Hackers will always find a way in, so your business must plan for it, says cybersecurity expert
David Trepp has been a technology entrepreneur since 1989, leading more than 1,100 information security penetration-test engagements for major industries throughout the United States and abroad.
He's partner for BPM IT Assurance and partner in charge of the accounting firm's Eugene, Oregon, office. Trepp has given dozens of presentations to audiences nationwide, on a variety of information security topics. Prior to joining BPM, he was founder and CEO of Info@Risk, a comprehensive penetration test firm.
Trepp, one of the presenters at the North Bay Business Journal's Protecting Your Business Cybersecurity Conference Sept. 28, talks with the Journal about cybersecurity and business security.
As someone whose firm tests the ability of businesses to ward off hackers, malware and other threats, do you find that businesses are better prepared today than two years ago? Why or why not?
The somewhat ironic answer is that businesses are better prepared today, but they are still at greater risk.
While businesses have done a good job improving things like email security controls and employee training over the past couple years, the bad guys have, armed with NSA hacker tools released into the public domain, leapfrogged ahead in creating new avenues of attack.
The sad truth is that many businesses are working hard just to try and maintain their security posture from two years ago.
What key mistake by companies do you see being made again and again in your work?
The biggest deficiency I see over and over is a lack of executive participation in information security.
Executive participation starts with setting a good cybersecurity example for employees to follow.
Additionally, executives and board members need to view cybersecurity as a strategic investment in the future of the business, not just a painful set of expenses.
Lastly, executives and board members need to remain informed about the company's cybersecurity posture. Setting standards for what risks are and are not acceptable, overseeing the development of good policies and procedures, and knowing the results of tests to determine where vulnerabilities lurk are all part of executives' cyber responsibilities.
If workers are a weak link in a company's security, for example by opening an email attachment from an unknown source, is additional training the only hope of attacking the problem?
There are plenty of technical tools, such as strong email and web filters, password safe applications, and easy-to-use multi-factor authentication solutions that can halt attacks, or at least make them far less impactful.
Ultimately though, attackers will find ways to circumvent those controls and the onus will lie squarely with the employees. So a good training program is still an essential weapon in the fight against hackers.
What businesses are most likely to be subjected to a ransomware attack? Why?
Unfortunately, all businesses are equally subject to ransomware attacks. Recent case studies clearly demonstrate that many ransomware criminals target their attacks indiscriminately, not even knowing who the victim is until ransom negotiations commence. If your business has a web presence, it may be subjected to a ransomware attack.
Describe why a business owner who thinks his or her business is too small to worry about hackers, ransom or malware might be wrong about that.
Small businesses may be less likely to be targeted by hackers seeking monetizable information, but any business that can round up a bitcoin or two is fair game for ransomware.
If you had to gauge who's gaining the upper hand in the area of cybersecurity, the hacker or the firms trying to thwart them, which would it be and why?
Elementary game theory posits that in any game of strategy offense is, by definition, one step ahead of defense.
In other words, playing defense requires waiting to see what the opposing offense comes up with and then responding.
This is also true of cybersecurity, and trying to anticipate what hackers will think of next is destined to result in vulnerabilities.
Ultimately, hackers just have an easier job, as the second law of thermodynamics teaches us that it is simply easier to break things than it is to build them. Hence, hackers will always have an easier time finding vulnerabilities than engineers have in avoiding vulnerabilities while writing software.
Describe why you founded Info@Risk in 1998 and what's changed the most (other than your firm joining BPM last year) in the business since then.
With 18 years in the information security business, I've pretty much seen it all.
In terms of who the bad guys are, I've witnessed the attacker demographic evolve from young hackers looking for bragging rights, to professional organized crime syndicates making real profits, to government-run cyberwarfare battalions.
What's the most common cyberattack small- and medium-sized businesses might encounter?
As far as likelihood is concerned, ransomware is the most common attack facing small and medium businesses right now. If your company is big enough to pay a ransom, your company is big enough.
The loss of sensitive customer/employee data and the resultant reputation hit remains the biggest impact breach scenario.