sensitive data has leaked online. Physically, you can use an OSINT technique to digitally geofence a specific physical land area and monitor the digital traffic that mentions the location. In the case of fighting terrorism, private sector companies and law enforcement can geofence critical infrastructure, significant events, and venues and then monitor to identify terrorist capabilities, sympathizers, motivation, flash points and intentions through various OSINT tools.
What apps would you suggest someone use to monitor their protection?
Some apps that I use every day are Privacy Badger and Ghostery, to protect my online browsing from third-party marketing firms and other snoops. I also use Threema to protect sensitive text messages.
Should there be differences in cyber security for personal and professional?
How you think about protecting your privacy and sensitive digital assets in your personal and work life is the same. Most of the principles that you apply in your personal life should go to the office with you and vice versa. Please make sure you are familiar with the tighter restrictions at work that are typically agreed to within employee agreements that you have signed so you don’t unknowingly break rules or put your company’s most sensitive assets at risk.
*Sydney Rodgers is a student at Southeast Missouri State University. She has always been interested in the communication process and social interaction and is currently studying public relations. In her spare time Sydney likes to keep up with current events and is AVP of Communication for her Public Relations Student Society chapter.